Title: Security Models for Workflow Management in EHealthcare Enterprise
1Security Models for Workflow Management in
E-Healthcare Enterprise
FLORIDA AM UNIVERSITY COLLEGE OF ARTS AND
SCIENCES
- by
- Lang Zhao
- Advisor Dr. Hongmei Chi
- 11/04/2008
2Outline
- Introduction
- Security models
- Case Study
- Implementation of Case Study
- Summary
- Future work
- Publications
3Outline
- Introduction
- Security model
- Case Study
- Implementation of Case Study
- Summary
- Future work
- Publications
4Purpose of project
- Choose a security model which is suitable for
E-healthcare - The security model is role-based
- Roles patient, physician, administrator
- Develop an access control mechanism based on the
security model for E-healthcare - Access Control Mechanism is application-based
- Application-based Windows application, Web
application
5Introduction E-healthcare
- What is E-healthcare?
- E-healthcare
- a relative term for healthcare practice in
electronic processes and communication - provides a way for medical informatics, public
health and business to be delivered via the
Internet. - Within E-healthcare the physician can
- Access patients medical information anywhere
- Send the patient record and medical information
by email - Check schedules online
- Within E-healthcare the patient can
- Access his/her medical information
- Receive records and prescriptions
- Schedule online appointments with doctors
6E-healthcare (contd)
- Why E-healthcare?
- Popular Efficient
- Requirements for E-healthcare
- Privacy
- Access control via Internet
- security standards established by HIPAA
7Introduction Workflow Management
- What is Workflow Management?
- A system of overseeing the progress of automated
business procedures performed by a company,
industry, department or person - Why Workflow Management?
- automatically passes information, documents, and
tasks from one employee or machine within a
business to another - makes efficiency within the business
- makes it easier to track employee and machine
performance
8Introduction my contribution
- A security model Role-based access
- control model is chosen for my case study
- A prototype of Role-based access
- control mechanism is developed for my case
study
9Outline
- Introduction
- Security model
- Case Study
- Implementation of Case Study
- Summary
- Future work
- Publications
10History of Security Models
11History of Security Models (Contd)
12Role-based Access Control Security Model
- IN RBAC
- permissions are organizationally associated with
roles - users are administratively assigned to
appropriate roles
Figure 1
13Role-based Access Control Security Model
- Why RBAC?
- Provides a means of naming and describing
many-to-many relationships between individuals
and rights - Helps to determine efficiently which permissions
are authorized for what users in a large
enterprise system - Reduces the complexity of the security
administration in the large network applications
14Role-based Access Control Security Model (Contd)
- suitable for E-healthcare
- Users can grouped by a role
- Authorization-to-user
- Control of protect resources is based on employee
function (roles) rather than data ownership - Employee in the same role does have the same
functions - Includes cooperative organizations
15Outline
- Introduction
- Security models
- Case Study
- Implementation of Case Study
- Summary
- Future work
- publications
16Workflow for Case Study
Bond Commu Clinic
FAMU Phar2
FAMU RX30
Stored DOH Server
Enter Pat Info
LNHS Clinic
LNHS RX30
Donated DOH Server
FAMU Phar1
TMH ER Pat
Bond Commu Clinic Bond Community Center
Clinic FAMU Phar2 FAMU Pharmacy2 in Bond
Community Center Clinic LNHS Clinic Lincoln
Neighborhood Service Center Clinic FAMU Phar1
FAMU Pharmacy1 in Lincoln Neighborhood Service
Center TMH ER Pat Tallahassee Memorial
Healthcare Emergency Room Patient CRMC ER Pat
Capital Regional Medical Center Emergency Room
Patient RX30 Pharmaceutical operation system
CRMC ER Pat
Problems 1. No automatic interactions among
department within an organization 2. No
systematical interactions among organizations
Figure 2 Current workflow of Leon county
uninsured e-healthcare program in Tallahassee, FL
17Workflow for Case Study
- Ideal workflow
- Automatic interactions among departments within
an organization - Systematical interactions among organizations
Figure 3 Ideal workflow of Leon county uninsured
e-healthcare program in Tallahassee, FL
18Core RBAC Model in E-healthcare
Figure 4
19Outline
- Introduction
- Security model
- Case Study
- Implementation of Case Study
- Summary
- Future work
- Publications
20Open Source Tools
- Microsoft Visual Studio 2008
- the Integrated Development Environment (IDE)
- Web Application
- Windows Forms Application
- Microsoft SQL server 2005
- Microsoft SQL Server Management Studio Express
(SSMSE) - Provides a graphical management tool for SQL
Server 2005
21Access Control of Case Study
- Structure of prototype
- 3-tier Architecture
- GUI tier
- Windows forms, Web sites
- business logic tier
- Functions
- data access tier
- Retrieve data from database
- From Policy to Role
- Database Design
- Applications and Roles
22Three-Tier Architecture
Figure 5
23From Policy to Role
Policy
Management level
XML
Role
Database level
Figure 6
24Database Design (I)
1
M
M
User
Role
1
1
1
1
1
M
SecureQuestion
PatientVisitRecord
1
ER Diagram
Figure 7
25Database Design (II)
Figure 8
26Application Log-in
UserName and Password
Log in
patient
staff
Clinic Form
Patient Website
physician
administrator
Control Panel
Physician Form or Website
Figure 9
27Applications Changing Password and Setting
Secure Questions
Interface
Secure questions
