Aspect-oriented design and implementation of adaptable access control for Electronic Medical Records
Introduction
There is little doubt that healthcare information systems (HIS) will move towards a fully integrated Electronic Medical Record (EMR). However, as we move closer to a paperless environment and Internet-based applications, we must realize that the risks to privacy and security incurred by using electronic systems also increase. This is a very complicated issue. Besides its social aspects, it calls for much technological advancement to achieve a proper balance between the needs of the individual and the needs of society [1]. Fortunately, as technology advances, the privacy and security of EMR can be enhanced if managed properly. In terms of information system development, an effective and flexible access control mechanism is clearly an essential part of a secure and privacy-enhanced EMR system [2].
While there are many works focused on modeling access control requirements for EMR [3], [4], [5], [6], [7], there are very few results concerning the development of an implementation scheme for enforcing access control in HIS with EMR. There are at least two major difficulties. First, like other security requirements, access control is a system-wide concern that permeates all the major modules of a system. Although there is a generic need to enforce access control for protected resources, the specific constraint for granting access to each individual resource may not be the same. Hence the code implementing access control is very often scattered over the whole system and tangled with other functional code. This makes the coding task error-prone, and makes it difficult to verify the code's correctness and to perform the needed maintenance.
Second, access control rules in the healthcare domain are inherently fine-grained and dynamic. It is common for information system developers to partition users into different categories, e.g., by roles in an organization, and define access privileges in terms of the application functions that a particular category of users is authorized to perform, e.g., an administrative clerk is limited to administrative functions and excluded from transaction functions. For EMR, however, we often need to go beyond the function level and impose an additional level of access control in terms of the data contents being accessed. In other words, users may be allowed to perform a specific function, but some data elements must be excluded from viewing or modification. For example, while any physician can view some parts of a patient's medical record, only the patient's caring doctor can see the whole record and modify it. On the other hand, the constraint will have to be bypassed in an emergency. In addition, changes in legislation, or changes in the interpretation of legislation, may lead to major revision of the access control rules. All these lead to the conclusion that access control rules in the healthcare domain are complex and subject to frequent changes.
Policy-driven access control [8], where policies express rules or constraints, is a well-accepted approach aiming to address the issues described above. Essentially, such an approach advocates a separate and loosely coupled security architecture in which the access control decision function and the enforcement function are decoupled from the core of the underlying application and are maintained largely independently of the core. This approach is also called adaptable access control [9], since it makes the access control logic much easier to manage and adjust.
In the past, the typical implementation scheme for providing adaptable access control has been to employ a rule-driven, centralized authorization engine, often referred to as a reference monitor [10] or policy interpreter [8]. At runtime, all user requests for protected resources are transferred to the authorization engine, which determines whether each request should be granted by interpreting the relevant access control rules. If we change the access control rules interpreted by the engine, the access control behavior of the underlying system is adjusted accordingly, making the access control of the application very easy to adapt. However, such approaches usually incur a certain amount of runtime overhead due to rule interpretation, and may not give the degree of granularity we need.
Therefore, techniques and tools for implementing adaptable access control are also worth further investigation. Here we present a new implementation scheme for providing adaptable access control for Web-based EMR systems. Instead of using a policy interpreter, our scheme takes a policy-compiler-like approach. We show that aspect-oriented programming (AOP) [11] is a key enabler for developing our scheme, and that the access control mechanisms we provide not only retain much of the flexibility of the policy interpreter approach but also improve on it in several ways. Moreover, we demonstrate our implementation scheme by developing a prototype in AspectJ [12] and Java that can support flexible access control for the Taiwan Electronic Medical Record Template (TMT) [13], a local standard for EMR developed by the Taiwan Association for Medical Informatics.
The remainder of the paper is organized as follows. Section 2 introduces AOP and AspectJ briefly. Section 3 outlines our approach to adaptable access control and overviews our system architecture. Sections 4 and 5 explain our design of access control rules and aspect code templates, followed by a description of the main components we devised for synthesizing the access control aspects in Section 6. Section 7 presents some discussions on our approach. Section 8 describes related work. Finally, Section 9 concludes and outlines our future work.
Section snippets
Background: AOP and AspectJ
For the sake of completeness, in this section we highlight the basics of AOP and review the relevant features of AspectJ. Readers familiar with this topic can proceed to the next section.
As described above, access control is a security concern that crosscuts all the modules in a system and is therefore difficult to modularize using current programming methods. Indeed, as well-argued in [14], security requirements such as access control are best addressed in four different facets: what, how,
Overview of our approach
This section gives an overview of our approach to adaptable access control for Web-based EMR systems. Fig. 1 illustrates the system architecture and the major mechanisms of our approach. We provide a high-level form of access control rules in XML format for security administrators to prescribe the rules of access control. The structure of the rules is based on that of the EMR, and can thus support very fine-grained access control requirements. Given the rules for an EMR application, our tools
Structure of the access control rules for EMR
Access control, also known as authorization, is the process by which users, after being identified, are granted certain privileges to information, system functions, or resources. The step of identifying a user is called authentication. A username and password check is the most basic form of authentication, while digital certificates and biometrics are more advanced forms of authentication.
For access control purpose, we model the interaction between a user and a Web-based EMR application as a sequence of
Using aspects to enforce access control
Having described the structure and format of the access control rules, in this section and the next we present our design and implementation of an adaptable mechanism for checking and enforcing such rules using aspect-oriented technology. First, we illustrate the access control aspects we developed by hand to realize rules of this format in a modular and easy-to-adapt manner. The generic part of such aspects captures the common code patterns one would develop manually to enforce an access
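As an added illustration (not the paper's code, nor part of the prototype it describes), the following annotation-style AspectJ aspect enforces by hand a rule of the kind discussed here for the TMT discharge note: a function-level check (only physicians and nurses may view the note), a data-level check (only the caring doctor sees the restricted data elements), and an audited emergency bypass. The classes DischargeNoteService, DischargeNote, UserContext and Audit, the role strings and the sample record are assumptions made for this example; the paper's own aspects use code-style AspectJ.

```java
// Added example (not the paper's code): an annotation-style AspectJ aspect that enforces,
// by hand, one access control rule for the TMT discharge note. DischargeNote,
// DischargeNoteService, UserContext, Audit and the role strings are assumptions made
// for this illustration. Compile with ajc (or weave at load time) with aspectjrt on the classpath.
package emr.access;

import java.util.Set;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;

/** Authenticated user, as established by the login module (assumed shape). */
final class UserContext {
    final String userId;
    final String role;        // "physician", "nurse" or "clerk" in this example
    final boolean emergency;  // true only after an explicit, audited break-glass action
    UserContext(String userId, String role, boolean emergency) {
        this.userId = userId; this.role = role; this.emergency = emergency;
    }
}

/** A discharge note; diagnosis and medication are the data elements reserved for the caring doctor. */
final class DischargeNote {
    final String patientId, caringDoctorId, summary, diagnosis, medication;
    DischargeNote(String patientId, String caringDoctorId, String summary, String diagnosis, String medication) {
        this.patientId = patientId; this.caringDoctorId = caringDoctorId;
        this.summary = summary; this.diagnosis = diagnosis; this.medication = medication;
    }
    /** Copy of the note with the restricted data elements blanked out. */
    DischargeNote masked() {
        return new DischargeNote(patientId, caringDoctorId, summary, "[restricted]", "[restricted]");
    }
}

/** Core application function; it contains no access control code at all. */
class DischargeNoteService {
    // Constructed sample record standing in for the EMR repository.
    private static final DischargeNote SAMPLE =
        new DischargeNote("P-001", "DR-17", "Admitted for observation", "Pneumonia", "Amoxicillin");
    DischargeNote view(String patientId, UserContext user) {
        return SAMPLE.patientId.equals(patientId) ? SAMPLE : null;
    }
}

class AccessDeniedException extends RuntimeException {
    AccessDeniedException(String msg) { super(msg); }
}

/** Stand-in audit trail; a real system would write to a tamper-evident log. */
final class Audit {
    static void record(String event) { System.err.println("AUDIT " + event); }
}

/** Rule: only physicians and nurses may view a discharge note; only the caring doctor sees the whole note. */
@Aspect
public class DischargeNoteAccessAspect {
    private static final Set<String> MAY_VIEW = Set.of("physician", "nurse");

    @Around("execution(* emr.access.DischargeNoteService.view(..)) && args(patientId, user)")
    public Object checkView(ProceedingJoinPoint pjp, String patientId, UserContext user) throws Throwable {
        // Emergency bypass: the constraint is lifted, but every use is recorded for later review.
        if (user.emergency) {
            Audit.record("break-glass view of " + patientId + " by " + user.userId);
            return pjp.proceed();
        }
        // Function-level check, decided before the core function runs.
        if (!MAY_VIEW.contains(user.role)) {
            Audit.record("denied view of " + patientId + " to " + user.userId + " (" + user.role + ")");
            throw new AccessDeniedException("role " + user.role + " may not view discharge notes");
        }
        // Data-level check, applied to the object the core function returns.
        DischargeNote note = (DischargeNote) pjp.proceed();
        if (note == null || note.caringDoctorId.equals(user.userId)) {
            return note;
        }
        return note.masked();
    }

    public static void main(String[] args) {
        DischargeNoteService svc = new DischargeNoteService();
        System.out.println(svc.view("P-001", new UserContext("DR-17", "physician", false)).diagnosis);
        System.out.println(svc.view("P-001", new UserContext("DR-22", "physician", false)).diagnosis);
        try {
            svc.view("P-001", new UserContext("CLK-3", "clerk", false));
        } catch (AccessDeniedException e) {
            System.out.println("clerk denied: " + e.getMessage());
        }
    }
}
```

The service method stays free of authorization code: the function-level decision is made before `proceed()`, the data-level filtering is applied to the returned object, and the emergency path is the only one that bypasses both while leaving an audit record. Changing the rule therefore means changing (or regenerating) the aspect alone.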
Synthesizing access control aspects
Our aspect synthesis process employs four key components, namely the access control rules in XML format, the application specification in XML format, the aspect templates, and the rule translator. This section presents the details of these four components in sequence.
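To make the four components concrete, here is an added example (not the paper's rule translator) of a minimal translator in Java: it parses an access control rule and an application specification, both in an XML format assumed for this illustration, fills an aspect template, and returns the generated annotation-style AspectJ source. The element and attribute names, the template placeholders, and the UserContext and AccessDeniedException types the generated aspect refers to are all assumptions.

```java
// Added example (not the paper's translator): turns an XML access control rule plus an XML
// application specification into AspectJ (annotation-style) aspect source by filling an
// aspect template. Element names, placeholders and the generated class layout are assumptions.
package emr.tools;

import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class RuleTranslator {

    // Constructed sample inputs (not taken from the paper).
    static final String RULES_XML = """
        <accessControlRules>
          <rule id="ViewDischargeNote">
            <function>viewDischargeNote</function>
            <allow role="physician"/>
            <allow role="nurse"/>
          </rule>
        </accessControlRules>
        """;

    static final String APP_SPEC_XML = """
        <application package="emr.web">
          <function name="viewDischargeNote" class="DischargeNoteService" method="view"/>
        </application>
        """;

    // Aspect template; %PACKAGE%, %RULE_ID%, %CLASS%, %METHOD% and %ROLES% are filled per rule.
    static final String TEMPLATE = """
        package %PACKAGE%.access;

        import java.util.Set;
        import org.aspectj.lang.ProceedingJoinPoint;
        import org.aspectj.lang.annotation.Around;
        import org.aspectj.lang.annotation.Aspect;

        @Aspect
        public class %RULE_ID%Aspect {
            private static final Set<String> ALLOWED_ROLES = Set.of(%ROLES%);

            @Around("execution(* %PACKAGE%.%CLASS%.%METHOD%(..)) && args(.., user)")
            public Object enforce(ProceedingJoinPoint pjp, %PACKAGE%.UserContext user) throws Throwable {
                if (!ALLOWED_ROLES.contains(user.role)) {
                    throw new %PACKAGE%.AccessDeniedException("%RULE_ID%: role " + user.role + " may not call %METHOD%");
                }
                return pjp.proceed();
            }
        }
        """;

    // Only plain identifiers may reach the generated source, so a malformed or edited
    // rules file cannot smuggle arbitrary Java into the aspect.
    private static final Pattern IDENT = Pattern.compile("[A-Za-z_][A-Za-z0-9_]*");
    private static final Pattern QUALIFIED = Pattern.compile("[A-Za-z_][A-Za-z0-9_]*(\\.[A-Za-z_][A-Za-z0-9_]*)*");

    static String checked(String value, Pattern p, String what) {
        if (value == null || !p.matcher(value).matches()) {
            throw new IllegalArgumentException("invalid " + what + ": " + value);
        }
        return value;
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // DTD processing is disabled so an edited rules file cannot pull in external entities (XXE).
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    static Element findFunction(Element app, String name) {
        NodeList fns = app.getElementsByTagName("function");
        for (int i = 0; i < fns.getLength(); i++) {
            Element fn = (Element) fns.item(i);
            if (name.equals(fn.getAttribute("name"))) return fn;
        }
        throw new IllegalArgumentException("function not declared in application spec: " + name);
    }

    /** Returns one generated aspect source per <rule> element. */
    public static List<String> translate(String rulesXml, String appSpecXml) throws Exception {
        Element app = parse(appSpecXml).getDocumentElement();
        String pkg = checked(app.getAttribute("package"), QUALIFIED, "package");
        List<String> out = new ArrayList<>();
        NodeList rules = parse(rulesXml).getElementsByTagName("rule");
        for (int i = 0; i < rules.getLength(); i++) {
            Element rule = (Element) rules.item(i);
            String fn = rule.getElementsByTagName("function").item(0).getTextContent().trim();
            Element fnSpec = findFunction(app, fn);
            NodeList allows = rule.getElementsByTagName("allow");
            List<String> roles = new ArrayList<>();
            for (int j = 0; j < allows.getLength(); j++) {
                roles.add("\"" + checked(((Element) allows.item(j)).getAttribute("role"), IDENT, "role") + "\"");
            }
            out.add(TEMPLATE
                .replace("%PACKAGE%", pkg)
                .replace("%RULE_ID%", checked(rule.getAttribute("id"), IDENT, "rule id"))
                .replace("%CLASS%", checked(fnSpec.getAttribute("class"), IDENT, "class"))
                .replace("%METHOD%", checked(fnSpec.getAttribute("method"), IDENT, "method"))
                .replace("%ROLES%", String.join(", ", roles)));
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        for (String src : translate(RULES_XML, APP_SPEC_XML)) System.out.println(src);
    }
}
```

Because the generated aspect is compiled like any other source file, every value copied from the XML into it is checked against an identifier pattern first; a hand-edited or corrupted rules file then fails translation rather than yielding an aspect that does not compile or that enforces something other than what the administrator wrote. The text blocks require Java 15 or later.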
Discussion
To evaluate our approach, we have worked with colleagues from the Taiwan Association for Medical Informatics to build a Web-based prototype implementation based on TMT. In the process, we consulted them about the design and specification of the access control rules. Fig. 5 shows a screenshot of our prototype for the TMT discharge note form. Here a user with the clerk role is viewing the discharge note of a patient. Since the access control rule requires that only physicians and nurses can view
Related work
Role-based access control (RBAC) [20] is the most often cited guiding principle for application-level security. Since its introduction, there have been many extended proposals for modeling fine-grained access control, among them role templates [30], domain-type enforcement [21], content-based [24], team-based [31], and instance-level constraints [32], to name a few. Basically, they all attempt to base access control constraints on some refined relationship among the user, the function requested, and the data to be
Conclusions and future work
Maintaining proper access control to EMR is essential to protecting patients’ privacy. However, the fine-grained and dynamic nature of access control rules for EMR has imposed great challenges on the healthcare information system developers. In this paper, we have presented an aspect-oriented approach to providing adaptable access control for Web-based EMR systems. Our approach covers the major tasks of enforcing access control all the way from requirement specification medium down to the
Conflict of interest statement
None declared.
Acknowledgements
Contributions. Kung Chen has contributed to the original ideas behind the paper, design of the mechanisms and tools in the proposed solution, and manuscript writing. Yuan-Chun Chang has contributed to the programming parts of the solution, including the translator and the prototype. Da-Wei Wang has contributed to the design of the mechanisms in the proposed solution.
The authors would like to thank the anonymous reviewers for valuable suggestions on how to improve the previous versions of this
References (39)
- et al., Modelling privilege management and access control, Int. J. Med. Inform. (2006)
- Authorisation and access control for electronic health record systems, Int. J. Med. Inform. (2004)
- Advanced tool kits for EPR security, Int. J. Med. Inform. (2000)
- et al., Building a portable data and information interoperability infrastructure-framework for a standard Taiwan Electronic Medical Record Template, Comput. Methods Prog. Biomed. (2007)
- Department of Health and Human Services (HHS), U.S.A., Standards for Privacy of Individually Identifiable Health...
- Centers for Medicare and Medicaid Services, Department of Health and Human Services (HHS), U.S.A., General Information...
- et al., Modelling access control for a complex healthcare organization
- et al., A case study in access control requirements for a health information system
- A. Lin, Integrating Policy-Driven Role Based Access Control with the Common Data Security Architecture. HP...
- T. Verhanneman, L. Jaco, B. De Win, F. Piessens, W. Joosen, Adaptable access control policies for medical information...
- Engineering application-level access control in distributed systems
- Getting started with AspectJ, Commun. ACM
- On the importance of the separation-of-concerns principle in secure software engineering
- Design Patterns
- The paradoxical success of aspect-oriented programming
- A classification system and analysis for aspect-oriented programs, ACM SIGSOFT Softw. Eng. Notes
Cited by (23)
- Systematic mapping study of template-based code generation, Computer Languages, Systems and Structures (2018). Citation excerpt: "Table 5 shows the distribution of the output languages that appeared in more than five papers, representing 74% of the corpus. This includes papers like [45] where Java code is generated an adaptable access control tool for electronic medical records. Java and C are the most targeted programming languages."
- An authentication and authorization mechanism for long-term electronic health records management, Procedia Computer Science (2017)
- Distributed clinical data sharing via dynamic access-control policy transformation, International Journal of Medical Informatics (2016). Citation excerpt: "A local access-control (LAC) system enables the transformation and administration of access policies by using XML, RBAC, and selective encryption. In addition, Chen et al. [20] developed a fine-grained and adaptable access control for healthcare systems through a structured access-control rules in XML. In a further study, Duftschmid et al. [21] undertook an EHR-ARCHE project in order to address the needs to patient's shared EHR during a treatment process through EHR ISO/EN 13606 archetypes into an IHE XDS environment."
- An enhancement of the Role-Based Access Control model to facilitate information access management in context of team collaboration and workflow, Journal of Biomedical Informatics (2012). Citation excerpt: "Detailed descriptions of the study design, measurement, and analysis can be found in a separate report [67]. Access control has been applied to several applications in healthcare settings [2,4,44–52]. Since confidentiality of clinical information is an essential requirement, most of the previous work focused on applications for patient care."
- What is the solution for clinical nurse educators and the electronic medical record?, Teaching and Learning in Nursing (2012). Citation excerpt: "Although the use of EMRs offers many possibilities to improve the quality, delivery, and continuity of clinical care, the potential for sharing information among multiple providers raises concerns about patient privacy (Phillips & Fleming, 2009; West et al., 2009). Chen, Chang, and Wang (2010) suggested that maintaining proper access control is the better method for protecting a patient's privacy. All organizations should enforce strict guidelines and security measures for all who access patients' electronic records."
- Aspect-Oriented Adaptation of Access Control Rules, Proceedings - 2021 47th Euromicro Conference on Software Engineering and Advanced Applications, SEAA 2021