Understanding Attribute-based Access Control for Modelling and Analysing Healthcare Professionals’ Security Practices

In recent years, there has been an increase in the application of attribute-based access control (ABAC) in electronic health (e-health) systems. E-health systems are used to store the electronic version of a patient's medical records. These records are usually classified according to their usage, i.e., as electronic health records (EHRs) or personal health records (PHRs). EHRs are electronic medical records held by healthcare providers, while PHRs are electronic medical records held by the patients themselves. Both EHRs and PHRs are critical assets that require access control mechanisms to regulate the manner in which they are accessed. ABAC has been demonstrated to be an efficient and effective approach for providing fine-grained access control to these critical assets. In this paper, we conduct a survey of the existing literature on the application of ABAC in e-health systems to understand the suitability of ABAC for e-health systems and the possibility of using ABAC access logs for observing, modelling and analysing the security practices of healthcare professionals. We categorize the existing works according to the application of ABAC in PHRs and EHRs. We then present a discussion of the lessons learned and outline future challenges. This can serve as a basis for selecting and further advancing the use of ABAC in e-health systems.
