Security and Complexity Analysis of User and Data based Access Control (UDBAC) Model

Health Information System is a composite environment with many types of users and confidential data. To protect the confidentiality of this data and privacy of users, healthcare organizations need to have a flexible and line-grained approach depending on the dynamic role, interacting with this data on daily-basis. Access control is one such mechanism, which prevents any unauthorized user to access the data to protect the security and privacy of healthcare data. Several access control models like Role-Based Access Control (RBAC) model were devised, but due to their complex nature, it is difficult to apply them in any access control policy. It puts security and privacy of health data at risk. To address these risks, this paper presents a User and Data Based Access Control Model (UDBAC) that is integrated with a Healthcare Markup Language (HML) to provide built-in security and privacy enhancing mechanism. UDBAC model attaches security levels within the HML Schema with a mandatory safety condition, providing enhanced security and privacy with less complexity. The paper also analyses the complexity and security metrics for the UDBAC model in comparison with RBAC model, and shows that UDBAC model is more secure, less complex and can be easily incorporated in an access control policy. Based on the security analysis, this paper also analyses the confidentiality, integrity and availability impacts on the UDBAC model in health information system if any vulnerability enters into the system.