Technical Report Number
In theory, access control is a solved problem. In practice, large real-world enterprises still report trouble: de facto policy becomes unmanageable; users circumvent controls. These issues can be particularly critical in medical IT, such as emerging EMR and EHR, where access control errors can have serious repercussions. In this paper, we investigate how real-world EMR users think about access control when they are making policy decisions in the abstract, and when they are actually using the system in treatment scenarios. Mismatches suggest places ("empathy gaps") where new policy tools may be needed.
Dartmouth Digital Commons Citation
Wang, Yifei; Smith, Sean; and Gettinger, Andrew, "Access Control Hygiene and the Empathy Gap in Medical IT" (2012). Computer Science Technical Report TR2012-713. https://digitalcommons.dartmouth.edu/cs_tr/354