Beruflich Dokumente
Kultur Dokumente
• Digital asset: Second level, access control to operations on Figure 3: clinical user categories
whole assets. Operations would typically include: create, read,
write, modify, delete. This means the permission or not for a Service physician, Head nurse, nurse (figure 3). In DRIVE, a
user role within a certain context and within a given function single user category can belong to different trust constituencies.
to execute operations on whole assets (e.g. read the whole For instance, in the hospital, a pharmacist belongs to TC2 –
patient record). Clinical Support as well as to TC3 – Administrative & Logistics.
• Data items: Third level, access control to specific groups of The definition of roles (ROLES) in DRIVE is explicitly related
attributes in an asset. The patient record for instance is with the business process tasks that are performed in the clinical
and logistics trust constituencies. For instance, the roles that based on the specific profile of the user. In principle more than
perform clinical activities in the clinical Trust Constituency one role can be assigned. Static exclusion rules and hierarchies
include: Anamnesis Maker, Diagnosis Maker, Therapy Prescriber, will be taken into account for defining user assignment. As an
Consultant, Therapy Preparator, Therapy Administrator and Data example, two role hierarchies are shown in the figures 4 and 5
Collector of patient health state. covering respectively the clinical staff assignment and the clinical
support staff. It is noted that therapy validator, DUR analyzer and
The roles in the Trust Constituency 2 – clinical support include: HF-WP definition are clinical support roles performed by a
Therapy Validator, Hospital Formulary & Ward Profile (HP&WP) pharmacists whereas request validator and drug warehouse
Definition, Drug Utilization Review (DUR) Analyser. manager are two logistics roles performed by pharmacists. The
clinical
manager
anamnesis diagnosis prescriber prescription consultant therapy therapy therapy DUR HF-WP request warehouse
maker maker validator preparator administrator validator analyser definer validator manager
Figure 4: Role hierarchy for clinical staff Figure 5: Role hierarchy for Pharmacist
The set of functions (FUNCTIONS) contains about 50 different latter two roles can only be activated from the logistics trust
functions (e.g. therapy prescription, etc) that are subdivided into constituency.
the four application servers: clinical, logistics, collaborative
logistics and Hospital Information System (HIS). They represent By convention, more authorative roles are towards the top of the
the main Use Case models for the DRIVE application. diagrammes. In figure 4, the head physician is senior to ward
physician and inherits all permissions from ward physician.
The CC standard [3] defines an asset as information or resources
to be protected by the countermeasures of a target of evaluation Session/Role association A user session is associated with a
(TOE). In DRIVE, within the RBAC context the set of assets subset of the roles authorized for the user and this subset, often
(ASSETS) focuses on information assets. Access control to referred to as the active role set (ARS), is determined by dynamic
computing resources is covered by controlling the access to exclusion rules and temporal constraints. The dynamic conditions
functions. The categories of information assets include patient are implemented by an activation/deactivation function. In the
data, drug data and health care professional data. The patient data following table 1 we show an example of an
comprise three groups of data items: patient demographic data, activation/deactivation function for the on-call physician role.
hospital stay data and clinical data. The clinical data are patient Table 1. On-Call Physician session/role association (the trust
health data collected during the hospitalisation episode. The HC constituency context parameter is the ward number)
professional data include credentials and identity information.
Time Ward Formality Priority Event
The set of operations on functions (OPS_FNC) specifies the Context Context
legitimate operations on the set of functions. The basic operations Night- Inwards Routine/ H Activate (On-Call Physican,
on functions are only binary: access to a function or no-access to a time Emergency Prescriber)
function. Day- Inwards Routine/ H Deactivate (On-Call
The set of operations on assets (OPS_ASSET) specifies the set time Emergency Physican,Prescriber)
of legitimate operations that can be performed on whole assets or Night- Inward Routine/ H Activate (On-Call Physican,
groups of attributes contained in them. In Drive, we identify: time Emergency Diagnosis Maker)
create (constructs an object and initializes its data); read (reads an Day- Out- Routine/ H Deactivate (On-Call
object or a subset of attributes of them); write (inserts the data in time Ward Emergency Physican, Diagnosis Maker)
an object or in a subset of attributes of the object in append
mode); modify (writes an object or a subset of attributes of it in
update mode); copy (copies the data of an object in a different Finally as last step in the procedure, the permission assignments
object); delete (delete an object and the data related with them). define access policies for different roles.
