Strengthen Electronic Health Records System (EHR-S) Access-Control to Cope with GDPR Explicit Consent.

Patient consent is currently a missing piece on Electronic Health Records System (EHR-S) access permission. The control is needed to ensure personal data as the property of the individual, not data controllers or health-care service providers. To cope with this need, in this article, an adaptation of existent Role-Based Access Control (RBAC), including patient-centric control, is described. The revisited feature of existing administrative and supporting RBAC functions allows exclusive control orchestrated by the patient as sole information owner, including the ability to encrypt their data for confidentiality purposes. The additions mimic a Discretionary Access Control (DAC) capability using existing user group membership to vet access over symmetric keys bind to patient's data via the associated PERMS matrix.