A Privacy-aware Graph-based Access Control System for the Healthcare Domain

Growing concern about the protection of personal information has made it critical to implement effective technologies for privacy and data management. Observing the limitations of existing approaches, we found an urgent need for a flexible, privacy-aware system that can meet privacy-preservation requirements at both the role level and the personal level. We propose a conceptual system that addresses these two requirements: a graph-based access control model that safeguards patient privacy. In this paper we present a case study from the healthcare domain. Although our model was tested in healthcare, it is generic and can be adapted for use in other fields. Proof-of-concept demos are also provided to evaluate the efficacy of our system. Finally, based on hospital scenarios, we present experimental results that demonstrate the performance of our system and compare them with existing privacy-aware systems. As a result, we ensure a high quality of medical care while preserving patient privacy.
