Ph.D. Student: Beimel Dizza
Subject: Situation-Based Access Control: Privacy Management via Modeling of Scenarios of Access to Patient Data
Department: Department of Industrial Engineering and Management
Supervisors: Professor Dov Dori, Dr. Mor Peleg
Access control is a central problem in privacy management. A common practice in controlling access to sensitive data, such as electronic health records (EHRs), is Role-Based Access Control (RBAC). RBAC is limited because it does not account for the circumstances under which access to sensitive data is requested. We introduced an alternative approach for restricting access to patient data, Situation-Based Access Control (SitBAC). SitBAC is a conceptual model for representing authorization policies, in which health organizations can specify their regulations concerning permissions to access patients' data in a formal knowledge base.
The main concept underlying the SitBAC model is the Situation Schema, a pattern consisting of the entities Data-Requestor, Patient, EHR, Access Task, Legal-Authorization, and Response, along with their properties and relations. The various data-access scenarios are expressed as Situations, which are formal representations of those scenarios.
The research included three main parts: (1) after eliciting data and analyzing it with qualitative research methods, we formulated a conceptual model of data-access requests using Object-Process Methodology (OPM) to specify these requests; (2) we then defined a formal ontology for the SitBAC model and evaluated its usability in a controlled experiment; and (3) we built a knowledge base of access-request situations and an algorithm that compares a new request against the situations in that knowledge base.
While we focus on the medical domain, the model is generic and can be adapted to other domains.
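To make the Situation Schema and the request-comparison step concrete, here is an added toy matcher written for this page; it is not the thesis's own code or ontology. Each stored Situation constrains properties of the entities named in the abstract (Data-Requestor, Patient, EHR, Access Task, Legal-Authorization) and carries a Response; the "most specific match wins, no match means deny" rule and all sample values are assumptions of this example.

```python
# Added example, not the thesis's own code: a toy SitBAC-style matcher.
# A stored Situation fixes properties of the entities named in the abstract
# (Data-Requestor, Patient, EHR, Access-Task, Legal-Authorization) and carries a
# Response; "*" is a wildcard. The matching rule (most specific match wins,
# no match means deny) and every sample value are assumptions of this example.
from dataclasses import dataclass

ANY = "*"
ENTITIES = ("requestor", "patient", "ehr", "access_task", "legal_auth")

@dataclass(frozen=True)
class Situation:
    name: str
    pattern: dict   # entity name -> {property: required value or ANY}
    response: str   # "permit" or "deny"

def _matches(sit: Situation, request: dict) -> bool:
    """Every constrained property in every entity slot must equal the request's value."""
    for entity in ENTITIES:
        actual = request.get(entity, {})
        for prop, want in sit.pattern.get(entity, {}).items():
            if want != ANY and actual.get(prop) != want:
                return False
    return True

def specificity(sit: Situation) -> int:
    """Count of concrete (non-wildcard) constraints; used to prefer the closest Situation."""
    return sum(v != ANY for slot in sit.pattern.values() for v in slot.values())

def decide(request: dict, knowledge_base: list) -> tuple:
    """Compare a request with each stored Situation; return (response, situation name)."""
    matches = [s for s in knowledge_base if _matches(s, request)]
    if not matches:
        return ("deny", None)          # assumed default: an unknown scenario is refused
    best = max(matches, key=specificity)
    return (best.response, best.name)

# Constructed knowledge base of three data-access situations.
KB = [
    Situation("treating-physician-read",
              {"requestor": {"role": "physician"}, "access_task": {"type": "read"},
               "legal_auth": {"treatment_relationship": True}}, "permit"),
    Situation("psychiatric-notes-need-consent",
              {"requestor": {"role": "physician"}, "ehr": {"section": "psychiatric_notes"},
               "access_task": {"type": "read"},
               "legal_auth": {"treatment_relationship": True, "patient_consent": False}}, "deny"),
    Situation("researcher-deidentified-read",
              {"requestor": {"role": "researcher"}, "patient": {"deidentified": True},
               "access_task": {"type": "read"}, "legal_auth": {"irb_approval": True}}, "permit"),
]
```

A request is a dict with the same five entity keys; the more specific deny situation overrides the general physician-read permit when a physician reads psychiatric notes without patient consent.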