IOS Press, 2008 .... The developed mechanism is certificate-based as it relies on Community ... These certificates specify user-to-role assignments in the form of ...
eHealth Beyond the Horizon – Get IT There S.K. Andersen et al. (Eds.) IOS Press, 2008 © 2008 Organizing Committee of MIE 2008. All rights reserved.
679
Context-Aware Access Control for Pervasive Access to Process-Based Healthcare Systems Vassiliki KOUFI and George VASSILACOPOULOS Department of Digital Systems, University of Piraeus, Piraeus 185 34, Greece
Abstract. Healthcare is an increasingly collaborative enterprise involving a broad range of healthcare services provided by many individuals and organizations. Grid technology has been widely recognized as a means for integrating disparate computing resources in the healthcare field. Moreover, Grid portal applications can be developed on a wireless and mobile infrastructure to execute healthcare processes which, in turn, can provide remote access to Grid database services. Such an environment provides ubiquitous and pervasive access to integrated healthcare services at the point of care, thus improving healthcare quality. In such environments, the ability to provide an effective access control mechanism that meets the requirement of the least privilege principle is essential. Adherence to the least privilege principle requires continuous adjustments of user permissions in order to adapt to the current situation. This paper presents a context-aware access control mechanism for HDGPortal, a Grid portal application which provides access to workflow-based healthcare processes using wireless Personal Digital Assistants. The proposed mechanism builds upon and enhances security mechanisms provided by the Grid Security Infrastructure. It provides tight, just-in-time permissions so that authorized users get access to specific objects according to the current context. These permissions are subject to continuous adjustments triggered by the changing context. Thus, the risk of compromising information integrity during task executions is reduced. Keywords: Grid portal application; process; security; role-based access control (RBAC); managing change.
Introduction Healthcare delivery is a highly complex process involving many individuals and organizations [1]. Providing readily access to integrated healthcare information at the point of care remotely requires a system architecture that enables collaboration and coordination among healthcare services and facilitates the mobility of healthcare professionals. To this end, a prototype Grid portal application, namely HDGPortal, has been developed that provides pervasive access to process-based healthcare systems [1]. This paper focuses on the security mechanism incorporated into the HDGPortal.
680
V. Koufi and G. Vassilacopoulos / Context-Aware Access Control
HDGPortal is a portal application that is used to run healthcare processes implemented in the Business Process Execution Language (BPEL). These processes invoke Grid database services, while on execution, in order to provide integrated access to healthcare information scattered on a Grid computing infrastructure. As tight matching of permissions to actual usage and need is essential in healthcare applications, one important security requirement in HDGPortal is adherence to the least privilege principle. Its enforcement requires continuous adjustments of user permissions to ensure that users assume the minimum sets of permissions required for the execution of each task of a healthcare process selected. To this end, changes in contextual information should be sensed during task executions and relevant actions should be fired in response to these changes. In the last few years, there has been a trend towards using BPEL for Grid service composition [2]. Security aspects, such as authentication and access control, are not standardized through BPEL, but are left to the implementation of BPEL compliant process engine [3,4,5]. In turn, grid middleware, namely Open Grid Services Architecture - Data Access and Integration (OGSA-DAI) [6], that facilitates data federation and distributed query processing through the use of grid database services provides relatively simple and static mechanisms regarding authorization and access control [7]. Several studies have been conducted regarding both the enforcement of access control in BPEL [3,4,5,8] and the enhancement of access control mechanisms used by Grid middleware services [7,9]. Most of these studies argue that both BPEL and Grid middleware services can benefit from incorporating properly enhanced rolebased access control (RBAC) mechanisms [15]. However, they are not concerned with access control in the context of a pervasive process-based healthcare system build on a Grid infrastructure. This paper is mainly concerned with situations, often occurred in healthcare delivery, where the information requested by an authorized user needs to be available when and where needed. Thus, a context-aware access control mechanism is proposed that incorporates the advantages of broad, role-based permission assignment and administration across object types, as in RBAC, and yet provides the flexibility for adjusting role permissions on individual objects during a BPEL process enactment according to the current context. During the execution of a workflow instance, changes in context information are sensed to adapt user permissions to the minimum required for completing a job. Relevant access control policies are enforced at both the BPEL task level and the Grid database service level.
