A Clark-Wilson and ANSI role-based access control model

Purpose An electronic health record (EHR) enables clinicians to access and share patient information electronically and has the ultimate goal of improving the delivery of healthcare. However, this can create security and privacy risks to patient information. This paper aims to present a model for securing the EHR based on role-based access control (RBAC), attribute-based access control (ABAC) and the Clark-Wilson model. Design/methodology/approach A systematic literature review was conducted which resulted in the collection of secondary data that was used as the content analysis sample. Using the MAXQDA software program, the secondary data was analysed quantitatively using content analysis, resulting in 2,856 tags, which informed the discussion. An expert review was conducted to evaluate the proposed model using an evaluation framework. Findings The study found that a combination of RBAC, ABAC and the Clark-Wilson model may be used to secure the EHR. While RBAC is applicable to healthcare, as roles are linked to an organisation’s structure, its lack of dynamic authorisation is addressed by ABAC. Additionally, key concepts of the Clark-Wilson model such as well-formed transactions, authentication, separation of duties and auditing can be used to secure the EHR. Originality/value Although previous studies have been based on a combination of RBAC and ABAC, this study also uses key concepts of the Clark-Wilson model for securing the EHR. Countries implementing the EHR can use the model proposed by this study to help secure the EHR while also providing EHR access in a medical emergency.

Download Full-text

A Security Framework for Electronic Medical Record

International Journal of Scientific Research in Computer Science Engineering and Information Technology ◽

10.32628/cseit20634 ◽

2020 ◽

pp. 01-11

Author(s):

Obaloje Nkem Daniel

Keyword(s):

Access Control ◽

Medical Record ◽

Electronic Medical Record ◽

Health Sector ◽

Security And Privacy ◽

Role Based Access Control ◽

Security Framework ◽

Record System ◽

Wide Range ◽

Role Based

Electronic Medical Record (EMR) is basically the digital equivalent of paper records, or charts at a clinician’s office. EMR assist and make easier the services rendered by a wide range of medical practitioners such as physicians, nurses, pharmacists and many others, hence, increasing the safety of patients. It's importance in the health sector cannot be overemphasized. The designed framework aims at identifying security challenges in the use and adoption of EMR, to design and implement a framework that will address issues identified in the use and adoption of EMR. This study presented a security framework to improve the security and privacy issues of EMRs by adopting Role Based Access Control and RSA cryptography. Role Based Access Control (RBAC) model was used because of its flexibility to support minimal functionality and its simplistic mode of assigning roles and permissions to users. In conclusion, this research was able to improve the security of EMRs and hence will increase its acceptance by health institutions which will bring about improved health services, especially in developing countries were manual record system are still prominent.

Download Full-text

Towards a flexible framework to support a generalized extension of XACML for spatio-temporal RBAC model with reasoning ability

International Journal of Web Information Systems ◽

10.1108/ijwis-12-2013-0037 ◽

2014 ◽

Vol 10 (2) ◽

pp. 131-150 ◽

Cited By ~ 2

Author(s):

Tran Khanh Dang ◽

Tuyen Thi Kim Le ◽

Anh Tuan Dang ◽

Ha Duc Son Van

Keyword(s):

Access Control ◽

Research Result ◽

Security Requirements ◽

Role Based Access Control ◽

Reasoning Ability ◽

Content Type ◽

Flexible Framework ◽

Spatio Temporal ◽

Role Based ◽

Suitable Framework

Purpose – The paper aims to propose a flexible framework to support X-STROWL model. Extensible access control markup language (XACML) is an international standard used for access control in distributed systems. However, XACML and its existing extensions are not sufficient to fulfill sophisticated security requirements (e.g. access control based on user’s roles, context-aware authorizations and the ability of reasoning). Remarkably, X-STROWL, a generalized extension of XACML for spatiotemporal role-based access control (RBAC) model with reasoning ability, is a comprehensive model that overcomes these shortcomings. It mainly focuses on the architecture design as well as the implementation and evaluation of proposed framework and the comparison with others. Design/methodology/approach – Based on the concept of X-STROWL model, the paper reviewed a large amount of open sources implementing XACML with defined criteria and chose the most suitable framework to be extended for the implementation. The paper also presented a case study used to evaluate the research result. Findings – Holistic enterprise-ready application security framework – architecture framework (HERAS-AF) is chosen as the most suitable framework to be extended to implement X-STROWL model. Extending HERAS-AF to support spatiotemporal aspect and other contextual conditions as well as the way to integrate security in the access request, together with ability of reasoning for hierarchical roles, are striking features that make the proposed framework able to meet more sophisticated security requirements in comparison with others. Research limitations/implications – Due to the research content, the performance of proposed framework is not the focused issue of this work. Originality/value – The proposed framework is a crucial contribution of our research to provide a holistic, extensible and intelligent authorization decision engine.

