SlideShare a Scribd company logo

Multi-domain and Privacy-aware Role Based Access Control in eHealth

G
guest3dc8ca

A multi-domain privacy aware access control system based on RBAC extended with role roaming and data profiles

TechnologyBusiness
1 of 16
Download to read offline
Multi-domain and Privacy-aware Role Based Access Control in eHealth Lorenzo D. Martino, Qun Ni Dan Lin, Elisa Bertino This work has been supported by IBM OCR project “Privacy and Security Policy Management” and the NSF grant 0712846 “IPS: Security Services for Healthcare Applications”.
Outline • Healthcare is a multi-domain environment • Privacy in e-Health • Why RBAC? • Core P-RBAC • Multi-domain P-RBAC • Conclusions and future work
Healthcare is a distributed multi-domain environment Contracted service: emergency dept. phyisicians Clinicians Nurses Staff HRO Contracted service: anasthesiologists External Domain Analysis Lab. External Domain Hospital Owning Domain External Domain External Domain Insurance University
Privacy in healthcare • Privacy is an important issue – HIPAA – Healthcare Insurance Portability and Accountability Act (1996) • Privacy protection policies – Privacy notices, policies by NL or P3P • Enforcing privacy policies is the key
Privacy policy management Procedures Processes Controls Application-level policies Laws & Internal privacy & regulations security policies Reconciliation Can generate Machine- processable Data--level policies policies
Why RBAC? • RBAC advantages – It is based on the notion of functional roles in an organization – It provides a simple and natural approach to modeling organizational security policies – It simplifies authorization administration – It meets a large variety of security requirements and has received considerable attention by healthcare organizations: RBAC task force - Department of Veterans Affairs (VA), Department of Defense (DoD) • However, RBAC cannot support privacy policies without some extension
Privacy-aware RBAC (P-RBAC) • P-RBAC extends the RBAC model in order to support privacy-aware access control • Privacy policies are expressed as permission assignments (PA); these permissions differ from permissions in classical RBAC because of the presence of additional components, representing privacy-related information
Core P-RBAC • Privacy Sensitive Data Permission (a, d, p, c, o)
Policies – an example • For treatment purposes, patients’ medical information can be accessed by physicians, nurses, technicians, medical students, or others who are involved in the patients’ care or by other departments of the healthcare organization for the care/therapy coordination or by contracted physician services, such as emergency department physicians, pathologists, anesthesiologists, radiologists.
Permissions in P-RBAC (physician, read, patient.EMR.raw, treatment, subject = patient. duty physician, ;) • the physician role can read patient EMR content • for treatment purpose • patient.EMR.raw is a data object specified according to a condition: – the subject associated to the physician role can access the data only if the subject is the patient’s on duty physician - subject = patient.duty_physician -
Multi-domain P-RBAC • It extends P-RBAC with: – Role precondition: a user can be assigned to a certain role provided that the user is associated to one or more specific roles in his/her home organization – Data profile: it allows to specify set of data such as patient’s identification data, therapy data, prescriptions and so forth
Permissions in Ext P-RBAC ( (GP, HP, physician) , read, patient.EMR.raw, treatment, subject = patient. duty physician, ;) • Role precondition: the physician role can be assigned to a subject provided that he/she plays the GP role in the Healthcare organization HP • the physician role can read patient EMR content • for treatment purpose • patient.EMR.raw is a data object specified according to a condition: – the subject associated to the physician role can access the data only if the subject is the patient’s on duty physician - subject = patient.duty_physician -
Conclusions • Role preconditions enhance security • Role precondition provide a further control in addition to user identification and authentication, by relying upon organizational control processes • Underlying assumptions: – a) there is a trust relationship between the owner organization and the users’ home organization, and – b) the users’ home organization itself adopt a controlled process before declaring that its users play a certain role
Future Work • Investigate different role provisioning strategies • Implementation on LBAC database • Consistency analysis techniques on privacy permissions w.r.t. data profile
Questions?
Thank you! Lorenzo D. Martino Computer & Information Technology Dept. Purdue University lmartino@purdue.edu

