Healthcare information systems collect, store and manage sensitive information about patients; hence, it is imperative for such systems to provide robust access control mechanisms in order to thwart potential security and privacy threats. The access-control requirements of healthcare systems are considerably more diverse than those of other systems. The existing subject-, role-, object-, attribute- or context-centric approaches seem insufficient to model the access-control needs of the healthcare domain efficiently and flexibly. In this paper, we propose a combined access control scheme for healthcare information systems that amalgamates features of discretionary access control (DAC), role-based access control (RBAC) and context-aware access control. We discuss the design, implementation and evaluation of the proposed scheme, and explain the rationale behind the combination.