Authorization in cross-border eHealth systems

Modern eHealth systems require collaboration between independent organisations such as hospitals, medical centers, emergency services and community services. Security and privacy are critical issues in this interoperability challenge. In an eHealth system that spans several administrative domains, each organisation usually defines its authorization policies independently, so when a collaboration opportunity arises a number of questions follow. Is the collaboration possible at all, given the authorization policies of the participants? How can policy inconsistencies among the participants be identified and resolved? What kind of authorization support is needed as the collaboration proceeds? In this paper, we analyze different types of collaboration and provide insights into authorization control both within individual organisations and within collaboration activities. We propose a model that captures the elements needed to specify authorization policy for cross-border collaboration. Based on the model, we discuss the kinds of inconsistency that can arise between the authorization policies of different business units and suggest handling strategies according to the intended collaboration type. We also briefly discuss how a description logic reasoner can be used to test whether two sets of policies are suitable for collaboration. This work lays a foundation for policy development, negotiation and enforcement for cross-border collaboration.
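The abstract describes identifying inconsistencies between two organisations' authorization policies before a collaboration starts. The paper's own policy model and its description logic reasoner are not reproduced on this page; the Python below is an added example, not the paper's code. It assumes a deliberately simple tuple model (role, action, resource, effect), a negotiated role map from the requester's roles onto the owner's roles, and a deny-overrides combining rule, all of which are illustrative assumptions, and it shows the kinds of inconsistency such a pre-collaboration check surfaces: an explicit deny on one side, an internally contradictory policy set, a gap where one side has no rule, and a role with no agreed mapping.

```python
# Added example (not from the paper): a toy consistency check for two
# organisations' authorization policies ahead of a cross-border collaboration.
# Assumptions: every organisation expresses rules as (role, action, resource,
# effect) tuples, foreign roles are mapped onto local roles by a negotiated
# role map, and deny-overrides is the combining algorithm. All organisation,
# role and resource names below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    role: str
    action: str
    resource: str
    effect: str  # "permit" or "deny"


def effects_for(rules, role, action, resource):
    """Collect the effects of every rule in `rules` matching the triple."""
    return {r.effect for r in rules
            if (r.role, r.action, r.resource) == (role, action, resource)}


def classify(requester_effects, owner_effects):
    """Classify one required access against both sides' rules."""
    if any(e == {"permit", "deny"} for e in (requester_effects, owner_effects)):
        return "contradictory"   # one side's own policy set is internally inconsistent
    if "deny" in requester_effects | owner_effects:
        return "denied"          # an explicit deny on either side (deny-overrides)
    if not requester_effects or not owner_effects:
        return "unspecified"     # a gap: one side has no rule for this access
    return "consistent"


def check_collaboration(policies, role_map, required):
    """Evaluate each required access; returns [(requirement, status), ...]."""
    findings = []
    for req in required:
        req_org, role, action, resource, owner_org = req
        local_role = role_map.get((req_org, role, owner_org))
        if local_role is None:
            findings.append((req, "unmapped_role"))  # no agreed mapping for this role
            continue
        req_effects = effects_for(policies[req_org], role, action, resource)
        own_effects = effects_for(policies[owner_org], local_role, action, resource)
        findings.append((req, classify(req_effects, own_effects)))
    return findings


def collaboration_possible(findings):
    """The collaboration can proceed as specified only if every access is consistent."""
    return all(status == "consistent" for _, status in findings)


# Constructed sample policies for two hypothetical organisations.
POLICIES = {
    "HospitalA": {
        Rule("emergency_physician", "read", "patient_summary", "permit"),
        Rule("emergency_physician", "write", "prescription", "permit"),
        Rule("community_nurse", "read", "lab_result", "permit"),
    },
    "HospitalB": {
        Rule("visiting_clinician", "read", "patient_summary", "permit"),
        Rule("visiting_clinician", "write", "prescription", "deny"),
        Rule("external_nurse", "read", "lab_result", "permit"),
        Rule("external_nurse", "read", "lab_result", "deny"),  # internal contradiction
    },
}

# Negotiated mapping of HospitalA roles onto HospitalB roles (constructed).
ROLE_MAP = {
    ("HospitalA", "emergency_physician", "HospitalB"): "visiting_clinician",
    ("HospitalA", "community_nurse", "HospitalB"): "external_nurse",
}

# Accesses the proposed collaboration needs: (requester, role, action, resource, owner).
REQUIRED = [
    ("HospitalA", "emergency_physician", "read", "patient_summary", "HospitalB"),
    ("HospitalA", "emergency_physician", "write", "prescription", "HospitalB"),
    ("HospitalA", "community_nurse", "read", "lab_result", "HospitalB"),
    ("HospitalA", "emergency_physician", "read", "imaging_study", "HospitalB"),
    ("HospitalA", "social_worker", "read", "care_plan", "HospitalB"),
]


def run_example():
    return check_collaboration(POLICIES, ROLE_MAP, REQUIRED)


if __name__ == "__main__":
    result = run_example()
    for (req_org, role, action, resource, owner_org), status in result:
        print(f"{req_org}/{role} {action} {resource}@{owner_org}: {status}")
    print("collaboration possible:", collaboration_possible(result))
```

A description logic reasoner, as the abstract describes, would instead express both policy sets as an ontology and derive unsatisfiable combinations under open-world semantics; this closed-world check is only a stand-in to make the inconsistency categories concrete. Note that it deliberately reports a missing rule as a negotiation gap ("unspecified") rather than treating it as an implicit deny, since which of those two readings applies is itself something the participants have to agree on.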