Recommended

Galen ACE 2010 Presentation
Galen ACE 2010 PresentationGalen ACE 2010 Presentation
Galen ACE 2010 PresentationJustin Campbell
 
Cerner Mick Hubner KSOB CBLS FINAL for Web
Cerner Mick Hubner KSOB CBLS FINAL for WebCerner Mick Hubner KSOB CBLS FINAL for Web
Cerner Mick Hubner KSOB CBLS FINAL for WebMick Hubner
 
Improving patient safety through the use of real time clinical data, Mr Giuli...
Improving patient safety through the use of real time clinical data, Mr Giuli...Improving patient safety through the use of real time clinical data, Mr Giuli...
Improving patient safety through the use of real time clinical data, Mr Giuli...mfolkard
 
Week3 lecture
Week3 lectureWeek3 lecture
Week3 lectureShaikha AlQaydi
 
Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler
Role Discovery and RBAC Design: A Case Study with IBM Role and Policy ModelerRole Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler
Role Discovery and RBAC Design: A Case Study with IBM Role and Policy ModelerProlifics
 
Role based access control - RBAC
Role based access control - RBACRole based access control - RBAC
Role based access control - RBACAjit Dadresa
 
Payment card industry data security standard
Payment card industry data security standardPayment card industry data security standard
Payment card industry data security standardsallychiu
 
Role Based Access Control - Overview
Role Based Access Control - OverviewRole Based Access Control - Overview
Role Based Access Control - OverviewHitachi ID Systems, Inc.
 

Recommended

Galen ACE 2010 Presentation
Galen ACE 2010 PresentationGalen ACE 2010 Presentation
Galen ACE 2010 PresentationJustin Campbell
 
Cerner Mick Hubner KSOB CBLS FINAL for Web
Cerner Mick Hubner KSOB CBLS FINAL for WebCerner Mick Hubner KSOB CBLS FINAL for Web
Cerner Mick Hubner KSOB CBLS FINAL for WebMick Hubner
 
Improving patient safety through the use of real time clinical data, Mr Giuli...
Improving patient safety through the use of real time clinical data, Mr Giuli...Improving patient safety through the use of real time clinical data, Mr Giuli...
Improving patient safety through the use of real time clinical data, Mr Giuli...mfolkard
 
Week3 lecture
Week3 lectureWeek3 lecture
Week3 lectureShaikha AlQaydi
 
Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler
Role Discovery and RBAC Design: A Case Study with IBM Role and Policy ModelerRole Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler
Role Discovery and RBAC Design: A Case Study with IBM Role and Policy ModelerProlifics
 
Role based access control - RBAC
Role based access control - RBACRole based access control - RBAC
Role based access control - RBACAjit Dadresa
 
Payment card industry data security standard
Payment card industry data security standardPayment card industry data security standard
Payment card industry data security standardsallychiu
 
Role Based Access Control - Overview
Role Based Access Control - OverviewRole Based Access Control - Overview
Role Based Access Control - OverviewHitachi ID Systems, Inc.
 
Role based access control
Role based access controlRole based access control
Role based access controlPeter Edwards
 
Implementing role based access control on Web Application (sample case)
Implementing role based access control on Web Application (sample case)Implementing role based access control on Web Application (sample case)
Implementing role based access control on Web Application (sample case)Deny Prasetia
 
Hospital administration
Hospital administrationHospital administration
Hospital administrationNursing Path
 
Catering Services in a Hospital
Catering Services in a HospitalCatering Services in a Hospital
Catering Services in a HospitalSameer Shinde
 
Hospital Infection Control
Hospital Infection ControlHospital Infection Control
Hospital Infection ControlNc Das
 
INTRODUCTION TO FRONT OFFICE
INTRODUCTION TO FRONT OFFICEINTRODUCTION TO FRONT OFFICE
INTRODUCTION TO FRONT OFFICEJohn Edward Estayo
 
Infinity Success Conference Hit
Infinity Success Conference HitInfinity Success Conference Hit
Infinity Success Conference HitShane Molinari
 
L2 Using Information Technology
L2 Using Information TechnologyL2 Using Information Technology
L2 Using Information Technologyprimary
 
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT SecurityRedspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT SecurityRedspin, Inc.
 
