Date posted: 23-Jan-2015
Multi-domain and Privacy-aware Role Based Access Control in eHealth

Lorenzo D. Martino, Qun Ni, Dan Lin, Elisa Bertino
This work has been supported by the IBM OCR project “Privacy and Security Policy Management” and the NSF grant 0712846 “IPS: Security Services for Healthcare Applications”.
Outline

• Healthcare is a multi-domain environment
• Privacy in e-Health
• Why RBAC?
• Core P-RBAC
• Multi-domain P-RBAC
• Conclusions and future work
Healthcare is a distributed multi-domain environment

[Diagram: the hospital (HRO) is the owning domain, with its staff of clinicians and nurses; around it are external domains (an analysis lab, an insurance company, a university) and contracted services (emergency dept. physicians, anesthesiologists).]
Privacy in healthcare

• Privacy is an important issue
– HIPAA – Healthcare Insurance Portability and Accountability Act (1996)
• Privacy protection policies
– Privacy notices, policies in NL or P3P
• Enforcing privacy policies is the key
Privacy policy management

[Diagram: laws & regulations and internal privacy & security policies are implemented through processes, procedures and controls; these can generate machine-processable policies at the application level and at the data level, which must be reconciled with each other.]
Why RBAC?

• RBAC advantages
– It is based on the notion of functional roles in an organization
– It provides a simple and natural approach to modeling organizational security policies
– It simplifies authorization administration
– It meets a large variety of security requirements and has received considerable attention from healthcare organizations: RBAC task force – Department of Veterans Affairs (VA), Department of Defense (DoD)
• However, RBAC cannot support privacy policies without some extension
Privacy-aware RBAC (P-RBAC)

• P-RBAC extends the RBAC model in order to support privacy-aware access control
• Privacy policies are expressed as permission assignments (PA); these permissions differ from permissions in classical RBAC because of the presence of additional components representing privacy-related information
Core P-RBAC

• Privacy Sensitive Data Permission (a, d, p, c, o)
Policies – an example

• For treatment purposes, patients’ medical information can be accessed by physicians, nurses, technicians, medical students, or others who are involved in the patients’ care, or by other departments of the healthcare organization for care/therapy coordination, or by contracted physician services, such as emergency department physicians, pathologists, anesthesiologists, radiologists.
Permissions in P-RBAC

(physician, read, patient.EMR.raw, treatment, subject = patient.duty_physician, ;)

• the physician role can read patient EMR content
• for treatment purpose
• patient.EMR.raw is a data object specified according to a condition:
– the subject associated to the physician role can access the data only if the subject is the patient’s on-duty physician (subject = patient.duty_physician)
Multi-domain P-RBAC

• It extends P-RBAC with:
– Role precondition: a user can be assigned to a certain role provided that the user is associated to one or more specific roles in his/her home organization
– Data profile: it allows specifying sets of data such as patient’s identification data, therapy data, prescriptions and so forth

Permissions in Ext P-RBAC

( (GP, HP, physician), read, patient.EMR.raw, treatment, subject = patient.duty_physician, ;)

• Role precondition: the physician role can be assigned to a subject provided that he/she plays the GP role in the healthcare organization HP
• the physician role can read patient EMR content
• for treatment purpose
• patient.EMR.raw is a data object specified according to a condition:
– the subject associated to the physician role can access the data only if the subject is the patient’s on-duty physician (subject = patient.duty_physician)
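To make the extended permission above concrete, the following is an added example (not the authors' code and not any P-RBAC implementation) of how such a tuple could be evaluated: the role precondition is checked against the (role, organization) pairs asserted by the user's home organization, then action, data and purpose are matched, then the condition is evaluated against the patient record. Class and field names are assumptions, and the final slot is assumed to be the obligation, which the slides leave empty.

```python
# Added example (not the authors' code): a minimal evaluator for the multi-domain
# P-RBAC permissions on the slides. Class/field names are assumptions; the last
# slot "o" is treated as the obligation, which the slides leave empty (";").
from dataclasses import dataclass

@dataclass(frozen=True)
class Permission:
    role: str             # local role receiving the permission
    precondition: tuple   # (home_role, home_org) the user must hold; () if none
    action: str           # a
    data: str             # d, e.g. the data profile patient.EMR.raw
    purpose: str          # p
    condition: str        # c, e.g. "subject = patient.duty_physician"; "" if none
    obligation: str = ""  # o, empty on the slides

@dataclass
class User:
    name: str
    home_roles: frozenset  # {(role, org)} asserted by the user's home organization

@dataclass
class Patient:
    pid: str
    duty_physician: str  # user name of the patient's on-duty physician

def role_assignable(user, perm):
    """Role precondition: the local role may be assigned only if the user's
    home organization asserts the required (role, org) pair."""
    return not perm.precondition or perm.precondition in user.home_roles

def condition_holds(user, patient, cond):
    """Evaluate the permission's condition against the request context."""
    if cond == "":
        return True
    if cond == "subject = patient.duty_physician":
        return user.name == patient.duty_physician
    raise ValueError(f"unsupported condition: {cond}")

def authorize(user, patient, action, data, purpose, perms):
    """Return the first permission that grants the request, or None (deny)."""
    for p in perms:
        if (role_assignable(user, p) and (p.action, p.data, p.purpose) == (action, data, purpose)
                and condition_holds(user, patient, p.condition)):
            return p
    return None

# Constructed policy: the slide's ((GP, HP, physician), read, patient.EMR.raw, treatment, ...)
POLICY = [Permission("physician", ("GP", "HP"), "read", "patient.EMR.raw",
                     "treatment", "subject = patient.duty_physician")]
```

A request is denied when any of the three layers fails: the home-organization role assertion is missing, the purpose differs from the one in the permission, or the requester is not the patient's on-duty physician.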
Conclusions

• Role preconditions enhance security
• Role preconditions provide a further control, in addition to user identification and authentication, by relying upon organizational control processes
• Underlying assumptions:
– a) there is a trust relationship between the owner organization and the users’ home organization, and
– b) the users’ home organization itself adopts a controlled process before declaring that its users play a certain role
Future Work

• Investigate different role provisioning strategies
• Implementation on LBAC database
• Consistency analysis techniques on privacy permissions w.r.t. data profile
Questions?

Thank you!

Lorenzo D. Martino
Computer & Information Technology Dept.
Purdue [email protected]