Securing XML with Role-Based Access Control

Author(s):  
Alberto De la Rosa Algarín ◽  
Steven A. Demurjian ◽  
Timoteus B. Ziminski ◽  
Yaira K. Rivera Sánchez ◽  
Robert Kuykendall

Today’s applications are often constructed by bringing together functionality from multiple systems that utilize varied technologies (e.g. application programming interfaces, Web services, cloud computing, data mining) and alternative standards (e.g. XML, RDF, OWL, JSON, etc.) for communication. Most such applications achieve interoperability via the eXtensible Markup Language (XML), the de facto document standard for information exchange in domains such as library repositories, collaborative software development, health informatics, etc. The use of a common data format facilitates exchange and interoperability across heterogeneous systems, but challenges in the aspect of security arise (e.g. sharing policies, ownership, permissions, etc.). In such situations, one key security challenge is to integrate the local security (existing systems) into a global solution for the application being constructed and deployed. In this chapter, the authors present a Role-Based Access Control (RBAC) security framework for XML, which utilizes extensions to the Unified Modeling Language (UML) to generate eXtensible Access Control Markup Language (XACML) policies that target XML schemas and instances for any application, and provides both the separation and reconciliation of local and global security policies across systems. To demonstrate the framework, they provide a case study in health care, using the XML standards Health Level Seven’s (HL7) Clinical Document Architecture (CDA) and the Continuity of Care Record (CCR). These standards are utilized for the transportation of private and identifiable information between stakeholders (e.g. a hospital with an electronic health record, a clinic’s electronic health record, a pharmacy system, etc.), requiring not only a high level of security but also compliance to legal entities. 
For this reason, it is not only necessary to secure private information, but for its application to be flexible enough so that updating security policies that affect millions of documents does not incur a large monetary or computational cost; such privacy could similarly involve large banks and credit card companies that have similar information to protect to deter identity theft. The authors demonstrate the security framework with two in-house developed applications: a mobile medication management application and a medication reconciliation application. They also detail future trends that present even more challenges in providing security at global and local levels for platforms such as Microsoft HealthVault, Harvard SMART, Open mHealth, and open electronic health record systems. These platforms utilize XML, equivalent information exchange document standards (e.g., JSON), or semantically augmented structures (e.g., RDF and OWL). Even though the primary use of these platforms is in healthcare, they present a clear picture of how diverse the information exchange process can be. As a result, they represent challenges that are domain independent, thus becoming concrete examples of future trends and issues that require a robust approach towards security.

2016 ◽  
pp. 487-522
Author(s):  
Alberto De la Rosa Algarín ◽  
Steven A. Demurjian ◽  
Timoteus B. Ziminski ◽  
Yaira K. Rivera Sánchez ◽  
Robert Kuykendall



2013 ◽  
pp. 1876-1903
Author(s):  
Philippe Massonet ◽  
Arnaud Michot ◽  
Syed Naqvi ◽  
Massimo Villari ◽  
Joseph Latanicki

This chapter describes an open source solution for securing the Claudia service manager and the OpenNebula virtual execution environment manager when combined in a federated RESERVOIR architecture. The security services provide confidentiality, authentication, and integrity by securing the external API. The chapter describes how to integrate the security solution in an open source cloud computing system, how to install it, and provides an illustrative case study showing its potential for the community. The aim of the chapter is to help those who want to build their own secure infrastructure clouds. The open source security code provides mutual authentication between clients and the Claudia service manager, and secures the SMI interface with role based access control. The same security services can also secure the VMI with role based access control and X509 certificates. Finally the federation can be secured by combining an LDAP server to manage the federation and XACML security policies, and using policy matching to guarantee the respect of security policies within the federation.


2016 ◽  
pp. 1001-1016
Author(s):  
Robert P Schumaker ◽  
Kavya P. Reganti

The purpose of this research is to demonstrate the efficiency of the Electronic Health Record (EHR) software that is adopted in the healthcare industry to provide better patient care. The authors examine the impact of EHRs on the efficient delivery of healthcare services. More specifically, they detail the origin of EHR, its significance in modern healthcare delivery along with the selection and implementation criteria for EHR software. They present a survey on the extent of adoption of EHR by clinicians. They also highlight the challenges and barriers faced by organizations in adopting EHR software such as cost, workflow impact and data security. Finally, the authors contemplate the future of EHR, its role in the implementation of health information exchange and its implementation in the cloud. They conclude that the implementation of EHR in the cloud is an important step towards better health management across the population with the end-goal of better health outcomes.


2019 ◽  
Vol 27 (3) ◽  
pp. 480-490 ◽  
Author(s):  
Adam Rule ◽  
Michael F Chiang ◽  
Michelle R Hribar

Abstract

Objective: To systematically review published literature and identify consistency and variation in the aims, measures, and methods of studies using electronic health record (EHR) audit logs to observe clinical activities.

Materials and Methods: In July 2019, we searched PubMed for articles using EHR audit logs to study clinical activities. We coded and clustered the aims, measures, and methods of each article into recurring categories. We likewise extracted and summarized the methods used to validate measures derived from audit logs and limitations discussed of using audit logs for research.

Results: Eighty-five articles met inclusion criteria. Study aims included examining EHR use, care team dynamics, and clinical workflows. Studies employed 6 key audit log measures: counts of actions captured by audit logs (eg, problem list viewed), counts of higher-level activities imputed by researchers (eg, chart review), activity durations, activity sequences, activity clusters, and EHR user networks. Methods used to preprocess audit logs varied, including how authors filtered extraneous actions, mapped actions to higher-level activities, and interpreted repeated actions or gaps in activity. Nineteen studies validated results (22%), but only 9 (11%) through direct observation, demonstrating varying levels of measure accuracy.

Discussion: While originally designed to aid access control, EHR audit logs have been used to observe diverse clinical activities. However, most studies lack sufficient discussion of measure definition, calculation, and validation to support replication, comparison, and cross-study synthesis.

Conclusion: EHR audit logs have potential to scale observational research but the complexity of audit log measures necessitates greater methodological transparency and validated standards.


2015 ◽  
Vol 139 (3) ◽  
pp. 319-327 ◽  
Author(s):  
Myra L. Wilkerson ◽  
Walter H. Henricks ◽  
William J. Castellani ◽  
Mark S. Whitsitt ◽  
John H. Sinard
