Context-aware access control for clinical information systems

Clinical records are among the most sensitive and private information about any individual. With the widespread digitalization of such records, coupled with the omnipresence of networks and the abundant availability of advanced information and communication technologies, personal security and privacy related to clinical data face a huge challenge. Security in clinical information systems can be addressed at different levels: securing data collection by medical sensors, controlling access to clinical information, designing legislative frameworks for regulating secure usage of clinical information, and so on. In this paper, we focus on access control issues in healthcare, with the goal of designing and developing access control mechanisms that are contingent upon various environmental and application-dependent contexts and that provide for secure delegation of access-control rights. In particular, we propose a context-aware approach to access control, building on the conventional discretionary access control (DAC) and role-based access control (RBAC) models. Taking a holistic view of access control, we effectively address all four of its constituent steps: identification, authentication, authorization, and access decision. The eTRON (Entity and Economy TRON) architecture, which advocates the use of tamper-resistant chips equipped with functions for mutual authentication and encrypted communication, is used for authentication and for implementing the DAC-based delegation of access-control rights. To realize the authorization and access decision steps, we used the RBAC model and implemented context verification on top of it. Our approach closely follows the regulatory and technical standards of the healthcare domain. Evaluation of the proposed system in terms of various security and performance issues showed promising results.
