A flexible Content and Context-based Access Control Model for Multimedia Medical Image Database Systems

Sofia Tzelepi and George Pangalos
Informatics Lab, Faculty of Technology, Aristotle University of Thessaloniki, 54006, Greece
[email protected], [email protected]

Abstract

In many health care information systems medical images are an important part of the multimedia medical patient record. Most of the work on the security of multimedia medical images until now has focused on cryptographic approaches. While valuable, cryptography is not enough to control access to medical images, so additional protection approaches should be applied at a higher level. Role-based access control (RBAC) is a good candidate for providing access control in a multimedia medical image database system, since roles accurately describe which types of people need access to certain types of objects. However, in a multimedia medical image database system, specifications of image access rights are often content- and context-dependent as well as time-dependent, and RBAC alone cannot handle these requirements. In this paper we describe an extended role-based access control model that considers, in the specification of the Role-Permission relationship, the constraints which must be satisfied in order for the holders of a permission to use it. The use of constraints allows role-based access control to be tailored to specify very fine-grained, flexible, content-, context- and time-based access control policies. The proposed model preserves the advantages of scalable security administration that RBAC-style models offer, and yet offers the flexibility to specify complex access restrictions based on the semantic content of the images, the attributes of the user accessing the image, the relationship between the user and the patient whose images are to be accessed, and the time. An access control algorithm and a system architecture for a secure medical image DBMS are also presented.

1. Introduction

In many health care information systems medical images are an important part of the multimedia medical patient record.
Most of the work on the security of multimedia medical images until now has focused on cryptographic approaches [1]. While valuable, cryptography is not enough to control access to medical images. Cryptography can only control secrecy and authentication aspects; it cannot handle, for example, different types of access by different users, fine-grained restrictions at the level of individual users and specific images, or content-, context- and time-based access to images [2]. Therefore additional approaches should be applied at a higher level.

Health care information systems are generally characterized by users with a diverse set of qualifications and responsibilities that can naturally be mapped to various roles. As such, role-based access control (RBAC) appears to be a good candidate for providing access control, since roles accurately describe which types of people need access to certain types of objects. RBAC has been proposed and studied as an alternative to mandatory (MAC) and discretionary (DAC) access control approaches [3]. In RBAC, an organization's complicated access control policy can be simplified: access decisions are based on roles, which reflect the structure of the organization. The system administrator defines roles according to the operations carried out in the organization, gives access permissions to roles, and assigns users to roles according to their responsibilities and obligations. Users who are granted a role in the system can carry out their work with the permissions of that role. When the access control policy changes, the system supervisor can easily grant a new permission to a role or remove an existing one. Because access permissions are granted to roles, not to users, the access control policy can be managed more efficiently.

The notion of roles is an important factor in authorization rules, but in a multimedia medical image database system it has to be used in conjunction with the following information in order to be effective:

- Semantic content of the images: image access is naturally described in terms of the images' semantic content; for example, all images presenting a cancer of the lung must not be made available to physicians who are accessing information from a non-trusted domain.
- Domain: which domain of the health system a particular caregiver works for. For example, medical images belong to certain departments and are not accessible by certain physicians, or a physician may be permitted to access only the medical images of his/her subordinates and their subordinates, recursively.
- Location: where the user is accessing information services from. Location information is used in several types of authorization rules. One type uses location to identify the trust domain from which the user is accessing information services; a reasonable policy would deny access to any sensitive information to anyone accessing it from a non-trusted area. Location can also be used to derive the emergency level of an access: a policy can allow read access to all images of all patients for any user assigned to the role physician and accessing the information from an emergency room.
- Time: time constraints specify the validity periods of a policy.
- Relationship: the relationship between the user and the patient whose images are to be accessed.
Some types of relationships that need to be managed in the healthcare context are: the patient's primary care provider; the admitting, attending, referring or consulting physician of a particular patient; members of the patient care team; healthcare staff explicitly assigned to take care of the patient; the patient's immediate family; the patient's legal counsel or guardian; and the personal pastoral care provider.

Unfortunately, RBAC cannot be used to handle the above requirements [4]. To overcome this problem, in this paper we propose an extended role-based access control model that considers, in the specification of the Role-Permission relationship, the constraints which must be satisfied in order for the holders of a permission to use it. The use of constraints allows role-based access control to be tailored to specify very fine-grained, flexible, content-, context- and time-based access control policies. The proposed model preserves the advantages of scalable security administration that RBAC-style models offer, and yet offers the flexibility to specify complex access restrictions based on the semantic content of the images, the attributes of the user accessing the image, the relationship between the user and the patient whose images are to be accessed, and the time. A subset of the Object Constraint Language (OCL) [5] is used for specifying constraints. For the development of content-based constraints, a simplified medical image model for describing the semantic content of a medical image is used: the medical image is viewed as pairs of iso-semantic regions and signals with respect to an anatomic and a pathological model [6]. Moreover, medical images are associated with complementary textual patient information.

The rest of this paper is structured as follows. Section 2 introduces related work and contrasts it with ours. Section 3 introduces the medical image data model. The proposed role-based access control model and the detailed specification of its components are described in Section 4. Section 5 presents the access control mechanism and the algorithm proposed in this paper. Section 6 introduces the access control architecture, and Section 7 concludes the paper and outlines future work.

2. Related Work

As mentioned above, one of the problems in applying RBAC to a multimedia medical image database system is the specification and enforcement of fine-grained access control at the level of individual users and specific images. For example, just because the doctor's role enables a set of accesses to medical images does not mean that the doctor's role should provide access to all medical images: a doctor can only access the medical images of those patients currently assigned to this doctor. Unfortunately, RBAC cannot completely meet the above requirement [4]. There have been several approaches to creating an instance-level policy for roles, by using the notion of team-based access control (TMAC) [4] or by introducing parameterized roles into RBAC models [7], [8].
An alternative approach to specifying and enforcing fine-grained access control at the level of individual users and specific images is proposed in this paper: in the specification of the Role-Permission relationship we consider the constraints which must be satisfied in order for the holders of a permission to use it. Furthermore, constraints also offer the ability to specify complex access restrictions based on the semantic content of the images, the attributes of the user accessing the image, the relationship between the user and the patient whose images are to be accessed, and the time. Constraints have also been addressed in [8], where content-based access control is enforced simply by specifying constraints against the attribute values of data objects. In contrast, due to the nature of medical images, content-dependent access control for a medical image database system must be based on the semantics of the medical images rather than on the attributes characterizing them. Medical image attributes often only deal with the physical characteristics of the images (for example, acquisition device, direction, format, …) and are therefore not significant for access control. A simplified medical image model for describing the semantic content of a medical image, on which the specification of content-based constraints is built, is described in the next section.

3. The Underlying Medical Image Data Model

For content-based access control, medical image databases must have the capability to recognize and quantitate image content and to merge the quantitated image data with textual patient data into a common data model [9]. For the past three decades, the medical image processing community has actively pursued efficient algorithms that can extract and quantify semantic objects from images. Established algorithms for image segmentation, texture analysis, content extraction and image registration can be readily integrated into a multimedia medical DBMS. These can be performed automatically or interactively, depending on the difficulty of segmenting and extracting semantic structures. In the development of our content-based access control model, the simplified medical image model introduced in [6] is used. Our emphasis in this paper is on the development of the content-based access control model rather than on modeling multimedia medical data effectively. In [6], the medical image model represents what the image is (i.e. the pictorial attributes of the image), what is around the image (i.e. the context) and finally what is in the image (i.e. the content). A medical image is considered as an organic structure in which pathological signals can be detected at specific places. Therefore, the semantic content of a medical image can be described in terms of iso-semantic regions and signals. In our proposed access control model, the content-based constraints we are concerned with deal with the presence or absence (and possibly the characteristics) of a referenced object in a particular location of the image.

4. An Extended Role-Based Access Control Model For Multimedia Medical Image Databases

The basic components of a simplified RBAC model are Users, Roles, Permissions, the User-Role (U-R) relationship and the Role-Permission (R-P) relationship. A user is a person who uses the system or an application program in the system. Membership of roles is granted to users based on their obligations and responsibilities in the organization. The operations of a user can be carried out based on the user's role.
A role is a set of functional responsibilities within the organization. The system administrator defines roles and assigns them to users. A User-Role (U-R) relationship represents the association of a user with a role. A permission is the way for a role to access one or more objects in the system; the terms authorization, access right and privilege are also used in the literature to denote a permission. Permissions are always positive and confer on the holder of the permission the ability to perform some actions in the system. A Role-Permission (R-P) relationship describes which role is assigned which permission in the organization.

In this paper, an extended simplified role-based access control model for multimedia medical image database systems is presented. Two major extensions to the model are introduced.

The first extension introduces the notion of user attributes. As mentioned above, user attributes are needed for providing access control. User attributes include, among other things, the user name, the user's domain (e.g. position) in the management hierarchy and the user's location. A domain is a collection of subjects/objects which have been explicitly grouped together for the purposes of management. It is used to partition the enterprise management scope according to geographical boundaries, administrative departments, etc. For example, the subjects/objects inside a department may be grouped in a domain. The concept of a domain is very similar to that of a directory in a typical hierarchical file system. An authorization that applies to a domain will, by default, propagate to its subdomains and to the objects within them. User attributes are represented as follows:

{user_id, user_name, domain, location}

where user_id is the user identifier, user_name is the user name, domain is the department of the health system the user works in, and location is the place from which the user is accessing information services. The attribute location is dynamic.

The second extension concerns the Role-Permission relationship. In the proposed model, the specification of the Role-Permission relationship includes the constraints which must be satisfied in order for the holders of a permission to use it. Each Role-Permission relationship is then a decision rule which specifies, besides the access modes the holder s of the permission is authorized for on image(s) i, the constraints to be satisfied in order for s to exercise those access modes. Constraints are based on the semantic content of the images, the attributes of the user accessing the image, the relationship between the user and the patient whose images are to be accessed, and the time. In a multimedia medical database context, the general form of a Role-Permission relationship is the 5-tuple

{identifier, s: r, action, t: target, constraints(s, t)}

According to the above definition, a Role-Permission relationship has the following components:

- identifier: used to uniquely identify the permission.
- s: the subject to which the permission applies.
- r: the role which can exercise this permission; subject s is authorized for role r.
- action: the operation which is to be performed by the role.
- t: the object on which the actions are to be performed.
- target: the object type.
- constraints(s, t): limit the applicability of the permission; the constraints must be satisfied by s and t.
In a multimedia medical database context, low-level operations such as physical read and write operations are not semantically meaningful for access control. Therefore, in our model we introduce a set of abstract operations that are relevant to the way users actually access medical images. Users of a medical image database go through the following stages. The user first submits a request for a given image. The medical image database server processes the request and returns to the user either the annotations associated with the image or the requested image in thumbnail format. The user can then request the display of the full-resolution image in the main display window. Another group of operations for which access control should also be provided includes operations for processing, annotating or deleting images, or for introducing new ones. In general, authorization to perform such operations should be given to few, selected users. For example, saving on the main archive is almost always reserved for radiology. Deleting is reserved for the security administrator, but only with dual access code security, i.e. another security-authorized person must be present and authorize the deletion. Retrieve, annotate and process can be performed by anyone with the proper access. The different modes of operation (image access privileges) provided as part of our model are described in Table 1.

Table 1: Image privileges provided by the access control model

Privilege        Meaning
View_annotation  Display the results as the associated annotations only.
View_thumbnail   Display the requested image in thumbnail format; this speeds up the query response time.
Display          Display the full-resolution image in the main display window.
Edit_annotation  Edit the annotations of the images.
Edit_image       Process, delete or add images in the medical image database.

Application example. In the following example we consider the security policy of a health-care organization composed of several hospitals, where each hospital is structured into divisions. A primary physician is assigned to a division and can only access the medical images of those patients currently assigned to that division and to this doctor. To achieve such a policy, we define the following role-permission relationship:

{dp1, s: Primary_Physician, {view}, t: Image, domain_user(s) = domain(t) ∧ s ∈ carrying_physicians(t)}

The function domain_user gives us the domain associated with a user. For instance, the domain associated with the primary physician "John Smith" is "hospital1/div2". Based on the above policy, "John Smith" can only access the medical images of those patients currently assigned to the domain "hospital1/div2" and to the doctor "John Smith". In the following section we present a detailed specification of the constraints.
4.1. Constraints

As said above, an important element of each role-permission relationship is the set of constraints which must be satisfied in order for the holders of the permission to use it. Constraint definitions allow constraints to be defined separately and used multiple times. A subset of the Object Constraint Language (OCL) is used for specifying constraints which limit the applicability of the permission, for example to a particular time interval or according to the state of the system. The following are some examples of constraint expressions:

domain_user(s) = domain(x) ∧ s ∈ carrying_physicians(x)

This expression denotes all images (x) that … The function domain_user gives us the domain associated with a user, the function domain gives us the domain associated with an image, and the function carrying_physicians(x) gives us the set of physicians associated with the patient of image x.

"lung" ∈ regions(x) ∧ "cancer" ∈ signals(x, "lung")

This expression denotes all images (x) that present a cancer of the lung. The function regions gives us the set of regions associated with an image, and the function signals gives us the set of signals located in a particular region of an image.

"left ventricle" ∈ regions(x) ∧ "tumor" ∈ signals(x, "left ventricle") ∧ height(x, "left ventricle", "tumor") ≥ 1cm

This expression denotes all images (x) that present a tumor with a height of 1 cm or more on the left ventricle. The function height gives us information about the attributes of the signal "tumor".

time.between("1600", "1800")

This expression limits the policy to apply between 4:00pm and 6:00pm.
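Worked example (added here; not the authors' code): the constraint expressions above evaluated in Python over the image model of section 3 (iso-semantic regions holding signals with attributes) and the user attributes of section 4. The function names follow the paper's expressions; the nested-dictionary representation of image content, the HHMM string form of time.between, the within_domain rule for the subdomain propagation described in section 4, and the sample users and images are assumptions of this example.

```python
"""Constraint expressions over the simplified medical image model.

Added example, not code from the paper: image content is region -> signal ->
attributes (section 3), a user carries user_id, user_name, domain, location
(section 4), and the constraint expressions of section 4.1 are predicates.
Function names follow the paper; the users and images below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

Content = Dict[str, Dict[str, Dict[str, float]]]  # region -> signal -> attrs


@dataclass(frozen=True)
class User:
    user_id: str
    user_name: str
    domain: str    # e.g. "hospital1/div2"
    location: str  # dynamic attribute: where the request comes from


@dataclass
class Image:
    image_id: str
    domain: str
    carrying_physicians: FrozenSet[str]
    regions: Content = field(default_factory=dict)


# Functions referenced by the constraint expressions of section 4.1.
def domain_user(s: User) -> str:
    return s.domain

def domain(x: Image) -> str:
    return x.domain

def carrying_physicians(x: Image) -> FrozenSet[str]:
    return x.carrying_physicians

def regions(x: Image) -> set:
    return set(x.regions)

def signals(x: Image, region: str) -> set:
    return set(x.regions.get(region, {}))

def height(x: Image, region: str, kind: str) -> Optional[float]:
    """Height (cm) of signal `kind` in `region`; None if it is not present."""
    return x.regions.get(region, {}).get(kind, {}).get("height_cm")

def time_between(now: str, start: str, end: str) -> bool:
    """time.between("1600", "1800"); all three times are HHMM strings (assumed)."""
    def hhmm(s: str):
        return (int(s[:2]), int(s[2:]))
    return hhmm(start) <= hhmm(now) <= hhmm(end)

def within_domain(user_domain: str, target_domain: str) -> bool:
    """Assumed subdomain propagation (section 4): an authorization on
    'hospital1' also covers 'hospital1/div2'; paths are '/'-separated."""
    return target_domain == user_domain or target_domain.startswith(user_domain + "/")


# The constraint expressions as predicates over (s, x) or over x alone.
def own_domain_and_patient(s: User, x: Image) -> bool:
    # domain_user(s) = domain(x) ∧ s ∈ carrying_physicians(x)
    return domain_user(s) == domain(x) and s.user_id in carrying_physicians(x)

def lung_cancer(x: Image) -> bool:
    # "lung" ∈ regions(x) ∧ "cancer" ∈ signals(x, "lung")
    return "lung" in regions(x) and "cancer" in signals(x, "lung")

def lv_tumor_at_least_1cm(x: Image) -> bool:
    # "left ventricle" ∈ regions(x) ∧ "tumor" ∈ signals(x, "left ventricle")
    # ∧ height(x, "left ventricle", "tumor") ≥ 1cm
    h = height(x, "left ventricle", "tumor")
    return ("left ventricle" in regions(x)
            and "tumor" in signals(x, "left ventricle")
            and h is not None and h >= 1.0)

def office_hours(now: str) -> bool:
    # time.between("1600", "1800")
    return time_between(now, "1600", "1800")

def select(images: List[Image], predicate) -> List[str]:
    """Identifiers of the images (x) denoted by a constraint, in input order."""
    return [x.image_id for x in images if predicate(x)]


# Constructed sample data.
JOHN = User("u1", "John Smith", "hospital1/div2", "hospital1/div2/ward3")
MARY = User("u2", "Mary Jones", "hospital1/div1", "hospital1/div1/ward1")
IMAGES = [
    Image("img-lung", "hospital1/div2", frozenset({"u1"}),
          {"lung": {"cancer": {"height_cm": 2.2}}}),
    Image("img-heart-small", "hospital1/div2", frozenset({"u1", "u2"}),
          {"left ventricle": {"tumor": {"height_cm": 0.6}}}),
    Image("img-heart-large", "hospital1/div1", frozenset({"u2"}),
          {"left ventricle": {"tumor": {"height_cm": 1.4}}}),
]
```

select(IMAGES, lung_cancer) yields only img-lung, select(IMAGES, lv_tumor_at_least_1cm) only img-heart-large (the 0.6 cm tumor fails the height test), and the relationship constraint bound to JOHN yields the two images in his division for which he is a carrying physician. A missing signal makes height return None, which the tumor predicate treats as "not satisfied" rather than raising, so a content-based constraint fails closed when the postprocessing step has not produced the attribute it refers to.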
5. Access Control

The main goal of the access control mechanism is to verify whether user u, trying to access image i using privilege p under a certain role r, is authorized to do so according to the access control restrictions enforced by that role. The access control algorithm is specified in Figure 1.
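Worked example (added here; not the authors' code or implementation): the access control algorithm of this section (Figure 1) carried out in Python over a User-Role relationship set, a Role-Permission relationship set and user attributes held in plain Python structures. The set holds dp1 from the application example of section 4 and a second rule, constructed for this example, reflecting the emergency-room policy mentioned in the introduction. The data structures, the fail-closed handling of a constraint that raises, and the choice that any rule of the role which grants the privilege and whose constraint is satisfied leads to ACCEPT are assumptions of this example.

```python
"""Access control decision for a request (u, r, i, p).

Added example, not code from the paper: Algorithm 1 over a User-Role
relationship set, a Role-Permission relationship set and user attributes.
Each Role-Permission relationship stores its constraint as a callable over
(s, t). Roles, rules, users and the image below are constructed; combining
several rules of one role by "any satisfied rule grants" is an assumption.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Set, Tuple

ACCEPT = "ACCEPT"
REJECT = "REJECT"


@dataclass(frozen=True)
class User:
    user_id: str
    domain: str
    location: str  # dynamic attribute


@dataclass(frozen=True)
class Image:
    image_id: str
    domain: str
    carrying_physicians: FrozenSet[str]


@dataclass(frozen=True)
class RolePermission:
    """The 5-tuple {identifier, s: r, action, t: target, constraints(s, t)}."""
    identifier: str
    role: str
    actions: FrozenSet[str]
    target: str
    constraint: Callable[[User, Image], bool]


# User-Role relationship set as (user_id, role) pairs (constructed).
USER_ROLE: Set[Tuple[str, str]] = {
    ("u1", "Primary_Physician"),
    ("u2", "Primary_Physician"),
    ("u3", "Physician"),
}

# Role-Permission relationship set. dp1 is the paper's application example;
# dp2 (constructed) grants read access from an emergency room, as in the
# location policy described in the introduction.
ROLE_PERMISSION: Set[RolePermission] = {
    RolePermission("dp1", "Primary_Physician", frozenset({"view"}), "Image",
                   lambda s, t: s.domain == t.domain
                   and s.user_id in t.carrying_physicians),
    RolePermission("dp2", "Physician", frozenset({"view"}), "Image",
                   lambda s, t: s.location == "emergency_room"),
}


def is_role_members(u: User, r: str) -> bool:
    """TRUE if user u is authorized for role r."""
    return (u.user_id, r) in USER_ROLE


def is_role_operations(p: str, r: str) -> bool:
    """TRUE if operation p is associated with role r by some rule."""
    return any(rp.role == r and p in rp.actions for rp in ROLE_PERMISSION)


def evaluation_constraints(u: User, i: Image, p: str, r: str) -> bool:
    """TRUE if some rule of role r granting p on images has its constraint
    satisfied by (u, i). A constraint that raises counts as not satisfied."""
    for rp in ROLE_PERMISSION:
        if rp.role != r or p not in rp.actions or rp.target != "Image":
            continue
        try:
            if rp.constraint(u, i):
                return True
        except Exception:
            continue  # fail closed: a broken constraint never grants
    return False


def access_control(u: User, r: str, i: Image, p: str) -> str:
    """Algorithm 1: decide the access request (u, r, i, p)."""
    if is_role_members(u, r) and is_role_operations(p, r):
        if evaluation_constraints(u, i, p, r):
            return ACCEPT
        return REJECT
    return REJECT


# Constructed users and image.
JOHN = User("u1", "hospital1/div2", "hospital1/div2/ward3")
MARY = User("u2", "hospital1/div1", "hospital1/div1/ward1")
ER_DOC = User("u3", "hospital2/er", "emergency_room")
IMG = Image("img-42", "hospital1/div2", frozenset({"u1"}))
```

JOHN viewing IMG as Primary_Physician is accepted (same domain, and he is a carrying physician); MARY with the same role is rejected by dp1's constraint, JOHN asking for Edit_image is rejected because no rule of his role carries that operation, and ER_DOC is accepted under dp2 only while the location attribute reads "emergency_room". Because the paper's permissions are always positive, the decision returns ACCEPT as soon as one applicable rule is satisfied; the two role checks run before any constraint is evaluated, so a constraint can never widen a role beyond the operations assigned to it.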
Figure 1: Access control algorithm

ALGORITHM 1. Access control algorithm
INPUT:
  [1] An access request (u, r, i, p)
  [2] The User-Role relationship set
  [3] The Role-Permission relationship set
  [4] The user attributes set
OUTPUT:
  [1] ACCEPT
  [2] REJECT otherwise
METHOD:
  If (Is_role_members(u, r) ∧ Is_role_operations(p, r)) then
    If (evaluation_constraints(u, i, p, r, cn)) then
      Return (ACCEPT)
    Else
      Return (REJECT)
  Else
    Return (REJECT)

Is_role_members(u, r) returns TRUE if user u is authorized for role r, else returns FALSE.
Is_role_operations(p, r) returns TRUE if operation p is associated with role r, else returns FALSE.
evaluation_constraints(u, i, p, r, cn) returns TRUE if image i and user u satisfy the constraints cn associated with role r, else returns FALSE.

6. System Architecture

The complete system architecture is depicted in Figure 2. The authorization manager is responsible for the full management of the Role-Permission relationship base, the User-Role relationship base and the User attributes base. Through the authorization manager, the security administrator can add, modify or delete User-Role relationships, Role-Permission relationships and User attributes. The access control manager implements the access control algorithm of section 5. The image data manager is responsible for the handling of images. Each time a new image is acquired by the medical image database system, it is first processed by the image postprocessing manager, which extracts the semantic content of the image. Information on the semantic content is then stored and used to enforce content-based access control restrictions.

Figure 2: System architecture for a secure multimedia medical image database management system (components shown: Security Administrator GUI, Authorization Manager, Access Control Manager, Image Postprocessing Manager, Image Data Manager, R-P relationship base, U-R relationship base, User attributes base, Application Programs, End User, Other Components of the Medical Image Database System)

We used a relational database management system to implement our image model as described in section 3 and to store all the necessary data (e.g. Role-Permission relationships, User-Role relationships, User attributes). In our implementation a constraint is evaluated only when a role is activated for a user. A more sophisticated solution might be implemented within an active database system: trigger mechanisms might be used to dynamically change the user's set of permissions as soon as a specified constraint is no longer satisfied.

7. Summary

The RBAC model and mechanism have proven to be useful and effective. Nevertheless, there are many common examples where access decisions must include other factors, in particular the semantic content of the images, the attributes of the user accessing the image, the relationship between the user and the patient whose images are to be accessed, and the time. In this paper, the above factors are expressed using constraints in the specification of the Role-Permission relationship. The use of constraints allows role-based access control to be tailored to specify very fine-grained, flexible, content-, context- and time-based access control policies. The proposed access control model preserves the advantages of scalable security administration that RBAC-style models offer and yet offers the flexibility to specify complex access restrictions. From our development and implementation experience we are convinced that the proposed model provides significant capabilities to model and implement access control restrictions in a flexible manner, so as to meet the needs of multimedia medical image database management systems.

8. References

1. R. B. Wolfgang and E. J. Delp, "Overview of image security techniques with applications in multimedia systems", SPIE Conference on Multimedia Networks: Security, Displays, Terminals and Gateways, Vol. 3228, Dallas, Texas, November 2-5, 1997, pp. 297-308.
2. E. B. Fernandez and K. R. Nair, "An Abstract Authorization System for the Internet", in Proceedings of the 9th International Workshop on Database and Expert Systems Applications, 1998.
3. R. Sandhu, E. J. Coyne, H. L. Feinstein and C. E. Youman, "Role-based access control models", IEEE Computer, 29(2), February 1996.
4. R. K. Thomas, "Team-based access control (TMAC): A primitive for applying role-based access controls in collaborative environments", ACM RBAC'97, 1997.
5. Rational Software Corporation, Object Constraint Language Specification, Version 1.1, available at http://www.rational.com/uml/, September 1997.
6. A. Tchounikine, "Creation and content-based retrieval in a radiological documentary record", in Proceedings of the 3rd Basque International Workshop on Information Technology, 1997.
7. L. Giuri and P. Iglio, "Role templates for content-based access control", in Proceedings of the Second ACM Role-Based Access Control Workshop, November 1997.
8. E. C. Lupu and M. Sloman, "Reconciling role-based management and role-based access control", in Proceedings of the Second ACM Role-Based Access Control Workshop, November 1997.
9. S. T. C. Wong and H. K. Huang, "Design methods and architectural issues of integrated medical image data base systems", Computerized Medical Imaging and Graphics, Vol. 20, No. 4, pp. 285-299, 1996.