Андрій Сергійович Андрійчук, Анастасія Андріївна Стрєлкіна


Modern medicine has grown to an insurmountable level over the past decades. Today, this sector of human life is a high-tech industry, where all areas that can save lives of previously hopeless patients are successfully developing. The technical equipment of health care facilities has been substantially improved, it has become possible to diagnose diseases at an early stage and to quickly restore the working capacity of patients. Nevertheless, with all the advantages and capabilities of modern technology in this area, there are many problems. One of the most significant is the provision of privacy of medical information, which should be considered from both sides, both technical and regulatory. Ensuring the confidentiality of data in medical systems depends on the correct and timely organization of managing access to medical information. The US Health Insurance Portability and Accountability Act (HIPAA) is the most widespread and comprehensive regulatory document for the security of medical data. Regarding the Ukrainian normative documents, they realize the rights of the patient to receive information about their state of health, and medical systems do not have a certificate on the compliance of a comprehensive system of protection of information in accordance with the requirements of normative documents on the technical protection of information. In this article, the authors are considering designing an access control model that solves the problem of providing information security for medical systems and is based on access control based on roles with minimal constraints. The model to be developed should determine the actions and resources that are available to the user, as well as provide individual access to resources. The authors examined the existing models of access control, identified the advantages and disadvantages that formed the basis of their own model. The paper describes the creation of a role-based security policy that defines the information flows permitted by the system, based on the international regulatory document HIPAA. With the help of the developed model, it is possible to execute its storage in different ways and in any case, it is very easy to convert into a relational database


private medical information; access model; security policy model; HIPAA; RBAC


Tucker D., Healthcare Goes Digital. Available at: (accessed 18.12.2012).

U.S. Department of Health & Human Services, HIPAA Privacy Rules for the Protection of Health and Mental Health Information. Available at: (accessed 11.10.2009).

Strielkina, A., Uzun, D. Zabezpechennya kiberbezpeky medychnykh system: vyklyky i rishennya v konteksti Internetu rechey. [Cybersecurity of medical systems: challenges and solutions in the context of the internet of things]. Radioelektronni i komp'uterni sistemi - Radioelectronic and computer systems, 2017, no. 1, pp. 44–50.

U.S. Department of Health & Human Services. The HIPAA Privacy Rule. Available at: (accessed 11.10.2009)

U.S. Department of Health & Human Services. The HIPAA Security Rule. Available at: (accessed 11.10.2009).

Pravo na medychnu informatsiyu [Right to healthcare information]. Available at: (accessed 14.07.2017).

Ustiniov, O. V. Ukrayins'kyy medychnyy chasopys, Elektronna systema okhorony zdorov"ya [Digital healthcare system]. Available at: (accessed 18.07.2017).

eHealth: shcho dast' ukrayintsyam elektronna systema okhorony zdorov"ya [eHealth: What will the Ukrainian health system provide to Ukrainians]? Available at: (accessed 25.07.2017)

Yaka normatyvno-pravova baza lezhyt' v osnovi roboty systemy? [What legal framework is the basis of the system?]. Available at: (accessed 22.05.2018).

Do systemy eHealth vzhe pidklyucheno blyz'ko tysyachi medustanov [To the eHealth system already connected about a thousand medical institutions]. Available at: (accessed 22.04.2018).

U.S. Department of Health & Human Services, HIPAA Privacy Rules for the Protection of Health and Mental Health Information. Available at: (accessed 11.07.2009).

Semenova, N. Semantycheskaya rolevaya model' upravlenyya dostupom [Semantic Role-Based Access Control Model]. Applied Discrete Mathematics, 2016, no. 2(16), pp. 50-64.

Techopedia, Discretionary Access Control (DAC). Available at: (accessed 10.12.2008).

Rouse, M. Mandatory access control (MAC). Available at: (accessed 05.08.2008).



  • There are currently no refbacks.