Modeling and Enforcing Advanced Access Control Policies in Healthcare Systems with Sectet

This contribution gives an overview of various access control strategies in use in healthcare scenarios and shows how a variety of policies can be modeled based on a single security policy model for usage control, UCON. The core of this contribution consists of the specialization of the Sectet-Framework for Model Driven Security for complex healthcare scenarios based on UCON. The resulting Domain Architecture comprises a Domain Specific Language for the modeling of policies with advanced security requirements, a target architecture for the enforcement of these policies, and model-to-code transformations.
