Controlled BTG: Toward Flexible Emergency Override in Interoperable Medical Systems

Qais Tasali; Christine Sublett; Eugene Vasserman

doi:10.4108/eai.13-7-2018.163213

EAI Endorsed Transactions on Security and Safety (May 2020)

Controlled BTG: Toward Flexible Emergency Override in Interoperable Medical Systems

Qais Tasali,
Christine Sublett,
Eugene Vasserman

Affiliations

Qais Tasali: Department of Computer Science, Kansas State University, Manhattan, KS 66506 USA
Christine Sublett: Sublett Consulting, San Mateo, CA 94402 USA
Eugene Vasserman: Department of Computer Science, Kansas State University, Manhattan, KS 66506 USA

DOI: https://doi.org/10.4108/eai.13-7-2018.163213
Journal volume & issue: Vol. 6, no. 22

Abstract

Read online

INTRODUCTION: In medical cyber-physical systems (mCPS), availability must be prioritized over othersecurity properties, making it challenging to craft least-privilege authorization policies which preserve patientsafety and confidentiality even during emergency situations. For example, unauthorized access to device(s)connected to a patient or an app controlling these devices could result in patient harm. Previous work hassuggested a virtual version of “Break the Glass” (BTG), an analogy to breaking a physical barrier to accessa protected emergency resource such as a fire extinguisher or “crash cart”. In healthcare, BTG is used tooverride access controls and allow for unrestricted access to resources, e.g. Electronic Health Records. After a“BTG event” completes, the actions of all concerned parties are audited to validate the reasons and legitimacyfor the override.OBJECTIVES: Medical BTG has largely been treated as an all-or-nothing scenario: either a means to obtainunrestricted access is provided, or BTG is not supported. We show how to handle BTG natively within theABAC model, maintaining full compatibility with existing access control frameworks, putting BTG in thepolicy domain rather than requiring framework modifications. This approach also makes BTG more flexible,allowing for fine-grained facility-specific policies, and even automates auditing in many situations, whilemaintaining the principle of least-privilege.METHODS: We do this by constructing a BTG “meta-policy” which works with existing access control policiesby explicitly allowing override when requested.RESULTS: We present a sample BTG policy and formally verify that the resulting combined set of accesscontrol policies correctly satisfies the goals of the original policy set and allows expanded access during a BTGevent. We show how to use the same verification methods to check new policies, easing the process of craftingleast-privilege policies.

Published in EAI Endorsed Transactions on Security and Safety

ISSN: 2032-9393 (Online)
Publisher: European Alliance for Innovation (EAI)
Country of publisher: Belgium
LCC subjects: Technology
Website: https://eudl.eu/journal/sesa

About the journal

Abstract

Keywords