An Internet of Things Based Multi-Level Privacy-Preserving Access Control for Smart Living
Abstract
:1. Introduction
2. Related Work
- A privacy protection system that ensures authorization, confidentially and integrity of the information.
- An access control mechanism to manage the collected information, personal information and logs by user groups.
- A provisioning system to secure communication paths, provide auditing capabilities and apply and negotiate privacy policy rules to prevent the collection of personal data without proper authorization.
- Secure collection and integration of electronic health records produced by Care Delivery Organizations (CDOs) and a guarantee that EHR in different formats can be easily integrated.
- Secure storage and access management by implementing data encryption and access control models based on role-based or attribute-based access control policies.
- A secure usage model based on signature and verification.
3. Framework Overview
4. Data Collection Layer
- Remote monitoring healthcare data collected by sensors.
- Electronic healthcare data records, which includes patients’ current health status, medical history and conditions collected from healthcare practitioners and organizations.
- Background information such as authenticity, dietary and lifestyle habits collected from the patient or patient’s family.
- Medical information related to diseases such as early and alarming signs.
5. Activity and Data Management Layer
- Rigidity, which is a resistance to movement. Most affected patients have their neck or leg muscles tense and contracted. When the patient attempts to move s/he may have short and jerky movements called “cog-wheeling”.
- Akinesia which is slowness of movement, which is considered as one of the classic symptoms of Parkinson’s disease. Patients also may develop a stooped posture, shuffling walk and becomes erratic and unsteady and this may lead to falls.
- Tremors, which are one of the most common symptoms. They appear in the head, face, or limbs. Tremors may occur during attempting tasks or even at rest.
- Postural instability which gives patients a stooped posture with bowed head and drooped shoulders. It also affects balance and coordination, which leads to repeated falls with serious injuries as a result.
- Dyskinesia, which is a series of abnormal movements which manifest as rhythmic or pendulous movements of the arms and legs. It also could be in the form of rapid jerky and purposeless movements of the limbs that appear suddenly.
- Restless leg syndrome, which is the feeling of bugs over the legs or arms at bedtime or at rest. The feeling is relieved temporarily by movement of the limbs.
6. Access Control Layer
6.1. Privacy Requirements
- Healthcare organizations such as hospitals, laboratories and imaging centres.
- Healthcare professionals such as family doctors.
- Patients who should have full read access to the complete health records.
- Any family member or a friend who the patients want to grant access to his/her data.
- Each healthcare unit should have the ability to determine the type/classification of the data it produces.
- Owner should have the ability to grant or deny access to sensitive or private healthcare data to particular medical practitioners, healthcare unit or a family member.
- Owner should identify a family doctor who will have access to all data classes.
- Family doctor should be able to review healthcare data classification.
- There must be an emergency attribute which allows the available healthcare practitioner to have access and to be able to provide assistance immediately.
- Access could be granted to a team or a class of health professionals.
- Owner should have the ability to delegate access to the healthcare data to someone else if required.
- No-one should be able to overwrite old information but healthcare units and physicians should have the ability to add corrections to old information/reports.
- Permission could be conditional to a given period of time or location. As an example, all access requests from a particular hospital are authenticated during the patient’s admission time, bearing in mind the provided access level is determined by access policies.
- Healthcare data should be available without obstruction to legitimate users and security policies should be easy to manage, maintain and modify once there is a need.
- All healthcare data is consolidated in one record and controlled by the patient and available to everyone in patient’s health network
- Patients can use privacy labels for each source of data and give privacy label permissions to different teams.
- Patients can see which teams have access to which privacy labels.
- Patients can share their own copy of healthcare data.
- HealthVault user can share access with another healthVault user
- Patients can allow HealthVault programs to access and manage their data.
- Patients can share specific healthcare data with other people or programs that add data to health records
- HealthVault user can manage health records of a family member.
- Logging login issues such as multiple failed logins and multiple login within a short period.
- Logging high transaction rates for a given Healthcare Provider
- Logging after-hours access and all instances of emergency access.
- Setting a Record Access Code (RAC) to allow and prevent access to patient’s record unless in an emergency
- Flagging specific documents in patient’s record as ‘limited access,’ and controlling who can view them.
