First Doctoral Symposium on Engineering Secure Software und Systems Access Control Policy Administration supporting User-defined Privacy Preferences A Use-case in the context of Patient-centric Health-care Thomas Trojer and Ruth Breu (Supervisor) Institute of Computer Science, University of Innsbruck, Austria thomas.trojer@uibk.ac.at Abstract. The protection of medical records is understood to be an issue related to privacy and therefore closely bound to the patient her- /himself, playing a crucial role in networked electronic health-care. Award- ing users to have control over personal data stored and processed by information systems is important as it allows a user to communicate in- dividual privacy concerns. Still, users self-maintaining controls of access to their personal data poses challenges regarding its implementation. A major issue is that users are typically non-security experts and have only limited knowledge of the context domain. Regarding our use-case patients may not be fully familiar with all activities related to informa- tion processing e.g., during a medical treatment, therefore not able to properly decide on privacy and authorization measures. In our work we discuss the development of access control authoring tools to allow non- expert users to create, analyse and adjust personal privacy policies. We propose the integration of domain aspects into the development process of such tools. With extended knowledge about the domain the creation of policy rules can be bound to high-level activity descriptions and policy analysis can be performed in a domain-aware manner. 1 Motivation Modern information systems are able to store, retrieve an process vast amounts of data. Further extended by networking capabilities and driven by the increased personal use of information technology a wide range of data can be collected and combined to form new processable content. The collection of data can be critical without means of regulating access to it when requests for provisioning or processing are made. With respect to the actual use-case, data can be considered as e.g., confidential according to its content or sensitive in terms of identifying individual persons. In a common use-case scenario a person responsible for security matters, like an administrator, defines access control policies which constitute appropriate security measures for all protected resources. In the case of person-identifying information, such policies do not necessarily reflect the conception of the identi- fied individual on how to access-protect these information. By declaring privacy as a right about information self-determination, e.g., within the European Data ESSoS-DS 2012 Feb 15, 2012 First Doctoral Symposium on Engineering Secure Software und Systems Protection Directive 1 an individual user is awarded a distinguished role within privacy management processes. This can be interpreted as the required ability of a user to influence the definition of enforceable access control policies which constitute data privacy related to the user’s personal conception. 1.1 Use-case: Patient-centric Electronic Health-care We consider a use-case from the Austrian e-Health initiative which started in 2006 as a governmental workgroup. A central goal of this initiative is the es- tablishment of a distributed shared electronic health-record for all citizens of Austria. It has been shown that a holistic medical history of a patient improves the health-care infrastructure from an economical perspective as well as from a viewpoint of effectiveness regarding medical treatments. Still, because of the high degree of sensitivity which is observed in most medical data, privacy is a concern of utmost importance to be tackled. In the context of this initiative we want to contribute methods with a strong focus on patient-centricity by estab- lishing personal control over privacy-relevant health data. 2 Problem statement A general problem question can be raised as follows: How can a user, considered a non-security and non-domain expert, be supported during the declaration of access control policies in a way that she/he is aware about consequences to certain evaluation criteria, first and foremost personal privacy and e.g., the effectiveness of the information system. Two potential user actions can be derived from this problem question. First, a user has to be provided with tools to create access control policies and second a currently active policy has to be visualized in a way that the user can understand how it influences the information flow of the system. Visualizing active policies is especially important to allow a user to reconsider the policies’ appropriateness. Therefore a user is able to adjust a policy in a way so that it fits her/his personal conception of access control. 3 Contributions We contribute a framework using domain characteristics to develop user inter- faces for access control policy authoring. Further this framework includes a policy analysis component capable of providing users with feedback during their actions within the policy authoring process. A central step to be performed is therefore the modeling of domain entities and their relationships as well as the annota- tion of the domain model with attributes from the access control domain. In the context of our use-case we identify e.g., a medical practitioner or pharmacist as subjects of access control, whereas medical records or referrals are considered 1 see Directive 95/46/EC, http://ec.europa.eu/justice/policies/privacy/ law/index_en.htm ESSoS-DS 2012 Feb 15, 2012 First Doctoral Symposium on Engineering Secure Software und Systems resources to be protected by access control. A basic API to work with domain entities and access control policy elements can be generated from that model. Based on this model we designed a generic authoring process [10] that leads to the creation of access control policies. This process allows for policy creation and adaptation, which can be triggered by the user. In this work we want to emphasize two research directions in order to reach our objective of providing a non-expert user with access control authoring tools to establish privacy policies. These are described in the following sections. 