The User assignment (UA) is a key association in an RBAC Permission assignment 1 covers the Role/OPS_FNC association.
policy definition. It assigns roles to each individual user category For each role, the access rights on applications and functions are
defined. For example covering applications: Clinical staff → (towards bottom in the role hierarchy) with the possibility to
clinical application server; For example covering functions: Ward specialise the role subsequently if needed. Thus a ward
Physician → all clinical functions; service physician → physician, would typically log a session as ward physician for
Diagnosis. performing all the normal ward tasks. Dynamic context
control applies and some form of automated control is
Permission assignment 2 covers Role/OPS_ASSET association. possible here. Indeed, the dynamic exclusion rules explained
For each role, permissions on assets are defined. The RBAC in the previous chapter put constraints on the choice of roles
model should allow for roles having overlapping permissions. For in a certain context. For instance, time context for an on-call
example, read permission rights may be allowed for all clinical physician. The set of activated roles and the user context form
staff (physicians and nurses) belonging to the trust constituency a session/role association.
(ward) where the patient record originates, while writing the
therapy on the patient record may be specific for the “therapy
User assignment: authorization credentials (roles)
prescriber” role. The framework should also leave the possibility are assigned to user
for more restricted ACL’s, in particular lists containing a single
named health professional (e.g. in case of very sensitive health
data or in case of celebrity patients).
User/session association: Identification and
For example: Prescriber, Consultant → Read (Patient authentication of user
Demographic Data, Hospital Stay Data, Patient Clinical Data,
Therapy Sheet); Prescriber, Consultant → Read (Drug product
data); Prescriber→ Create/Write/Modify (Therapy Sheet);
Session/role association:
Prescriber → Create/Write/Modify (Therapy Data); Consultant →
User activates roles and the user context is
Write(Therapy.Therapy Advice) determined
5. FUNCTIONAL ARCHITECTURE
Access a function in a particular session
Taking into account the RBAC principles and model explained in
the previous chapters, the functional architecture for authorisation
and access control in DRIVE consists of the following instances
(figure 6).
Access control to the application/function
The first instance, user assignment, is executed off-line. Each
potential DRIVE user of clinical or logistics systems registers
with the DRIVE Certificate Authority (CA) and obtains an
X509 identity certificate. Authorisation credentials (Roles) are Access control on the operations on assets
assigned based on the identity of the user and additional
identity properties (profession, specialty, etc..). In addition,
the default trust constituency of the user is specified (e.g. ward
number 5 or pharmacy or logistics, etc). This assignment is Log out of the session
performed on behalf of a Credential Issuer (e.g. clinical
director of a Hospital for clinical roles or personnel Figure 6: DRIVE RBAC functional architecture
department for other roles). By issuing a credential certificate
next to the identity certificate, the Credential Issuer certifies After activation of a subset of roles and determination of the
that the user owns a specific property that determines his/her context, the actual access control decision-making process
role(s) in the business process. Static exclusion rules are takes place following a 3-level process. The decision making
applied here for roles assignment. Credential systems are not process is specified as a set of permission assignments on
new in IT security. In [3], a credential system is described but applications, functions and assets as outlined in the RBAC
applied to identity management and anonymity services on the model. The user requests access to one of the functions in the
Internet. In DRIVE, its prime use is RBAC applied to a multi- DRIVE application servers. For instance the therapy
user health care business environment. prescription function in the clinical application system. Also
here dynamic context control applies based on context
The subsequent instances of the architecture apply online; i.e.
parameters for refining the permission assignments.
during a session of a user. During user/session association,
before users can start a new DRIVE session with one of the The first level access control mechanism is activated for
DRIVE applications, they are identified and authenticated. determining if the session/role association is authorized or not
Strong authentication supported by smart card and identity to access the function.
certificates are used.