- Removing documents from view and requesting healthcare providers to not upload information to the healthcare records.
6.2. Our Multi-Level Access Control Model
6.2.1. Attribute Definitions
- Resource AttributesA resource is an entity that is acted upon by the subject, such as the healthcare records. Resources have attributes that can help group them in records such as medications, medical history, or immunization. We defined six different classes that group healthcare data records.Public: The public class contains all healthcare data that is not sensitive such as;
- Health and activity data collected from sensors which may include; blood pressure, sugar levels, oxygen levels and any alarming information.
- Patient instructions, which is one of the most important fields that healthcare professionals need to view before dealing with the patient. It may contain warnings such as; the patient suffers from severe autism and could act out aggressively under pressure or wearing gloves and report any direct contact with the patient, as the patient could be vulnerable to infection or have an infectious disease.
- The public class could also contain allergies, medications, health maintenance schedules and lifestyle habits such as smoking, drinking and exercise.
Physical: Physical classes contain all medical history related to diagnoses, laboratory and radiology results and all procedures that a patient has had or was scheduled for.Id_ info: ID info class contains all patients’ identifying data such as name, address, emergency contact and ID.Mental: Mental health class contains the information related to mental diseases such as depression, bipolar, autism and personality disorders.Neuro: Neurological health class contains medical history of any nervous system related to issues that may cause some mental disorder symptoms such as Alzheimer’s disease, stroke and injuries to the nervous system.Private: Private classes contain information that the patient does not want to share with anyone unless it is related to their treatment. Private healthcare data could include sexual orientation, history of drug use or social history. - Subject Attributes: A subject is an entity requesting access, in our system s/he could be the healthcare professional, insurance agent, or a researcher. Each subject/user has associated attributes which define his identity such as; name, ID, job title and organization. Our system classifies users into the following groups:Owner: The owner of the healthcare data is the patient or patient’s guardian. Owners should have access to all data classes.Family_doctor: A family doctor is the patient’s primary doctor who is aware of the patient’s health issues and history. Family doctors should have access to all data classes.Friend: A friend is a person who is nominated by the owner to have access to the patient’s healthcare data. By default, the friend group should have access to all data classes except the Private class.GP: A GP is a doctor who temporarily treats patients due to the unavailability of the family doctor. GP should have access to Public, Physical, Id_info and Neuro data classes.Researcher: A researcher uses the data to research new treatments, medicines or statistical purposes. We assume the research is on physical health and the researcher should have access to Public, Physical and Neuro data classes. A new rule should be added to the policy model for different research areas. The researcher must not have access to the identifying information (Id_info) which reveals the patient’s identity.Insurance: Insurance companies need access for claims or policy requirements. Insurance companies could have access to Public, Physical, Id_info and Neuro data classes.Paramedics: Paramedics are trained to provide basic life support in short time frames. We assumed in our system that Public and Id_info should be sufficient for paramedic officers to perform their job.Hospital: Hospitals should have access to all data classes except Private data class for each patient admitted. Hospital clinics should have the same access as GP groups.Allied health: Allied health contains many professionals such as audiologists, dieticians, physiotherapists, occupational therapists, psychologists and social workers. The nature of these professions varies from providing purely physical treatments to purely mental treatments. On the other hand, occupational therapists assist people with illnesses and disabilities to develop and maintain daily living, or assist patients with mental health disorders such as autism. Based on these considerations, we decided to divide the allied health group into the following three subgroups:
- Allied_mental: This group includes professionals such as psychologists and social workers. Professions of this group should have access to Public, Id_info, Mental, Neuro and Private data classes.
- Allied_physical: This group includes professionals such as chiropractors, physiotherapists and podiatrists. Professions of this group should have access to Public, Id_info, Physical and Neurological data classes.
- Allied_both: This group includes all allied health professionals who may deal with mental or physical disorders such as occupational therapists and speech pathologists. For this group, we set an environmental attribute “Require Social” to indicate if this patient has any mental disorder. The “Require Social” attribute allows the professionals of this group to have access to “Mental” data class in addition to the “Allied health physical” group access.
