Lillian Røstad
Norwegian University of Science and Technology
Publication
Featured research published by Lillian Røstad.
annual computer security applications conference | 2006
Lillian Røstad; Ole Edsberg
In healthcare, role-based access control systems are often extended with exception mechanisms to ensure access to needed information even when the needs don't follow the expected patterns. Exception mechanisms increase the threats to patient privacy, and therefore their use should be limited and subject to auditing. We have studied access logs from a hospital EPR system with extensive use of exception-based access control. We found that the uses of the exception mechanisms were too frequent and widespread to be considered exceptions. The huge size of the log and the use of pre-defined or uninformative reasons for access make it infeasible to audit the log for misuse. The informative reasons that were given provided starting points for requirements on how the usage needs should be accomplished without exception-based access. With more structured and fine-grained logging, analysis of access logs could be a very useful tool for learning how to reduce the need for exception-based access.
availability, reliability and security | 2010
Inger Anne Tøndel; Jostein Jensen; Lillian Røstad
Misuse cases and attack trees have been suggested for security requirements elicitation and threat modeling in software projects. Their use is believed to increase security awareness throughout the software development life cycle. Experiments have identified strengths and weaknesses of both model types. In this paper we present how misuse cases and attack trees can be linked to get a high-level view of the threats towards a system through misuse case diagrams and a more detailed view on each threat through attack trees. Further, we introduce links to security activity descriptions in the form of UML activity graphs. These can be used to describe mitigating security activities for each identified threat. The linking of different models makes most sense when security modeling is supported by tools, and we present the concept of a security repository that is being built to store models and relations such as those presented in this paper.
computer and communications security | 2008
Lillian Røstad; Øystein Nytrø
Access control is a key feature of healthcare systems. Up until recently most healthcare information systems have been local to a healthcare facility and accessible only to clinicians. Currently there is a move towards making health information more accessible to patients. One example is the Personally Controlled Health Record (PCHR) where the patient is in charge of deciding who gets access to the information. In the PCHR the patient is the administrator of access control. While it certainly is possible to create roles representing people most patients would want to share with, like primary physician, it is also likely, and desirable, to afford the patients a high level of control and freedom to be able to create specialized access policies tailored to their personal wishes. We entitle this personalized access control. In this paper we present a semi-formal model for how we believe personalized access control may be realized. The model draws on and combines properties and concepts of both Role-Based Access Control (RBAC) and Discretionary Access Control (DAC) to achieve the desired properties. Throughout the paper we use the PCHR as a motivating example and to explain our reasoning and practical use of the model.
availability, reliability and security | 2007
Lillian Røstad; Øystein Nytrø; Inger Anne Tøndel; Per Håkon Meland
Health information about a patient is usually scattered among several clinical systems, which limits the availability of the information. Integration of the most central systems is a possible solution to this problem. In this paper we present one such integration effort, with a focus on how access control is handled in the integrated system. Although this effort has not yet solved all the issues of access control integration, it demonstrates a practical approach for creating something that works today and serves as input to the discussion on future challenges for access control when integrating multiple systems.
international conference on information security | 2015
Martin Gilje Jaatun; Daniela S. Cruzes; Karin Bernsmed; Inger Anne Tøndel; Lillian Røstad
Software security is about building software that will be secure even when it is attacked. This paper presents results from a survey evaluating software security practices in software development lifecycles in 20 public organisations in Norway using the practices and activities of the Building Security In Maturity Model (BSIMM). The findings suggest that public organisations in Norway excel at Compliance and Policy activities when developing their own code, but that there is a large potential for improvement with respect to Metrics, Penetration testing, and Training of developers in secure software development.
availability, reliability and security | 2009
Øyvind Nerbråten; Lillian Røstad
Digital game-based learning has a great potential and can make a strong addition to traditional teaching within the field of software security. It can help improve the education of current and future software developers, by giving them hands-on experience in a controlled environment. This paper presents the results from the development process and evaluation of a digital learning game for teaching software security to computer science students. The purpose has been to design and implement a learning game, but also to test the game on the student body, in order to gather data to help evaluate and improve it. The game is not meant to replace traditional teaching, but as an alternative and complementary way of teaching software security and help raise awareness and interest in the subject as well as train developers. The implemented game is Web-based, which means the users only need a Web browser to play it. It simulates security vulnerabilities commonly found in Web applications, to help give students hands-on security experience in a controlled environment. The game is based on design suggestions from other studies within digital game-based learning and evaluated based on data collected from user testing and user feedback. The game evaluation has resulted in several suggestions on how to improve the learning game and the overall learning process, as well as suggestions for further studies.
Archive | 2006
Ståle Walderhaug; Erlend Stav; Stein L. Tomassen; Lillian Røstad; Nils Brede Moe
Healthcare information systems are characterized by having many stakeholders, roles, complex and diverse information systems, high degree of formalized working practices and an intense focus on quality concerns like interoperability, security and reliability. There is an emerging need for a structured architectural tool for supporting system developers and architects working with this kind of critical infrastructure. This paper presents MAFIIA - an architectural description framework specialized for the health care domain. The framework has been used in the development of three different healthcare information systems: a system for individual care plans, a platform for image-guided surgery and a patient evacuation support system. The experience from the case studies shows that the framework is a useful and flexible tool for creating an architectural description, and assists in keeping the focus on selected quality concerns.
ieee symposium on security and privacy | 2008
Lillian Røstad; Inger Anne Tøndel; Per Håkon Meland; Gunnar René Øie
Unfortunately, students can graduate with a software engineering degree without learning anything about building secure systems. However, for the past two years at the Norwegian University of Science and Technology, a software security course has been giving students the theoretical foundation and practical experience necessary to start comprehending software security issues.
Archive | 2004
Stig Ole Johnsen; Lillian Røstad; Børge Haugset; Maria B. Dahl
In this paper we propose the development of a methodology for efficient handling of computer security related incidents. Such a methodology should include technical, cultural, and organisational issues.
requirements engineering: foundation for software quality | 2006
Lillian Røstad