Access Controls

Once a user has been identified and authenticated, the next step is to determine what privileges that user has for accessing services and information. This requires determining access both to particular application programs and to particular sets of data. In environments in which there is no notion of an organization-wide log-in, the existence of an account for a user is the first order of access control. In a more general distributed framework, either a database must exist that records each user's access privileges, or each piece of information must be tagged to describe its access rights.

The classical approach in a hierarchical file structure is protection assigned at each node, that is, at each directory or file. More fine-grained systems assign protection levels to individual data elements within each directory or file. Protections are usually assigned to control the ability to perform operations on the data structure, for example, to read, write, append, delete, and create. Each node typically has an owner and a set of privileges that apply to that person, a set of privileges that apply to specially defined groups of users, and a set of privileges that apply to everyone else. In more modern systems, quite general access control list (ACL) mechanisms are available under which each group of users may have its own set of privileges and additional privileges can be defined (e.g., whether an entity may even see that a node exists in the file structure). Similar access control mechanisms are implemented in commercial database systems and may apply at various levels of granularity in the data structure: database, table, record, or data element.7
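The node-level scheme described above, with owner, group and everyone-else tiers, additive ACL entries per group, role (group) assignment kept in a separate directory, and a right that controls whether a node is even visible, as an added example in Python. This is illustration code written for this page, not code from the original report; the tree, the user names and the role names are constructed for the example.

```python
"""Node-level access control: owner/group/other tiers, additive per-role ACL
entries, a role directory, and a LIST right that hides nodes from users who may
not see into the containing directory. Added example; all names are invented."""
from dataclasses import dataclass, field
from typing import Dict, Set

# Operations the text lists, plus LIST: may the entity see that a node exists?
READ, WRITE, APPEND, DELETE, CREATE, LIST = "read", "write", "append", "delete", "create", "list"
OK, DENIED, NOT_FOUND = "ok", "denied", "not_found"


@dataclass
class Node:
    name: str
    owner: str
    group: str
    owner_perms: Set[str]
    group_perms: Set[str] = field(default_factory=set)
    other_perms: Set[str] = field(default_factory=set)
    acl: Dict[str, Set[str]] = field(default_factory=dict)      # role -> extra rights
    children: Dict[str, "Node"] = field(default_factory=dict)

    def add(self, child: "Node") -> "Node":
        self.children[child.name] = child
        return child


class RoleDirectory:
    """The operational database: which roles (group memberships) each user holds."""
    def __init__(self) -> None:
        self._roles: Dict[str, Set[str]] = {}

    def assign(self, user: str, *roles: str) -> None:
        self._roles.setdefault(user, set()).update(roles)

    def revoke(self, user: str, role: str) -> None:
        self._roles.get(user, set()).discard(role)

    def roles_of(self, user: str) -> Set[str]:
        return set(self._roles.get(user, ()))


def effective_rights(node: Node, user: str, directory: RoleDirectory) -> Set[str]:
    """Owner tier takes precedence over the group tier, which takes precedence
    over 'everyone else'; ACL entries for any role the user holds are added."""
    roles = directory.roles_of(user)
    if user == node.owner:
        tier = node.owner_perms
    elif node.group in roles:
        tier = node.group_perms
    else:
        tier = node.other_perms
    rights = set(tier)
    for role in roles:
        rights |= node.acl.get(role, set())
    return rights


def authorize(root: Node, path: str, user: str, op: str, directory: RoleDirectory) -> str:
    """Walk the path from the root. Every directory on the way must grant LIST;
    if not, answer NOT_FOUND, indistinguishable from a missing node, so the
    user learns nothing about whether the node exists. Then check op at the target."""
    node = root
    for part in [p for p in path.split("/") if p]:
        if LIST not in effective_rights(node, user, directory):
            return NOT_FOUND
        child = node.children.get(part)
        if child is None:
            return NOT_FOUND
        node = child
    return OK if op in effective_rights(node, user, directory) else DENIED


def build_sample():
    """Constructed sample tree and role database (not taken from the page)."""
    full = {READ, WRITE, APPEND, CREATE, DELETE, LIST}
    root = Node("", owner="sysadmin", group="staff", owner_perms=full,
                group_perms={READ, LIST}, other_perms={LIST})
    records = root.add(Node("records", owner="sysadmin", group="clinicians",
                            owner_perms=full, group_perms={READ, LIST},
                            acl={"billing": {LIST}}))
    patient = records.add(Node("patient-0001", owner="dr_lee", group="clinicians",
                               owner_perms=full, group_perms={READ, LIST},
                               acl={"billing": {LIST}}))
    patient.add(Node("notes.txt", owner="dr_lee", group="clinicians",
                     owner_perms={READ, WRITE, APPEND}, group_perms={READ, APPEND}))
    patient.add(Node("billing.txt", owner="dr_lee", group="clinicians",
                     owner_perms={READ, WRITE}, group_perms={READ},
                     acl={"billing": {READ, APPEND}}))
    directory = RoleDirectory()
    directory.assign("dr_lee", "clinicians", "staff")
    directory.assign("nurse_kim", "clinicians", "staff")
    directory.assign("clerk_ann", "billing", "staff")
    directory.assign("visitor")
    return root, directory


if __name__ == "__main__":
    root, directory = build_sample()
    for user, path, op in [("nurse_kim", "records/patient-0001/notes.txt", APPEND),
                           ("clerk_ann", "records/patient-0001/notes.txt", READ),
                           ("visitor", "records/patient-0001/notes.txt", READ),
                           ("visitor", "records/does-not-exist", READ)]:
        print(f"{user:10} {op:6} {path}: {authorize(root, path, user, op, directory)}")
```

Two points the walk makes concrete: a user without LIST on an ancestor directory gets the same NOT_FOUND answer for a real node and for a nonexistent one, so the visibility right actually hides the node's existence rather than merely blocking the operation; and changing a user's function is done by editing the role directory (assign or revoke), not by touching the protections on individual nodes.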

Operationally the problem becomes one of securely maintaining the database of user privileges, assigning group memberships (roles) appropriate to the user's current function, and assigning appropriate role-based access controls to various elements of information, based on need and right to know. This operational process, of course, has little to do with technology deployment, except insofar as technology may provide a smoothly integrated user interface for managing the database of access information in a consistent and timely way. The difficulties that confound this process include not having a clear model for information secu-

7 Note, however, that organizing all data in concert with all possible access rights is a major effort. Such a task requires that the many pieces of information contained within an electronic medical record be reviewed to ensure that retrieval of a given piece of information is consistent with all relevant access rights. This task is complicated by a number of factors. For example, not all data within a given electronic medical record are necessarily controlled by a single system or system supplier. As important, it is difficult to ensure that all data are properly filed, so that a partitioned access right will not retrieve any data that give or allow inferences beyond the authorized access rights.

Copyright © National Academy of Sciences. All rights reserved.