Access control in medical information systems distributed over the Internet is an important issue directly related to the protection of patients’ privacy. It is therefore essential to satisfy the increasing demand for exploiting Internet mechanisms in order to achieve a secure health information network. This can only be done, however, if it can be guaranteed that appropriate measures have been taken to preserve a satisfactory level of security for the information concerned. Recent efforts in this direction rely on public-key cryptography and digital certificates. Identity certificates are suitable for identification and authentication purposes. In addition, attribute certificates are another type of certificate particularly suitable for authorization purposes. In order to fully exploit digital certificates to protect distributed healthcare applications over the Internet, we propose the use of a third type of certificate, called access-rule certificates, which are useful for the enforcement of global access-control mechanisms between different organizations. In this paper, we present the structure of those three types of certificate, as well as the access-control procedures when using them; we describe the architecture of the proposed system whose purpose is to explore the use of certificates for the implementation of a suitable security policy for healthcare environments.
The Computer-Based Patient Record Institute. Description of the computer-based patient record (CPR) and computer-based patient record system. Prepared by the CPRI Work Group on CPR Description (WDES). http://www.cpri.org/resource/docs/hldd.html May 1995.
2.
Ahuja V.Secure commerce on the internet. AP Professional Press, 1997.
3.
Grimson J, Grimson W, Hasselbring W.The SI challenge in health care. Communications of the ACM2000; 43(6).
4.
Mavridis I, Georgiadis C, Pangalos G, Khair M.Using digital certificates for access control in clinical intranet applications. Proceedings of the fifth World Congress on the Internet in Medicine (MEDNET 2000). Brussels, November 2000.
5.
HealthKey project. http://www.healthkey.org September 2000.
6.
Lynch C.White paper on authentication and access management issues in cross-organizational use of networked information resources. Coalition for Networked Information, revised discussion draft, 1998.
7.
Netscape Center. Security basics. http://www.netscape.com/security/basics/index.html October 2000.
8.
Farrel S, Housley R.An internet attribute certificate profile for authorization. IETF Group, Internet draft: draft.ietf.pkix.ac509prof-03.txt; work in progress. http://www.ietf.org/shadow.html May 2000.
9.
Linn J, Nyström M.Attribute certification: an enabling technology for delegation and role-based controls in distributed environments. Proceedings of the fourth ACM Workshop on RBAC, Fairfax VA, USA, October 1999.
10.
Arsenault A, Turner S.Internet X.509 public key infrastructure - PXIX roadmap. IETF Group, Internet draft: draft.ietf.pkix.roadmap-05.txt. Work in progress. http://www.ietf.org/shadow.html March 2000.
11.
Sandhu R, Samarati P.Authentication, access control, and intrusion detection. The Computer Science and Engineering Handbook,1997.
12.
Tari Z, Chan S.A role-based access control for intranet security. IEEE Internet Computing September-October 1997: 24-34.
13.
Mavridis I. Information system and database system security issues in mobile computing environments. PhD dissertation, Aristotle University of Thessaloniki, Greece, 2000.
14.
Pangalos G, Gritzalis D, Khair M, Bozios L.Improving the security of medical database systems, information security - the next decade. (eds) J. Eloff and S. Von Solms. Chapman and Hall, 1995.
15.
Pangalos G, Khair M, Bozios L.An integrated secure design of a medical database system. MEDINFO’95. The eighth World Congress on Medical Informatics, Vancouver, Canada, 1995.
16.
Mavridis I, Pangalos G, Khair M, Bozios L.Defining access control mechanisms for privacy protection in distributed medical databases. Proceedings of IFIP Working Conference on User Identification and Privacy Protection, Stockholm, Sweden, 1999.
17.
Yialelis N. Domain-based security for distributed object systems. PhD dissertation, Imperial College of Science, London (UK), 1996.
18.
Sandhu R.Role-based access control. Advances in Computers1998; 46.
19.
Mavridis I, Pangalos G, Khair M.eMEDAC: Role-based access control supporting discretionary and mandatory features. Proceedings of 13th IFIP WG 11.3 Working Conference on Database Security, Seattle, USA, 1999.
20.
Ceri S, Pelagatti G.Distributed Databases: principles and systems. New York: McGraw-Hill, 1985.
21.
Pernul G.Database security. Advances in Computers1994; 38.
