Bell-La Padula Healthcare

A brief overview on the application of the Bell-La Padula security model in healthcare access control systems (with a proposed lattice).

  1. Access Control in Healthcare: Bell-LaPadula model application scenario. Rui Filipe Pedro Quelhas (PG15590), Tiago Costa Oliveira (PG15384).
  2. Context (BLP)
     • A security model, not a policy: a policy describes what a security system must require; a model is a mechanism that formally implements a policy.
     • Developed from the confidentiality point of view.
     • A hybrid model that combines both DAC/IBAC and MAC policy specifications.
     • A static model: labels and clearances cannot be changed flexibly.
     • Basis of several standards, including the DoD's TCSEC, aka the "Orange Book".
     • Its biggest concern is the information flow in a system between different levels (the Multi-Level Security concept).
     • Relies on the principle "information can't flow downwards", which it implements with two clear rules:
       - simple security property -> enforces a "no read up" approach
       - * property -> enforces a "no write down" approach
  3. Context (healthcare)
     • A considerable group of subjects: nurses, practitioners, doctors, administrators and other technical staff.
     • A restricted set of objects, with special relevance for the patient's medical record (as of today, in technological environments, the EMR).
     • Models like BLP were developed for military purposes; their static and rigid approach is in contrast with the healthcare system's emergency character.
     • Conflict of interest is not a critical problem, but...
     • ...patient confidentiality, authentication of records and integrity are; ethics compliance policies are strictly demanded.
     • The system needs to adapt itself to the subjects, not the other way around.
     • Emergency situations require more flexible mechanisms.
  4. Proposed lattice (part 1)
     • The security set b x M x f captures all current permissions and all current instances of subjects accessing objects, thereby defining the security states:
       - b represents the set of current accesses, defined by tuples (s,o,a) indicating that subject s performs operation a on object o
       - M is a set of access control lists or matrices (DAC ideology)
       - f is a set of security level assignments defined by tuples (fs,fc,fo), where fs indicates the maximum security level (clearance) and fc the current security level of a subject, and fo gives the classification of each object (MAC ideology)
     • As in BLP, an object can be public, confidential, secret or, at most, top-secret, and access to it is restricted by a certain match with the subject's security levels.
     • The "no read up" and "no write down" properties that BLP implements on an MLS system are enforced using these concepts and can be formally represented as a lattice.
     • The lattice determines a partial order and defines the dominance of each element in the system, clearly representing the allowed operations (read, write) and the direction of the information flow.
  5. Proposed lattice (part 2)
     • Figure: lattice of security labels for a Bell-LaPadula compliant healthcare system.
  6. Considerations
     • The existence of a "break the glass" mechanism is of vital importance, but...
     • ...flexibility introduces bigger costs: control mechanisms need to be more efficient, and more reports and alerts need to be generated.
     • Studies show that most "healthcare information environments" tend to follow some standard and generic trends; there seems to be little concern about case-specific scenarios in this kind of environment.
     • BLP is one among many, and its roots make it a very rigid and complex mechanism.
     • The RBAC philosophy gives the "freedom" we were looking for: the introduction of role-based control can make the task of outlining security/clearance levels easier.
     • Fancy models like CISSP are becoming a very strong pattern.
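As an added example (not code from the deck or its authors), the state b x M x f and the two BLP rules from slide 4, together with the audited "break the glass" override from slide 6, written as a small Python reference monitor over a healthcare label lattice. The compartment set in the labels, the override semantics (grant the read but log an alert with the stated reason) and the sample subjects and records are all this example's assumptions.

```python
from dataclasses import dataclass, field

# Linear order of the classifications named on slide 4.
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top-secret": 3}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()   # need-to-know compartments (assumed, e.g. a specialty)
    def dominates(self, other):
        # Partial order of the lattice: level is higher or equal AND compartments are a superset.
        return LEVELS[self.level] >= LEVELS[other.level] and other.compartments <= self.compartments

@dataclass
class BLPState:
    """Security state b x M x f from slide 4; field names are this example's, not the deck's."""
    b: set = field(default_factory=set)       # current accesses as tuples (s, o, a)
    M: dict = field(default_factory=dict)     # DAC matrix: (s, o) -> set of allowed actions
    fs: dict = field(default_factory=dict)    # clearance (maximum level) of each subject
    fc: dict = field(default_factory=dict)    # current level of each subject (must not exceed fs)
    fo: dict = field(default_factory=dict)    # classification of each object
    audit: list = field(default_factory=list) # alerts/reports the deck says break-glass must generate

    def request(self, s, o, a, break_glass=None):
        if a not in self.M.get((s, o), set()):
            return False                       # discretionary check (M) fails first
        cur, obj = self.fc[s], self.fo[o]
        if a == "read":
            allowed = cur.dominates(obj)       # simple security property: no read up
        elif a == "write":
            allowed = obj.dominates(cur)       # *-property: no write down
        else:
            return False
        if not allowed and a == "read" and break_glass:
            self.audit.append(("BREAK-GLASS", s, o, break_glass))  # assumed override: grant + alert
            allowed = True
        if allowed:
            self.b.add((s, o, a))              # record the access in b
        return allowed

def demo_state():
    """Constructed sample subjects/objects (not the deck's figure): DAC grants all, MAC decides."""
    st = BLPState()
    st.fs["doctor"] = st.fc["doctor"] = Label("secret", frozenset({"oncology"}))
    st.fs["nurse"] = st.fc["nurse"] = Label("confidential")
    st.fo["ward-notes"] = Label("public")
    st.fo["emr-general"] = Label("confidential")
    st.fo["emr-oncology"] = Label("secret", frozenset({"oncology"}))
    st.M = {(s, o): {"read", "write"} for s in ("doctor", "nurse") for o in st.fo}
    return st
```

With this state the nurse can read the general record but not the oncology record, the doctor cannot write into the public ward notes, and a nurse's emergency read of the oncology record succeeds only with a reason and leaves an entry in the audit list.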
  9. Q&A