Access control for smarter healthcare using policy spaces

A fundamental requirement for the healthcare industry is that the delivery of care comes first and nothing should interfere with it. As a consequence, the access control mechanisms used in healthcare to regulate and restrict the disclosure of data are often bypassed in case of emergencies. This phenomenon, called "break the glass", is a common pattern in healthcare organizations and, though quite useful and mandatory in emergency situations, it represents a serious system weakness from a security perspective. Malicious users can, in fact, abuse the system by exploiting the break the glass principle to gain unauthorized privileges and access. In this paper, we propose an access control solution aimed at better regulating break the glass exceptions that occur in healthcare systems. Our solution is based on the definition of different policy spaces, a language, and a composition algebra to regulate access to patient data and to balance the rigorous nature of traditional access control systems with the "delivery of care comes first" principle.
