RBAC FHIR Extension to Define and Enforce Security ... · RBAC FHIR Extension to Define and Enforce...
Transcript of RBAC FHIR Extension to Define and Enforce Security ... · RBAC FHIR Extension to Define and Enforce...
RBAC FHIR Extension to Define and Enforce
Security Policies on FHIR Resources
Mohammed Baihan, Ph.D. Student
Steven A. Demurjian, Professor Computer Science & Engineering Department
Thomas Agresta, MD, Professor & Director Medical Informatics Family Medicine Department
The University of Connecticut
[email protected], [email protected], [email protected]
http://www.engr.uconn.edu/~steve/UConnUCHCFHIR.pdf
1
Motivation
• Unauthorized access to a larger set of patients data in
multiple systems:
– FHIR provides unrestricted access to its Resources and API
• Users (e.g. patients) need to control access to their data:
– patients may grant/revoke a physician access to specific part of
their medical record
• Apps developers need an easy way to add security:
– most developers focus only on the app functionalities
2
Background
• Connecticut Concussion Tracker (CT2) mHealth App
– New State Law (HB6722) to track concussion of kids between ages
7 to 19 in public schools
– iOS and Andriod Versions
– MySQL Database and RESTful API
– Screens for: Student Demo, Cause, Symptoms, Follow-up, Return
• Collaboration Between Departments of:
– Physiology and Neurobiology
– Computer Science & Engineering
– Schools of Nursing and Medicine
3
CT2 (iOS Version)
4
CT2 (iOS Version)
5
Multi-Focal Approach
• Incorporate RBAC into CT2 to Control by User/Role
– Accessible Screens
– Read/Enter/Edit Content on Screen-by-Screen Basis
– Control which RESTful Services are Called
• Integrate CT2 with OpenEMR for a Central Secure
Repository
• Investigate Alternative Blueprints for Integration via FHIR
• Design and Develop an RBAC Interceptor for HAPI FHIR
for CT2 integrated with OpenEMR
• End Result: A user/role is Restricted to only the needed
data (FHIR resources) at API level (FHIR CRUD APIs)
6
Specific Steps
• Map CT2 Database Content to OpenEMR via FHIR
• Explain the RBAC Interceptor in HAPI FHIR
• Extend the Mapping with RBAC Interceptor
• Sample RBAC Policy for CT2
• Illustrate HAPI FHIR RBAC Interceptor (AuthInterceptor)
• Code Level Demonstration:
– AuthInterceptor usage:
• JSON format for policy
• Extending AuthInterceptor
– Policy enforcement example
• Allowed Access
• Denied Access 7
Map CT2 DB Content to OpenEMR via FHIR
8
Role-based Access Control Interceptor
• Extends HAPI FHIR reference library with Access Control on the CRUD APIs of FHIR Resources.
• Specifically, the InterceptorAdapter Class of HAPI FHIR is extended with a new interceptor class (AuthInterceptor) to support: – Definition of policy: assign roles to users, and authorize FHIR
resources (with CRUD) to roles
– Specific JSON format for policy
– Dynamic policy enforcement: restrict a user to access specific set of FHIR resources (with CRUD) based on the user’s role
Contact [email protected] for AuthInterceptor Code
9
HAPI FHIR InterceptorAdapter
10
HAPI FHIR AuthInterceptor
11
12
HAPI FHIR AuthInterceptor
Sample RBAC Policy for CT2
• Four different roles:
– Athletic Trainer, Coach, Nurse, Parent
13
How to use AuthInterceptor
14
• A developer needs to:
– Design simple API that retrieves RBAC policy
– Extend the AuthInterceptor class and provide a link to
the RBAC policy API
JSON format for policy
15
Extending AuthInterceptor
16
Allowed Access
17
Denied Access
18
Relevant Work Published
• Rivera Sánchez, Y., K. Demurjian, S., and Baihan, M. “Achieving
RBAC on RESTful APIs for Mobile Apps using FHIR,” accepted, to
appear in http://www.mobile-cloud.net/, April 2017.
• Baihan, M., K. Rivera Sánchez, Y., Shao, X., Gilman, C., Demurjian,
S., and Agresta, T., “A Blueprint for Designing and Developing an
mHealth Application for Diverse Stakeholders Utilizing Fast Healthcare
Interoperability Resources”, accepted, to appear in Contemporary
Applications of Mobile Computing in Healthcare Settings, R. Rajkumar
(ed.), IGI Global. http://www.igi-global.com/publish/call-for-papers/call-
details/2287
• Baihan, M., and Demurjian, S., “A Framework for Secure and
Interoperable Cloud Computing,” accepted, to appear in Springer
Research Advances in Cloud Computing, under second review, S.
Chaudhary (ed.), http://www.cloudbus.org/racc/ .
19
Current Ongoing BMI Research
Current Ph.D. Doctoral Students:
• Framework for Secure and Interoperable Cloud
Computing – Mohammed Baihan
• Role-Based Access Control (RBAC) for Mobile
Computing – Yaira Rivera Sanchez
• Adaptive Trust Negotiation for Time-Critical Access to
Healthcare Data – Eugene Sanzi
• Spatio-Situation-Based Access Control Model for
Dynamic Permissions – Xian Shao
• Architectural Alternatives for HIE using FHIR – Timo
Ziminski
20
Questions & Answers
Thanks!
21