Abstract
Health Care Computing and Communication Systems (HCCS) are characterized by the complexity of the organizations involved and the richness of the properties required. To address this complexity and richness, we propose a security policy based on roles, groups of objects and context. Just as roles structure the subjects, we introduce the new concept of a “group of objects”, which structures the objects. Our main aim is to facilitate security policy management, to cope with the complexity of access rights, and to reduce administration errors. We then develop a security model that covers the diversity of HCCS while achieving a good compromise between respect for the least privilege principle and flexibility of access control. Following a logical approach, we design a formal system that extends deontic logic, and we express the security policy in our language.
The original version of this chapter was revised: The copyright line was incorrect. This has been corrected. The Erratum to this chapter is available at DOI: 10.1007/978-0-387-35691-4_52
Copyright information
© 2003 IFIP International Federation for Information Processing
About this paper
Cite this paper
El Kalam, A.A., Deswarte, Y. (2003). Security Model for Health Care Computing and Communication Systems. In: Gritzalis, D., De Capitani di Vimercati, S., Samarati, P., Katsikas, S. (eds) Security and Privacy in the Age of Uncertainty. SEC 2003. IFIP — The International Federation for Information Processing, vol 122. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-35691-4_24
DOI: https://doi.org/10.1007/978-0-387-35691-4_24
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4757-6489-5
Online ISBN: 978-0-387-35691-4
eBook Packages: Springer Book Archive