Access Control in Healthcare
Bell-LaPadula model application scenario
Rui Filipe Pedro Quelhas PG15590
Tiago Costa Oliveira PG15384
security model, not policy
- a policy describes a security system requirement
- a model is a mechanism that formally implements a policy
developed from the conﬁdentiality point of view
hybrid model that combines both DAC/IBAC and MAC policy speciﬁcations
static model, not allowing labels/clearances ﬂexibility
basis of several standards including DoD’s TCSEC aka “Orange Book”
biggest concerns involve the information flow on a system between different levels (Multi-level Security concept)
relies on the principle “information can’t flow downwards”, which it implements with two properties:
- simple security property -> forces a “no read up” approach
- * property -> forces a “no write down” approach
considerable group of subjects, like nurses, practitioners, doctors, administrators and others
restricted set of objects, with special relevance on the patient’s medical record (as of today, in technological environments, the EMR)
models like BLP were developed for military purposes, and their static and rigid approach contrasts with the healthcare system’s emergency character
conﬂict of interests is not a critical problem but...
...patient conﬁdentiality, authentication of records and integrity are
ethics compliance policies are strictly demanded
the system needs to adapt itself to the subjects, not the other way around
emergency situations require more ﬂexible mechanisms
Proposed lattice (part 1)
the set of security states b x M x f captures all current permissions and all current instances of subjects accessing objects; each triple (b, M, f) is one security state
- b represents the set of current accesses, defined by tuples (s,o,a) indicating that the subject s performs an operation a on the object o
- M is the access control matrix (one row per subject, one column per object, holding the operations the owner has granted), i.e. the access control lists (DAC ideology)
- f is the triple of security level functions (fs,fc,fo): fs gives each subject’s maximum security level (clearance), fc its current security level, and fo the classification of each object (MAC ideology); fc must always be dominated by fs
as in BLP, an object can be public, confidential, secret or at most top-secret, and access to it is restricted by the dominance relation between the object’s classification and the subject’s security levels
the “no read up” and “no write down” properties that BLP enforces on an MLS system are stated over these functions (reads require the subject’s level to dominate the object’s classification, writes require the object’s classification to dominate the subject’s current level) and can be formally represented as a lattice
the lattice determines a partial order and defines the dominance of each element in the system, representing clearly the allowed operations (read, write) and the direction of the information flow
Proposed lattice (part 2)
Figure: lattice of security labels for a Bell-LaPadula compliant healthcare system
the existence of a “break the glass” mechanism is of vital importance, but...
...flexibility introduces bigger costs: control mechanisms need to be more efficient, and more reports and alerts need to be generated
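The state (b, M, f), the two BLP properties from the lattice slides and the break-the-glass exception above, as an added example that is not part of the original deck: a small Python reference monitor over a lattice of level x compartments. The department compartments, the subject and object names, and the break-the-glass semantics (a read-only override that always produces an alert) are assumptions of this example, not something the slides specify.

```python
"""Added example: a minimal Bell-LaPadula reference monitor for an EMR.

State is the triple (b, M, f) from the slides. Labels form a lattice of
security level x set of compartments; the department compartments are an
assumption of this example, not part of the original deck.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, List, Set, Tuple


class Level(IntEnum):
    PUBLIC = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    level: Level
    compartments: FrozenSet[str] = frozenset()  # assumed, e.g. {"oncology"}

    def dominates(self, other: "Label") -> bool:
        """Partial order of the lattice: level at least as high AND a superset of
        compartments. Labels with disjoint compartments are incomparable."""
        return self.level >= other.level and self.compartments >= other.compartments


Access = Tuple[str, str, str]  # the (subject, object, action) tuples of b


class BLPMonitor:
    def __init__(self) -> None:
        self.b: Set[Access] = set()                   # current accesses
        self.M: Dict[Tuple[str, str], Set[str]] = {}  # DAC matrix: (s, o) -> actions
        self.fs: Dict[str, Label] = {}                # clearance (maximum level)
        self.fc: Dict[str, Label] = {}                # current level, fs dominates fc
        self.fo: Dict[str, Label] = {}                # object classification
        self.alerts: List[str] = []                   # break-the-glass audit trail

    def add_subject(self, s: str, clearance: Label) -> None:
        self.fs[s] = clearance
        self.fc[s] = clearance  # a subject starts at its clearance and may lower fc

    def add_object(self, o: str, classification: Label) -> None:
        self.fo[o] = classification

    def grant(self, s: str, o: str, action: str) -> None:
        """Discretionary permission: fills one cell of the matrix M."""
        self.M.setdefault((s, o), set()).add(action)

    def set_current_level(self, s: str, new_fc: Label) -> bool:
        """fc may be moved anywhere below fs; this is how a subject writes down legitimately."""
        if not self.fs[s].dominates(new_fc):
            return False
        self.fc[s] = new_fc
        return True

    def request(self, s: str, o: str, action: str) -> bool:
        """Grant and record in b iff the DAC check and the MAC properties all hold."""
        if action not in self.M.get((s, o), set()):  # discretionary check against M
            return False
        fs, fc, fo = self.fs[s], self.fc[s], self.fo[o]
        if action == "read":      # simple security property: no read up
            ok = fs.dominates(fo) and fc.dominates(fo)
        elif action == "write":   # *-property (append-only write): no write down
            ok = fo.dominates(fc)
        else:
            return False
        if ok:
            self.b.add((s, o, action))
        return ok

    def break_glass(self, s: str, o: str, reason: str) -> bool:
        """Emergency read that bypasses the MAC check. This is NOT part of BLP; it is
        the flexibility the slides ask for, paid for with a mandatory alert."""
        if s not in self.fs or o not in self.fo:
            return False
        self.b.add((s, o, "read"))
        self.alerts.append(f"BREAK-GLASS subject={s} object={o} reason={reason!r}")
        return True


def demo() -> Dict[str, object]:
    """Constructed scenario (assumed data): a nurse, a doctor, one EMR, one leaflet."""
    m = BLPMonitor()
    onc = frozenset({"oncology"})
    m.add_subject("nurse", Label(Level.CONFIDENTIAL, onc))
    m.add_subject("doctor", Label(Level.SECRET, onc))
    m.add_object("emr:patient42", Label(Level.SECRET, onc))
    m.add_object("leaflet", Label(Level.PUBLIC))
    for s in ("nurse", "doctor"):
        m.grant(s, "emr:patient42", "read")
        m.grant(s, "leaflet", "write")
    out: Dict[str, object] = {
        "nurse_reads_emr": m.request("nurse", "emr:patient42", "read"),           # read up
        "doctor_reads_emr": m.request("doctor", "emr:patient42", "read"),
        "doctor_writes_leaflet_at_secret": m.request("doctor", "leaflet", "write"),  # write down
    }
    m.set_current_level("doctor", Label(Level.PUBLIC))   # lower fc to write the leaflet
    out["doctor_writes_leaflet_at_public"] = m.request("doctor", "leaflet", "write")
    out["doctor_reads_emr_at_public"] = m.request("doctor", "emr:patient42", "read")  # fc too low
    out["nurse_break_glass"] = m.break_glass("nurse", "emr:patient42", "cardiac arrest")
    out["alerts"] = len(m.alerts)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The scenario shows the rigidity the deck complains about: once the doctor lowers fc to write a public object, the same doctor can no longer read the secret EMR until fc is raised again, and the nurse can only reach the EMR through the audited break-the-glass path.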
studies show that most of “healthcare information environments” tend to follow some
standard and generic trends
it looks like there’s not much concern about some case-specific scenarios in this kind of
BLP is one of many, and its roots make it a very rigid and complex mechanism
the RBAC philosophy gives the “freedom” we were looking for, with the introduction of a role-based control that can make the task of outlining security/clearance levels more
newer models are becoming a very strong pattern (the slide names “CISSP” here, which is a certification body of knowledge rather than an access control model)