Automated Reviewing of Healthcare Security Policies

We present a new formal validation method for healthcare security policies, in the form of feedback-based queries that answer the question of who is accessing what in Electronic Health Records. To this end, we consider Role-Based Access Control (RBAC), which offers the flexibility to specify the users, roles, permissions, actions, and objects to be secured. We use the Z notation both for the formal specification of RBAC security policies and for the queries that review those policies. To ease the effort of creating a correct specification of the security policies, RBAC-based graphical models (such as SecureUML) are used and automatically translated into the corresponding Z specifications. These specifications are then animated using the Jaza tool, which executes the queries against the specification of the security policies. Through this process, it is automatically detected who will gain access to a patient's medical record and which information will be exposed to that system user.
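As an added illustration, not code from the paper or from the Jaza tool, the following Python model expresses a small RBAC policy as the sets and relations a Z specification of RBAC would declare (users, roles, a role hierarchy, and user-role and permission-role assignments) and runs the two review queries the abstract describes: which users can reach a given record field, and which fields are exposed to a given user. A third query compares the reviewer's expected exposure with what the policy actually grants, which is the feedback the abstract refers to. The users, roles, record fields and assignments are constructed for this example and are not taken from the paper.

```python
# Added example: a small RBAC policy for an EHR expressed as sets and relations
# (the structures a Z specification of RBAC uses), with the "who" and "what"
# review queries run against it. All users, roles, objects and assignments
# below are constructed for illustration, not taken from the paper.

USERS = {"alice", "bob", "carol"}
ROLES = {"Physician", "Nurse", "Receptionist", "Staff"}
ACTIONS = {"read", "update"}
OBJECTS = {
    "PatientRecord.diagnosis",
    "PatientRecord.medication",
    "PatientRecord.contact",
}

# UA: user-role assignment, a relation USERS x ROLES
UA = {("alice", "Physician"), ("bob", "Nurse"), ("carol", "Receptionist")}

# RH: role hierarchy; (senior, junior) means senior inherits junior's permissions
RH = {("Physician", "Nurse"), ("Nurse", "Staff"), ("Receptionist", "Staff")}

# PA: permission-role assignment, a relation ROLES x (ACTIONS x OBJECTS)
PA = {
    ("Staff", ("read", "PatientRecord.contact")),
    ("Receptionist", ("update", "PatientRecord.contact")),
    ("Nurse", ("read", "PatientRecord.medication")),
    ("Physician", ("update", "PatientRecord.medication")),
    ("Physician", ("read", "PatientRecord.diagnosis")),
    ("Physician", ("update", "PatientRecord.diagnosis")),
}


def junior_roles(role, rh=RH):
    """Reflexive-transitive closure of RH from `role`: the role plus all it inherits."""
    closure = {role}
    frontier = [role]
    while frontier:
        current = frontier.pop()
        for senior, junior in rh:
            if senior == current and junior not in closure:
                closure.add(junior)
                frontier.append(junior)
    return closure


def authorized_roles(user, ua=UA, rh=RH):
    """Every role the user holds directly or through the hierarchy."""
    roles = set()
    for u, r in ua:
        if u == user:
            roles |= junior_roles(r, rh)
    return roles


def permissions_of(user, ua=UA, rh=RH, pa=PA):
    """'What' query: the (action, object) pairs exposed to this user."""
    roles = authorized_roles(user, ua, rh)
    return {perm for role, perm in pa if role in roles}


def who_can(action, obj, users=USERS, ua=UA, rh=RH, pa=PA):
    """'Who' query: every user able to perform `action` on `obj`."""
    return {u for u in users if (action, obj) in permissions_of(u, ua, rh, pa)}


def review(expected, users=USERS, ua=UA, rh=RH, pa=PA):
    """Feedback query: compare the reviewer's expected exposure with what the policy grants.

    `expected` maps (action, object) to the set of users the reviewer believes
    should hold that permission. Returns, per permission, the unexpected and the
    missing users; an empty dict means the policy matches the expectation.
    """
    findings = {}
    for (action, obj), allowed in expected.items():
        actual = who_can(action, obj, users, ua, rh, pa)
        extra, missing = actual - allowed, allowed - actual
        if extra or missing:
            findings[(action, obj)] = {"unexpected": extra, "missing": missing}
    return findings


if __name__ == "__main__":
    for obj in sorted(OBJECTS):
        for action in sorted(ACTIONS):
            print(f"{action:6} {obj:28} -> {sorted(who_can(action, obj))}")
    # The reviewer assumed medication data was physician-only; the hierarchy
    # reveals that the Nurse role reaches it as well.
    print(review({("read", "PatientRecord.medication"): {"alice"}}))
```

The point of the `review` query is the one the abstract makes: the hierarchy closure, not the direct assignments, decides who reaches a field, so a reviewer's expectation written against the diagram can be checked mechanically against the closed relation rather than read off by hand.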
