| dc.description.abstract | In health care, access to sensitive information about patients is a necessity in order to offer care to the patient, and maintain patient safety. At the same time it is important that the information is protected against unauthorized access, to ensure patient privacy. Access control is an essential function in electronic health records (EHR) to maintain the duality between patient safety and patient privacy by ensuring that authorized personnel are allowed access to information they need. However, care processes are often unpredictable, and a number of end users can be involved in treatment across organizational units in the same health enterprise. As a consequence, it is hard to implement strict access control rules, and exception mechanisms must be used. In the specialist care, role based access control (RBAC) is mainly used as access control model, and it has since 2001 been a requirement in Norway that access control in EHR must be given on the basis of decisions about health care, so called decision based access. Within few years, this will be used in all Norwegian health enterprises. Literature shows a number of challenges with access control in EHR, but empirical data on experiences with the use and setup of decision based access, is almost nonexistent. The purpose of this study was therefore to identify what the end users and system administrators are experiencing as the most important challenges using decision based access, and what they consider important factors for the improvement of the access control. To answer this, a Delphi survey was conducted, and it is taken out reports from an EHR database. The survey and reports show that a number of challenges that have been identified in previous studies are still present. The access control is not sufficiently tailored to treatment processes, and extensive use of exception mechanisms is necessary to protect patient safety, which generates long event records that are not followed up systematically, and therefore may go at the expense of patient privacy. Possible improvements of the challenges uncovered include more education, standardization of access control, easier use of exception mechanisms and a more process oriented access control. Keywords Access Control, Delphi, Electronic Health Records, Information security, Patient safety | nb_NO |
