Authorization Models in Medical Information Systems

1
Authorization Models in Medical Information
Systems

• Andrei Bretan
• FAU
• 
  April 2, 2004

2
Definition of termsAuthorization and
Authentication I

• Are separate concepts, sometimes misinterpreted
  (Example Access Authorization).
• Authentication allows entity A to convince entity
  B of As identity with some degree of certainty.
• Entity A may be trying to perform some task
  (e.g., execute an application, invoke a function,
  or access a file).
• B needs to know not who A is as much as
  whether A should be allowed to perform this
  task

3
Definition of termsAuthorization and
Authentication II

• Authorization allows B to make and enforce this
  decision.
• As identity may be almost irrelevant, useful for
  auditing purposes only. Example all executives
  are allowed to see the quarterly results before
  they are announced
• Authentication answers the question Who is this
  entity?
• Authorization answers the question Is this
  entity allowed to do what it is trying to do?

4
Authorization Architecture

• An Authorization Architecture is the set of
  components and data that allows authorization
  decisions to be made and enforced.
• A typical Authorization Model for such
  Architecture includes the requesting
  subject/object, the protected object/operation,
  the request interceptor and the entity which
  holds access rights to objects/operations in the
  system.

5
Attributes I

• An Attribute is a piece of information that may
  be categorized as being associated with the
  subject, action, resource, or environment in an
  authorization architecture.
• Attributes may be static or dynamic.
• Static attributes of the subject are referred to
  by many names in various discussions and
  contexts privileges, permissions, rights,
  authorizations, properties, characteristics,
  entitlements, and grants.
• Static attributes can also be associated with
  resources and with actions. Groups, roles, and
  document labels are all examples of static
  attributes.

6
Attributes II

• Dynamic attributes are those whose values cannot
  be relied upon to remain unchanged.
• Example of dynamic attributes of the subject
  include current account balance, amount of credit
  remaining.
• Dynamic attributes of the resource include the
  number of times it has been accessed.

7
Policies I

• An access control policy with respect to a
  specific resource or set of resources is the set
  of rules governing who can do what to those
  resources under what conditions.
• The resources are data/information or
  functions/operations that the subject requests to
  access.
• The functions/operations will eventually (in most
  cases) translate to access to some
  data/information.

8
Policies II

• Policy expressions are at many levels of
  abstraction
• Organizational goals, guidelines, compliance
  rules.
• Per-system operational policies and organization
  specific or business specific rules.
• Atomic i.e. per-resource controls.

9
Example An Extended Authorization Architecture
Ssubject, Rresource, PEPpolicy enforcement
point, PDPpolicy decision point, PIPpolicy
information point, SAsubject authority,
RAresource authority, EAenvironment authority,
PRPpolicy retrieval point, PAPpolicy
administration point.
10
Enforcing Policies I

• Mandatory Access Control (MAC) secures
  information by assigning sensitivity labels on
  data/operations and comparing this to the level
  of sensitivity a user is operating at.
• MAC is usually appropriate for extremely secure
  systems.
• Discretionary Access Control (DAC) is a means of
  restricting access to data/operations based on
  the identity of users and/or membership in
  certain groups.
• Access to information/operations is determined
  based on authorizations specified by access
  control lists.

11
Enforcing Policies II

• Role Based Access Control (RBAC) access
  decisions are based on an individual's roles and
  responsibilities within the organization.
• Determines who can perform what actions, when,
  from where, in what order, and in some cases
  under what relational circumstances.
• Defining roles based on analyzing the structure
  of an organization and is usually linked to the
  security policy of that organization.
• Each role is designated a profile that includes
  all authorized commands, transactions, operations
  and allowable information access such as all
  access policies of that organization are
  enforced.

12
Research Task Based Authorization (ARPA) I

• Multiple points of access, control, and decision
  making.
• Task-oriented or transaction-oriented perspective
  rather than the traditional subject-object view
  of access control.
• Involves authorizations at various points during
  the completion of tasks in accordance with some
  application logic.
• The subject-object view typically divorces access
  mediation from the larger context in which a
  subject performs an operation on an object.

13
Research Task Based Authorization (ARPA) II

• TBA actively takes part in access control
  management in contrast to traditional passive
  subject-object models that merely store primitive
  access control definition (tuples).
• In the subject-object view, the individual rights
  of subjects to various objects are stored in an
  internal data structure such as an access control
  matrix.
• The information in the access control matrix (or
  access control lists) represents independent and
  unrelated access control information (tuples).

14
Research Task Based Authorization (ARPA) III

• TBA utilizes the emerging (flowing) context of
  activities as they progress, when managing access
  control and authorizations.
• In contrast to the traditional subject-object
  view of access control that usually responds to
  the question Is subject S allowed access A
  (or possess the right A) to object O ? a
  task-based view seeks an answer to the following
  question Can task be authorized to proceed?

15
Research Other types of Authorization Models I

• Multiple Authorization Model (MAM) limiting
  factors of current access control systems is the
  dependence on a single subject for authorization.
• It is usually not possible to directly involve
  other entities, i.e., other
• people in a particular access control
  decision.
• The drawback is that any access decision occurs
  just on the behalf of the single subject that
  makes the access.
• MAM Access control model that allows to include
  authorization of multiple subjects thus
  overcoming this drawback.

16
Research Other types of Authorization Models II

• Authorization Models for Metacomputing
  Applications
• Metacomputing systems cover large networks
  connecting mutually suspicious domains, which are
  independently administered.
• Public Key Infrastructure (PKI)
• Shows great promise.
• Use Public Key Infrastructure standards to
  identify users and create digitally signed
  certificates.