CPHIMS Study Guide 2011
CPHIMS Study Guide 2011CPHIMS Study Guide 2011
CPHIMS Study Guide 2011Robert Levy
 
Pentaho Healthcare Solutions
Pentaho Healthcare SolutionsPentaho Healthcare Solutions
Pentaho Healthcare SolutionsPentaho
 
Information technology in health care management
Information technology in health care managementInformation technology in health care management
Information technology in health care managementmohamedmoosa2
 
iHT2 Health IT Summit San Francisco 2013 - Davin Lundquist, MD, CMIO, Dignity...
iHT2 Health IT Summit San Francisco 2013 - Davin Lundquist, MD, CMIO, Dignity...iHT2 Health IT Summit San Francisco 2013 - Davin Lundquist, MD, CMIO, Dignity...
iHT2 Health IT Summit San Francisco 2013 - Davin Lundquist, MD, CMIO, Dignity...Health IT Conference – iHT2
 
Secure Cloud Based Centralized Health Improvement through homomorphism Encryp...
Secure Cloud Based Centralized Health Improvement through homomorphism Encryp...Secure Cloud Based Centralized Health Improvement through homomorphism Encryp...
Secure Cloud Based Centralized Health Improvement through homomorphism Encryp...IRJET Journal
 
HIPAA Compliant Cloud Computing, An Overview
HIPAA Compliant Cloud Computing, An OverviewHIPAA Compliant Cloud Computing, An Overview
HIPAA Compliant Cloud Computing, An OverviewClearDATACloud
 
Secondary Use of Electronic Health Information – the Way to Guard Patient Sec...
Secondary Use of Electronic Health Information – the Way to Guard Patient Sec...Secondary Use of Electronic Health Information – the Way to Guard Patient Sec...
Secondary Use of Electronic Health Information – the Way to Guard Patient Sec...Plan de Calidad para el SNS
 
Cloud Platform for Remote Patient Monitoring. Case: Stroke Remote Care.
Cloud Platform for Remote Patient Monitoring. Case: Stroke Remote Care.Cloud Platform for Remote Patient Monitoring. Case: Stroke Remote Care.
Cloud Platform for Remote Patient Monitoring. Case: Stroke Remote Care.pselonen
 
Psdot 4 scalable and secure sharing of personal health records in cloud compu...
Psdot 4 scalable and secure sharing of personal health records in cloud compu...Psdot 4 scalable and secure sharing of personal health records in cloud compu...
Psdot 4 scalable and secure sharing of personal health records in cloud compu...ZTech Proje
 
CMS III and eHR
CMS III and eHRCMS III and eHR
CMS III and eHRCharles Mok
 
How to move Forward the Implementation of the EU Interoperability Recommendat...
How to move Forward the Implementation of the EU Interoperability Recommendat...How to move Forward the Implementation of the EU Interoperability Recommendat...
How to move Forward the Implementation of the EU Interoperability Recommendat...Plan de Calidad para el SNS
 
Why Radiology PACS Systems are the Future of Medical Imaging A Comprehensive ...
Why Radiology PACS Systems are the Future of Medical Imaging A Comprehensive ...Why Radiology PACS Systems are the Future of Medical Imaging A Comprehensive ...
Why Radiology PACS Systems are the Future of Medical Imaging A Comprehensive ...PostDICOM
 
