Fine-grained access control to medical records in digital healthcare enterprises

Adopting IT as an integral part of business and operation is certainly making the healthcare industry more efficient and cost-effective. With the widespread digitalization of personal health information, coupled with big data revolution and advanced analytics, security and privacy related to medical data - especially ensuring authorized access thereto - is facing a huge challenge. In this paper, we argue that a fine-grained approach is needed for developing access control mechanisms contingent upon various environmental and application-dependent contexts along with provision for secure delegation of access-control rights. In particular, we propose a context-sensitive approach to access control, building on conventional discretionary access control (DAC) and role-based access control (RBAC) models. Taking a holistic view to access control, we effectively address the precursory authentication part as well. The eTRON architecture - which advocates use of tamper-resistant chips equipped with functions for mutual authentication and encrypted communication - is used for authentication and implementing the DAC-based delegation of access-control rights. For realizing the authorization and access decision, we used the RBAC model and implemented context verification on top of it. Our approach closely follows regulatory and technical standards of the healthcare domain. Evaluation of the proposed system in terms of various security and performance showed promising results.

[1]  Carole S. Jordan A Guide to Understanding Discretionary Access Control in Trusted Systems , 1987 .

[2]  Elisa Bertino,et al.  GEO-RBAC: a spatially aware RBAC , 2005, SACMAT '05.

[3]  Steven B. Lipner,et al.  Trusted Computer System Evaluation Criteria ( Orange Book ) December , 2001 .

[4]  Ravi Sandhu,et al.  A Role-Based Delegation Model and Some Extensions , 2000 .

[5]  A. Karp,et al.  From ABAC to ZBAC : The Evolution of Access Control Models , 2009 .

[6]  Patrick R. Gallagher A GUIDE TO UNDERSTANDING DISCRETIONARY ACCESS CONTROL IN TRUSTED SYSTEMS , 1987 .

[7]  Ravi S. Sandhu,et al.  Role-based delegation model/hierarchical roles (RBDM1) , 2004, 20th Annual Computer Security Applications Conference.

[8]  Gregory D. Abowd,et al.  Securing context-aware applications using environment roles , 2001, SACMAT '01.

[9]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[10]  Takeshi Yashiro,et al.  eTNet: A Smart Card Network Architecture for Flexible Electronic Commerce Services , 2011, 2011 4th IFIP International Conference on New Technologies, Mobility and Security.

[11]  John M. Boone,et al.  INTEGRITY-ORIENTED CONTROL OBJECTIVES: PROPOSED REVISIONS TO THE TRUSTED COMPUTER SYSTEM EVALUATION CRITERIA (TCSEC), DoD 5200.28-STD , 1991 .

[12]  Roy H. Campbell,et al.  Access control for Active Spaces , 2002, 18th Annual Computer Security Applications Conference, 2002. Proceedings..

[13]  Ken Sakamura,et al.  The eTRON Wide-Area Distributed-System Architecture for E-Commerce , 2001, IEEE Micro.

[14]  Elisa Bertino,et al.  A generalized temporal role-based access control model , 2005, IEEE Transactions on Knowledge and Data Engineering.

[15]  Ravi S. Sandhu,et al.  PBDM: a flexible delegation model in RBAC , 2003, SACMAT '03.

[16]  Gail-Joon Ahn,et al.  A rule-based framework for role based delegation , 2001, SACMAT '01.

[17]  D. Richard Kuhn,et al.  Adding Attributes to Role-Based Access Control , 2010, Computer.