- Environment Attributes: Environmental attributes describe the operational and technical conditions that affect access, such as the date and time when hospital staff can have access to patients’ records. Environmental attributes also include location; owner could allow all requests from hospital workstations while he is admitted to hospital. We include other environment attributes such as Emergency, location, date and Require_social.
6.2.2. Policy Model
- R1: can_access (u, hd, e) ← ((group (u) є {Paramedics})۸ (data_class (hd) є {Public, Id_info})) ۷((group (u) є {Researcher})۸ (data_class (hd) є {Public, Physical, Neuro})) ۷((group (u) є {Owner, Family_doctor})) ۷((group (u) є {Insurance})۸ (data_class (hd) є {Public, Physical, Neuro, Id_info})) ۷((group (u) є {Friend})۸ (data_class (hd) є {Public, Physical, Neuro, Id_info, Mental}))
- Case1:
- if u belongs to the “Paramedics” group and requests access to healthcare data from the “Public” or “Id_info” classes.
- Case2:
- if u belongs to the “Researcher” group and requests access to healthcare data from the “Public”, “Physical”, or “Neuro” classes.
- Case3:
- if u belongs to the “Owner” or “Family_doctor” groups, access is granted.
- Case4:
- if u belongs to the “Insurance” groups and requests access to healthcare data from the “Public”, “Physical”, “Neuro”, or “Id_info” classes.
- Case5:
- if u belongs to the “Friend” group and s/he requests access to healthcare data from the “Public”, “Physical”, “Neuro”, “Id_info”, or “Mental” classes.
- R2: can_access (u, hd, e) ← ((group (u) є {GP})۸ (data_class (hd) є {Public, Physical, Neuro, Id_info})) ۷ ((group (u) є {Hospital})۸(data_class (hd) є (Public, Physical, Neuro, Id_info, Mental)))
- Case1:
- if u belongs to the “GP” group and requests access to healthcare data from the “Public”, “Physical”, “Neuro” or “Id_info” classes.
- Case2:
- if u belongs to the “Hospital” group and requests access to healthcare data from the “Public”, “Physical”, “Neuro”, “Id_info” or “Mental” classes. We included “Mental” as the patient may be admitted to hospital for a period of time and the hospital staff should be aware of any mental care that patient may require.
- R3: can_access (u, hd, e) ← R2 ۸ ((environment(e) = Date) ۸ (Current date ≥ 01022017) ۸ (Current data < 01032017))
- R4: can_access (u, hd, e) ← ((group (u) є {GP, Hospital})۸(environment (e) є {Emergency}))
- R5: can_access (u, hd, e) ← ((group (u) є {Allied_physical, Allied_both})۸ (data_class (hd) є {Public, Physical, Neuro, Id_info})) ۷ ((group (u) є {Allied_mental})۸(data_class (hd) є (Public, Mental, Neuro, Id_info, Private)))
- Case1:
- if u belongs to the “Allied_physical” or “Allied_both” groups and requests access healthcare data from the “Public”, “Physical,” “Neuro,” or “Id_info” classes.
- Case2:
- if u belongs to the “Allied_mental” group and requests access to healthcare data from the “Public”, “Physical”, “Neuro”, “Id_info” or “Mental” classes.
- R6: can_access (u, hd, e) ← R5۸ ((environment(e) = Location) ۸ (Location(u) є {L}))
- R7: can_access (u, hd, e) ← ((group (u) є {Allied_both})۸ (data_class (hd) є {Public, Physical, Mental, Neuro, Id_info, Private})۸ (environment (e) = Require_social))
6.2.3. Architecture of Multi-Level Access Control
- Access Enforcement Engine (AEE): AEE is responsible for requesting the authorization decision and enforcing it. It is the only point of access for users who request access to healthcare data. Initially authenticated user “u” sends AEE an access request for a healthcare data class “hd”. Then, AEE collects user and healthcare data class attributes and sends them for evaluation. Finally, AEE receives the access decision from the Access Decision Engine and either grants users access or denies their request.
- Healthcare Data Repository: a healthcare data repository is any server used to store the data online.
- Access Decision Engine (ADE): ADE is responsible for evaluating policies and making the access decision (grant or deny). ADE gets attributes of the user and healthcare data classes from AEE, retrieves environment attributes and then checks the policy for the appropriate policy rule and finally forwards the decision to AEE.
