Comparing and Integrating Break-the-Glass and Delegation in Role-based Access Control for Healthcare

Ana Ferreira, Gabriele Lenzini

2016

Abstract

In healthcare security, Role-based Access Control (RBAC) should be flexible and include capabilities such as Break-the-Glass and Delegation. The former is useful in emergencies to overcome otherwise a denial of access, the latter to transfer rights temporarily, for example, to substitute doctors. Current research studies these policies separately, but it is unclear whether they are different and independent capabilities. Motivated to look into this matter, we present a formal characterization of Break-the-Glass and Delegation in the RBAC model and we inquire on how these two policies relate. After giving arguments in favour of keeping them apart as different policies, we propose an RBAC model that includes them.

References

  1. Barka, E. and Sandhu, R. (2000). Framework for role-based delegation models. In Proc. of 6th Ann. Conf. on Computer Security Applications (ACSAC'00), pages 168-176.
  2. Barka, E. and Sandhu, R. (2007). Framework for Agentbased Role Delegation. In Proc. of the IEEE Int. Conf. on Communications (ICC'07, pages 1361-1367
  3. Becker, M. Y. (2005). A Formal Security Policy for an NHS Electronic Health Record Service. Technical Report UCAM-CL-TR-628, University of Cambridge.
  4. Brucker, A. D. and Petritsch, H. (2009). Extending Access Control Models with Break-glass. In Proc. of the 14th ACM Symposium on Access Control Models and Technologies (SACMNAT 7809), pages 197-206. ACM.
  5. Crampton, J. and Khambhammettu, H. (2008). Delegation in role-based access control. Int. J. of Information Security, 7(1):123-136.
  6. Crampton, J. and Morisset, C. (2011). An auto-delegation mechanism for access control systems. In Proc. of Security and Trust Management (STM), volume 6710 of LNCS, pages 1-16. Springer Berlin Heidelberg.
  7. Ferreira, A., Chadwick, D., Farinha, P., Correia, R., Zao, G., Chilro, R., and Antunes, L. (2009). How to Securely Break into RBAC: The BTG-RBAC Model. In Proc. of 5th Ann. Conf. on Computer Security Applications Conference (ACSAC'09), pages 23-31.
  8. Ferreira, A., Cruz-Correia, R., Antunes, L., and Chadwick, D. (2007). Access control: how can it improve patients'healthcare? In Medical and Care Compunetics, volume 127 of Studies in Health Technology and Informatics, pages 65-76.
  9. Ferreira, A., Cruz-Correia, R., Antunes, L., Farinha, P., Oliveira-Palhares, E., Chadwick, D., and CostaPereira, A. (2006). How to break access control in a controlled manner. In Proc. of 19th IEEE Int. Symp. on Computer-Based Medical Systems (CBMS), pages 847-854.
  10. Hasebe, K. and Mabuchi, M. (2010). Capabilityrole-based delegation in workflow systems. In Proc. of IEEE/IFIP 8th Int. Conf. on Embedded and Ubiquitous Computing (EUC 10), pages 711-717.
  11. ISO/TS (2009). ISO/TS 13606-4: Health informatics - electronic health record communication - part 4: Security.
  12. Krautsevich, L., Martinelli, F., Morisset, C., and Yautsiukhin, A. (2012). Risk-Based Auto-delegation for Probabilistic Availability. In Data Privacy Management and Autonomous Spontaneus Security, volume 7122 of LNCS, pages 206-220. Springer Berlin Heidelberg.
  13. Li, M. and Wang, H. (2008). ABDM: An extended flexible delegation model in RBAC. In Proc. of the 8th Int. Conf. on Computer and Information Technology (CIT 2008), pages 390-395.
  14. Maw, H., Xiao, H., Christianson, B., and Malcolm, J. (2014). An evaluation of break-the-glass access control model for medical data in wireless sensor networks. In Proc. of IEEE 16th Int. Conf. on e-Health Networking, Applications and Services (Healthcom), pages 130-135.
  15. Rajesh, K. and Nayak, A. (2012). Modified BTG-RBAC model for SaaS. In Cloud Computing Technologies, Applications and Management (ICCCTAM), 2012 International Conference on, pages 77-81.
  16. Rissanen, E., Firozabadi, B., and Sergot, M. (2006). Towards a Mechanism for Discretionary Overriding of Access Control. In Security Protocols, volume 3957 of LNCS, pages 312-319. Springer Berlin Heidelberg.
  17. Rostad, L. and Edsberg, O. (2006). A study of access control requirements for healthcare systems based on audit trails from access logs. In Proc. of the 22nd Annual Computer Security Applications Conference (ACSAC 7806), pages 175-186.
  18. Sandhu, R., Coyne, E., Feinstein, H., and Youman, C. (1996). Role-based access control models. Computer, 29(2):38-47.
  19. Wainer, J. (2005). A fine-grained, controllable, user-touser delegation method in RBAC. In Proc. of 10th ACM Symp. on Access Control Models and Technologies (SACMAT 7805), pages 59-66. ACM Press.
  20. Wang, H. and Osborn, S. L. (2006). Delegation in the role graph model. In Proc. of 11st ACM Symp. on Access Control Models and Technologies (SACMAT 7806), pages 91-100. ACM.
  21. Zhang, X., Oh, S., and Sandhu, R. (2003). PBDM: A Flexible Delegation Model in RBAC. In Proc. of the 8th ACM Symp. on Access Control Models and Technologies (SACMAT 7803), pages 149-157, New York, NY, USA. ACM.
  22. Zhao, G., Chadwick, D., and Otenko, S. (2007). Obligations for Role Based Access Control. In Proc. of the 21st Int. Conf. on Advanced Information Networking and Applications Workshop (AINAW'07), volume 1, pages 424-431.
Download


Paper Citation


in Harvard Style

Ferreira A. and Lenzini G. (2016). Comparing and Integrating Break-the-Glass and Delegation in Role-based Access Control for Healthcare . In Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-167-0, pages 63-73. DOI: 10.5220/0005683600630073


in Bibtex Style

@conference{icissp16,
author={Ana Ferreira and Gabriele Lenzini},
title={Comparing and Integrating Break-the-Glass and Delegation in Role-based Access Control for Healthcare},
booktitle={Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,},
year={2016},
pages={63-73},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005683600630073},
isbn={978-989-758-167-0},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,
TI - Comparing and Integrating Break-the-Glass and Delegation in Role-based Access Control for Healthcare
SN - 978-989-758-167-0
AU - Ferreira A.
AU - Lenzini G.
PY - 2016
SP - 63
EP - 73
DO - 10.5220/0005683600630073