Secure Access Control for Health Information Sharing Systems

The Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 encourages healthcare providers to share information to improve healthcare quality at reduced cost. Such information sharing, however, raises security and privacy concerns that require appropriate access control mechanisms to ensure Health Insurance Portability and Accountability Act (HIPAA) compliance. Current approaches such as Role-Based Access Control (RBAC) and its variants, and newer approaches such as Attribute-Based Access Control (ABAC) are inadequate. RBAC provides simple administration of access control and user permission review, but demands complex initial role engineering and makes access control inflexible. ABAC, on the other hand, simplifies initial setup but increases the complexity of managing privileges and user permissions. These limitations have motivated research into the development of newer access control models that use attributes and policies while preserving RBAC's strengths. The BiLayer Access Control (BLAC) model is a two-step method being proposed to integrate attributes with roles: an access request is checked against pseudoroles, i.e., the list of subject attributes (first layer), and then against rules within the policies (second layer) associated with the requested object. This paper motivates the BLAC approach, outlines the BLAC model, and illustrates its usefulness to healthcare information sharing environments.

[1]  Jian Zhu,et al.  Attribute Based Access Control and Security for Collaboration Environments , 2008, 2008 IEEE National Aerospace and Electronics Conference.

[2]  Xin Jin,et al.  RABAC: Role-Centric Attribute-Based Access Control , 2012, MMM-ACNS.

[3]  Scott D. Stoller,et al.  Algorithms for mining meaningful roles , 2012, SACMAT '12.

[4]  David M. Nicol,et al.  A framework integrating attribute-based policies into role-based access control , 2012, SACMAT '12.

[5]  Andreas Matheus,et al.  How to Declare Access Control Policies for XML Structured Information Objects using OASIS' eXtensible Access Control Markup Language (XACML) , 2005, Proceedings of the 38th Annual Hawaii International Conference on System Sciences.

[6]  Vijayalakshmi Atluri,et al.  Role-based Access Control , 1992 .

[7]  BertinoElisa,et al.  A Generalized Temporal Role-Based Access Control Model , 2005 .

[8]  Elisa Bertino,et al.  TRBAC , 2001, ACM Trans. Inf. Syst. Secur..

[9]  Ian T. Foster,et al.  A Flexible Attribute Based Access Control Method for Grid Computing , 2008, Journal of Grid Computing.

[10]  D. Richard Kuhn,et al.  Adding Attributes to Role-Based Access Control , 2010, Computer.

[11]  Ravi S. Sandhu,et al.  The NIST model for role-based access control: towards a unified standard , 2000, RBAC '00.

[12]  Pierangela Samarati,et al.  Regulating service access and information release on the Web , 2000, CCS.

[13]  Elisa Bertino,et al.  GEO-RBAC: a spatially aware RBAC , 2005, SACMAT '05.

[14]  Ravi S. Sandhu,et al.  A model for attribute-based user-role assignment , 2002, 18th Annual Computer Security Applications Conference, 2002. Proceedings..

[15]  Muttukrishnan Rajarajan,et al.  An User-Centric Attribute Based Access Control Model for Ubuquitous Environments , 2011, MobiCASE.

[16]  Jorge Lobo,et al.  Privacy-Aware Role-Based Access Control , 2007, IEEE Security & Privacy.

[17]  Seog Park,et al.  Task-role-based access control model , 2003, Inf. Syst..

[18]  Mehdi Sabbari,et al.  A policy based access control model for web services , 2011, 2011 International Conference for Internet Technology and Secured Transactions.

[19]  Stan Matwin,et al.  Advantages of a non-technical XACML notation in role-based models , 2011, 2011 Ninth Annual International Conference on Privacy, Security and Trust.

[20]  Joan Feigenbaum,et al.  Decentralized trust management , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[21]  Jin Tong,et al.  Attributed based access control (ABAC) for Web services , 2005, IEEE International Conference on Web Services (ICWS'05).

[22]  Elisa Bertino,et al.  A generalized temporal role-based access control model , 2005, IEEE Transactions on Knowledge and Data Engineering.

[23]  Liu Sainan Task-role-based access control model and its implementation , 2010, 2010 2nd International Conference on Education Technology and Computer.

[24]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[25]  John Morrissey,et al.  Health information exchange. , 2011, Hospitals & health networks.

[26]  Amirreza Masoumzadeh,et al.  PuRBAC: Purpose-Aware Role-Based Access Control , 2008, OTM Conferences.

[27]  Manachai Toahchoodee,et al.  A Spatio-temporal Role-Based Access Control Model , 2007, DBSec.

[28]  Joon S. Park,et al.  Smart Certi cates: Extending X.509 for Secure Attribute Services on the Web , 1999 .

[29]  Fan Hong,et al.  An Attribute-Based Access Control Model for Web Services , 2006, PDCAT.