Ensuring Access Control in Cloud Provisioned

Healthcare Systems
Hema Andal Jayaprakash Narayanan
Department of Computer Science and Engineering
University of Nevada, Reno
Mehmet Hadi Gne
Department of Computer Science and Engineering
University of Nevada, Reno
Abstract An important issues in cloud provisioned multi-tenant
healthcare systems is the access control, which focuses on the
protection of information against unauthorized access. As different
tenants including hospitals, clinics, insurance companies, and
pharmacies access the system, sensitive information should be
provided only to authorized users and tenants. In this paper, we
analyze the requirements of access control for healthcare multi-
tenant cloud systems and propose to adapt Task-Role Based Access
Control with constraints such as least privilege, separation of duty,
delegation of tasks, and spatial and temporal access.
Keywords - Access control, Cloud computing, eHealth.
I. INTRODUCTION
New technologies provide great opportunities to enhance
business models. In particular, cloud computing paradigm
moves computing and storage tasks from individual systems
into the cloud, which provides hardware and software resources
over the Internet. Such cloud computing facilities can be
employed for eHealth platforms to provide information flow
between multiple entities such as hospital, clinics, pharmacy,
labs, and insurance companies [3].
Healthcare is a dynamic complex environment with many
participants including patients, nurses, lab technicians,
researchers, receptionists, and IT professionals. Recently, the
Health Information Technology for Economic and Clinical
Health (HITECH) Act is established to convert nations health
care records to digital formats such as Electronic Health
Record (EHR) to improve rapid transmission of medical
information and making health care systems more efficient [4].
To protect patient information from unauthorized access and
comply with the Health Insurance Portability and
Accountability (HIPAA) privacy and security rules, health care
organizations need global policies for access to patient
information.
Access control of data should be flexible and fine grained
depending on the dynamic nature of the health care system as
multiple entities will interact with the data. Access rights to
resources must be granted to users only for the amount of time
that is necessary. For example, a doctor should be given access
to medical history of a patient only when he/she is an active
patient of the doctor. Although an organization may trust its
employees, errors may also cause leak of sensitive information
to non-authorized individuals. Hence, cloud provisioned
eHealth systems should provide access to data only when
necessary and protect users from unintentional errors [8].
Moreover, access policies should support essential
operations to perform an individuals job duties. For instance,
the system should limit read, copy, and print operation on
sensitive information to only the necessary personnel for a
specific duration. Access control should determine who has
access to data, which type of accesses are allowed, what
functions are provided, under what conditions, and for what
duration.
In this paper, we adapt Task-Role-Based Access Control,
which considers the task in hand and the role of the user [15].
We support both workflow based and non-workflow based
tasks and authorize subjects to access necessary objects only
during the execution of the task. In order to synchronize the
workflow with the authorization flow, we adapt the Workflow
Authorization Model [6]. For example, lets assume a patient
with acute abdominal pain is admitted to the emergency
department and the patient is assigned to an intern on duty.
The workflow is initiated once the patient is admitted. The
intern first checks the patients medical history and performs
physical exam. The intern may order some lab tests or may
ask another specialists opinion. The workflow concludes with
writing diagnosis on the patients record.
In the rest of the paper, we first present the related work in
the cloud computing and the access control in Section II. In
Section III, we analyze the requirements for access control for
cloud provisioned healthcare systems. Then, we present the
details of task role based access control model for the eHealth
system in Section IV. In Section V, we discuss the
implementation details of our deployed system (accessible
online at [1]). Finally, we conclude with Section VI.
II. RELATED WORK
A. Cloud Computing
Cloud computing is a recent trend in the cyber world that
has the potential to change the Information Technology by
deploying cyber infrastructures. The basic idea in cloud
computing is to move computing tasks from individual systems
into the cloud, which provides hardware and software resources
over the Internet [11]. Cloud providers deploy computing,
storage and network infrastructure and provide service
assurances to its customers, either an individual or a company.
The main advantage of cloud computing is that the customers
can avoid capital expenditure on hardware, software, and
service but pay for only what they use to a cloud provider.
With the advent of cloud computing as a new computing
paradigm, flexible services can be transparently provided to
users over the dynamic cloud environment where multiple
systems interact. By tapping into the cloud infrastructure, users
can gain fast access to best-of-breed applications and
drastically boost computing resources in a cost-effective way.
