A role-based delegation framework for healthcare information systems

As organizations implement information strategies that call for sharing access to resources in the networked environment, mechanisms must be provided to protect the resources from adversaries. The proposed delegation framework addresses the issue of how to advocate selective information sharing in role-based systems while minimizing the risks of unauthorized access. We introduce a systematic approach to specify delegation and revocation policies using a set of rules. We demonstrate the feasibility of our framework through policy specification, enforcement, and a proof-of-concept implementation on specific domains, e.g. the healthcare environment. We believe that our work can be applied to organizations that rely heavily on collaborative tasks.

[1]  Pietro Iglio,et al.  Role templates for content-based access control , 1997, RBAC '97.

[2]  Ravi S. Sandhu,et al.  Task-Based Authorization Controls (TBAC): A Family of Models for Active and Enterprise-Oriented Autorization Management , 1997, DBSec.

[3]  Thomas Hildmann,et al.  Managing trust between collaborating companies using outsourced role based access control , 1999, RBAC '99.

[4]  Ross J. Anderson,et al.  A security policy model for clinical information systems , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[5]  Gail-Joon Ahn,et al.  A rule-based framework for role based delegation , 2001, SACMAT '01.

[6]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[7]  Mike A. Lockyer,et al.  A model of accountability, confidentiality and override for healthcare and other applications , 2000, RBAC '00.

[8]  Roshan K. Thomas,et al.  Flexible team-based access control using contexts , 2001, SACMAT '01.

[9]  Wayne J. Salamon,et al.  Distributed Communication Methods and Role-Based Access Control for Use in Health Care Applications , 1996 .

[10]  G Potamias,et al.  Role-based access to patients clinical data: the InterCare approach in the region of Crete. , 2000, Studies in health technology and informatics.

[11]  Roshan K. Thomas,et al.  Team-based access control (TMAC): a primitive for applying role-based access controls in collaborative environments , 1997, RBAC '97.

[12]  Mary Ellen Zurko,et al.  Separation of duty in role-based environments , 1997, Proceedings 10th Computer Security Foundations Workshop.

[13]  D. Richard Kuhn,et al.  A role-based access control model and reference implementation within a corporate intranet , 1999, TSEC.

[14]  Serban I. Gavrila,et al.  Formal specification for role based access control user/role and role/role relationship management , 1998, RBAC '98.

[15]  Morrie Gasser,et al.  An architecture for practical delegation in a distributed system , 1990, Proceedings. 1990 IEEE Computer Society Symposium on Research in Security and Privacy.