Access Control for Healthcare Data Using Extended XACML-SRBAC Mode

Journal of Medical Systems, 2010

OASIS is a non-for-profit consortium that drives the development convergence and adoption of open standards for the global information society. It involves more than 600 organizations and individuals as well as IT leaders Sun, Microsoft, IBM and Oracle. One of its standards is XACML which appeared a few years ago and now there are about 150,000 hits on Google. XACML (eXtensible Access Control Markup Language) is not technology related. Sun published in 2004 open source Sun XACML which is in compliance with XACML 1.0. specification and now works to make it comply with XACML 2.0. The heart of XACML are attributes values of defined type and name that is to be attached to a subject, a resource, an action and an environment in which a subject request action on resource. In that way XACML is to replace Role Based Access Control which dominated for years. The paper examines performances in CEN 13 606 and ISO 22 600 based healthcare system which uses XACML for access control. Keywords Security and privacy. Access control. Electronic Health Record Related work on using XACML At the RSA 2008 Conference, members of the OASIS open standards consortium, in cooperation with the Health Information Technologies Standards Panel (HITSP), demonstrated interoperability of the Extensible Access Control Markup Language (XACML) version 2.0. Simulating a real world scenario provided by the US Department of Veterans Affairs, the demo showed how XACML ensures successful authorization decision requests and the exchange of authorization policies. The XACML Interop at the RSA 2008 conference utilizes requirements from Health Level Seven (HL7), ASTM International, and the American National Standards Institute (ANSI) [1]. For security reasons, enterprises are frequently unwilling to publicize the security mechanisms they use internally, and many deployments of XACML fall into this category. However, a large and growing number of businesses, institutions and university/research groups are now using XACML in their security systems. An example is children's hospital in Boston. The world's first personally controlled health record system, called Personal Internetworked Notary and Guardian (PING), enables a patient to own a complete, secure copy of his/ her record, integrating health information across sites of care and over time. PING utilizes the XACML Library to implement the necessary authorization functionality [2]. Another example is Australian's project NEHTA (National E-Health Transition Authority) which recommends XACML as a standard method of defining access policies for e-health services. [3] Related work on access control standards Commite European de Normalisation (CEN) standard ENV 13606 [4] In 2008 ISO gave ISO 13 606 on Electronic Healthcare Record Architecture. This standard is a revised Commite

2006

Abstract Medical applications have already been integrated into mobile devices (eg Tablet PCs, PDAs and smart phones) and are being used by medical personnel in treatment centers, for retrieving and examining patient's Electronic Health Records (EHR). In such mobile healthcare applications, specific attention is drawn towards the security requirements since the transmission of sensitive medical data through a public network renders the problem of communication privacy.

2005

Abstract The Extensible Access Control Markup Language (XACML) is a platform independent standard based access control policy specification language. It defines rules on how authorization decisions from evaluating applicable access control policies are combined. However, it fails to incorporate built-in trust and privacy-enhancing mechanisms. There are some possible attacks that are identified in the specification that can potentially breach the security of a system using XACML.

2009

The widespread diffusion of the Internet as the platform for accessing distributed services makes available a huge amount of personal data, and a corresponding concern and demand from users, as well as legislation, for solutions providing users with form of control on their data. Responding to this requirement raises the emerging need of solutions supporting proper information security governance, allowing enterprises managing user information to enforce restrictions on information acquisition as well as its processing and secondary use. While the research community has acknowledged this emerging scenario, and research efforts are being devoted to it, current technologies provide still limited solutions to the problem.

March 29-30, 2015 Singapore, 2015

In a cloud provisioned medical healthcare system, it is very important to ensure that resources and sensitive information (such as prescriptions, medical records and lab test data, etc) are accessed by and provided to authorized users and tenants whenever needed to be accessed. By using Attribute-Based Access Control (ABAC), not only role of the user but also other attributes, such as which resources he is allowed to access, what actions he is allowed to perform on those resources, what time of the date, whether he is at office or not and so on, are used for the fine-grained access control decision. Global policies are also needed to access and protect patient information from unauthorized access and to provide privacy. This ensures who can access what, under what conditions, and for what purpose. In the proposed system, XACML 3.0 standard is implemented to develop a prototype application. Through cloud computing platform (WSO2 Servers), the system can support the patients and healthcare workers to access the digital health records in hospitals easily by ensuring the patient's privacy and access to information.

