Skip to main content
SpringerLink
Log in

Automated Reviewing of Healthcare Security Policies

  • Conference paper
Foundations of Health Information Engineering and Systems (FHIES 2012)

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 7789))

Abstract

We present a new formal validation method for healthcare security policies in the form of feedback-based queries to ensure an answer to the question of Who is accessing What in Electronic Health Records. To this end, we consider Role-based Access Control (RBAC) that offers the flexibility to specify the users, roles, permissions, actions, and the objects to secure. We use the Z notation both for formal specification of RBAC security policies and for queries aimed at reviewing these security policies. To ease the effort in creating the correct specification of the security policies, RBAC-based graphical models (such as SecureUML) are used and automatically translated into the corresponding Z specifications. These specifications are then animated using the Jaza tool to execute queries against the specification of security policies. Through this process, it is automatically detected who will gain access to the medical record of the patient and which information will be exposed to that system user.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 54.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 72.00
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Ahn, G.-J., Hu, H.: Towards realizing a formal RBAC model in real systems. In: Lotz, V., Thuraisingham, B.M. (eds.) Proceedings of the 12th ACM Symposium on Access Control Models and Technologies, SACMAT 2007, Sophia Antipolis, France, June 20-22, pp. 215–224. ACM (2007)

    Google Scholar 

  2. Appari, A., Johnson, M.E.: Information security and privacy in healthcare: current state of research. Int. J. of Internet and Enterprise Management 6(4), 279–314 (2010)

    Article  Google Scholar 

  3. Abdallah, A.E., Khayat, E.J.: Formal Z specifications of several flat role-based access control models. In: 30th Annual IEEE/NASA Software Engineering Workshop (SEW), pp. 282–292. IEEE CS (2006)

    Google Scholar 

  4. Basin, D.A., Clavel, M., Doser, J., Egea, M.: Automated analysis of security-design models. Information & Software Technology 51(5), 815–831 (2009)

    Article  Google Scholar 

  5. Bell, D., LaPadula, L.: Secure computer system: Unified exposition and multics interpretation. Technical report, MITRE Corp, Bedford (1975)

    Google Scholar 

  6. Boswell, A.: Specification and validation of a security policy model. IEEE Trans. Software Eng. 21(2), 63–68 (1995)

    Article  Google Scholar 

  7. Bowen, J.: Formal Specification and Documentation using Z: A Case Study Approach. Thomson Publishing (2003)

    Google Scholar 

  8. DOD 5200.28-STD. Trusted computer system evaluation criteria. Technical report, United States Department of Defense (1985)

    Google Scholar 

  9. Davies, J., Woodcock, J.: Using Z: Specification, Refinement, and Proof. Prentice Hall (1996) ISBN 0-13-948472-8

    Google Scholar 

  10. Ferraiolo, D.F., Sandhu, R., Gavrila, S., Kuhn, D.R., Chandramouli, R.: Proposed NIST standard for role-based access control. ACM Trans. Inf. Syst. Secur. 4(3), 224–274 (2001)

    Article  Google Scholar 

  11. Hall, A.: Specifying and interpreting class hierarchies in Z. In: Bowen, J.P., Hall, J.A. (eds.) Z User Workshop, pp. 120–138. Springer (1994)

    Google Scholar 

  12. Hasan, R., Yurcik, W.: A statistical analysis of disclosed storage security breaches. In: Proceedings of the 2006 ACM Workshop on Storage Security and Survivability, StorageSS 2006, Alexandria, VA, USA, October 30, pp. 1–8. ACM (2006)

    Google Scholar 

  13. Rubenstein, S.: Are your medical records at risk? Wall Street Journal (2009)

    Google Scholar 

  14. Jürjens, J.: Secure systems development with UML. Springer (2005)

    Google Scholar 

  15. Lodderstedt, T., Basin, D., Doser, J.: SecureUML: A UML-based modeling language for model-driven security. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, pp. 426–441. Springer, Heidelberg (2002)

