Activity-based Access Control Model to Hospital Information

Hospital work is characterized by the need to manage multiple activities simultaneously, constant local mobility, frequently interruptions, and intense collaboration and communication. Hospital employees must handle a large amount of data that is often tied to specific work activities. This calls for a proper access control model. In this paper, we propose a novel approach, activity-based access control model (ACM). Unlike conventional approaches which exploit user identity/role information, ACM leverages user's activities to determine the access permissions for that user. In ACM, a user is assigned to perform a number of actions if s/he poses a set of satisfactory attributes. Access permissions to hospital information are granted according to user's actions. By doing this, ACM contributes a number of advantages over conventional models: (1) facilitates user's work; (2) reduces complexity and cost of access management. Though the design of ACM first aims to support clinical works in hospitals, it can be applied in other activity-centered environments.

[1]  Jaehong Park,et al.  The UCONABC usage control model , 2004, TSEC.

[2]  David A. Bell,et al.  Secure computer systems: mathematical foundations and model , 1973 .

[3]  Sungyoung Lee,et al.  Research issues in the development of context-aware middleware architectures , 2005, 11th IEEE International Conference on Embedded and Real-Time Computing Systems and Applications (RTCSA'05).

[4]  Sérgio Shiguemi Furuie,et al.  A contextual role-based access control authorization model for electronic patient record , 2003, IEEE Transactions on Information Technology in Biomedicine.

[5]  David W. Chadwick,et al.  The PERMIS X.509 role based privilege management infrastructure , 2002, SACMAT '02.

[6]  Antonio Corradi,et al.  Context-based access control management in ubiquitous environments , 2004, Third IEEE International Symposium on Network Computing and Applications, 2004. (NCA 2004). Proceedings..

[7]  Mike A. Lockyer,et al.  The tees confidentiality model: an authorisation model for identities and roles , 2003, SACMAT '03.

[8]  13th IEEE International Conference on Embedded and Real-Time Computing Systems and Applications (RTCSA 2007), 21-24 August 2007, Daegu, Korea , 2007, RTCSA.

[9]  Young-Koo Lee,et al.  Security for Ubiquitous Computing: Problems and Proposed Solutionl , 2006, 12th IEEE International Conference on Embedded and Real-Time Computing Systems and Applications (RTCSA'06).

[10]  Peter Sewell,et al.  Cassandra: distributed access control policies with tunable expressiveness , 2004, Proceedings. Fifth IEEE International Workshop on Policies for Distributed Systems and Networks, 2004. POLICY 2004..

[11]  Butler W. Lampson,et al.  Dynamic protection structures , 1899, AFIPS '69 (Fall).

[12]  Ramaswamy Chandramouli,et al.  The Queen's Guard: A Secure Enforcement of Fine-grained Access Control In Distributed Data Analytics Platforms , 2001, ACM Trans. Inf. Syst. Secur..

[13]  Marcela D. Rodríguez,et al.  Location-aware access to hospital information and services , 2004, IEEE Transactions on Information Technology in Biomedicine.

[14]  Jakob E. Bardram,et al.  Pervasive Computing Support for Hospitals: An overview of the Activity-Based Computing Project , 2007, IEEE Pervasive Computing.

[15]  Mustaque Ahamad,et al.  Generalized Role-Based Access Control for Securing Future Applications , 2000 .