PARAMETERIZED RBAC AND ARBAC POLICIES FOR A HEALTH CARE FACILITY

Mikhail I. Gofman, C.R. Ramakrishnan, Scott D. Stoller, and Ping Yang
version: 14 January 2009

This policy is based roughly on the policy for a small aged-care facility
described in [Evered 2004]. We extended the policy with parameters and some
aspects of the electronic health records policy in [Becker 2005].

References:

[Evered 2004] Mark Evered and Serge Bogeholz. A Case Study in Access Control
  Requirements for a Health Information System. Proc. 2004 Australasian
  Information Security Workshop (AISW), volume 32 of Conferences in Research
  and Practice in Information Technology.
  http://crpit.com/confpapers/CRPITV32Evered.pdf

[Becker 2005] Moritz Y. Becker. Cassandra: Flexible Trust Management and its
  Application to Electronic Health Records. Ph.D. thesis, University of
  Cambridge, October 2005. http://research.microsoft.com/~moritzb/

TERMINOLOGY
===========

personal information: data entered into the system when a patient is
  admitted, e.g. personal details, medical insurance information, and past
  medical records.

care plan: contains detailed information and instructions regarding the
  day-to-day care of the resident, e.g. what assistance is required with
  meals.

progress notes: notes about changes in the patient's condition. May indicate
  updates to the care plan.

medical records: after each examination, the doctor adds an entry to the
  medical records of the patient.

Agent (called ResponsiblePerson in [Evered 2004]): someone who can make
  decisions on a patient's behalf. The agent is normally selected by the
  patient.

Doctor: doctor of a specific patient. The doctor has access to all the
  medical information of his/her patients and can add entries to their
  medical records. Can also add private notes about a resident, which are
  not visible to health care staff or the manager. Occasionally, due to an
  emergency, we may allow a doctor to examine a patient who is not his/her
  patient. This doctor can then temporarily access the patient's medical
  records, but not the private notes of the patient's usual doctor.

Manager: has the broadest access to the information. The manager can enter
  past medical records when a resident is admitted, but cannot subsequently
  add medical entries to the system. Also, the manager cannot view the
  private notes of doctors and cannot sign legal agreements on behalf of a
  resident. This means that the manager does not have all the permissions
  of a doctor unless the manager is also a doctor.
  -- I am not sure if we should assume that the manager is also a doctor.

MedicalManager: can assign doctors and nurses to medical teams.

Nurse (also called health care worker): must sign a confidentiality
  agreement before gaining access to any resident data. Can view the care
  plan and add progress entries based on their observations. Can view
  recent medical records of residents (up to one year old), but cannot view
  older medical information.

Patient (a.k.a. Resident): can view his/her own personal information and
  medical records, including the private notes of the doctor (which are
  normally not accessible by other doctors), but cannot modify the
  information.

PrimaryDoctor: a patient's primary care physician.

ReferredDoctor: a doctor to whom a patient has been referred by another
  doctor. The referred doctor gains access to the patient's information.

Receptionist: can register patients and make appointments.

ThirdParty, PatientWithTPC: a third party's consent may be required for a
  patient to view part of his own medical record. For example, if a medical
  record contains comments comparing a patient's medical condition with his
  father's, the father is a third party whose consent is required for the
  patient to read those comments. In our model, the third party grants
  consent by adding the patient to the role PatientWithTPC.
ROLE SCHEMAS (15)
=================

Doctor, Doctor(patient), ReferredDoctor(patient), PrimaryDoctor(patient),
Nurse, Receptionist, MedicalTeam(team), ThirdParty(patient), Patient,
Patient(patient), PatientWithTPC(tpc), Agent(patient), Employee, Manager,
MedicalManager

OBJECT SCHEMAS (15)
===================

OldMedicalRecords, OldMedicalRecords(patient), RecentMedicalRecords,
RecentMedicalRecords(patient), MedicalRecordsWithThirdPartyInfo(patient),
PrivateNotes(patient), ProgressNotes, Prescriptions(patient),
PatientPersonalInfo, PatientFinancialInfo, PatientMedicalInfo, CarePlan,
Appointment, LegalAgreement(patient), Bills(patient)

ROLE HIERARCHY
==============

r1 < r2 means that r2 is senior to r1: every member of r2 is also a member
of r1 and inherits its permissions.

Employee < Nurse < Doctor < Receptionist < MedicalManager < Manager
Patient < Patient(patient)
Doctor < Doctor(patient)

CAN_ASSIGN RULES
================

A rule can_assign(r_a, c, r) allows a member of the administrative role r_a
to assign role r to any user who satisfies the precondition c (c = true
means there is no precondition). Variables such as P and T are bound
consistently within a rule, and Self denotes the administrator performing
the assignment.

# Doctor can perform various medical duties
can_assign(Doctor(patient=P), true, ThirdParty(patient=P))
can_assign(Doctor(patient=P), Doctor, ReferredDoctor(patient=P))

# Medical manager can assign doctors and nurses to medical teams
can_assign(MedicalManager, Doctor, MedicalTeam(team=T))
can_assign(MedicalManager, Nurse, MedicalTeam(team=T))

# Manager can hire new workers
can_assign(Manager, true, Employee)
can_assign(Manager, true, MedicalManager)
can_assign(Manager, true, Receptionist)
can_assign(Manager, true, Nurse)
can_assign(Manager, true, Doctor)

# Patient can choose his/her own doctors and agents
can_assign(Patient, true, Agent(patient=Self))
can_assign(Patient, Doctor, PrimaryDoctor(patient=Self))

# Receptionist can admit new patients, and assign them to doctors
can_assign(Receptionist, true, Patient(patient=P))
can_assign(Receptionist, Doctor, Doctor(patient=P))

# Third party can grant approvals
can_assign(ThirdParty(patient=P), Patient(patient=P), PatientWithTPC(tpc=Self))

CAN_REVOKE RULES
================

For each rule can_assign(r_a, c, r) there is a corresponding rule
can_revoke(r_a, r), except that a doctor, not a receptionist, can revoke the
Patient role. This reflects the policy that a patient must be discharged
from the facility by a doctor. Alternatively, we could make the Patient
role irrevocable. The explicit rules are as follows:

can_revoke(Doctor(patient=P), ThirdParty(patient=P))
can_revoke(Doctor(patient=P), ReferredDoctor(patient=P))
can_revoke(MedicalManager, MedicalTeam(team=T))
can_revoke(Manager, Employee)
can_revoke(Manager, MedicalManager)
can_revoke(Manager, Receptionist)
can_revoke(Manager, Nurse)
can_revoke(Manager, Doctor)
can_revoke(Patient, Agent(patient=Self))
can_revoke(Patient, PrimaryDoctor(patient=Self))
can_revoke(Doctor(patient=P), Patient(patient=P))
can_revoke(Receptionist, Doctor(patient=P))
can_revoke(ThirdParty(patient=P), PatientWithTPC(tpc=Self))

SMER CONSTRAINTS
================

# No user can be his/her own primary doctor
SMER(Patient(patient=P), PrimaryDoctor(patient=P))

# No user can be both a doctor and a receptionist
SMER(Receptionist, Doctor)

The SMER constraint SMER(Nurse, Doctor) should probably hold for the RBAC
state to be well-formed, but it does not seem necessary for security, since
doctors have more permissions than nurses, so we omit this constraint from
the policy.

ROLE-PERMISSION ASSIGNMENT
==========================

Note: we wrote parts of the RBAC policy to help illustrate the functions of
each role, but since our main interest is the ARBAC policy, we did not write
a complete RBAC policy.
# Permissions of the doctor
PA(Doctor(patient=P), [View, OldMedicalRecords(patient=P)])
PA(Doctor(patient=P), [View, RecentMedicalRecords(patient=P)])
PA(Doctor(patient=P), [View, PrivateNotes(patient=P)])
PA(Doctor(patient=P), [Add, PrivateNotes(patient=P)])
PA(Doctor(patient=P), [Add, RecentMedicalRecords(patient=P)])
PA(Doctor(patient=P), [View, Prescriptions(patient=P)])
PA(Doctor(patient=P), [Modify, Prescriptions(patient=P)])

# Permissions of the facility manager
PA(Manager, [Access, PatientPersonalInfo])
PA(Manager, [Access, PatientFinancialInfo])
PA(Manager, [Access, PatientMedicalInfo])
PA(Manager, [Enter, OldMedicalRecords])
PA(Manager, [Enter, RecentMedicalRecords])
PA(Manager, [Update, CarePlan])

# Permissions of the receptionist
PA(Receptionist, [Create, Appointment])

# Permissions of the nurse (recent records only; see TERMINOLOGY)
PA(Nurse, [View, CarePlan])
PA(Nurse, [Add, ProgressNotes])
PA(Nurse, [View, RecentMedicalRecords])

# Permissions of the patient
PA(Patient, [View, OldMedicalRecords(patient=Self)])
PA(Patient, [View, RecentMedicalRecords(patient=Self)])
PA(Patient, [Sign, LegalAgreement(patient=Self)])
PA(Patient, [View, Prescriptions(patient=Self)])
PA(Patient, [View, Bills(patient=Self)])

# Permissions of the patient with third-party consent
PA(PatientWithTPC, [View, MedicalRecordsWithThirdPartyInfo(patient=Self)])

SAMPLE ANALYSIS QUESTIONS
=========================

1. (reachability) Can a user initially in Doctor(patient=P) and a user
   initially in Patient(patient=P) together assign the latter user to
   PatientWithTPC(tpc=Self)?

   Answer: Yes. The user in Doctor(patient=P) can assign himself to
   ThirdParty(patient=P) (the precondition of that rule is true) and then,
   as a member of ThirdParty(patient=P), assign the user in
   Patient(patient=P) to PatientWithTPC(tpc=Self), where Self is the doctor.

2. (role-role containment) Is every Doctor an Employee? (i.e., is Doctor
   contained in Employee?)

   Answer: Yes. This follows directly from the role hierarchy, in which
   Employee < Nurse < Doctor.

3. (permission-role containment) Is every user with permission
   [View, RecentMedicalRecords(patient=P)] a member of some role in
   {Doctor(patient=P), Patient(patient=P)}?

   Answer: No. Nurse also has that permission: PA(Nurse, [View,
   RecentMedicalRecords]) is not parameterized by patient, so it covers the
   recent medical records of every patient.

4. (other) Can a user have both of the permissions [Add, ProgressNotes] and
   [Add, PrivateNotes]?

   Answer: Yes. Doctor is senior to Nurse in the role hierarchy, so a user
   in Doctor(patient=P) inherits [Add, ProgressNotes] from Nurse and holds
   [Add, PrivateNotes(patient=P)] directly. The policy also does not enforce
   disjointness of the Doctor and Nurse roles (see the note on
   SMER(Nurse, Doctor) above).
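The can_assign rules, the SMER constraints and the reachability question above can be checked mechanically. The following Python interpreter is an added example and is not part of the original policy document: it encodes the can_assign rules and SMER constraints exactly as listed, treats single capital letters (P, T) as rule variables and Self as the acting administrator, resolves memberships through the role hierarchy, and runs a breadth-first search over assignment actions to answer sample question 1. Assumptions made here: SMER is checked over explicitly assigned roles only; the user names dr and pt and the patient identifier p are constructed for the example; revocation is not searched, which loses nothing for this policy because every precondition is positive, so revoking a role can only ever matter for getting around an SMER constraint.

```python
# Added example: interpreter for the page's parameterized ARBAC rules plus a
# reachability search. Assumed: single capital letters are variables, 'Self'
# is the acting administrator, SMER is checked over explicitly held roles.
from collections import deque
from itertools import product

TRUE = None  # the precondition 'true'
is_var = lambda v: isinstance(v, str) and len(v) == 1 and v.isupper()

def role(name, **params):
    """Role instance or pattern, e.g. role('Doctor', patient='P')."""
    return (name, tuple(sorted(params.items())))

def subst(pattern, bind, admin):
    """Apply variable bindings and Self -> admin to a pattern's parameters."""
    return (pattern[0], tuple((k, admin if v == "Self" else bind.get(v, v))
                              for k, v in pattern[1]))

def unify(pattern, inst, bind):
    """Match a pattern against a role instance; extended bindings or None."""
    if pattern[0] != inst[0] or len(pattern[1]) != len(inst[1]):
        return None
    bind = dict(bind)
    for (pk, pv), (ik, iv) in zip(pattern[1], inst[1]):
        if pk != ik or (bind.setdefault(pv, iv) != iv if is_var(pv) else pv != iv):
            return None
    return bind

CHAIN = ["Employee", "Nurse", "Doctor", "Receptionist", "MedicalManager", "Manager"]
def juniors(held):
    """Roles implied by `held` under the page's hierarchy: the chain of
    unparameterized roles, plus Doctor(p) > Doctor and Patient(p) > Patient."""
    name, params = held
    base = [(name, ())] if params and name in ("Doctor", "Patient") else []
    return base + [(j, ()) for j in CHAIN[:CHAIN.index(name) if name in CHAIN else 0]]

def member(state, user, pattern, bind, admin=None):
    """Bindings under which `user` is a member of `pattern`, else None."""
    for held in state.get(user, ()):
        for r in [held] + juniors(held):
            b = unify(subst(pattern, {}, admin), r, bind)
            if b is not None:
                return b
    return None

CAN_ASSIGN = [  # (administrative role, precondition, target role), from the page
    (role("Doctor", patient="P"), TRUE, role("ThirdParty", patient="P")),
    (role("Doctor", patient="P"), role("Doctor"), role("ReferredDoctor", patient="P")),
    (role("MedicalManager"), role("Doctor"), role("MedicalTeam", team="T")),
    (role("MedicalManager"), role("Nurse"), role("MedicalTeam", team="T")),
    *[(role("Manager"), TRUE, role(r))
      for r in ("Employee", "MedicalManager", "Receptionist", "Nurse", "Doctor")],
    (role("Patient"), TRUE, role("Agent", patient="Self")),
    (role("Patient"), role("Doctor"), role("PrimaryDoctor", patient="Self")),
    (role("Receptionist"), TRUE, role("Patient", patient="P")),
    (role("Receptionist"), role("Doctor"), role("Doctor", patient="P")),
    (role("ThirdParty", patient="P"), role("Patient", patient="P"),
     role("PatientWithTPC", tpc="Self")),
]
SMER = [(role("Patient", patient="P"), role("PrimaryDoctor", patient="P")),
        (role("Receptionist"), role("Doctor"))]

def smer_ok(roles):
    """True unless two held roles match one SMER pair under a single binding."""
    return not any(ba is not None and any(unify(b, y, ba) is not None for y in roles)
                   for a, b in SMER for x in roles for ba in [unify(a, x, {})])

def can_assign(state, admin, target, inst):
    """May `admin` assign role instance `inst` to `target` in `state`?"""
    for admin_role, pre, tgt in CAN_ASSIGN:
        bind = unify(subst(tgt, {}, admin), inst, {})  # does the rule's target fit?
        bind = bind if bind is None else member(state, admin, admin_role, bind, admin)
        if bind is not None and (pre is TRUE or member(state, target, pre, bind, admin) is not None):
            return smer_ok(set(state.get(target, ())) | {inst})
    return False

def reachable(init, users, consts, goal_user, goal_role):
    """BFS over assignments (finite: memberships only grow). Returns the
    (admin, target, role) steps that reach the goal membership, or None."""
    start = frozenset((u, r) for u, rs in init.items() for r in rs)
    seen, todo = {start: None}, deque([start])
    while todo:
        cur = todo.popleft()
        state = {}
        for u, r in cur:
            state.setdefault(u, set()).add(r)
        if member(state, goal_user, goal_role, {}) is not None:
            steps = []
            while seen[cur]:
                cur, step = seen[cur]
                steps.append(step)
            return steps[::-1]
        for admin, (_, _, tgt), target in product(users, CAN_ASSIGN, users):
            vs = sorted({v for _, v in tgt[1] if is_var(v)})  # ground P, T over consts
            for vals in product(consts, repeat=len(vs)):
                inst = subst(tgt, dict(zip(vs, vals)), admin)
                nxt = cur | {(target, inst)}
                if nxt not in seen and can_assign(state, admin, target, inst):
                    seen[nxt] = (cur, (admin, target, inst))
                    todo.append(nxt)
    return None

def question_1():
    """Sample analysis question 1 from the page, answered mechanically."""
    init = {"dr": {role("Doctor", patient="p")}, "pt": {role("Patient", patient="p")}}
    return reachable(init, ["dr", "pt"], ["p"], "pt", role("PatientWithTPC", tpc="dr"))
```

question_1() returns exactly the two administrative steps the answer above describes: dr assigns ThirdParty(patient=p) to himself, then assigns PatientWithTPC(tpc=dr) to pt. Checking SMER over explicit assignments rather than inherited memberships is deliberate: as written on the page, Receptionist is senior to Doctor in the hierarchy, so a check over inherited memberships would make SMER(Receptionist, Doctor) reject every assignment of the Receptionist role.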