Advertisement

Audit-Based Access Control with a Distributed Ledger: Applications to Healthcare Organizations

  • Umberto Morelli
  • Silvio Ranise
  • Damiano Sartori
  • Giada Sciarretta
  • Alessandro TomasiEmail author
Conference paper
  • 114 Downloads
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11738)

Abstract

We propose an audit-based architecture that leverages the Hyperledger Fabric distributed ledger as a means to increase accountability and decentralize the authorization decision process of Attribute-Based Access Control policies by using smart contracts. Our goal is to decrease the trust in administrators and users with privileged accounts, and make the a posteriori verification of access events more reliable. We implement our approach to the use case of Electronic Health Record access control. Preliminary experiments show the viability of the proposed approach.

Keywords

Access control Hyperledger fabric Distributed ledger Trust 

References

  1. 1.
    Alizadeh, M., Lu, X., Fahland, D., Zannone, N., van der Aalst, W.M.: Linking data and process perspectives for conformance analysis. Comput. Secur. 73, 172–193 (2018).  https://doi.org/10.1016/j.cose.2017.10.010CrossRefGoogle Scholar
  2. 2.
    Androulaki, E., et al.: Hyperledger fabric: a distributed operating system for permissioned blockchains. In: EuroSys 2018. ACM, New York (2018).  https://doi.org/10.1145/3190508.3190538
  3. 3.
    Azaria, A., Ekblaw, A., Vieira, T., Lippman, A.: MedRec: using blockchain for medical data access and permission management. In: OBD 2016, pp. 25–30. IEEE (2016).  https://doi.org/10.1109/OBD.2016.11
  4. 4.
    Introduction to oracles. Corda online documentation v3.3. https://docs.corda.net/oracles.html
  5. 5.
    Dekker, M.A., Etalle, S.: Audit-based access control for electronic health records. Electron. Notes Theor. Comput. Sci. 168, 221–236 (2007).  https://doi.org/10.1016/j.entcs.2006.08.028CrossRefGoogle Scholar
  6. 6.
    Di Francesco Maesa, D., Mori, P., Ricci, L.: Blockchain based access control. In: Chen, L.Y., Reiser, H.P. (eds.) DAIS 2017. LNCS, vol. 10320, pp. 206–220. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-59665-5_15CrossRefGoogle Scholar
  7. 7.
    ENISA: Distributed Ledger Technology & Cybersecurity (2017).  https://doi.org/10.2824/80997. https://www.enisa.europa.eu/publications/blockchain-security
  8. 8.
    EU: General Data Protection Regulation (GDPR) (2016). https://data.europa.eu/eli/reg/2016/679/2016-05-04
  9. 9.
    Ferraiolo, D., Chandramouli, R., Hu, V., Kuhn, R.: A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). NIST (2016).  https://doi.org/10.6028/NIST.SP.800-178
  10. 10.
    Fisher, B., et al.: Attribute-Based Access Control. NIST (2017). https://nccoe.nist.gov/projects/building-blocks/attribute-based-access-control
  11. 11.
    Garay, J., Kiayias, A., Leonardos, N.: The bitcoin backbone protocol: analysis and applications. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 281–310. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-46803-6_10CrossRefGoogle Scholar
  12. 12.
    Hyperledger fabric documentation. https://hyperledger-fabric.readthedocs.io/
  13. 13.
    Hölbl, M., Kompara, M., Kamišalic̀ A., Nemec Zlatolas, L.: A systematic review of the use of blockchain in healthcare. Symmetry 10(10) (2018).  https://doi.org/10.3390/sym10100470CrossRefGoogle Scholar
  14. 14.
