
xacml message


Subject: RE: [EXTERNAL] [xacml] Redaction by Multiple Decisions


There are indeed existing marking schemes and vocabularies for health records. This has been the subject of much work over the past few years with the production of several supporting healthcare standards. The Department of Veterans Affairs and the Office of the National Coordinator have demonstrated such capabilities at large Health Information Management Systems Society (HIMSS) healthcare conferences.

Of note, the long-running ONC initiative "Data Segmentation for Privacy" set the stage for a number of core existing normative standards including:

• HL7 Data Segmentation for Privacy Implementation Guide (US realm only)
• HL7 Privacy and Security Healthcare Classification System (International)
• HL7 Privacy and Security Service: Security Labeling Service (International)
• HL7 Security and Privacy Vocabulary (International)

Healthcare information is already extensively tagged with codes representing clinical conditions. The security system leverages these codes and rules to provide an initial labeling of data with security and privacy codes representative of healthcare jurisdictional, organizational and patient policy. This first iteration of labeling is used to inform the PDP of access control decision information which, combined with rules, facilitates a decision and obligations provided to the PEP. HL7 then identified "Security Labeling Services" and "Privacy Protective Services" among the components of a generalized "Obligation Service". Obligation services include redaction, masking, anonymization, pseudo-anonymization etc.

As a healthcare policy matter, masking is generally preferred to redaction as labeled data can be used along with user clearances to enforce attribute-based access control. Only the user holding specific clearances to labeled data would be able to decrypt the sensitive information. For example, a user with an HIV clearance could see unencrypted HIV labeled data containing HIV clinical codes.

Since redaction might have the effect of changing the classification of certain sections and therefore the overall classification of the document, a final round of security labeling is applied prior to release within the Obligation Service. In all of these cases the fulfillment of the security labeling and privacy protective obligations allows for release by the PEP.

This April at HIMSS, VA, HL7, MITRE, ONC, Jericho Systems and SAMHSA demonstrated a prototypical implementation which integrated OpenID, OAuth and Kantara UMA secured mobile applications with an enterprise XACML-based authorization service. The code is open source.

I can only cover the high points of this work here, but if there is sufficient interest we could provide further details and how these standards fit within recent work from NIST and ISO and how they might inform OASIS further work on obligations.

Regards, Mike Davis
VHA Security Architect

-----Original Message-----
From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of Steven Legg
Sent: Wednesday, September 23, 2015 11:00 PM
To: xacml@lists.oasis-open.org
Subject: [EXTERNAL] [xacml] Redaction by Multiple Decisions

On the last TC conference call Hal mentioned using multiple authorization requests to redact a document. Basically asking for each discrete piece of the document whether it is visible. This is the obvious way to do it but it is also expensive, even using the Multiple Decision and Hierarchical Resource profiles.

The redaction solution I sketched out was the result of looking for a faster way to do redaction. One request determines whether access to the document is permitted and simultaneously returns the instructions for redacting the document, as obligations, if access is permitted.

A profile for redaction could talk about both methods.

Mohammad mentioned interest in redaction for health documents so I was wondering if there might be existing marking schemes and vocabularies for health records that might feed into some XACML attribute definitions and concrete examples for a redaction profile. Anything similar in the military sphere would be interesting too.
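
Added example, not part of either message above and not taken from any OASIS or HL7 specification: a toy PDP/PEP in Python comparing the two redaction approaches discussed in this thread, per-piece decisions versus a single decision whose Permit carries redaction instructions as obligations. The obligation identifier, the section labels other than HIV, and the sample document are constructed for illustration.

```python
REDACT = "urn:example:obligation:redact-section"  # hypothetical obligation id

# Constructed sample document: sections carrying hypothetical sensitivity labels.
DOC = [
    {"id": "demographics", "labels": set(), "text": "Name, DOB"},
    {"id": "hiv-panel", "labels": {"HIV"}, "text": "HIV test result"},
    {"id": "substance-use", "labels": {"SUD"}, "text": "Treatment notes"},
    {"id": "medications", "labels": set(), "text": "Current prescriptions"},
]

class ToyPDP:
    """Stand-in PDP with one rule: a section's labels must be covered by clearances."""
    def __init__(self):
        self.requests = 0  # counts decision requests to show the cost difference

    def decide_section(self, clearances, section):
        self.requests += 1
        return "Permit" if section["labels"] <= clearances else "Deny"

    def decide_document(self, clearances, doc):
        self.requests += 1
        if not any(s["labels"] <= clearances for s in doc):
            return "Deny", []  # nothing in the document is visible to this user
        return "Permit", [{"id": REDACT, "section": s["id"]}
                          for s in doc if not s["labels"] <= clearances]

def redact_by_multiple_decisions(pdp, clearances, doc):
    """Method 1: ask about each discrete piece; release only permitted pieces."""
    return [s["id"] for s in doc if pdp.decide_section(clearances, s) == "Permit"]

def redact_by_obligations(pdp, clearances, doc):
    """Method 2: one request; the Permit carries redaction obligations."""
    decision, obligations = pdp.decide_document(clearances, doc)
    if decision != "Permit":
        return []
    # Fail closed: release nothing if any obligation is one this PEP cannot fulfil.
    if any(o["id"] != REDACT for o in obligations):
        return []
    hidden = {o["section"] for o in obligations}
    return [s["id"] for s in doc if s["id"] not in hidden]

def compare(clearances):
    """Return (released sections, request count) for each method."""
    a, b = ToyPDP(), ToyPDP()
    return (redact_by_multiple_decisions(a, clearances, DOC), a.requests,
            redact_by_obligations(b, clearances, DOC), b.requests)
```

Both methods release the same sections for a given set of clearances; the request count is one per section for the first method and one per document for the second.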

