Elsevier

Computers & Security

Volume 29, Issue 8, November 2010, Pages 848-858
Access control for smarter healthcare using policy spaces

https://doi.org/10.1016/j.cose.2010.07.001

Abstract

A fundamental requirement for the healthcare industry is that the delivery of care comes first and nothing should interfere with it. As a consequence, the access control mechanisms used in healthcare to regulate and restrict the disclosure of data are often bypassed in case of emergencies. This phenomenon, called “break the glass”, is a common pattern in healthcare organizations and, though quite useful and mandatory in emergency situations, from a security perspective, it represents a serious system weakness. Malicious users, in fact, can abuse the system by exploiting the break the glass principle to gain unauthorized privileges and accesses.

In this paper, we propose an access control solution aimed at better regulating break the glass exceptions that occur in healthcare systems. Our solution is based on the definition of different policy spaces, a language, and a composition algebra to regulate access to patient data and to balance the rigorous nature of traditional access control systems with the “delivery of care comes first” principle.

Introduction

Healthcare systems support interactions among patients, medical practitioners, insurance companies, and pharmacies. The very sensitive nature of the information managed by these systems requires balancing two contrasting needs: the need for data, to guarantee proper delivery of care; and the need for keeping data secure, to properly protect the privacy of patients. Access control is the base mechanism that healthcare systems adopt for protecting medical data. Traditional access control models and policies are based on the assumption that the access requests that will have to be obeyed are known in advance and can therefore be captured by authorizations. However, since in healthcare systems an important requirement is that “nothing interferes with the delivery of care” (Grandison and Davis, 2007), access control restrictions may need to be bypassed in case of emergencies, especially when the patient’s life is at risk. For instance, in case of emergency, a nurse may require (and should be granted) access to data that under “normal” conditions she cannot view. This phenomenon is usually referred to as “break the glass”. While useful and mandatory in the name of care delivery, break the glass can represent a weakness for the security of the system, since allowing it in an unconditional or uncontrolled manner can easily open the door to abuses (Rostad and Edsberg, 2006). To limit (or prevent) such abuses, the access control system should minimize the cases in which no regulation applies and the break the glass principle is enforced. An access control system designed to operate in the healthcare scenario should also be flexible and extensible (i.e., it should not be limited to a particular model or language), should protect the privacy of the patients, and should not allow exchange of identity data, in compliance with government legislation (e.g., the Health Insurance Portability and Accountability Act, 2006 in the United States).

In this paper, we address the need for a flexible and powerful access control system for the healthcare scenario by proposing a model that attempts to balance, on one hand, the rigorous nature of access control models and, on the other hand, the priority of care delivery in healthcare scenarios. We introduce the concept of policy space and we describe how policies, which regulate access to medical data, are specified and enforced within each space and how their composition works. Our proposal is aimed at limiting accesses that break the glass, by classifying (a subset of) these access requests as abuses or planned exceptions and by defining specific policies regulating them. In Ardagna et al. (2008b), we presented an early version of our proposal that here is extended to the consideration of context information, to allow environment factors to influence how and when a policy is enforced. With respect to the original paper, we also introduce an algebra for combining policies within spaces.

The remainder of this paper is organized as follows. Section 2 presents the requirements of an access control system in the healthcare scenario. Section 3 introduces our assumptions and an illustrative use case. Section 4 defines policy spaces for the management of exceptions. Section 5 defines our language in terms of authorizations, policies, and composition algebra. Section 6 illustrates how the policies are defined in the different spaces. Section 7 describes the policy evaluation and enforcement. Section 8 discusses related work. Finally, Section 9 presents our concluding remarks.

Requirements for access control in healthcare

The design of a comprehensive solution for protecting personal health information should incorporate the specific security, privacy, and integrity requirements arising in a healthcare scenario (Blobel et al., 2003). In the following, we consider three main categories of requirements: i) healthcare professional and patient requirements, ii) policy and model requirements, and iii) implementation requirements.

System assumptions

We assume a closed world scenario involving a healthcare provider (e.g., a hospital), where system users (e.g., doctors, nurses, and patients) are known, meaning that their information is available at access request. In addition to the user id, which uniquely identifies each user in the system, we assume that users are associated with profiles that contain pairs of the form 〈attribute_name,attribute_value〉 representing their properties. Such a user-related information is both static (i.e., it

Exception-aware policy spaces for healthcare

Access control systems tailored to the healthcare scenario are characterized, as illustrated in Fig. 1(a), by the presence of two policy spaces, namely P+ and ɛU. In general, a policy space can be defined as a policy repository, whose policies regulate access to resources. Space P+ represents authorized accesses and regulates common practice requests. If a request satisfies a policy in P+, then it is permitted. Space ɛU represents unplanned exceptions and regulates all those requests for which

Authorization and policy definition

We present an access control model including authorization and policy definition, and an algebra for composing them.

Policy space languages

We now show how policies are defined in the different spaces.

Policy evaluation and enforcement

We now discuss how policies in policy spaces are evaluated and enforced.

Access requests are of the form 〈user_id, action, object, purposes〉, where user_id is the identifier characterizing the requester, action is the action that is being requested, object is the object on which the requester wishes to perform the action, and purposes is the purpose (or set thereof) for which the access is requested. We assume that the personal information of patients is collected for a given purpose (e.g.,
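The evaluation order the paper describes (a request is checked against P+ first and only falls into the break-the-glass space ɛU when nothing else applies) is illustrated below by an added example that is not the paper's own code or language. The request tuple and the attribute/value profiles follow the paper; the "planned" and "abuses" lists are an assumed rendering of the planned-exception and abuse policies the introduction mentions, and every profile, policy and ward value is constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Tuple

# Access request <user_id, action, object, purposes> as in the paper.
@dataclass(frozen=True)
class Request:
    user_id: str
    action: str
    obj: str
    purposes: FrozenSet[str]

Profile = Dict[str, str]                     # <attribute_name, attribute_value> pairs
Policy = Callable[[Request, Profile], bool]  # a policy either matches a request or not

@dataclass
class PolicySpaces:
    p_plus: List[Policy] = field(default_factory=list)   # P+: authorized, common-practice accesses
    planned: List[Policy] = field(default_factory=list)  # planned exceptions (assumed space name)
    abuses: List[Policy] = field(default_factory=list)   # known abuse patterns (assumed space name)
    audit: List[Tuple[str, str]] = field(default_factory=list)  # (outcome, user_id) trail for review

    def evaluate(self, req: Request, profile: Profile, emergency: bool = False) -> str:
        if any(p(req, profile) for p in self.p_plus):
            return "permit"                               # regular authorization, no exception raised
        if any(p(req, profile) for p in self.abuses):
            self.audit.append(("abuse", req.user_id))     # explicitly regulated: never bypassable
            return "deny"
        if any(p(req, profile) for p in self.planned):
            self.audit.append(("planned-exception", req.user_id))
            return "permit"
        if emergency:                                     # ɛU: unplanned exception, break the glass
            self.audit.append(("break-the-glass", req.user_id))
            return "permit"
        return "deny"                                     # no space applies and no emergency

# Constructed sample profiles, object metadata and policies (not from the paper).
PROFILES: Dict[str, Profile] = {
    "d1": {"role": "doctor", "ward": "cardiology"},
    "n1": {"role": "nurse", "ward": "cardiology"},
    "n2": {"role": "nurse", "ward": "oncology"},
}
PATIENT_WARD = {"record/p42": "cardiology"}

def build_spaces() -> PolicySpaces:
    s = PolicySpaces()
    s.p_plus.append(lambda r, p: p["role"] == "doctor" and "treatment" in r.purposes)
    s.planned.append(lambda r, p: p["role"] == "nurse" and r.action == "read"
                     and PATIENT_WARD.get(r.obj) == p["ward"] and "treatment" in r.purposes)
    s.abuses.append(lambda r, p: r.action == "export" or "marketing" in r.purposes)
    return s

def run_demo() -> List[str]:
    s = build_spaces()
    read = lambda uid: Request(uid, "read", "record/p42", frozenset({"treatment"}))
    return [
        s.evaluate(read("d1"), PROFILES["d1"]),                  # permit via P+
        s.evaluate(read("n1"), PROFILES["n1"]),                  # permit via planned exception
        s.evaluate(read("n2"), PROFILES["n2"]),                  # deny: nothing applies, no emergency
        s.evaluate(read("n2"), PROFILES["n2"], emergency=True),  # permit via ɛU, audited
        s.evaluate(Request("n1", "export", "record/p42", frozenset({"marketing"})),
                   PROFILES["n1"], emergency=True),              # deny: abuse policy wins over ɛU
    ]
```

The last case is the point of the design: an access matching an abuse policy is denied even under an emergency flag, so break the glass only covers requests no other space regulates, and every exception leaves an audit entry.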

Related work

Although a number of projects and research works about access control models and languages have been presented in the last few years (Ardagna et al., 2008a, XACML, 2005, Bonatti and Samarati, 2002, Jajodia et al., 2001), only a few proposals have attempted to provide a comprehensive framework specifically targeted to the healthcare scenario (e.g., Røstad and Nytrø, 2008) and, in particular, to the management of exceptions (e.g., Rostad and Edsberg, 2006, Bhatti and Grandison, 2007, Keppler

Conclusions

In healthcare, nothing should interfere with the delivery of care. Solutions based on the break the glass principle are usually adopted to subvert access control decisions in emergency situations. The break the glass scenario, however, represents a backdoor for malicious users that try to gain unauthorized accesses. In this paper, we presented an exception-based access control solution whose main goal is to better control the break the glass attempts in healthcare systems, to reduce possible

Acknowledgments

This work was supported in part by the EU (project “PrimeLife”, 216483); Italian MIUR (project “PEPPER” 2008SY2PH4); and NSF (grants CT-20013A, CT-0716567, CT-0716323, CT-0627493, and CCF-1037987).

References

  • Agrawal R, et al. Securing electronic health records without impeding the flow of information. International Journal of Medical Informatics (2007).
  • Blobel B, et al. Using a privilege management infrastructure for secure web-based e-health applications. Computer Communications (2003).
  • Agrawal R, Kiernan J, Srikant R, Xu Y. Hippocratic databases. In: Proc. of the 28th international conference on very...
  • Agrawal R, Kini A, LeFevre K, Wang A, Xu Y, Zhou D. Managing healthcare data hippocratically. In: Proc. of the 2004 ACM...
  • Agrawal R, Bayardo R, Faloutsos C, Kiernan J, Rantzau R, Srikant R. Auditing compliance with a hippocratic database....
  • Ardagna C, et al. A privacy-aware access control system. Journal of Computer Security (2008).
  • Ardagna C, De Capitani di Vimercati S, Grandison T, Jajodia S, Samarati P. Regulating exceptions in healthcare using...
  • Bettini C, Jajodia S, Wang X, Wijesekera D. Provisions and obligations in policy management and security applications....
  • Bhatti R, Grandison T. Towards improved privacy policy coverage in healthcare using policy refinement. In: Proc. of the...
  • Bonatti P, et al. A uniform framework for regulating service access and information release on the web. Journal of Computer Security (2002).
  • Bonatti P, et al. An algebra for composing access control policies. ACM Transactions on Information and System Security (2002).
  • Brucker A, Petritsch H. Extending access control models with break-glass. In: Proc. of the 14th ACM symposium on access...
  • Cross-Enterprise Security and Privacy Authorization (XSPA) profile of XACML v2.0 for Healthcare: Implementation examples.
  • Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of XACML v2.0 for Healthcare, Version 1.0.
  • De Capitani di Vimercati S, et al. Recent advances in access control.

Claudio A. Ardagna is an assistant professor at the Information Technology Department, Università degli Studi di Milano, Italy. He received the laurea and PhD degrees, both in computer science, from the Università degli Studi di Milano in 2003 and 2008, respectively. His research interests are in the area of information security, privacy, access control, mobile networks, and open source. He is the recipient of the ERCIM STM WG 2009 Award for the Best Ph.D. Thesis on Security and Trust Management.

Sabrina De Capitani di Vimercati is a professor at the Information Technology Department, Università degli Studi di Milano, Italy. She received the Laurea and PhD degrees, both in Computer Science, from the Università degli Studi di Milano, Italy, in 1996 and 2001, respectively. Her research interests are in the area of information security, databases, and information systems. On these topics she has published more than 100 refereed technical papers in international journals and conferences. She has been an international fellow in the Computer Science Laboratory at SRI, CA (USA). She is a member of the Steering Committees of the European Symposium on Research in Computer Security (ESORICS) and of the ACM Workshop on Privacy in the Electronic Society (WPES). She is vice-chair of the IFIP WG 11.3 on Data and Application Security. She is co-recipient of the ACM-PODS’99 Best Newcomer Paper Award. The URL for her web page is http://www.dti.unimi.it/decapita.

Sara Foresti received the PhD in Computer Science from the Università degli Studi di Milano, Italy, in April 2009. She is a post-doc at the Information Technology Department, University of Milan, Italy. Her research interests are in the area of data security and privacy, with particular consideration of access control and information protection.

Tyrone W. Grandison leads the Intelligent Information Systems group in the Computer Science department at the IBM Almaden Research Center. Dr. Grandison received his B.Sc. and M.Sc. from the University of the West Indies, Jamaica, and his Ph.D. from the Imperial College of Science, Technology, and Medicine in the University of London, United Kingdom. He is a senior member of both the Association for Computing Machinery (ACM) and the Institute of Electrical and Electronics Engineers (IEEE). His research interests include database privacy and security, RFID traceability, privacy-preserving mobile computing, secure healthcare information systems, and management of very large text corpora.

Sushil Jajodia is University Professor, BDM International Professor of Information Technology, and the director of the Center for Secure Information Systems at George Mason University, Fairfax, Virginia. He served as the chair of the Department of Information and Software Engineering during 1998–2002. He joined Mason after serving as the director of the Database and Expert Systems Program within the Division of Information, Robotics, and Intelligent Systems at the National Science Foundation. Before that he was the head of the Database and Distributed Systems Section in the Computer Science and Systems Branch at the Naval Research Laboratory, Washington, and Associate Professor of Computer Science and Director of Graduate Studies at the University of Missouri, Columbia. He has also been a visiting professor at the University of Milan and University of Rome “La Sapienza”, Italy, and at the Isaac Newton Institute for Mathematical Sciences, Cambridge University, England.

Dr. Jajodia received his PhD from the University of Oregon, Eugene. The scope of his current research interests encompasses information secrecy, privacy, integrity, and availability problems in military, civil, and commercial sectors. He has authored six books, edited thirty-four books and conference proceedings, and published more than 350 technical papers in refereed journals and conference proceedings. He is also a holder of three patents and has several patent applications pending. He received the 1996 Kristian Beckman award from IFIP TC-11 for his contributions to the discipline of Information Security, the 2000 Outstanding Research Faculty Award from Mason’s Volgenau School of Information Technology and Engineering, and the 2008 ACM SIGSAC Outstanding Contributions Award for his research and teaching contributions to the information security field and his service to ACM SIGSAC and the computing community. His h-index is 65.

Dr. Jajodia has served in different capacities for various journals and conferences. He is the founding editor-in-chief of the Journal of Computer Security and on the editorial boards of IET Information Security, International Journal of Cooperative Information Systems, International Journal of Information and Computer Security, and International Journal of Information Security and Privacy. He is a past editor of ACM Transactions on Information and Systems Security and IEEE Transactions on Knowledge and Data Engineering. He is the consulting editor of the Springer International Series on Advances in Information Security. He has been named a Golden Core member for his service to the IEEE Computer Society, and received the International Federation for Information Processing (IFIP) Silver Core Award “in recognition of outstanding services to IFIP” in 2001. He is a past chair of the ACM Special Interest Group on Security, Audit, and Control (SIGSAC), the IEEE Computer Society Technical Committee on Data Engineering, and IFIP WG 11.5 on Systems Integrity and Control. He is a senior member of the IEEE and a member of the IEEE Computer Society and the Association for Computing Machinery. The URL for his web page is http://csis.gmu.edu/jajodia.

Pierangela Samarati is a professor at the Department of Information Technology, Università degli Studi di Milano, Italy. Her main research interests are in data protection, access control models, and information privacy and security. She has published more than 170 papers in international journals and conferences. She has been a computer scientist at SRI International, CA (USA), and a visiting researcher at Stanford University, CA (USA), and George Mason University, VA (USA). She is the chair of the Steering Committees of the ACM Workshop on Security and Privacy and of the European Symposium on Research in Computer Security. She is the Coordinator of the Working Group on Security of the Italian Association for Information Processing (AICA) and the Italian representative in the IFIP (International Federation for Information Processing) Technical Committee 11 (TC-11) on “EDP Security”. She is a member of the Steering Committees of the ACM Symposium on InformAtion, Computer and Communications Security (ASIACCS), the International Conference on Information Systems Security (ICISS), and the International Conference on Information and Communications Security (ICICS). She has served as program chair and on the program committees of various conferences. In 2009 she was named an ACM Distinguished Scientist. The URL for her web page is http://www.dti.unimi.it/samarati.

A preliminary version of this paper appeared under the title “Regulating Exceptions in Healthcare Using Policy Spaces,” in Proc. of the 22nd Annual IFIP WG 11.3 Working Conference on Data and Applications Security, London, U.K., July 2008 (Ardagna et al., 2008b).