ANDS health and medical data webinar 16 May. Storing and Publishing Health an...
ANDS health and medical data webinar 16 May. Storing and Publishing Health an...ANDS health and medical data webinar 16 May. Storing and Publishing Health an...
ANDS health and medical data webinar 16 May. Storing and Publishing Health an...ARDC
 

More Related Content

Viewers also liked

Role based access control
Role based access controlRole based access control
Role based access controlPeter Edwards
 
Implementing role based access control on Web Application (sample case)
Implementing role based access control on Web Application (sample case)Implementing role based access control on Web Application (sample case)
Implementing role based access control on Web Application (sample case)Deny Prasetia
 
Hospital administration
Hospital administrationHospital administration
Hospital administrationNursing Path
 
Catering Services in a Hospital
Catering Services in a HospitalCatering Services in a Hospital
Catering Services in a HospitalSameer Shinde
 
Hospital Infection Control
Hospital Infection ControlHospital Infection Control
Hospital Infection ControlNc Das
 

Viewers also liked (6)

Role based access control
Role based access controlRole based access control
Role based access control
 
Implementing role based access control on Web Application (sample case)
Implementing role based access control on Web Application (sample case)Implementing role based access control on Web Application (sample case)
Implementing role based access control on Web Application (sample case)
 
Hospital administration
Hospital administrationHospital administration
Hospital administration
 
Catering Services in a Hospital
Catering Services in a HospitalCatering Services in a Hospital
Catering Services in a Hospital
 
Hospital Infection Control
Hospital Infection ControlHospital Infection Control
Hospital Infection Control
 
INTRODUCTION TO FRONT OFFICE
INTRODUCTION TO FRONT OFFICEINTRODUCTION TO FRONT OFFICE
INTRODUCTION TO FRONT OFFICE
 

Similar to Multi-domain and Privacy-aware Role Based Access Control in eHealth

Infinity Success Conference Hit
Infinity Success Conference HitInfinity Success Conference Hit
Infinity Success Conference HitShane Molinari
 
L2 Using Information Technology
L2 Using Information TechnologyL2 Using Information Technology
L2 Using Information Technologyprimary
 
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT SecurityRedspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT SecurityRedspin, Inc.
 
CPHIMS Study Guide 2011
CPHIMS Study Guide 2011CPHIMS Study Guide 2011
CPHIMS Study Guide 2011Robert Levy
 
Pentaho Healthcare Solutions
Pentaho Healthcare SolutionsPentaho Healthcare Solutions
Pentaho Healthcare SolutionsPentaho
 
Information technology in health care management
Information technology in health care managementInformation technology in health care management
Information technology in health care managementmohamedmoosa2
 
iHT2 Health IT Summit San Francisco 2013 - Davin Lundquist, MD, CMIO, Dignity...
iHT2 Health IT Summit San Francisco 2013 - Davin Lundquist, MD, CMIO, Dignity...iHT2 Health IT Summit San Francisco 2013 - Davin Lundquist, MD, CMIO, Dignity...
iHT2 Health IT Summit San Francisco 2013 - Davin Lundquist, MD, CMIO, Dignity...Health IT Conference – iHT2
 
Secure Cloud Based Centralized Health Improvement through homomorphism Encryp...
Secure Cloud Based Centralized Health Improvement through homomorphism Encryp...Secure Cloud Based Centralized Health Improvement through homomorphism Encryp...
Secure Cloud Based Centralized Health Improvement through homomorphism Encryp...IRJET Journal
 
HIPAA Compliant Cloud Computing, An Overview
HIPAA Compliant Cloud Computing, An OverviewHIPAA Compliant Cloud Computing, An Overview
HIPAA Compliant Cloud Computing, An OverviewClearDATACloud
 
Secondary Use of Electronic Health Information – the Way to Guard Patient Sec...
Secondary Use of Electronic Health Information – the Way to Guard Patient Sec...Secondary Use of Electronic Health Information – the Way to Guard Patient Sec...
Secondary Use of Electronic Health Information – the Way to Guard Patient Sec...Plan de Calidad para el SNS
 
