Inquiry-Based Requirements Analysis
IEEE Software
The NIST model for role-based access control: towards a unified standard
RBAC '00 Proceedings of the fifth ACM workshop on Role-based access control
Protection in operating systems
Communications of the ACM
Towards usage control models: beyond traditional access control
SACMAT '02 Proceedings of the seventh ACM symposium on Access control models and technologies
Lattice-Based Access Control Models
Computer
Access Control: Policies, Models, and Mechanisms
FOSAD '00 Revised versions of lectures given during the IFIP WG 1.7 International School on Foundations of Security Analysis and Design on Foundations of Security Analysis and Design: Tutorial Lectures
SP '92 Proceedings of the 1992 IEEE Symposium on Security and Privacy
Privacy Enforcement with an Extended Role-Based Access Control Model
Privacy Enforcement with an Extended Role-Based Access Control Model
The UCONABC usage control model
ACM Transactions on Information and System Security (TISSEC)
Purpose based access control of complex data for privacy protection
Proceedings of the tenth ACM symposium on Access control models and technologies
Privacy and Contextual Integrity: Framework and Applications
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Privacy APIs: Access Control Techniques to Analyze and Verify Legal Privacy Policies
CSFW '06 Proceedings of the 19th IEEE workshop on Computer Security Foundations
RE '06 Proceedings of the 14th IEEE International Requirements Engineering Conference
Formal model and analysis of usage control
Formal model and analysis of usage control
Privacy-aware role based access control
Proceedings of the 12th ACM symposium on Access control models and technologies
Analyzing Regulatory Rules for Privacy and Security Requirements
IEEE Transactions on Software Engineering
Developing Production Rule Models to Aid in Acquiring Requirements from Legal Texts
RE '09 Proceedings of the 2009 17th IEEE International Requirements Engineering Conference, RE
A Method for Identifying Software Requirements Based on Policy Commitments
RE '10 Proceedings of the 2010 18th IEEE International Requirements Engineering Conference
A legal cross-references taxonomy for identifying conflicting software requirements
RE '11 Proceedings of the 2011 IEEE 19th International Requirements Engineering Conference
Hi-index | 0.00 |
Developing an access control system that satisfies the requirements expressed in regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), can help ensure regulatory compliance in software systems. A usage control model that specifies the rules governing information access and usage, as expressed in law, is an important step towards achieving such compliance. Software systems that handle health records must comply with regulations in the HIPAA Privacy and Security Rules. Herein, we analyze the HIPAA Privacy Rule using a grounded theory methodology coupled with an inquiry driven approach to determine the components that must be supported by a usage control model to achieve regulatory-compliant health records usage. In this paper, we propose a usage control model, UCONLEGAL, which extends UCONABC with components to model purposes, cross-references, exceptions, conditions, and logs. We also employ UCONLEGAL to show how to express the access and usage rules we identified in the HIPAA Privacy Rule. Our analysis yielded seven types of conditions specific to HIPAA that we include in UCONLEGAL; these conditions were previously unsupported by existing usage control models.