Institutions can also improve their information technologys
agility and reliability, and obtain device and location
independence.
B. Access Control
Researchers have developed various access control methods
to access a resource in computing systems [16]. Among
commonly deployed approaches access control lists, which
attaches list of permissions to each object, and access control
matrix, which characterizes the rights of each subject with
respect to every object, are not suitable for large organizations
that have many subjects and objects. Discretionary access
control depends on the discretion of an objects owner who is
authorized to control the information resource access.
Discretionary access control is ownership based and doesn't
provide high degree of security in distributed systems. In
mandatory access control a central authority determines what
information is to be accessible by whom. Security labeling in
mandatory access control is not flexible and is not convenient
for task execution [13].
In role-based access control (RBAC), access rights are
associated with roles, and users are assigned to appropriate
roles [9]. Figure 1 shows the basic components of role-based
access control, i.e., user, role, session and permission. Role
Hierarchy allows the senior role to inherit from junior roles.
This model has been considered in health systems [10]. Being a
passive access control model, role-based access control fails in
capturing dynamic responsibilities of users to support
workflows, which need dynamic activation of access rights for
certain tasks.

Figure 1: RBAC Entities and Their Relationships
In task-based authorization control (TBAC), permissions
are activated or deactivated according to the current task or
process state [18]. Task-based authorization control is an active
access control model based on tasks but there is no separation
between roles and tasks. In Task-Role-Based Access Control
(T-RBAC), users have relationship with permissions through
roles and tasks [15]. T-RBAC is an active access control model
and provides partial authority inheritance in role hierarchy. In
this paper, we adapt T-RBAC model to healthcare cloud
systems.
III. ACCESS CONTROL REQUIREMENTS
In determining access control mechanism many factors
need to be considered including users, information resources,
roles, tasks, workflow and business rules [8]. The following are
the factors important to healthcare cloud systems.
Tenant: A tenant Tn
i
is a customer such as hospital, clinic,
and pharmacy in the healthcare system.
User: A user u
i
is either an employee of a tenant or a
patient of the healthcare provider. Users are subjects of the
access control. Each tenant has multiple users which include
patients, doctors, nurses, and technicians.
Task: A task t
i
is a fundamental unit of business activity.
Tasks are assigned to users based on the role they have and
their access rights are determined for fulfilling assigned tasks.
Information Resource: Information resources are the
objects of access control and include files and databases.
Business Role: Business role is provided to each user based
on the business activities they perform in the organization. A
role r
i
links a user to certain tasks providing access rights to
needed information resources.
Permission: A permission p
i
is the authorization to perform
an operation on an object.
Session: A session s
i
maps a user u
j
to different roles {r
k
,
r
l
, r
m
, }, i.e., s
i
: u
j
, {r
k
, r
l
, r
m
, }.
Workflow: Workflow is a set of tasks to perform a
business function. Tasks that are part of a workflow require
active access control [12]. On the other hand, tasks that are not
part of a workflow require passive access control. Healthcare
systems have both workflow and non-workflow tasks and
should support both passive and active access control.
For instance, Figure 2 shows both passive and active access
control. Physician may execute the View Current Patient List
task to accesses File1 information resource at any time. This
non-workflow task assignment causes immediate activation of
the access rights to read File1, a passive access control. On the
other hand, the Write Prescription task belongs to a
workflow. Executing the tasks in the workflow is done in a
defined order and is available for specific time period.
Although the Write Prescription task is assigned to physician,
he/she can activate his/her access rights only when the prior
View Lab Results task is completed. In this case, as an active
access control, authorization is separated from the activation of
access rights.
Figure 2: Passive and Active Access Control
Business Rule: Business rules are the standard practices of
users which the organization follows and it may differ from one
organization to another. Business rules include
- Least Privilege indicates that permissions are assigned
selectively to users in such a manner such that no user is
given more permissions than is necessary to perform his/her
job [7]. The least privilege policy avoids the problem of an
individual with the ability to perform unnecessary and
potentially harmful actions as merely a side-effect of
granting the ability to perform desired functions.
