Modeling and Enforcing Advanced Access Control Policies in Healthcare Systems with Sectet

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 5002)

Abstract

This contribution gives an overview of various access control strategies in use in healthcare scenarios and shows how a variety of policies can be modeled based on a single security policy model for usage control, UCON. The core of this contribution consists of the specialization of the Sectet-Framework for Model Driven Security for complex healthcare scenarios based on UCON. The resulting Domain Architecture comprises a Domain Specific Language for the modeling of policies with advanced security requirements, a target architecture for the enforcement of these policies and model-to-code transformations.



Editor information

Holger Giese

Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Hafner, M., Memon, M., Alam, M. (2008). Modeling and Enforcing Advanced Access Control Policies in Healthcare Systems with Sectet. In: Giese, H. (eds) Models in Software Engineering. MODELS 2007. Lecture Notes in Computer Science, vol 5002. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-69073-3_15

  • DOI: https://doi.org/10.1007/978-3-540-69073-3_15

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-69069-6

  • Online ISBN: 978-3-540-69073-3

  • eBook Packages: Computer Science, Computer Science (R0)
