APPLICATION OF ROLE-BASED ACCESS CONTROL IN WIRELESS HEALTHCARE INFORMATION SYSTEMS
Frode Hansen and Vladimir Oleshchuk
Agder University College, Grooseveien 36, N-4876 Grimstad, Norway
ABSTRACT
The paper presents a Spatial Role-Based Access Control (SRBAC) framework and its application to healthcare information systems that allow wireless access to information. The framework secures access to medical information and resources that healthcare personnel and patients reach through mobile computing devices. SRBAC uses general role-based access control extended with location-based constraints on the set of roles and permissions. The framework utilizes location information in access control decisions in order to determine the permissions a role encompasses at a given location. The permissions of a role change dynamically depending on the role owner's movement.
KEY WORDS
Security, RBAC, Wireless Healthcare Information Systems
1. INTRODUCTION
Today's healthcare organizations use Electronic Patient Records (EPR) that are distributed over many locations in order to provide healthcare professionals with access to medical information about a patient. Furthermore, the use of handheld or mobile computing and communication devices together with a wireless connection technology will play an important role within the future healthcare sector (especially hospitals). This enables medical personnel to gain access to personal health information, test results, and clinical or pharmaceutical data from everywhere in and around the healthcare institution. Mobility and improved availability allow health personnel to dynamically access patient information [1], enhancing efficiency in information acquisition. However, according to [7], approximately 1100 accidental deaths world-wide up to 1992 were caused by computer system failures. Hence, because the information stored in a healthcare information system contains highly personal and sensitive medical data and can be accessed from several departments of a healthcare institution, it is vital to remedy the considerable risks to the security and integrity of the system and to decrease the likelihood of unauthorized access to and alteration of the sensitive information held in the healthcare information system.

Role-Based Access Control (RBAC) models [2], [3] are receiving increasing attention as a recent generalized approach to access control. RBAC differs from traditional identity-based access control in that it takes advantage of the concept of role relations. In such models, a user's rights to access computer resources (objects) are determined by the user's assignment to a role and by the role's permissions to perform operations on objects. Thus, a role is a collection of permissions (operations on a set of objects) assigned by the system, based on the role's intended function as well as the policies within an organization, in an effort to control the operations a role may perform on objects. The concept of roles has several advantages. Firstly, it simplifies authorization administration, because when a user changes job function the security administrator needs only to revoke the old role memberships and assign the new appropriate ones. Furthermore, RBAC has been shown to be policy neutral [4] and supports security policy objectives such as least privilege and static and dynamic separation of duty constraints [3]. Moreover, RBAC offers flexibility with respect to different security policies; in fact, [5] shows that RBAC can be configured to enforce mandatory and discretionary access control policies. Recent models [4], [5] extend the RBAC model by specifying temporal constraints on the roles associated with a user.

The mobile computing environment presents additional security concerns, because access to the communication medium is constrained only by the coverage area (cell area) of the particular wireless access point, rather than by a physical connection as for a wired medium. This enables a user (authorized or unauthorized) to access the network from outside a physically enclosed area. Furthermore, Mavridis et al. [9] argue that in a distributed medical information system it is important to be able to determine the location from which an access request is made. This is because users can make access requests from several sites. These sites may have different levels of trustworthiness, or they may be different administrative domains, such that a user's permissions may differ from one site to another. For example, a nurse working on a particular ward should only be granted access to the records of patients registered at that ward.

In order to cope with the spatial authorization requirements in a healthcare information system, we introduce a Spatial Role-Based Access Control (SRBAC) framework, based on the SRBAC model presented in [8], which can be used to constrain the set of roles and permissions a user may activate at a given location.
2. SRBAC IN HEALTHCARE INFORMATION SYSTEMS
As explained earlier, in traditional RBAC users are assigned to roles and permissions are associated with roles, such that a user may activate permissions dependent on his/her role assignments. However, in a wireless healthcare environment, a user's permission to access objects should be based not only on the role played in the organization, but also on the relevant security context, such as location [11]. Thus, in a mobile setting, we achieve greater flexibility in defining the security policy when permissions are assigned dynamically to a role, limited by the location in which the user is situated. In the remainder of this section we describe a Spatial Role-Based Access Control framework for use in wireless healthcare information systems. The framework is based on the SRBAC model described in [8].
2.1 Locations
For the system to be able to make authorization decisions based on the spatial dimension in which the user is situated, the mediator must be able to obtain the location of the mobile terminal from which the access request was made. This is particularly important in healthcare organizations, because unauthorized access to medical data may have serious consequences. In wired systems this can easily be done based on the physical/logical addresses of the installed hardware: access to a specific sensitive service is granted based on the physical/logical address of the workstation [10]. However, as mentioned earlier, this cannot be carried out in a wireless network, where the coverage area of the wireless access point spans physical borders. Moreover, a user carrying a mobile device is on the move (constantly changing position), so constraining access to a sensitive resource based on physical addresses would not be practical. Therefore, for a wireless healthcare information system it is important that the system can locate the mobile device with an accuracy determined by the organization's own security policy (some services may require better location accuracy than others). There exist several location sensing techniques with various granularity for both indoor and outdoor position estimation of mobile devices. Refer to [8] for more information on location estimation of mobile devices.
2.2 Roles and Hierarchies
Traditionally, the level of access and the permissions assigned to users in a healthcare organization are determined by the responsibilities they hold in the organization. Therefore, a user may be assigned to a set of roles in order to carry out his/her tasks. Healthcare work flows involve several healthcare professionals playing different roles. A patient is in contact with general practitioners, specialist doctors, nurses and administrative employees, each of whom has his/her own job functions and needs to access patient-specific information and applications, determined by their responsibilities. Since job functions are usually associated with predefined locations (office, home office, ward etc.), the job responsibilities vary depending on location. To enhance security and safety we need to differentiate between which permissions may be utilized in different locations. Considering the case of wireless access to a healthcare information system, we note that a user's location may change while he/she accesses information. Therefore we need a framework that makes it possible to specify a security policy where roles are dynamic in the sense that a role may have different permissions assigned to it for distinct locations.

The framework has to contain the notion of hierarchies, which are a natural means for structuring roles to reflect the organization's lines of authority and responsibility [3]. Each level in a hierarchy is equivalent to the role a particular worker takes up in the healthcare organization. Role hierarchies define an inheritance relation (or dominance relation) between roles, such that a role r_i inherits the permissions of role r_j if all permissions of r_j are also permissions of r_i. In our framework, the permission inheritance relationship among roles in the presence of a role hierarchy also depends on location. That is, a role r_i inherits the permissions of role r_j in locations L if all the permissions of r_j in locations L are also permissions of r_i in locations L.

[Figure 1: role hierarchy diagram with the roles Radio, Cardio, Gyno, Nurse, Doc and Emp]
Figure 1. Role hierarchy example where the role Gyno inherits permissions from the roles Doc and Emp in the locations specified by L.

Figure 1 shows an example of a role hierarchy where the role Gyno (Gynecologist) can activate all the permissions inherited from the roles Doc and Emp, constrained by location, together with the permissions assigned to Gyno directly.
2.3 Permissions
Permissions are approvals to execute some operation (e.g. read, write, copy, open, close, etc.) on one or more objects (e.g. EPR, Psychiatric Ward), and depend on the role and on the role owner's location. Thus, permissions are dynamically assigned to roles dependent on the location from which the access request is made. A similar approach is suggested in [12]; however, our approach differs in that permissions are dynamically assigned, such that roles may have different permissions for distinct locations within the same session. In [12], a role's permissions are determined by the specific user context constraints (e.g. location, time, trust etc.) at session start time (i.e. when the user starts to perform some task). The problem with this approach is that in a wireless environment one must assume that a user can change position during the same session, such that the rights determined for the role at session start time may no longer be valid for the role when the user moves to another location. This could be solved by making the user log into the system again when changing position, but this would be tedious and bothersome if the user constantly changes position (for example an on-duty doctor performing the doctor's visit). Our approach instead lets a user log on to the system once; based on the user's job function, the user is assigned the appropriate "dynamic" roles needed to complete his/her tasks within the healthcare institution. The permission set assigned to a role may differ between locations, so the system must be able to track the users (as described in section 2.1) in order to correctly determine the permissions currently assigned to the particular role the user wants to activate. Table 1 shows an example of a list of permissions for roles at various locations in a healthcare environment.

Here the doctors assigned to the role DocRadio may use permission sets p1, p2 and p3 in locations Zone1 and Zone3, and permission set p1 in Zone4. In addition, doctors assigned to the role DocGyno may use permission sets p1, p4, p5 and p6 in location Zone2, and permission set p1 in Zone4. This indicates that the permission set p1 is inherited from a more general role (e.g. the role Doc, see Figure 1) in the role hierarchy. Notice that the only permission set that doctors assigned to the roles DocRadio and DocGyno can activate in Zone4 is permission set p1. Zone4 may represent a less trustworthy location, such as a hospital cafeteria or hospital reception, where there can be a considerable accumulation of people (doctors, nurses, patients, visitors etc.) and where it may therefore not be suitable to allow access to, for example, EPRs.
Table 1. Location Permission Assignment List (LPAL) showing the permissions of various roles in different locations

ROLES        LOCATION        PERMISSION SETS
DocRadio     Zone1, Zone3    p1, p2, p3
DocRadio     Zone4           p1
DocGyno      Zone2           p1, p4, p5, p6
DocGyno      Zone4           p1
NurseRadio   Zone1, Zone3    p7, p2
NurseGyno    Zone2           p7, p5
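The location-dependent inheritance of section 2.2 and the LPAL of Table 1 can be evaluated together as follows. This is an added example, not code from the paper; it assumes (constructed) that the shared set p1 belongs to a general role Doc in every zone and reaches DocRadio and DocGyno only through location-scoped dominance edges, chosen so that the effective permissions reproduce Table 1 exactly.

```python
from typing import Dict, FrozenSet, Optional, Set, Tuple

Perms = FrozenSet[str]

# Constructed direct assignments (role, location) -> permission sets, modelled on Table 1.
# Assumption: p1 is held by the general role Doc in every zone and is not assigned
# to DocRadio / DocGyno directly; they obtain it through the hierarchy below.
LPAL: Dict[Tuple[str, str], Perms] = {
    ("Doc", "Zone1"): frozenset({"p1"}),
    ("Doc", "Zone2"): frozenset({"p1"}),
    ("Doc", "Zone3"): frozenset({"p1"}),
    ("Doc", "Zone4"): frozenset({"p1"}),
    ("DocRadio", "Zone1"): frozenset({"p2", "p3"}),
    ("DocRadio", "Zone3"): frozenset({"p2", "p3"}),
    ("DocGyno", "Zone2"): frozenset({"p4", "p5", "p6"}),
    ("NurseRadio", "Zone1"): frozenset({"p7", "p2"}),
    ("NurseRadio", "Zone3"): frozenset({"p7", "p2"}),
    ("NurseGyno", "Zone2"): frozenset({"p7", "p5"}),
}

# Dominance relation (senior, junior) -> the locations L in which the senior role
# inherits the junior role's permissions (the paper's "in locations L"); constructed.
INHERITS: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("DocRadio", "Doc"): frozenset({"Zone1", "Zone3", "Zone4"}),
    ("DocGyno", "Doc"): frozenset({"Zone2", "Zone4"}),
}

def effective_permissions(role: str, location: str,
                          seen: Optional[Set[str]] = None) -> Perms:
    """Direct permissions of `role` at `location` plus everything inherited there."""
    seen = set() if seen is None else seen
    if role in seen:                      # cycle guard for a malformed hierarchy
        return frozenset()
    seen.add(role)
    perms = set(LPAL.get((role, location), frozenset()))
    for (senior, junior), locations in INHERITS.items():
        if senior == role and location in locations:
            perms |= effective_permissions(junior, location, seen)
    return frozenset(perms)

def authorized(role: str, location: str, permission: str) -> bool:
    """Access decision: may `role` use `permission` at `location`?"""
    return permission in effective_permissions(role, location)

if __name__ == "__main__":
    for role, zone in [("DocRadio", "Zone1"), ("DocRadio", "Zone4"), ("DocGyno", "Zone2")]:
        print(role, zone, sorted(effective_permissions(role, zone)))
```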
2.4 Application Scenario
General RBAC systems consider roles as static in the sense that their permissions do not change frequently. However, consider the following scenario. Whenever a doctor logs on to the wireless healthcare information system, roles are assigned to the doctor based on identity and responsibilities within the organization. A doctor who is going to perform the daily doctor's visit is assigned the appropriate roles that give access to his/her patients. Thus, whenever the doctor visits a patient on his/her round, the doctor may view, update and revise parts of the patient's Electronic Patient Record (EPR) with the help of a mobile computing device. However, the doctor's permission to access a particular patient's EPR may differ depending on the location of both the doctor and the patient. For example, on_call_doctor Alice's right to prescribe medication to patient Bob is only granted when both Alice and Bob are located around Bob's bedside. This is necessary because, when Alice is on the doctor's visit, she may access the EPRs of all patients assigned to her through her mobile device. Thus, in order to prevent Alice from accessing the EPR of a different patient believing it is Bob's, and so risking that she prescribes the wrong medication to Bob, Alice is only allowed to access Bob's EPR when she is located at Bob's bedside and Bob is also located there. When Alice moves towards the next patient on her round, the system registers that she is moving outside Bob's area and she no longer has access to Bob's EPR. This is illustrated in Figure 2.

1. Alice requests to prescribe medication to Bob. It is assumed here that Alice must present her role data for the particular access request, e.g. on_call_doctor.
2. The Reference Monitor (RM), which mediates the access request, sends a request to the Location Information Database (LID) about the presence of Alice and Bob.
3. The LID returns to the RM the location information on both Alice and Bob. The RM rejects the access request if Alice is not within the same location as Bob (6).
4. The RM then requests the on_call_doctor's authorization data from the Authorization Database (ADB) for this location.
5. The ADB returns the on_call_doctor's permissions for the location from which the access request was made. The RM then determines if the on_call_doctor is permitted to prescribe medication for Bob in this area.
6. The RM accepts or rejects the access request depending on whether the on_call_doctor is allowed to prescribe medication for Bob at the present location.
7. If the access request was accepted, the EPR must be updated to contain information about the medication prescribed and other relevant information regarding the treatment.

[Figure 2: diagram of the exchange between the on_call_doctor client, the Reference Monitor, the Location Information Database, the Authorization Database and Bob's EPR; the arrows numbered 1 to 7 correspond to the steps above]
Figure 2. Example of an application scenario where the client's right to access RBAC objects is constrained by its present position.
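The seven steps of the scenario above, as an added example that is not part of the original paper: a reference monitor that consults a constructed Location Information Database and Authorization Database on every request rather than once per session, so that Alice's right to prescribe disappears as soon as she leaves Bob's bedside. Zone names, operation names and the EPR store are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample data, not from the paper.
# Location Information Database (LID): who is currently in which zone.
LID: Dict[str, str] = {"Alice": "Bedside-Bob", "Bob": "Bedside-Bob"}

# Authorization Database (ADB): (role, location) -> operations permitted there.
ADB: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("on_call_doctor", "Bedside-Bob"): frozenset({"view_epr", "prescribe"}),
    ("on_call_doctor", "Corridor"): frozenset({"view_epr"}),
}

# Electronic Patient Records: patient -> treatment entries written on accepted requests.
EPR: Dict[str, List[str]] = {"Bob": []}

@dataclass
class Decision:
    accepted: bool
    reason: str

def reference_monitor(user: str, role: str, patient: str,
                      operation: str, detail: str = "") -> Decision:
    """Steps 1-7 of the scenario, evaluated afresh on every request (step 1)
    rather than at session start, so a user who moves loses access."""
    # Steps 2-3: ask the LID where the requester and the patient are.
    user_loc, patient_loc = LID.get(user), LID.get(patient)
    if user_loc is None or patient_loc is None:
        return Decision(False, "location of a party is unknown")
    if user_loc != patient_loc:                      # step 6: early reject
        return Decision(False, f"{user} is not co-located with {patient}")
    # Steps 4-5: fetch the role's permissions for the requester's location.
    permitted = ADB.get((role, user_loc), frozenset())
    if operation not in permitted:                   # step 6: reject
        return Decision(False, f"{role} may not {operation} in {user_loc}")
    # Step 7: on acceptance, record the treatment in the patient's EPR.
    if operation == "prescribe":
        EPR.setdefault(patient, []).append(f"{user}: {detail}")
    return Decision(True, f"{operation} accepted in {user_loc}")

def move(user: str, zone: str) -> None:
    """Simulate the location-sensing layer (section 2.1) updating the LID."""
    LID[user] = zone

if __name__ == "__main__":
    print(reference_monitor("Alice", "on_call_doctor", "Bob", "prescribe", "drug X"))
    move("Alice", "Corridor")        # Alice walks on to her next patient
    print(reference_monitor("Alice", "on_call_doctor", "Bob", "prescribe", "drug Y"))
```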
3. CONCLUSION
We presented and discussed a framework for securing access to a healthcare information system reached through mobile computing devices by healthcare personnel and patients. The framework utilizes location information in access control decisions in order to determine the permissions the roles encompass at a given location. It extends the traditional means of defining an organizational security policy by utilizing location information in access control decisions.
4. REFERENCES
[1] M. Alsaker & B. Aksnes, Informasjonssikkerhet ved bruk av lommedatamaskiner: Trusselvurderinger, sikkerhetsvurderinger og anbefalinger, Kompetansesenter for IT i helsevesenet AS, Rapport R 11/02, 2002.
[2] R.S. Sandhu, E.J. Coyne, H.L. Feinstein & C.E. Youman, Role-based access control models, IEEE Computer 29(2), 1996, 38-47.
[3] D.F. Ferraiolo, R. Sandhu, S. Gavrila, D.R. Kuhn & R. Chandramouli, Proposed NIST standard for role-based access control, ACM Transactions on Information and System Security 4(3), 2001, 224-274.
[4] E. Bertino, P.A. Bonatti & E. Ferrari, TRBAC: A temporal role-based access control model, ACM Transactions on Information and System Security 4(3), 2001, 191-223.
[5] S. Osborn, R. Sandhu & Q. Munawer, Configuring role-based access control to enforce mandatory and discretionary access control policies, ACM Transactions on Information and System Security 3(2), 2000, 85-106.
[6] J.B.D. Joshi, E. Bertino, U. Latif & A. Ghafoor, Generalized temporal role based access control model (GTRBAC) (Part I) - specification and modeling, Technical report, CERIAS TR 2001-47, Purdue University, USA, 2001.
[7] D. Gritzalis, A baseline security policy for distributed healthcare information systems, Journal of Computers & Security 16(8), 1997, 709-719.
[8] F. Hansen & V. Oleshchuk, SRBAC: A Spatial Role-Based Access Control Model for Mobile Systems, Submitted, 2003.
[9] I. Mavridis, C. Georgiadis, G. Pangalos & M. Khair, Access Control based on Attribute Certificates for Medical Intranet Applications, Journal of Medical Internet Research 3(1), 2001, e9.
[10] T. Grøtan & B. Aksnes, Veiledning i informasjonssikkerhet ved helseinstitusjoners tilkopling til eksterne nett, Kompetansesenter for IT i helsevesenet AS, Rapport R 8/99, 1999.
[11] L. Zhang, G. Ahn & B. Chu, A role-based delegation framework for healthcare information systems, Seventh ACM Symposium on Access Control Models and Technologies, Monterey, California, USA, 2002, 125-134.
[12] M. Wilikens, S. Feriti, A. Sanna & M. Masera, A context-related authorization and access control method based on RBAC: A case study from the health care domain, Seventh ACM Symposium on Access Control Models and Technologies, Monterey, California, USA, 2002, 117-124.