Security Models for Workflow Management in EHealthcare Enterprise - PowerPoint PPT Presentation

1
Security Models for Workflow Management in
E-Healthcare Enterprise
FLORIDA A&M UNIVERSITY COLLEGE OF ARTS AND
SCIENCES
  • by
  • Lang Zhao
  • Advisor: Dr. Hongmei Chi
  • 11/04/2008

2
Outline
  • Introduction
  • Security models
  • Case Study
  • Implementation of Case Study
  • Summary
  • Future work
  • Publications

3
Outline
  • Introduction
  • Security model
  • Case Study
  • Implementation of Case Study
  • Summary
  • Future work
  • Publications

4
Purpose of project
  • Choose a security model which is suitable for
    E-healthcare
  • The security model is role-based
  • Roles: patient, physician, administrator
  • Develop an access control mechanism based on the
    security model for E-healthcare
  • The access control mechanism is application-based
  • Application-based: Windows application, Web
    application

5
Introduction: E-healthcare
  • What is E-healthcare?
  • E-healthcare
  • a relative term for healthcare practice in
    electronic processes and communication
  • provides a way for medical informatics, public
    health and business to be delivered via the
    Internet.
  • Within E-healthcare the physician can
  • Access patients' medical information anywhere
  • Send the patient record and medical information
    by email
  • Check schedules online
  • Within E-healthcare the patient can
  • Access his/her medical information
  • Receive records and prescriptions
  • Schedule online appointments with doctors

6
E-healthcare (contd)
  • Why E-healthcare?
  • Popular, efficient
  • Requirements for E-healthcare
  • Privacy
  • Access control via the Internet
  • Security standards established by HIPAA

7
Introduction: Workflow Management
  • What is Workflow Management?
  • A system of overseeing the progress of automated
    business procedures performed by a company,
    industry, department or person
  • Why Workflow Management?
  • automatically passes information, documents, and
    tasks from one employee or machine within a
    business to another
  • improves efficiency within the business
  • makes it easier to track employee and machine
    performance

8
Introduction: my contribution
  • A security model, the Role-based access control
    model, is chosen for my case study
  • A prototype of a Role-based access control
    mechanism is developed for my case study

9
Outline
  • Introduction
  • Security model
  • Case Study
  • Implementation of Case Study
  • Summary
  • Future work
  • Publications

10
History of Security Models
11
History of Security Models (Contd)
12
Role-based Access Control Security Model
  • In RBAC:
  • permissions are organizationally associated with
    roles
  • users are administratively assigned to
    appropriate roles

Figure 1
13
Role-based Access Control Security Model
  • Why RBAC?
  • Provides a means of naming and describing
    many-to-many relationships between individuals
    and rights
  • Helps to determine efficiently which permissions
    are authorized for what users in a large
    enterprise system
  • Reduces the complexity of the security
    administration in the large network applications

14
Role-based Access Control Security Model (Contd)
  • Suitable for E-healthcare
  • Users can be grouped by role
  • Authorization-to-user mapping
  • Control of protected resources is based on employee
    function (roles) rather than data ownership
  • Employees in the same role have the same
    functions
  • Includes cooperative organizations

15
Outline
  • Introduction
  • Security models
  • Case Study
  • Implementation of Case Study
  • Summary
  • Future work
  • Publications

16
Workflow for Case Study
Figure 2 (workflow diagram; nodes shown): Bond Commu Clinic, FAMU Phar2, FAMU RX30, Stored DOH Server, Enter Pat Info, LNHS Clinic, LNHS RX30, Donated DOH Server, FAMU Phar1, TMH ER Pat, CRMC ER Pat
  • Legend: Bond Commu Clinic = Bond Community Center
    Clinic; FAMU Phar2 = FAMU Pharmacy2 in Bond
    Community Center Clinic; LNHS Clinic = Lincoln
    Neighborhood Service Center Clinic; FAMU Phar1 =
    FAMU Pharmacy1 in Lincoln Neighborhood Service
    Center; TMH ER Pat = Tallahassee Memorial
    Healthcare Emergency Room Patient; CRMC ER Pat =
    Capital Regional Medical Center Emergency Room
    Patient; RX30 = pharmaceutical operation system
  • Problems:
  • 1. No automatic interactions among departments
    within an organization
  • 2. No systematic interactions among organizations
Figure 2 Current workflow of Leon County
uninsured e-healthcare program in Tallahassee, FL
17
Workflow for Case Study
  • Ideal workflow
  • Automatic interactions among departments within
    an organization
  • Systematical interactions among organizations

Figure 3 Ideal workflow of Leon County uninsured
e-healthcare program in Tallahassee, FL
18
Core RBAC Model in E-healthcare
Figure 4
19
Outline
  • Introduction
  • Security model
  • Case Study
  • Implementation of Case Study
  • Summary
  • Future work
  • Publications

20
Open Source Tools
  • Microsoft Visual Studio 2008
  • the Integrated Development Environment (IDE)
  • Web Application
  • Windows Forms Application
  • Microsoft SQL Server 2005
  • Microsoft SQL Server Management Studio Express
    (SSMSE)
  • Provides a graphical management tool for SQL
    Server 2005

21
Access Control of Case Study
  • Structure of prototype
  • 3-tier Architecture
  • GUI tier: Windows forms, Web sites
  • Business logic tier: functions
  • Data access tier: retrieve data from the database
  • From Policy to Role
  • Database Design
  • Applications and Roles

22
Three-Tier Architecture
Figure 5
23
From Policy to Role
Figure 6: From policy at the management level, through XML, to role at the database level
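The RBAC slides above (permissions attached to roles, users administratively assigned to roles) and the policy-to-XML-to-role flow of Figure 6, as an added Python example that is not the thesis prototype: roles are loaded from an XML policy and an access check combines the role's permissions with the administrator's patient-to-physician assignment. The XML layout, the permission names, the sample users and the shape of the assignment check are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy: the four roles come from the slides; XML layout and permission names are assumed.
POLICY_XML = """
<policy>
  <role name="administrator">
    <permission>manage_users</permission>
    <permission>manage_roles</permission>
    <permission>assign_patient_to_physician</permission>
  </role>
  <role name="physician">
    <permission>read_medical_record</permission>
    <permission>write_medical_record</permission>
  </role>
  <role name="staff">
    <permission>read_personal_info</permission>
    <permission>modify_personal_info</permission>
  </role>
  <role name="patient">
    <permission>read_own_record</permission>
    <permission>modify_personal_info</permission>
  </role>
</policy>
"""

def load_roles(xml_text):
    """Management-level policy (XML) -> database-level roles: {role: set(permissions)}."""
    root = ET.fromstring(xml_text.strip())
    return {r.get("name"): {p.text for p in r.findall("permission")}
            for r in root.findall("role")}

ROLES = load_roles(POLICY_XML)

# User-to-role assignment is done administratively, not by the users; constructed sample users.
USER_ROLES = {"alice": {"physician"}, "bob": {"staff"},
              "carol": {"patient"}, "dave": {"administrator"}}
# Administrator's patient-to-physician assignments (slide 33); assumed shape: physician -> patients.
ASSIGNMENTS = {"alice": {"carol"}}

def is_permitted(user, permission, roles=ROLES, patient=None):
    """Grant only if one of the user's roles carries the permission; medical-record access
    is further limited to the physician's assigned patients or the patient's own record."""
    granted = set().union(*(roles.get(r, set()) for r in USER_ROLES.get(user, set())))
    if permission not in granted:
        return False
    if permission in ("read_medical_record", "write_medical_record"):
        return patient in ASSIGNMENTS.get(user, set())
    if permission == "read_own_record":
        return patient == user
    return True
```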
24
Database Design (I)
Figure 7: ER diagram with the entities User, Role, SecureQuestion and PatientVisitRecord, linked by one-to-many (1:M) relationships
25
Database Design (II)
Figure 8
26
Application Log-in
Figure 9: Log-in flow. UserName and Password -> Log in -> role; patient -> Patient Website, staff -> Clinic Form, physician -> Physician Form or Website, administrator -> Control Panel
27
Applications: Changing Password and Setting Secure Questions
Figure 10: Interface for the secure-questions form and the password form
28
Applications and Roles
  • Administrator
  • Physician
  • Staff
  • Patient

29
Administrator Role
Figure 11
Use Case Diagram for Administrator Role
30
Administrator: Users Management
Figure 12: Log in (UserName and Password) -> Administrator role -> Administrator Control panel -> choose Users Management -> user form, new user form, secure questions form; per user: Personal Info, Medical Records, Inactive patients list
31
Administrator: Roles Management
Figure 13: Log in (UserName and Password) -> Administrator role -> Administrator Control panel -> choose Roles Management -> new role form
32
Administrator: Delegation Management
Figure 14: Log in (UserName and Password) -> Administrator role -> Administrator Control panel -> choose Delegation Management -> delegation form, Delegation record form
33
Administrator: Assigning a Patient to a Physician
Figure 15: Log in (UserName and Password) -> Administrator role -> Administrator Control panel -> choose Assign Patient to Physician -> assignment form, Assignment Records
34
Administrator Control Panel
Figure 16
35
Roles and their applications
  • Administrator
  • Physician
  • Staff
  • Patient

36
Physician Role
Figure 17
Use Case Diagram for Physician Role
37
Physician: Patient Medical Records
Figure 18: Log in (UserName and Password) -> physician role -> My Patients list -> patient medical records -> record form, new record form
38
Physician Form
Figure 19
39
Roles and their applications
  • Administrator
  • Physician
  • Staff
  • Patient

40
Staff Role
Figure 20
Use Case Diagram for Staff Role
41
Staff Operations for Patients
Figure 21: Log in (UserName and Password) -> Clinic staff role -> Current Patients list -> choose a patient -> Patient personal info, patient medical records, Modify form, new user form
42
Staff Operations for Patients (Contd)
Figure 22: Log in (UserName and Password) -> Clinic staff role -> Current Patients list or Inactive patients -> Personal Info, Medical Records
43
Clinic Management Form
Figure 23
44
Roles and their applications
  • Administrator
  • Physician
  • Staff
  • Patient

45
Patient: Modify Personal Information
Figure 24
46
Patient Website
Figure 25
47
Outline
  • Introduction
  • Security Models
  • Case Study
  • Implementation of Case Study
  • Summary
  • Future Work
  • Publications

48
Summary
  • Investigations
  • Research on Workflow Management Security Models
  • Only authorized users can log in to the prototype
  • The prototype automatically logs off after a
    time period
  • The prototype is easy to maintain and expand

49
Outline
  • Introduction
  • Security models
  • Case Study
  • Implementation of Case Study
  • Future work
  • Publications

50
Future Work
  • More roles will be added to the prototype
  • More complex implementation, such as insurance
    and billing information
  • A mechanism to encrypt the password

51
Outline
  • Introduction
  • Security models
  • Case Study
  • Implementation of Case Study
  • So far and future work
  • Publications

52
Publication
  • Hongmei Chi, Lang Zhao, "A conceptual model to
    support the integration of inter-organizational
    healthcare information systems", Winter
    Simulation Conference, 2007, page 2368.
  • H. Chi, E. Jones and L. Zhao, "Implementation of a
    Security Access Control Model for
    Inter-Organizational Healthcare Information
    Systems", IEEE APSCC 2008, December 9-12, 2008,
    Yilan, Taiwan.

53
Work Breakdown Structure (WBS)
  • See thesis (lang.gan, created with the GanttProject
    tool)

54
Questions