Date of Award

Fall 9-1-2015

Document Type


Degree Name

Doctor of Science in Information Systems


Business and Information Systems

First Advisor

Yong Wang

Second Advisor

Ashley Podhradsky

Third Advisor

Dianxiang Xu

Fourth Advisor

Mark Hawkes


Healthcare information systems deal with sensitive data across complex workflows. They often allow various stakeholders from different environments to access data across organizational boundaries. This elevates the risk of exposing sensitive healthcare information to unauthorized personnel, making ‘controlling access to resources’ a major concern. To prevent unwanted access to sensitive information, healthcare organizations need to adopt effective workflows and access control mechanisms. It is well known that aligning security policies with business objectives is a challenging task. As of now, many healthcare organizations mainly use role-based access control. It is important for them to develop workflows and properly assign roles to tasks without the policies causing obstructions. Also, many healthcare organizations are not yet considering, or do not know how to accommodate, ‘context’ as a crucial element in their workflows and access control policies. We envision a future of healthcare where ‘context’ will be considered a crucial element. We can accommodate context in workflows through a new element, ‘environment’, and in policies through the well-known attribute-based access control (ABAC) mechanism. As of now, it is hard to identify which policies are being applied to a particular workflow activity, and it is also hard to identify whether all of the access policies are being used and which of them are not.
This dissertation mainly addresses these problems by developing two methodologies, one for each scenario: (i) analyzing workflow instances for obstructions due to static and dynamic authorization policies through a new algorithm that allows organizations to properly assign users to tasks without the policies causing obstructions, and (ii) identifying workflow activities that are not protected by access control policies and improving the workflow activities and/or existing access control policies by integrating workflow activities and attribute-based access control policies using SARE (Subject, Action, Resource, and Environment) elements.
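
The coverage question in (ii) can be illustrated with a small sketch. This is an added example, not the dissertation's algorithm or code. It assumes that activities and policies are both described by exact SARE values, that `*` in a policy matches any value, and that all activity names, policy ids and attribute values are constructed.

```python
from dataclasses import dataclass

WILDCARD = "*"  # assumption: a policy field of "*" matches any value
SARE = ("subject", "action", "resource", "environment")

@dataclass(frozen=True)
class Activity:
    name: str
    subject: str       # role that performs the task
    action: str
    resource: str
    environment: str   # context, e.g. where the task is carried out

@dataclass(frozen=True)
class Policy:
    pid: str
    subject: str
    action: str
    resource: str
    environment: str

def applies(policy, activity):
    """A policy applies when every SARE field matches or is a wildcard."""
    return all(getattr(policy, k) in (WILDCARD, getattr(activity, k))
               for k in SARE)

def coverage(activities, policies):
    """Return (policies per activity, unprotected activities, unused policies)."""
    applied = {a.name: [p.pid for p in policies if applies(p, a)]
               for a in activities}
    unprotected = [name for name, pids in applied.items() if not pids]
    used = {pid for pids in applied.values() for pid in pids}
    unused = [p.pid for p in policies if p.pid not in used]
    return applied, unprotected, unused

# Constructed sample workflow and policy set (hypothetical values).
ACTIVITIES = [
    Activity("register_patient", "receptionist", "create", "patient_record", "front_desk"),
    Activity("review_chart", "physician", "read", "patient_record", "ward"),
    Activity("prescribe", "physician", "write", "prescription", "ward"),
    Activity("remote_consult", "physician", "read", "patient_record", "remote"),
]
POLICIES = [
    Policy("P1", "receptionist", "create", "patient_record", "front_desk"),
    Policy("P2", "physician", "read", "patient_record", "ward"),
    Policy("P3", "physician", "write", "prescription", WILDCARD),
    Policy("P4", "nurse", "read", "lab_result", "ward"),
]

if __name__ == "__main__":
    for part in coverage(ACTIVITIES, POLICIES):
        print(part)
```

In this sample, `remote_consult` has no applicable policy only because its environment differs from the one in `P2`, which is the kind of gap that the context element exposes.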