Integrating Attribute-Based Access Control with FHIR for ...
Transcript of Integrating Attribute-Based Access Control with FHIR for ...
Integrating Attribute-Based Access Control with FHIR for Privacy Preserving Health Data Disclosure
Mustafa Al Lail and Subhojeet Mukherje
Colorado State UniversityComputer Science Department
2
Motivating Scenario
Patient2: a highly visible politician
Patient1: a former drug addict
Policy: don’t share my drug use info.
Policy: release my treatment data one a yearly basis only
Researcher1: HIPAA compliant studying the effectiveness of a drug on hepatitis C.
Request : get me patient’s drug history and symptoms for every month.
Institute1
Policy: release patient data to HIPAA compliant researchers
Institute2
Policy: release statistics (no less than 10 patients) to researchers.
Doctors
3
The approach integrates the following technologies: 1. Attribute-Based Access Control(ABAC)
2. eXtensible Access Control Markup Language(XACML) An OASIS standard XACML components:
Policy language to specify access rules Request/response protocol to query and evaluates user access request
against policies Reference architecture for deployment
3. Fast Healthcare Interoperability Resources (FHIR) Next generation standards framework for storing and
disseminating health data.
4. IRB authentication protocol
Approach
4
Approach
5
Attribute-Based Access Control
6
XACML Policy Structure
7
XACML Policy Language Model
8
Institute1Policy Set
9
Policy1
10
XACML Request
11
XACML Response
12
IRB Authentication Protocol
IRB Sever
PEP
(1) Request (fills forms + Purpose (GET,POST,PUT etc))
(2) [H(SK,token,PURPOSE),token)]
Researcher
(3) [H(H(SK,token,Purpose),nonce), token,nonce], Request (Purpose)
13
Implementation Solution Architecture
WSO2 Identity Sever
PDPPAP
PEP PIP
FHIR Sever
Health Data Database
14
• Demo
15
We investigated the integration of ABAC, XACML, IRB, and FHIR to preserve the privacy of patients.
Developed the skeleton of a proof of concept prototype implementation
So far, the approach is feasible. Different kinds of policies and requests
Summary
16
Integrating services: Applying the approach to different policies Studying the usability and performance
Dissemination of the work Journal Article FHIR Code-A-Thon competition April 1-2, 2016
Future Work
17
Thank you for listeningQA session & discussion
Colorado State UniversityComputer Science Department