
Role-based User Access Control with Working Status for u-Healthcare System

RBAC-WS for u-Healthcare Systems

  • 이봉환 (Department of Information and Communication Engineering, Daejeon University) ;
  • 조현숙 (Institute of General Education, Daejeon University)
  • Received : 2009.12.08
  • Accepted : 2010.01.18
  • Published : 2010.04.30

Abstract

Information technology is being applied to the development of ubiquitous healthcare systems, which provide both efficient patient care and convenient treatment regardless of the patient's location. However, the increasing number of users and the growing volume of medical information give rise to the problems of user management and infringement of privacy. To address these problems we propose a user access scheme based on the RBAC (Role Based Access Control) model. The preceding trust management model for Grid security, FAS (Federation Agent Server), was analyzed and extended to provide supplementary functions for role-based access control in a u-Healthcare system. The RBAC model provides efficient user management and access control, but it is very vulnerable when a user holding a valid role tries to leak confidential internal medical information. To resolve this problem, an RBAC-WS (Work Status with RBAC) model has additionally been developed which allows only qualified staff to access the system while on duty. The proposed RBAC and RBAC-WS models have been merged and applied to the PACS (Picture Archiving and Communication System).

Driven by advances in IT, ubiquitous healthcare systems are being developed that allow convenient treatment regardless of the patient's location. However, as the number of users has surged and medical law has been revised to require disclosure of medical information to doctors or researchers at other hospitals or to patients' families, the problems of user management and privacy infringement have arisen. To address these problems, this paper proposes a user access model based on the role-based access control model. The RBAC model provides efficient user management and access control, but there is no way to stop a malicious user who holds an authorized role from leaking information. To compensate for this weakness of RBAC, we propose the RBAC-WS model, which links a "working status" parameter to the role attribute. By binding the working attribute to the role, even an authorized user is fundamentally blocked from accessing the system outside of work, which resolves the problem of information leakage by insiders. In addition, functions for RBAC were developed so that the model can be used in healthcare systems belonging to different domains, and to analyze the functionality of the RBAC-WS model it was applied to PACS, one of the most widely used healthcare systems.
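As an added illustration (not code from the paper), the following Python sketches the RBAC-WS decision described in the abstract: a classical role-to-permission check followed by a working-status check that denies even a user with an authorized role outside their duty shift. The PACS-style permission strings, the role, user and shift records, and the function names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed PACS-style policy; role, permission and user names are assumptions.
ROLE_PERMISSIONS = {
    "radiologist": {"image:read", "report:write"},
    "referring_physician": {"image:read", "report:read"},
    "researcher": {"image:read"},
}
USER_ROLES = {"alice": {"radiologist"}, "bob": {"researcher"}, "carol": {"radiologist"}}

@dataclass
class WorkingStatus:
    """Working-status parameter bound to a user's role assignment (RBAC-WS)."""
    on_duty: bool
    shift_start: time
    shift_end: time

def within_shift(ws: WorkingStatus, now: time) -> bool:
    """True if `now` lies inside the shift; also handles shifts crossing midnight."""
    if ws.shift_start <= ws.shift_end:
        return ws.shift_start <= now < ws.shift_end
    return now >= ws.shift_start or now < ws.shift_end

def rbac_permissions(user: str) -> set:
    """Classical RBAC: union of the permissions of every role the user holds."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms

def check_access(user: str, permission: str, when: str, status: dict) -> tuple:
    """RBAC-WS decision: a role must grant the permission AND the user must be on duty.
    `when` is the ISO-8601 timestamp of the request, e.g. "2010-04-30T10:00"."""
    if permission not in rbac_permissions(user):
        return False, "no role of the user grants this permission"
    ws = status.get(user)
    if ws is None or not ws.on_duty:
        return False, "user is not on duty"
    if not within_shift(ws, datetime.fromisoformat(when).time()):
        return False, "request is outside the user's shift"
    return True, "role grants permission and user is on duty"

# Constructed working-status records; bob is off duty, carol works a night shift.
STATUS = {
    "alice": WorkingStatus(True, time(8, 0), time(17, 0)),
    "bob": WorkingStatus(False, time(9, 0), time(18, 0)),
    "carol": WorkingStatus(True, time(22, 0), time(6, 0)),
}
```

A denial reason is returned alongside the decision so that off-duty access attempts by otherwise authorized roles can be logged and reviewed separately from ordinary permission failures.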

