A fundamental requirement for the healthcare industry is that the delivery of care comes first and nothing should interfere with it. As a consequence, the access control mechanisms used in healthcare to regulate and restrict the disclosure of data are often bypassed in case of emergencies. This phenomenon, called “break the glass”, is a common pattern in healthcare organizations and, though quite useful and mandatory in emergency situations, from a security perspective, it represents a serious system weakness. Malicious users, in fact, can abuse the system by exploiting the break the glass principle to gain unauthorized privileges and accesses. In this paper, we propose an access control solution aimed at better regulating break the glass exceptions that occur in healthcare systems. Our solution is based on the definition of different policy spaces, a language, and a composition algebra to regulate access to patient data and to balance the rigorous nature of traditional access control systems with the “delivery of care comes first” principle.
Access control for smarter healthcare using policy spaces / C.A. Ardagna, S. De Capitani di Vimercati, S. Foresti, T.W. Grandison, S. Jajodia, P. Samarati. - In: COMPUTERS & SECURITY. - ISSN 0167-4048. - 29:8(2010 Nov), pp. 848-858. [10.1016/j.cose.2010.07.001]
Access control for smarter healthcare using policy spaces
C.A. ArdagnaPrimo
;S. De Capitani di VimercatiSecondo
;S. Foresti;P. SamaratiUltimo
2010
Abstract
A fundamental requirement for the healthcare industry is that the delivery of care comes first and nothing should interfere with it. As a consequence, the access control mechanisms used in healthcare to regulate and restrict the disclosure of data are often bypassed in case of emergencies. This phenomenon, called “break the glass”, is a common pattern in healthcare organizations and, though quite useful and mandatory in emergency situations, from a security perspective, it represents a serious system weakness. Malicious users, in fact, can abuse the system by exploiting the break the glass principle to gain unauthorized privileges and accesses. In this paper, we propose an access control solution aimed at better regulating break the glass exceptions that occur in healthcare systems. Our solution is based on the definition of different policy spaces, a language, and a composition algebra to regulate access to patient data and to balance the rigorous nature of traditional access control systems with the “delivery of care comes first” principle.
| File | Dimensione | Formato | |
|---|---|---|---|
|
cose2010.pdf
accesso aperto
Tipologia:
Pre-print (manoscritto inviato all'editore)
Dimensione
329.28 kB
Formato
Adobe PDF
|
329.28 kB | Adobe PDF | Visualizza/Apri |
Pubblicazioni consigliate
I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
