Ensuring Access Control in Cloud Provisioned Healthcare Systems




Hema Andal Jayaprakash Narayanan, Department of Computer Science and Engineering, University of Nevada, Reno
Mehmet Hadi Güneş, Department of Computer Science and Engineering, University of Nevada, Reno

Abstract

An important issue in cloud provisioned multi-tenant healthcare systems is access control, which focuses on the protection of information against unauthorized access. As different tenants including hospitals, clinics, insurance companies, and pharmacies access the system, sensitive information should be provided only to authorized users and tenants. In this paper, we analyze the requirements of access control for healthcare multi-tenant cloud systems and propose to adapt Task-Role Based Access Control with constraints such as least privilege, separation of duty, delegation of tasks, and spatial and temporal access.

Keywords - Access control, Cloud computing, ehealth.

I. INTRODUCTION

New technologies provide great opportunities to enhance business models. In particular, the cloud computing paradigm moves computing and storage tasks from individual systems into the cloud, which provides hardware and software resources over the Internet. Such cloud computing facilities can be employed for ehealth platforms to provide information flow between multiple entities such as hospitals, clinics, pharmacies, labs, and insurance companies [3]. Healthcare is a dynamic, complex environment with many participants including patients, nurses, lab technicians, researchers, receptionists, and IT professionals. Recently, the Health Information Technology for Economic and Clinical Health (HITECH) Act was established to convert the nation's health care records to digital formats such as the Electronic Health Record (EHR), to speed up the transmission of medical information and make health care systems more efficient [4].

To protect patient information from unauthorized access and comply with the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules, health care organizations need global policies for access to patient information. Access control of data should be flexible and fine grained, reflecting the dynamic nature of the health care system in which multiple entities interact with the data. Access rights to resources must be granted to users only for the amount of time that is necessary. For example, a doctor should be given access to the medical history of a patient only while he/she is an active patient of the doctor. Although an organization may trust its employees, errors may also leak sensitive information to non-authorized individuals. Hence, cloud provisioned ehealth systems should provide access to data only when necessary and protect users from unintentional errors [8].

Moreover, access policies should support the operations essential to perform an individual's job duties. For instance, the system should limit read, copy, and print operations on sensitive information to only the necessary personnel for a specific duration. Access control should determine who has access to data, which types of access are allowed, what functions are provided, under what conditions, and for what duration.

In this paper, we adapt Task-Role-Based Access Control, which considers the task at hand and the role of the user [15]. We support both workflow based and non-workflow based tasks and authorize subjects to access the necessary objects only during the execution of the task. In order to synchronize the workflow with the authorization flow, we adapt the Workflow Authorization Model [6]. For example, let us assume a patient with acute abdominal pain is admitted to the emergency department and the patient is assigned to an intern on duty. The workflow is initiated once the patient is admitted. The intern first checks the patient's medical history and performs a physical exam. The intern may order some lab tests or may ask for another specialist's opinion. The workflow concludes with writing the diagnosis on the patient's record.

In the rest of the paper, we first present the related work on cloud computing and access control in Section II. In Section III, we analyze the requirements for access control in cloud provisioned healthcare systems. Then, we present the details of the task role based access control model for the ehealth system in Section IV. In Section V, we discuss the implementation details of our deployed system (accessible online at [1]). Finally, we conclude with Section VI.

II. RELATED WORK

A. Cloud Computing

Cloud computing is a recent trend in the cyber world that has the potential to change Information Technology by deploying cyber infrastructures. The basic idea in cloud computing is to move computing tasks from individual systems into the cloud, which provides hardware and software resources over the Internet [11]. Cloud providers deploy computing, storage and network infrastructure and provide service assurances to their customers, either individuals or companies. The main advantage of cloud computing is that customers can avoid capital expenditure on hardware, software, and services, and instead pay a cloud provider only for what they use.

With the advent of cloud computing as a new computing paradigm, flexible services can be transparently provided to users over a dynamic cloud environment in which multiple systems interact. By tapping into the cloud infrastructure, users can gain fast access to best-of-breed applications and drastically boost computing resources in a cost-effective way. Institutions can also improve the agility and reliability of their information technology, and obtain device and location independence.

B. Access Control

Researchers have developed various access control methods for accessing a resource in computing systems [16]. Among the commonly deployed approaches, access control lists, which attach a list of permissions to each object, and the access control matrix, which characterizes the rights of each subject with respect to every object, are not suitable for large organizations that have many subjects and objects. Discretionary access control depends on the discretion of an object's owner, who is authorized to control access to the information resource. Discretionary access control is ownership based and does not provide a high degree of security in distributed systems. In mandatory access control, a central authority determines what information is to be accessible by whom. Security labeling in mandatory access control is not flexible and is not convenient for task execution [13].

In role-based access control (RBAC), access rights are associated with roles, and users are assigned to appropriate roles [9]. Figure 1 shows the basic components of role-based access control, i.e., user, role, session and permission. The role hierarchy allows a senior role to inherit from junior roles. This model has been considered in health systems [10]. Being a passive access control model, role-based access control fails to capture the dynamic responsibilities of users needed to support workflows, which require dynamic activation of access rights for certain tasks.

Figure 1: RBAC Entities and Their Relationships

In task-based authorization control (TBAC), permissions are activated or deactivated according to the current task or process state [18]. Task-based authorization control is an active access control model based on tasks, but there is no separation between roles and tasks. In Task-Role-Based Access Control (T-RBAC), users are related to permissions through roles and tasks [15]. T-RBAC is an active access control model and provides partial authority inheritance in the role hierarchy. In this paper, we adapt the T-RBAC model to healthcare cloud systems.

III. ACCESS CONTROL REQUIREMENTS

In determining an access control mechanism, many factors need to be considered, including users, information resources, roles, tasks, workflow and business rules [8]. The following are the factors important to healthcare cloud systems.

Tenant: A tenant Tn_i is a customer such as a hospital, clinic, or pharmacy in the healthcare system.

User: A user u_i is either an employee of a tenant or a patient of the healthcare provider. Users are the subjects of the access control. Each tenant has multiple users, which include patients, doctors, nurses, and technicians.

Task: A task t_i is a fundamental unit of business activity. Tasks are assigned to users based on the role they have, and their access rights are determined for fulfilling the assigned tasks.

Information Resource: Information resources are the objects of access control and include files and databases.

Business Role: A business role is provided to each user based on the business activities they perform in the organization. A role r_i links a user to certain tasks, providing access rights to the needed information resources.

Permission: A permission p_i is the authorization to perform an operation on an object.

Session: A session s_i maps a user u_j to a set of roles {r_k, r_l, r_m, ...}, i.e., s_i : u_j, {r_k, r_l, r_m, ...}.

Workflow: A workflow is a set of tasks to perform a business function. Tasks that are part of a workflow require active access control [12]. On the other hand, tasks that are not part of a workflow require passive access control. Healthcare systems have both workflow and non-workflow tasks and should support both passive and active access control. For instance, Figure 2 shows both passive and active access control. A physician may execute the View Current Patient List task to access the File1 information resource at any time. This non-workflow task assignment causes immediate activation of the access rights to read File1, a passive access control. On the other hand, the Write Prescription task belongs to a workflow. The tasks in the workflow are executed in a defined order, and each is available for a specific time period. Although the Write Prescription task is assigned to the physician, he/she can activate his/her access rights only when the prior View Lab Results task is completed. In this case, as an active access control, authorization is separated from the activation of access rights.

Figure 2: Passive and Active Access Control

Business Rule: Business rules are the standard practices of users which the organization follows, and they may differ from one organization to another. Business rules include:

- Least Privilege indicates that permissions are assigned selectively to users in such a manner that no user is given more permissions than necessary to perform his/her job [7]. The least privilege policy avoids the problem of an individual with the ability to perform unnecessary and potentially harmful actions merely as a side-effect of granting the ability to perform desired functions.

- Separation of Duty reduces the likelihood of collusion by distributing the responsibilities for the tasks in a workflow between multiple participants, and protects against fraudulent activities of individuals [19]. Distribution of responsibilities can be static, governing the administration/design-time associations between users and permissions, or dynamic, governing the way in which permissions are granted at run-time.

- Delegation of Tasks allows a task to be performed when the initially assigned user is not available to complete it.

- Spatial and Temporal constraints are used for enhancing the security of applications [5]. Since a healthcare cloud system can be accessed from anywhere and at any time, there is a need to include location and time constraints over access rights. For example, in a family practice a doctor/nurse should be given access to a patient's record only during office hours and only in the office.

- Classification of Tasks is important to determine inheritable and non-inheritable tasks [15]. Considering active and passive access control, there are four classes of tasks depending on business role and workflow, as in Table 1.

Table 1: Task Classification

                          Non-Inheritable   Inheritable
  Passive Access Control  Private           Supervision
  Active Access Control   Workflow          Approval

Class Private: In Figure 3, View Current Patient List is a task for the physician. Even though senior physician is a superior role to physician, it does not inherit the access right to perform the View Current Patient List task. Also, the task does not have any relationship with other tasks.

Figure 3: Class Private

Class Supervision: In Figure 4, the Diagnosis Details of the physician are reviewed and inherited by the superior role senior physician to give feedback/suggestions. The task does not belong to a workflow.

Figure 4: Class Supervision

Class Workflow: In Figure 5, the Check Patient task is only performed by the assigned physician. For patient privacy, it is not inherited by the superior role senior physician. This task has a relationship with other tasks.

Figure 5: Class Workflow

Class Approval: In Figure 6, the Supervisor Opinion task is assigned to the physician role, and the senior physician can inherit the task only if the physician is supervised by that senior physician. The task has a relationship with other tasks.

Figure 6: Class Approval (Family Practice workflow with the roles Senior Physician and Physician: Do Physical Exam (T1), Check Patient (T2), Perform Lab Tests (T3), View Lab Results (T4), Write Prescription (T5), Supervisor's Opinion (T6))

Role Hierarchy: The role hierarchy can be either Supervision, as in Figure 4, or Approval, as in Figure 6.

Scope: Access control is managed at the scope level. Each scope inherits roles, permissions, and business rules from any parent scope according to the health system's relationship strategy, and it can modify, add, and delete them as appropriate.

In light of the above discussion, we assume different healthcare organizations, e.g., hospitals, clinics, and pharmacies, use different instances of the cloud provided healthcare system with a centralized database accessible through the cloud. Sharing health information between organizations provides up-to-date information about a client when needed. We should note that access to the information is provided based on the need to know principle.
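The task classification of Table 1 and the inheritance rules illustrated in Figures 3 to 6, written out as an added example (not code from the paper): role and task names follow the figures, while the users and the supervision relation between them are constructed.

```python
"""Task classification of Table 1 and role-hierarchy inheritance (Figures 3 to 6).

Added example, not code from the paper. The users and the supervision
relation between them are constructed; task and role names follow the figures.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set


class TaskClass(Enum):
    PRIVATE = "private"          # passive, non-inheritable
    SUPERVISION = "supervision"  # passive, inheritable by the superior role
    WORKFLOW = "workflow"        # active, non-inheritable
    APPROVAL = "approval"        # active, inheritable only when supervising


@dataclass
class Task:
    name: str
    cls: TaskClass
    assigned_roles: Set[str]
    workflow: Optional[str] = None  # only workflow/approval tasks have one


@dataclass
class User:
    name: str
    roles: Set[str]
    supervises: Set[str] = field(default_factory=set)  # physicians this user supervises


# Role hierarchy: superior role -> the junior roles it is senior to.
ROLE_HIERARCHY: Dict[str, Set[str]] = {"senior physician": {"physician"}}

# Tasks of Figures 3 to 6, classified per Table 1.
TASKS: Dict[str, Task] = {
    "View Current Patient List": Task("View Current Patient List", TaskClass.PRIVATE, {"physician"}),
    "Diagnosis Details": Task("Diagnosis Details", TaskClass.SUPERVISION, {"physician"}),
    "Check Patient": Task("Check Patient", TaskClass.WORKFLOW, {"physician"}, "family practice"),
    "Supervisor Opinion": Task("Supervisor Opinion", TaskClass.APPROVAL, {"physician"}, "family practice"),
}


def junior_roles(role: str) -> Set[str]:
    """All roles below `role` in the hierarchy, transitively."""
    found: Set[str] = set()
    stack = [role]
    while stack:
        for junior in ROLE_HIERARCHY.get(stack.pop(), set()):
            if junior not in found:
                found.add(junior)
                stack.append(junior)
    return found


def inherits(task: Task, senior: User, assignee: Optional[User]) -> bool:
    """Table 1: may a holder of a superior role inherit `task` from its assignee?"""
    if task.cls in (TaskClass.PRIVATE, TaskClass.WORKFLOW):
        return False  # non-inheritable, for patient privacy (Figures 3 and 5)
    if task.cls is TaskClass.SUPERVISION:
        return True   # the senior reviews the junior's work (Figure 4)
    # APPROVAL: only if this senior supervises the assigned physician (Figure 6)
    return assignee is not None and assignee.name in senior.supervises


def can_perform(user: User, task_name: str, assignee: Optional[User] = None) -> bool:
    """True if the user holds a role the task is assigned to, or inherits
    the task through the role hierarchy under the task-class rules."""
    task = TASKS[task_name]
    if user.roles & task.assigned_roles:
        return True  # direct assignment
    has_superior_role = any(task.assigned_roles & junior_roles(r) for r in user.roles)
    return has_superior_role and inherits(task, user, assignee)
```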

Moreover, updates to the security attributes and configurations of system participants should be available only to healthcare system administrators, who are different from cloud system administrators. That is, healthcare system providers will determine access rights to data sources and decide on proper workflows for business operations. These administrators will not be able to access the data, and their activities will be monitored by a third party such as a governmental health agency.

IV. TASK ROLE BASED ACCESS CONTROL WITH CONSTRAINTS

In the healthcare cloud system, we use roles to support passive access control and tasks to support active access control, as shown in Figure 7. A tenant in the cloud system has multiple users. Each user is assigned a role, roles are assigned to workflow or non-workflow tasks, and tasks are assigned permissions. Users with a defined role can run the various workflow and non-workflow tasks assigned to their role. Permissions are given to roles according to their tasks, and the assigned permissions change dynamically according to the task at hand.

Figure 7: Task-Role Based Access Control with Constraints

Authorization determines who can do which tasks with what role under what conditions. It is defined by the states, or tuples, (U, R, T, P, C) where U is the set of users u_i, R is the set of roles r_i, T is the set of tasks t_i, P is the set of permissions p_i, and C is the set of constraints c_i. For example, the tuple (John, doctor, read patient information, read, daytime and office location) defines the policy that John, as a doctor, reads patient information from the office during office hours.

A. Assignments

The following are the possible pairs of entity assignments in the access control mechanism.

Tenant-User Assignment: A cloud system has several tenants, each with various users.

User-Role Assignment: A user can be assigned one or more roles. Similarly, a role can be assigned to multiple users. Users and roles have a many-to-many relationship.

Task-Role Assignment: A role can be assigned multiple tasks, and a task can be assigned to multiple roles. Tasks and roles have a many-to-many relationship.

Permission-Task Assignment: Tasks are assigned the permissions needed to execute them.

Task-Workflow Assignment: Only tasks belonging to the workflow or approval classes are assigned to a certain workflow.

B. Task Constraints

The following are the major constraints in access control.

Least Privilege: Least privilege is achieved through task instances. The access permission starts when the task is initiated, and the access control permissions are revoked when the task is completed. A task instance is created for each user, and the user gets to see only certain information. For example, if a dentist initiates the workflow for a patient, the task instance shows only the details of the dental records. Once the task is completed, his/her access rights to the records are revoked. This mechanism supports least privilege and fine grained access control.

Static and Dynamic Separation of Duty: Separation of duty is done at the task definition and task instance levels. The task unit has a smaller scope of access rights than the role unit. Static separation of duty is done at the task definition level and applies to tasks belonging to the same workflow. For example, if t_i and t_j are mutually exclusive but belong to different workflows, separation of duty does not apply to them. Static separation of duty prohibits assigning two or more mutually exclusive tasks to the same role at the same time. Dynamic separation of duty is done at the task instance level. Task instances are created when the task is initiated, and dynamic separation of duty prohibits concurrent execution of two or more exclusive tasks by the same role.

Delegation: Delegation is done through fine grained task assignment by the initially assigned user. For example, if a doctor cannot attend a patient, the task can be delegated to another doctor.
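The task constraints of this section as an added example (not the paper's implementation): task instances that carry rights only while active, a static separation of duty check at definition time, a dynamic check at instance creation, delegation by the initially assigned user, and the spatio-temporal check from the (U, R, T, P, C) tuple. The Family Practice workflow, the exclusive task pair, the clinic location and the office hours are constructed.

```python
"""Task-instance authorization under the Section IV constraints.

Added example, not the paper's code. The Family Practice workflow, the
roles, the exclusive task pair, the clinic location and office hours are
constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Optional, Set, Tuple

# Workflow tasks in Figure 6 order: task -> (operation, resource, predecessor).
WORKFLOW: Dict[str, Tuple[str, str, Optional[str]]] = {
    "Perform Lab Tests": ("write", "lab_orders", None),
    "View Lab Results": ("read", "lab_results", "Perform Lab Tests"),
    "Write Prescription": ("write", "prescriptions", "View Lab Results"),
    "Dispense Prescription": ("read", "prescriptions", "Write Prescription"),
}
# Mutually exclusive tasks for separation of duty (constructed pair).
EXCLUSIVE = {frozenset({"Write Prescription", "Dispense Prescription"})}
# Spatio-temporal data registered by the tenant (constructed values).
OFFICE_LOCATIONS = {"family practice": {"clinic-main"}}
OFFICE_HOURS = (time(8, 0), time(18, 0))
SAMPLE_DAY = datetime(2024, 5, 6, 10, 0)    # inside office hours
SAMPLE_NIGHT = datetime(2024, 5, 6, 22, 0)  # outside office hours


@dataclass
class TaskInstance:
    task: str
    user: str
    patient: str
    active: bool = True


@dataclass
class AuthorizationState:
    tenant: str
    user_roles: Dict[str, Set[str]]
    task_roles: Dict[str, Set[str]]
    instances: List[TaskInstance] = field(default_factory=list)
    completed: Set[Tuple[str, str]] = field(default_factory=set)  # (patient, task)

    def static_sod_violations(self) -> Set[str]:
        """Definition-time check: roles assigned two exclusive tasks at once."""
        bad: Set[str] = set()
        for a, b in (tuple(pair) for pair in EXCLUSIVE):
            bad |= self.task_roles.get(a, set()) & self.task_roles.get(b, set())
        return bad

    def _active(self, user: str) -> List[TaskInstance]:
        return [i for i in self.instances if i.user == user and i.active]

    def start_task(self, user: str, role: str, task: str, patient: str,
                   location: str, when: datetime) -> Tuple[Optional[TaskInstance], str]:
        """Create a task instance only if every constraint holds."""
        if role not in self.user_roles.get(user, set()) or role not in self.task_roles[task]:
            return None, "role not assigned to user or task"
        for inst in self._active(user):  # dynamic SoD: no concurrent exclusive tasks
            if frozenset({inst.task, task}) in EXCLUSIVE:
                return None, "dynamic SoD: " + inst.task + " still active"
        pred = WORKFLOW[task][2]  # active access control: predecessor must be done
        if pred and (patient, pred) not in self.completed:
            return None, "workflow: " + pred + " not yet completed"
        if (location not in OFFICE_LOCATIONS[self.tenant]
                or not OFFICE_HOURS[0] <= when.time() < OFFICE_HOURS[1]):
            return None, "spatio-temporal constraint failed"
        inst = TaskInstance(task, user, patient)
        self.instances.append(inst)
        return inst, "ok"

    def permissions(self, user: str) -> Set[Tuple[str, str, str]]:
        """Least privilege: rights exist only while a task instance is active."""
        return {(WORKFLOW[i.task][0], WORKFLOW[i.task][1], i.patient) for i in self._active(user)}

    def complete_task(self, inst: TaskInstance) -> None:
        inst.active = False  # rights revoked on completion
        self.completed.add((inst.patient, inst.task))

    def delegate(self, inst: TaskInstance, by: str, to: str) -> Tuple[Optional[TaskInstance], str]:
        """Only the initially assigned user may hand an active instance on."""
        if inst.user != by or not inst.active:
            return None, "only the assigned user may delegate an active instance"
        if not self.user_roles.get(to, set()) & self.task_roles[inst.task]:
            return None, "delegate lacks a role assigned to the task"
        inst.active = False  # the delegator's rights are revoked
        new = TaskInstance(inst.task, to, inst.patient)
        self.instances.append(new)
        return new, "ok"


def build_family_practice() -> AuthorizationState:
    """Constructed tenant: two physicians and a pharmacist."""
    return AuthorizationState(
        tenant="family practice",
        user_roles={"alice": {"physician"}, "bob": {"physician"}, "pat": {"pharmacist"}},
        task_roles={"Perform Lab Tests": {"physician"}, "View Lab Results": {"physician"},
                    "Write Prescription": {"physician"}, "Dispense Prescription": {"pharmacist"}},
    )
```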
Delegation happens in the supervision, workflow and approval classes.

Spatio-Temporal Constraints: The user's location and time are taken into consideration for granting access to a task. When a tenant registers in the system, its office and clinic locations are stored for later authorizations requiring temporal verification.

V. IMPLEMENTATION DETAILS

We have implemented the task-role based access control in our online healthcare system (http://ec2-184-72-45-148.us-west-1.compute.amazonaws.com/cloudwebproject/login.jsp) in Amazon Elastic Compute Cloud (Amazon EC2). Amazon EC2 is chosen as it provides the flexibility of choosing the operating system, software packages and instance types [2]. The instance type depends on the memory size and computing power. The small standard instance type for Windows Server base is chosen as the development environment, with 1.7GB of memory, one EC2 compute unit and 160GB of instance storage. Tomcat is used as the servlet container for deploying the application. Java Server Pages (JSPs), Java servlets and Java beans are used for developing the access control security modules of the healthcare system. The information for task-role based access control and the healthcare application is stored in a relational SQL database.

Figure 8 shows the high level design of the access control implementation. The system administrator for the tenant uses the management system to define users, roles, tasks, permissions, resources, constraints and policies for the authorization. All of the information is stored in a relational database. User, role and task information is taken from the respective tables, and the authorization is done using the policies. Healthcare applications have many users, which are classified into different roles such as system administrator, physician, senior physician, helpdesk, nurse, lab technician, and patient. In our model, the provider creates a system administrator role for each tenant and assigns access rights to them so that they manage authentication and authorization for their own domain.

Figure 8: Overview of the System Design

Flexible policies are created, and constraints are imposed on users and tasks so that permission misuse is prohibited. Role inheritance is driven through the role hierarchy and the involved tasks. Separation of duty is done with different task definitions and task instances to support both static and dynamic policies. Tasks may be delegated, and the delegation rights are revoked once the task is completed, in keeping with the least privilege principle. The scope level is used in the cloud so that different business units in the same tenant can use the same access control model.

When a user logs in, the system verifies the user's credentials and determines his/her roles. According to the role, the task selection page displays the tasks for the active roles. For a system administrator, user, role, and workflow maintenance tasks are also provided. In role maintenance, the system administrator may add a new role, delete a role, and update the roles in the system. In user maintenance, the system administrator can add, modify, and delete user credentials and determine the role assignment of users. In workflow maintenance, the system administrator can create, modify, and delete workflows for the tenant. Multiple tasks are assigned to each workflow, and a certain flow of the tasks is determined.

Finally, passwords are stored in the database as a hash value using the MD5 message digest algorithm [17]. As large databases may have users with the same password, we use a random salt value. Using salt values also protects against attackers that use large pre-computed hash values in rainbow tables to break passwords [14]. When a user wants to log in, their salt value is provided to them and they send the resulting hash value over a secure SSL connection to be compared with the stored one.

VI. CONCLUSION

ehealth systems have multiple tenants with differing users. Access to sensitive resources should be provided only to authorized users and tenants. In this paper, we analyzed the requirements of an access control model for healthcare cloud systems and proposed an improved access control model for cloud instances by extending Task-Role Based Access Control to include task and user constraints to support multi-tenant cloud applications. Our model provides flexible access rights which are modified dynamically as tasks change. It also uses fine grained constraints such as task and user constraints in addition to the scope level for each tenant. We have implemented the system on Amazon EC2, and it is publicly accessible at [1].

REFERENCES

[1] http://ec2-184-72-45-148.us-west-1.compute.amazonaws.com/CloudWebProject/Login.jsp
[2] Amazon EC2, available at: http://aws.amazon.com/ec2
[3] Healthcare SaaS Vs. Licensed Software, Healthcare Technology Online, September 2009.
[4] Meeting HITECH's Challenge to the Health Care Industry, An Oracle White Paper, May 2010.
[5] Kyriakos Anastasakis, Behzad Bordbar, Geri Georg, Indrakshi Ray, and Manachai Toahchoodee, Ensuring Spatio-Temporal Access Control for Real-World Applications, Proceedings of the 14th ACM Symposium on Access Control Models and Technologies (SACMAT), June 2009.
[6] V. Atluri and W.-K. Huang, An authorization model for workflows, In Proc. of ESORICS 1996, LNCS 1146, pages 44-64, September 1996.
[7] J. F. Barkley, D. F. Ferraiolo, and D. R. Kuhn, A Role Based Access Control Model and Reference Implementation within a Corporate Intranet, ACM Trans. on Information and System Security, Feb 1999.
[8] Reinhardt A. Botha, CoSAWoE: A Model for Context-sensitive Access Control in Workflow Environments, South Africa, 2001.
[9] E. Coyne, H. Feinstein, R. Sandhu and C. Youman, "Role-Based Access Control Models", IEEE Computer, 29(2):38-47, 1996.
[10] O. Edsberg and L. Røstad, A Study of Access Control Requirements for Healthcare Systems Based on Audit Trails from Access Logs, In Proc. of the 22nd Annual Computer Security Applications Conference, Miami, Florida, December 2006.
[11] Robert Elsenpeter, Anthony T. Velte, and Toby J. Velte, Cloud Computing: A Practical Approach, McGraw Hill, 2010.
[12] Y. Fan, W. Shi, C. Wu, Fundamentals of Workflow Management Technology, Tsinghua / New York: Springer Verlag, 2001, pp. 30-35.
[13] Hao Jiang, Shengye Lu, RTFW: An Access Control Model for Workflow Environment, 10th International Conference on Computer Supported Cooperative Work in Design, May 2006.
[14] P. Oechslin, Making a faster cryptanalytic time-memory trade-off, Advances in Cryptology - CRYPTO 2003, Lecture Notes in Computer Science, vol. 2729, pp. 617-630.
[15] Sejong Oh, Seog Park, Task-Role-Based Access Control Model, Information Systems, September 2003.
[16] C. P. Pfleeger, Security in Computing, 2nd Edition, Prentice-Hall International Inc., Englewood Cliffs, NJ, 1997.
[17] R. Rivest, The MD5 Message-Digest Algorithm, RFC 1321, April 1992.
[18] R. S. Sandhu and R. K. Thomas, Task-based authorization controls (TBAC): A family of models for active and enterprise-oriented authorization management, In Proceedings of the IFIP WG11.3 Workshop on Database Security, August 1997.
[19] Mary Ellen Zurko and Richard Simon, Separation of duty in role-based environments, Proceedings of the 10th IEEE Computer Security Foundations Workshop (CSFW '97), pages 183-194, 1997.