Cloud Platform for Remote Patient Monitoring. Case: Stroke Remote Care.
Cloud Platform for Remote Patient Monitoring. Case: Stroke Remote Care.Cloud Platform for Remote Patient Monitoring. Case: Stroke Remote Care.
Cloud Platform for Remote Patient Monitoring. Case: Stroke Remote Care.pselonen
 
Psdot 4 scalable and secure sharing of personal health records in cloud compu...
Psdot 4 scalable and secure sharing of personal health records in cloud compu...Psdot 4 scalable and secure sharing of personal health records in cloud compu...
Psdot 4 scalable and secure sharing of personal health records in cloud compu...ZTech Proje
 
How to move Forward the Implementation of the EU Interoperability Recommendat...
How to move Forward the Implementation of the EU Interoperability Recommendat...How to move Forward the Implementation of the EU Interoperability Recommendat...
How to move Forward the Implementation of the EU Interoperability Recommendat...Plan de Calidad para el SNS
 
Why Radiology PACS Systems are the Future of Medical Imaging A Comprehensive ...
Why Radiology PACS Systems are the Future of Medical Imaging A Comprehensive ...Why Radiology PACS Systems are the Future of Medical Imaging A Comprehensive ...
Why Radiology PACS Systems are the Future of Medical Imaging A Comprehensive ...PostDICOM
 
ANDS health and medical data webinar 16 May. Storing and Publishing Health an...
ANDS health and medical data webinar 16 May. Storing and Publishing Health an...ANDS health and medical data webinar 16 May. Storing and Publishing Health an...
ANDS health and medical data webinar 16 May. Storing and Publishing Health an...ARDC
 
Ehr by jessica austin, shaun baker, victoria blankenship and kayla boro
Ehr by jessica austin, shaun baker, victoria blankenship and kayla boroEhr by jessica austin, shaun baker, victoria blankenship and kayla boro
Ehr by jessica austin, shaun baker, victoria blankenship and kayla borokayla_ann_30
 
The Basics of Security and Risk Analysis
The Basics of Security and Risk AnalysisThe Basics of Security and Risk Analysis
The Basics of Security and Risk Analysislearfield
 
Cure for the Common Cloud: How Healthcare can Safely Enable the Cloud
Cure for the Common Cloud: How Healthcare can Safely Enable the CloudCure for the Common Cloud: How Healthcare can Safely Enable the Cloud
Cure for the Common Cloud: How Healthcare can Safely Enable the CloudNetskope
 
IRJET-A Survey on provide security to wireless medical sensor data
IRJET-A Survey on provide security to wireless medical sensor dataIRJET-A Survey on provide security to wireless medical sensor data
IRJET-A Survey on provide security to wireless medical sensor dataIRJET Journal
 

Similar to Multi-domain and Privacy-aware Role Based Access Control in eHealth (20)

Infinity Success Conference Hit
Infinity Success Conference HitInfinity Success Conference Hit
Infinity Success Conference Hit
 
L2 Using Information Technology
L2 Using Information TechnologyL2 Using Information Technology
L2 Using Information Technology
 
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT SecurityRedspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
 
CPHIMS Study Guide 2011
CPHIMS Study Guide 2011CPHIMS Study Guide 2011
CPHIMS Study Guide 2011
 
Pentaho Healthcare Solutions
Pentaho Healthcare SolutionsPentaho Healthcare Solutions
Pentaho Healthcare Solutions
 
Information technology in health care management
Information technology in health care managementInformation technology in health care management
Information technology in health care management
 
iHT2 Health IT Summit San Francisco 2013 - Davin Lundquist, MD, CMIO, Dignity...
iHT2 Health IT Summit San Francisco 2013 - Davin Lundquist, MD, CMIO, Dignity...iHT2 Health IT Summit San Francisco 2013 - Davin Lundquist, MD, CMIO, Dignity...
iHT2 Health IT Summit San Francisco 2013 - Davin Lundquist, MD, CMIO, Dignity...
 