- Least Separation of Duty reduces the likelihood of
collusion by distributing the responsibilities for tasks in a
workflow between multiple participants and protects against
fraudalent activities of individuals [19]. Distribution of
responsibilities could be static, which govern the
administration/design-time associations between users and
permissions, and dynamic, which govern the way in which
permissions are granted at run-time.
- Delegation of Tasks allows to perform a task when the
initially assigned user is not available to complete the task.
- Spatial and Temporal constraints are used for enhancing
the security of applications [5]. Since healthcare cloud
system can be accessed from anywhere and at anytime,
there is a need to include location and time constraints over
access rights. For example, in family practice a doctor/nurse
should be given access to patients record for office hours
and only in office.
- Classification of Tasks is important to determine inheritable
and non-inheritable tasks [15]. Considering active and
passive access control there are four classes of tasks
depending on business role and workflow, as in Table 1.
Table 1: Task Classification
Non-Inheritable Inheritable
Passive Access Control Private Supervision
Active Access Control Workflow Approval
Class Private: In figure 3, View Current Patient List is a
task for physician. Even though senior physician is a
superior role to the physician, it does not inherit the access
right to perform the View Current Patient List task. Also
the task does not have any relationship with other tasks.

Figure 3: Class Private
Class Supervision: In figure 4, Diagnosis Details of the
physician is reviewed and inherited by the superior role
senior physician to give feedback/suggestions. The task
does not belong to a workflow.

Figure 4: Class Supervision
Class Workflow: In figure 5, Check Patient task is only
performed by the assigned physician. For patient privacy,
it is not inherited to the superior role senior physician.
This task has a relationship with other tasks.

Figure 5: Class Workflow
Class Approval: In figure 6, Supervisor Opinion task is
assigned to the physician role and the senior physician can
inherit the task only if the physician is supervised by that
senior physician. The task has relationship with other
tasks.
Perform
Lab Tests
(T3)
Do Physical
Exam(T1)
Check
Patient (T2)
Supervisors
Opinion (T6)
Write
Prescription
(T5)
View Lab
Results
(T4)
Supervisor
Opinion
Physician Senior Physician
Family Practice

Figure 6: Class Approval
Role Hierarchy: Role Hierarchy can be either Supervision
as in Figure 4 or Approval as in Figure 6.
Scope: Access control is managed at the scope level. Each
scope inherits roles, permissions, and business rules from any
parent scope according to the health system's relationship
strategy and it can modify, add, and delete them as appropriate.
In the light of above discussion, we assume different
healthcare organizations, e.g., hospitals, clinics, and
pharmacies, use different instances of the cloud provided
healthcare system with a centralized database accessible
through the cloud. Sharing health information between
organizations provides up-to-date information about a client
when needed. We should note that, access to the information is
provided based on the need to know principle.
Moreover, updates to security attributes and configurations
to system participants should be only available to healthcare
system administrators, who are different from cloud system
administrators. That is, healthcare system providers will
determine access rights to data sources and decide on proper
workflows for business operations. These administrators will
not be able to access the data and their activities will be
monitored by a third party such as governmental health agency.
IV. TASK ROLE BASED ACCESS CONTROL WITH CONSTRAINTS
In the healthcare cloud system, we use roles to support
passive access control and tasks to support active access
control as shown in Figure 7. A tenant in the cloud system has
multiple users. Each user is assigned a role, roles are assigned
to workflow or non-workflow tasks, and tasks are assigned to
permissions. Users with a defined role can run various tasks
through either workflow and non-workflow tasks assigned to
their role. Permissions are given to roles according to their
tasks and assigned permissions dynamically change according
to the task in hand.

Figure 7:Task-Role Based Access Control with Constraints
Authorization determines who can do which tasks with
what role under what conditions. It is defined by the states or
tuples (U, R, T, P, C) where U is the set of users u
i
, R is the set
of roles r
i
, T is the set of tasks t
i
, P is the set of permissions p
i
,
and C is the set of constraints c
i
. For example, the tuple (John,
doctor, read patient information, read, daytime and office
location) defines the policy that John as a doctor reads patient
information from office during office hours.
A. Assignments
Following are possible pair of entity assignments in the
access control mechanism.
Tenant-User Assignment: A cloud system has several
tenants each with various users.
