GPT, Ontology, and CAABAC: A Tripartite Personalized Access Control Model Anchored by Compliance, Context and Attribute

Raza Nowrozy, Khandakar Ahmed, Hua Wang

TL;DR

The paper tackles the challenge of securing EHRs in dynamically regulated healthcare environments by introducing the GPT-Onto-CAABAC framework, which fuses GPT-based policy interpretation with a medical-legal ontology and Context-Aware Attribute-Based Access Control (CAABAC). In the proposed framework, GPT internally constructs an implicit, domain-specific ontology, captures real-time context, and informs CAABAC-driven decisions, with human oversight to ensure ethical and compliant outcomes. The authors implement a proof-of-concept using OpenAI GPT-4, Protégé, and an ontology-driven dataset of 120 use-case scenarios aligned to Australian privacy laws, and report improved alignment of access decisions with complex policies together with post-decision auditing. The work contributes a high-level architecture, a methodology for policy-to-legal-ontology construction, a comprehensive evaluation plan, and a discussion of applicability beyond EHRs to other regulated domains that require adaptive, auditable access control.

Abstract

As digital healthcare evolves, the security of electronic health records (EHR) becomes increasingly crucial. This study presents the GPT-Onto-CAABAC framework, integrating Generative Pretrained Transformer (GPT), medical-legal ontologies and Context-Aware Attribute-Based Access Control (CAABAC) to enhance EHR access security. Unlike traditional models, GPT-Onto-CAABAC dynamically interprets policies and adapts to changing healthcare and legal environments, offering customized access control solutions. Through empirical evaluation, this framework is shown to be effective in improving EHR security by accurately aligning access decisions with complex regulatory and situational requirements. The findings suggest its broader applicability in sectors where access control must meet stringent compliance and adaptability standards.
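As an added illustration of the CAABAC layer the summary describes (this is not the authors' code; the attribute names, the three rules, the legal-basis labels and the sample requests are all assumptions made for this example), the following Python decision point evaluates an EHR request against subject, resource and context attributes with a deny-overrides combining rule, fails closed when no rule applies, and produces an audit record that flags break-glass permits for human review:

```python
"""Minimal context-aware attribute-based access control (CAABAC) decision point
for EHR requests: deny-overrides combining, default deny, audit record.

Added example, not the paper's code. Attribute names, rules, legal_basis
labels and sample requests are assumptions constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable


@dataclass(frozen=True)
class Request:
    subject: dict    # who: role, assigned_patients, ...
    resource: dict   # what: patient_id, sensitivity, ...
    action: str      # "read" or "write"
    context: dict    # when/where/why: time, location, emergency flag


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                          # "permit" or "deny"
    applies: Callable[[Request], bool]   # predicate over the four attribute sets
    legal_basis: str                     # placeholder label kept for the audit trail


@dataclass
class Decision:
    effect: str
    matched: list = field(default_factory=list)
    review_required: bool = False   # break-glass permits go to a human reviewer
    audit: dict = field(default_factory=dict)


def _treating_clinician(r: Request) -> bool:
    return (r.subject.get("role") == "clinician"
            and r.resource.get("patient_id") in r.subject.get("assigned_patients", ()))


def _on_site_in_hours(r: Request) -> bool:
    t: datetime = r.context["time"]
    return r.context.get("location") == "hospital" and 7 <= t.hour < 20


def _break_glass(r: Request) -> bool:
    # Emergency read by clinical staff, regardless of assignment, time or place.
    return (r.context.get("emergency") is True
            and r.subject.get("role") in {"clinician", "nurse"}
            and r.action == "read")


def _restricted_to_specialist(r: Request) -> bool:
    return (r.resource.get("sensitivity") == "restricted"
            and r.subject.get("role") != "psychiatrist")


# Constructed rule set; legal_basis strings are placeholders, not statute text.
RULES = [
    Rule("deny-restricted-record", "deny", _restricted_to_specialist, "assumed: sensitive-information clause"),
    Rule("permit-treating-clinician", "permit",
         lambda r: _treating_clinician(r) and _on_site_in_hours(r), "assumed: treating-relationship clause"),
    Rule("permit-break-glass", "permit", _break_glass, "assumed: emergency-access clause"),
]


def decide(req: Request, rules=RULES) -> Decision:
    """Deny-overrides: a matching deny wins; else a matching permit; else deny."""
    matched = [rule for rule in rules if rule.applies(req)]
    denies = [rule for rule in matched if rule.effect == "deny"]
    permits = [rule for rule in matched if rule.effect == "permit"]
    effect = "deny" if denies or not permits else "permit"   # fail closed
    names = [rule.name for rule in matched]
    # Only break-glass justified the permit: record it for post-decision review.
    review = effect == "permit" and all(p.name == "permit-break-glass" for p in permits)
    audit = {
        "decided_at": datetime.now(timezone.utc).isoformat(),
        "action": req.action,
        "subject_role": req.subject.get("role"),
        "patient_id": req.resource.get("patient_id"),
        "context": {k: (v.isoformat() if isinstance(v, datetime) else v)
                    for k, v in req.context.items()},
        "matched_rules": names,
        "legal_basis": [rule.legal_basis for rule in matched],
        "effect": effect,
        "review_required": review,
    }
    return Decision(effect, names, review, audit)


def sample_requests() -> dict:
    """Constructed sample requests covering routine, out-of-context,
    break-glass and deny-overrides cases."""
    dr = {"role": "clinician", "assigned_patients": ("P-1",)}
    rn = {"role": "nurse", "assigned_patients": ()}
    day = datetime(2024, 3, 4, 10, 0, tzinfo=timezone.utc)
    night = datetime(2024, 3, 4, 23, 0, tzinfo=timezone.utc)
    normal = {"patient_id": "P-1", "sensitivity": "normal"}
    restricted = {"patient_id": "P-1", "sensitivity": "restricted"}
    return {
        "routine": Request(dr, normal, "read", {"time": day, "location": "hospital"}),
        "after_hours_remote": Request(dr, normal, "read", {"time": night, "location": "home"}),
        "nurse_emergency": Request(rn, normal, "read", {"time": night, "location": "hospital", "emergency": True}),
        "restricted_emergency": Request(dr, restricted, "read", {"time": day, "location": "hospital", "emergency": True}),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        d = decide(req)
        print(f"{name:22} -> {d.effect:6} matched={d.matched} review={d.review_required}")
```

In the paper's architecture the GPT and ontology layers sit upstream of this point, turning policy and legal text into rules like the three hand-written ones here; the decision point itself should stay small, deterministic and fail-closed so that its audit records can be checked against the policy after the fact.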

Paper Structure

This paper contains 67 sections, 5 equations, 6 figures, 3 tables and 1 algorithm.

Figures (6)

  • Figure 1: Number of Larger Data Breaches (≥ 500 Records Per Breach) of EHR from 2009 to 2022 in USA
  • Figure 2: GPT-Onto-CAABAC
  • Figure 3: Evaluation of GPT Answers Per Category (higher is better)
  • Figure 4: Variation of Evaluation Scores of GPT Responses By Category
  • Figure 5: Comparison of our GPT-4-based prototype (left) and a practical domain knowledge LLM implementation (right)
  • ...and 1 more figure