A Study of Access Control Requirements for Healthcare Systems Based on Audit Trails from Access Logs

Lillian Røstad
Norwegian University of Science and Technology (NTNU)
Norway

Ole Edsberg
Norwegian University of Science and Technology (NTNU)
Norway

In healthcare, role-based access control systems are often
extended with exception mechanisms to ensure access
to needed information even when the needs don’t follow
the expected patterns. Exceptionmechanisms increase the
threats to the privacy of patient information, and therefore
their use should be limited and subject to auditing. We
have studied access logs and user records from a hospital
EPR system with extensive use of exception-based access
control. We found that the uses of the exception mechanisms
were too frequent and widespread to be considered
exceptions. The huge size of the log and the use of prede-
fined or uninformative reasons for access make it infeasible
to audit the log for misuse. Those informative reasons
that were given provided starting points for requirements
on how the usage needs should be accomplished without
exception-based access. With more structured and
fine-grained logging, analysis of access logs could be a
very useful tool for learning how to reduce the need for
exception-based access.

Keywords: access control, audit trails

Read Paper Read Paper (in PDF)