3.1 Scenario-based Access Control Policy Authoring John Carroll [3] coined the term scenarios as stories about people and their activities, e.g., related to the tasks of their work. We propose scenario-based authoring as a method to create and further visualize access control policies in a usable way. This is important as users typically lack of knowledge about the underlying access control concepts and therefore have to be supported during the authoring process [12, 2]. The first step of our approach regards the elicitation of typical working activ- ities of the domain. Only working activities which involve information processing in an arbitrary way are considered as they can be related to access control. In our context we tackled this step by performing a case-study about stakeholders and some of their activities in the domain of electronic health records in Austria [9]. Next the selected working activities have to be translated to our template language. A template consists of the attributes identifying and describing the working activity in natural language and further a set of access control rules which are written to the user policy once a template instance is executed. User control is established via user interface form input fields which represent domain and environment information (e.g. time, date, location or cardinalities) and are bound to variables used within the policy rules of the template. Fig. 1 shows a basic scenario from our electronic health-care use-case, namely, the selection of a family practitioner performed by a citizen stakeholder. In this example two inputs are provided, the name of the family practitioner and whether all doc- uments (i.e. also all future ones) shall be accessible or only the ones currently stored about a patient. By executing a template instance one permit-rule is created allowing the selected practitioner (i.e. the subject of the access control target) to access patient health records. Similarly a query can be formed to vi- sualize a selected family practitioner to the user by asking who is permitted to read all documents. The template language including access control rules and queries are cur- rently developed and described in a formal way. With this work we target the field of usable security. 3.2 Domain-based Access Control Policy Analysis We see two situations where a user may be encouraged to reconsider her/his access control settings and to adjust them if necessary. First, if the representation ESSoS-DS 2012 Feb 15, 2012 First Doctoral Symposium on Engineering Secure Software und Systems Fig. 1. Scenario-based policy authoring leading to privacy policies and visualization. of currently active settings can be provided in a readable way the user is able to detect differences between these settings and her/his intended settings. Therefore we propose to use scenario-based policy templates (see Section 3.1) to increase understandability of a user policy. Besides a user adjusting her/his policy based on a manual interpretation, policies may also carry conflicts or influence arbitrary system properties and the user in a negative way. Therefore we identify a second situation for adjust- ing a policy, namely triggered by feedback of a performed policy analysis. In general policy analysis is extensively discussed in literature (see e.g., [7, 8, 1]), but mainly based on conflict detection regarding the interplay of different policy rules. Work, as e.g., done by Michael LeMay [6] and Katie Fisler [4] consider a policy model together with the domain where policies are deployed on. Based on these works we propose the definition of high-level evaluation criteria which interact. These criteria can be attached to the policy authoring activity leading to a balancing act during access control configuration in order to satisfy best all evaluation criteria. In our previous work [9] we considered privacy and informa- tion system effectiveness as evaluation criteria to be balanced. There, based on a domain model and models for each evaluation criteria, domain-aware analysis rules integrating all evaluation aspects can be generated. For our use-case we defined a trivial privacy model consisting of permissions and restrictions and an information system effectiveness model. This effective- ness model consists of personal relationships between subjects and needs-to-know relations between subjects and protected resources (see Fig. 2). Regarding pri- vacy the lack of a permission can be interpreted as increased privacy. On the other hand the absence of one or both the personal relationship or the needs- to-know relation decreases the need of the information system to be effective towards these attributes. E.g. a family practitioner earns an associated personal relationship connecting her/him to the patient, further needs-to-know relations to all patient’s data are established. Now, a patient restricting this practitioner