Abstract
This contribution gives an overview of various access control strategies in use in healthcare scenarios and shows how a variety of policies can be modeled based on a single security policy model for usage control, UCON. The core of this contribution consists of the specialization of the Sectet-Framework for Model Driven Security for complex healthcare scenarios based on UCON. The resulting Domain Architecture comprises a Domain Specific Language for the modeling of policies with advanced security requirements, a target architecture for the enforcement of these policies and model-to-code transformations.
Copyright information
© 2008 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Hafner, M., Memon, M., Alam, M. (2008). Modeling and Enforcing Advanced Access Control Policies in Healthcare Systems with Sectet. In: Giese, H. (eds) Models in Software Engineering. MODELS 2007. Lecture Notes in Computer Science, vol 5002. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-69073-3_15
DOI: https://doi.org/10.1007/978-3-540-69073-3_15
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-69069-6
Online ISBN: 978-3-540-69073-3
eBook Packages: Computer Science, Computer Science (R0)