17
Research Other types of Authorization Models III

• Public Key Infrastructure (PKI) (cont.)
• Access based on policy statements made by
  stakeholders.
• Handle multiple independent stakeholders for a
  single resource.
• Provisional Authorization Models
• Almost all studies in access control and
  authorization systems
• have assumed the following model A user
  makes an access
• request of a system in some context, and the
  system either
• authorizes the access request or denies it.

18
Research Other types of Authorization Models IV

• Provisional Authorization Models (cont)
• The notion of a provisional authorization which
  tells the user that his
• request will be authorized provided he
  (and/or the system) takes
• certain security actions such as signing his
  statement prior to
• authorization of his request.
• Examples You are allowed to access confidential
  information, but the access must be logged.
• You are allowed to read sensitive information,
  but you must sign a terms and conditions
  statement first.

19
Research Other types of Authorization Models V

• Team Based Access Control (TMAC) is a role based
  access control in collaborative environments.
• Such an approach needs a hybrid type access
  control model that incorporates the advantages of
  broad role-based permissions across object types,
  yet requires fine-grained, identity-based control
  on individual users in certain roles and to
  individual object instances.
• A second requirement is the need to recognize the
  context associated with collaborative tasks and
  the ability to apply this context to decisions
  regarding permission activation.

20
Medical Information SystemsResearch I

• There are not many existing Authorization Models
  for Medical Information Systems.
• The existing ones are mostly adaptations of
  existing models to some aspects of the Medical
  Domain.
• There is no comprehensive model yet for security
  in the Medical Domain.
• There are no sets of patterns (corresponding to
  sets of policies) for the Medical Domain.

21
Medical Information SystemsResearch II

• Examples R.A.Kemmerer, Formal specification of
  a mental health delivery system, Rept.
  TRCS89-31, Dept. of Computer Science, University
  of California Santa Barbara, November 1989.
• J. Biskup, Protection of privacy and
  confidentiality in medical information systems
  Problems and guidelines, in Database Security
  III, Status and Prospects, Elsevier Science
  Publishing.
• J. Biskup and G. Bleumer, Reflections on
  Security of Database and Datatransfer Systems in
  Health Care, Procs. of the 13th World Computer
  Congress, IFIP 1994.

22
Medical Information SystemsResearch III

• I. Mavridis, G. Pangalos, M. Khair, and L.
  Bozios, Defining access control mechanisms for
  privacy protection in distributed medical
  databases, Procs. IFIP Working Conf. on User
  Identification and Privacy Protection, June 1999.
• G. Pangalos, A. Pomportsis, L. Bozios, and M.
  Khair, Development of secure medical database
  systems, Procs. of DEXA94.
• M. Wilikens, S. Feriti, M. Masera, A
  Context-Related Authorization and Access Control
  Method Based on RBAC A case study from the
  health care domain.

23
Medical Information SystemsResearch IV

• Roshan K. Thomas, Team-based Access Control
  (TMAC) A Primitive for Applying Role-based
  Access Controls in Collaborative Environments ,
  Odyssey Research Associates Cornell Business and
  Technology Park.
• Longhua Zhang, Gail-Joon Ahn,Bei-Tseng Chu, A
  Role-Based Delegation Framework for Healthcare
  Information Systems,
• College of Information Technology, UNC
  Charlotte.
• E.B. Fernandez, M.M. Larrondo-Petrie, and T.
  Sorgente, "Security models for medical and
  genetic information.  FAU, Boca Raton FL.

24
Medical Information SystemsResearch and
Implementations I

• Example PCASSO (Patient Centered Access to
  Secure Systems Online) is a research project and
  technology demonstration that seeks to provide
  secure access to highly sensitive patient
  information over the Internet.
• Developed by Science Applications International
  Corporation (SAIC) and the University of
  California, San Diego, (UCSD) School of Medicine
  and Healthcare Network.
• Funded by the National Library of Medicine (NLM)
  of the National Institutes of Health (NIH)
  through its Health Applications for the National
  Information Infrastructure (NII) initiative.

25
Medical Information SystemsResearch and
Implementations II

• All information in PCASSO is associated with a
  sensitivity label. Information may be
  patient-specific (e.g. patient-record
  information) or patient-independent (e.g.
  clinical research information).
• Individuals may access information only if they
  are acting in a role
• authorized for the requested type of access
  (read, upgrade, downgrade, etc).
• First, the type of information is used to
  determine the default
• label i.e. certain HL7 message types have an
  associated intrinsic sensitivity.

26
Medical Information SystemsResearch and
Implementations III

• Second, an individual acting in an authorized
  role (e.g., primary care provider, PCASSO
  administrator) may explicitly assign a label.
• PCASSO uses label-based access control to
  separate five levels of increasingly sensitive
  patient information
• Low, Standard, Deniable, Guardian Deniable,
  Patient Deniable.
• PCASSO also uses label-based controls to protect
  its system software from malicious or misbehaving
  programs and its system data from unauthorized
  disclosure.

27
Medical Information SystemsResearch and
Implementations IV

• Roles may be patient-specific (e.g., patient,
  primary care provider, secondary care provider,
  emergency provider) or patient independent (e.g.,
  researcher, administrator).
• Each role is associated with a sensitivity level
  range, a set of rights, and an access control
  list (ACL).

28
(No Transcript)