A Novel Use of RBAC to Protect Privacy in Distributed Health Care Information Systems

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 2727)

Abstract

This paper examines the access control requirements of distributed health care information networks. Since the electronic sharing of an individual’s personal health information requires their informed consent, health care information networks need an access control framework that can capture and enforce individual access policies tailored to the specific circumstances of each consumer. Role Based Access Control (RBAC) is examined as a candidate access control framework. While it is well suited to the task in many regards, we identify a number of shortcomings, particularly in the range of access policy expression types that it can support. For efficiency and comprehensibility, access policies that grant access to a broad range of entities whilst explicitly denying it to subgroups of those entities need to be supported in health information networks. We argue that RBAC does not support policies of this type with sufficient flexibility and propose a novel adaptation of RBAC principles to address this shortcoming. We also describe a prototype distributed medical information system that embodies the improved RBAC model.

This research was funded and supported by the Commonwealth of Australia — Department of Health and Ageing.

Copyright information

© 2003 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Reid, J., Cheong, I., Henricksen, M., Smit, J. (2003). A Novel Use of RBAC to Protect Privacy in Distributed Health Care Information Systems. In: Safavi-Naini, R., Seberry, J. (eds) Information Security and Privacy. ACISP 2003. Lecture Notes in Computer Science, vol 2727. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45067-X_35

  • DOI: https://doi.org/10.1007/3-540-45067-X_35

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-40515-3

  • Online ISBN: 978-3-540-45067-2

  • eBook Packages: Springer Book Archive
