A Study of Access Control Requirements for Healthcare Systems based on Audit Trails from Access Logs. Rostad, L. and Edsberg, O. In Proceedings of the Annual Computer Security Applications Conference (ACSAC), pages 175-186, December 2006. IEEE Press. http://dx.doi.org/10.1109/ACSAC.2006.8
In healthcare, role-based access control systems are often extended with exception mechanisms to ensure access to needed information even when the needs don't follow the expected patterns. Exception mechanisms increase the threats to patient privacy, and therefore their use should be limited and subject to auditing. We have studied access logs from a hospital EPR system with extensive use of exception-based access control. We found that the uses of the exception mechanisms were too frequent and widespread to be considered exceptions. The huge size of the log and the use of pre-defined or uninformative reasons for access make it infeasible to audit the log for misuse. The informative reasons that were given provided starting points for requirements on how the usage needs should be accomplished without exception-based access. With more structured and fine-grained logging, analysis of access logs could be a very useful tool for learning how to reduce the need for exception-based access.
@inProceedings{rostad:acsac2006,
 title = {A Study of Access Control Requirements for Healthcare Systems based on Audit Trails from Access Logs},
 type = {inProceedings},
 year = {2006},
 keywords = {access-control,health-it,healthcare},
 pages = {175-186},
 websites = {http://dx.doi.org/10.1109/ACSAC.2006.8},
 month = {12},
 publisher = {IEEE Press},
 id = {59fe10b8-8f09-3195-b649-43dacfca97e2},
 created = {2018-07-12T21:31:42.290Z},
 file_attached = {false},
 profile_id = {f954d000-ce94-3da6-bd26-b983145a920f},
 group_id = {b0b145a3-980e-3ad7-a16f-c93918c606ed},
 last_modified = {2018-07-12T21:31:42.290Z},
 read = {false},
 starred = {false},
 authored = {false},
 confirmed = {true},
 hidden = {false},
 citation_key = {rostad:acsac2006},
 source_type = {inproceedings},
 private_publication = {false},
 abstract = {In healthcare, role-based access control systems are often extended with exception mechanisms to ensure access to needed information even when the needs don't follow the expected patterns. Exception mechanisms increase the threats to patient privacy, and therefore their use should be limited and subject to auditing. We have studied access logs from a hospital EPR system with extensive use of exception-based access control. We found that the uses of the exception mechanisms were too frequent and widespread to be considered exceptions. The huge size of the log and the use of pre-defined or uninformative reasons for access make it infeasible to audit the log for misuse. The informative reasons that were given provided starting points for requirements on how the usage needs should be accomplished without exception-based access. With more structured and fine-grained logging, analysis of access logs could be a very useful tool for learning how to reduce the need for exception-based access.},
 bibtype = {inProceedings},
 author = {Rostad, Lillian and Edsberg, Ole},
 booktitle = {Proceedings of the Annual Computer Security Applications Conference (ACSAC)}
}