Alberto De la Rosa Algarín

A security framework for XML schemas and documents for healthcare

The extensible Markup Language (XML) has wide usage in healthcare to facilitate health information exchange via the Continuity of Care Record (CCR) for storing/managing patient data, diagnoses, medical notes, tests, scans, etc. Health IT products like electronic health record (EHR, e.g., GE Centricity) and personal health record (PHR, e.g., MS Health Vault) use CCR for data representation. To manage patient data in CCR, security as governed by HTPAA must be attained when using XML and its technologies (XACML, XSLT, etc.). Our objective is to have an XML document (CCR instance) appear differently to authorized users at different times based on a users role, constraints, separation of duty, delegation of authority, etc. In this paper, we propose a security framework that targets XML schémas and documents, in general, and CCR schémas and documents, in particular with control capabilities that achieve customizable access to an XML documents elements by applying secure software engineering methodologies and defining new UML XML-focused diagrams for schémas and permissions. This allows us to generate XACML policies, and enforce security at the runtime level on XML instances to insure that correct and required patient data is securely delivered. In a market of rapidly emerging mobile healthcare applications to allow patients to manage their own data (PHRs) and for self-management of chronic diseases, the need for secure access to information and its authorization and transmission to providers (and EHRs) will be critical.

A Software Modeling Approach to Ontology Design via Extensions to ODM and OWL

Ontologies are built to establish standard terminologies representing a semantic agreement between humans and knowledge systems via representational frameworks (e.g., KIF, DAML+OIL, OWL, etc.) that have been proposed in the research community, with limited adoption in industry. One possible reason is a lack of a formal model and associated process to more precisely and accurately design and develop ontologies. The authors’ prior work explored UML, entity-relationship diagrams, and XML as compared to RDF and OWL, identifying modeling capabilities lacking in ontologies. In all three approaches, design precedes instantiation which contrasts with ontology developers who build ontologies at the application level targeted to a specific domain. The paper proposes design-level modeling enhancements to ontologies by extending the OMG Ontology Definition Model (ODM) and OWL grammar with capabilities from the three aforementioned approaches, promoting a software engineering-based process. As a result, this work provides a more software engineering-oriented process to ontology design and development.

Chapter 4 – An Approach to Facilitate Security Assurance for Information Sharing and Exchange in Big-Data Applications

Security assurance is the guarantee provided with regard to access control, security privileges, and enforcement over time as users interact with an application. For a big-data application that shares and exchanges information from multiple sources in different formats, security assurance must reconcile local security capabilities to meet stakeholder needs. This chapter presents a role-based access control (RBAC) approach to modeling a global security policy and generating an enforcement mechanism for a big-data application by integrating the local policies of the sources, which are assumed to communicate via XML, the de facto standard for information sharing/exchange. Towards this goal, the Unified Modeling Language (UML) is extended to define new diagrams to capture XML for RBAC security and for policy modeling. To illustrate, we use a big-data application in law enforcement for motor vehicle crashes, showing how global security can be achieved in a repository that links different crash data repositories from multiple sources.

Generating XACML Enforcement Policies for Role-Based Access Control of XML Documents

Ensuring the security of electronic data has morphed into one of the most important requirements in domains such as health care, where the eXtensible Markup Language (XML) has been leveraged via standards such as the Health Level 7’s Clinical Document Architecture and the Continuity of Care Record. These standards dictate a need for approaches to secure XML schemas and documents. In this paper, we present a secure information engineering method that is capable of generating eXtensible Access Control Markup Language (XACML) enforcement policies, defined in a role-based access control model (RBAC), that target XML schemas and their instances, allowing instances to be customized for users depending on their roles. To achieve this goal, we extend the Unified Modeling Language (UML) with two new diagrams: the XML Schema Class Diagram, which defines the structure of an XML document in UML style; and, the XML Role-Slice Diagram, which defines roles and associated privileges at a granular access control level. We utilize a personal health assistant mobile application for medication and chronic disease management to demonstrate the enforcement component of our work.

Towards knowledge level privacy and security using RDF/RDFS and RBAC

Information privacy and security plays a major role in domains where sensitive information is handled, such as case studies of rare diseases. Currently, security for accessing any sensitive information is provided by various mechanisms at the user/system level by employing access control models such as Role Based Access Control. However, these approaches leave security at the knowledge level unattended, which can be inadequate. For example, in healthcare, ontology-based information extraction is employed for extracting medical knowledge from sensitive structured/unstructured data sources. These information extraction systems act on sensitive data sources which are protected against unauthorized access at the system level based on the user, context and permissions, but the knowledge that can be extracted from these sources is not. In this paper we tackle the security or access control at the knowledge level by presenting a model, to enforce knowledge security/access by leveraging knowledge sources (currently focused on RDF) with the RBAC model. The developed model filters out knowledge by means of binary permissions on the knowledge source, providing each user with a different view of the knowledge source.

Extending the UML Standards to Model Tree-Structured Data and Their Access Control Requirements

Secure data sharing between computational systems is a necessity to many workflows across domains such as healthcare informatics, law enforcement and national security. While there exist many approaches towards securing data for the purpose of dissemination, the vast majority follows the traditional thought of security engineering that occurs as the last step of the overall software engineering process. In this paper we extend the Unified Modeling Language (UML) standard to: (1) modeling tree-structured data and associated schemas and (2) information security via role-based, lattice-based, and discretionary access control; both push it towards the forefront of the software development life-cycle. Tree structured data and associated schemas are dominant in information modeling and exchange formats including: the eXtensible Markup Language (XML), JavaScript Object Notation (JSON), etc. New UML artifacts for tree-structured data and schemas would allow the modeling of generalized information solutions from which XML, JSON, RDF, etc., could be generated; this is akin to generating different object-oriented programming language code from UML class diagrams. This UML extension also allows security experts to model and define information security requirements at the schema level as well, before code is written. The end-result is the assurance of information security for the purpose of sharing across computational systems.