Chapt. 7 – Hybrid Policies Dr. Wayne Summers Department of Computer Science Columbus State University

2 Chinese Wall Model  Refers equally to confidentiality and integrity  Involves conflict of interest in business  Definitions –Objects (O) of the database are items of information related to a company –Company dataset (CD) contains objects related to a single company –Conflict of interest (COI) class contains the datasets of companies in competition

3 Chinese Wall Model  CW-Simple Security Condition –S can read O iff any of the following holds: There is an object O’ such that S has accessed O’ and CD(O’) = CD(O) For all objects O’, O’ ε PR(S) → COI(O’) ≠ COI(O) O is a sanitized object  CW-*-Property –S may write to an object O iff both of the following hold: The CS-simple security condition permits S to read O. For all unsanitized objects O’, S can read O’ → CD(O’) = CD(O).

4 Chinese Wall Model  Bell-LaPadula and CW Models –Fundamentally different –CW have no associated security labels –Notion of “past accesses” are central to CW  Clark-Wilson & CW Models –Clark-Wilson deals with aspects of integrity (validation & verification) –CW deals exclusively with access control

5 Clinical InfoSys Security Policy  Definitions –Patient – subject of medical records (or agent for who can give consent) –Personal health information – information about a patient’s health or treatment enabling that patient to be identified (medical record) –Clinician – health care professional who has access to personal health information while performing his/her job.

6 Clinical InfoSys Security Policy  Access Principles –Each medical record has an access control list naming the individuals or groups who may read/append information to the record –One of the clinicians on the ACL (responsible clinician) must have the right to add other clinicians to the ACL. –The responsible clinician must notify the patient of the names on the ACL whenever the patient’s medical record is opened. Consent must be obtained from the patient. –The name of the clinician, the date, and the time of access of a medical record must be recorded.

7 Clinical InfoSys Security Policy  Creation Principle – A clinician may open a record, with the clinician and the patient on the ACL.  Deletion Principle – Clinical information cannot be deleted from a medical record until the appropriate time has passed.  Confinement Principle – Information from one medical record may be appended to a different medical record iff the ACL of the second record is a subset of the ACL of the first.  Aggregation Principle – Measures for preventing the aggregation of patient data must be effective.  Enforcement Principle – Any computer system that handles medical records must have a subsystem that enforces the preceding principles.