Skip to main content

A Novel Reference Security Model with the Situation Based Access Policy for Accessing EPHR Data

Journal of Medical Systems volume 40, Article number: 242 (2016) Cite this article

Abstract

Electronic Patient Health Record (EPHR) systems may facilitate a patient not only to share his/her health records securely with healthcare professional but also to control his/her health privacy, in a convenient and easy way even in case of emergency. In order to fulfill these requirements, it is greatly desirable to have the access control mechanism which can efficiently handle every circumstance without negotiating security. However, the existing access control mechanisms used in healthcare to regulate and restrict the disclosure of patient data are often bypassed in case of emergencies. In this article, we propose a way to securely share EPHR data under any situation including break-the-glass (BtG) without compromising its security. In this regard, we design a reference security model, which consists of a multi-level data flow hierarchy, and an efficient access control framework based on the conventional Role-Based Access Control (RBAC) and Mandatory Access Control (MAC) policies.

This is a preview of subscription content, access via your institution.

Access options

Buy single article

Instant access to the full article PDF.

43,34 €

Price includes VAT (Finland)
Tax calculation will be finalised during checkout.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9

References

  1. Sandhu, R.S., and Samarati, P., Access control: principle and practice. IEEE Commun. Mag. 32(9):40–48, 1994.

    Article  Google Scholar 

  2. Ferraiolo, D.F., and Kuhn, D.R., Role Based Access Control, In: 15th National Computer Security Conf, 554–563, 1992.

  3. Sandhu, R.S., et al., Role-based access control models. Computer. 29(2):38–47, 1996.

    Article  Google Scholar 

  4. NIST. Role Based Access Control, National Institute of Standards and Technology, 1999, available in URL: http://hissa.ncsl.nist.gov/rbac.

  5. Ferraiolo, D.F., et al., Proposed NIST standard for Role-based Access Control. ACM Trans. Inf. Syst. Secur. (TISSEC). 4(3):224–274, 2001.

    Article  Google Scholar 

  6. Sandhu, R. S. et al., The NIST model for role based access control: Toward a Unified Standard, In: Proc. 5th ACM Workshop on Role Based Access Control, New York, pp: 47–63, 2000.

  7. Thomas, R. K., Team-based Access Control (TMAC): A primitive for applying role-based access controls in collaborative environments”, In: Proc. 2nd ACM Workshop on Role based Access Control, New York, pp. 13–19, 1997.

  8. Joshi, J.B.D. et al., A generalized temporal role-based access control model, In Knowledge and Data Engineering IEEE Transactions, pp. 4–23, 2005.

  9. Kulkarni, D., and Tripathi, A., Context-aware role-based access control in pervasive computing systems, In: Proc. 13th ACM Symp. on Access Control Models and Technologies, New York, pp: 113–122, 2008.

  10. Bertino, E. et al., GEORBAC: A Spatially Aware RBAC, In: Proc. 10th ACM Symp. on Access Control Models and Technologies, New York, pp. 29–37, 2005.

  11. Bertino, E. et al., TRBAC: A temporal role based access control model, In: ACM Transactions on Information and System Security (TISSEC), pp. 191–233, 2001.

  12. Covington, M. J., Generalized role based access control for securing future applications, In: Proc. of the Nat. Information Systems Security Conf., 2000.

  13. Park, S.H., et al., Context-role based access control for context-aware application. In: High Performance Computing and Communications. Springer Berlin, Heidelberg, pp. 572–580, 2006.

    Chapter  Google Scholar 

  14. Moyer, M. J. and Ahamad, M., Generalized role-based access control”, In: Proc. of the 21st IEEE Int. Conf. on Distributed Computing Systems, Mesa, AZ, pp. 391–398, 2001.

  15. Motta, G. et al., A contextual role-based access control authorization model for electronic patient record, In: Information Technology in Biomedicine, IEEE Transactions, , pp. 202–207, 2001.

  16. Russell, D., and Gangemi, G.T., Computer System Security and Access Control. In: Computer Security Basics, 2nd edn. O’Reilly, California, pp. 61–69, 2006 ch.3.

    Google Scholar 

  17. Georgiadis, C.K. et al., Flexible team-based access control using contexts, In: Proc. 6th ACM Symp. on Access Control Models and Technologies, New York, pp. 21–27, 2001.

  18. Karp, A.H. et al, From ABAC to ZBAC: the evolution of access control models In: Hewlett-Packard Development Company, LP 21, 2009.

  19. Kuhn, D.R., et al., Adding attribute to role-based access control. Computer. 43(6):79–81, 2010.

    Article  Google Scholar 

  20. Pelega, M., et al., Situation-based access control: privacy management via modeling of patient data access scenarios. J. Biomed. Inform.:1028–1040, 2008.