Over the last few years there has been a rapid development of technologies such as ubiquitous computing and distributed multi-agent systems. As a consequence an increasing need to share information securely in a distributed dynamic environment has arisen. Risk-aware access control (RAAC) has recently shown promise as an approach to addressing this need of flexible and dynamical access control requirements. Additionally, OASIS proposed XACML as a new standard XML-based language for writing access control policies, requests and responses. The standard specification also defines reference architecture for implementing an XACML based system. Despite the fact that XACML is designed to support various access control models, we believe it doesn't provide a natural way for defining RAAC policies. In this paper we propose an approach that uses standard XACML features to implement RAAC. In particular, we abstract core components of RAAC relevant to risk assessment and risk mitigation, and illustrate how to define XACML policies to implement these components. We also propose a modular architecture for the XACML obligations service to handle both system and user obligations, which are typically used as risk mitigation methods in RAAC.

e-Technology, e-Commerce …, 2004

Foundations and Practice of Security, 2019

Mobile Health (mHealth) refers to a healthcare-provision scheme which uses mobile communication devices for effective detection, prognosis and delivery of services. mHealth systems consists of sensors collecting information from patients, cell phones through which users access the data, and a cloud-based remote data store for holding health information of the patients. Healthcare data contains sensitive information and it must be protected from unauthorized access. Although rolebased access control is commonly used for healthcare data, we advocate the use of attribute-based access control as it offers finer granularity of access and can be used across organizational boundaries. Specifically, we use the NIST Next Generation Access Control (NGAC) for representing the access control policies as it is efficient, expressive, and simplifies policy management. We propose an approach that allows constant time evaluation of access decisions based on using a graph database.

International Journal of Advanced Computer Science and Applications, 2016

Patients taking medical treatment in distinct healthcare institutions have their information deeply fragmented between very different locations. All this information-probably with different formats-may be used or exchanged to deliver professional healthcare services. As the exchange of information/ interoperability is a key requirement for the success of healthcare process, various predefined e-health standards have been developed. Such standards are designed to facilitate information interoperability in common formats. Fast Healthcare Interoperability Resources (FHIR) is a newly open healthcare data standard that aims to providing electronic healthcare interoperability. FHIR was coined in 2014 to address limitations caused by the ad-hoc implementation and the distributed nature of modern medical care information systems. Patient's data or resources are structured and standard in FHIR through a highly readable format such as XML or JSON. However, despite the unique features of FHIR, it is not a security protocol, nor does it provide any security-related functionality. In this paper, we propose a security specification model (SecFHIR) to support the development of intuitive policy schemes that are mapping directly to the healthcare environment. The formal semantics for SecFHIR are based on the well-established typing and the independent platform properties of XML. Specifically, patients' data are modeled in FHIR using XML documents. In our model, we assume that these XML resources are defined by a set of schemes. Since XML Schema is a well-formed XML document, the permission specification can be easily integrated to the schema itself, then the specified permissions are applied to instance objects without any change. In other words, our security model (SecFHIR) defines permissions on XML schemes level, which implicitly specify the permissions on XML resources. Using these schemes, SecFHIR can combine them to support complex constraints over XML resources. This will result in reusable permissions, which efficiently simplify the security administration and achieve finegrained access control. We also discuss the core elements of the proposed model, as well as the integration with the FHIR framework.

2007

As mobile adhoc networks (MANETs) are becoming popular for a variety of applications, so are the issues engulfing corresponding implementations. In this paper, a healthcare application is described for the environment where normal network connectivity may not be available hence adhoc networking of small scale healthcare units and corresponding devices becomes necessary. Different roles of such units are discussed to develop policy framework to facilitate role based access control conformant access. Furthermore, implementation of such access control within a typical healthcare environment is investigated.