
Page 1: Exploring Security Techniques for Integrated Access of HIT Systems

BAIHAN-1

CSE5810

Mohammed Baihan
Computer Science & Engineering Department, The University of Connecticut
[email protected]

Spring 2014

Page 2: Overview

Background
- Access Control Models
- Limitations w.r.t. HIT systems

Access Control for HIT systems
- MG-RBAC
- Towards Dynamic Access Control
- A Dynamic, Context-Aware Security Infrastructure

Conclusion
- Future work

Page 3: Why Security in Healthcare

Verizon report 2014:
- Data theft and loss
- Insider misuse
- Unintentional human error

Hackers target Boston Children's Hospital.

HIPAA data breaches increased from 2009 to 2012.

Page 4: Access Control Models (DAC)

Discretionary Access Control gives the resource's owner the discretion to control access to that resource.

For example, the UNIX operating system implements a file permission model to assign access rights to resources: a user may restrict access to a file they own by setting its mode to [rwxr-xr-x], which grants the owner read, write and execute, and the owner's group and everyone else only read and execute. The control is "discretionary" because the owner alone chooses these bits; nothing in the model stops an owner, or a program running as the owner, from opening the file to everybody.
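The UNIX mode check behind the rwxr-xr-x example, as an added illustration that is not code from the slides: it renders and parses the nine permission bits and reproduces the kernel's owner/group/other decision, including the detail that only the first matching class is consulted. The uid/gid values and the temporary file in the demo are constructed.

```python
"""UNIX file-mode DAC, as in the rwxr-xr-x example above.

Added example, not code from the slides: it renders mode bits, parses them
back, and reproduces the kernel's owner/group/other check.
"""
import os
import stat
import tempfile

# (class, read bit, write bit, execute bit), in the order the kernel tests them
_CLASSES = (
    ("user",  stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR),
    ("group", stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
    ("other", stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH),
)


def mode_to_symbolic(mode: int) -> str:
    """Render the nine permission bits ls-style: 0o755 -> 'rwxr-xr-x'."""
    chars = []
    for _, r, w, x in _CLASSES:
        chars += ["r" if mode & r else "-",
                  "w" if mode & w else "-",
                  "x" if mode & x else "-"]
    return "".join(chars)


def symbolic_to_mode(sym: str) -> int:
    """Parse 'rwxr-xr-x' back into the numeric bits (0o755)."""
    if len(sym) != 9:
        raise ValueError("expected nine permission characters, got %r" % sym)
    mode = 0
    for i, (_, r, w, x) in enumerate(_CLASSES):
        for ch, letter, bit in zip(sym[3 * i:3 * i + 3], "rwx", (r, w, x)):
            if ch == letter:
                mode |= bit
            elif ch != "-":
                raise ValueError("bad character %r in %r" % (ch, sym))
    return mode


def unix_access(mode: int, owner_uid: int, owner_gid: int,
                uid: int, gids, op: str) -> bool:
    """Classic DAC decision for op in 'r', 'w', 'x'.

    Only the first matching class is consulted (owner, then group, then
    other), so an owner whose file is 0o075 cannot read it even though the
    group bits would allow it. uid 0 (root) bypasses the read/write bits;
    execute still needs at least one x bit set, as on Linux.
    """
    if op not in ("r", "w", "x"):
        raise ValueError("op must be one of r, w, x")
    if uid == 0:
        any_x = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
        return op != "x" or bool(mode & any_x)
    if uid == owner_uid:
        _, r, w, x = _CLASSES[0]
    elif owner_gid in gids:
        _, r, w, x = _CLASSES[1]
    else:
        _, r, w, x = _CLASSES[2]
    return bool(mode & {"r": r, "w": w, "x": x}[op])


def owner_restricts(path: str, sym: str) -> str:
    """The owner's discretionary act: set the bits, then read them back."""
    os.chmod(path, symbolic_to_mode(sym))
    return mode_to_symbolic(stat.S_IMODE(os.stat(path).st_mode))


if __name__ == "__main__":
    fd, path = tempfile.mkstemp()          # constructed scratch file
    os.close(fd)
    try:
        print("mode now:", owner_restricts(path, "rwxr-xr-x"))   # POSIX filesystems
    finally:
        os.unlink(path)
    print("other user may write?", unix_access(0o755, 1000, 1000, 1001, [1001], "w"))
```

The 0o075 case is the one worth remembering when reviewing DAC bugs: the owner is judged by the user bits even when a more permissive group or other class would have matched.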

Page 5: Access Control Models (RBAC)

Role-based Access Control: in an RBAC-based system there are roles. Each role is associated with access rights for each resource, and each user is assigned a role (more generally, one or more roles). To change a user's access rights, remove the current role from the user and assign another role; the permissions themselves are never edited per user.
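A flat RBAC decision engine showing the user-to-role and role-to-permission indirection described above, as an added example that is not code from the slides. The hospital roles, users and permission names are constructed for the illustration.

```python
"""Flat RBAC: users are granted roles, roles carry the permissions.

Added example, not code from the slides. Role, user and permission names
are constructed for a hospital setting.
"""
from collections import defaultdict

Permission = tuple[str, str]   # (action, resource type), e.g. ("read", "EPR")


class RBAC:
    def __init__(self) -> None:
        self._role_perms: dict[str, set[Permission]] = {}
        self._user_roles: dict[str, set[str]] = defaultdict(set)

    # --- administration -------------------------------------------------
    def add_role(self, role: str, perms) -> None:
        self._role_perms[role] = set(perms)

    def assign(self, user: str, role: str) -> None:
        if role not in self._role_perms:
            raise KeyError(f"unknown role {role!r}")
        self._user_roles[user].add(role)

    def revoke(self, user: str, role: str) -> None:
        self._user_roles[user].discard(role)

    def change_role(self, user: str, old: str, new: str) -> None:
        """The slide's 'remove the current role and assign another', done as
        one step so there is no moment with both roles or with neither."""
        if new not in self._role_perms:
            raise KeyError(f"unknown role {new!r}")
        self._user_roles[user].discard(old)
        self._user_roles[user].add(new)

    # --- decision -------------------------------------------------------
    def roles_of(self, user: str) -> frozenset:
        return frozenset(self._user_roles[user])

    def permissions_of(self, user: str) -> set[Permission]:
        """Effective rights are the union over the user's roles."""
        return set().union(*(self._role_perms[r] for r in self._user_roles[user]))

    def check(self, user: str, action: str, resource: str) -> bool:
        return (action, resource) in self.permissions_of(user)


def hospital_rbac() -> RBAC:
    """Constructed sample policy: two clinical roles and a ward clerk."""
    ac = RBAC()
    ac.add_role("physician", {("read", "EPR"), ("write", "EPR"), ("order", "lab")})
    ac.add_role("nurse", {("read", "EPR"), ("write", "vitals")})
    ac.add_role("ward_clerk", {("read", "patient_list"), ("write", "patient_list")})
    ac.assign("alice", "nurse")
    ac.assign("bob", "physician")
    ac.assign("carol", "ward_clerk")
    return ac


if __name__ == "__main__":
    ac = hospital_rbac()
    print("alice may write EPR?", ac.check("alice", "write", "EPR"))
    ac.change_role("alice", "nurse", "physician")
    print("after role change:", ac.check("alice", "write", "EPR"))
```

Note that `check` answers only from the role table: an unknown user has no roles and therefore no permissions, which is the safe default.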

Page 6: Access Control Models (RBAC)

Role-based Access Control (diagram)

Page 7: Access Control Models (XML-based AC)

Extensible Access Control Markup Language (XACML): XACML is an XML-based access control policy language that enables designers to specify policies for protecting resources, XML documents among them.

These policies can be used to control access to resources in one system or across multiple connected systems.

Users and resources have attributes and values, and policies are written over those attributes. XACML's two core components are the policy enforcement point (PEP) and the policy decision point (PDP).

Page 8: Access Control Models (XML-based AC)

Extensible Access Control Markup Language (XACML): request flow
- The PEP creates an access request from the user's attributes, the action and the requested resource.
- The PDP processes this request by evaluating it against the applicable policies, which are authored and stored through the policy administration point (PAP), and against attribute values describing the system state, which the PDP fetches from a policy information point (PIP) when the request does not carry them.
- The PDP returns one of Permit, Deny, Indeterminate or NotApplicable to the PEP (Indeterminate means evaluation failed, for example because a required attribute was missing).
- The PEP allows or rejects the user's access request. A PEP should be deny-biased: only Permit opens access, and Indeterminate or NotApplicable is treated as a denial.
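The PEP/PDP/PAP/PIP exchange written out as an added example; it is not code from the slides or from any XACML implementation, rules are Python predicates rather than XML, and the subjects, patients and attribute names are constructed. It shows all four decision values, why a missing attribute yields Indeterminate, and a deny-overrides combination.

```python
"""XACML-style request flow: PEP -> PDP -> (PAP rules, PIP attributes) -> PEP.

Added example, not code from the slides nor from any XACML implementation:
rules are Python predicates instead of XML, and the subjects, patients and
attribute names are constructed. Combining algorithm: deny-overrides.
"""
from dataclasses import dataclass
from typing import Callable

PERMIT, DENY = "Permit", "Deny"
INDETERMINATE, NOT_APPLICABLE = "Indeterminate", "NotApplicable"


@dataclass
class Rule:
    rule_id: str
    target: Callable[[dict], bool]     # does the rule apply to this context?
    condition: Callable[[dict], bool]  # given it applies, does it fire?
    effect: str                        # PERMIT or DENY when it fires


class PAP:
    """Policy Administration Point: where rules are authored and stored."""
    def __init__(self):
        self.rules: list[Rule] = []

    def add(self, rule: Rule):
        self.rules.append(rule)


class PIP:
    """Policy Information Point: attributes the request itself did not carry."""
    def __init__(self, subjects: dict, resources: dict):
        self.subjects, self.resources = subjects, resources

    def context(self, request: dict) -> dict:
        ctx = dict(request)
        ctx.update(self.subjects.get(request["subject"], {}))
        ctx.update(self.resources.get(request["resource"], {}))
        return ctx


class PDP:
    """Policy Decision Point: evaluate every rule, combine with deny-overrides."""
    def __init__(self, pap: PAP, pip: PIP):
        self.pap, self.pip = pap, pip

    @staticmethod
    def _evaluate(rule: Rule, ctx: dict) -> str:
        try:
            if not rule.target(ctx):
                return NOT_APPLICABLE
            return rule.effect if rule.condition(ctx) else NOT_APPLICABLE
        except KeyError:               # a referenced attribute is missing
            return INDETERMINATE

    def decide(self, request: dict) -> str:
        ctx = self.pip.context(request)
        results = [self._evaluate(r, ctx) for r in self.pap.rules]
        for outcome in (DENY, INDETERMINATE, PERMIT):   # deny-overrides order
            if outcome in results:
                return outcome
        return NOT_APPLICABLE


class PEP:
    """Policy Enforcement Point: builds the request and enforces the answer."""
    def __init__(self, pdp: PDP):
        self.pdp = pdp
        self.audit: list[tuple] = []   # (subject, action, resource, decision)

    def access(self, subject: str, action: str, resource: str) -> bool:
        request = {"subject": subject, "action": action, "resource": resource}
        decision = self.pdp.decide(request)
        self.audit.append((subject, action, resource, decision))
        return decision == PERMIT      # deny-biased: only Permit opens access


def build_demo() -> PEP:
    """Constructed policy: treating physicians read/write their own patients'
    records, nurses read records on their ward, VIP records are denied to
    anyone without a vip_clearance attribute whatever else applies."""
    pap = PAP()
    pap.add(Rule("treating-physician",
                 target=lambda c: c["role"] == "physician" and c["type"] == "EPR",
                 condition=lambda c: c["resource"] in c["patients"],
                 effect=PERMIT))
    pap.add(Rule("ward-nurse-read",
                 target=lambda c: c["role"] == "nurse" and c["action"] == "read",
                 condition=lambda c: c["ward"] == c["patient_ward"],
                 effect=PERMIT))
    pap.add(Rule("vip-deny",
                 target=lambda c: c["vip"],
                 condition=lambda c: not c.get("vip_clearance", False),
                 effect=DENY))
    pip = PIP(
        subjects={"dr_a": {"role": "physician", "patients": {"p1", "p3"}},
                  "nurse_b": {"role": "nurse", "ward": "W1"}},
        resources={"p1": {"type": "EPR", "patient_ward": "W1", "vip": False},
                   "p2": {"type": "EPR", "patient_ward": "W2", "vip": False},
                   "p3": {"type": "EPR", "patient_ward": "W1", "vip": True}})
    return PEP(PDP(pap, pip))
```

The audit list on the PEP records the decision alongside the request, which is the trace slide 23 later relies on; an unknown subject produces Indeterminate rather than a crash or an accidental Permit.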

Page 9: Access Control Models (XML-based AC)

Extensible Access Control Markup Language (XACML): XACML architecture (diagram)

Page 10: Limitations w.r.t. HIT systems

The healthcare industry requires:
- Flexible, on-demand authentication: users are authenticated according to their task-specific situations.
- Extensible context-aware access control: enables administrators to specify more precise and fine-grained authorization policies for any application.
- Dynamic authorization enforcement: makes authorization decisions based upon runtime parameters rather than simply the role of the user.
- Emergency, or exception, access: if the normal access control mechanism won't grant a user legitimate access, an exception ("break-glass") mechanism lets the user gain access to the required information. Every such use has to be recorded so that the stated reason can be reviewed afterwards.

Page 11: MG-RBAC

MG-RBAC is an enhanced access control model combining RBAC with the use of Medical Guidelines.

Medical guidelines contain temporal and contextual information (when a patient is due for follow-up, which event calls for which intervention) that may be used to make more informed, dynamic access control decisions.

Page 12: Medical Guideline example

Treatment of GDM (gestational diabetes mellitus, i.e. diabetes in pregnant women; blood sugar level 140-200 mg/dl):
- Glucose monitoring: the patient verifies that the glucose level is < 140 mg/dl (1 hour post meals) and < 100 mg/dl (fasting and pre-prandial).
- Nutrition: treat it with diet. Regular follow-ups (every 1-4 weeks), different for each patient.
- Insulin therapy: initiated if blood sugar is consistently high and diet modification has failed.

Page 13: Medical Guideline example

First: the guideline is selected based on the diagnosis (a blood sugar measurement of 140-200 mg/dl), as follows: (diagram)

Page 14: Medical Guideline example

One possibility is periodic consultations; then the physician should be assigned a role to access the patient's data only at each visit, as follows: (diagram)

Page 15: Medical Guideline example

Another possibility is an event that triggers access needs; then the physician should be assigned a role to access the patient's data only at that time, as follows: (diagram)

Page 16: MG-RBAC model

Based on this example, an MG-RBAC model can be created as follows: (diagram)

Page 17: MG-RBAC model

- The Guideline Monitor receives triggered events and tracks the time until the next periodic event.
- When an event fires or a periodic event comes due, the Access Control Monitor is requested to activate the corresponding roles.
- The Access Control Monitor then alerts the users about their (now active) roles.

Role activation is bounded: the role is active for the visit or for the triggered event, not permanently, which is what limits the physician's access to "only at each visit" or "only at that time".
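The Guideline Monitor / Access Control Monitor loop for both the periodic path (slide 14) and the triggered-event path (slide 15), as an added example that is not code from the slides. The guideline values follow the GDM slide (follow-up visits, the 140 mg/dl post-meal threshold); the two-week interval, the window lengths, the role names and the event format are assumptions made for this illustration.

```python
"""MG-RBAC-style role activation driven by a medical guideline.

Added example, not code from the slides. The guideline values follow the GDM
slide (follow-up visits, 140 mg/dl post-meal threshold); the two-week
interval, the window lengths, the role names and the event format are
assumptions made for this illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Roles keep their permissions as in plain RBAC; MG-RBAC only decides *when*
# a role is active for a given physician and patient.
ROLE_PERMS = {
    "gdm_follow_up_physician": {("read", "EPR"), ("write", "EPR")},
    "gdm_alert_physician": {("read", "EPR"), ("write", "insulin_order")},
}


@dataclass
class Activation:
    user: str
    role: str
    patient: str
    start: datetime
    end: datetime
    reason: str


class AccessControlMonitor:
    """Activates roles for a bounded window and alerts the user."""

    def __init__(self):
        self.activations: list[Activation] = []
        self.alerts: list[str] = []

    def activate(self, user, role, patient, start, duration, reason) -> Activation:
        act = Activation(user, role, patient, start, start + duration, reason)
        self.activations.append(act)
        self.alerts.append(f"{user}: {role} active for {patient} until "
                           f"{act.end:%Y-%m-%d %H:%M} ({reason})")
        return act

    def check(self, user, action, resource, patient, at: datetime) -> bool:
        """Permit only through a role that is active at time `at`."""
        return any(a.user == user and a.patient == patient
                   and a.start <= at < a.end
                   and (action, resource) in ROLE_PERMS[a.role]
                   for a in self.activations)


class GuidelineMonitor:
    """Tracks the next periodic event and receives triggered events."""

    def __init__(self, acm: AccessControlMonitor, physician: str, patient: str,
                 first_visit: datetime, interval=timedelta(weeks=2),
                 visit_window=timedelta(hours=2), post_meal_threshold=140,
                 alert_window=timedelta(hours=24)):
        self.acm, self.physician, self.patient = acm, physician, patient
        self.next_visit, self.interval = first_visit, interval
        self.visit_window, self.alert_window = visit_window, alert_window
        self.threshold = post_meal_threshold

    def tick(self, now: datetime) -> None:
        """Periodic path: when a scheduled visit comes due, activate the
        follow-up role for the visit window and schedule the next visit."""
        while now >= self.next_visit:
            self.acm.activate(self.physician, "gdm_follow_up_physician",
                              self.patient, self.next_visit, self.visit_window,
                              "periodic follow-up")
            self.next_visit += self.interval

    def observe(self, kind: str, mg_dl: int, now: datetime) -> bool:
        """Event path: a post-meal reading at or above the threshold is the
        trigger; the physician gets the alert role from now on, for a day."""
        self.tick(now)
        if kind == "post_meal" and mg_dl >= self.threshold:
            self.acm.activate(self.physician, "gdm_alert_physician", self.patient,
                              now, self.alert_window,
                              f"post-meal glucose {mg_dl} mg/dl")
            return True
        return False


def demo():
    """Constructed setup: Dr A follows patient p1 from 3 March 2014, 09:00."""
    acm = AccessControlMonitor()
    gm = GuidelineMonitor(acm, "dr_a", "p1", first_visit=datetime(2014, 3, 3, 9, 0))
    return acm, gm
```

Outside an active window the same physician with the same role gets a denial; that time-bounded activation, not a new permission set, is what separates this from the static RBAC on slide 5.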

Page 18: Dynamic Access Control

Workflow knowledge: medical guidelines, work plans, observed behavior and audit data all contain information about workflow in healthcare.

Page 19: Medical Guidelines

- The Guideline Monitor receives triggered events and tracks the time until the next periodic event.
- Then the Access Control Monitor is requested to activate roles.
- Then the Access Control Monitor alerts users about their roles.

Page 20: Observational data

Information needs in the pre-rounds meeting (table)

Page 21: Observational data

Clinicians were observed at work in the pre-rounds meeting and on ward rounds. The observed information was:
- who was present
- the subject of discussion (the patient)
- information sources (written/electronic and oral)
- the type of information used

Page 22: Observational data

Patient NN is new to the doctor; the nurse fills in some background information. Several information sources are used:
- paper-based: the patient list and the patient chart
- computer-based information systems: the electronic patient record (EPR) and the radiology imaging system (IDS)

Observations may be used to uncover information needs in specific situations with a specific diagnosis and link these to roles.

Page 23: Usage patterns from audit logs

Audit logs have traces of user actions:
- the user's role at the time
- what information was accessed
- for which patient
- what actions were performed

From these audit logs it is possible to create generalized usage patterns per role.

Page 24: Usage patterns from audit logs

This information can be used for access control as follows:
- Examine the reasons for using exception access.
- The most frequent reasons are candidates for inclusion in the access control rule set.

Page 25: Usage patterns from audit logs

Look for common usage patterns that describe workflows in wards. Examples are:
- Temporal patterns: if action X occurs, then action Y occurs within Z time.
- Responsibility patterns: if action X is performed by role A, then action Y is performed by role B.
- Location patterns: if action X is performed at ward 1, then action Y is performed at ward 2.
- Situation patterns: role X is in situation S in a guideline, and requires specific information.
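Both uses of the audit log, ranking exception-access reasons (slide 24) and mining temporal and responsibility patterns (this slide), run over a constructed log, as an added example that is not code from the slides. The key=value line format, the action names, the 45-minute window and the log entries themselves are assumptions for the illustration.

```python
"""Mining exception-access reasons and usage patterns from audit logs.

Added example, not code from the slides. The log lines are constructed for
this illustration; the key=value line format, the action names and the
time window are assumptions.
"""
import shlex
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2014-03-03T08:05:00 user=n1 role=nurse patient=p7 action=view_chart
2014-03-03T08:07:00 user=d1 role=physician patient=p7 action=order_lab
2014-03-03T08:20:00 user=d1 role=physician patient=p7 action=prescribe
2014-03-03T08:31:00 user=d2 role=physician patient=p8 action=exception_access reason="on-call cover"
2014-03-03T08:33:00 user=d2 role=physician patient=p8 action=view_chart
2014-03-03T09:02:00 user=n2 role=nurse patient=p9 action=view_chart
2014-03-03T09:04:00 user=d1 role=physician patient=p9 action=order_lab
2014-03-03T09:40:00 user=d1 role=physician patient=p9 action=prescribe
2014-03-03T10:15:00 user=d3 role=physician patient=p7 action=exception_access reason="on-call cover"
2014-03-03T11:00:00 user=n1 role=nurse patient=p8 action=view_chart
2014-03-03T12:30:00 user=r1 role=radiologist patient=p8 action=exception_access reason="second opinion"
"""


def parse_log(text: str) -> list[dict]:
    """One dict per line: 'ts' plus every key=value field (quotes handled)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = shlex.split(line)
        ev = {"ts": datetime.fromisoformat(ts)}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def rule_candidates(events, min_count=2):
    """Reasons given for exception access at least `min_count` times, with
    the roles that gave them, most frequent first: each is a candidate for a
    regular rule so that break-glass is no longer needed for that case."""
    counts, roles = Counter(), defaultdict(set)
    for e in events:
        if e["action"] == "exception_access":
            counts[e["reason"]] += 1
            roles[e["reason"]].add(e["role"])
    return [(reason, n, sorted(roles[reason]))
            for reason, n in counts.most_common() if n >= min_count]


def sequence_patterns(events, window=timedelta(minutes=45), min_support=2):
    """Temporal + responsibility patterns: 'if X by role A, then Y by role B
    within `window`' on the same patient. support = number of X occurrences
    followed by Y; confidence = support / all occurrences of X by role A."""
    by_patient = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_patient[e["patient"]].append(e)
    antecedents = Counter((e["action"], e["role"]) for e in events)
    support = Counter()
    for evs in by_patient.values():
        for i, x in enumerate(evs):
            seen = set()                   # count each (X, Y) once per X
            for y in evs[i + 1:]:
                if y["ts"] - x["ts"] > window:
                    break                  # evs is time-ordered
                key = (x["action"], x["role"], y["action"], y["role"])
                if key not in seen:
                    seen.add(key)
                    support[key] += 1
    patterns = [
        {"if": (xa, xr), "then": (ya, yr), "within": window, "support": n,
         "confidence": n / antecedents[(xa, xr)]}
        for (xa, xr, ya, yr), n in support.items() if n >= min_support]
    patterns.sort(key=lambda p: (-p["support"], -p["confidence"], p["if"], p["then"]))
    return patterns


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(rule_candidates(evs, min_count=1))
    for p in sequence_patterns(evs):
        print(f"if {p['if']} then {p['then']} within {p['within']}: "
              f"support={p['support']} confidence={p['confidence']:.2f}")
```

On the constructed log the strongest pattern is "order_lab by physician, then prescribe by physician within 45 minutes" (confidence 1.0); shrinking the window to 30 minutes drops it, which is the sensitivity to Z that any rule derived this way has to be checked against before it enters the rule set.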

Page 26: Future work

- Exploring MG-RBAC further by creating a more detailed model and developing a proof-of-concept implementation.
- Optimistic access control, based on analysis of and learning from practice as intended and as enacted, is a first step towards both effective relevance ranking and optimal access control.