An access control model for a South African National Electronic Health Record System

Abstract

Countries such as South Africa have attempted to leverage eHealth by digitising patients' medical records with the ultimate goal of improving the delivery of healthcare. This involves the use of the Electronic Health Record (EHR) which is a longitudinal electronic record of a patient's information. The EHR is comprised of all of the encounters that have been made at different health facilities. In the national context, the EHR is also known as a national EHR which enables the sharing of patient information between points of care. Despite this, the realisation of a national EHR system puts patients' EHRs at risk. This is because patients' information, which was once only available at local health facilities in the form of paper-based records, can be accessed anywhere within the country as a national EHR. This results in security and privacy issues since patients' EHRs are shared with an increasing number of parties who are geographically distributed. This study proposes an access control model that will address the security and privacy issues by providing the right level of secure access to authorised clinicians. The proposed model is based on a combination of Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC). The study found that RBAC is the most common access control model that is used within the healthcare domain where users' job functions are based on roles. While RBAC is not able to handle dynamic events such as emergencies, the proposed model's use of ABAC addresses this limitation. The development of the proposed model followed the design science research paradigm and was informed by the results of the content analysis plus an expert review. The content analysis sample was retrieved by conducting a systematic literature review and the analysis of this sample resulted in 6743 tags. The proposed model was evaluated using an evaluation framework via an expert review.