password form
Figure 10
28Applications and Roles
- Administrator
- Physician
- Staff
- Patient
29Administrator Role
Figure 11
Use Case Diagram for Administrator Role
30Administrator Users Management
Personal Info
Medical Records
Inactive patients list
UserName and Password
new user form
Log in
Users Management
Administrator role
choose
Administrator Control panel
user form
Figure 12
secure questions form
31Administrator Roles Management
UserName and Password
UserName and Password
UserName and Password
Log in
new role form
Log in
Log in
Administrator role
Administrator role
Administrator role
Administrator Control panel
Roles Management
Administrator Control panel
Administrator Control panel
choose
Figure 13
32Administrator Delegation Management
UserName and Password
Log in
delegation form
Administrator role
Administrator Control panel
Delegation Management
choose
Delegation record form
Figure 14
33Administrator Assignment Patient to Physician
UserName and Password
Log in
assignment form
Administrator role
Assign Patient to Physician
Administrator Control panel
choose
Assignment Records
Figure 15
34Administrator Control Panel
Figure 16
35Roles and their applications
- Administrator
- Physician
- Staff
- Patient
36Physician Role
Figure 17
Use Case Diagram for Physician Role
37Physician Patient Medical Records
My Patients list
UserName and Password
Log in
patient medical records
physician role
new record form
record form
Figure 18
38Physician Form
Figure 19
39Roles and their applications
- Administrator
- Physician
- Staff
- Patient
40Staff Role
Figure 20
Use Case Diagram for Staff Role
41Staff Operations for Patients
UserName and Password
Log in
Clinic staff role
Current Patients list
choose a patient
new user form
Patient personal info
patient medical records
Modify form
Figure 21
42Staff Operations for Patients (Contd)
Log in
UserName and Password
Clinic staff role
Current Patients list
Inactive patients
Personal Info
Medical Records
Figure 22
43Clinic Management Form
Figure 23
44Roles and their applications
- Administrator
- Physician
- Staff
- Patient
45Patient Modify personal Information
Figure 24
46Patient Website
Figure 25
47Outline
- Introduction
- Security Models
- Case Study
- Implementation of Case Study
- Summary
- Future Work
- Publications
48Summary
- Investigations
- Research on Workflow Management Security Models
- The prototype can be logged in by authorized
users - The prototype automatically Loges off within a
time period - The prototype is easy to maintain and expand
49Outline
- Introduction
- Security models
- Case Study
- Implementation of Case Study
- Future work
- publication
50Future Work
- More roles will added to the prototype
- More complex implementation, such as insurance
and billing information - A mechanism to encrypt the password
51Outline
- Introduction
- Security models
- Case Study
- Implementation of Case Study
- So far and future work
- publication
52Publication
- Hongmei Chi, Lang Zhao, A conceptual model to
support the integration of inter-organizational
healthcare information systems , Winter
Simulation Conference, 2007, Page 2368. - Implementation of a Security Access Control Model
for Inter-OrganizationalHealthcare Information
SystemsH. Chi, E. Jones and L. ZhaoIEEE APSCC
2008, December 9-12, 2008, Yilan, Taiwan
53Work Breakdown Structure (WBS)
- See Thesis of lang.gan created by a tool
GanttProject
54Questions
55References
- 1 E. Weippl, A. Holzinger, A. M. Tjoa,
Security aspects of ubiquitous computing in
health care, e i Elektrotechnik und
Informationstechnik, Volume 123, Number 4 /
April, 2006, 156-161 - 2 Dickson K.W. Chiu, S.C. Cheung and Sven Till,
Kamalakar Karlapalem, Qing Li Eleanna Kafeza,
Workflow View Driven Cross-Organizational
Interoperability in a Web Service Environment,
Information Technology and Management 5, 2004,
221250 - 3 What is e-healthcare?, http//en.wikipedia
.org/wiki/EHealthDefinitions - 4 Edward A. Stohr, J. Leon Zhao, Workflow
Automation Overview and Research Issues,
Information Systems Frontiers 33, 2001, Pages
281296 - 5 Elisa Bertino, Access Control Models,
CERIAS and CS ECE Departments, Purdue University - 6 John A. Miller, Mei Fan, Shengli Wu,
Ismailcem B. Arpinar, Amit P.Sheth, Krys J.
Kochut, Security for the METEOR Workflow
Management System, Large Scale Distributed
Information Systems Lab (LSDIS), Department of
Computer Science, the University of
Georgia,http//LSDIS.cs.uga.edu
56References
- 7 David Ferraiolo, Richard Kuhn, Role-based
Access Controls, National Institute of Standards
and Technology, Technology Administration, U.S.
Department of Commerce http//csrc.nist.gov/rbac/
Role_Based_Access_Control-1992.html - 8 R. K. Thomas, R. S. Sandhu, Task-based
Authorization Controls (TBAC) A Family of Models
for Active and Enterprise-oriented Authorization
Management, Proceedings of the IFIP WG11.3
Workshop on Database Security, Lake Tahoe,
California, August 11-13, 1997 - 9 Patrick Brézillon1 and Ghita Kouadri
Mostéfaoui, Context-Based Security Policies A
New Modeling Approach, Proceedings of the Second
IEEE Annual Conference on Pervasive Computing and
Communications Workshops (PERCOMW04), IEEE,
2004, pages 154 Conference, 2004. COMPSAC 2004.
Proceedings of the 28th Annual International,
vol. 1, 2004, 72-77. 6 Introduction to web
services http//www.w3schools.com/webservices/ws_
intro.asp - 10 Core and Hierarchical role based access
control (RBAC) profile of XACML v2.0, OASIS
Standard, 1 February 2005, http//docs.oasis-open.
org/xacml/2.0/access_control-xacml-2.0-rbac-profil
e1-spec-os.pdf - 11 What is HIPAA? http//en.wikipedia.org/
wiki/Health_Insurance_Portability_and_Accountabili
ty_Act