Role-based security policies management: a health care example
Asirelli P; Coco A; Fabbrini F
2001
Abstract
In this paper, an approach is presented to modelling the security policy of a health care department by means of a deductive database tool. The goal of a security policy is to provide a reliable mechanism for information sharing, at the same time ensuring its confidentiality, integrity and availability. Once a policy has been defined, it is essential to be able to verify that it really meets the security requirements and prevents any undesired situations. The aim here is to build a tool to help the security administrator of a health care organisation to handle (define, verify, modify) its security policy. After investigating a number of available security policy models, a role-based approach has been considered and specified in a logical form handled by a logic database management system. Thus, the role-based model specification becomes executable and various properties of the policy can be verified together with its adequacy with respect to the expected behaviour. The approach has been inspired by the security policy for the Radiological Department of the "Lotti" Hospital in Pontedera, Pisa.

| File | Description | Access | Size | Format |
|---|---|---|---|---|
| prod_160513-doc_141445.pdf | Role-based security policies management: a health care example | Open access | 419.32 kB | Adobe PDF |
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.