Secure Cloud Based Centralized Health Improvement through homomorphism Encryp...
Secure Cloud Based Centralized Health Improvement through homomorphism Encryp...Secure Cloud Based Centralized Health Improvement through homomorphism Encryp...
Secure Cloud Based Centralized Health Improvement through homomorphism Encryp...
 
HIPAA Compliant Cloud Computing, An Overview
HIPAA Compliant Cloud Computing, An OverviewHIPAA Compliant Cloud Computing, An Overview
HIPAA Compliant Cloud Computing, An Overview
 
Secondary Use of Electronic Health Information – the Way to Guard Patient Sec...
Secondary Use of Electronic Health Information – the Way to Guard Patient Sec...Secondary Use of Electronic Health Information – the Way to Guard Patient Sec...
Secondary Use of Electronic Health Information – the Way to Guard Patient Sec...
 
Cloud Platform for Remote Patient Monitoring. Case: Stroke Remote Care.
Cloud Platform for Remote Patient Monitoring. Case: Stroke Remote Care.Cloud Platform for Remote Patient Monitoring. Case: Stroke Remote Care.
Cloud Platform for Remote Patient Monitoring. Case: Stroke Remote Care.
 
Psdot 4 scalable and secure sharing of personal health records in cloud compu...
Psdot 4 scalable and secure sharing of personal health records in cloud compu...Psdot 4 scalable and secure sharing of personal health records in cloud compu...
Psdot 4 scalable and secure sharing of personal health records in cloud compu...
 
CMS III and eHR
CMS III and eHRCMS III and eHR
CMS III and eHR
 
How to move Forward the Implementation of the EU Interoperability Recommendat...
How to move Forward the Implementation of the EU Interoperability Recommendat...How to move Forward the Implementation of the EU Interoperability Recommendat...
How to move Forward the Implementation of the EU Interoperability Recommendat...
 
Why Radiology PACS Systems are the Future of Medical Imaging A Comprehensive ...
Why Radiology PACS Systems are the Future of Medical Imaging A Comprehensive ...Why Radiology PACS Systems are the Future of Medical Imaging A Comprehensive ...
Why Radiology PACS Systems are the Future of Medical Imaging A Comprehensive ...
 
ANDS health and medical data webinar 16 May. Storing and Publishing Health an...
ANDS health and medical data webinar 16 May. Storing and Publishing Health an...ANDS health and medical data webinar 16 May. Storing and Publishing Health an...
ANDS health and medical data webinar 16 May. Storing and Publishing Health an...
 
Ehr by jessica austin, shaun baker, victoria blankenship and kayla boro
Ehr by jessica austin, shaun baker, victoria blankenship and kayla boroEhr by jessica austin, shaun baker, victoria blankenship and kayla boro
Ehr by jessica austin, shaun baker, victoria blankenship and kayla boro
 
The Basics of Security and Risk Analysis
The Basics of Security and Risk AnalysisThe Basics of Security and Risk Analysis
The Basics of Security and Risk Analysis
 
Cure for the Common Cloud: How Healthcare can Safely Enable the Cloud
Cure for the Common Cloud: How Healthcare can Safely Enable the CloudCure for the Common Cloud: How Healthcare can Safely Enable the Cloud
Cure for the Common Cloud: How Healthcare can Safely Enable the Cloud
 
IRJET-A Survey on provide security to wireless medical sensor data
IRJET-A Survey on provide security to wireless medical sensor dataIRJET-A Survey on provide security to wireless medical sensor data
IRJET-A Survey on provide security to wireless medical sensor data
 

