Adaptable Access Control Policies for Medical Information Systems

Verhanneman, Tine; Jaco, Liesbeth; Win, Bart De; Piessens, Frank; Joosen, Wouter

doi:10.1007/978-3-540-40010-3_12

Cited by 7 publications

(5 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We define security rules and provide a corresponding engine to grant or deny access requests. This generic approach is common in the literature [11,33,55,58,59]. We further optionally provide a facility for behavior analysis.…”

Section: Access Control Model Evaluationmentioning

confidence: 98%

See 1 more Smart Citation

Behavior-based access control for distributed healthcare systems

Yarmand

Sartipi

Down

2013

JCS

View full text Add to dashboard Cite

Sensitivity of clinical data and strict rules regarding data sharing have caused privacy and security to be critical requirements for using patient profiles in distributed healthcare systems. The amalgamation of new information technology with traditional healthcare workflows for sharing patient profiles has made the whole system vulnerable to privacy and security breaches. Standardization organizations are developing specifications to satisfy the required privacy and security requirements. In this paper we present a novel access control model compliant with healthcare standards based on a framework designed for data and service interoperability in the healthcare domain. The proposed model for customizable access control captures the dynamic behavior of the user and determines access rights accordingly.The model is generic and flexible in the sense that an access control engine dynamically receives security effective parameters from the subject user, and identifies the privilege level in accessing data using different specialized components within the engine. Standard data representation formats and ontologies are used to make the model compatible with different healthcare systems. The access control engine employs an approach to follow the user's behavior and navigates among engine components to provide the user's privilege to access a resource. A simulation environment is implemented to evaluate and test the proposed model. M.H. Yarmand et al. / Behavior-based access control for distributed healthcare systemsWhile solving the problem of interoperability among heterogeneous systems, these proposals introduce many security and privacy issues, as natural consequences of providing customizable services. Regarding confidentiality, integrity and availability requirements of patient data, a major concern is to avoid disclosure of these data to unqualified users. Access by unauthorized users to patient data may result in misdiagnosis, delays in treatment, or mistreatment. Other consequences may include financial problems such as denial of insurance coverage and loss of job opportunities [36].Authentication and authorization methods at inter-/intra-organizational levels should be employed to provide the required security. In this context, several methods have been proposed namely role-based [20,45,54,63], team-based [21], attribute-based [16], content-based [22], scenario-based [43,48], situation-aware [61], context-aware [1,4,33,63], and context sensitive [34] access control methods.Only a few consider the problem in distributed systems [4,33,45,61]. Moreover, most access control methods deal only with static systems. However, dynamism and configurability are two requirements of models for distributed systems [33,45,61,62].There are a small number of approaches that propose models adherent to healthcare standards [6,35,42].In very large scale distributed systems, the integrity, flexibility, generality, and robustness of the model becomes critical. Due to the high complexity of these systems, any errors in the operation...

show abstract

Section: Access Control Model Evaluationmentioning

confidence: 98%

“…They use UML and OCL to express constraints and relations. Verhanneman et al [58] support usage of fine-grained and dynamic policies in the healthcare domain. They focus on a reconfigurable implementation and identify a number of shortcomings of current technologies for aiding their implementation.…”

Section: Related Workmentioning

confidence: 99%

Behavior-based access control for distributed healthcare systems

Yarmand

Sartipi

Down

2013

JCS

View full text Add to dashboard Cite

show abstract

“…Motivation for flexible and fine-grained access control in medical applications was provided by Verhanneman et al [16], although they focused more on the lack of programmatic controls using J2EE or .NET rather than on database enforcement. Anderson proposed a set of principles for clinical information systems [1], which provides a good set of practical guidelines for use in the medical field.…”

Section: Related Workmentioning

confidence: 99%

A medical database case study for reflective database access control

Olson

Gunter

Olson

2009

Proceedings of the First ACM Workshop on Security and Privacy in Medical and Home-Care Systems

View full text Add to dashboard Cite

Reflective Database Access Control (RDBAC) is a model in which a database privilege is expressed as a database query itself, rather than as a static privilege in an access control matrix. RDBAC aids the management of database access controls by improving the expressiveness of policies, enabling enforcement at the database level rather than at the application level. This in turn facilitates the creation of new applications without the need for duplicating security enforcement in each application. Past work has proposed the use of the Transaction Datalog (TD) language as a theoretical basis for RDBAC. We present a case study for a medical database using TD. This case study includes a wide range of access patterns for which RDBAC provides a simple method for formulating policies, demonstrating the flexibility of RD-BAC as well as the practicality and scalability of using such a system in real-world applications that require non-trivial policy definitions on large data sets.

show abstract

“…Our discussion is necessarily focused on the situation within the United Kingdom: other countries will have their own concerns to address. Within the United States, for example, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is of concern: the privacy rule "sets forth what uses and disclosures are authorized or required and what rights patients have with respect to their health information" (Verhanneman, Jaco, & De Win, 2003); the security rule "specifies what implementation is obligatory for enforcement of this policy or what reasonable efforts should be [undertaken]'' (Verhanneman et al, 2003).…”

Section: A Secure Health Grid Architecturementioning

confidence: 99%

On The Development of Secure Service-Oriented Architectures to Support Medical Research

Simpson

Power

Slaymaker

et al. 2007

International Journal of Healthcare Information Systems and Informatics

View full text Add to dashboard Cite

In this article we report upon our experiences of developing Web-services based infrastructures within two e-health projects. The first-a small demonstrator project funded by the UK's National Cancer Research Institute (NCRI)-is concerned with facilitating the aggregation of different types of data (specifically, MRI scans and histopathology slides) to aid the treatment of colorectal cancer; the second-a rather larger project funded by the UK's Medical Research Council (MRC)-is concerned with the development of a virtual research environment to support neuro-imaging research. In both cases, the underlying infrastructures are being developed by a team that is based in Oxford; it is the experiences of this team that we report upon in this article. We also report upon how we have considered the future potential for our systems interoperating with other systems which are deployed within the

show abstract

Adaptable Access Control Policies for Medical Information Systems

Cited by 7 publications

References 7 publications

Behavior-based access control for distributed healthcare systems

Behavior-based access control for distributed healthcare systems

A medical database case study for reflective database access control

On The Development of Secure Service-Oriented Architectures to Support Medical Research

Contact Info

Product

Resources

About