Publication


Featured research published by Jim Longstaff.


Proceedings of the fifth ACM workshop on Role-based access control | 2000

A model of accountability, confidentiality and override for healthcare and other applications

Jim Longstaff; Mike A. Lockyer; M. G. Thick

A UML model of Authorisation is described, which was developed for an Electronic Medical Records application in collaboration with the UK NHS Information Authority. The model is an enhancement of the UK Healthcare Model (HcM), in that it provides extra classes for use with HcM classes. It provides powerful confidentiality specification capabilities, which can also be used in other applications. A Role (actually called AgentActivityType for consistency with the HcM) may be directly associated with an Accountability. An Accountability is an agreement where one Party commissions a second Party to undertake Activities under the authority of that Accountability. Four types of Confidentiality Permission are defined which allow access to data items (SubjectPhenomena), or to data items with specific types (SubjectPhenomenonType). Access can be granted to individual Agents, or to AuthorizedAgents acting in specified Roles. A model of override allows the Confidentiality Permissions to be overridden in a strictly controlled way. Override facilities are granted to Agents by establishing appropriate Accountabilities, and any use of override is logged. Access to data can be granted to groups of Agents, and to groups of Roles. Establishing access rights for a group involves defining a set of Confidentiality Permissions for the group. The Authorisation Model is illustrated throughout the paper by examples from healthcare. In particular a demanding scenario (child abuse) is presented. In this scenario complex restrictions must be placed on the data, which might result in inappropriate actions if clinicians and other professionals are denied access to the data.


symposium on access control models and technologies | 2003

The Tees Confidentiality Model: an authorisation model for identities and roles

Jim Longstaff; Mike A. Lockyer; John Nicholas

We present a model of authorisation that is more powerful than Role Based Access Control (RBAC), and is suitable for complex web applications in addition to computer systems administration. It achieves its functionality by combining Identity Based Access Control (IBAC) and RBAC in novel ways. A particular feature of the model is a rigorous definition of override, for granting access to data and resources in exceptional circumstances. Despite its power, the model can be implemented by a single algorithm, as an extension to RBAC. The basis of the model is a new concept of permission, which we call Confidentiality Permission. There are five types of confidentiality permission, for granting access rights for identities and roles; also negative confidentiality permissions, for denying access to data and resources, exist. A single concept of Collection is used for structuring roles, identities, resource and resource type, although the RBAC general and limited role hierarchies can be used if desired. Confidentiality permissions may be defined to inherit within collections, thereby providing a mechanism for confidentiality permission assignment; however confidentiality permissions may be assigned in other ways that do not depend on collections. We use a demanding scenario from Electronic Health Records to illustrate the power of the model. We have produced several demonstrators, one of which utilises the model to control data retrieval from commercial GP and Social Services systems.


international conference on big data | 2016

Attribute Based Access Control for Big Data Applications by Query Modification

Jim Longstaff; Joanne Noble

We present concepts which can be used for the efficient implementation of Attribute Based Access Control (ABAC) in large applications using maybe several data storage technologies, including Hadoop, NoSQL and relational database systems. The ABAC authorization process takes place in two main stages. Firstly a sequence of permissions is derived which specifies permitted data to be retrieved for the user's transaction. Secondly, query modification is used to augment the user's transaction with code which implements the ABAC controls. This requires the storage technologies to support a high-level language such as SQL or similar. The modified user transactions are then optimized and processed using the full functionality of the underlying storage systems. We use an extended ABAC model (TCM2) which handles negative permissions and overrides in a single permissions processing mechanism. We illustrate these concepts using a compelling electronic health records scenario.


Health Informatics Journal | 2000

EHR and EPR confidentiality based on accountability and consent: tools for the Caldicott Guardian

Jim Longstaff; G. Capper; Mike A. Lockyer; M. G. Thick

The primary care-based electronic health record (EHR) and the electronic patient record (EPR) are key features of the UK National Health Service (NHS) Information Strategy. We propose a model for EHR/EPR confidentiality - that is, for restricting access to their contents to authorized users, assuming secure transmission of data. We summarize a UML model for EHR/EPR confidentiality which is consistent with the NHS Healthcare Model. A prototype implementation of the model based on OODB and Internet techniques is described. The work is intended as a contribution to the development of confidentiality systems for the EHR and EPR, and also of computerized tools for Caldicott Guardians to specify and implement privacy policies and procedures.


privacy forum | 2013

Extending Attribute Based Access Control to Facilitate Trust in eHealth and Other Applications

Jim Longstaff

We describe a new model for Attribute Based Access Control (ABAC) which handles negative permissions and overrides in a single permissions processing mechanism. The model lends itself to the generation of explanations and permissions review, which can be used to foster end-user trust and confidence in the authorization system. We illustrate using a scenario in which a patient, with the assistance of an information specialist, develops consent directives for her medical records while receiving explanations and demonstrations. The model extends the approaches of ABAC and parameterized Role Based Access Control (RBAC) in that users, operations, and protected objects have properties, which we call classifiers. The simplest form of classifier is an attribute, as defined for ABAC; additional information is also handled by classifiers. Classifier values themselves are hierarchically-structured. A permission consists of a set of classifier values, and permissions review/determining an individual’s risk exposure is carried out by database querying. The model has general applicability to areas where tightly-controlled sharing of data and applications, with well-defined overrides, is required.


Medical Informatics and The Internet in Medicine | 2005

The Tees Confidentiality Model: Mechanisms for implementing the sealed envelope

Jim Longstaff; Mike A. Lockyer

This paper offers mechanisms capable of implementing the authorization functionality to be supported by the NHS Care Records Service. The patient-confidentiality model for the Care Records Service includes restricting access to data by placing the data in a Sealed Envelope; providing access to data based on Legitimate Relationship, and other concepts; and the overriding of access restrictions in extraordinary or emergency situations. We informally show through examples how the Tees Confidentiality Model, a sophisticated model of authorization, can be used to implement Care Records Service authorization functionality to the level currently proposed, and also to much greater levels if they ever were to be required. The mechanisms discussed include using a range of permission types, called Confidentiality Permission Types; processing Confidentiality Permissions in a defined order according to complexity of type; using negative permissions to deny access; and providing override mechanisms for negative permissions.


Archive | 2004

Authorisation Models for Complex Computing Applications

Jim Longstaff; Mike A. Lockyer; John Nicholas

This paper presents the Tees Confidentiality Model, an authorisation model which is suitable for complex web applications in addition to computer systems administration. It achieves its functionality by combining Identity-Based Access Control (IBAC) and Role-Based Access Control (RBAC) in novel ways. The model is based on a range of permission types, called Confidentiality Permission Types, which are processed in a defined order. Confidentiality Permissions may have negative values (i.e. they may deny access), and may be overridden by authorised users in carefully specified ways. A single concept of Collection is used for structuring roles, identities, resource and resource type, although the RBAC general and limited role hierarchies can be used if desired. Confidentiality permissions may be defined to inherit within collections, thereby providing a mechanism for confidentiality permission assignment. We use a demanding scenario from Electronic Health Records to illustrate the power of the model.


IEE Proceedings - Software | 2006

Functionality and implementation issues for complex authorisation models

Jim Longstaff; Mike A. Lockyer; A. Howitt

The concepts and benefits of Role-Based Access Control (RBAC) are first reviewed. As an example of enhanced authorisation functionality, the Tees Confidentiality Model (TCM), which is an authorisation model suitable for complex web applications in addition to computer systems administration, is then presented. The TCM is based on a range of permission types, called Confidentiality Permission Types, which are processed in a defined order. Confidentiality permissions may have negative values (i.e. they may deny access), and may be overridden by authorised users in carefully specified ways. An arbitrary number of Authorisation Classifiers for users and protected objects may be specified. Confidentiality Permission Types are defined in terms of classifiers. A single concept of Collection is used for structuring classifier values, including roles, although the RBAC general and limited role hierarchies can be used if desired. Confidentiality permissions specify inheritance within collections, thereby providing a mechanism for confidentiality permission assignment. A demanding scenario from electronic health records is used to illustrate the power of the model.


Archive | 2000

A model of accountability

Jim Longstaff; Mike A. Lockyer; Graham Capper; M. G. Thick


Archive | 2014

Tees Confidentiality Model (TCM2): Supporting Dynamic Authorization and Overrides in Attribute-Based Access Control

Jim Longstaff; Tony Howitt
