{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,25]],"date-time":"2026-04-25T08:59:48Z","timestamp":1777107588935,"version":"3.51.4"},"reference-count":58,"publisher":"Emerald","issue":"3","license":[{"start":{"date-parts":[[2020,6,14]],"date-time":"2020-06-14T00:00:00Z","timestamp":1592092800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2020,6,14]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>An electronic health record (EHR) enables clinicians to access and share patient information electronically and has the ultimate goal of improving the delivery of healthcare. However, this can create security and privacy risks to patient information. This paper aims to present a model for securing the EHR based on role-based access control (RBAC), attribute-based access control (ABAC) and the Clark-Wilson model.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>A systematic literature review was conducted which resulted in the collection of secondary data that was used as the content analysis sample. Using the MAXQDA software program, the secondary data was analysed quantitatively using content analysis, resulting in 2,856 tags, which informed the discussion. An expert review was conducted to evaluate the proposed model using an evaluation framework.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>The study found that a combination of RBAC, ABAC and the Clark-Wilson model may be used to secure the EHR. 
While RBAC is applicable to healthcare, as roles are linked to an organisation\u2019s structure, its lack of dynamic authorisation is addressed by ABAC. Additionally, key concepts of the Clark-Wilson model such as well-formed transactions, authentication, separation of duties and auditing can be used to secure the EHR.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>Although previous studies have been based on a combination of RBAC and ABAC, this study also uses key concepts of the Clark-Wilson model for securing the EHR. Countries implementing the EHR can use the model proposed by this study to help secure the EHR while also providing EHR access in a medical emergency.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-08-2019-0100","type":"journal-article","created":{"date-parts":[[2020,6,15]],"date-time":"2020-06-15T07:37:55Z","timestamp":1592206675000},"page":"373-395","source":"Crossref","is-referenced-by-count":9,"title":["A Clark-Wilson and ANSI role-based access control model"],"prefix":"10.1108","volume":"28","author":[{"given":"Tamir","family":"Tsegaye","sequence":"first","affiliation":[]},{"given":"Stephen","family":"Flowerday","sequence":"additional","affiliation":[]}],"member":"140","reference":[{"key":"key2020071513123631200_ref001","doi-asserted-by":"publisher","first-page":"1287","DOI":"10.1007\/978-1-4419-5906-5","article-title":"Three-factor authentication","volume-title":"Encyclopedia of Cryptography and Security","year":"2011"},{"key":"key2020071513123631200_ref002","doi-asserted-by":"publisher","first-page":"371","DOI":"10.1007\/978-3-540-78238-4_38","article-title":"Access control requirements for processing electronic health records","volume-title":"International conference on business process management","year":"2007"},{"issue":"2","key":"key2020071513123631200_ref003","first-page":"65","article-title":"Multi factor authentication using mobile 
phones","volume":"4","year":"2009","journal-title":"International journal of mathematics and computer science"},{"key":"key2020071513123631200_ref004","doi-asserted-by":"publisher","first-page":"1","DOI":"10.2466\/03.CP.3.4","article-title":"Achieving saturation in thematic analysis: development and refinement of a codebook","volume":"3","year":"2014","journal-title":"Comprehensive Psychology"},{"key":"key2020071513123631200_ref005","article-title":"Findings of expert validation and review of the technology enhanced interaction framework","year":"2013"},{"key":"key2020071513123631200_ref006","doi-asserted-by":"publisher","first-page":"131","DOI":"10.1109\/FMEC.2018.8364055","article-title":"An efficient implementation of next generation access control for the mobile health cloud","volume-title":"2018 third international conference on fog and mobile edge computing (FMEC)","year":"2018"},{"key":"key2020071513123631200_ref007","volume-title":"Identity management: Concepts, technologies, and systems","year":"2011"},{"key":"key2020071513123631200_ref008","doi-asserted-by":"publisher","first-page":"398","DOI":"10.1007\/978-3-030-11932-4_38","article-title":"Proposal of a dynamic access control model based on roles and delegation for intelligent systems using realm","volume-title":"The challenges of the digital transformation in education. ICL 2018. 
