Multi-Policy Access Control for Healthcare using Policy Machine

Nov 04, 2009

Download: MP4 Video Size: 244.6MB  
Watch on YouTube

Abstract

Access control policies in healthcare domain define permissions for users to
access different medical records. A Role Based Access Control (RBAC)
mechanism allows management of privileges to medical records for users when they assume certain roles thus mitigating the threat of inside attacks. Such a threat emanates from unauthorized users. We can provide a selective combination of policies where sensitive records can be available only to a specific role, say the primary doctor, under Discretionary Access Control (DAC) whereby in turn he/she may share the record with other physicians for consultation after permission from
the patient. This mechanism allows not only a better compliance of principle of least privilege but also helps to mitigate the threat of authorized insiders disclosing sensitive information. Our research is being prototyped on the Policy Machine (PM) developed by the National Institute of Standards and Technology (NIST). PM allows integration and co-existence of multiple policies. Currently, we are expanding the
capabilities of PM to provide a flexible healthcare access control policy which has the benefits of context awareness and discretionary access. We will present the newly
implemented temporal RBAC model on PM and describe initial capabilities for secure management of healthcare data.