1. Policy-based Dynamic Authorization Framework for Sharing Medical Data Apurva Mohan and Douglas M. Blough, Georgia Institute of Technology Andrew Post, Tahsin Kurc, and Joel Saltz, Emory University Traditional Approach Manual and coarse-grain access control with ad hoc representation of access control policies. Primarily static authorization rules and access control policies. Clinical and research use of the medical data is possible. Patient control over his data sharing is limited to one time opt-in or opt-out consent policy. Few authorization credentials like IRB approvals and employee credentials. All the available policies are evaluated and conflict analysis is static. Medical data access is not real time. Data disclosure is dependent on a number of policies like IRB, HIPAA, institutions’ IT policies, bi-lateral agreements, patient’s consent, and data source’s policy. Manually checking compliance with each policy is labor intensive and error prone. Even thought the medical data disclosure environment is dynamic, the authorization policies are static. Our Proposed Approach Policy-driven authorization system based on attributes. Policies consisting of subject, resource and environment attributes which change dynamically. Selection of applicable policies and conflict resolution algorithm in a dynamic fashion. Patients can specify data disclosure constraints and participation in research studies defining policies in addition to consent policies. Two-stage authorization mechanism. Core disclosure policies are made known to other members in the federation, so that authorization happens at the originating entity. Architecture using the proposed Nationwide Health Information Network (NHIN) and XACML standard. Advantages of Proposed Approach Real time access to patient data using a fine-grained authorization system. Allowing wider access to patient’s medical data with enhanced privacy protection. The patient has more control over disclosure of his medical data by defining disclosure policies, which can be modified dynamically. Dynamic determination of applicable policies and dynamic run time conflict resolution in policies. Evaluating a large number of policies with higher efficiency. Requests are authorized at originating organization, hence compromising the responding organization is more difficult. Dynamic authorization can achieve better balance between usability and security/privacy by compromising usability when threat is higher. Architecture of the proposed privacy-enhanced data sharing framework Use Case – Enrolling Patients in Research Study Authorization System PCA – Policy Combination Algorithm 2 Stage Authorization System Stage 1 – Policies and Combination Algorithm applicable to this request are chosen. Stage 2 – Applicable policies are executed. Authorization System Architecture based on Nationwide Health Information Network (NHIN) Standard. Novel Dynamic Framework for Fine-grained Authorization and Higher Performance. Case A: Access within the organization Case B: Access across different organizations Case A: Requesting permission to access patient data and schedule (Current) Case B: Patient automatically registering for advertised research study (Proposed)