Download Full-text

Deploying Privacy Improved RBAC in Web Information Systems

International Journal of Information Technologies and Systems Approach ◽

10.4018/jitsa.2011070105 ◽

2011 ◽

Vol 4 (2) ◽

pp. 70-87

Author(s):

Ioannis Mavridis

Keyword(s):

Information Systems ◽

Access Control ◽

System Development ◽

Security And Privacy ◽

Just In Time ◽

Role Based Access Control ◽

Fine Grained ◽

Web Information ◽

Web Information Systems ◽

Role Based

Access control technology holds a central role in achieving trustworthy management of personally identifiable information in modern information systems. In this article, a privacy-sensitive model that extends Role-Based Access Control (RBAC) to provide privacy protection through fine-grained and just-in-time access control in Web information systems is proposed. Moreover, easy and effective mapping of corresponding components is recognized as an important factor for succeeding in matching security and privacy objectives. Such a process is proposed to be accomplished by capturing and modeling privacy requirements in the early stages of information system development. Therefore, a methodology for deploying the mechanisms of an access control system conforming to the proposed Privacy Improved Role-Based Access Control (PIRBAC) model is presented. To illustrate the application of the proposed methodology, an application example in the healthcare domain is described.

Download Full-text

A novel approach of privacy-preserving data sharing system through data-tagging with role-based access control

World Journal of Engineering ◽

10.1108/wje-04-2021-0218 ◽

2021 ◽

Vol ahead-of-print (ahead-of-print) ◽

Author(s):

Tanvi Garg ◽

Navid Kagalwalla ◽

Shubha Puthran ◽

Prathamesh Churi ◽

Ambika Pawar

Keyword(s):

Health Care ◽

Access Control ◽

International Classification Of Diseases ◽

Role Based Access Control ◽

Content Type ◽

Health Care Data ◽

Novel Approach ◽

Classification Of Diseases ◽

Role Based ◽

Access Policies

Purpose This paper aims to design a secure and seamless system that ensures quick sharing of health-care data to improve the privacy of sensitive health-care data, the efficiency of health-care infrastructure, effective treatment given to patients and encourage the development of new health-care technologies by researchers. These objectives are achieved through the proposed system, a “privacy-aware data tagging system using role-based access control for health-care data.” Design/methodology/approach Health-care data must be stored and shared in such a manner that the privacy of the patient is maintained. The method proposed, uses data tags to classify health-care data into various color codes which signify the sensitivity of data. It makes use of the ARX tool to anonymize raw health-care data and uses role-based access control as a means of ensuring only authenticated persons can access the data. Findings The system integrates the tagging and anonymizing of health-care data coupled with robust access control policies into one architecture. The paper discusses the proposed architecture, describes the algorithm used to tag health-care data, analyzes the metrics of the anonymized data against various attacks and devises a mathematical model for role-based access control. Originality/value The paper integrates three disparate topics – data tagging, anonymization and role-based access policies into one seamless architecture. Codifying health-care data into different tags based on International Classification of Diseases 10th Revision (ICD-10) codes and applying varying levels of anonymization for each data tag along with role-based access policies is unique to the system and also ensures the usability of data for research.

Download Full-text

Deploying Privacy Improved RBAC in Web Information Systems

Systems Approach Applications for Developments in Information Technology ◽

10.4018/978-1-4666-1562-5.ch020 ◽

2012 ◽

pp. 298-315

Author(s):

Ioannis Mavridis

Keyword(s):

Information Systems ◽

Access Control ◽

System Development ◽

Security And Privacy ◽

Just In Time ◽

Role Based Access Control ◽

Fine Grained ◽

Web Information ◽

Web Information Systems ◽

Role Based

Download Full-text

A Comparative Analysis of Chain-Based Access Control and Role-Based Access Control in the Healthcare Domain

International Journal of Information Security and Privacy ◽

10.4018/jisp.2013070103 ◽

2013 ◽

Vol 7 (3) ◽

pp. 36-52 ◽

Cited By ~ 3

Author(s):

Esraa Omran ◽

Tyrone Grandison ◽

David Nelson ◽

Albert Bokma

Keyword(s):

Comparative Analysis ◽

Access Control ◽

Personal Information ◽

Security And Privacy ◽

Role Based Access Control ◽

Patient Privacy ◽

Privacy Policies ◽

Healthcare Applications ◽

Seamless Integration ◽

Role Based

The importance of electronic healthcare has caused numerous changes in both substantive and procedural aspects of healthcare processes. These changes have produced new challenges for patient privacy and information secrecy. Traditional privacy policies cannot respond to rapidly increased privacy needs of patients in electronic healthcare. Technically enforceable privacy policies are needed in order to protect patient privacy in modern healthcare with its cross-organizational information sharing and decision making. This paper proposes a personal information flow model that proposes a limited number of acts on this type of information. Ontology-classified chains of these acts can be used instead of the “intended business purposes” in the context of privacy access control. This enables the seamless integration of security and privacy into existing healthcare applications and their supporting infrastructures. In this paper, the authors present their idea of a Chain-Based Access Control (ChBAC) mechanism and provide a comparative analysis of it to Role-Based Access Control (RBAC). The evaluation is grounded in the healthcare domain and examines a range of typical access scenarios and approaches.

Download Full-text