Automatic enforcement of multiple policies in healthcare domain

Enforcement of security policies on sensitive documents in an organizational setup is a critical task. This function can be performed manually by administrators but is not scalable as number of documents increases. Permission assignment can be automated by assigning permission on type of document to roles like clinical documents to medical staff and financial documents to accounts staff. But it becomes a complex task for fine grained requirements like sensitive clinical information be only available to primary doctors. We propose automatic enforcement of fine grained multiple polices on clinical documents based on security requirements using semantic matching. The first step in this process in to construct domain specific ontology. Subsequently, attributes of clinical documents are extracted by data mining and rule-based semantic matching is employed using roles attributes. Such matching allows objects with sensitive healthcare information to be placed under Discretionary Access Control (DAC) policy. Under DAC policy sensitive documents are only available to the primary doctor treating the patient. The normal documents are assigned to all doctors using Role Based Access Control (RBAC). Currently, a secure healthcare system is being implemented using the Policy Machine (PM) architecture proposed by National Institute of Standards and Technology (NIST). PM allows enforcement of arbitrary and organization specific attribute based access control policies.