Advances in intelligent systems and computing","year":"2020"},{"key":"key2020071513123631200_ref009","doi-asserted-by":"publisher","first-page":"916","DOI":"10.1007\/978-1-4419-5906-5","article-title":"Password","volume-title":"Encyclopedia of Cryptography and Security","year":"2011"},{"key":"key2020071513123631200_ref010","doi-asserted-by":"publisher","first-page":"72","DOI":"10.1007\/978-1-4419-5906-5","article-title":"Bell-LaPadula confidentiality model","volume-title":"Encyclopedia of Cryptography and Security","year":"2011"},{"key":"key2020071513123631200_ref011","doi-asserted-by":"publisher","first-page":"203","DOI":"10.1007\/978-1-4419-5906-5","article-title":"Chinese wall model","volume-title":"Encyclopedia of Cryptography and Security","year":"2011"},{"issue":"5","key":"key2020071513123631200_ref012","doi-asserted-by":"publisher","first-page":"545","DOI":"10.1188\/14.ONF.545-547","article-title":"The use of triangulation in qualitative research","volume":"41","year":"2014","journal-title":"Oncology Nursing Forum"},{"issue":"1","key":"key2020071513123631200_ref013","first-page":"41","article-title":"Modeling in confidentiality and integrity for a supply chain network","volume":"7","year":"2007","journal-title":"Communications of IIMA"},{"key":"key2020071513123631200_ref014","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1109\/SECCOM.2007.4550335","article-title":"An analysis of the Chinese wall pattern for guaranteeing confidentiality in grid-based virtual organisations","volume-title":"Proceedings of the 3rd international conference on security and privacy in communication networks","year":"2007"},{"key":"key2020071513123631200_ref015","doi-asserted-by":"publisher","first-page":"208","DOI":"10.1007\/978-1-4419-5906-5","article-title":"Clark and Wilson model","volume-title":"Encyclopedia of Cryptography and Security","year":"2011"},{"key":"key2020071513123631200_ref016","unstructured":"Deloitte (2015), \u201cIndependent review of New 
Zealand\u2019s electronic health records strategy\u201d, available at: www.health.govt.nz\/publication\/independent-review-new-zealands-electronic-health-record-strategy (accessed 28 February 2017)."},{"key":"key2020071513123631200_ref017","unstructured":"Department of Health (2012), \u201ceHealth strategy South Africa\u201d, available at: www.health-e.org.za\/wp-content\/uploads\/2014\/08\/South-Africa-eHealth-Strategy-2012-2017.pdf (accessed 28 February 2017)."},{"key":"key2020071513123631200_ref018","article-title":"The break-the-glass (BtG) principle in access control","year":"2012"},{"key":"key2020071513123631200_ref019","doi-asserted-by":"publisher","first-page":"81","DOI":"10.1007\/978-1-4419-5906-5","article-title":"Biba integrity model","volume-title":"Encyclopedia of Cryptography and Security","year":"2011"},{"issue":"3","key":"key2020071513123631200_ref020","doi-asserted-by":"publisher","first-page":"541","DOI":"10.1016\/j.jbi.2012.12.003","article-title":"Security and privacy in electronic health records: a systematic literature review","volume":"46","year":"2013","journal-title":"Journal of Biomedical Informatics"},{"issue":"3","key":"key2020071513123631200_ref021","first-page":"108","article-title":"Virtual ethnography research on second life virtual communities","volume":"12","year":"2011","journal-title":"Turkish Online Journal of Distance Education"},{"key":"key2020071513123631200_ref022","unstructured":"Frigg, R. and Hartmann, S. (2018), \u201cModels in science\u201d, available at: https:\/\/plato.stanford.edu\/archives\/sum2018\/entries\/models-science (accessed 15 December 2019)."},{"key":"key2020071513123631200_ref023","volume-title":"Securing information and communications systems: principles, technologies, and applications","year":"2008"},{"key":"key2020071513123631200_ref024","unstructured":"Garnaut, P. and Thompson, J. 
