Framework & Prototype for Secure XML-based Electronic Health Records System
Robert Steele, William Gardner, Darius Chandra, Tharam Dillon
University of Technology, Sydney
Abstract
How to ensure proper handling of privacy and protection of personal medical information has always been a challenge for the advancement of electronic health record initiatives. Inappropriate disclosure of personal health records, whether deliberate or accidental, can have serious consequences for the individual to whom the information belongs. With advances in information technology, the eXtensible Markup Language (XML), a self-describing, semi-structured data format, is rapidly becoming the key standard for representing information and exchanging data between applications across the Web. XML repositories are also starting to be used either as a data storage format or as an interoperability layer where legacy applications are connected with new systems, or simply between different data sources. The widespread use of XML, and the prospect of its use in the Electronic Health (e-Health) domain, highlights the need for flexible access control models for XML data and documents, in order to protect sensitive and valuable information (e.g. patient medical records) from unauthorised access. This paper presents a novel declarative access control model for XML-based data repositories and shows how the model allows the access control rules themselves to be expressed in XML. The paper further introduces the operational semantics of the model by describing the Xplorer engine, which supports search, browse and navigate activities on XML repositories. Xplorer takes as inputs an XML-based data schema, instance data and access control rules, and auto-generates an access-control-enabled Web application that enforces these rules.
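The abstract describes access control rules for XML repositories that are themselves written in XML and then enforced against instance data. The following is an added illustration of that idea, not code from the paper or from the Xplorer engine: the rule syntax (`<policy default="…">` with `<rule role="…" path="…" effect="…"/>` elements), the patient record and all names in it are constructed for this example, since the abstract does not give the model's actual syntax. The policy is evaluated deny-by-default, a rule applies to the element at its path and to all descendants, and the most specific matching rule wins, so a coarse allow can be narrowed by a finer deny (e.g. billing may read demographics but not the identifier inside them). The authorised view keeps only the structural skeleton needed to reach permitted elements.

```python
import xml.etree.ElementTree as ET

# Constructed access control policy (hypothetical syntax, not the paper's).
POLICY_XML = """
<policy default="deny">
  <rule role="physician" path="patient" effect="allow"/>
  <rule role="nurse" path="patient/vitals" effect="allow"/>
  <rule role="billing" path="patient/demographics" effect="allow"/>
  <rule role="billing" path="patient/demographics/ssn" effect="deny"/>
</policy>
"""

# Constructed patient record (sample data, not real).
RECORD_XML = """
<patient id="P-0001">
  <demographics>
    <name>Jane Example</name>
    <ssn>000-00-0000</ssn>
  </demographics>
  <vitals>
    <bp>120/80</bp>
  </vitals>
  <diagnosis>Example diagnosis</diagnosis>
</patient>
"""


def load_policy(xml_text):
    """Parse the XML policy into (default_effect, [(role, path_tuple, effect)])."""
    root = ET.fromstring(xml_text)
    default = root.get("default", "deny")          # deny unless told otherwise
    rules = [(r.get("role"), tuple(r.get("path").split("/")), r.get("effect"))
             for r in root.findall("rule")]
    return default, rules


def decide(policy, role, path):
    """Effect for `role` on the element at `path` (tuple of tags from the root).

    A rule matches when its path is a prefix of the element path; among the
    matching rules the longest (most specific) path wins. No match -> default.
    """
    default, rules = policy
    best = None
    for rule_role, rule_path, effect in rules:
        if rule_role != role or path[:len(rule_path)] != rule_path:
            continue
        if best is None or len(rule_path) > len(best[0]):
            best = (rule_path, effect)
    return best[1] if best else default


def authorised_view(policy, role, record_xml):
    """Return a pruned copy of the record containing only what `role` may see.

    Denied elements lose their text and attributes; they are kept as bare
    containers only if a permitted descendant exists beneath them.
    """
    def prune(elem, path):
        allowed = decide(policy, role, path) == "allow"
        out = ET.Element(elem.tag)
        if allowed:
            out.text = elem.text
            out.attrib.update(elem.attrib)
        kept = 0
        for child in elem:
            sub = prune(child, path + (child.tag,))
            if sub is not None:
                out.append(sub)
                kept += 1
        return out if (allowed or kept) else None

    root = ET.fromstring(record_xml)
    return prune(root, (root.tag,))


def visible_leaves(view):
    """List 'path=text' for every leaf with content in a view (sorted)."""
    out = []

    def walk(elem, path):
        children = list(elem)
        if not children and elem.text and elem.text.strip():
            out.append(f"{path}={elem.text.strip()}")
        for child in children:
            walk(child, f"{path}/{child.tag}")

    if view is not None:
        walk(view, view.tag)
    return sorted(out)


POLICY = load_policy(POLICY_XML)

if __name__ == "__main__":
    for role in ("physician", "nurse", "billing", "visitor"):
        view = authorised_view(POLICY, role, RECORD_XML)
        print(role, visible_leaves(view))
```

Because evaluation is path-based and the rules are ordinary XML, the same policy document can be validated against a schema, stored beside the records it governs, and reused by a generated front end that renders only the elements `authorised_view` returns; denying by default means a record element the policy never mentions is never exposed by accident.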
Copyright © 2001-2005, Robert Steele. All rights reserved.