Enforcing Minimum Necessary Access in Healthcare Through Integrated Audit and Access Control.

BCB(2013)

Abstract
One of the most important requirements of HIPAA is the "minimum-necessary" access requirement, which states that healthcare personnel must be granted no more access to electronic healthcare data than is necessary in order to work effectively. Due to the complexity of constructing such a policy, many hospitals do not comply with the regulation and instead manually audit the logs when they suspect that abuse has occurred. This audit-only approach is error-prone and difficult due to the volume of data contained in the logs. To address this problem, we have built a policy engine capable of automatically auditing logs and separating normal accesses from abnormal accesses. Our policy engine implicitly constructs role-based policies from the audit data in order to produce a workable policy that can be used to enforce minimum-necessary access. The policy engine can also audit an existing role-based access policy by comparing it to observed accesses in order to determine whether the existing policy is overpermissive compared to actual usage patterns.