Modelling privilege management and access control

OBJECTIVES To establish trustworthiness in advanced architectures for future-proof health information systems that are open, flexible, scalable, portable, and semantically interoperable, the required security and privacy services must be designed as an inherent part of the architecture. Such an architecture has to meet the paradigms of distribution, component orientation, formal modelling, separation of logical and technological aspects, etc.

METHODS In model-driven architectures, components providing security and privacy services have to be specified using the same methodology of formal models, with meta-languages as the means of expression, as is deployed in the computational, technical, or medical domains. The resulting approach must be based on the ISO Reference Model-Open Distributed Processing.

RESULTS Currently, standards developing organisations are defining emerging tasks and standards for semantic interoperability and trustworthy collaboration for advanced health information systems. Communication security issues have been specified and implemented, while application security challenges such as privilege management and access control are still under development. Therefore, a series of formal models has been developed by the authors covering, e.g., domains, service delegation, claims control, policies, roles, authorisations, and access control. The required models are introduced and interpreted in a generic way. The crucial concept of security policy and its relationship to the other concepts has been considered in detail.

CONCLUSION Based on formal models, security services can be integrated into advanced systems architectures, enabling semantic interoperability in the context of trustworthiness of communication and co-operation.
