Multi-domain and Privacy-aware Role Based Access Control in eHealth

Lorenzo D. Martino, Qun Ni, Dan Lin, Elisa Bertino

This work has been supported by IBM OCR project “Privacy and Security Policy Management” and the NSF grant 0712846 “IPS: Security Services for Healthcare Applications”.
Outline
• Healthcare is a multi-domain
  environment
• Privacy in e-Health
• Why RBAC?
• Core P-RBAC
• Multi-domain P-RBAC
• Conclusions and future work
Healthcare is a distributed multi-domain environment
[Figure: Hospital (owning domain) with Clinicians, Nurses, Staff and HRO; contracted services: emergency dept. physicians, anesthesiologists; external domains: Analysis Lab., Insurance, University.]
Privacy in healthcare
• Privacy is an important issue
  – HIPAA – Healthcare Insurance
    Portability and Accountability Act
    (1996)
• Privacy protection policies
  – Privacy notices, policies by NL or P3P
• Enforcing privacy policies is the
  key
Privacy policy management
[Figure: laws & regulations; internal privacy & security policies; procedures, processes, controls; reconciliation; machine-processable policies; application-level policies; data-level policies; arrow label "can generate".]
Why RBAC?
• RBAC advantages
  – It is based on the notion of functional roles in an
    organization
  – It provides a simple and natural approach to modeling
    organizational security policies
  – It simplifies authorization administration
  – It meets a large variety of security requirements and
    has received considerable attention by healthcare
    organizations: RBAC task force - Department of
    Veterans Affairs (VA), Department of Defense (DoD)
• However, RBAC cannot support privacy policies
  without some extension
Privacy-aware RBAC (P-RBAC)
• P-RBAC extends the RBAC model in
  order to support privacy-aware access
  control
• Privacy policies are expressed as
  permission assignments (PA); these
  permissions differ from permissions in
  classical RBAC because of the presence
  of additional components, representing
  privacy-related information
Core P-RBAC
• Privacy Sensitive
  Data Permission
  (a, d, p, c, o)
Policies – an example
• For treatment purposes, patients’
  medical information can be accessed by
  physicians, nurses, technicians, medical
  students, or others who are involved in
  the patients’ care or by other
  departments of the healthcare
  organization for the care/therapy
  coordination or by contracted physician
  services, such as emergency
  department physicians, pathologists,
  anesthesiologists, radiologists.
Permissions in P-RBAC
(physician, read, patient.EMR.raw, treatment, subject = patient.duty_physician, ;)

• the physician role can read patient EMR
  content
• for treatment purpose
• patient.EMR.raw is a data object specified
  according to a condition:
   – the subject associated with the physician role can
     access the data only if the subject is the patient’s
     on-duty physician (subject = patient.duty_physician)
Multi-domain P-RBAC
• It extends P-RBAC with:
  – Role precondition: a user can be assigned
    to a certain role provided that the user is
    associated to one or more specific roles in
    his/her home organization
  – Data profile: it allows specifying sets of data
    such as a patient’s identification data, therapy
    data, prescriptions and so forth
Permissions in Ext P-RBAC
((GP, HP, physician), read, patient.EMR.raw, treatment,
   subject = patient.duty_physician, ;)

• Role precondition: the physician role can be assigned to
  a subject provided that he/she plays the GP role in the
  Healthcare organization HP
• the physician role can read patient EMR content
• for treatment purpose
• patient.EMR.raw is a data object specified according to
  a condition:
   – the subject associated with the physician role can access the
     data only if the subject is the patient’s on-duty physician
     (subject = patient.duty_physician)
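
An added example, not code from the slides or their authors: a minimal evaluator for the extended permission above, checking the role precondition (GP at HP), the action/data/purpose match and the condition subject = patient.duty_physician. The class and function names, the string condition syntax, the user names, and the representation of home-organization role assertions as (user, role, org) tuples are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RolePrecondition:
    home_role: str  # role the user must already play at home, e.g. "GP"
    home_org: str   # home organization vouching for that role, e.g. "HP"


@dataclass(frozen=True)
class Permission:
    role: str
    action: str
    data: str
    purpose: str
    condition: str = ""        # "lhs = rhs" over dotted paths; "" means none
    obligations: tuple = ()    # empty in the slide's example
    precondition: Optional[RolePrecondition] = None


def resolve(path, ctx):
    """Resolve a dotted path such as patient.duty_physician against ctx."""
    value = ctx
    for part in path.split("."):
        if not isinstance(value, dict) or part not in value:
            return None  # unknown attribute
        value = value[part]
    return value


def condition_holds(condition, ctx):
    """Evaluate an equality condition; malformed or unresolved fails closed."""
    if not condition:
        return True
    lhs, sep, rhs = condition.partition("=")
    if not sep:
        return False
    left, right = resolve(lhs.strip(), ctx), resolve(rhs.strip(), ctx)
    return left is not None and left == right


def may_hold_role(perm, user, home_roles, trusted_orgs):
    """Role precondition: the home org must be trusted by the owning domain
    and must have asserted that the user plays the required home role."""
    pre = perm.precondition
    if pre is None:
        return True
    if pre.home_org not in trusted_orgs:
        return False
    return (user, pre.home_role, pre.home_org) in home_roles


def decide(policy, request, home_roles, trusted_orgs):
    """Return (allowed, obligations) for one access request; default deny."""
    ctx = {"subject": request["subject"], "patient": request["patient"]}
    wanted = (request["role"], request["action"],
              request["data"], request["purpose"])
    for perm in policy:
        if (perm.role, perm.action, perm.data, perm.purpose) != wanted:
            continue
        if not may_hold_role(perm, request["subject"], home_roles, trusted_orgs):
            continue
        if condition_holds(perm.condition, ctx):
            return True, perm.obligations
    return False, ()


# The extended permission from the slide, with its empty obligation set.
POLICY = [Permission("physician", "read", "patient.EMR.raw", "treatment",
                     "subject = patient.duty_physician", (),
                     RolePrecondition("GP", "HP"))]

# Constructed sample data: role assertions from home organizations and the
# set of organizations the owning domain trusts.
HOME_ROLES = {("dr_rossi", "GP", "HP")}
TRUSTED_ORGS = {"HP"}


def make_request(subject, purpose="treatment", duty_physician="dr_rossi"):
    """Build a constructed read request for one patient's raw EMR."""
    return {"subject": subject, "role": "physician", "action": "read",
            "data": "patient.EMR.raw", "purpose": purpose,
            "patient": {"id": "p-001", "duty_physician": duty_physician}}


if __name__ == "__main__":
    for req in (make_request("dr_rossi"),
                make_request("dr_rossi", purpose="research"),
                make_request("dr_bianchi", duty_physician="dr_bianchi")):
        print(req["subject"], req["purpose"],
              decide(POLICY, req, HOME_ROLES, TRUSTED_ORGS))
```

The third request is denied even though the condition holds, because no trusted home organization has asserted the GP role for that user.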
Conclusions
• Role preconditions enhance security
• Role preconditions provide a further control in
  addition to user identification and authentication,
  by relying upon organizational control processes
• Underlying assumptions:
   – a) there is a trust relationship between the owner
     organization and the users’ home organization, and
   – b) the users’ home organization itself adopts a controlled
     process before declaring that its users play a certain role
Future Work
• Investigate different role
  provisioning strategies
• Implementation on LBAC database
• Consistency analysis techniques on
  privacy permissions w.r.t. data
  profile
Questions?
Thank you!
          Lorenzo D. Martino
Computer & Information Technology Dept.
           Purdue University
         lmartino@purdue.edu
