Treatment Information based Risk Evaluation Method in Medical Information Systems

Treatment Information based Risk Evaluation Method in Medical Information Systems (Korean title)

  • Donghee Choi (Department of Computer Engineering, Sogang University);
  • Seog Park (Department of Computer Engineering, Sogang University)
  • Received: 2016.06.08
  • Accepted: 2016.07.03
  • Published: 2016.09.15

Abstract

RBAC (Role-Based Access Control), which is widely used in medical information systems, is vulnerable to illegitimate access through abuse or misuse of granted permissions. To address this problem, a treatment-based risk assessment of access requests is necessary. In this paper, we propose a risk evaluation method based on treatment information. We use network analysis to determine the correlation between treatment information and the information objects being accessed. The resulting risk evaluation can detect accesses that are unrelated to the treatment, and it also provides an indicator of insider information-disclosure threats. We verify the validity of the method using large volumes of data from real medical information systems.

Role-based access control, which is widely used in medical information systems, allows abnormal access attempts through misuse or abuse of granted permissions. To address this, an evaluation of how much risk an access request carries, based on treatment information, is needed. Therefore, this paper proposes a treatment-information-based risk evaluation method by performing a network association analysis between a patient's treatment information and the information objects being accessed. The computed risk was used as an initial indicator for detecting accesses weakly related to the clinical work and for judging insider information-leakage threats, and large-scale empirical data from a real medical information system were used to verify the accuracy of the analysis.
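As an added illustration of the idea described in the abstract (this is not the paper's own code or metric), the Python sketch below builds a treatment-to-object association graph from constructed access records and scores a new request by how weakly its target object is associated with the patient's treatment. The association weight (accesses to the object divided by the treatment's most-accessed object), the sample records and the threshold are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample of historical, legitimate access records:
# (treatment code, accessed information object). Hypothetical values.
HISTORY = [
    ("T-cardio", "ecg_report"), ("T-cardio", "ecg_report"), ("T-cardio", "ecg_report"),
    ("T-cardio", "lab_lipid"), ("T-cardio", "medication_list"),
    ("T-ortho", "xray_knee"), ("T-ortho", "xray_knee"),
    ("T-ortho", "medication_list"), ("T-ortho", "physio_notes"),
]


def build_association_graph(history):
    """Bipartite weighted graph: treatment -> {object: weight in (0, 1]}.
    Assumed metric: access count for the object divided by the access count
    of that treatment's most frequently accessed object."""
    counts = defaultdict(lambda: defaultdict(int))
    for treatment, obj in history:
        counts[treatment][obj] += 1
    graph = {}
    for treatment, objs in counts.items():
        peak = max(objs.values())
        graph[treatment] = {o: c / peak for o, c in objs.items()}
    return graph


def access_risk(graph, treatment, obj):
    """Risk in [0, 1]: one minus the association weight. An object never
    seen for this treatment (or an unknown treatment) scores 1.0."""
    return 1.0 - graph.get(treatment, {}).get(obj, 0.0)


def evaluate_requests(graph, requests, threshold=0.9):
    """Score a batch of (user, treatment, object) requests; a request at or
    above the threshold is flagged as unrelated to the treatment."""
    results = []
    for user, treatment, obj in requests:
        risk = access_risk(graph, treatment, obj)
        results.append((user, treatment, obj, risk, risk >= threshold))
    return results


if __name__ == "__main__":
    g = build_association_graph(HISTORY)
    for row in evaluate_requests(g, [("u1", "T-cardio", "ecg_report"),
                                     ("u2", "T-cardio", "xray_knee")]):
        print(row)
```

In the sample, the cardiology access to the ECG report scores 0.0 while the cardiology access to a knee X-ray scores 1.0 and is flagged; the flagged cases are the candidates for review described in the abstract, not automatic denials.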

Acknowledgement

Supported by: National Research Foundation of Korea (한국연구재단)