User-Role Assignment: A user can be assigned one or
more roles. Similarly, a role can be assigned to multiple users.
Users and roles have many-to-many relationship.
Task-Role Assignment: A role can be assigned multiple
tasks and a task can be assigned to multiple roles. Tasks and
roles have many-to-many relationship.
Permission-Task Assignment: Tasks are assigned
permission to be executed.
Task-Workflow Assignment: Only tasks belonging to
workflow or approval classes are assigned to a certain
workflow.
B. Task Constraints
Following are major constraints in access control.
Least Privilege: Least privilege is achieved through task
instances. The access permission starts when the task is
initiated and the access control permissions are revoked when
the task is completed. The task instance is created for each
user and the user gets to see only certain information. For
example, if a dentist initiates the workflow for a patient, the
task instance shows only the details of dental records. Once
the task is completed, his/her access rights to the records are
revoked. This mechanism supports least privilege and fine
grained access control.
Static and Dynamic Separation of Duty: Separation of
duty is done at task definition and task instance levels. The task
unit has a smaller scope of access rights than the role unit.
Static separation of duty is done at task definition level and
applies to tasks belonging to the same workflow. For example
if t
i
and t
j
are mutually exclusive and belong to different
workflow, seperation of duty does not apply to them. Static
seperation of duty prohibits assigning two or more mutual tasks
to the same role at the same time. Dynamic separation of duty
is done at task instances level. Task instances are created when
the task is initiated and dynamic separation of duty prohibits
concurrent execution of two or more exclusive tasks by the
same role.
Delegation: Delegation is done through fine grained task
assignment by the initially assigned user. For example, if a
doctor can not attend a patient, the task can be delegated to
another doctor. Delegation happens in supervision, workflow
and approval classes.
Spatio-Temporal Constraints: Users location and time is
taken into consideration for granting access to a task. When a
tenant registers in the system, its office and clinic locations are
stored for later authorizations requiring temporal verification.
V. IMPLEMENTATION DETAILS
We have implemented the task-role based access control in
our online healthcare system
1
in Amazon Elastic Compute
Cloud (Amazon EC2). Amazon EC2 is chosen as it provides
the flexibility of choosing the operating system, software
packages and instance types [2]. Instance type depends on the
memory size and computing power. Small standard instance
type for Windows Server base is chosen as the development
environment with 1.7GB of memory, an EC2 compute unit
and 160GB of instance storage. Tomcat is used as the servlet
container for deploying the application. J ava Server Pages
(J SPs), java servlets and java beans are used as the
programming languages for developing access control security
modules for the healthcare system. The information for task-
role based access control and the healthcare application is
stored in a relational SQL database.
Figure 8 shows the high level design for the access control
implementation. System administrator for the tenant manages

1
http://ec2-184-72-45-148.us-west-1.compute.amazonaws.com/CloudWebProject/Login.jsp
the management system to define users, roles, tasks,
permissions, resources, constraints and policies for the
authorization. All of the information is stored in a relational
database. User, role, task information are taken from the
respective tables and the authorization is done using the
policies. Healthcare applications have many users which are
classified into different roles such as system administrator,
physician, senior physician, helpdesk, nurse, lab technician,
and patient. In our model, the provider creates system
administrator role for each tenant and assigns access rights to
them so that they manage authentication and authorization for
their own domain.
Figure 8: Overview of the System Design
Flexible policies are created and constraints are imposed
on users and tasks so that permission misuse is prohibited.
Role inheritance is driven through the role hierarchy and
involved tasks. Separation of duty is done with different task
definitions and task instances to support both static and
dynamic policies. Tasks may be delegated and the delegation
rights are revoked once the task is completed leading to the
least privilege principle. Scope level is used in the cloud so
different business units in the same tenant can use the same
access control model.
When a user logins, the system verifies user credentials
and determines his/her roles. According to the role, the task
selection page displays the tasks for active roles. For a system
administrator, user, role, and workflow maintenance tasks are
also provided. In role maintenance, the system administrator
may add a new role, delete a role, and update the roles in the
system. In user maintenance, the system administrator can
add, modify, and delete user credentials and determine role
assignment to users. In workflow maintenance, the system
administrator can create, modify, and delete workflows for the
tenant. Multiple tasks are assigned to each workflow and a
certain flow of the tasks is determined.