(2011), \u201cReview of data integrity models in multi-level security environments\u201d, available at: https:\/\/trove.nla.gov.au\/work\/81105835?q&versionId=94395621 (accessed 7 November 2019)."},{"key":"key2020071513123631200_ref025","volume-title":"CISSP exam cram","year":"2017","edition":"4th ed."},{"key":"key2020071513123631200_ref026","doi-asserted-by":"publisher","first-page":"63","DOI":"10.1145\/1987993.1988006","article-title":"Evaluating access control of open source electronic health record systems","volume-title":"Proceedings of the 3rd workshop on software engineering in health care","year":"2011"},{"key":"key2020071513123631200_ref027","doi-asserted-by":"publisher","first-page":"1295","DOI":"10.1109\/SCIS-ISIS.2018.00203","article-title":"Distributed authority management method based on blockchains","volume-title":"2018 joint 10th international conference on soft computing and intelligent systems (SCIS) and 19th international symposium on advanced intelligent systems (ISIS)","year":"2018"},{"key":"key2020071513123631200_ref028","volume-title":"INCITS 359-2012 information technology: Role based access control","author":"INCITS","year":"2012"},{"key":"key2020071513123631200_ref029","volume-title":"INCITS 494 information technology: Role based access control \u2013 Policy-enhanced","author":"INCITS","year":"2012"},{"key":"key2020071513123631200_ref030","doi-asserted-by":"publisher","first-page":"95","DOI":"10.1109\/ICMeCG.2012.72","article-title":"Analysis of security models based on multilevel security policy","volume-title":"2012 international conference on management of e-commerce and e-government","year":"2012"},{"key":"key2020071513123631200_ref031","doi-asserted-by":"publisher","first-page":"385","DOI":"10.1007\/978-981-13-1819-1_36","article-title":"Attribute-based access control in web applications","volume-title":"Applications of artificial intelligence techniques in engineering. 
Advances in intelligent systems and computing","year":"2019"},{"key":"key2020071513123631200_ref032","volume-title":"Content analysis: An introduction to its methodology","year":"2013","edition":"3rd ed."},{"issue":"6","key":"key2020071513123631200_ref033","doi-asserted-by":"publisher","first-page":"79","DOI":"10.1109\/mc.2010.155","article-title":"Adding attributes to role-based access control","volume":"43","year":"2010","journal-title":"IEEE Computer"},{"key":"key2020071513123631200_ref034","doi-asserted-by":"publisher","first-page":"13","DOI":"10.1057\/9781137509468_2","article-title":"General Systems Theory and Creativity","volume-title":"The Creative System in Action: Understanding Cultural Production and Practice","year":"2016"},{"key":"key2020071513123631200_ref035","doi-asserted-by":"publisher","first-page":"237","DOI":"10.1145\/1542207.1542244","article-title":"Trojan horse resistant discretionary access control","volume-title":"Proceedings of the 14th ACM symposium on access control models and technologies","year":"2009"},{"key":"key2020071513123631200_ref036","doi-asserted-by":"publisher","first-page":"73","DOI":"10.1145\/1998441.1998453","article-title":"Rumpole: a flexible break-glass access control model","volume-title":"SACMAT\u201911 proceedings of the 16th ACM symposium on access control models and technologies","year":"2011"},{"key":"key2020071513123631200_ref037","doi-asserted-by":"publisher","first-page":"1353","DOI":"10.1109\/FSKD.2018.8687163","article-title":"Discussing alternative login methods and their advantages and disadvantages","volume-title":"2018 14th international conference on natural computation, fuzzy systems and knowledge discovery (ICNC-FSKD)","year":"2018"},{"issue":"7","key":"key2020071513123631200_ref038","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1371\/journal.pmed.1000097","article-title":"Preferred reporting items for systematic reviews and meta-analyses: the PRISMA 
statement","volume":"6","year":"2009","journal-title":"PLOS Medicine"},{"key":"key2020071513123631200_ref039","doi-asserted-by":"publisher","first-page":"73","DOI":"10.1145\/2046642.2046658","article-title":"Behavioral biometrics for persistent single sign-on","volume-title":"Proceedings of the 7th ACM workshop on digital identity management","year":"2011"},{"key":"key2020071513123631200_ref040","volume-title":"Researching information systems and computing","year":"2006"},{"key":"key2020071513123631200_ref041","doi-asserted-by":"publisher","first-page":"733","DOI":"10.1109\/ICCSP.2018.8524318","article-title":"Authentication using 3 tier biometric modalities","volume-title":"2018 International Conference on Communication and Signal Processing (ICCSP)","year":"2018"},{"key":"key2020071513123631200_ref042","first-page":"37","article-title":"Federated privileged identity management for break-the-glass: a case study with OpenAM","volume-title":"Proceedings of the 2nd European workshop on Practical Aspects of Health Informatics","year":"2014"},{"key":"key2020071513123631200_ref043","doi-asserted-by":"publisher","first-page":"134","DOI":"10.1016\/j.protcy.2012.05.019","article-title":"A survey on single sign-on techniques","volume":"4","year":"2012","journal-title":"Procedia Technology"},{"key":"key2020071513123631200_ref044","article-title":"A framework to implement OpenID connect protocol for federated identity management in enterprises","year":"2017"},{"key":"key2020071513123631200_ref045","doi-asserted-by":"publisher","first-page":"93","DOI":"10.1007\/978-3-319-11460-6_9","article-title":"A review of delegation and break-glass models for flexible access control management","volume-title":"Business information systems workshops. BIS 2014. 