from reading any data would obviously contribute to the her/his privacy, still the health-care information system would not effectively operate anymore. An ESSoS-DS 2012 Feb 15, 2012 First Doctoral Symposium on Engineering Secure Software und Systems effectiveness warning with detailed information about its reasons is provided to the user, which in turn may react on it by adjusting her/his settings. Effectiveness model <> <> Personal relationship Needs to know [Association, Class] [Association] e.g. conditions, obligations, etc. from to references defined for refined by <> Access decision <> <> <> Permit Subject Resource Action Deny [Class] [Class] [Class] ... defined by defined by defined by results in <> Authorization rule Access target based on Authorization policy model Core policy entities (privacy model) Fig. 2. Evaluation criteria privay and effectiveness applied to core policy entities and used for domain-aware policy analysis. 4 Research Plan In an ongoing project with our industry partner ITH-icoserve for healthcare technology, a subsidiary company of Siemens and a local hospital provider, we are developing an access control policy authoring application based on a secured IHE-based infrastructure 2 for shared patient health-records. Currently we have considered access control enforcement based on IHE XDS2 and auxiliary profiles [5, 10], for which our industry partner is an implementer and tested for conformity and interoperability. Further a prototypical author- ing portal application was developed [9]. In order to let the policy authoring reflect the actual domain, we employ a model-driven process which generates a policy API based on a domain and access control model [11]. Our approach for domain-aware policy analysis, which is based on balancing of evaluation criteria will also build upon the policy API. Evaluation criteria we currently consider is the correlation between permitted or restricted access, personal relationships between stakeholders and the importance to have certain data available to spe- cific stakeholders. In future work we also want to study other criteria, e.g., the purpose-relatedness of permitted data accesses. 2 see IHE IT-Infrastructure Technical Framework, http://www.ihe.net/ Technical_Framework/index.cfm#IT ESSoS-DS 2012 Feb 15, 2012 First Doctoral Symposium on Engineering Secure Software und Systems Generally we apply methods from design science to develop the aforemen- tioned artifacts for patient-controlled access control. Usable methods for au- thoring and analysis of policies are our main focus. Further we will perform additional case studies to justify the application of these approaches within our use-case. As human interaction with the authoring application is a central part of this work, therefore we will also conduct a usability study to evaluate the use- fulness of working scenarios and templates to maintain access control policies. A fully features authoring portal application is planned to be integrated into a health information system built by our industry partner and deployed to our regional health-care infrastructure. This will consist of templates for adapting authorization policies as well as policy analysis to inform a citizen about the consequences of certain access control settings. Finally the deployed system has to be evaluated regarding its performance and user acceptance. References 1. E. Bertino, B. Catania, E. Ferrari, and P. Perlasca. A logical framework for rea- soning about access control models. In Proceedings of the sixth ACM symposium on Access control models and technologies, SACMAT ’01, 2001. 2. S. Brostoff, M. A. Sasse, D. Chadwick, J. Cunningham, U. Mbanaso, and S. Otenko. R-What? Development of a Role-Based Access Control (RBAC) Policy-Writing Tool for e-Scientists. Software: Practice and Experience, 35(9):835–856, July 2005. 3. J. Carroll. Five reasons for scenario-based design. Interacting with Computers, 13(1):43 – 60, 2000. 4. K. Fisler and S. Krishnamurthi. A model of triangulating environments for policy authoring. In Proceeding of the 15th ACM symposium on Access control models and technologies, SACMAT ’10, 2010. 5. B. Katt, T. Trojer, R. Breu, T. Schabetsberger, and F. Wozak. Meeting ehr security requirements: Seaas approach. In EFMI STC 2010. Accepted, June 2010. 6. M. LeMay, O. Fatemieh, and C. A. Gunter. PolicyMorph: interactive policy trans- formations for a logical attribute-based access control framework. In Proceedings of the 12th ACM symposium on Access control models and technologies, SACMAT ’07, 2007. 7. E. Lupu and M. Sloman. Conflicts in Policy-based Distributed Systems Manage- ment. IEEE Transactions on Software Engineering, 25, 1999. 8. J. D. Moffett and M. S. Sloman. Policy conflict analysis in distributed system management, 1993. 9. T. Trojer, B. Katt, T. Schabetsberger, R. Breu, and R. Mair. Considering privacy and effectiveness of authorization policies for shared electronic health records. In ACM IHI 2012 (in press), 2012. 10. T. Trojer, B. Katt, T. Schabetsberger, R. Mair, and R. Breu. The Process of Policy Authoring of Patient-controlled Privacy Preferences. In eHealth 2011. 11. T. Trojer, B. Katt, F. Wozak, and T. Schabetsberger. An Authoring Framework for Security Policies: A Use-case within the Healthcare Domain. In eHealth 2010, 2010. 12. T. Whalen, D. Smetters, and E. F. Churchill. User experiences with sharing and access control. In CHI ’06 extended abstracts on Human factors in computing systems, CHI EA ’06, pages 1517–1522, New York, NY, USA, 2006. ACM. ESSoS-DS 2012 Feb 15, 2012