  21. Rissanen, E. et al., Towards a Mechanism for Discretionary Overriding of Access Control, In: Proc. 12th Int. Workshop on Security Protocols, Cambridge, 2004.

  22. Povey, D., Optimistic security: a new access control paradigm, In: Proc. 1999 workshop on New Security Paradigms, ACM Press, pp. 40–45, 2000.

  23. Ferreira, A. et al., How to break access control in a controlled manner, In: Proc. 19th IEEE Symp. on Computer-Based Medical Systems, pp. 847–851, 2006.

  24. Break-glass: An approach to granting emergency access to healthcare systems, White paper, Joint –NEMA/COCIR/JIRA Security and Privacy Committee (SPC), 2004.

  25. Juan, Y., Simon, D., and Susan, M., Situation identification techniques in pervasive computing: a review. Pervasive Mob. Comput. 8(1):36–66, 2012.

    Article  Google Scholar 

  26. Zhang, R., Liu, L., and Xue, R., Role-based and time-bound access and management of EHR data, Security and Communication Networks, doi:10.1002/sec, 2010.

  27. Schefer-Wenzl, S. and Strembeck, M., Generic support for RBAC breakglass policies in process-aware information systems. Proceedings of the 28th Annual ACM Symposium on Applied Computing, pages 1441–1446, 2013.

  28. Rostad, L., An Initial Model and a Discussion of Access Control inPatient Controlled Health Records”, In: The 3rd Int. Conf. on Availability, Reliability and Security, pp. 935–942, 2008.

  29. Kim, M.I., and Johnson, K.B., Personal health records: evaluation of functionality and utility. J. Am. Med. Inform. Assoc. 9(2):171–180, 2002.

    Article  PubMed  PubMed Central  Google Scholar 

  30. Ardagna, C.A., et al., Access control for smarter healthcare using policy spaces. Computers & Security. 29(8):848–858, 2010.

    Article  Google Scholar 

  31. Zhao, G. et al., Obligation for Role Based Access Control, In: IEEE Int. Symp. on Security in Networks and Distributed Systems (SSNDS07), 2007.

  32. Ferreira, A. et al., How to Securely Break into RBAC: The BTG-RBAC Model, Computer Security Applications Conference, 2009. ACSAC ‘09. Annual, Honolulu, pp. 23–31, 2009. doi:10.1109/ACSAC.2009.12

  33. Maw, H. A., Xiao, H., Christianson, B., Malcolm, J. A. An evaluation of break-the-glass access control model for medical data in wireless sensor networks, e-Health Networking, Applications and Services (Healthcom), IEEE 16th International Conference on, On page(s): pp. 130–135, 2014.

  34. Adriansyah, A., van Dongen, B-F., Zannone, N., Controlling Break-the-Glass through Alignment. SocialCom, pp. 606–611, 2013.

  35. Randike, G., Iannella, R., and Sahama, T.,Privacy oriented access control for electronic health records. electronic Journal of Health Informatics 8.2 (2014): 15.

  36. P. Gope, T. Hwang, “BSN-Care: A Secure IoT-based Modern Healthcare System Using Body Sensor Network,” IEEE Sensors Journal, Vol. 16 (5), pp. 1368–1376, 2016.

  37. Amin, R., Biswas, G. P., A Novel User Authentication and Key Agreement Protocol for Accessing Multi-Medical Server Usable in TMIS, J. Medical Systems 39(3) 2015.

  38. He, D., Zeadally, S., Kumar, N., and Lee, J.H., Anonymous authentication for wireless body area networks with provable security. IEEE Syst. J., 2016. doi:10.1109/JSYST.2016.2544805.

    Google Scholar 

  39. He, D., Zeadally, S., and Wu, L., Certificatelesspublic auditing scheme for cloud-assisted wireless body area networks. IEEE Syst. J., 2015. doi:10.1109/JSYST.2015.2428620.

    Google Scholar 

Download references

Acknowledgments

All the healthy criticism, valuable comments, and positive suggestions from the all three anonymous referees are greatly appreciated.

Author information

Affiliations

  1. iTrust, Centre for Research in Cyber Security, Singapore University of Technology and Design, Singapore, Singapore

    Prosanta Gope

  2. Department of Computer Science & Engineering, Thapar university, Patiala, Punjab, India

    Ruhul Amin

Authors
  1. Prosanta Gope
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Ruhul Amin
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Prosanta Gope.

Additional information

This article is part of the Topical Collection on Patient Facing Systems

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Gope, P., Amin, R. A Novel Reference Security Model with the Situation Based Access Policy for Accessing EPHR Data. J Med Syst 40, 242 (2016). https://doi.org/10.1007/s10916-016-0620-4

Download citation

  • Received:

  • Accepted:

  • Published:

  • DOI: https://doi.org/10.1007/s10916-016-0620-4

Keywords

  • EPHR
  • Access control
  • Break-the-glass
  • RBAC
  • Mac