
An Authoring Framework for Security Policies: A Use-Case within the Healthcare Domain

  • Conference paper
Electronic Healthcare (eHealth 2010)

Abstract

Traditionally, the definition and the maintenance of security and access control policies have been the exclusive task of system administrators or security officers. In modern distributed and heterogeneous systems, there is a need to allow different stakeholders to create and edit their security and access control preferences. To solve this problem, two main challenges need to be met. First, authoring tools with different user interfaces should be designed and adapted to match the domain background and the degree of expertise of each stakeholder. For example, policy authoring tools for a patient or a doctor should be user friendly and not contain any technical details, while those for security administrators can be more sophisticated and contain more details. Second, conflicts that can arise among security policies defined by different stakeholders must be considered by these authoring tools at runtime. Furthermore, warnings and assisting messages must be provided to help define correct policies and to avoid potential security risks. Towards meeting these challenges, we propose an authoring framework for security policies. This framework enables building authoring tools that take into consideration the views of different stakeholders.

This work was partially supported by the Austrian Federal Ministry of Economy as part of the Laura-Bassi – Living Models for Open Systems – project FFG 822740/QE LaB, see http://lab.q-e.at/




Copyright information

© 2011 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Trojer, T., Katt, B., Wozak, F., Schabetsberger, T. (2011). An Authoring Framework for Security Policies: A Use-Case within the Healthcare Domain. In: Szomszor, M., Kostkova, P. (eds) Electronic Healthcare. eHealth 2010. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 69. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-23635-8_1


  • DOI: https://doi.org/10.1007/978-3-642-23635-8_1

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-23634-1

  • Online ISBN: 978-3-642-23635-8

  • eBook Packages: Computer Science, Computer Science (R0)
