DOI: 10.1145/1066677.1066756
Article

Formal specification of role-based security policies for clinical information systems

Published: 13 March 2005

Abstract

Many healthcare organizations have transitioned from their old and disparate business models based on ink and paper to new, consolidated ones based on electronic patient records. There are significant demands for secure mechanisms for collaboration and data sharing among clinicians, patients and researchers through clinical information systems. In order to fulfil the high demands of data protection in such systems, we believe that access control policies play an important role in reducing the risks to confidentiality, integrity, and availability of medical data. In this paper, we attempt to formally specify access control policies in clinical information systems, which are highly dynamic and complex environments. We leverage characteristics of temporal linear first-order logic to cope with dynamic access control policies in clinical information systems.

Published In

SAC '05: Proceedings of the 2005 ACM symposium on Applied computing
March 2005
1814 pages
ISBN:1581139640
DOI:10.1145/1066677
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. LTL
  2. authorisation constraints
  3. healthcare environments

Qualifiers

  • Article

Conference

SAC05
SAC05: The 2005 ACM Symposium on Applied Computing
March 13 - 17, 2005
New Mexico, Santa Fe

Acceptance Rates

Overall Acceptance Rate 1,650 of 6,669 submissions, 25%

Cited By

  • (2017) Strategic Approach towards Clinical Information Security. Healthcare Ethics and Training. 10.4018/978-1-5225-2237-9.ch054 (1141-1171). Online publication date: 2017
  • (2016) Strategic Approach towards Clinical Information Security. Improving Health Management through Clinical Decision Support Systems. 10.4018/978-1-4666-9432-3.ch015 (329-359). Online publication date: 2016
  • (2014) Framework for Information Sharing with Privacy and Priority Control in Long-Term Care in Japan. International Journal of E-Health and Medical Communications. 10.4018/ijehmc.2014010103 5:1 (46-62). Online publication date: 1-Jan-2014
  • (2012) Multi-model-based Access Control in Construction Projects. Electronic Proceedings in Theoretical Computer Science. 10.4204/EPTCS.83.1 83 (1-9). Online publication date: 26-Apr-2012
  • (2011) Validation of security-design models using Z. Proceedings of the 13th international conference on Formal methods and software engineering. 10.5555/2075089.2075113 (259-274). Online publication date: 26-Oct-2011
  • (2011) Controlled data sharing in E-health. 2011 1st Workshop on Socio-Technical Aspects in Security and Trust (STAST). 10.1109/STAST.2011.6059251 (17-23). Online publication date: Sep-2011
  • (2011) Federation and security aspects for the management of the EHR in Italy. Proceedings of the Second international conference on Advances in New Technologies, Interactive Interfaces and Communicability. 10.1007/978-3-642-34010-9_3 (26-37). Online publication date: 5-Dec-2011
  • (2010) Modular context-aware access control for medical sensor networks. Proceedings of the 15th ACM symposium on Access control models and technologies. 10.1145/1809842.1809864 (129-138). Online publication date: 9-Jun-2010
  • (2010) Capability-based delegation model in RBAC. Proceedings of the 15th ACM symposium on Access control models and technologies. 10.1145/1809842.1809861 (109-118). Online publication date: 9-Jun-2010
  • (2010) SAMSON. Proceedings of the 2010 IEEE International Symposium on A World of Wireless, Mobile and Multimedia Networks (WoWMoM). 10.1109/WOWMOM.2010.5534982 (1-6). Online publication date: 14-Jun-2010