    Chapter  Google Scholar 

  16. Ledru, Y., Idani, A., Milhau, J., Qamar, N., Laleau, R., Richier, J.-L., Labiadh, M.-A.: Taking into account functional models in the validation of IS security policies. In: Salinesi, C., Pastor, O. (eds.) CAiSE Workshops 2011. LNBIP, vol. 83, pp. 592–606. Springer, Heidelberg (2011)

    Chapter  Google Scholar 

  17. Ledru, Y., Qamar, N., Idani, A., Richier, J.-L., Labiadh, M.-A.: Validation of security policies by the animation of Z specifications. In: Breu, R., Crampton, J., Lobo, J. (eds.) Proceedings of the 16th ACM Symposium on Access Control Models and Technologies, SACMAT 2011, Innsbruck, Austria, June 15-17, pp. 155–164. ACM (2011)

    Google Scholar 

  18. Milhau, J., Idani, A., Laleau, R., Labiadh, M.-A., Ledru, Y., Frappier, M.: Combining UML, ASTD and B for the formal specification of an access control filter. Innov. Syst. Softw. Eng. 7, 303–313 (2011)

    Article  Google Scholar 

  19. Morimoto, S., Shigematsu, S., Goto, Y., Cheng, J.: Formal verification of security specifications with common criteria. In: Proceedings of the 2007 ACM Symposium on Applied Computing (SAC), Seoul, Korea, March 11-15, pp. 1506–1512. ACM (2007)

    Google Scholar 

  20. Qamar, N., Ledru, Y., Idani, A.: Validation of security-design models using Z. In: Qin, S., Qiu, Z. (eds.) ICFEM 2011. LNCS, vol. 6991, pp. 259–274. Springer, Heidelberg (2011)

    Chapter  Google Scholar 

  21. Schaad, A., Moffett, J.D.: A lightweight approach to specification and analysis of role-based access control extensions. In: Proceedings of the Seventh ACM Symposium on Access Control Models and Technologies, pp. 13–22. ACM (2002)

    Google Scholar 

  22. Spivey, J.M.: The Z Notation: A Reference Manual, 2nd edn. Prentice Hall International Series in Computer Science (1992)

    Google Scholar 

  23. Teije, A., Marcos, M., Balser, M., et al.: Improving medical protocols by formal methods. Artif. Intell. Med. 36(3), 193–209 (2006)

    Article  Google Scholar 

  24. Toahchoodee, M., Ray, I., Anastasakis, K., Georg, G., Bordbar, B.: Ensuring spatio-temporal access control for real-world applications. In: Proceedings of the 14th ACM Symposium on Access Control Models and Technologies, pp. 13–22. ACM, New York (2009)

    Chapter  Google Scholar 

  25. Yuan, C., He, Y., He, J., Zhou, Z.: A verifiable formal specification for RBAC model with constraints of separation of duty. In: Lipmaa, H., Yung, M., Lin, D. (eds.) Inscrypt 2006. LNCS, vol. 4318, pp. 196–210. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  26. Zao, J., Wee, H., Chu, J., Jackson, D.: RBAC schema verification using lightweight formal model and constraint analysis. Technical report, MIT, Cambridge (2002)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. International Institute for Software Technology, United Nations University, Japan

    Nafees Qamar, Johannes Faber & Zhiming Liu

  2. UJF-Grenoble 1/Grenoble-INP/UPMF-Grenoble2/CNRS, LIG, France

    Yves Ledru

Authors
  1. Nafees Qamar
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Johannes Faber
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Yves Ledru
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Zhiming Liu
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Faculty of Engineering, Department of Computer Science, University of Victoria, V8W 3P6, Victoria, BC, Canada

    Jens Weber

  2. Inserm, 101 rue de Tolbiac, 75013, Paris, France

    Isabelle Perseil

Rights and permissions

Reprints and permissions

Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Qamar, N., Faber, J., Ledru, Y., Liu, Z. (2013). Automated Reviewing of Healthcare Security Policies. In: Weber, J., Perseil, I. (eds) Foundations of Health Information Engineering and Systems. FHIES 2012. Lecture Notes in Computer Science, vol 7789. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-39088-3_12

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-39088-3_12

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-39087-6

  • Online ISBN: 978-3-642-39088-3

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation