Qais Tasali, Christine Sublett, Eugene Y. Vasserman
{"title":"可控的BTG:在可互操作的医疗系统中实现灵活的紧急覆盖","authors":"Qais Tasali, Christine Sublett, Eugene Y. Vasserman","doi":"10.4108/eai.13-7-2018.163213","DOIUrl":null,"url":null,"abstract":"INTRODUCTION: In medical cyber-physical systems (mCPS), availability must be prioritized over other security properties, making it challenging to craft least-privilege authorization policies which preserve patient safety and confidentiality even during emergency situations. For example, unauthorized access to device(s) connected to a patient or an app controlling these devices could result in patient harm. Previous work has suggested a virtual version of “Break the Glass” (BTG), an analogy to breaking a physical barrier to access a protected emergency resource such as a fire extinguisher or “crash cart”. In healthcare, BTG is used to override access controls and allow for unrestricted access to resources, e.g. Electronic Health Records. After a “BTG event” completes, the actions of all concerned parties are audited to validate the reasons and legitimacy for the override. OBJECTIVES: Medical BTG has largely been treated as an all-or-nothing scenario: either a means to obtain unrestricted access is provided, or BTG is not supported. We show how to handle BTG natively within the ABAC model, maintaining full compatibility with existing access control frameworks, putting BTG in the policy domain rather than requiring framework modifications. This approach also makes BTG more flexible, allowing for fine-grained facility-specific policies, and even automates auditing in many situations, while maintaining the principle of least-privilege. METHODS: We do this by constructing a BTG “meta-policy” which works with existing access control policies by explicitly allowing override when requested. RESULTS: We present a sample BTG policy and formally verify that the resulting combined set of access control policies correctly satisfies the goals of the original policy set and allows expanded access during a BTG event. We show how to use the same verification methods to check new policies, easing the process of crafting least-privilege policies. Received on 21 December 2019; accepted on 18 February 2020; published on 19 February 2020","PeriodicalId":335727,"journal":{"name":"EAI Endorsed Trans. Security Safety","volume":"8 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2020-02-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":"{\"title\":\"Controlled BTG: Toward Flexible Emergency Override in Interoperable Medical Systems\",\"authors\":\"Qais Tasali, Christine Sublett, Eugene Y. Vasserman\",\"doi\":\"10.4108/eai.13-7-2018.163213\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"INTRODUCTION: In medical cyber-physical systems (mCPS), availability must be prioritized over other security properties, making it challenging to craft least-privilege authorization policies which preserve patient safety and confidentiality even during emergency situations. For example, unauthorized access to device(s) connected to a patient or an app controlling these devices could result in patient harm. Previous work has suggested a virtual version of “Break the Glass” (BTG), an analogy to breaking a physical barrier to access a protected emergency resource such as a fire extinguisher or “crash cart”. In healthcare, BTG is used to override access controls and allow for unrestricted access to resources, e.g. Electronic Health Records. After a “BTG event” completes, the actions of all concerned parties are audited to validate the reasons and legitimacy for the override. OBJECTIVES: Medical BTG has largely been treated as an all-or-nothing scenario: either a means to obtain unrestricted access is provided, or BTG is not supported. We show how to handle BTG natively within the ABAC model, maintaining full compatibility with existing access control frameworks, putting BTG in the policy domain rather than requiring framework modifications. This approach also makes BTG more flexible, allowing for fine-grained facility-specific policies, and even automates auditing in many situations, while maintaining the principle of least-privilege. METHODS: We do this by constructing a BTG “meta-policy” which works with existing access control policies by explicitly allowing override when requested. RESULTS: We present a sample BTG policy and formally verify that the resulting combined set of access control policies correctly satisfies the goals of the original policy set and allows expanded access during a BTG event. We show how to use the same verification methods to check new policies, easing the process of crafting least-privilege policies. Received on 21 December 2019; accepted on 18 February 2020; published on 19 February 2020\",\"PeriodicalId\":335727,\"journal\":{\"name\":\"EAI Endorsed Trans. Security Safety\",\"volume\":\"8 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2020-02-19\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"3\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"EAI Endorsed Trans. Security Safety\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.4108/eai.13-7-2018.163213\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"EAI Endorsed Trans. Security Safety","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.4108/eai.13-7-2018.163213","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Controlled BTG: Toward Flexible Emergency Override in Interoperable Medical Systems
INTRODUCTION: In medical cyber-physical systems (mCPS), availability must be prioritized over other security properties, making it challenging to craft least-privilege authorization policies which preserve patient safety and confidentiality even during emergency situations. For example, unauthorized access to device(s) connected to a patient or an app controlling these devices could result in patient harm. Previous work has suggested a virtual version of “Break the Glass” (BTG), an analogy to breaking a physical barrier to access a protected emergency resource such as a fire extinguisher or “crash cart”. In healthcare, BTG is used to override access controls and allow for unrestricted access to resources, e.g. Electronic Health Records. After a “BTG event” completes, the actions of all concerned parties are audited to validate the reasons and legitimacy for the override. OBJECTIVES: Medical BTG has largely been treated as an all-or-nothing scenario: either a means to obtain unrestricted access is provided, or BTG is not supported. We show how to handle BTG natively within the ABAC model, maintaining full compatibility with existing access control frameworks, putting BTG in the policy domain rather than requiring framework modifications. This approach also makes BTG more flexible, allowing for fine-grained facility-specific policies, and even automates auditing in many situations, while maintaining the principle of least-privilege. METHODS: We do this by constructing a BTG “meta-policy” which works with existing access control policies by explicitly allowing override when requested. RESULTS: We present a sample BTG policy and formally verify that the resulting combined set of access control policies correctly satisfies the goals of the original policy set and allows expanded access during a BTG event. We show how to use the same verification methods to check new policies, easing the process of crafting least-privilege policies. Received on 21 December 2019; accepted on 18 February 2020; published on 19 February 2020
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
