Proposing hierarchy-similarity based access control framework: A multilevel Electronic Health Record data sharing approach for interoperable environment

Abstract: Interoperability in a healthcare environment deals with sharing patients' Electronic Health Records (EHR) with fellow professionals, both across and within departments or organizations. Healthcare environments experience frequent shifting of doctors and paramedical staff across and within departments or hospitals. The system exhibits dynamic attributes of users and resources, which are managed through the access control policies defined for that environment. Rules obtained by merging such policies often generate policy conflicts, resulting in undue data leakage to unintended users. This paper proposes an access control framework that applies a Hierarchy Similarity Analyzer (HSA) to the policies that need to be merged. It calculates a Security_Level (SL) and assigns it to the users sharing data. The SL determines the authorized amount of data that can be shared on successful collaboration of two policies. The proposed framework allows integration of independent policies and identifies the possible policy conflicts arising from attribute disparities in the defined rules. The framework is implemented on XACML policies and compared with other access models designed using centralized and decentralized approaches. Conditional constraints and properties that generate the policy conflicts prevalent in the policies are defined.
