Enforcing Minimum Necessary Access in Healthcare Through Integrated Audit and Access Control

Authors:
Paul Martin;Aviel D. Rubin;Rafae Bhatti
Affiliations:
Information Security Institute, Johns Hopkins University;Information Security Institute, Johns Hopkins University;PwC, USA
Venue:
Proceedings of the International Conference on Bioinformatics, Computational Biology and Biomedical Informatics
Year:
2013

Citing 16
Cited 0

Completing an MIMD multiprocessor taxonomy

ACM SIGARCH Computer Architecture News
A Survey of Parallel Computer Architectures

Computer
Role-Based Access Control Models

Computer
Configuring role-based access control to enforce mandatory and discretionary access control policies

ACM Transactions on Information and System Security (TISSEC)
Proposed NIST standard for role-based access control

ACM Transactions on Information and System Security (TISSEC)
Algorithms and Experience in Increasing the Intelligibility and Hygiene of Access Control in Large Organizations

Proceedings of the IFIP TC11/ WG11.3 Fourteenth Annual Working Conference on Database Security: Data and Application Security, Development and Directions
PBDM: a flexible delegation model in RBAC

Proceedings of the eighth ACM symposium on Access control models and technologies
Challenges Associated with Privacy in Health Care Industry: Implementation of HIPAA and the Security Rules

Journal of Medical Systems
Audit-based compliance control

International Journal of Information Security
Evaluating MapReduce for Multi-core and Multiprocessor Systems

HPCA '07 Proceedings of the 2007 IEEE 13th International Symposium on High Performance Computer Architecture
MapReduce: simplified data processing on large clusters

Communications of the ACM - 50th anniversary issue: 1958 - 2008
Patterns for parallel programming

Patterns for parallel programming
Towards improved privacy policy coverage in healthcare using policy refinement

SDM'07 Proceedings of the 4th VLDB conference on Secure data management
Some computer organizations and their effectiveness

IEEE Transactions on Computers
Policy auditing over incomplete logs: theory, implementation and applications

Proceedings of the 18th ACM conference on Computer and communications security
Experience-Based Access Management: A Life-Cycle Framework for Identity and Access Management Systems

IEEE Security and Privacy

Quantified Score

Hi-index	0.00

Visualization

Abstract

One of the most important requirements of HIPAA is the "minimum-necessary" access requirement, which states that healthcare personnel must be granted no more access to electronic healthcare data than is necessary in order to work effectively. Due to the complexity of constructing such a policy, many hospitals do not comply with the regulation and instead manually audit the logs when they suspect that abuse has occurred. This audit-only approach is error-prone and difficult due to the volume of data contained in the logs. To address this problem, we have built a policy engine capable of automatically auditing logs and separating normal accesses from abnormal accesses. Our policy engine implicitly constructs role-based policies from the audit data in order to produce a workable policy that can be used to enforce minimum-necessary access. The policy engine can also audit an existing role-based access policy by comparing it to observed accesses in order to determine whether the existing policy is overpermissive compared to actual usage patterns.