1. Motivating Scenario To illustrate the main principles of the security architecture incorporated into the HDGPortal, a sample integration project is described which is concerned with the automation of a cross-organizational healthcare process spanning a health district. Typically, a health district consists of one district general hospital (DGH) and a number of peripheral hospitals and health centers. As patient referrals are usually made among various healthcare providers within a district (e.g. for hospitalization, for outpatient consultation or for performing specialized medical procedures), there is a need to ensure authorized access to the tasks comprising the relevant healthcare
V. Koufi and G. Vassilacopoulos / Context-Aware Access Control
681
processes and, then, to patient information required through the execution of these tasks. Suppose that a healthcare process is concerned with a radiological request issued by physicians on a ward round, for their patients. The radiological department
Figure 1. Radiological request process model using IBM WebSphere Workflow
receives each request, schedules the radiological procedures requested and sends a message to the requesting physician notifying him/her on the date and time scheduled for its performance. On performing the radiological procedure requested, the radiologist accesses the relevant part of the patient record and issues a radiological report, incorporating both the radiological images and the associated assessment, which is send to the requesting physician. Figure 1 shows a high-level view of the healthcare process using IBM Websphere Workflow build-time tool [10]. In this business process the hospital organizational units involved are the clinical department and the radiology department of a hospital and the roles participating in the healthcare process are physician and radiologist. From an authorization perspective, the healthcare process of Figure 1 surfaces several requirements with regard to task execution and Grid database services invocation. These requirements include the following: • Restricted task execution In certain circumstances the candidates for a task instance execution should be dynamically determined and be either a sub-group of the authorized users or only one, specific authorized user. For example, a request for performing a radiological procedure on a patient (e.g. CT or MRI), issued by a physician, should be routed only to the sub-group of on-duty radiologists who hold the relevant sub-specialty and the radiological report, issued by the radiologist, should be routed only to the requesting physician. • Restricted grid database service invocation Given that a role holder can execute a specific task, he/she should be allowed to exercise a dynamically determined set of permissions on certain data only which are accessible via the associated Grid database services. For example, during the execution of the “IssueRadRequest” task, the relevant Grid database services invoked should allow a physician to write and read patient record data and to issue (write, edit and send) radiological requests only for his/her patients while on duty and only within the hospital premises. The above requirements suggest that certain permissions of the healthcare process participants depend on the process execution context. In particular, contextual information available at access time, such as proximity, location and time, can
682
V. Koufi and G. Vassilacopoulos / Context-Aware Access Control
influence the authorization decision that allows a user to perform a task and, given this permission, to invoke the associated Grid database services. This enables a more flexible and precise access control policy specification that satisfies the least privilege principle.
2. Access Control Architecture Access control constitutes a major research issue in traditional and pervasive Grid environments [1]. Figure 2 shows a high-level view of the security architecture implemented in HDGPortal. This is described by a two-tier model consisted of a global access control service, residing on a server at the DGH site, and one local access control service, residing at each healthcare organization within the health district. 2.1. Access Control Mechanism In the HDGPortal prototype, access control is provided at two levels: the BPEL task level and the Grid database service level [1]. Hence, a middleware-based access control mechanism has been developed which is employed to mediate between subjects (healthcare professionals) and objects (BPEL tasks and Grid database services) and to decide whether access of a given subject to given object should be permitted or denied by taking into account the current context. In particular, the Java Authentication and Authorization Service (JAAS) [11] was used for the development of an external to the BPEL engine access control service that regulates user access to tasks, and an external to OGSA-DAI, access control service that enhances its mechanism by adding context-awareness features. The developed mechanism is certificate-based as it relies on Community Authorization Service (CAS) certificates issued to healthcare professionals by a CAS server residing at the DGH site. These certificates specify user-to-role assignments in the form of security assertions, expressed in Security Assertion Markup Language (SAML) [12,13]. CAS certificates accompany every request (either for task execution or Grid database service invocation) issued through HDGPortal. The roles used in the certificates are functional and, hence, they remain unchanged until the certificate expires as they are independent of the constraints held at the time of attempted access. The mapping of the aforementioned roles to the relevant permissions is performed by means of access control policies expressed by using the RBAC profile of eXtensible Access Control Markup Language (XACML) [13]. These policies are specified at the site where the target object (task or Grid database service) resides (tasks are hosted on the BPEL engine at the DGH site and Grid database services are hosted on the web servers at the hospital sites) and assist in the derivation of the exact permissions a subject should acquire for performing a task. In particular, on issuing a request for a task execution, the roles contained in the CAS certificate accompanying the request are extracted and their relevant permissions regarding access to BPEL tasks are specified using a file storing the XACML policies [13]. This file resides on the same server of the DGH site with the BPEL engine. Then, during task execution, a request for invocation of the underlying Grid database services is issued which is accompanied by the same CAS certificate. The roles extracted from this certificate are
