Access Control for Healthcare using Policy Machine
Author
Zahid Pervaiz, Arjmand Samuel, David Ferraiolo, Serban Gavrila, Arif Ghafoor
Tech report number
CERIAS TR 2009-20
Abstract
Access control policies in the healthcare domain define permissions for users to access different medical records. Role Based Access Control (RBAC) helps to restrict medical records to users in a certain role, but sensitive information in medical records can still be compromised by authorized insiders. The threat comes from users who are not treating the patient but still have access to the medical records. We propose a selective combination of policies in which sensitive records are available only to the primary doctor under Discretionary Access Control (DAC). This not only improves compliance with the principle of least privilege but also helps to mitigate the threat of authorized insiders disclosing sensitive patient information. We use the Policy Machine (PM) proposed by NIST to combine policies and develop a flexible healthcare access control policy that has the benefits of context awareness and discretionary access. Temporal constraints have been added to RBAC in PM, and after combining Generalized Temporal RBAC and DAC an example healthcare scenario has been set up.
Publication Date
2009-08-31