Enforcing Minimum Necessary Access in Healthcare Through Integrated Audit and Access Control

One of the most important requirements of HIPAA is the "minimum-necessary" access requirement, which states that healthcare personnel must be granted no more access to electronic healthcare data than is necessary in order to work effectively. Due to the complexity of constructing such a policy, many hospitals do not comply with the regulation and instead manually audit the logs when they suspect that abuse has occurred. This audit-only approach is error-prone and difficult due to the volume of data contained in the logs. To address this problem, we have built a policy engine capable of automatically auditing logs and separating normal accesses from abnormal accesses. Our policy engine implicitly constructs role-based policies from the audit data in order to produce a workable policy that can be used to enforce minimum-necessary access. The policy engine can also audit an existing role-based access policy by comparing it to observed accesses in order to determine whether the existing policy is overpermissive compared to actual usage patterns.
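The two audit functions described in the abstract, sketched as an added example; this is not the paper's policy engine. It assumes a simplified log of (user, role, resource, action) tuples and a simple frequency rule (a permission counts as normal for a role once at least `min_users` distinct members of that role have exercised it); the log entries, role names and threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample audit log: (user, role, resource, action).
AUDIT_LOG = [
    ("alice", "nurse", "vitals", "read"),
    ("bob", "nurse", "vitals", "read"),
    ("alice", "nurse", "medication_order", "read"),
    ("bob", "nurse", "medication_order", "read"),
    ("carol", "physician", "medication_order", "write"),
    ("dave", "physician", "medication_order", "write"),
    ("carol", "physician", "vitals", "read"),
    ("dave", "physician", "vitals", "read"),
    ("bob", "nurse", "psychiatric_notes", "read"),  # seen for one nurse only
]

# Constructed hand-written RBAC policy to audit against the log.
EXISTING_POLICY = {
    "nurse": {("vitals", "read"), ("medication_order", "read"), ("billing", "read")},
    "physician": {("vitals", "read"), ("medication_order", "write"),
                  ("psychiatric_notes", "read")},
}

def mine_role_policy(log, min_users=2):
    """Build role -> permissions from the log (assumed frequency rule)."""
    users = defaultdict(set)
    for user, role, resource, action in log:
        users[(role, resource, action)].add(user)
    policy = defaultdict(set)
    for (role, resource, action), who in users.items():
        if len(who) >= min_users:  # enough distinct role members used it
            policy[role].add((resource, action))
    return dict(policy)

def abnormal_accesses(log, policy):
    """Log entries not covered by the mined policy: candidates for review."""
    return [e for e in log if (e[2], e[3]) not in policy.get(e[1], set())]

def overpermissive(existing, log):
    """Grants in an existing policy that no member of the role ever used."""
    used = defaultdict(set)
    for _, role, resource, action in log:
        used[role].add((resource, action))
    return {role: sorted(perms - used[role])
            for role, perms in existing.items() if perms - used[role]}

if __name__ == "__main__":
    mined = mine_role_policy(AUDIT_LOG)
    print("mined policy:", mined)
    print("abnormal:", abnormal_accesses(AUDIT_LOG, mined))
    print("unused grants:", overpermissive(EXISTING_POLICY, AUDIT_LOG))
```

An access flagged as abnormal is a lead for human review rather than proof of abuse, and an unused grant is a candidate for removal once a long enough observation window has been covered.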