Finally, passwords are stored in the database as a hash
value using the MD5 message digest algorithm [17]. As large
databases may have users with the same password, we use a
random salt value. Using salt values also protects against
attackers that use large pre-computed hash values in rainbow
tables to break passwords [14]. When a user wants to login,
their salt value is provided to them and they send resulting
hash value over a secure SSL connection to be compared with
the stored one.
VI. CONCLUSION
eHealth systems have multiple tenants with differing users.
Access to sensitive resources should be provided only to
authorized users and tenants. In this paper, we analyzed the
requirements of access control model for healthcare cloud
systems and proposed an improved access control model for
cloud instances by extending Task-Role Based Access Control
to include task and user constraints to support multitenant
cloud applications. Our model provides flexible access rights
which are modified dynamically as tasks change. It also uses
fine grained constraints such as task and user constraints in
addition to scope level for each tenant. We have implemented
the system on Amazon EC2 and is publicly accessible at [1].
REFERENCES
[1] http://ec2-184-72-45-148.us-west-1.compute.amazonaws.com/
CloudWebProject/Login.jsp
[2] Amazon EC2, Available at: http://aws.amazon.com/ec2
[3] Healthcare SaaS Vs. Licensed Software, Healthcare Technology
Online, September 2009.
[4] Meeting HITECHs Challenge to the Health Care Industry, An Oracle
White Paper, May 2010.
[5] Kyriakos Anastasakis, Behzad Bordbar, Geri Georg, Indrakshi Ray, and
Manachai Toahchoodee, Ensuring Spatio-Temporal Access Control for
Real-World Applications, Proceedings of the 14th ACM symposiumon
Access control models and technologies, SACMAT J une 2009.
[6] V. Atluri and W.-K. Huang. An authorization model for workflows. In
proc. of the ESORIC 1996, LNCS1146, pages 4464, September 1996.
[7] J . F. Barkley , D. F. Ferraiolo, and D. R. Kuhn, A Role based Access
Control Model and Reference Implementation within a Corporate
Intranet, ACM Trans. on Information and SystemSecurity, Feb 1999.
[8] Reinhardt A.Botha, CoSAWoE A Model for Context-sensitive Access
Control in Workflow Environments, South Africa (2001).
[9] E. Coyne, H. Fenstein, R. Sandhu and C. Youman, "Role-Based Access
Control Models", IEEE Computer, 29(2):38-47,1996.
[10] O. Edsberg and L. Rstad, A Study of Access Control Requirements for
Healthcare Systems Based on Audit Trails from Access Logs, In Proc.
of 22nd Annual Computer Security Applications Conference, Miami,
Florida, December, 2006.
[11] Robert Elsenpeter, Anthony T. Velte, and Toby J . Velte, Cloud
Computing A Practical Approach, McGraw Hill, 2010.
[12] Y. Fan, W. Shi, C. Wu, Fundamentals of Workflow Management
Technology, Tsinghua New York: Springer Verlag, 2001, pp. 30-35.
[13] Hao J iang, Shengye Lu, RTFW: An Access Control Model for Workflow
Environment, Computer Supported Cooperative Work in Design, 10th
International Conference on, May 2006.
[14] P. Oechslin, Making a faster cryptanalytic time-memory trade-off,
Advances in Cryptology - CRYPTO 2003. Lecture Notes in Computer
Science, vol. 2729, pp 617--630.
[15] Sejong Oh, Seog Park, Task-Role-Based Access Control Model,
Information System, September 2003.
[16] C.P. Pfleger, Security in Computing, 2nd Edition, Prentice-Hall
International Inc., Englewood Cliffs, NJ , 1997.
[17] R. Riverst, The MD5 Message-Digest Algorithm, RFC 1321, Apr
1992.
[18] R. S. Sandhu and R. K. Thomas, Task-based authorization controls
(TBAC): A family of models for active and enterprise-oriented
authorization management, In proceedings of the IFIP WG11.3
Workshop on Database Security, August 1997.
[19] Mary Ellen Zurko and Richard Simon, Separation of duty in role-
based environments, Proceedings of the 10
th
IEEE Computer Security
Foundations Workshop (CSFW '97), pages 183.194, 1997.