An access control architecture for protecting health information systems

The enormous benefits that Health Information Systems (HISs) can offer in terms of quality of care and reduction in costs have led many organizations to develop such systems in their domain. Many national and international organizations have developed their HISs in according to their needs, financial availability and organizational resources (such as technology infrastructure, number of involved structures, etc.), without taking into account the possibility of communicating with other systems satisfying common security policies for distributed authorization. For this reason, the solutions are not interoperable with each other. The main cause of the lack of interoperability is the development of "no open architectures" for communication with other systems and the adoption of different technologies. This paper illustrates a technological architecture based on a set of interoperability services to enable secure communication among heterogeneous HISs. In order to protect the interoperability services, having the aim of invoking services of local HISs, an appropriate access control model is part of the proposed architecture. This Access Control Architecture described in this paper allows different HISs to interoperate each other, ensuring the protection of interoperability services among different HIS systems through the integration of the XACML architecture with the HL7 PASS services. The main architectural components needed to perform the security checks established among heterogeneous HIS are shown in detail. Finally, the use of the architecture in the Italian context is shown.