Identity Management to Support Access Control in E-Health Systems

The related and often challenging topics of identity management and access control form an essential foundation for e-health infrastructure. Several approaches and supporting specifications for electronic healthcare record system (EHR-S) communication have been proposed by research projects and standards development organizations in recent years. For instance, part four of the CEN TC251 EN13606 EHRcom standard and the HL7 Role Based Access Control Draft Standard for Trial Use have helped to specify the nature of access control behaviour in relation to EHR communication within and between healthcare organisations. Access control services are a core component not only of the integrated care EHR-S but also for other information systems in the e-health domain. To underpin functionality of this type in a distributed environment, it is necessary to provide access to scalable, secure and uniform ID domains for users and patients. This paper considers the use of part four of the EHRcom standard in the context of the availability (or lack thereof) of national identification systems for patients and for users of an integrated care EHR-S. This work begins with a brief summary of the state-of-the-art in identity management and access control in the health domain and a description of approaches that could lead to a secure and interoperable identification mechanism. To address the identification problem, the authors describe well known EHR access control viewpoints that are compatible with the CEN standard for EHR communication, EN13606 and describe how an identification service can support this functionality.