A Framework for Context Sensitive Risk-Based Access Control in Medical Information Systems

Since the access control environment has changed and the threat of insider information leakage has come to the fore, risk-based access control models that decide access permissions dynamically have been studied actively. Medical information systems must protect sensitive data such as medical records from insider threats while enabling dynamic access control that depends on the context, such as life-threatening emergencies. In this paper, we suggest an approach and framework for context-sensitive risk-based access control suited to medical information systems. The approach categorizes context information, estimates and applies risk through context- and treatment-based permission profiling, and extends the eXtensible Access Control Markup Language (XACML) specification so that risk can be expressed in policies. The proposed framework supports quick responses to medical situations and prevents unnecessary insider data access by making dynamic authorization decisions in accordance with the severity of the context and of the treatment.
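The following Python sketch is an added illustration, not the paper's framework or code: it shows the kind of decision logic the abstract describes, where a risk score derived from the resource's sensitivity, the requester's treatment relationship and the severity of the context is compared against a per-role tolerance, with obligations attached to emergency access. The context categories, roles, weights and thresholds are all assumed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Severity(Enum):
    """Assumed context categories; the paper's own categorization may differ."""
    ROUTINE = 0
    URGENT = 1
    LIFE_THREATENING = 2


@dataclass(frozen=True)
class Request:
    subject_role: str          # e.g. "physician", "nurse", "clerk" (assumed roles)
    treating: bool             # subject is on the patient's treatment team
    resource_sensitivity: int  # 1 (low) .. 3 (high, e.g. psychiatric notes)
    severity: Severity         # severity of the clinical context


# Assumed per-role risk tolerance: the maximum risk a role may incur per access.
THRESHOLDS = {"physician": 3.0, "nurse": 2.0, "clerk": 1.0}


def estimate_risk(r: Request) -> float:
    """Assumed risk model: sensitivity, scaled up for non-treating access
    (the insider-leak case) and discounted as the emergency becomes more severe."""
    relationship = 1.0 if r.treating else 3.0
    discount = {Severity.ROUTINE: 1.0,
                Severity.URGENT: 0.6,
                Severity.LIFE_THREATENING: 0.25}[r.severity]
    return r.resource_sensitivity * relationship * discount


def decide(r: Request) -> dict:
    """Permit when the estimated risk is within the role's tolerance; emergency
    or non-treating access that is permitted carries review obligations."""
    risk = estimate_risk(r)
    permit = risk <= THRESHOLDS.get(r.subject_role, 0.0)
    obligations = []
    if permit and not r.treating:
        obligations.append("audit_log")             # logged for later review
    if permit and r.severity is Severity.LIFE_THREATENING:
        obligations.append("notify_privacy_officer")  # emergency override is reported
    return {"decision": "Permit" if permit else "Deny",
            "risk": risk, "obligations": obligations}


if __name__ == "__main__":
    # Constructed sample: a physician not treating the patient, during an emergency.
    print(decide(Request("physician", False, 3, Severity.LIFE_THREATENING)))
```

The same non-treating physician request is denied in a routine context but permitted, with obligations, in a life-threatening one, which is the dynamic behaviour the abstract motivates.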
