DOI: 10.4018/IJKBO.2018040104
International Journal of Knowledge-Based Organizations
Volume 8 • Issue 2 • April-June 2018
Copyright © 2018, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
A Conceptual Framework for an Extension Access Control Models in Saudi Arabia Healthcare Systems
Amin Shaqrah, College of Computer Science and Engineering in Yanbu, Taibah University, Medina, Saudi Arabia
Talal Noor, College of Computer Science and Engineering in Yanbu, Taibah University, Medina, Saudi Arabia
ABSTRACT
This article aims to develop an extension access control models framework for Saudi Arabian healthcare systems. The conceptual framework acts as an overarching structure that organizes and supports the efforts of several healthcare standards, reflecting the coherence of the confidentiality, integrity, and availability triad, in order to achieve the strategic business objectives of Saudi Arabian healthcare institutions. It considers three common access control models developed by the ACM institute and extends them with other criteria identified by the National Institute of Standards and Technology. While the literature explains that an easy-to-use access control model can lead to a successful healthcare system, understanding the extension of access control systems is vital for Saudi Arabian healthcare institutions to protect resources against unauthorized use. This article has taken a step in this direction.
KEYWORDS
Access Control Models, Saudi Arabia Healthcare Systems, Security Policies
INTRODUCTION
The purpose of information security in Healthcare Information Systems (HIS), in general, is to guarantee the Confidentiality, Integrity, and Availability (CIA) of the data (Srisakthi and Shanthi, 2015). Confidentiality of the data is the protection that ensures only those with appropriate rights and verified permissions may access certain data (Whitman et al., 2013); data should not be disclosed to unauthorized entities. Integrity in general means sustaining and ensuring the accuracy of data over its entire life cycle. In HIS, integrity of the data means that data should not be modified by unauthorized entities or persons. Availability, finally, means protecting HIS data and resources against unofficial or accidental withholding. To ensure HIS security, countries enact laws and regulations that healthcare organizations must follow. In the US there are three acts, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Sarbanes-Oxley Act (SOX), that contain provisions to protect personal information from being revealed to or retrieved by unauthorized persons, entities, or processes (Gopalan et al., 2012). HIPAA upholds principles for the handling and release of Protected Health Information (PHI), which is any data about health status, provision of health care, or health care expenses that can be connected to an individual (Lerouge et al., 2007).
To protect PHI, healthcare organizations need to enforce patients' rights by using a set of policies and technologies. Access control models were introduced to address the privacy problem and to grant permission to access PHI only to authorized persons. Access control models are used to prevent