
G.I. Davida and Y. Frankel (Eds.): ISC 2001, LNCS 2200, pp. 335–346, 2001. © Springer-Verlag Berlin Heidelberg 2001

A Flexible Role-Based Access Control Model for Multimedia Medical Image Database Systems

Sofia Tzelepi and George Pangalos

Informatics Laboratory, Computers Division, General Department, Faculty of Technology, Aristotelian University, Thessaloniki 54006, Greece

{tzelepi, gip}@eng.auth.gr

Abstract. Most of the work on multimedia medical images security until now has focused on cryptographic approaches. While valuable, cryptography is not enough to control access to images. Therefore additional protection approaches should be applied at a higher level. Role-based access control (RBAC) is a good candidate to provide access control in a multimedia medical image DBMS. However, in a multimedia medical image DBMS, specifications of image access rights are often based on the semantic content of the images, the attributes of the user accessing the image, the relationship between the user and the patient whose images are to be accessed and the time. Unfortunately, RBAC cannot be used to handle the above requirements. In this paper we describe an extended RBAC model by using constraints in the specification of the Role-Permission relationship. The proposed access control model preserves the advantages of scaleable security administration that RBAC-style models offer and yet offers the flexibility to specify very fine-grained, flexible, content, context and time-based access control policies.

1 Introduction

In many health care information systems medical images are an important part of the multimedia medical patient record. Most of the work on multimedia medical images security until now has focused on cryptographic approaches [1], [2], [3]. While valuable, cryptography is not enough to control access to medical images. Cryptography can only control secrecy and authentication aspects, but cannot handle for example different types of access by different users, fine-grained restrictions at the level of individual users and specific images, content, context and time-based access to images [4]. Therefore additional approaches should be applied at a higher level. The health care information systems are generally characterized by users with a diverse set of qualifications and responsibilities that can naturally be mapped to various roles. As such, it appears that role-based access control (RBAC) is a good candidate to provide access control, since roles accurately describe which types of people need access to certain types of objects.


Role-based access control (RBAC) is proposed and studied as an alternative for mandatory (MAC) and discretionary (DAC) access control approaches. In RBAC, it is possible to simplify the complicated form of an organization’s access control policy. Access decisions are based on the roles that are part of an organization. RBAC is a non-discretionary access control in which the system administrator allows the role’s permissions to the user by defining user, role, and permission. The system administrator divides roles according to operations in an organization. The administrator of the system or organization gives access permissions to roles and users are endowed with roles according to their responsibility and obligation. Users who are granted a role in the system can carry out their work with their role permissions. In case of changing access control policy, the system supervisor can easily grant a new permission to the role or eliminate an existing one. Because access permissions are granted to roles (permissions are associated with roles), not to users, it is possible to manage access control policy more efficiently. There are many variations of RBAC, but the basic architecture of RBAC is that permissions are assigned to roles (not directly to users) and roles are assigned to users [5].

The notion of roles is an important factor in authorization rules, but in a multimedia medical image database system context, in order to be effective, it has to be used in conjunction with the following information:

• Semantic content of the images: image access is naturally described in terms of its semantic contents, for example, all images presenting a cancer of the lung must not be made available to physicians who are accessing information from a non-trusted domain.

• Domain: what domain of the health system a particular caregiver works for. For example, medical images belong to certain departments and are not accessible by certain physicians, or a physician may be permitted to access only medical images of his/her subordinates and their subordinates, recursively.

• Location: where the user is accessing information services from. Location information is used in several types of authorization rules. One type uses location to identify the trust domain where the user is accessing information services from. A reasonable policy would deny access to any sensitive information to anyone accessing it from such areas. Location can also be used to derive the emergency level of access. A policy can allow read access to all images of all patients for any user assigned to the role physician and accessing the information from an emergency room.

• Time: time constraints specify the validity periods for a policy.

• Relationship: what is the relationship between the user and the patient whose images are to be accessed. Some types of relationships that need to be managed in the healthcare context are: patient’s primary care provider; admitting, attending, referring, or consulting physician of a particular patient; part of the patient care team; healthcare staff explicitly assigned to take care of the patient; patient’s immediate family; patient’s legal counsel or guard; personal pastoral care provider.

Unfortunately, RBAC cannot be used to handle the above requirements [6]. In order to overcome this problem, in this paper we propose an extended role-based access control model by considering, in the specification of the Role-Permission relationship phase, the constraints which must be satisfied in order for the holders of the permission to use those permissions. The use of constraints allows role-based access control to be tailored to specify very fine-grained, flexible, content, context and time-based access control policies. The proposed access control model preserves the advantages of scaleable security administration that RBAC-style models offer and yet offers the flexibility to specify complex access restrictions based on the semantic content of the images, the attributes of the user accessing the image, the relationship between the user and the patient whose images are to be accessed and the time.

A subset of Object Constraint Language (OCL) [7] is used for specifying constraints. In the development of content-based constraints a simplified medical image model for describing the semantic content of a medical image is used. The medical image can be viewed as pairs of iso-semantic regions and signals in respect with an anatomic and a pathological model [8]. Moreover, medical images are associated with complementary textual patient information.

The rest of this paper is structured as follows. Section 2 introduces related work and contrasts it with our work. The proposed RBAC and the detailed specification of its components are described in section 3. Section 4 introduces the medical image data model. Section 5 presents the access control mechanisms and the algorithm proposed in this paper. Section 6 introduces the access control architecture and section 7 concludes the paper.

2 Related Work

As mentioned above, one of the problems of applying RBAC to multimedia medical image DBMS is the specification and enforcement of fine-grained access control at the level of individual users and specific images [3]. For example, just because the doctor’s role enables a set of accesses to medical images does not mean that the doctor’s role should provide access to all medical images. A doctor can only access the medical images for those patients currently assigned to this doctor. There have been several approaches for creating an instance level policy for roles by using the notion of team-based access control (TMAC) [3] or by introducing parameterized roles to RBAC models [4], [5].

An alternative approach to specify and enforce fine-grained access control at the level of individual users and specific images is proposed in this paper by considering, in the specification of the Role-Permission relationship phase, the constraints which must be satisfied in order for the holders of the permission to use those permissions. Furthermore, constraints offer also the ability to specify complex access restrictions based on the semantic content of the images, the attributes of the user accessing the image, the relationship between the user and the patient whose images are to be accessed and the time.

Constraints have also been addressed in [10]. In [10] content-based access control is enforced by simply specifying some constraints against attribute values of data objects. In contrast, due to the nature of medical images, content-dependent access control for a medical image database system must be based on the semantics of the medical images, rather than on the attributes characterizing them. Medical image attributes often only deal with physical characteristics of the medical images (for example, acquisition device, direction, format,…) and therefore are not significant for access control.

In the development of content-based constraints specification a simplified medical image model for describing the semantic content of a medical image is described in the next section.

3 The Underlying Medical Image Data Model

For content-based access control, medical image databases must have capabilities to recognize and quantitate image content and merge the quantitated image data with textual patient data into a common data model [11]. For the past three decades, the medical image processing community has actively pursued efficient algorithms that can extract and quantify semantic objects from images. Established algorithms can be readily integrated into a multimedia medical DBMS for image segmentation, texture analysis, content extraction and image registration. These can be performed automatically or interactively depending on the difficulty of segmenting and extracting semantic structures.

In this section, we use in the development of our content-based access control model a simplified medical image model introduced in [8]. Our emphasis in this paper will be on the development of our content-based access control model rather than on modeling effectively multimedia medical data. In [8], the medical image model represents

• what is the image (i.e. the pictorial attributes of image)
• what is around the image (i.e. the context)
• and finally what is in the image (i.e. the content)

Figure 1 illustrates the medical image data model. The attributes of the IMAGE entity describe the type of the image (such as the acquisition device (scanner, MRI,…)), the direction (sagittal, coronal, axial) and the format. The attributes of the PATIENT entity describe what is “around” the image such as the data about the patient. Finally, we need a model to describe the semantic content of a medical image.

A medical image usually shows an organic structure, where pathological signals can be detected in special places. The content-based constraints we are concerned with deal with the presence or absence (and eventually with the characteristics) of a referenced object in a particular location of the image. Therefore, the semantic content of a medical image can be described in terms of iso-semantic regions and signs: the regions allow to define and name the location place, the signs are the referenced objects, subjects of the content-based constraints. Our methodology uses an anatomical model to capture some iso-semantic regions in a medical image, and a pathological model to capture the signs, i.e. the “signals” in their medical definition (see figure 2).

Fig. 1. Medical image model

The anatomical model. In order to describe an organic structure, we propose a decomposition of the organ into substructures that are the iso-semantic regions defined above. These iso-semantic regions are defined by the doctors and are a representation which is near to an anatomic plan of the human body. The edges of the regions define zones that have for example a same nature and/or role. A region is characterized by its name, its nature (vascular, porous), and its role. The location of a signal will not be defined with mathematical coordinates but by giving the name of the region where it appears.

The pathological model. It is necessary to complement the anatomical model with a pathological model. This builds regions where signals can be identified in a non-ambiguous manner. Indeed, each region is associated to the set of signals that is consistent with it. This relationship becomes an integrity constraint when formulating a content-based constraint or adding an image in the database. The signals have attributes for their name, nature, and gravity. To enhance the model, the SIGNAL entity can be specialized according to its nature. Overriding then can be needed, for example, to represent additional attributes such as height or weight for a signal of type “tumor”.

We use the anatomical model and the pathological model to build a semantic descriptor of an image. Indeed, an image visualizes a list of syndromes, i.e. a list of regions injured by several signals. Consequently, the semantic descriptor of an image is an entity SYNDROME, set of pairs (region, set of signals). The syndrome is the transcription of what the doctor can see in the image.

Fig. 2. Semantic content of an image

4 An Extended Role-Based Access Control Model for Multimedia Medical Image Databases

The basic components of a simplified RBAC model are Users, Roles, Permissions, User-Role (U-R) relationship and Role-Permission (R-P) relationship. User is a person who uses the system or an application program in the system. Membership to roles is granted to users based on their obligation and responsibility in the organization. The operation of a user can be carried out based on the user’s role.

Role is a set of functional responsibilities within the organization. The system administrator defines roles and assigns them to users. A User-Role (U-R) relationship represents collection of a user and a role.

A permission is the way for the role to access more than one object in the system. The terms authorization, access right and privilege are also used in the literature to denote a permission. Permissions are always positive and confer the ability to the holder of the permission to perform some actions in the system. A Role-Permission (R-P) relationship describes which role is assigned to perform what kind of permission in the organization.

In this paper, an extended simplified role-based access control model for multimedia medical image database systems is presented. Two major extensions to the model are introduced. The first extension introduces the notion of user attributes. As mentioned above, there is a need to use user attributes for providing access control. User attributes include among other things the user name, his domain (e.g. position) in the management hierarchy and his location.

[Diagram labels for Fig. 2: entities ORGAN (id_organ, name, nature, function, description), REGION (id_region, name, description) and SIGNAL (id_sign, name, nature, description); relationships compose and can_injure.]


A domain is a collection of subjects/objects which have been explicitly grouped together for the purposes of management. It is used to partition the enterprise management scope according to geographical boundaries, administrative departments, etc. For example, subjects/objects inside a department may be grouped in a domain. The concept of a domain is very similar to that of directory in a typical hierarchical file system. The authorization which applies to a domain will, by default, propagate to sub-domains and to the objects within them. User attributes are presented as follows:

<user_id, user_name, domain, location>

where user_id is the user identifier, user_name is the user name, domain is the department of the health system the user works on and location is the place where the user is accessing information services from. The attribute location is dynamic.

The second extension concerns the Role-Permission relationship. In the proposed model, we consider in the specification of the Role-Permission relationship phase, the constraints which must be satisfied in order for the holders of the permission to use those permissions. In this case, each Role-Permission relationship is a decision rule, which specifies, besides the access modes the holder s of the permission is authorized for on image(s) i, also the constraints to be satisfied in order for s to exercise the access modes. Constraints are based on the semantic content of the images, the attributes of the user accessing the image, the relationship between the user and the patient whose images are to be accessed and the time.

In a multimedia medical database context, the general form of a Role-Permission relationship is a 5-tuple

<identifier, s: r, {action}, t: target, constraints(s, t)>

According to the above definition, a Role-Permission relationship has the following components:

• identifier: it is used to identify uniquely the permission
• s: subject to which the permissions apply
• r: role which can process this permission. Subject s is authorized for role “r”
• action: it is the operation, which is to be processed by role
• t: object on which actions are to be performed
• target: it is the object type
• constraints(s, t): limit the applicability of the permission. Constraints must be satisfied by s and t.

In a multimedia medical database context low level operations, such as physical read and write operations, are not semantically meaningful for access control in multimedia medical image database. Therefore, in our model we introduce a set of abstract operations that are relevant to the way users actually access medical images.

Users of medical images database go through the following stages. The user first submits a request for a given image. The medical image database server processes the request, and returns to the user either the annotations associated with the image, or the requested image in thumbnail format. The user can then request the display of the full-resolution image in the main display window. Another group of operations for which access control should also be provided includes operations for processing, annotating, deleting the images or for introducing new ones. In general, authorizations to perform such operations should be given to few, selected users. For example, Saving, on the main archive, is almost always reserved for radiology. Deleting is reserved for the security administrator but only with dual access code security, i.e. someone else with security must be present and authorize the deletion. Retrieve, annotate, process can be performed by anyone with the proper access. The different modes of operation, image access privileges, that are provided as part of our model are described in Table 1.

Application example: In the following example we consider a health-care organization security policy. In this example we have a health-care organization composed of several hospitals, and each hospital is structured into some divisions. A primary physician is assigned to a division and he/she can only access medical images for those patients currently assigned in that division and to this doctor. In order to achieve such policy, we define the following role-permission relationship:

{dp1, s: Primary_Physician, {view}, t: Image, domain_user(s) = domain(t) ∧ s ∈ carrying_physicians(t)}

The function domain_user gives us the domain associated with a user. For instance the domain associated to the primary physician “John Smith” is “hospital1/div2”. Based on the above policy, “John Smith” can only access medical images for those patients currently assigned in the domain “hospital1/div2” and to the doctor “John Smith”.

In the following section we present a detailed specification of the constraints.

Table 1. Image privileges provided by the access control model

Privilege         Meaning
View_annotation   To display the results as the associated annotations only.
View_thumbnail    To display the requested image in thumbnail format. It speeds up the query response time.
Display           To display the full-resolution image in the main display window.
Edit_annotation   To edit the annotations of the images.
Edit_image        To process, delete or add images to medical images database.

4.1 Constraints

As said above, an important element of each role-permission relationship is the set of constraints which must be satisfied in order for the holders of the permission to use the permissions. Constraint definitions allow constraints to be separately defined and multiply used. A subset of Object Constraint Language (OCL) is used for specifying constraints which limit the applicability of the permission, for example to a particular time interval or according to the state of the system.


The following are some examples of constraint expressions:

• domain_user(s) = domain(x) ∧ s ∈ carrying_physicians(x)
The function domain_user gives us the domain associated with a user. The function domain gives us the domain associated with an image. The function carrying_physicians(x) gives us the set of physicians associated with patient’s image x.

• “lung” ∈ regions(x) ∧ “cancer” ∈ signals(x, “lung”)
This expression denotes all images (x) that present a cancer of the lung. The function regions gives us the set of regions associated with an image. The function signals gives us the set of signals located in a particular region of an image.

• “left ventricle” ∈ regions(x) ∧ “tumor” ∈ signals(x, “left ventricle”) ∧ height(x, “left ventricle”, “tumor”) > 1cm
This expression denotes all images (x) that present a tumor with a height of more than 1 cm on the left ventricle. The function height gives us information about the attributes of the signal “tumor”.

• time.between("1600", "1800")
This expression limits the policy to apply between 4:00pm and 6:00pm.

5 Access Control

The main goal of the access control mechanism is to verify whether user u, trying to access image i, using a privilege p, under a certain role r, is authorized to do so, according to access control restrictions enforced by that role. The access control algorithm is specified in Figure 3.

6 System Architecture

The complete system architecture is depicted in Figure 4. The authorization manager is responsible for the full management of the Role-Permission relationships base, the User-Role relationships base and the User attributes base. Through the authorization manager, the security administrator can add, modify, or delete User-Role relationships, Role-Permission relationships and User attributes. The access control manager implements the access control algorithm in section 5. The image data manager is responsible for handling of images. Each time a new image is acquired by the medical image database system, it is first processed by the image postprocessing manager, which extracts the semantic content from this image. Information on the semantic content is then stored and used to perform content-based access control restrictions. In particular, in our working prototype we used in the development of our content-based access control model a content-based image interpretation computerized method introduced in [12]. The work in [12] consists of the detection of brain lesions on SPECT images.


We used a relational database management system (Oracle8) to implement our image model as described in section 3 and to store all necessary data (e.g. Role-Permission relationships, User-Role relationships, User attributes). The whole application is written in Pro*C/C++. In our implementation a constraint is evaluated only when a role is activated for a user. A more sophisticated solution might be implemented within an active database system. Trigger mechanisms might be used to dynamically change the user’s set of permissions as soon as a specified constraint is no longer satisfied.

____________________________________________________________________

ALGORITHM 1. Access control Algorithm
INPUT: [1] An access request (u, r, i, p), [2] The User-Role relationship set, [3] The Role-Permission relationship set, [4] The user attributes set
OUTPUT: [1] ACCEPT, [2] REJECT otherwise
METHOD:

    If (Is_role_members(u, r) ∧ Is_role_operations(p, r)) then
        If (evaluation_constraints(u, i, p, r, cn)) then Return (ACCEPT)
        Else Return (REJECT)
    Else Return (REJECT)

The function Is_role_members(u, r) returns TRUE if user u is authorized for role r, else returns FALSE. The function Is_role_operations(p, r) returns TRUE if operation p is associated with role r, else returns FALSE. The function evaluation_constraints(u, i, p, r, cn) returns TRUE if image i and user u satisfy the constraints cn that are associated to the role r, else returns FALSE.

Fig. 3. Access control algorithm
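
Algorithm 1, the Role-Permission 5-tuple and the constraint expressions of Section 4.1, worked through in Python as an added example (it is not the authors' Pro*C/C++ prototype). The class and function names, the user Mary Jones, the role Radiologist and the rule dp2 are assumptions made for illustration; the sketch also assumes that several rules for one role are alternatives with default deny, and it evaluates constraints on every request rather than only at role activation.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set

ACCEPT, REJECT = "ACCEPT", "REJECT"

@dataclass
class User:
    """User attributes as given on the page: <user_id, user_name, domain, location>."""
    user_id: str
    user_name: str
    domain: str
    location: str

@dataclass
class Image:
    """Target object t. `syndrome` is the semantic descriptor:
    a mapping region -> set of signals seen in that region."""
    image_id: str
    domain: str
    carrying_physicians: FrozenSet[str]
    syndrome: Dict[str, FrozenSet[str]]

# A constraint is a predicate over (subject s, target t, request time "HHMM").
Constraint = Callable[[User, Image, str], bool]

def same_domain(s, t, now):
    # domain_user(s) = domain(t)
    return s.domain == t.domain

def is_carrying_physician(s, t, now):
    # s ∈ carrying_physicians(t)
    return s.user_id in t.carrying_physicians

def shows(region, signal):
    # region ∈ regions(x) ∧ signal ∈ signals(x, region)
    def check(s, t, now):
        return signal in t.syndrome.get(region, frozenset())
    return check

def time_between(start, end):
    # time.between("1600", "1800"); zero-padded HHMM strings compare correctly.
    # Assumption: the window does not wrap past midnight.
    def check(s, t, now):
        return start <= now <= end
    return check

@dataclass
class RolePermission:
    """<identifier, s: r, {action}, t: target, constraints(s, t)>"""
    identifier: str
    role: str
    actions: Set[str]
    target: str
    constraints: List[Constraint]   # all must hold (conjunction)

class AccessControlManager:
    def __init__(self, user_roles, role_permissions):
        self.user_roles = user_roles              # user_id -> set of roles
        self.role_permissions = role_permissions  # list of RolePermission

    def is_role_member(self, u, r):
        return r in self.user_roles.get(u.user_id, set())

    def check(self, u, r, i, p, now):
        """Algorithm 1 for the request (u, r, i, p), evaluated at time `now`."""
        if not self.is_role_member(u, r):
            return REJECT
        for rp in self.role_permissions:
            if rp.role != r or p not in rp.actions:
                continue   # operation p is not associated with r by this rule
            if all(c(u, i, now) for c in rp.constraints):
                return ACCEPT
        return REJECT      # default deny: no rule granted the request

# --- constructed sample data (John Smith, hospital1/div2 and dp1 are the page's) ---
JOHN = User("u1", "John Smith", "hospital1/div2", "ward")
MARY = User("u2", "Mary Jones", "hospital1/radiology", "reading_room")
IMG_OWN = Image("img1", "hospital1/div2", frozenset({"u1"}),
                {"lung": frozenset({"cancer"})})
IMG_OTHER_DIV = Image("img2", "hospital1/div3", frozenset({"u1"}),
                      {"lung": frozenset()})
IMG_OTHER_DOC = Image("img3", "hospital1/div2", frozenset({"u9"}), {})

ACM = AccessControlManager(
    user_roles={"u1": {"Primary_Physician"}, "u2": {"Radiologist"}},
    role_permissions=[
        RolePermission("dp1", "Primary_Physician", {"view"}, "Image",
                       [same_domain, is_carrying_physician]),
        # dp2 is hypothetical: content-based and time-based constraints combined.
        RolePermission("dp2", "Radiologist", {"Display"}, "Image",
                       [shows("lung", "cancer"), time_between("1600", "1800")]),
    ],
)
```

Because the request time is an argument of check, the same Display request is accepted inside the 16:00 to 18:00 window and rejected after it, which is the behaviour the trigger-based refinement in Section 6 aims for.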

7 Summary

The RBAC model and mechanism have proven to be useful and effective. Nevertheless, there are many common examples where access decisions must include other factors, in particular, as the semantic content of the images, the attributes of the user accessing the image, the relationship between the user and the patient whose images are to be accessed and the time. In this paper, the above factors are expressed using constraints in the specification of the Role-Permission relationship. The use of constraints allows role-based access control to be tailored to specify very fine-grained, flexible, content, context and time-based access control policies. The proposed access control model preserves the advantages of scaleable security administration that RBAC-style models offer and yet offers the flexibility to specify complex access restrictions.

From our development and implementation experience we are convinced that the proposed model provides significant capabilities to model and implement access control restrictions in a flexible manner, so as to meet the needs of multimedia medical image database management systems.


Fig. 4. System architecture for a secure multimedia medical image DBMS

[Diagram labels for Fig. 4: Security Administrator; Authorization manager; R-P relationship base; U-R relationship base; User attributes base; Access Control Manager; End User Application Programs; Image Data Manager; Image Post-processing manager; Other Components of Medical Image Database System.]

References

1. J. P. Smith, “Authentication of Digital Medical Images with Digital Signature Technology”, Radiology 1995, 194, pp. 771-774.

2. S. T. C. Wong, “A Cryptologic-Based Trust Center for Authenticating Medical Images”, J. American Medical Informatics Assoc., Vol. 3, No. 6, Nov./Dec. 1996, pp. 410-421.

3. R. B. Wolfgang and E. J. Delp, “Overview of image security techniques with applications in multimedia systems”, SPIE Conference on Multimedia Networks: Security, Displays, Terminals and Gateways, Vol. 3228, November 2-5, 1997, Dallas, Texas, pp. 297-3308.

4. E. B. Fernandez and K. R. Nair, “An Abstract Authorization System for the Internet”, in Proceedings of the 9th International Workshop on Database and Expert Systems Applications, 1998.

5. R. Sandhu, E. J. Coyne, H. L. Feinstein, and C. E. Youman, “Role-based access control models”, IEEE Computer, 29(2), February, 1996.

6. R. K. Thomas, “Team-based access control (TMAC): A primitive for applying role-based access controls in collaborative environments”, ACM RBAC’97, 1997.

7. Rational Software Corporation, Object Constraint Language Specification, Version 1.1, Available at http://www.rational.com/uml/, September 1997.

8. A. Tchounikine, “Creation and content-based retrieval in a radiological documentary record”, in Proceedings of the 3rd Basque International Workshop on Information Technology, 1997.

9. L. Giuri and P. Iglio, “Role templates for content-based access control”, in Proceedings of the Second ACM Role-Based Access Control Workshop, November 1997.

10. E. C. Lupu and M. Sloman, “Reconciling role-based management and role-based access control”, in Proceedings of the Second ACM Role-Based Access Control Workshop, November 1997.

11. S. T. C. Wong and H. K. Huang, “Design methods and architectural issues of integrated medical image data based systems”, Computerized Medical Imaging and Graphics, Vol. 20, No 4, pp. 285-299, 1996.

12. E. A. Stamatakis, M. F. Glabus, D. J. Wyper, A. Barnes and J. T. L. Wilson, “Validation of Statistical Parametric Mapping (SPM) in Assessing Cerebral Lesions: A Simulation Study”, NeuroImage 10, 397-407 (1999).

