Authorization in interoperable medical systems

Abstract

Robust authentication and authorization are vital to next-generation distributed medical systems - the Medical Internet of Things (MIoT). Although future interoperable medical systems carry the potential for improvement of accuracy, consistency, and reliability in the practice of medicine, they also introduce new concerns – novel risks to patients’ safety and privacy. For example, unauthorized access to the device(s) connected to a patient or a medical app (e.g. automated workflow) controlling these devices could result in patient harm, or even death. Furthermore, while in non-safety-critical systems confidentiality is generally prioritized over availability – an explicit “fail-closed” requirement – in medical cyber-physical systems (mCPS) availability must be prioritized over other security properties (because cessation of therapy may be lethal to the patient). This makes it challenging to craft least-privilege authorization policies which preserve patient safety and confidentiality even during emergency situations. Previous work has suggested a virtual version of “Break the Glass” (BTG), an analogy to breaking a physical barrier to access a protected emergency resource such as a fire extinguisher or “crash cart”. In healthcare, BTG is used to override access controls and allow for unrestricted access to resources, e.g. Electronic Health Records. After a “BTG event” completes, the actions of all concerned parties are audited to validate the reasons and legitimacy for the override. In this dissertation, we present a flexible authorization architecture for interoperable medical systems, and implementation and evaluation of the proposed architecture in the context of the Medical Device Coordination Framework (MDCF) high-assurance middleware. We also show how to handle emergency access control override natively within the attribute- based access control (ABAC) model, maintaining full compatibility with existing access control frameworks, putting BTG in the policy domain rather than requiring framework modifications to support it. This approach makes BTG more flexible, allowing for fine- grained facility-specific policies, and even automated auditing in many situations, while maintaining the principle of least-privilege. We do this by constructing a BTG “meta- policy” which works with existing access control policies by explicitly allowing override when requested, with well-defined procedures to return the system to a known secure state with minimal manual auditing. Finally, we formally verify that the resulting combined set of access control policies (as joined with the BTG meta-policy) correctly satisfies the goals of both the original policy set and of BTG. We show how to use the same verification methods to check new or modified policies in real time, easing the process of crafting least-privilege policies.