Multi-Policy Access Control for Healthcare using Policy Machine
Zahid Pervaiz - Purdue University
Nov 04, 2009
Size: 244.6MB
Abstract

Access control policies in the healthcare domain define which users may access which medical records. A Role Based Access Control (RBAC) mechanism manages users' privileges over medical records according to the roles they assume, mitigating the threat of insider attacks by unauthorized users. We can provide a selective combination of policies in which sensitive records are available only to a specific role, say the primary doctor, under Discretionary Access Control (DAC); the primary doctor may in turn share such a record with other physicians for consultation after obtaining the patient's permission. This mechanism not only allows better compliance with the principle of least privilege but also helps mitigate the threat of authorized insiders disclosing sensitive information. Our research is being prototyped on the Policy Machine (PM) developed by the National Institute of Standards and Technology (NIST). PM allows multiple policies to be integrated and to co-exist. Currently, we are expanding the capabilities of PM to provide a flexible healthcare access control policy that has the benefits of context awareness and discretionary access. We will present the newly implemented temporal RBAC model on PM and describe initial capabilities for secure management of healthcare data.
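The combination the abstract describes, a temporal RBAC gate followed by a DAC gate on sensitive records that only the primary doctor can open with patient consent, can be sketched as a small policy check. This is an added illustration, not code from the talk or from NIST's Policy Machine; the role windows, user names, patient and consent data are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

@dataclass
class RoleAssignment:
    role: str
    start: time   # daily window in which the role may be active (temporal RBAC)
    end: time

@dataclass
class Record:
    patient: str
    sensitive: bool
    primary_doctor: str                   # DAC owner of a sensitive record
    shared_with: set = field(default_factory=set)

ROLE_PERMS = {"physician": {"read"}}      # constructed role-to-permission map

def active_roles(assignments, now):
    """Temporal RBAC: a role counts as active only inside its time window."""
    t = now.time()
    return {a.role for a in assignments if a.start <= t <= a.end}

def rbac_allows(assignments, action, now):
    return any(action in ROLE_PERMS.get(r, set()) for r in active_roles(assignments, now))

def delegate(record, owner, consultant, consents):
    """DAC: only the primary doctor may share, and only with the patient's consent."""
    if owner != record.primary_doctor or (record.patient, consultant) not in consents:
        return False
    record.shared_with.add(consultant)
    return True

def can_read(user, assignments, record, now):
    # RBAC is the outer gate: without an active physician role there is no access at all.
    if not rbac_allows(assignments, "read", now):
        return False
    if not record.sensitive:
        return True
    # Sensitive records add a DAC gate: the owner or an explicitly delegated consultant.
    return user == record.primary_doctor or user in record.shared_with

def run_scenario():
    """Constructed data: dr_ahmed owns alice's sensitive record; dr_baker consults."""
    shift = [RoleAssignment("physician", time(8), time(18))]
    rec = Record("alice", True, "dr_ahmed")
    consents = {("alice", "dr_baker")}    # patient permissions on file
    noon, night = datetime(2009, 11, 4, 12), datetime(2009, 11, 4, 23)
    return {"owner_reads": can_read("dr_ahmed", shift, rec, noon),
            "owner_off_shift": can_read("dr_ahmed", shift, rec, night),
            "consult_before_share": can_read("dr_baker", shift, rec, noon),
            "share_without_consent": delegate(rec, "dr_ahmed", "dr_carol", consents),
            "share_with_consent": delegate(rec, "dr_ahmed", "dr_baker", consents),
            "consult_after_share": can_read("dr_baker", shift, rec, noon)}
```

Off-shift access by the owner and a consultant's read before consent-backed delegation are both refused, which is the least-privilege effect the abstract claims for the combined policy.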
About the Speaker

Zahid Pervaiz is a PhD candidate in the School of Electrical and Computer Engineering at Purdue University. He received his bachelor's degree in Electronics engineering from National University of Science and Technology, Pakistan in 2000. Prior to joining Purdue in 2007, he worked with a research organization in Pakistan for five years as a senior design engineer. His research interests include information privacy, data security and access control. His current research work focuses on access control mechanisms for healthcare applications. He can be reached at email@example.com.
The views, opinions and assumptions expressed in these videos are those of the presenter and do not necessarily reflect the official policy or position of CERIAS or Purdue University. All content included in these videos is the property of Purdue University, the presenter and/or the presenter's organization, and is protected by U.S. and international copyright laws. The collection, arrangement and assembly of all content in these videos and on the hosting website is the exclusive property of Purdue University. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works, transmit, or in any other way exploit any part of copyrighted material without permission from CERIAS, Purdue University.