Aspect-oriented design and implementation of adaptable access control for Electronic Medical Records

https://doi.org/10.1016/j.ijmedinf.2009.12.007

Abstract

Objectives

Maintaining proper access control to Electronic Medical Records (EMR) is essential to protecting patients’ privacy. We aim to develop mechanisms and tools that can support fine-grained and adaptable access control for EMR.

Method

This paper presents an aspect-oriented design and implementation scheme for providing adaptable access control for Web-based EMR systems. In our scheme, access control logic is decoupled from the core of the EMR application and collected into separate aspect modules, which are automatically synthesized from access control rules in XML format and properly designed aspect templates. The generated aspect modules are then compiled and integrated into the underlying EMR application using standard aspect tools. At runtime, these binary aspect modules are executed to enforce the required access control. Future changes to the access control rules can also be realized through the same mechanisms without additional coding.

Results

The results are a structured form of access control rules based on the Taiwan Electronic Medical Record Template, a suite of abstract aspects and templates for enforcing access control, and a translator that synthesizes the complete access control code in AspectJ from such rules and templates. We have also built a Web-based EMR prototype implementation to demonstrate our approach.

Conclusion

Our approach can not only accommodate a wide range of fine-grained access control requirements but also enforce them in a modular and easy-to-adapt manner, without incurring the extra performance overhead of rule interpretation. The use of aspect-oriented technology to provide adaptable access control for EMR is a promising approach. We have further enhanced our scheme with a mechanism for dynamic adjustment of access control rules. Tools for authoring and analyzing the access control rules are the main part of our future work.

Introduction

There is little doubt that healthcare information systems (HIS) will move towards a fully integrated Electronic Medical Record (EMR). However, as we move closer to a paperless environment and Internet-based applications, we must realize that the risks to privacy and security incurred by using electronic systems also increase. This is a very complicated issue. Besides its social aspects, it calls for considerable technological advancement to achieve a proper balance between the needs of the individual and the needs of society [1]. Fortunately, with the advance of technology, the privacy and security of EMR can be enhanced if managed properly. In terms of information system development, an effective and flexible access control mechanism is clearly an essential part of a secure and privacy-enhanced EMR system [2].

While many works have focused on modeling access control requirements for EMR [3], [4], [5], [6], [7], there are very few results concerning an implementation scheme for enforcing access control in HIS with EMR. There are at least two major difficulties. First, like other security requirements, access control is a system-wide concern that permeates all the major modules of a system. Although there is a generic need to enforce access control for protected resources, the specific constraint for granting access to each individual resource may differ. Hence the code implementing access control is very often scattered over the whole system and tangled with other functional code. This makes the coding task error-prone, and makes it difficult to verify its correctness and to perform the needed maintenance.

Second, access control rules in the healthcare domain are inherently fine-grained and dynamic. It is common for information system developers to partition users into categories, e.g., by roles in an organization, and to define access privileges in terms of the application functions that a particular category of users is authorized to perform; e.g., an administrative clerk is limited to administrative functions and excluded from transaction functions. For EMR, however, we often need to go beyond the function level and impose an additional level of access control in terms of the data contents being accessed. In other words, users may be allowed to perform a specific function, but some data elements must be excluded from viewing or modifying. For example, while any physician can view some parts of a patient's medical record, only the patient's caring doctor can see the whole record and modify it. On the other hand, such a constraint must be bypassable in an emergency. In addition, changes in legislation, or in the interpretation of legislation, may lead to major revisions of the access control rules. All this leads to the conclusion that access control rules in the healthcare domain are complex and subject to frequent change.

Policy-driven access control [8], where policies express rules or constraints, is a well-accepted approach aiming to address the issues described above. Essentially, such an approach advocates a separate and loosely coupled security architecture in which access control decision function and enforcing function are decoupled from the core of the underlying application and are maintained largely independent of the core. This approach is also called adaptable access control [9] since it makes the access control logic much easier to manage and adjust.

In the past, the typical implementation scheme for providing adaptable access control has been to employ a rule-driven, centralized authorization engine, often referred to as a reference monitor [10] or policy interpreter [8]. At runtime, every user request to a protected resource is passed to the authorization engine, which determines whether the request should be granted by interpreting the relevant access control rules. If we change the rules interpreted by the engine, the access control behavior of the underlying system is adjusted accordingly, which makes the access control of the application very easy to adapt. However, such approaches usually incur a certain amount of runtime overhead due to rule interpretation, and may not give the degree of granularity we need.

Therefore, techniques and tools for implementing adaptable access control are worth further investigation. Here we present a new implementation scheme for providing adaptable access control for Web-based EMR systems. Instead of a policy interpreter, our scheme takes a policy-compiler-like approach. We show that aspect-oriented programming (AOP) [11] is a key enabler for our scheme, and that the access control mechanisms we provide not only retain much of the flexibility of the policy interpreter approach but also improve on it in several ways. Moreover, we demonstrate our implementation scheme by developing a prototype in AspectJ [12] and Java that supports flexible access control for the Taiwan Electronic Medical Record Template (TMT) [13], a local standard for EMR developed by the Taiwan Association for Medical Informatics.

The remainder of the paper is organized as follows. Section 2 briefly introduces AOP and AspectJ. Section 3 outlines our approach to adaptable access control and gives an overview of our system architecture. Sections 4 and 5 explain our design of the access control rules and the aspect code templates, followed by a description of the main components we devised for synthesizing the access control aspects in Section 6. Section 7 presents some discussion of our approach. Section 8 describes related work. Finally, Section 9 concludes and outlines our future work.


Background: AOP and AspectJ

For the sake of completeness, in this section we highlight the basics of AOP and review the relevant features of AspectJ. Readers familiar with this topic can proceed to the next section.

As described above, access control is a security concern that crosscuts all the modules of a system and is therefore difficult to modularize using conventional programming methods. Indeed, as well argued in [14], security requirements such as access control are best addressed in four different facets: what, how,

Overview of our approach

This section gives an overview of our approach to adaptable access control for Web-based EMR systems. Fig. 1 illustrates the system architecture and the major mechanisms of our approach. We provide a high-level form of access control rules in XML format for security administrators to prescribe the rules of access control. The structure of the rules is based on that of the EMR, and can thus support very fine-grained access control requirements. Given the rules for an EMR application, our tools

Structure of the access control rules for EMR

Access control, also known as authorization, is the process by which users, after being identified, are granted certain privileges to information, system functions, or resources. The step of identifying a user is called authentication. A username and password check is the most basic form of authentication, while digital certificates and biometrics are stronger forms.

For access control purposes, we model the interaction between a user and a Web-based EMR application as a sequence of

Using aspects to enforce access control

Having described the structure and format of the access control rules, in this section and the next we present our design and implementation of an adaptable mechanism for checking and enforcing such rules using aspect-oriented technology. First, we illustrate the access control aspects we developed by hand to realize rules of this format in a modular and easy-to-adapt manner. The generic part of such aspects captures the common code patterns one would develop manually to enforce an access

Synthesizing access control aspects

Our aspect synthesis process employs four key components, namely the access control rules in XML format, the application specification in XML format, the aspect templates, and the rule translator. This section presents the details of these four components in sequence.

Discussion

To evaluate our approach, we have worked with colleagues from the Taiwan Association for Medical Informatics to build a Web-based prototype implementation based on TMT. In the process, we have consulted them about the design and specification of the access control rules. Fig. 5 shows a screenshot of our prototype for the discharge note form of TMT. Here a user with the clerk role is viewing the discharge note of a patient. Since the access control rule requires that only physicians and nurses can view
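The following is an added example, not the authors' AspectJ code and not the TMT rule format; it uses Python to model the scheme described in Sections 3 through 7 and the scenario of this section. An XML rule set structured by EMR form and function is compiled once into decision closures (the policy-compiler step), and a decorator weaves each closure around an application function in place of AspectJ around advice, so no rule interpretation happens per request. The rule schema, the role names, the `caring_doctor` relationship, the record fields and the `emergency` break-glass flag are all assumptions made for illustration. It runs the clerk-versus-physician case of the discharge note, the caring-doctor and emergency cases of the Introduction, and the dynamic rule adjustment mentioned in the Conclusion (swap the rules, leave the application code alone).

```python
import xml.etree.ElementTree as ET
from collections import namedtuple

# Constructed rule set in an assumed schema (not the paper's TMT-based format): grouped by EMR form,
# then by function; <allow> is the function-level check, <deny> withholds single data fields.
RULES_XML = """
<rules>
  <form name="discharge_note">
    <function name="view">
      <allow roles="physician nurse"/>
      <deny roles="physician nurse" fields="psychiatric_note" unless="caring_doctor"/>
    </function>
    <function name="modify">
      <allow roles="physician" require="caring_doctor"/>
    </function>
  </form>
</rules>
"""

Subject = namedtuple("Subject", "user roles emergency", defaults=(False,))  # emergency = break-glass flag
Record = namedtuple("Record", "patient caring_doctor fields")               # fields: dict of EMR data
class AccessDenied(PermissionError): pass
AUDIT = []  # denial and break-glass events; a real deployment writes these to an append-only log

def _relation(name, subject, record):
    if name == "caring_doctor":  # the only user/record relationship this example knows
        return subject.user == record.caring_doctor
    raise ValueError("unknown relationship: " + name)  # fail closed on an unrecognised rule

def _compile_function(fn):
    # Translate one <function> element into a decision closure; the XML is never consulted again.
    allows = [(frozenset(a.get("roles").split()), a.get("require")) for a in fn.findall("allow")]
    denies = [(frozenset(d.get("roles").split()), frozenset(d.get("fields").split()), d.get("unless"))
              for d in fn.findall("deny")]
    def decide(subject, record):
        # Function level: some <allow> must match a role and satisfy its relationship requirement.
        if not any(subject.roles & roles and (req is None or _relation(req, subject, record))
                   for roles, req in allows):
            return None
        # Data level: fields withheld from this subject unless the "unless" relationship holds.
        hidden = set()
        for roles, fields, unless in denies:
            if subject.roles & roles and not (unless and _relation(unless, subject, record)):
                hidden |= fields
        return hidden
    return decide

class Policy:  # compiled rule table; reload() swaps in new rules without touching application code
    def __init__(self, xml_text):
        self.reload(xml_text)
    def reload(self, xml_text):
        self.table = {(f.get("name"), fn.get("name")): _compile_function(fn)
                      for f in ET.fromstring(xml_text).iter("form") for fn in f.iter("function")}

def enforce(policy, form, function):
    # Weave the compiled decision around an application function (the analog of AspectJ around advice).
    def decorator(app_fn):
        def advice(subject, record, *args, **kwargs):
            hidden = policy.table[(form, function)](subject, record)
            if hidden is None and subject.emergency:  # break-glass: bypass the rule, but record it
                AUDIT.append(("break-glass", subject.user, form, function, record.patient))
                hidden = set()
            elif hidden is None:
                AUDIT.append(("deny", subject.user, form, function, record.patient))
                raise AccessDenied(f"{subject.user} may not {function} {form} of {record.patient}")
            return app_fn(subject, record, *args, hidden=hidden, **kwargs)
        return advice
    return decorator

POLICY = Policy(RULES_XML)

@enforce(POLICY, "discharge_note", "view")
def view_discharge_note(subject, record, hidden=frozenset()):  # no access-control code in here
    return {k: v for k, v in record.fields.items() if k not in hidden}

@enforce(POLICY, "discharge_note", "modify")
def modify_discharge_note(subject, record, updates, hidden=frozenset()):
    record.fields.update(updates)
    return dict(record.fields)

def demo():
    # Clerk, non-caring physician, caring doctor and an emergency bypass against one constructed record.
    record = Record("P001", "dr_lee", {"diagnosis": "pneumonia", "psychiatric_note": "none"})
    clerk, er_clerk = Subject("c01", frozenset({"clerk"})), Subject("c02", frozenset({"clerk"}), True)
    dr_wang, dr_lee = Subject("dr_wang", frozenset({"physician"})), Subject("dr_lee", frozenset({"physician"}))
    attempts = [
        ("clerk_view", view_discharge_note, clerk, ()),
        ("physician_view", view_discharge_note, dr_wang, ()),
        ("caring_doctor_view", view_discharge_note, dr_lee, ()),
        ("break_glass_view", view_discharge_note, er_clerk, ()),
        ("physician_modify", modify_discharge_note, dr_wang, ({"diagnosis": "x"},)),
        ("caring_doctor_modify", modify_discharge_note, dr_lee, ({"diagnosis": "pneumonia, resolved"},)),
    ]
    out = {}
    for label, fn, subject, args in attempts:
        try:
            out[label] = sorted(fn(subject, record, *args))  # names of the fields handed back
        except AccessDenied:
            out[label] = "denied"
    return out
```

Two points a practitioner should carry over from this toy. The break-glass path must only be reachable through an authenticated emergency workflow and must always leave an audit record, otherwise it is simply a second, undocumented allow rule. And because the rules are compiled rather than interpreted, a malformed rule (here, an unknown relationship name) should fail the request rather than silently grant it, which is why `_relation` raises; validating rule sets before they are loaded is exactly the authoring and analysis tooling the paper names as future work.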

Related work

Role-based access control (RBAC) [20] is the most often cited guiding principle for application-level security, and many extended proposals for modeling fine-grained access control have since been made: role templates [30], domain-type enforcement [21], content-based [24], team-based [31], and instance-level constraints [32], to name a few. Basically, they all attempt to base access control constraints on some refined relationship among the user, the function requested, and the data to be

Conclusions and future work

Maintaining proper access control to EMR is essential to protecting patients’ privacy. However, the fine-grained and dynamic nature of access control rules for EMR has imposed great challenges on the healthcare information system developers. In this paper, we have presented an aspect-oriented approach to providing adaptable access control for Web-based EMR systems. Our approach covers the major tasks of enforcing access control all the way from requirement specification medium down to the

Conflict of interest statement

None declared.

Acknowledgements

Contributions. Kung Chen has contributed to the original ideas behind the paper, design of the mechanisms and tools in the proposed solution, and manuscript writing. Yuan-Chun Chang has contributed to the programming parts of the solution, including the translator and the prototype. Da-Wei Wang has contributed to the design of the mechanisms in the proposed solution.

The authors would like to thank the anonymous reviewers for valuable suggestions on how to improve the previous versions of this

References

  • K. Beznosov et al., Engineering application-level access control in distributed systems.
  • G. Kiczales, J. Lamping, A. Mendhekar, C. Maeda, C. Lopes, J.M. Loingtier, J. Irwin, Aspect-oriented programming, in: ...
  • G. Kiczales et al., Getting started with AspectJ, Commun. ACM (2001).
  • B. De Win et al., On the importance of the separation-of-concerns principle in secure software engineering.
  • The AspectJ project. Available from: ...
  • E. Gamma et al., Design Patterns (1995).
  • The Apache Struts Web Application Framework. Available from: ...
  • F. Steimann, The paradoxical success of aspect-oriented programming.
  • M. Rinard et al., A classification system and analysis for aspect-oriented programs, ACM SIGSOFT Softw. Eng. Notes (2004).