| With the development of Hospital Information System (HIS) technology, applications such as Electronic Medical Records and Health Records have greatly improved the capability of medical services and the utility of medical information. However, HIS faces new challenges in access control because of the disclosure of private medical information. HIS is an open system that can conveniently integrate all kinds of medical applications. Since it covers a wide range of private medical data, it must provide flexible authorization and access control as well as a sound protection mechanism for medical privacy. RBAC, which is widely used in access control, cannot satisfy the medical privacy requirements of HIS in three respects. First, the separation of the information owner from the policy issuer makes it difficult to define what counts as privacy content. Second, general role-based policy makes personalized privacy protection very difficult. Third, more attention must be paid to the intended usage of the information, which traditional RBAC does not consider. After discussing the features of privacy protection in medical information systems, we propose a new model, PBAC-HIS, based on the requirements of privacy protection. The main idea of the model is to be patient-oriented: part of the management authority is transferred to the patients themselves, so that they can create and maintain access policy and clearly define their privacy content individually. The module takes inheritance into account and adopts an authorization management method based on purpose management. According to the responsibilities of each role, the hospital makes policies by binding roles to purposes. Then, based on the different priorities of roles, patients set the purpose attributes of their privacy data, forming personal policies. 
By combining general policies with personal policies, patients can adjust their personal policies to satisfy individual privacy demands while preserving generality and flexibility, on the premise that the general policy is unchanged. In this paper, we first describe the design of PBAC-HIS, then introduce its significant parts and key modules, and finally present the detailed design of the Purpose Management Module. The main contributions of this paper are as follows. First, we propose a new model, PBAC-HIS, an access control model oriented to HIS privacy protection, through which a medical institution can manage medical information with multi-level authority management, so as to satisfy the requirement of personalized access control for privacy protection. Second, we adopt a "purpose-based" decision pattern and design and implement the Purpose Manager, so that the result of an access decision depends on the consistency of intention, thereby controlling the usage of the resource. Third, we combine the general policy with personal policy based on Policy Groups, which greatly improves the flexibility of access control. Fourth, we complete the design of the related models and implement the Purpose Manager, which has a certain reference value for applications. |
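
The two-layer decision described in the abstract can be sketched as follows. This is an added example, not code or a design taken from the paper: it checks the hospital's role-to-purpose binding first, then the patient's purpose attributes on the data item. The purpose tree, role names, the `decide` function and the rule that a patient prohibition overrides an allowance are all assumptions made for illustration, and role priorities are not modelled.

```python
from dataclasses import dataclass, field

# Constructed purpose tree (child -> parent); all names are illustrative.
PURPOSE_PARENT = {
    "treatment": "any",
    "diagnosis": "treatment",
    "nursing": "treatment",
    "research": "any",
    "billing": "any",
}

def ancestors(purpose):
    """Return the purpose followed by its ancestors up to the root."""
    chain = []
    while purpose is not None:
        chain.append(purpose)
        purpose = PURPOSE_PARENT.get(purpose)
    return chain

def covers(granted, requested):
    """Inheritance: a granted purpose covers itself and its descendants."""
    return granted in ancestors(requested)

# General policy, set by the hospital: role -> purposes the role may claim.
GENERAL_POLICY = {
    "physician": {"treatment"},
    "nurse": {"nursing"},
    "researcher": {"research"},
    "clerk": {"billing"},
}

@dataclass
class PersonalPolicy:
    """Purpose attributes a patient attaches to one data item."""
    allowed: set = field(default_factory=set)
    prohibited: set = field(default_factory=set)

def decide(role, access_purpose, item_policy):
    # Layer 1: the role must be bound to the claimed access purpose.
    bound = GENERAL_POLICY.get(role, ())
    if not any(covers(p, access_purpose) for p in bound):
        return "deny: role not bound to purpose"
    # Layer 2: the patient's policy can only narrow access (assumed rule:
    # a prohibition overrides an allowance; no match means deny).
    if any(covers(p, access_purpose) for p in item_policy.prohibited):
        return "deny: prohibited by patient"
    if any(covers(p, access_purpose) for p in item_policy.allowed):
        return "permit"
    return "deny: purpose not allowed by patient"
```

Because the personal policy is consulted only after the general policy has passed, a patient can restrict access to an item without any change to the hospital's role bindings.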