An Authoring Framework for Security Policies: A Use-Case within the Healthcare Domain

  • Thomas Trojer
  • Basel Katt
  • Florian Wozak
  • Thomas Schabetsberger
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 69)


Traditionally, the definition and the maintenance of security and access control policies has been the exclusive task of system administrators or security officers. In modern distributed and heterogeneous systems, there exist the need to allow different stakeholders to create and edit their security and access control preferences. In order to solve this problem two main challenges need to be met. First, authoring tools with different user interfaces should be designed and adapted to meet domain background and the degree of expertise of each stakeholder. For example, policy authoring tools for a patient or a doctor should be user friendly and not contain any technical details, while those for a security administrators can be more sophisticated, containing more details. Second, conflicts that can arise among security policies defined by different stakeholders must be considered by these authoring tools on runtime. Furthermore, warnings and assisting messages must be provided to help defining correct policies and to avoid potential security risks. Towards meeting these challenges, we propose an authoring framework for security policies. This framework enables building authoring tools that take into consideration the views of different stakeholders.


Security policy EHR Policy authoring Usability Model-driven engineering 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    IBM Austria, Feasibility study for implementing the electronic health record (ELGA) in the Austrian health system, IBM (November 2006)Google Scholar
  2. 2.
    Basin, D., Clavel, M., Egea, M., Schläpfer, M.: Automatic generation of Smart, Security-aware GUI Models. In: Massacci, F., Wallach, D., Zannone, N. (eds.) ESSoS 2010. LNCS, vol. 5965, pp. 201–217. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  3. 3.
    Bézivin, J., Büttner, F., Gogolla, M., Jouault, F., Kurtev, I., Lindow, A.: Model transformations? Transformation models! In: Wang, J., Whittle, J., Harel, D., Reggio, G. (eds.) MoDELS 2006. LNCS, vol. 4199, pp. 440–453. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  4. 4.
    Blobel, B.: Authorisation and access control for electronic health record systems. International Journal of Medical Informatics 73(3) (2004)Google Scholar
  5. 5.
    Karat, C., Karat, J., Brodie, C., Feng, J.: Evaluating interfaces for privacy policy rule authoring. In: SIGCHI 2006. ACM, New York (2006)Google Scholar
  6. 6.
    Katt, B., Breu, R., Hafner, M., Schabetsberger, T., Mair, R., Wozak, F.: Privacy and Access Control for IHE-Based Systems. In: Weerasinghe, D. (ed.) eHealth 2008. LNICST, vol. 1, pp. 145–153. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  7. 7.
    Katt, B., Trojer, T., Breu, R., Schabetsberger, T., Wozak, F.: Meeting EHR Security Requirements: SeaaS approach. In: EFMI STC 2010, Reykjavik, Iceland (June 2010)Google Scholar
  8. 8.
    Katt, B., Trojer, T., Breu, R., Schabetsberger, T., Wozak, F.: Meeting EHR Security Requirements: Athentication as a Security Service. In: Perspegktive Workshop, GMDS 2010, Mannheim, Germany (September 2010)Google Scholar
  9. 9.
    Lodderstedt, T., Basin, D., Doser, J.: SecureUML: A UML-based modeling language for model-driven security. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, p. 426. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  10. 10.
    Reeder, R.W., Karat, C., Karat, J., Brodie, C.: Usability challenges in security and privacy policy-authoring interfaces. In: Baranauskas, C., Abascal, J., Barbosa, S.D.J. (eds.) INTERACT 2007. LNCS, vol. 4663, pp. 141–155. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  11. 11.
    Røstad, L.: An initial model and a discussion of access control in patient controlled health records. In: ARES 2008. IEEE Computer Society, Washington, DC, USA (2008)Google Scholar
  12. 12.
    Sandhu, R., Coyne, E., Feinstein, H., Youman, C.: Role-based access control models. Computer 29 (1996)Google Scholar
  13. 13.
    Trojer, T., Fung, B., Hung, P.: Service-oriented architecture for privacy-preserving data mashup. In: IEEE International Conference on Web Services (2009)Google Scholar

Copyright information

© ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering 2011

Authors and Affiliations

  • Thomas Trojer
    • 1
  • Basel Katt
    • 1
  • Florian Wozak
    • 2
  • Thomas Schabetsberger
    • 2
  1. 1.Research Group Quality EngineeringUniversity of InnsbruckAustria
  2. 2.ITH-icoserve GmbHInnsbruckAustria

Personalised recommendations