Aspect-oriented design and implementation of adaptable access control for electronic medical records.

OBJECTIVES

Maintaining proper access control to Electronic Medical Records (EMR) is essential to protecting patients' privacy. We aim to develop mechanisms and tools that can support fine-grained and adaptable access control for EMR.

METHOD

This paper presents an aspect-oriented design and implementation scheme to providing adaptable access control for Web-based EMR systems. In our scheme, access control logic is decoupled from the core of the EMR application and collected into separate aspect modules which are automatically synthesized from access control rules in XML format and properly designed aspect templates. The generated aspect modules will then be compiled and integrated into the underlying EMR application using standard aspect tools. At runtime, these binary aspect modules will be executed to enforce the required access control. Future changes of access control rules can also be effectively realized through these mechanisms without actual coding.

RESULTS

A structured form of access control rules based on the Taiwan Electronic Medical Record Template, a suite of abstract aspects and templates for enforcing access control and a translator for synthesizing the complete access control code in AspectJ from such access control rules and aspect templates. We have also built a Web-based EMR prototype implementation to demonstrate our approach.

CONCLUSION

Our approach can not only accommodate a wide range of fine-grained access control requirements but also enforce them in a modular and easy to adapt manner without incurring extra performance overhead due to rule interpretation. The use of aspect-oriented technology to provide adaptable access control for EMR is a promising approach. We have further enhanced our scheme with a mechanism for dynamic adjustment of access control rules. Other tools for authoring and analyzing the access control rules are the main parts of our future work.