On XACML's adequacy to specify and to enforce HIPAA

Authors:
Omar Chowdhury;Haining Chen;Jianwei Niu;Ninghui Li;Elisa Bertino
Affiliations:
The University of Texas at San Antonio, San Antonio, TX;Purdue University, West Lafayette, IN;The University of Texas at San Antonio, San Antonio, TX;Purdue University, West Lafayette, IN;Purdue University, West Lafayette, IN
Venue:
HealthSec'12 Proceedings of the 3rd USENIX conference on Health Security and Privacy
Year:
2012

Citing 13
Cited 2

Protection in operating systems

Communications of the ACM
Design of a Role-Based Trust-Management Framework

SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Privacy and Contextual Integrity: Framework and Applications

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Privacy APIs: Access Control Techniques to Analyze and Verify Legal Privacy Policies

CSFW '06 Proceedings of the 19th IEEE workshop on Computer Security Foundations
A logical framework for history-based access control and reputation systems

Journal of Computer Security
Spin model checker, the: primer and reference manual

Spin model checker, the: primer and reference manual
A Formalization of HIPAA for a Medical Messaging System

TrustBus '09 Proceedings of the 6th International Conference on Trust, Privacy and Security in Digital Business
Toward practical authorization-dependent user obligation systems

ASIACCS '10 Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security
Experiences in the logical specification of the HIPAA and GLBA privacy laws

Proceedings of the 9th annual ACM workshop on Privacy in the electronic society
Policy auditing over incomplete logs: theory, implementation and applications

Proceedings of the 18th ACM conference on Computer and communications security
On practical specification and enforcement of obligations

Proceedings of the second ACM conference on Data and Application Security and Privacy
Policy monitoring in first-order temporal logic

CAV'10 Proceedings of the 22nd international conference on Computer Aided Verification
Formalizing and Enforcing Purpose Restrictions in Privacy Policies

SP '12 Proceedings of the 2012 IEEE Symposium on Security and Privacy

Privacy by design: a formal framework for the analysis of architectural choices

Proceedings of the third ACM conference on Data and application security and privacy
Privacy promises that can be kept: a policy analysis method with application to the HIPAA privacy rule

Proceedings of the 18th ACM symposium on Access control models and technologies

Quantified Score

Hi-index	0.00

Visualization

Abstract

In the medical sphere, personal and medical information is collected, stored, and transmitted for various purposes, such as, continuity of care, rapid formulation of diagnoses, and billing. Many of these operations must comply with federal regulations like the Health Insurance Portability and Accountability Act (HIPAA). To this end, we need a specification language that can precisely capture the requirements of HIPAA. We also need an enforcement engine that can enforce the privacy policies specified in the language. In the current work, we evaluate eXtensible Access Control Markup Language (XACML) as a candidate specification language for HIPAA privacy rules. We evaluate XACML based on the set of features required to sufficiently express HIPAA, proposed by a prior work. We also discuss which of the features necessary for expressing HIPAA are missing in XACML. We then present high level designs of how to enhance XACML's enforcement engine to support the missing features.