Abstract
In this paper, we present an enhanced use of RBAC features for articulating a security policy for access control in medical database systems. The main advantage of this implementation is that it supports both MAC and DAC features at the same time, a combination that has been shown to be necessary in healthcare environments. The eMEDAC security policy that results from this implementation provides an enhanced redefinition of a number of mechanisms of the already known MEDAC security policy. The concept of hyper node hierarchies is proposed for deriving totally ordered security levels while preserving the role hierarchy levels required to satisfy particular administration needs. Finally, a demonstration example is given, based on the pilot implementation of the proposed security policy in a major Greek hospital. The advantages offered relate to the efficiency of access control, the flexibility and decentralisation of administration, and storage savings.
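The following is an added illustration, not code from the eMEDAC implementation, of how a role hierarchy can carry both mandatory and discretionary checks at once. The reading of "hyper node hierarchy" used here (roles that are incomparable in the role partial order are collapsed into one node per inheritance depth, so the resulting nodes are totally ordered and each depth serves as a security level) is an assumption made for illustration only; the role names, objects, classifications, users and ACL grants are constructed sample data.

```python
"""Added example: RBAC with a derived total order of levels (MAC) plus owner grants (DAC).

Not the paper's implementation. The hyper-node construction (group roles by
inheritance depth) is an assumption; all names and data below are constructed.
"""
from dataclasses import dataclass, field

# Constructed role hierarchy: role -> roles it directly inherits from (its juniors).
ROLE_HIERARCHY = {
    "employee": [],
    "nurse": ["employee"],
    "lab_technician": ["employee"],
    "physician": ["nurse"],
    "head_physician": ["physician", "lab_technician"],
}

# Constructed RBAC permission assignment: role -> {(object kind, operation)}.
ROLE_PERMISSIONS = {
    "employee": {("directory", "read")},
    "nurse": {("vitals", "read"), ("vitals", "write")},
    "lab_technician": {("lab_results", "read"), ("lab_results", "write")},
    "physician": {("diagnosis", "read"), ("diagnosis", "write"), ("lab_results", "read")},
    "head_physician": {("audit_log", "read")},
}


@dataclass
class User:
    name: str
    roles: set


@dataclass
class Obj:
    name: str
    kind: str
    level: int                      # MAC classification (constructed)
    owner: str                      # DAC owner
    acl: dict = field(default_factory=dict)   # user -> {ops} granted by the owner


def role_depth(role, hierarchy=ROLE_HIERARCHY, memo=None):
    """Longest inheritance chain below `role`; this depth is used as its security level."""
    if memo is None:
        memo = {}
    if role not in memo:
        juniors = hierarchy[role]
        memo[role] = 0 if not juniors else 1 + max(role_depth(j, hierarchy, memo) for j in juniors)
    return memo[role]


def hyper_nodes(hierarchy=ROLE_HIERARCHY):
    """Collapse roles of equal depth into one hyper node; the list is totally ordered by level."""
    groups = {}
    for role in hierarchy:
        groups.setdefault(role_depth(role, hierarchy), set()).add(role)
    return [groups[d] for d in sorted(groups)]


def effective_roles(role, hierarchy=ROLE_HIERARCHY):
    """The role itself plus every role it transitively inherits from."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(hierarchy[r])
    return seen


def user_permissions(user):
    perms = set()
    for r in user.roles:
        for eff in effective_roles(r):
            perms |= ROLE_PERMISSIONS.get(eff, set())
    return perms


def clearance(user):
    """A user's clearance is the highest level among the roles assigned to them."""
    return max(role_depth(r) for r in user.roles)


def mac_allows(subject_level, object_level, op):
    if op == "read":
        return subject_level >= object_level   # simple security property: no read up
    if op == "write":
        return subject_level <= object_level   # *-property: no write down
    return False


def check_access(user, obj, op):
    """MAC is evaluated first and cannot be overridden by either RBAC or DAC."""
    if not mac_allows(clearance(user), obj.level, op):
        return False, "denied by MAC"
    if (obj.kind, op) in user_permissions(user):
        return True, "allowed by RBAC"
    if user.name == obj.owner or op in obj.acl.get(user.name, set()):
        return True, "allowed by DAC"
    return False, "no RBAC permission and no DAC grant"


# Constructed sample subjects and objects.
alice = User("alice", {"nurse"})
bob = User("bob", {"physician"})
carol = User("carol", {"lab_technician"})
vitals_42 = Obj("vitals#42", "vitals", level=1, owner="alice")
lab_7 = Obj("lab#7", "lab_results", level=1, owner="carol", acl={"alice": {"read"}})
diag_9 = Obj("diag#9", "diagnosis", level=2, owner="bob")

if __name__ == "__main__":
    print(hyper_nodes())
    for u, o, op in [(alice, vitals_42, "write"), (bob, vitals_42, "read"),
                     (bob, vitals_42, "write"), (alice, lab_7, "read"), (alice, diag_9, "read")]:
        print(u.name, op, o.name, "->", check_access(u, o, op))
```

Two points the sample runs bring out: the physician inherits the nurse's write permission on vitals through the role hierarchy, yet the write is refused because the derived MAC level of the physician dominates that of the object; and the lab technician's discretionary grant lets a nurse read a specific lab result she has no role-based permission for, but only because both sit at the same derived level. A real deployment would also need to decide how roles within one hyper node are treated and whether a stricter or looser write rule than the *-property used here suits clinical workflows.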
The original version of this chapter was revised: The copyright line was incorrect. This has been corrected. The Erratum to this chapter is available at DOI: 10.1007/978-0-387-35508-5_22
Copyright information
© 2000 IFIP International Federation for Information Processing
Cite this chapter
Mavridis, I., Pangalos, G., Khair, M. (2000). Emedac: Role-Based Access Control Supporting Discretionary and Mandatory Features. In: Atluri, V., Hale, J. (eds) Research Advances in Database and Information Systems Security. IFIP — The International Federation for Information Processing, vol 43. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-35508-5_5
DOI: https://doi.org/10.1007/978-0-387-35508-5_5
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4757-6411-6
Online ISBN: 978-0-387-35508-5