Access control regulation in the health care sector

This thesis is about access control in the health care sector. Access control is a function in IT systems that allows authorized users to access data they have the right to access, prevents unauthorized users from accessing data, and prevents authorized users from disclosing data unlawfully. One of the p...


Bibliographic Details
Main Author: Castro, Beatriz
Format: Others
Language: English
Published: Stockholms universitet, Juridiska institutionen 2018
Subjects:
Law
Online Access: http://urn.kb.se/resolve?urn=urn:nbn:se:su:diva-156879
id ndltd-UPSALLA1-oai-DiVA.org-su-156879
record_format oai_dc
spelling ndltd-UPSALLA1-oai-DiVA.org-su-156879 2018-06-05T06:02:26Z Student thesis info:eu-repo/semantics/bachelorThesis text application/pdf info:eu-repo/semantics/openAccess
collection NDLTD
sources NDLTD
topic Law and economics
Law
Juridik
description This thesis is about access control in the health care sector. Access control is a function in IT systems that allows authorized users to access data they have the right to access, prevents unauthorized users from accessing data, and prevents authorized users from disclosing data unlawfully. One of the pillars of access control is that a user is only authorized to access data that he or she needs to perform a task. This describes the principle of least privilege, and its objective is to ensure data's confidentiality and integrity. In the health care sector, where an increasing number of public and private actors are processing sensitive data, the application of this principle is essential to protect patients' privacy and confidence in the system. The lawmaker has incorporated the principle of least privilege in legal bodies such as the General Data Protection Regulation, the Patient Data Act and the regulation of registers that allow processing of health data. This thesis examines how the lawmaker has incorporated the principle of least privilege to protect health data. Therefore, it examines access control regulation, in particular requirements on management of access rights and log audits. The lawmaker has applied this principle through requirements on the system that should be incorporated by default and through requirements on management of access rights. The conclusion is that, given that the tendency in health care, like in other sectors, is toward automation and more focus on self-care, the requirements should be directed more to systems than medical staff.