- Policy Repository: Policy repository stores all access rules. Policies are defined by the owners and healthcare professionals through a designated user interface.
7. Discussion
- Default access rule: in the case of uploaded healthcare data that have the minimum set of attributes and with no data class defined, there should be a generic access rule to allow or deny access, or to classify these data under certain classes. For example, if a decision was made to collect environmental data such as temperature or radiation levels and add this data to healthcare data, a default rule must be defined to grant access to all requests, assuming no category means public class, or to deny access, assuming these data are categorized as private.
- Joint Ownership: The owner could give (delegate) one or more ownerships over his data. For example, all children could be owners for their elderly parents. In the case of a joint ownership, we should have more than one access policy over the same data class, as owners can specify their own access rules. Our system grants access to some data when any one of the policies permits the access, which means the relation between the access policies is the logical “or” relationship. Assume both parents are owners of their child’s healthcare data. The father grants Dr. John access to the healthcare data of his child while the mother denies the access. The Access Decision Engine (ADE) will check both access policies in a policy repository and the Access Enforcement Engine (AEE) will return with permission to access the healthcare data of the child because one of the policies grants Dr. John access.
- Owner authority: in our system, healthcare data could have more than one owner, thus there may be conflicts when not all owners agree or disagree to grant access. This raises more concerns about authorization: do all owners have equal authority, does any owner have the ability to add more owners, or does a new owner have the authority to turn certain private data to public. Our system has only one primary owner who has full control over the data. The primary owner could be either the patient or one of his guardians, any other owners will be a secondary owner who can only grant and deny access requests but cannot add more owners or change data sensitivity.
8. Conclusions
Author Contributions
Conflicts of Interest
References
- Yao, L.; Sheng, Q.Z.; Benatallah, B.; Dustdar, S.; Wang, X.; Shemshadi, A.; Kanhere, S.S. WITS: An IoT-endowed computational framework for activity recognition in personalized smart homes. Computing 2018, 100, 369–385. [Google Scholar] [CrossRef]
- Memon, M.; Wagne, S.R.; Hansen, F.O. Ambient assisted living ecosystems of personal healthcare systems, applications, and devices. In Proceedings of the Scandinavian Conference on Health Informatics, Copenhagen, Denmark, 20 August 2013. [Google Scholar]
- Li, M.; Yu, S.; Zheng, Y.; Ren, K.; Lou, K. Scalable and secure sharing of personal health records in cloud computing using attribute-based encryption. IEEE Trans. Parallel Distrib. Syst. 2013, 24, 131–143. [Google Scholar] [CrossRef]
- Park, N. Customized healthcare infrastructure using privacy weight level based on smart device. In Proceedings of the International Conference on Hybrid Information Technology, Daejeon, Korea, 22–24 September 2011. [Google Scholar]
- Premarathne, U.; Abuadbba, A.; Alabdulatif, A.; Khalil, I.; Tari, Z.; Zomaya, A.; Buyya, R. Hybrid cryptographic access control for cloud-based EHR systems. IEEE Cloud Comput. 2016, 3, 58–64. [Google Scholar] [CrossRef]
- Gajanayake, R.; Iannella, R.; Sahama, T. Privacy oriented access control for electronic health records. Electron. J. Health Inform. 2014, 8, e15. [Google Scholar]
- Abbas, A.; Khan, S.U. e-Health Cloud: Privacy Concerns and Mitigation Strategies. In Medical Data Privacy Handbook; Springer: Berlin, Germany, 2015; pp. 389–421. [Google Scholar]
- Begum, M.; Mamun, Q.; Kaosar, M. A privacy-preserving framework for personally controlled electronic health record (PCEHR) system. In Proceedings of the 2nd Australian eHealth Informatics and Security Conference, Perth, Australia, 2–4 December 2013. [Google Scholar]
- Fabian, B.; Ermakova, T.; Junghanns, P. Collaborative and secure sharing of healthcare data in multi-clouds. Inf. Syst. 2015, 48, 132–150. [Google Scholar] [CrossRef]
- Zhang, R.; Liu, L. Security models and requirements for healthcare application clouds. In Proceedings of the 2010 IEEE 3rd International Conference on Cloud Computing (CLOUD), Miami, FL, USA, 5–10 July 2010. [Google Scholar]
- Yao, L.; Ruan, W.; Sheng, Q.Z.; Li, X.; Falkner, N.J.G. Exploring tag-free RFID-based passive localization and tracking via learning-based probabilistic approaches. In Proceedings of the 23rd ACM International Conference on Information and Knowledge Management, Shanghai, China, 3–7 November 2014. [Google Scholar]
- Yao, L.; Sheng, Q.Z.; Li, X.; Gu, T.; Tan, M.; Wang, X.; Wang, S.; Ruan, W. Compressive representation for device-free activity recognition with passive RFID signal strength. IEEE Trans. Mob. Comput. 2018, 17, 293–306. [Google Scholar] [CrossRef]
- Mandal, A. Symptoms of Movement Disorders. News Medical 2012. Available online: http://www.news-medical.net/health/Symptoms-of-movement-disorders.aspx (accessed on 10 February 2018).