Lecture notes in business information processing","year":"2014"},{"key":"key2020071513123631200_ref046","doi-asserted-by":"publisher","first-page":"255","DOI":"10.1007\/978-3-319-74500-8_23","article-title":"Ensuring security in cloud computing using access control: a survey","volume-title":"Proceedings of the Mediterranean Symposium on Smart city Applications","year":"2017"},{"key":"key2020071513123631200_ref047","doi-asserted-by":"publisher","first-page":"97","DOI":"10.1007\/978-981-13-7561-3_8","article-title":"ARBAC: Attribute-enabled role based access control model","volume-title":"Security and Privacy. ISEA-ISAP 2019. Communications in Computer and Information Science","year":"2019"},{"key":"key2020071513123631200_ref048","doi-asserted-by":"publisher","first-page":"882","DOI":"10.1109\/INDIN.2018.8472068","article-title":"Overview of authentication and access controls for I&C systems","volume-title":"2018 IEEE 16th International Conference on Industrial Informatics (INDIN)","year":"2018"},{"issue":"4","key":"key2020071513123631200_ref049","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/s10916-016-0465-x","article-title":"Toward proper authentication methods in electronic medical record access compliant to HIPAA and C.I.A","volume":"40","year":"2016","journal-title":"Triangle, Journal of Medical Systems"},{"key":"key2020071513123631200_ref050","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3351108.3351130","article-title":"PoPI compliance through access control of electronic health records","volume-title":"Proceedings of ACM SAICSIT conference (SAICSIT\u201919)","year":"2019"},{"issue":"1","key":"key2020071513123631200_ref051","first-page":"69","article-title":"The research design maze: understanding paradigms, cases, methods and methodologies","volume":"10","year":"2012","journal-title":"Journal of Applied Management Accounting 
Research"},{"key":"key2020071513123631200_ref052","doi-asserted-by":"publisher","volume-title":"Introduction to Social Systems Engineering","year":"2018","DOI":"10.1007\/978-981-10-7040-2"},{"issue":"1","key":"key2020071513123631200_ref053","doi-asserted-by":"publisher","first-page":"1","DOI":"10.17705\/1jais.00284","article-title":"Evaluating and developing theories in the information systems discipline","volume":"13","year":"2012","journal-title":"Journal of the Association for Information Systems"},{"key":"key2020071513123631200_ref054","volume-title":"Principles of information security","year":"2016","edition":"5th ed."},{"key":"key2020071513123631200_ref055","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1109\/HealthCom.2016.7749426","article-title":"Anatomy of log files: implications for information accountability measures","volume-title":"2016 IEEE 18th International Conference on e-health Networking, Applications and Services (Healthcom)","year":"2016"},{"key":"key2020071513123631200_ref056","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1016\/j.future.2016.08.011","article-title":"Research issues for privacy and security of electronic health services","volume":"68","year":"2017","journal-title":"Future Generation Computer Systems"},{"key":"key2020071513123631200_ref057","doi-asserted-by":"publisher","first-page":"749","DOI":"10.1007\/978-3-319-77028-4_98","article-title":"Operating system security management and ease of implementation (passwords, firewalls and antivirus)","volume-title":"Information Technology \u2013 New Generations. 
Advances in Intelligent Systems and Computing","year":"2018"},{"issue":"5","key":"key2020071513123631200_ref058","doi-asserted-by":"publisher","first-page":"975","DOI":"10.1007\/s10916-009-9313-6","article-title":"Biometrics for electronic health records","volume":"34","year":"2010","journal-title":"Journal of Medical Systems"}],"container-title":["Information & Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-08-2019-0100\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-08-2019-0100\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:23:08Z","timestamp":1753406588000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/28\/3\/373-395\/199276"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,6,14]]},"references-count":58,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2020,6,14]]}},"alternative-id":["10.1108\/ICS-08-2019-0100"],"URL":"https:\/\/doi.org\/10.1108\/ics-08-2019-0100","relation":{},"ISSN":["2056-4961","2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"},{"value":"2056-4961","type":"print"}],"subject":[],"published":{"date-parts":[[2020,6,14]]}}}