AC-ABAC: Attribute-based access control for electronic medical records during acute care

Acute care demands fast response and procedures from the healthcare professionals involved in the emergency. The availability of electronic medical records (EMR) enables acute care teams to access patient data promptly, which is critical for proper treatment. The EMR contains sensitive data, so proper access control is a necessity. However, acute care situations entail the introduction of dynamic authorisation techniques that are able to swiftly grant access to the acute care teams during the treatment and that at the same time can revoke it as soon as the treatment is over. In this work, our contributions are threefold. First, we propose a step-by-step methodology that defines dynamic and fine-grained access control in acute care incidents. Then, we applied this methodology with the Amsterdam University Medical Center acute stroke care teams, resulting in a new model coined 'Acute Care Attribute-Based Access Control (AC-ABAC)'. AC-ABAC implements access control policies that take into account contextual attributes for dynamically sharing patient data with the appropriate healthcare professionals during the life cycle of acute care. Finally, we evaluate the performance and show the feasibility and correctness of AC-ABAC through a prototype implementation of the model and simulation of patient data requests in various scenarios. The results show that the most complex policy evaluation takes on average 194.89 ms, which is considered worthwhile when compared to the added value to the system's security and the acute care process.