Recently uploaded

Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 

Multi-domain and Privacy-aware Role Based Access Control in eHealth

  • 1. Multi-domain and Privacy-aware Role Based Access Control in eHealth Lorenzo D. Martino, Qun Ni Dan Lin, Elisa Bertino This work has been supported by IBM OCR project “Privacy and Security Policy Management” and the NSF grant 0712846 “IPS: Security Services for Healthcare Applications”.
  • 2. Outline • Healthcare is a multi-domain environment • Privacy in e-Health • Why RBAC? • Core P-RBAC • Multi-domain P-RBAC • Conclusions and future work
  • 3. Healthcare is a distributed multi-domain environment Contracted service: emergency dept. phyisicians Clinicians Nurses Staff HRO Contracted service: anasthesiologists External Domain Analysis Lab. External Domain Hospital Owning Domain External Domain External Domain Insurance University
  • 4. Privacy in healthcare • Privacy is an important issue – HIPAA – Healthcare Insurance Portability and Accountability Act (1996) • Privacy protection policies – Privacy notices, policies by NL or P3P • Enforcing privacy policies is the key
  • 5. Privacy policy management Procedures Processes Controls Application-level policies Laws & Internal privacy & regulations security policies Reconciliation Can generate Machine- processable Data--level policies policies
  • 6. Why RBAC? • RBAC advantages – It is based on the notion of functional roles in an organization – It provides a simple and natural approach to modeling organizational security policies – It simplifies authorization administration – It meets a large variety of security requirements and has received considerable attention by healthcare organizations: RBAC task force - Department of Veterans Affairs (VA), Department of Defense (DoD) • However, RBAC cannot support privacy policies without some extension
  • 7. Privacy-aware RBAC (P-RBAC) • P-RBAC extends the RBAC model in order to support privacy-aware access control • Privacy policies are expressed as permission assignments (PA); these permissions differ from permissions in classical RBAC because of the presence of additional components, representing privacy-related information
  • 8. Core P-RBAC • Privacy Sensitive Data Permission (a, d, p, c, o)
  • 9. Policies – an example • For treatment purposes, patients’ medical information can be accessed by physicians, nurses, technicians, medical students, or others who are involved in the patients’ care or by other departments of the healthcare organization for the care/therapy coordination or by contracted physician services, such as emergency department physicians, pathologists, anesthesiologists, radiologists.
  • 10. Permissions in P-RBAC (physician, read, patient.EMR.raw, treatment, subject = patient. duty physician, ;) • the physician role can read patient EMR content • for treatment purpose • patient.EMR.raw is a data object specified according to a condition: – the subject associated to the physician role can access the data only if the subject is the patient’s on duty physician - subject = patient.duty_physician -
  • 11. Multi-domain P-RBAC • It extends P-RBAC with: – Role precondition: a user can be assigned to a certain role provided that the user is associated to one or more specific roles in his/her home organization – Data profile: it allows to specify set of data such as patient’s identification data, therapy data, prescriptions and so forth
  • 12. Permissions in Ext P-RBAC ( (GP, HP, physician) , read, patient.EMR.raw, treatment, subject = patient. duty physician, ;) • Role precondition: the physician role can be assigned to a subject provided that he/she plays the GP role in the Healthcare organization HP • the physician role can read patient EMR content • for treatment purpose • patient.EMR.raw is a data object specified according to a condition: – the subject associated to the physician role can access the data only if the subject is the patient’s on duty physician - subject = patient.duty_physician -
  • 13. Conclusions • Role preconditions enhance security • Role precondition provide a further control in addition to user identification and authentication, by relying upon organizational control processes • Underlying assumptions: – a) there is a trust relationship between the owner organization and the users’ home organization, and – b) the users’ home organization itself adopt a controlled process before declaring that its users play a certain role
  • 14. Future Work • Investigate different role provisioning strategies • Implementation on LBAC database • Consistency analysis techniques on privacy permissions w.r.t. data profile
  • 16. Thank you! Lorenzo D. Martino Computer & Information Technology Dept. Purdue University lmartino@purdue.edu