683
V. Koufi and G. Vassilacopoulos / Context-Aware Access Control
used in order to specify the relevant permissions regarding Grid database services using XACML policies stored in one file at each Grid node (i.e. healthcare Application Services Presentation Layer Integration Layer
Grid Database Services
HDGPortal
Authentication & Authorization Services
Authentication Service
Policy Repository
Global Access Control Service BPEL Engine
CAS
Service Integration Agent
Context Information
Application Server Local Access Control Service
Existing Databases Database
Grid Resource Agent
Database
… Database
Local Policy Repository
Figure 2. Security architecture in HDGPortal
organization) providing the portion of medical information requested. Permissions on both BPEL tasks and Grid database services are dynamically adapted by the constraints imposed by the current context. 2.2. Context Information Management In the HDGPortal prototype, the contextual information is determined by a predefined set of attributes related to the user (e.g. user certificate, user/patient relationship), to the environment (e.g. client location and time of attempted access) and to the data resource provider, namely to the healthcare organization (e.g. local security policy). For example, the permissions of a physician using HDGPortal on his/her PDA, are adapted depending on his/her identity (included in the CAS certificate), location and time of access as well as the security policy of each healthcare organization where a portion of the requested information is stored. Context information is collected by a Context Manager which has been implemented as a multi-agent system. Thus, the Context Manager consists of two kinds of agents, developed in JADE [14]: � Service Integration Agent: it is hosted on a server at the DGH site and manages user permissions on BPEL tasks � Grid Resource Agent: it is hosted on a server at the site of each healthcare organization participating in a healthcare process and manages user permissions on Grid database services. Each agent uses middleware context collection services to monitor context and interacts with a state machine that maintains the permission subset of each role. The state machine consists of variables that encode state (permissions of each role), and events that transform its state. At the time of an attempted access (either to a task or to
684
V. Koufi and G. Vassilacopoulos / Context-Aware Access Control
a Grid database service), the relevant agent generates an event to trigger a transition of the state machine. Changes in user and environment context are sensed by both agents, whereas changes in resource context are sensed and dealt with by the Grid resource agent lying at each Grid node.
3. Concluding Remarks Development of pervasive applications that provide readily access to integrated healthcare information at the point of care, introduces security risks especially with regard to authorization and access control. Hence, relevant mechanisms must be in place that can conveniently regulate user access to information while providing confidence that security policies are faithfully and consistently enforced within and across organizations residing in a health district. In particular, when adherence to the least privilege principle is considered a prominent feature of a system, the incorporated access control mechanism should provide tight, just-in-time permissions so that authorized users get access to specific objects subject to the current context. The access control mechanism presented in this paper meets the aforementioned requirements and is embedded into a Grid portal application, namely HDGPortal. In particular, the mechanism ensures authorized execution of BPEL tasks and invocation of relevant Grid database services in accordance with the current context. Thus, a tight matching of permissions to actual usage and need is ensured. References [1] Koufi V, Vassilacopoulos G. HDGPortal: A Grid Portal Application for Pervasive Access to ProcessBased Healthcare Systems, Proceedings of the 2nd International Conference in Pervasive Computing Technologies in Healthcare, 2008. [2] Emmerich W, Butchart B, Chen L, Wassermann B, Price S. Grid Service Orchestration Using the Business Process Execution Language (BPEL), Journal of Grid Computing (2006) 3: 283-304. [3] Mendling J, Strembeck M, Stermsek G, Neumann G. An Approach to Extract RBAC Models for BPEL4WS Processes, Proceedings of the 13th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, 2004. [4] Thomas J, Paci F, Bertino E, Eugster P. User Tasks and Access Control over Web Services, Proceedings of the 15th IEEE International Conference on Web Services, 2007. [5] Bertino E, Crampton J, Paci F. Access Control and Authorization Constraints for WS-BPEL, Proceedings of the IEEE International Conference on Web Services, 2006. [6] Open Grid Services Architecture - Data Access and Integration (OGSA-DAI), http://www.ogsadai.org.uk/. [7] Adamski M, Kulczewski M, Kurowski K, Nabrzyski J, Hume A. Security and Performance Enhancements to OGSA-DAI for Grid Data Virtualization, Concurrency and Computation.: Practice and Experience, 2007. [8] Dou W, Cheung SC, Chen G, Cai S. Certificate-Driven Grid Workflow Paradigm Based on Service Computing, Lecture Notes in Computer Science (2005) 3795: 155-160. [9] Power D, Slaymaker M, Politou E, Simpson A. A Secure Wrapper for OGSA-DAI, Lecture Notes in Computer Science (2005) 3470: 485-494. [10] IBM Corporation. IBM Websphere Workflow – Getting Started with Buildtime V. 3.6, 2005. [11] Java Authentication and Authorization Service, http://java.sun.com/javase/6/docs/technotes/guides/security/jaas/JAASRefGuide.html. [12] Pearlman L, Welch V, Foster I, Kesselman C, Tuecke S. A Community Authorization Service for Group Collaboration. Proceedings of the 3rd IEEE International Workshop on Policies for Distributed Systems and Networks, 2002. [13] OASIS Standards, http://www.oasis-open.org/ [14] Java Agent Development Framework, http://jade.tilab.com/ [15] National Institute of Standards and Technology (NIST) RBAC, http://csrc.nist.gov/groups/SNS/rbac/