- Zissis, D.; Lekkas, D. Addressing cloud computing security issues. Future Gener. Comput. Syst. 2012, 28, 583–592. [Google Scholar] [CrossRef]
- Fido-Alliance. Simpler, Stronger Authentication. Available online: https://fidoalliance.org (accessed on 28 February 2018).
- Seitz, L.; Pierson, J.M.; Brunie, L. Semantic access control for medical applications in grid environments. In Proceedings of the Euro-Par 2003 Parallel Processing, Berlin, Germany, 2–5 September 2003; pp. 374–383. [Google Scholar]
- Strickland, M. Patients Know Best: A Changemaker Health Case Study. Available online: https://medium.com/change-maker/patients-know-best-a-changemaker-health-case-study-2f203b0971ae (accessed on 31 January 2018).
- Australian Government. National Authentication Service for Health, D.H.S. Available online: https://www.humanservices.gov.au/organisations/health-professionals/services/medicare/national-authentication-service-health (accessed on 31 January 2018).
Microsoft Vault | PKB | NASH | Proposed System | |
---|---|---|---|---|
Default access | User chooses who has access to what information | Everyone in patient’s health network | Any healthcare professional authorised by a healthcare organisation | Minimum set of data that is required in life threatening situations |
Granularity | Patient can specify what data to share | Patient can share their own copy or give consent | Patient can choose which healthcare organisations have access to their data | Using subject and object classifications to grant access considering environment factors |
Environment factors | Use time limited access | Nothing mentioned in relation to environment but consent engine can provide temporary access when required | Nothing mentioned in relation to environment factors when granting access to system users | Utilise environment factors such as date, time and location. Other factors could be added |
Sharing | Co-manage health record of another user. | Patient can share their own copy of their health data or give consent | Using consent | Using policy model or adding someone to a group |
Flexibility to add more control | No available information published in relation to the system design to indicate how the system handles new requirements | No available information published in relation to the system design to indicate how the system handles new requirements | No available information published in relation to the system design to indicate how the system handles new requirements | New classes can be added to subjects or objects. New environment factors can also be added. |
© 2018 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).
Share and Cite
Salama, U.; Yao, L.; Paik, H.-y. An Internet of Things Based Multi-Level Privacy-Preserving Access Control for Smart Living. Informatics 2018, 5, 23. https://doi.org/10.3390/informatics5020023
Salama U, Yao L, Paik H-y. An Internet of Things Based Multi-Level Privacy-Preserving Access Control for Smart Living. Informatics. 2018; 5(2):23. https://doi.org/10.3390/informatics5020023
Chicago/Turabian StyleSalama, Usama, Lina Yao, and Hye-young Paik. 2018. "An Internet of Things Based Multi-Level Privacy-Preserving Access Control for Smart Living" Informatics 5, no. 2: 23. https://doi.org/10.3390/informatics5020023
APA StyleSalama, U., Yao, L., & Paik, H. -y. (2018). An Internet of Things Based Multi-Level Privacy-Preserving Access Control for Smart Living. Informatics, 5(2), 23. https://doi.org/10.3390/informatics5020023