An Authoring Framework for Security Policies: A Use-Case within the Healthcare Domain
Traditionally, the definition and the maintenance of security and access control policies has been the exclusive task of system administrators or security officers. In modern distributed and heterogeneous systems, there exist the need to allow different stakeholders to create and edit their security and access control preferences. In order to solve this problem two main challenges need to be met. First, authoring tools with different user interfaces should be designed and adapted to meet domain background and the degree of expertise of each stakeholder. For example, policy authoring tools for a patient or a doctor should be user friendly and not contain any technical details, while those for a security administrators can be more sophisticated, containing more details. Second, conflicts that can arise among security policies defined by different stakeholders must be considered by these authoring tools on runtime. Furthermore, warnings and assisting messages must be provided to help defining correct policies and to avoid potential security risks. Towards meeting these challenges, we propose an authoring framework for security policies. This framework enables building authoring tools that take into consideration the views of different stakeholders.
KeywordsSecurity policy EHR Policy authoring Usability Model-driven engineering
Unable to display preview. Download preview PDF.
- 1.IBM Austria, Feasibility study for implementing the electronic health record (ELGA) in the Austrian health system, IBM (November 2006)Google Scholar
- 4.Blobel, B.: Authorisation and access control for electronic health record systems. International Journal of Medical Informatics 73(3) (2004)Google Scholar
- 7.Katt, B., Trojer, T., Breu, R., Schabetsberger, T., Wozak, F.: Meeting EHR Security Requirements: SeaaS approach. In: EFMI STC 2010, Reykjavik, Iceland (June 2010)Google Scholar
- 8.Katt, B., Trojer, T., Breu, R., Schabetsberger, T., Wozak, F.: Meeting EHR Security Requirements: Athentication as a Security Service. In: Perspegktive Workshop, GMDS 2010, Mannheim, Germany (September 2010)Google Scholar
- 11.Røstad, L.: An initial model and a discussion of access control in patient controlled health records. In: ARES 2008. IEEE Computer Society, Washington, DC, USA (2008)Google Scholar
- 12.Sandhu, R., Coyne, E., Feinstein, H., Youman, C.: Role-based access control models. Computer 29 (1996)Google Scholar
- 13.Trojer, T., Fung, B., Hung, P.: Service-oriented architecture for privacy-preserving data mashup. In: IEEE International Conference on Web Services (2009)Google Scholar