
Multi-domain and Privacy-aware Role Based Access Control in eHealth

Date post: 23-Jan-2015
Description:
A multi-domain privacy aware access control system based on RBAC extended with role roaming and data profiles
Page 1: Multi-domain and Privacy-aware Role Based Access Control in eHealth

Lorenzo D. Martino, Qun Ni, Dan Lin, Elisa Bertino

This work has been supported by IBM OCR project “Privacy and Security Policy Management” and the NSF grant 0712846 “IPS: Security Services for Healthcare Applications”.

Page 2: Outline

• Healthcare is a multi-domain environment
• Privacy in e-Health
• Why RBAC?
• Core P-RBAC
• Multi-domain P-RBAC
• Conclusions and future work

Page 3: Healthcare is a distributed multi-domain environment

[Figure: diagram labels: Hospital (owning domain); Staff: clinicians, nurses; Contracted service: emergency dept. physicians; Contracted service: anesthesiologists; HRO; External domain labels: Analysis Lab., Insurance, University.]

Page 4: Privacy in healthcare

• Privacy is an important issue
  – HIPAA – Healthcare Insurance Portability and Accountability Act (1996)
• Privacy protection policies
  – Privacy notices, policies by NL or P3P
• Enforcing privacy policies is the key

Page 5: Privacy policy management

[Figure: diagram labels: Laws & regulations; Internal privacy & security policies; Processes, Procedures, Controls; Machine-processable policies; Application-level policies; Data-level policies; “Can generate”; “Reconciliation”.]

Page 6: Why RBAC?

• RBAC advantages
  – It is based on the notion of functional roles in an organization
  – It provides a simple and natural approach to modeling organizational security policies
  – It simplifies authorization administration
  – It meets a large variety of security requirements and has received considerable attention by healthcare organizations: RBAC task force - Department of Veterans Affairs (VA), Department of Defense (DoD)
• However, RBAC cannot support privacy policies without some extension

Page 7: Privacy-aware RBAC (P-RBAC)

• P-RBAC extends the RBAC model in order to support privacy-aware access control

• Privacy policies are expressed as permission assignments (PA); these permissions differ from permissions in classical RBAC because of the presence of additional components, representing privacy-related information

Page 8: Core P-RBAC

• Privacy Sensitive Data Permission (a, d, p, c, o)

Page 9: Policies – an example

• For treatment purposes, patients’ medical information can be accessed by physicians, nurses, technicians, medical students, or others who are involved in the patients’ care or by other departments of the healthcare organization for the care/therapy coordination or by contracted physician services, such as emergency department physicians, pathologists, anesthesiologists, radiologists.

Page 10: Permissions in P-RBAC

(physician, read, patient.EMR.raw, treatment, subject = patient.duty_physician, ;)

• the physician role can read patient EMR content
• for treatment purpose
• patient.EMR.raw is a data object specified according to a condition:
  – the subject associated to the physician role can access the data only if the subject is the patient’s on duty physician - subject = patient.duty_physician -

Page 11: Multi-domain P-RBAC

• It extends P-RBAC with:
  – Role precondition: a user can be assigned to a certain role provided that the user is associated to one or more specific roles in his/her home organization
  – Data profile: it allows specifying sets of data such as patient’s identification data, therapy data, prescriptions and so forth

Page 12: Permissions in Ext P-RBAC

((GP, HP, physician), read, patient.EMR.raw, treatment, subject = patient.duty_physician, ;)

• Role precondition: the physician role can be assigned to a subject provided that he/she plays the GP role in the Healthcare organization HP
• the physician role can read patient EMR content
• for treatment purpose
• patient.EMR.raw is a data object specified according to a condition:
  – the subject associated to the physician role can access the data only if the subject is the patient’s on duty physician - subject = patient.duty_physician -
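An added example, not taken from the slides, that evaluates the extended permission above with default deny. It reads the components after the role as action, data, purpose and condition and ignores the trailing empty component; the class and function names, the trust list, the users and the record are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Tuple

@dataclass(frozen=True)
class Subject:
    user_id: str
    home_org: str          # organization that vouches for the user
    home_roles: frozenset  # roles the home organization asserts for the user

@dataclass(frozen=True)
class Permission:
    role: str
    precondition: Tuple[str, str]  # (home role, home organization)
    action: str
    data: str
    purpose: str
    condition: Callable[[Subject, dict], bool]

def precondition_holds(s, p, trusted_orgs):
    home_role, org = p.precondition
    return org in trusted_orgs and s.home_org == org and home_role in s.home_roles

def decide(s, role, action, data, purpose, record, perms, trusted_orgs):
    """Return (allowed, reason); a request no permission covers is denied."""
    reason = "no permission for this role/action/data/purpose"
    for p in perms:
        if (p.role, p.action, p.data, p.purpose) != (role, action, data, purpose):
            continue
        if not precondition_holds(s, p, trusted_orgs):
            reason = "role precondition not met"
        elif not p.condition(s, record):
            reason = "condition not met"
        else:
            return True, "permitted"
    return False, reason

# The slide's permission; the trust list, record and users are constructed.
PERMS = [Permission("physician", ("GP", "HP"), "read", "patient.EMR.raw", "treatment",
                    lambda s, rec: s.user_id == rec["duty_physician"])]
TRUSTED = {"HP"}
RECORD = {"duty_physician": "alice"}

def demo():
    gp = frozenset({"GP"})
    cases = [(Subject("alice", "HP", gp), "treatment"),           # on-duty GP from HP
             (Subject("bob", "HP", gp), "treatment"),             # GP, not on duty
             (Subject("alice", "OtherClinic", gp), "treatment"),  # untrusted home org
             (Subject("alice", "HP", gp), "research")]            # purpose mismatch
    return [decide(s, "physician", "read", "patient.EMR.raw", purpose,
                   RECORD, PERMS, TRUSTED) for s, purpose in cases]
```

The third case reuses the on-duty physician's user id from a different organization and is still denied, because the role precondition is checked against the home organization before the data condition is evaluated.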

Page 13: Conclusions

• Role preconditions enhance security
• Role preconditions provide a further control in addition to user identification and authentication, by relying upon organizational control processes
• Underlying assumptions:
  – a) there is a trust relationship between the owner organization and the users’ home organization, and
  – b) the users’ home organization itself adopts a controlled process before declaring that its users play a certain role

Page 14: Future Work

• Investigate different role provisioning strategies
• Implementation on LBAC database
• Consistency analysis techniques on privacy permissions w.r.t. data profile

Page 15: Questions?

Page 16: Thank you!

Lorenzo D. Martino
Computer & Information Technology Dept.

Purdue [email protected]

