1. Access Control in Healthcare
Bell-LaPadula model application scenario
Rui Filipe Pedro Quelhas PG15590
Tiago Costa Oliveira PG15384
2. Context (BLP)
security model, not policy
- a policy describes a security system requirement
- a model is a mechanism that formally implements a policy
developed from the confidentiality point of view
hybrid model that combines both DAC/IBAC and MAC policy specifications
static model, with no flexibility in labels/clearances
basis of several standards, including DoD’s TCSEC, aka the “Orange Book”
its biggest concern is the information flow between the different levels of a system (the Multi-level Security concept)
relies on the principle “information can’t flow downwards”, which it implements with two clear rules:
- simple security property -> enforces a “no read up” rule
- * property -> enforces a “no write down” rule
3. Context (healthcare)
a considerable group of subjects, such as nurses, practitioners, doctors, administrators and other technical staff
a restricted set of objects, with special relevance of the patient’s medical record (today, in technological environments, the EMR)
models like BLP were developed for military purposes, and their static and rigid approach is in contrast with the healthcare system’s emergency character
conflict of interests is not a critical problem but...
...patient confidentiality, authentication of records and integrity are
ethics compliance policies are strictly required
the system needs to adapt itself to the subjects, not the other way around
emergency situations require more flexible mechanisms
4. Proposed lattice (part 1)
the security state b x M x f captures all current permissions and all current instances of subjects accessing objects, thereby defining the security states
- b represents the set of current accesses defined by tuples (s,o,a) indicating that the
subject s performs an operation a on the object o
- M is a set of the access control lists or matrices (DAC ideology)
- f is a set of security level assignments defined by tuples (fs,fc,fo), where fs indicates the maximum security level (clearance) and fc the current security level of a subject, and fo gives the classification of each object (MAC ideology)
as in BLP, an object can be public, confidential, secret or, at most, top-secret, and access to it is restricted by a certain match with the subject’s security levels
the “no read up” and “no write down” properties implemented by BLP on an MLS system are enforced using these concepts and can be formally represented as a lattice
the lattice determines a partial order and defines the dominance of each element in the system, clearly representing the allowed operations (read, write) and the direction of the information flow
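As an added example (not part of the original slides), the security state and the two rules described above can be written as a small reference monitor. The lattice is reduced to the chain public < confidential < secret < top-secret with no compartments, “write” is treated as write-only (a read-write mode would also need fc to dominate fo), and the subjects, objects and labels are constructed for illustration.

```python
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top-secret": 3}

def dominates(high, low):
    """Lattice partial order (a chain here): high dominates low iff its level is >= low's."""
    return LEVELS[high] >= LEVELS[low]

class BLPState:
    """Security state (b, M, f): b = current accesses, M = DAC matrix, f = (fs, fc, fo)."""

    def __init__(self, fs, fc, fo, M):
        self.fs, self.fc, self.fo = fs, fc, fo  # clearance, current level, classification
        self.M = M                              # {(subject, object): set of modes}
        self.b = set()                          # current accesses as (s, o, a) tuples

    def check(self, s, o, a):
        # DAC part: the discretionary matrix M must grant mode a for (s, o).
        if a not in self.M.get((s, o), set()):
            return False, "denied by M (DAC)"
        # Simple security property (no read up): clearance fs must dominate fo.
        if a == "read" and not dominates(self.fs[s], self.fo[o]):
            return False, "no read up (simple security property)"
        # *-property on reads: the current level fc must dominate fo as well.
        if a == "read" and not dominates(self.fc[s], self.fo[o]):
            return False, "current level below object (*-property)"
        # *-property on (write-only) writes: fo must dominate fc, i.e. no write down.
        if a == "write" and not dominates(self.fo[o], self.fc[s]):
            return False, "no write down (*-property)"
        return True, "granted"

    def request(self, s, o, a):
        """Reference monitor: record (s, o, a) in b only if the state stays secure."""
        ok, reason = self.check(s, o, a)
        if ok:
            self.b.add((s, o, a))
        return ok, reason

def build_example_state():
    # Constructed labels (hypothetical): a nurse cleared to 'confidential' and a
    # doctor cleared to 'secret' who is currently working at 'confidential'.
    fs = {"nurse": "confidential", "doctor": "secret"}
    fc = {"nurse": "confidential", "doctor": "confidential"}
    fo = {"emr": "secret", "ward_notice": "public"}
    M = {("nurse", "emr"): {"read"}, ("doctor", "emr"): {"read", "write"},
         ("doctor", "ward_notice"): {"write"}}
    return BLPState(fs, fc, fo, M)

if __name__ == "__main__":
    st = build_example_state()
    for req in [("nurse", "emr", "read"), ("doctor", "emr", "read"), ("doctor", "emr", "write")]:
        print(req, st.request(*req))
```

The doctor's read of the EMR is refused until the current level fc is raised to "secret", which is exactly the distinction between fs and fc that the tuple (fs,fc,fo) encodes.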
5. Proposed lattice (part 2)
Figure: lattice of security labels for a Bell-LaPadula compliant healthcare system
6. Considerations
the existence of a “break the glass” mechanism is of vital importance, but...
...flexibility introduces higher costs: control mechanisms need to be more efficient, and more reports and alerts need to be generated
studies show that most “healthcare information environments” tend to follow some standard and generic trends
there seems to be little concern about case-specific scenarios in this kind of environment
BLP is one among many, and its roots make it a very rigid and complex mechanism
the RBAC philosophy gives the “freedom” we were looking for, with the introduction of a role-based control that can make the task of outlining security/clearance levels easier
fancy models like CISSP are becoming a very strong pattern
7. References (bibliographic)
D. Bell, Looking Back at the Bell-LaPadula Model, Reston VA 20191. December 2005.
D. Aspinall, Security Models: Computer Security Lecture, School of Informatics, University of Edinburgh. February 2009.
W. Farmer, CS 31S3 Fall 2007: Security Policies, Department of Computing and Software, McMaster University. November 2009.
L. Viganò, Access Control and Security Policies II, Department of Computer Science, ETH Zurich. January 2004.
C. Clifton, CS525: Information Security, Bell-LaPadula Model, Purdue University. September 2004.
A. Ferreira, R. Cruz-Correia, L. Antunes, D. Chadwick, Access Control: how can it improve patients' healthcare?
A. Ferreira, R. Cruz-Correia, L. Antunes, P. Farinha, E. Oliveira-Palhares, D. Chadwick, A. Costa-Pereira, How to break access control in a controlled manner.