Exploring Security Techniques for Integrated Access of HIT Systems
Transcript of Exploring Security Techniques for Integrated Access of HIT Systems
BAIHAN-1
CSE5810
Exploring Security Techniques for Integrated Access of HIT Systems
Mohammed Baihan
Computer Science & Engineering Department
The University of [email protected]
Spring 2014
BAIHAN-2
Overview
Background
- Access Control Models
- Limitations w.r.t. HIT systems
Access Control for HIT systems
- MG-RBAC
- Towards Dynamic Access Control
- A Dynamic, Context-Aware Security Infrastructure
Conclusion
- Future work
BAIHAN-3
Why Security in Healthcare
Verizon report 2014:
- Data theft and loss
- Insider misuse
- Unintentional human error
Hackers target Boston Children's Hospital
HIPAA data breaches increased from 2009 to 2012
BAIHAN-4
Access Control Models (DAC)
Discretionary Access Control
Discretionary Access Control provides the resource's owner with the discretion to control access to the resource. For example, the UNIX operating system implements a file permission model to assign access rights to resources. A user may restrict access to a file by assigning [rwxr-xr-x] to that file, for example.
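As an added example (not from the slides), the following Python models the UNIX permission check just described: a mode string such as rwxr-xr-x is split into owner, group and other classes, exactly one class applies to a given user, and only the owner may change the mode, which is the "discretionary" part. The class names, the user/group structures and the sample files are this example's own assumptions.

```python
# Added example: a model of the UNIX file permission check (DAC).
# FileEntry, User, can_access and chmod are this example's own names;
# the nine-character mode string format (e.g. "rwxr-xr-x") is the real one.
from dataclasses import dataclass, field


@dataclass
class FileEntry:
    owner: str
    group: str
    mode: str  # nine characters: owner triple, group triple, other triple


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)


_OPS = ("read", "write", "execute")  # positions r, w, x inside each triple


def parse_mode(mode: str) -> dict:
    """Split a 9-char mode string into the permission set of each class."""
    if len(mode) != 9:
        raise ValueError("mode must be nine characters like rwxr-xr-x")
    classes = {}
    for cls, start in (("owner", 0), ("group", 3), ("other", 6)):
        perms = set()
        for ch, op, expected in zip(mode[start:start + 3], _OPS, "rwx"):
            if ch == expected:
                perms.add(op)
            elif ch != "-":
                raise ValueError(f"unexpected permission character {ch!r}")
        classes[cls] = perms
    return classes


def can_access(user: User, entry: FileEntry, op: str) -> bool:
    """UNIX-style check: the first matching class (owner, then group, then
    other) decides; a later class is not consulted even if it grants more."""
    perms = parse_mode(entry.mode)
    if user.name == entry.owner:
        cls = "owner"
    elif entry.group in user.groups:
        cls = "group"
    else:
        cls = "other"
    return op in perms[cls]


def chmod(user: User, entry: FileEntry, new_mode: str) -> bool:
    """The discretionary part: only the resource owner may change its mode."""
    if user.name != entry.owner:
        return False
    parse_mode(new_mode)  # validate before applying
    entry.mode = new_mode
    return True


if __name__ == "__main__":
    report = FileEntry("alice", "clinic", "rwxr-xr-x")
    alice, bob, eve = User("alice", {"clinic"}), User("bob", {"clinic"}), User("eve")
    print("bob can read:", can_access(bob, report, "read"))
    chmod(alice, report, "rw-------")  # alice restricts the file to herself
    print("bob can read after chmod:", can_access(bob, report, "read"))
    print("eve can read after chmod:", can_access(eve, report, "read"))
```

The usage at the bottom shows the limitation the later slides build on: the owner decides, and the only knob is the per-file mode, so the same file cannot be opened to a colleague for one visit and closed again without the owner editing it each time.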
BAIHAN-5
Access Control Models (RBAC)
Role-based Access Control
In an RBAC-based system there are roles. Each role is associated with access rights for each resource. Each user has a role. To change a user's access rights, remove the current role from the user and assign him another role.
BAIHAN-6
Access Control Models (RBAC)
Role-based Access Control
BAIHAN-7
Access Control Models (XML-based AC)
Extensible Access Control Markup Language (XACML)
XACML is an access control language that enables designers to specify policies to secure XML documents. These policies can be used to control access to resources in one system or across multiple connected systems. Users and resources have attributes and values. XACML uses two components: the policy enforcement point (PEP) and the policy decision point (PDP).
BAIHAN-8
Access Control Models (XML-based AC)
Extensible Access Control Markup Language (XACML)
- PEP creates an access request based on the user's attributes and the requested resource.
- PDP processes this request by querying it against the applicable policy and system state using the policy access point (PAP).
- PAP returns (permit, deny, indeterminate, or not applicable) to PEP.
- PEP allows or rejects the user's access request.
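As an added example (not from the slides, and not a real XACML engine), the following Python walks through the PEP/PDP/PAP flow above with attribute-based rules: the PEP assembles a request from subject, resource, action and context attributes, the PDP asks the PAP (modelled here as the policy store) for the rules whose target matches, combines them with deny-overrides, and produces one of the four outcomes, and the PEP lets only Permit through. The rule syntax, the class names and the sample rules and attributes are this example's own assumptions.

```python
# Added example: a minimal attribute-based policy evaluator in the shape of
# the XACML PEP / PDP / PAP flow. Not a real XACML implementation; the rule
# syntax, class names and sample policy are constructed for this example.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Attributes = Dict[str, object]
PERMIT, DENY, INDETERMINATE, NOT_APPLICABLE = "Permit", "Deny", "Indeterminate", "NotApplicable"


class MissingAttribute(KeyError):
    """Raised when a rule's condition needs an attribute the request lacks."""


def attr(request: Attributes, key: str):
    if key not in request:
        raise MissingAttribute(key)
    return request[key]


@dataclass
class Rule:
    name: str
    target: Attributes                                   # attribute -> required value
    effect: str                                          # PERMIT or DENY
    condition: Optional[Callable[[Attributes], bool]] = None


class PAP:
    """Policy store: hands the PDP the rules whose target matches the request."""
    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def applicable(self, request: Attributes) -> List[Rule]:
        return [r for r in self.rules
                if all(request.get(k) == v for k, v in r.target.items())]


class PDP:
    """Combines the applicable rules with deny-overrides semantics."""
    def __init__(self, pap: PAP):
        self.pap = pap

    def decide(self, request: Attributes) -> str:
        rules = self.pap.applicable(request)
        if not rules:
            return NOT_APPLICABLE
        outcome = NOT_APPLICABLE
        unevaluable = False
        for rule in rules:
            try:
                if rule.condition is not None and not rule.condition(request):
                    continue                 # condition false: the rule does not fire
            except MissingAttribute:
                unevaluable = True           # cannot tell whether it would have fired
                continue
            if rule.effect == DENY:
                return DENY                  # any firing Deny wins
            outcome = PERMIT
        # a rule we could not evaluate might have been a Deny, so never Permit here
        return INDETERMINATE if unevaluable else outcome


class PEP:
    """Builds the request from subject, resource, action and context, then enforces."""
    def __init__(self, pdp: PDP):
        self.pdp = pdp

    def evaluate(self, subject: Attributes, resource: Attributes, action: str,
                 context: Optional[Attributes] = None) -> str:
        request: Attributes = {"action": action}
        for prefix, attrs in (("subject", subject), ("resource", resource), ("context", context or {})):
            request.update({f"{prefix}.{k}": v for k, v in attrs.items()})
        return self.pdp.decide(request)

    def enforce(self, subject, resource, action, context=None) -> bool:
        # fail closed: Deny, Indeterminate and NotApplicable all reject the request
        return self.evaluate(subject, resource, action, context) == PERMIT


def build_pep() -> PEP:
    """Sample policy, constructed for this example."""
    rules = [
        Rule("physician-reads-own-patients",
             {"subject.role": "physician", "resource.type": "ehr", "action": "read"}, PERMIT,
             condition=lambda r: attr(r, "resource.patient") in attr(r, "subject.patients")),
        Rule("nurse-reads-on-own-ward",
             {"subject.role": "nurse", "resource.type": "ehr", "action": "read"}, PERMIT,
             condition=lambda r: attr(r, "resource.ward") == attr(r, "subject.ward")),
        Rule("ehr-only-from-inside-hospital", {"resource.type": "ehr"}, DENY,
             condition=lambda r: attr(r, "context.location") != "hospital"),
    ]
    return PEP(PDP(PAP(rules)))
```

The point to notice is the Indeterminate path: a request that omits the location attribute cannot be evaluated against the deny rule, and the PEP treats that as a rejection rather than falling back to the Permit that the physician rule produced.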
BAIHAN-9
Access Control Models (XML-based AC)
Extensible Access Control Markup Language (XACML)
XACML architecture
BAIHAN-10
Limitations w.r.t. HIT systems
The healthcare industry requires:
- Flexible, on-demand authentication: users are authenticated according to their task-specific situations.
- Extensible context-aware access control: enables administrators to specify more precise and fine-grained authorization policies for any application.
- Dynamic authorization enforcement: makes authorization decisions based upon runtime parameters rather than simply the role of the user.
- Emergency, or exception, access: if the normal access control mechanism won't grant a user legitimate access, use an exception mechanism to gain access to the required information.
BAIHAN-11
MG-RBAC
MG-RBAC: an enhanced access control model combining RBAC with the use of Medical Guidelines.
Medical guidelines contain temporal and contextual information that may be used to make more informed, dynamic access control decisions.
BAIHAN-12
Medical Guideline example
Treatment of GDM, diabetes in pregnant women (blood sugar level is 140-200 mg/dl):
- Glucose monitoring: patient verifies that glucose level < 140 mg/dl (1-hour post meals), < 100 mg/dl (fasting and pre-prandial).
- Nutrition: solve it with diet. Regular follow-ups (every 1-4 weeks), different for each patient.
- Insulin therapy: initiated if blood sugar is consistently high and diet modification has failed.
BAIHAN-13
Medical Guideline example
First: the guideline is selected based on diagnosis (blood sugar measurement of 140-200 mg/dl), as follows:
BAIHAN-14
Medical Guideline example
One possibility is periodic consultations; then the physician should be assigned a role to access patient data only at each visit, as follows:
BAIHAN-15
Medical Guideline example
Another possibility is an event that triggers access needs; then the physician should be assigned a role to access patient data only at that time, as follows:
BAIHAN-16
MG-RBAC model
Based on this example, an MG-RBAC model can be created as follows:
BAIHAN-17
MG-RBAC model
The Guideline Monitor receives triggered events and tracks time for the next periodic event. Then the Access Control Monitor will be requested to activate roles. Then the Access Control Monitor alerts users to their roles.
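As an added example (not from the slides), the following Python puts the RBAC model from the earlier slides and the MG-RBAC flow just described together: a static role-to-permission table and a one-role-per-user assignment, plus a Guideline Monitor that turns the GDM guideline's periodic follow-ups and triggering events into requests to an Access Control Monitor, which activates the physician's role only for a bounded window and records an alert for the user. The class and method names, the two-week visit interval, the activation windows, and the use of the guideline's 140/100 mg/dl limits as event triggers are this example's own assumptions.

```python
# Added example: RBAC with guideline-driven, time-bounded role activation
# (an illustration of the MG-RBAC flow, not the author's implementation).
# Class names, windows, intervals and thresholds are this example's assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

Permission = Tuple[str, str]          # (resource, action)


def ts(text: str) -> datetime:
    """Parse the 'YYYY-MM-DDTHH:MM' timestamps used throughout this example."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M")


@dataclass
class Activation:
    user: str
    role: str
    start: datetime
    end: datetime                      # exclusive


class AccessControlMonitor:
    """Static RBAC data (role -> permissions, user -> role) plus the
    time-bounded activations that make a user's role usable."""
    def __init__(self, role_permissions: Dict[str, Set[Permission]], user_roles: Dict[str, str]):
        self.role_permissions = role_permissions
        self.user_roles = user_roles  # each user holds exactly one role
        self.activations: List[Activation] = []
        self.alerts: List[str] = []

    def activate(self, user: str, start: datetime, end: datetime) -> Activation:
        role = self.user_roles.get(user)
        if role is None:
            raise ValueError(f"{user} has no role assigned")
        act = Activation(user, role, start, end)
        self.activations.append(act)
        # alert the user that the role is now available for this window
        self.alerts.append(f"{user}: role {role} active {start:%Y-%m-%d %H:%M} to {end:%Y-%m-%d %H:%M}")
        return act

    def check(self, user: str, resource: str, action: str, now: datetime) -> bool:
        """Permit only if some activation covers `now` and its role grants the permission."""
        return any(a.user == user and a.start <= now < a.end
                   and (resource, action) in self.role_permissions.get(a.role, set())
                   for a in self.activations)


class GuidelineMonitor:
    """Turns the guideline's periodic visits and triggering events into activation requests."""
    def __init__(self, acm: AccessControlMonitor,
                 visit_interval: timedelta = timedelta(weeks=2),
                 visit_window: timedelta = timedelta(hours=2),
                 event_window: timedelta = timedelta(hours=24)):
        self.acm = acm
        self.visit_interval = visit_interval
        self.visit_window = visit_window
        self.event_window = event_window
        self.visits: List[datetime] = []

    def schedule_visits(self, user: str, first_visit: datetime, until: datetime) -> List[datetime]:
        """Periodic consultations: one activation per scheduled visit."""
        t = first_visit
        while t <= until:
            self.acm.activate(user, t, t + self.visit_window)
            self.visits.append(t)
            t += self.visit_interval
        return self.visits

    def next_visit(self, now: datetime) -> Optional[datetime]:
        """Time tracking for the next periodic event."""
        upcoming = [v for v in self.visits if v >= now]
        return min(upcoming) if upcoming else None

    def glucose_reading(self, user: str, mg_dl: int, fasting: bool, when: datetime) -> bool:
        """Event trigger: a reading at or above the guideline limit (100 mg/dl
        fasting, 140 mg/dl one hour post-meal) activates the physician's role
        for `event_window` so the reading can be reviewed. Returns True if triggered."""
        limit = 100 if fasting else 140
        if mg_dl < limit:
            return False
        self.acm.activate(user, when, when + self.event_window)
        return True
```

Outside any activation window the physician holds the role but cannot use it, which is what the "role active only at each visit" and "only at that time" slides ask for; the alert list is the Access Control Monitor's notification channel to the user.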
BAIHAN-18
Dynamic Access Control
Workflow knowledge: medical guidelines, work plans and observed behavior (audit data) all contain information about workflow in healthcare.
BAIHAN-19
Medical Guidelines
The Guideline Monitor receives triggered events and tracks time for the next periodic event. Then the Access Control Monitor will be requested to activate roles. Then the Access Control Monitor alerts users to their roles.
BAIHAN-20
Observational data
Information needs in pre-rounds meeting
BAIHAN-21
Observational data
Clinicians were observed at work in the pre-rounds meeting and ward rounds. The observed information is:
- who was present
- the subject of discussion (patient)
- information sources (written/electronic and oral)
- type of information used
BAIHAN-22
Observational data
Patient NN is new to the doctor; the nurse fills in some background info. Several information sources are used:
- paper-based (the patient list and the patient chart)
- computer-based information systems (the electronic patient record (EPR) and the radiology imaging system (IDS))
Observations may be used to uncover information needs in specific situations with a specific diagnosis, and to link these to roles.
BAIHAN-23
Usage patterns from audit logs
Audit logs have traces of user actions:
- the user's role at the time
- what information was accessed
- for which patient
- what actions were performed
From these audit logs it is possible to create generalized usage patterns per role.
BAIHAN-24
Usage patterns from audit logs
This information can be used for access control as follows: examine the reasons for using exception access. The most frequent reasons are candidates for inclusion in the access control rule set.
BAIHAN-25
Usage patterns from audit logs
Look for common usage patterns that describe workflows in wards. Examples are:
Temporal patterns
– If action X occurs, then action Y occurs within Z time.
Responsibility patterns
– If action X is performed by Role A, then action Y is performed by Role B.
Location patterns
– If action X is performed at ward 1, then action Y is performed at ward 2.
Situation patterns
– Role X is in situation S in a guideline, and requires specific information.
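As an added example (not from the slides), the following Python mines the audit-log material of the last three slides from a small constructed log: it ranks the reasons given for exception access, builds per-role usage counts, and measures the temporal pattern "X then Y within Z" on a per-patient basis, with the same matching reused to count the role pairs (responsibility patterns) and ward pairs (location patterns) that occur. The log format, the field names, the sample records and the function names are this example's own assumptions; situation patterns depend on the guideline state and are not covered here.

```python
# Added example: extracting usage patterns from a constructed audit log.
# Log format, field names, sample records and function names are assumptions.
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterator, List, NamedTuple, Optional, Tuple


class AuditEvent(NamedTuple):
    time: datetime
    user: str
    role: str                         # the user's role at the time
    patient: str                      # for which patient
    action: str                       # what was done / which information was accessed
    ward: str
    exception_reason: Optional[str]   # set only when the exception mechanism was used


# Constructed sample log: "<time> <user> <role> <patient> <action> <ward> <exception reason or ->"
SAMPLE_LOG = """\
2014-03-03T08:05 nurse01 nurse P1 read_chart ward1 -
2014-03-03T08:10 nurse01 nurse P1 update_vitals ward1 -
2014-03-03T08:40 dr01 physician P1 read_chart ward1 -
2014-03-03T08:45 dr01 physician P1 order_lab ward1 -
2014-03-03T09:00 nurse02 nurse P2 update_vitals ward2 -
2014-03-03T09:20 dr01 physician P2 order_lab ward2 -
2014-03-03T11:00 dr02 physician P3 read_chart ward2 emergency: patient not on my list
2014-03-03T13:00 nurse02 nurse P3 update_vitals ward2 -
2014-03-03T15:30 dr02 physician P3 order_lab ward2 emergency: patient not on my list
2014-03-04T08:00 dr03 physician P4 read_chart ward1 covering colleague
"""


def parse_log(text: str) -> List[AuditEvent]:
    """Parse the sample format into time-ordered events (reason may contain spaces)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, user, role, patient, action, ward, reason = line.split(maxsplit=6)
        events.append(AuditEvent(datetime.strptime(t, "%Y-%m-%dT%H:%M"), user, role,
                                 patient, action, ward, None if reason == "-" else reason))
    return sorted(events, key=lambda e: e.time)


def exception_reasons(events: List[AuditEvent]) -> List[Tuple[str, int]]:
    """Most frequent exception-access reasons first: candidates for new rules."""
    return Counter(e.exception_reason for e in events if e.exception_reason).most_common()


def usage_by_role(events: List[AuditEvent]) -> Dict[str, Counter]:
    """Generalized usage pattern per role: how often each role performs each action."""
    by_role: Dict[str, Counter] = defaultdict(Counter)
    for e in events:
        by_role[e.role][e.action] += 1
    return dict(by_role)


def _followers(events: List[AuditEvent], x: str, y: str,
               window_minutes: int) -> Iterator[Tuple[AuditEvent, Optional[AuditEvent]]]:
    """For every X event, yield it with the first Y on the same patient
    within the window (or None if no such Y follows)."""
    window = timedelta(minutes=window_minutes)
    ordered = sorted(events, key=lambda e: e.time)
    for i, ex in enumerate(ordered):
        if ex.action != x:
            continue
        follower = None
        for ey in ordered[i + 1:]:
            if ey.time - ex.time > window:
                break                      # events are ordered, nothing later can match
            if ey.patient == ex.patient and ey.action == y:
                follower = ey
                break
        yield ex, follower


def temporal_support(events: List[AuditEvent], x: str, y: str, window_minutes: int) -> Tuple[int, int]:
    """Temporal pattern: (X events followed by Y within the window, all X events)."""
    pairs = list(_followers(events, x, y, window_minutes))
    return sum(1 for _, ey in pairs if ey is not None), len(pairs)


def follow_pairs(events: List[AuditEvent], x: str, y: str, window_minutes: int, attribute: str) -> Counter:
    """Responsibility pattern (attribute="role") or location pattern (attribute="ward"):
    count (attribute of X, attribute of Y) over the X->Y matches."""
    return Counter((getattr(ex, attribute), getattr(ey, attribute))
                   for ex, ey in _followers(events, x, y, window_minutes) if ey is not None)


EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    print("exception reasons:", exception_reasons(EVENTS))
    print("update_vitals -> order_lab within 60 min:", temporal_support(EVENTS, "update_vitals", "order_lab", 60))
    print("role pairs:", follow_pairs(EVENTS, "update_vitals", "order_lab", 60, "role"))
    print("ward pairs:", follow_pairs(EVENTS, "update_vitals", "order_lab", 60, "ward"))
```

On the sample log the most frequent exception reason is the physician who is not on the patient's list; in the process the slides describe, that reason, together with the observed nurse-then-physician pairing, is what an administrator would examine when deciding whether the rule set should grant that access normally instead.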
BAIHAN-26
Future work
- Exploring MG-RBAC further by creating a more detailed model and developing a proof-of-concept implementation.
- Optimistic access control, based on analysis and learning from practice as intended and as enacted, is a first step towards both effective relevance ranking and optimal access control.