Controlled BTG: Toward Flexible Emergency Override in Interoperable Medical Systems

Qais Tasali, Christine Sublett, Eugene Y. Vasserman
Citations: 3

Abstract

INTRODUCTION: In medical cyber-physical systems (mCPS), availability must be prioritized over other security properties, making it challenging to craft least-privilege authorization policies which preserve patient safety and confidentiality even during emergency situations. For example, unauthorized access to device(s) connected to a patient or an app controlling these devices could result in patient harm. Previous work has suggested a virtual version of “Break the Glass” (BTG), an analogy to breaking a physical barrier to access a protected emergency resource such as a fire extinguisher or “crash cart”. In healthcare, BTG is used to override access controls and allow for unrestricted access to resources, e.g. Electronic Health Records. After a “BTG event” completes, the actions of all concerned parties are audited to validate the reasons and legitimacy for the override.

OBJECTIVES: Medical BTG has largely been treated as an all-or-nothing scenario: either a means to obtain unrestricted access is provided, or BTG is not supported. We show how to handle BTG natively within the ABAC model, maintaining full compatibility with existing access control frameworks, putting BTG in the policy domain rather than requiring framework modifications. This approach also makes BTG more flexible, allowing for fine-grained facility-specific policies, and even automates auditing in many situations, while maintaining the principle of least privilege.

METHODS: We do this by constructing a BTG “meta-policy” which works with existing access control policies by explicitly allowing override when requested.

RESULTS: We present a sample BTG policy and formally verify that the resulting combined set of access control policies correctly satisfies the goals of the original policy set and allows expanded access during a BTG event. We show how to use the same verification methods to check new policies, easing the process of crafting least-privilege policies.
Received on 21 December 2019; accepted on 18 February 2020; published on 19 February 2020