Privacy Model (PM) Example

For demonstration purposes, a simple application example was developed together with Simone Fischer-Hübner. Although several modules are used, the focus clearly lies on the Privacy Model, which is the most complex and powerful one; the other modules are used only for special purposes.

Demonstration Goal

A small medical treatment center wants to use centralized data management. A high level of privacy is to be guaranteed for all patient data, but statistical research on operations and selective data transmission to other centers must remain possible. The principles of minimal knowledge and separation of duties are to be enforced.

Storing and processing of data are done within one protected system, without remote access from, or transfer to, other systems. The only exceptions are the transfer of billing data to the patient's medical insurance company and the necessary transfer of diagnosis data to another medical treatment center. Both require a secure network connection.

The patient's way through treatment shall follow these steps:

  1. Reception by a clerk
  2. Diagnosis and treatment instruction by an examination specialist
  3. Operation by a surgeon or transfer to another medical treatment center
  4. Recovering therapy
  5. Dismissal by a clerk
  6. Billing to the patient's medical insurance company

Transferral into Privacy Model

First of all, the purposes of data storage and their tasks are defined:

Purpose     | Tasks
------------|----------------------------------------------
Treatment   | Diagnosis, Operation, Therapy, Transfer
Management  | Reception, Dismissal, Billing, Data transfer
Research    | Statistics

For storage the following object classes are needed:

Object class           | Purpose               | Contents
-----------------------|-----------------------|--------------------------------------------
Reception data         | Management            | Basic patient data
Billing data           | Management            | Data needed for billing
Diagnosis              | Treatment             | Diagnosis data
Treatment instruction  | Treatment             | Instructions for surgeons and therapists
Operation data         | Treatment             | Operation protocol
Action data            | Management, Treatment | Protocol of treatment actions
Statistics             | Research              | Statistics on operations

Next, users are defined and authorized for their tasks:

User           | Authorized tasks
---------------|------------------------------
Examinator     | Diagnosis, Therapy, Transfer
Surgeon        | Operation, Transfer
Therapist      | Therapy
Clerk          | Reception, Dismissal
Billing clerk  | Billing, Data transfer
Scientist      | Statistics

Data processing is done by transformation procedures:

TP                  | Usage
--------------------|------------------------------------------------------------------------
pm_create           | Creation of data files of a class
Appending editor    | Appending text to an existing file
Editor              | Modifying a text file
Display program     | Displaying a text file on the screen
Deletion program    | Deletion of a file
Transfer program    | Encrypted data transfer by interprocess communication
Statistics program  | Reading files, calculating statistics, writing those to another file

The next step is the definition of authorized TPs for all tasks:

Task           | Authorized TP
---------------|------------------------------------------------------
Diagnosis      | pm_create, Appending editor, Editor, Display program
Operation      | pm_create, Appending editor, Editor, Display program
Therapy        | Appending editor, Display program
Transfer       | Transfer program
Reception      | pm_create, Editor
Dismissal      | Appending editor
Billing        | Editor, Display program
Data transfer  | Transfer program
Statistics     | pm_create, Editor, Statistics program

Finally, all necessary accesses are to be granted. The possible access modes are Read, Write, Delete, Create and Append.

Task           | Object class                | TP                  | Accesses
---------------|-----------------------------|---------------------|----------------------
Diagnosis      | Diagnosis                   | pm_create           | Create
Diagnosis      | Diagnosis                   | Editor              | Read, Write, Append
Diagnosis      | Diagnosis                   | Display program     | Read
Diagnosis      | Action data                 | Appending editor    | Append
Diagnosis      | Treatment instruction       | pm_create           | Create
Diagnosis      | Treatment instruction       | Editor              | Read, Write, Append
Operation      | Treatment instruction       | Display program     | Read
Operation      | Operation data              | pm_create           | Create
Operation      | Operation data              | Editor              | Read, Write, Append
Operation      | Action data                 | Appending editor    | Append
Therapy        | Treatment instruction       | Display program     | Read
Therapy        | Action data                 | Appending editor    | Append
Transfer       | Diagnosis                   | Transfer program    | Read
Transfer       | Treatment instruction       | Transfer program    | Read
Transfer       | Interprocess Communication  | Transfer program    | Create, Write, Append
Reception      | Reception data              | pm_create           | Create
Reception      | Reception data              | Editor              | Read, Write, Append
Reception      | Action data                 | pm_create           | Create
Reception      | Action data                 | Appending editor    | Append
Dismissal      | Reception data              | Appending editor    | Append
Dismissal      | Action data                 | Appending editor    | Append
Billing        | Action data                 | Display program     | Read
Billing        | Billing data                | pm_create           | Create
Billing        | Billing data                | Editor              | Read, Write, Append
Data transfer  | Billing data                | Transfer program    | Read
Data transfer  | Interprocess Communication  | Transfer program    | Create, Write, Append
Statistics     | Statistics data             | pm_create           | Create
Statistics     | Statistics data             | Editor              | Read, Write, Append
Statistics     | Statistics data             | Deletion program    | Delete
Statistics     | Statistics data             | Statistics program  | Write, Append
Statistics     | Diagnosis                   | Statistics program  | Read
Statistics     | Treatment instruction       | Statistics program  | Read
Statistics     | Operation data              | Statistics program  | Read
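To show how the tables above combine into one access decision, here is an added Python example; it is not part of the RSBAC handbook and is not rsbac_pm's format or API. It encodes the page's user, task, TP and necessary-access tables as constructed data (using the names rather than the numbers rsbac_pm expects), decides an access by the three lookups the text describes (user authorized for the current task, TP authorized for the task, necessary access present), and cross-checks the tables for rows that can never be used. Purpose binding and patient consent, which the Privacy Model also evaluates, are deliberately left out.

```python
# Constructed model of this page's PM tables (names instead of rsbac_pm's numbers);
# not rsbac_pm's own format or API.
from typing import Dict, Set, Tuple

# Page table "User / Authorized tasks".
USER_TASKS: Dict[str, Set[str]] = {
    "Examinator": {"Diagnosis", "Therapy", "Transfer"},
    "Surgeon": {"Operation", "Transfer"},
    "Therapist": {"Therapy"},
    "Clerk": {"Reception", "Dismissal"},
    "Billing clerk": {"Billing", "Data transfer"},
    "Scientist": {"Statistics"},
}

# Page table "Task / Authorized TP".
TASK_TPS: Dict[str, Set[str]] = {
    "Diagnosis": {"pm_create", "Appending editor", "Editor", "Display program"},
    "Operation": {"pm_create", "Appending editor", "Editor", "Display program"},
    "Therapy": {"Appending editor", "Display program"},
    "Transfer": {"Transfer program"},
    "Reception": {"pm_create", "Editor"},
    "Dismissal": {"Appending editor"},
    "Billing": {"Editor", "Display program"},
    "Data transfer": {"Transfer program"},
    "Statistics": {"pm_create", "Editor", "Statistics program"},
}

# Page table "Task / Object class / TP / Accesses" as (task, class, TP, modes) rows.
_ROWS = [
    ("Diagnosis", "Diagnosis", "pm_create", "Create"),
    ("Diagnosis", "Diagnosis", "Editor", "Read, Write, Append"),
    ("Diagnosis", "Diagnosis", "Display program", "Read"),
    ("Diagnosis", "Action data", "Appending editor", "Append"),
    ("Diagnosis", "Treatment instruction", "pm_create", "Create"),
    ("Diagnosis", "Treatment instruction", "Editor", "Read, Write, Append"),
    ("Operation", "Treatment instruction", "Display program", "Read"),
    ("Operation", "Operation data", "pm_create", "Create"),
    ("Operation", "Operation data", "Editor", "Read, Write, Append"),
    ("Operation", "Action data", "Appending editor", "Append"),
    ("Therapy", "Treatment instruction", "Display program", "Read"),
    ("Therapy", "Action data", "Appending editor", "Append"),
    ("Transfer", "Diagnosis", "Transfer program", "Read"),
    ("Transfer", "Treatment instruction", "Transfer program", "Read"),
    ("Transfer", "Interprocess Communication", "Transfer program", "Create, Write, Append"),
    ("Reception", "Reception data", "pm_create", "Create"),
    ("Reception", "Reception data", "Editor", "Read, Write, Append"),
    ("Reception", "Action data", "pm_create", "Create"),
    ("Reception", "Action data", "Appending editor", "Append"),
    ("Dismissal", "Reception data", "Appending editor", "Append"),
    ("Dismissal", "Action data", "Appending editor", "Append"),
    ("Billing", "Action data", "Display program", "Read"),
    ("Billing", "Billing data", "pm_create", "Create"),
    ("Billing", "Billing data", "Editor", "Read, Write, Append"),
    ("Data transfer", "Billing data", "Transfer program", "Read"),
    ("Data transfer", "Interprocess Communication", "Transfer program", "Create, Write, Append"),
    ("Statistics", "Statistics data", "pm_create", "Create"),
    ("Statistics", "Statistics data", "Editor", "Read, Write, Append"),
    ("Statistics", "Statistics data", "Deletion program", "Delete"),
    ("Statistics", "Statistics data", "Statistics program", "Write, Append"),
    ("Statistics", "Diagnosis", "Statistics program", "Read"),
    ("Statistics", "Treatment instruction", "Statistics program", "Read"),
    ("Statistics", "Operation data", "Statistics program", "Read"),
]
NECESSARY: Dict[Tuple[str, str, str], Set[str]] = {
    (t, c, p): set(m.split(", ")) for t, c, p, m in _ROWS
}


def access_allowed(user: str, current_task: str, object_class: str,
                   tp: str, access: str) -> Tuple[bool, str]:
    """One decision as the page describes it: user authorized for the current
    task, TP authorized for the task, and a necessary-access row granting the
    mode. Purpose binding and patient consent are not modelled here."""
    if current_task not in USER_TASKS.get(user, set()):
        return False, f"user {user!r} not authorized for task {current_task!r}"
    if tp not in TASK_TPS.get(current_task, set()):
        return False, f"TP {tp!r} not authorized for task {current_task!r}"
    if access not in NECESSARY.get((current_task, object_class, tp), set()):
        return False, f"no necessary access {access!r} on {object_class!r} via {tp!r}"
    return True, "allowed"


def unauthorized_tp_rows() -> Set[Tuple[str, str]]:
    """Access rows whose TP the task is not authorized for: dead rows, since
    the TP check fails before the row is ever consulted."""
    return {(t, p) for t, _c, p in NECESSARY if p not in TASK_TPS.get(t, set())}


def unused_authorizations() -> Set[Tuple[str, str]]:
    """Authorized (task, TP) pairs that no access row uses: grants nobody
    needs, which the minimal-knowledge principle says should not exist."""
    used = {(t, p) for t, _c, p in NECESSARY}
    return {(t, p) for t, tps in TASK_TPS.items() for p in tps if (t, p) not in used}


if __name__ == "__main__":
    print(access_allowed("Surgeon", "Operation", "Diagnosis", "Display program", "Read"))
    print("access rows with unauthorized TP:", sorted(unauthorized_tp_rows()))
    print("authorizations never used:", sorted(unused_authorizations()))
```

The first lookup shows minimal knowledge at work: a surgeon in the Operation task may display the treatment instruction but gets no row for the diagnosis itself. The cross-check is worth running before the numbers are typed into rsbac_pm: as the tables stand, the access table names TPs for the Reception, Billing and Statistics tasks (Appending editor, pm_create and Deletion program respectively) that the authorized-TP table does not grant to those tasks, so those rows would be unusable until one of the two tables is corrected.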

All data must be entered by a security officer with rsbac_pm, using tickets provided by a data protection officer with the same program. Currently, all object classes, tasks, purposes etc. must be entered as numbers, leaving the mapping of names to numbers to the human administrator.

Other Models

Since the Privacy Model only protects personal data and system calls, other data are still protected only by discretionary access control and should be protected by another security model. At least the identification and authentication file /etc/shadow should also be declared as personal data with its own object class, so that only the necessary accesses by authorized programs can be performed.

In this example, Functional Control can be used to restrict access to security-relevant files. In this model, objects of the categories security object and system object are only accessible to security officers (not necessarily the same users as in PM) and administrators. If only unauthorized modification must be prevented, e.g. for /etc/passwd, the Security Information Modification model with its data type attribute should be sufficient.

The Mandatory Model should additionally be used for confidential, but not personal, data, e.g. business data.

Steps of Treatment from the System's Point of View

A patient's progress through the medical treatment center is covered by the following steps:

  1. The clerk checks in the patient. She creates a file for action data with pm_create and a file for reception data with the editor, appending the reception to the action file.
  2. The examination specialist creates a diagnosis file and uses the editor to write and change her diagnosis. Then she creates and fills a treatment instruction file for this patient with the editor, changing it when necessary. Finally she appends her actions to the action file. If necessary, she can transfer a patient to another specialist or medical treatment center; for this she can transfer diagnosis and treatment instruction data with the transfer program.
  3. The surgeon reads the treatment instruction with the display program and operates on the patient. Afterwards she creates and edits the operation data file, writing a protocol of the operation. As before, all actions are appended to the action file. Like the examinator, the surgeon can transfer patients to another specialist or medical treatment center, and for this she can also transfer diagnosis and treatment instruction data with the transfer program.
  4. The therapist also reads the treatment instructions, works with the patient and appends her actions to the action file.
  5. When the treatment has been completed, the patient is dismissed by the clerk, who finishes the reception and action data with the appending editor.
  6. At last, the billing clerk reads the action file and creates and edits the billing file, which she transfers to the patient's medical insurance company with the transfer program.
  7. Diagnoses, treatment instructions and operation data can be read by the scientist's statistics program, generating statistical data. Reading other data requires the patient's consent for the purpose research. Statistical data files can only be created, changed and deleted by users with the current task statistics.
