Integrating Attribute-Based Access Control with FHIR for Privacy Preserving Health Data Disclosure
Mustafa Al Lail and Subhojeet Mukherje
Colorado State University, Computer Science Department
Motivating Scenario
Patient2: a highly visible politician
Patient1: a former drug addict
Policy: don’t share my drug use info.
Policy: release my treatment data on a yearly basis only
Researcher1: HIPAA compliant, studying the effectiveness of a drug on hepatitis C.
Request: get me patient’s drug history and symptoms for every month.
Institute1
Policy: release patient data to HIPAA compliant researchers
Institute2
Policy: release statistics (no less than 10 patients) to researchers.
Doctors
Approach
The approach integrates the following technologies:
1. Attribute-Based Access Control (ABAC)
2. eXtensible Access Control Markup Language (XACML)
   An OASIS standard
   XACML components:
   • Policy language to specify access rules
   • Request/response protocol to query and evaluate user access requests against policies
   • Reference architecture for deployment
3. Fast Healthcare Interoperability Resources (FHIR)
   Next-generation standards framework for storing and disseminating health data.
4. IRB authentication protocol
Approach
Attribute-Based Access Control
XACML Policy Structure
XACML Policy Language Model
Institute1 Policy Set
Policy1
XACML Request
XACML Response
IRB Authentication Protocol
Participants: Researcher, IRB Server, PEP
(1) Request (fills forms + Purpose (GET, POST, PUT, etc.))
(2) [H(SK, token, Purpose), token]
(3) [H(H(SK, token, Purpose), nonce), token, nonce], Request (Purpose)
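The three messages above, worked through as an added example (not code from the original slides or the authors' prototype). It assumes H is HMAC-SHA256 keyed with SK, that SK is shared between the IRB server and the PEP, that message (2) goes to the researcher and message (3) to the PEP, and that the PEP remembers used (token, nonce) pairs; the function and class names are hypothetical.

```python
import hashlib
import hmac
import secrets

SK = secrets.token_bytes(32)  # assumption: secret shared by IRB server and PEP


def H(key: bytes, *fields: str) -> str:
    """Keyed hash; fields are length-prefixed so they cannot run together."""
    msg = b"".join(len(f.encode()).to_bytes(4, "big") + f.encode() for f in fields)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def irb_issue(purpose: str) -> tuple[str, str]:
    """Step (2): IRB server returns [H(SK, token, Purpose), token]."""
    token = secrets.token_hex(16)
    return H(SK, token, purpose), token


def researcher_prove(credential: str, token: str) -> tuple[str, str, str]:
    """Step (3): [H(H(SK, token, Purpose), nonce), token, nonce]."""
    nonce = secrets.token_hex(16)
    return H(bytes.fromhex(credential), nonce), token, nonce


class PEP:
    def __init__(self) -> None:
        # (token, nonce) pairs already accepted; assumption, not on the slide
        self.seen: set[tuple[str, str]] = set()

    def verify(self, proof: str, token: str, nonce: str, purpose: str) -> bool:
        """Recompute the proof from SK and the purpose stated in the request."""
        if (token, nonce) in self.seen:
            return False  # replayed message (3)
        expected = H(bytes.fromhex(H(SK, token, purpose)), nonce)
        if not hmac.compare_digest(expected, proof):
            return False  # wrong purpose, unknown token, or tampered proof
        self.seen.add((token, nonce))
        return True
```

Because the purpose is bound into the inner hash, a credential issued for GET does not verify when the accompanying request states POST, and the researcher never needs to hold SK.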
Implementation Solution Architecture
WSO2 Identity Server
PDP PAP
PEP PIP
FHIR Server
Health Data Database
• Demo
Summary
• We investigated the integration of ABAC, XACML, IRB, and FHIR to preserve the privacy of patients.
• Developed the skeleton of a proof-of-concept prototype implementation.
• So far, the approach is feasible.
  Different kinds of policies and requests
Future Work
• Integrating services:
  Applying the approach to different policies
  Studying the usability and performance
• Dissemination of the work
  Journal Article
  FHIR Code-A-Thon competition April 1-2, 2016
Thank you for listening
QA session & discussion