    Hu, V., et al.: Guide to Attribute Based Access Control (ABAC) Definition and Considerations. NIST (2014).  https://doi.org/10.6028/NIST.SP.800-162
  15. 15.
    Hyperledger Performance and Scale Working Group (PSWG): Hyperledger Blockchain Performance Metrics. https://www.hyperledger.org/resources/publications/blockchain-performance-metrics
  16. 16.
    IETF RFC: JSON Web Token (JWT) (2015). https://tools.ietf.org/html/rfc7519
  17. 17.
    IETF RFC: Automatic Certificate Management Environment (ACME) (2019). https://tools.ietf.org/html/rfc8555
  18. 18.
    Jin, X., Krishnan, R., Sandhu, R.: A unified attribute-based access control model covering DAC, MAC and RBAC. In: Cuppens-Boulahia, N., Cuppens, F., Garcia-Alfaro, J. (eds.) DBSec 2012. LNCS, vol. 7371, pp. 41–55. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-31540-4_4CrossRefGoogle Scholar
  19. 19.
  20. 20.
    Lampson, B.: Practical principles for computer security, NATO Security through Science Series - D: Information and Communication Security, vol. 9, pp. 151–195. IOS Press (2007)Google Scholar
  21. 21.
    Liang, X., Zhao, J., Shetty, S., Liu, J., Li, D.: Integrating blockchain for data sharing and collaboration in mobile healthcare applications. In: PIMRC, pp. 1–5. IEEE (2017).  https://doi.org/10.1109/PIMRC.2017.8292361
  22. 22.
    Glossary of key information security terms. https://csrc.nist.gov/glossary
  23. 23.
    OASIS: The eXtensible Access Control Markup Language (XACML) (2013). https://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.pdf
  24. 24.
    Dias, J.P., Sereno Ferreira, H., Martins, Â.: A blockchain-based scheme for access control in e-health scenarios. In: Madureira, A.M., Abraham, A., Gandhi, N., Silva, C., Antunes, M. (eds.) SoCPaR 2018. AISC, vol. 942, pp. 238–247. Springer, Cham (2020).  https://doi.org/10.1007/978-3-030-17065-3_24CrossRefGoogle Scholar
  25. 25.
    Sandhu, R., Samarati, P.: Authentication, access control, and audit. ACM Comput. Surv. (CSUR) 28(1), 241–243 (1996).  https://doi.org/10.1145/234313.234412CrossRefGoogle Scholar
  26. 26.
    Thakkar, P., Nathan, S., Viswanathan, B.: Performance benchmarking and optimizing hyperledger fabric blockchain platform. In: MASCOTS 2018, pp. 264–276. IEEE (2018).  https://doi.org/10.1109/MASCOTS.2018.00034
  27. 27.
    Tschantz, M.C., Datta, A., Wing, J.M.: Formalizing and enforcing purpose restrictions in privacy policies. In: S&P 2012, pp. 176–190. IEEE (2012).  https://doi.org/10.1109/SP.2012.21
  28. 28.
    Verizon: Data breach investigations report (2018). https://enterprise.verizon.com/resources/reports/2018/DBIR_2018_Report.pdf
  29. 29.
    Verizon: Protected health information data breach report (2018). https://enterprise.verizon.com/resources/reports/phi/
  30. 30.
    Yaga, D., Mell, P., Roby, N., Scarfone, K.: Blockchain Technology Overview. NIST (2018).  https://doi.org/10.6028/NIST.IR.8202
  31. 31.
    Zhang, P., White, J., Schmidt, D.C., Lenz, G., Rosenbloom, S.T.: FHIRChain: applying blockchain to securely and scalably share clinical data. Comput. Struct. Biotechnol. J. 16, 267–278 (2018).  https://doi.org/10.1016/j.csbj.2018.07.004CrossRefGoogle Scholar
  32. 32.
    Zyskind, G., Nathan, O., Pentland, A.S.: Decentralizing privacy: using blockchain to protect personal data. In: SPW, pp. 180–184. IEEE (2015).  https://doi.org/10.1109/SPW.2015.27

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Security & Trust, Fondazione Bruno KesslerTrentoItaly
  2. 2.EIT Master SchoolTrentoItaly

Personalised recommendations