Modern healthcare systems require collaborations between individual social entities such as hospitals, medical centers, emergency services and community services. One of the most critical issues in this setting is security and privacy, i.e., who can access what and based on which condition(s). In the healthcare system that crosses different administrative domains, each business unit has its own security policies defined and enforced. Therefore the challenge is how security policies shall be specified, compared and integrated if necessary depending on the nature of the inter-domain collaboration. In this paper, we discuss the challenging access control issues in cross-domain healthcare systems. A framework is provided to support authorization control in such an environment, which takes collaboration semantics into account, as well as individual participant's authorization policies.
Key words: Authorization Control, Access Control, Service Composition, Web Service Collaboration,Web Service Security
(ProQuest: ... denotes formulae omitted.)
1.1 Security Issues in Business Collaboration
Ankur Laroia from Southern Union Company recorded the following comments: 'People often forget that healthcare is a many-to-many business. You are not just connecting a hospital to a handful of its branch clinics but to an array of internal and external data sources and applications,' notes Leo Sayavedra, an executive at the Sequence Group, an IT consulting company specializing in systems integration. Each healthcare provider, he says, is an information node that sends and receives transactions to entities outside its firewall .
In a complex environment like healthcare, countless interactions are carried out among numerous hospitals and institutes in different forms and based on different devices and systems. Technologies are needed to support seamless, secure and dynamic inter-organizational collaborations. Emerging Web Service technologies have provided technological support for collaborations that cross organizational boundaries. However, security concerns become one of the main barriers that prevent widespread adoption of the new technologies. Authorization control in web services, particularly in collaborative environment is an area that has not seen many developments.
Security control in inter-organizational collaboration has different focus from single organization environments. In a single organization, the authorization control policy can be defined in terms of roles and their privileges with the adoption of Role Based Access Control (RBAC) . Given a request to access a resource or perform an operation, the policy is enforced by analyzing the credentials of the requester and the decision is made on whether the requester can perform the requested actions.
Inter-organizational collaborations in distributed environment, like healthcare, has the following characteristics. Firstly, each organizationmanages its own resources and defines its own authorization policies based on its own interest. Secondly, individual participating organization can join and leave a collaboration at anytime. Thirdly, an organization can play different roles in a collaboration, it can be a service owner, an agent, or a consumer. An organization can also play several roles at a time. Different roles can imply differences on control power of the participant over the collaboration. Fourthly, organizations collaborate with each other in various ways, which require different security control. Due to the nature of the collaboration as just analyzed above, the following issues can happen:
* Unauthorized Service Propagation: in inter-organizational collaboration, a service can be accessed by a party who can pass the access rights to other parties. It is important to understand whether and under what conditions the privilege are allowed to be forwarded to other parties. …