Then second level checking determines if operations on whole
The subsequent instance covers Session/role association. After assets can be performed.
successful authentication, the user context is determined
(time, place from which a session is started). The user The third-level access control mechanism checks permissions
activates one or more of the roles previously assigned to him on the groups of data items. Permitted access requests are
in order to accomplish a certain task in the business process. performed by the database server and results returned.
As a general approach and for efficiency reasons, we allow The session is logged off and the cycle starts again at step 2:
users in DRIVE to choose a common role with less authority user/session association.
It is noted that the functional architecture explained above is • Authenticity assurance: Covers the authenticity of the
privacy enhancing because it allows for selective access to critical (critical) data content by creating digital signature envelopes
personal assets in the complex multi-user environment of DRIVE. around changed parts of critical assets.
Strong authentication of actors is necessary for accountability
reasons. Privacy concerns primarily regard patient data protection. • Identity protection: Covers anonymising technology applied
In some instances of the business process, there are also privacy to patient records for protecting patient and clinician’s
needs of the actors themselves. For instance, clinicians’ identity privacy after patient dismissal from ward.
should not be disclosed when patient records are legitimately • Trust support functions: A set of functions that support the
accessed from outside the clinical trust constituency. In this case, implementation of the trust functions specified above. They
RBAC needs to be combined with anonymity technologies. In an include for instance identification/authentication,
e-commerce environment on the other hand, privacy can be key/certificate management, digital signature,
enhanced notwithstanding the need for strong authentication. encryption/decryption.
Indeed, the approach allows for a clear separation between
user/session association on one side and session/role association • IT infrastructure protection: Covers secured communication
on the other. The former can be performed by means of strong channels that assure integrity and confidentiality between
authentication of the user to a trusted third party. For the latter the systems in the distributed DRIVE system architecture.
trusted third party performs the session/role association on behalf
of the service provider without disclosing the real identity of the The part of the DRIVE trust infrastructure that supports the
user to the service provider. authorsisation and access control functions covers the following
instances (figure 7):
6. TRUST INFRASTRUCTURE WITH • DRIVE CA: Certificate Authority. Issues identity certificates
to users and to the Credential Issuer. In addition, manages the
RBAC FUNCTIONALITY life-cycle of keys and certificates. All published and certified
The RBAC authorization and access control approach is keys can be fetched from its directory function.
integrated in the DRIVE trust infrastructure. The DRIVE trust
infrastructure covers a wider set of trust functions needed to • The Credential Issuer: Assigns roles to the different users of
support the safety and security requirements, and is composed of: the DRIVE applications. By issuing a role, the credential
issuer certifies that the user owns a specific characteristic.
• Real-time validation and verification: Covers data correlation Therefore, the data structure containing the roles of a
and integrity checks on physical and digital assets. particular user is digitally signed by credential issues. In
• Authorisation and access control: Covers the role-based addition it publishes its public key that can be used to verify
access control policy and mechanisms. these roles.
Certificates
generation Directory
Roles
Assignment Certificate services Crypto
services
Credential issuer
API
DRIVE
Authentication
Server signature/en (de)cryption
Smart
Card User R
Work DRIVE
B
station Application
session login A servers
DRIVE C
actor
8. ACKNOWLEDGEMENTS
We would like to thank the whole DRIVE project team for their
contributions to the development of the DRIVE trust
infrastructure, in particular Stefania Petrini, Sandro Buso, Gunnar
Klein and Francesco Faenzi.