Abstract
In healthcare information management, privacy and confidentiality are two major concerns, usually addressed by means of access control. Traditional access control mechanisms prevent illegal access by checking access rights before an action is executed. They have limitations, such as inflexibility in unanticipated circumstances (e.g., an emergency). Recently, a posteriori access control has been proposed to complement a priori protection and provide a more effective and flexible solution. It controls access by deterring users from unauthorized access. To be deployed, a posteriori access control needs evidence to prove the users’ violations. In this paper, we show how log records defined by the Integrating the Healthcare Enterprise (IHE) Audit Trail and Node Authentication (ATNA) profile can be used to deploy an a posteriori access control system. To develop an efficient method for finding violations, we propose a framework that customizes ATNA log records according to a contextual security policy such as Organization-Based Access Control. We also present the experiments we conducted.
Acknowledgments
The work presented in this paper is supported by a grant from the Brittany Region, France, and by funding from the ANR SELKIS project.
Cite this article
Azkia, H., Cuppens-Boulahia, N., Cuppens, F. et al. Deployment of a posteriori access control using IHE ATNA. Int. J. Inf. Secur. 14, 471–483 (2015). https://doi.org/10.1007/s10207-014-0265-6
DOI: https://doi.org/10.1007/s10207-014-0265-6