[XML Security Suite]

Sample Application - Medical Records


Please try out the simple examples (e.g. simple example 1) before working through this one.

Application Description

This application illustrates how XML access control can be applied to domains that require more complicated access control specifications, such as context-dependent access control. The application is taken from the medical domain. A medical record stores a patient's medical history, such as diagnosis results and chemotherapy history. Representing medical records in XML has two advantages: a platform-independent plain-text format and support for digital signatures. It is often said that patients want to be properly informed by the doctor in charge so that they can give their informed consent to treatment. One way to achieve this is for the doctor and the patient to sign a document confirming that the patient was well informed and consented to the procedure. Since XML provides a mechanism to store the digital signature inside the document, XML is an appropriate format for medical records.

The medical record we use in this example consists of three sections: a general information section, a medical record section, and an informed consent section. The general information section is used for storing the patient's name and the date s/he checked in, which can be read by many people. The record section is used for storing diagnosis results and the therapeutic history, which is basically read only by the medical staff. The informed consent section is used for recording the grant of informed consent, which should not be modified once it has been written.

Target XML Document (medical_record.xml)
<medical_record>
  <general_info>
    <hospital_info>
      <name>ABC Hospital</name>
      <department>Surgery</department>
    </hospital_info>
    <patient_info>
      <name>Patricia</name>
      <age>60</age>
      <sex>female</sex>
      <health_insurance>123456</health_insurance>
      <family>Frank</family>
    </patient_info>
    <hospitalization_info>
      <registration>2000-09-01</registration>
      <in>2000-09-14</in>
      <out></out>
    </hospitalization_info>
  </general_info>
  <!-- ========================================== -->
  <record>
    <diagnosis_info>
      <diagnosis>
        <item type="primary">Gastric Cancer</item>
        <item type="secondary">Hyper tension</item>
      </diagnosis>
      <pathological_diagnosis>
        <diagnosis>
          <item type="primary">Well differentiated adeno carcinoma</item>
        </diagnosis>
        <date>2000-10-05</date>
        <malignancy type="yes"/>
      </pathological_diagnosis>
    </diagnosis_info>
    <therapy_info>
      <operation>
        <method_of_surgery>total gastrectomy</method_of_surgery>
        <date>2000-09-20</date>
      </operation>
      <chemotherapy>
        <div>
          <prescription>5-FU 500mg and CDDP 10mg /day x10days</prescription>
          <start_date>2000-10-10</start_date>
          <end_date>2000-10-21</end_date>
        </div>
        <po>
          <prescription>5-FU 200mg/day</prescription>
          <start_date>2000-12-01</start_date>
          <end_date/>
        </po>
      </chemotherapy>
    </therapy_info>
  </record>
  <!-- ========================================== -->
  <informed_consent>
    <family_consent>
      <date>2000-09-13</date>
      <disclosure_to_patient>no</disclosure_to_patient>
    </family_consent>
    <patient_consent>
      <date>2000-09-19</date>
    </patient_consent>
  </informed_consent>
</medical_record>

Policy Description

A set of access control policies for the above medical record is described as follows:

  1. Doctor and nurse can read the entire medical records.
  2. The doctor in charge can write every element of the medical record (unless the policy explicitly specifies a denial of access).
  3. The hospital staff can read general information.
  4. Patients can read their own general information.
  5. A patient's family can read his/her family's general information.
  6. A hospital receptionist can write a patient's name in a blank medical record.
  7. Patients can read their own medical records only after informed consent has been given and the family has agreed to the disclosure of the results of the diagnosis.
  8. A patient's family can read their family's medical records if informed consent has been given.
  9. Even the doctor in charge cannot modify the informed consent section once it has been granted.

Note that we assume that the patient Patricia does not have enough willpower to overcome her disease. Thus, her family member Frank has not approved releasing the result of the diagnosis to her (this policy is realistic in certain regions but may not apply in others). The above policies are described in the XACL language as follows:

Policy Document (medical_policy.xml)
<policy xmlns="http://www.trl.ibm.com/projects/xml/xacl">
<!-- ==================================================
  1. Doctor and nurse can read medical records.
 =================================================== -->
  <xacl>
    <object href="/medical_record"/>
    <rule>
      <acl>
        <subject>
          <group>doctor</group>
        </subject>
        <subject>
          <group>nurse</group>
        </subject>
        <action name="read" permission="grant"/>
      </acl>
<!-- ==================================================
  2. The doctor in charge can write every element of the 
     medical record.
 =================================================== -->
      <acl>
        <subject>
          <role>doctor_in_charge</role>
          <group>doctor</group>
        </subject>
        <action name="write" permission="grant"/>
      </acl>
    </rule>
  </xacl>
<!-- ==================================================
  3. The hospital staff can read general information.
 =================================================== -->
  <xacl>
    <object href="/medical_record/general_info"/>
    <rule>
      <acl>
        <subject>
          <group>hospital_staff</group>
        </subject>
        <action name="read" permission="grant"/>
      </acl>
<!-- ==================================================
  4. Patients can read the general_info of their own 
     medical records.
 =================================================== -->
      <acl>
        <subject>
          <group>patient</group>
        </subject>
        <action name="read" permission="grant"/>
        <condition operation="and">
          <predicate name="compareStr">
            <parameter value="eq"/>
            <parameter><function name="getValue">
              <parameter value="/medical_record/general_info/patient_info/name"/>
            </function></parameter>
            <parameter><function name="getUid"/></parameter>
          </predicate>
        </condition>
      </acl>
<!-- ==================================================
  5. A patient's family can read the general information of 
     their family's medical records.
 =================================================== -->
      <acl>
        <subject>
          <group>family</group>
        </subject>
        <action name="read" permission="grant"/>
        <condition operation="and">
          <predicate name="compareStr">
            <parameter value="eq"/>
            <parameter><function name="getValue">
              <parameter value="/medical_record/general_info/patient_info/family"/>
            </function></parameter>
            <parameter><function name="getUid"/></parameter>
          </predicate>
        </condition>
      </acl>
    </rule>
  </xacl>
<!-- ==================================================
  6. A hospital receptionist can write a patient's name 
     in a blank medical record.
 =================================================== -->
  <xacl>
    <object href="/medical_record/general_info/patient_info/name"/>
    <rule>
      <acl>
        <subject>
          <group>receptionist</group>
        </subject>
        <action name="write" permission="grant"/>
        <condition operation="and">
          <predicate name="compareStr">
            <parameter value="eq"/>
            <parameter><function name="getValue"><parameter value="."/>
            </function></parameter>
            <parameter/>
          </predicate>
        </condition>
      </acl>
    </rule>
  </xacl>
<!-- ==================================================
  7. Patients can read their own medical records if informed 
     consent has been given and family has agreed to the 
     release of the results of the diagnosis to the patient.
 =================================================== -->
  <xacl>
    <object href="/medical_record/record"/>
    <rule>
      <acl>
        <subject>
          <group>patient</group>
        </subject>
        <action name="read" permission="grant"/>
        <condition operation="and">
          <predicate name="compareStr">
            <parameter value="neq"/>
            <parameter><function name="getValue">
              <parameter value="/medical_record/informed_consent/patient_consent/date"/>
            </function></parameter>
            <parameter/>
          </predicate>
          <predicate name="compareStr">
            <parameter value="eq"/>
            <parameter><function name="getValue">
              <parameter value="/medical_record/general_info/patient_info/name"/>
            </function></parameter>
            <parameter><function name="getUid"/></parameter>
          </predicate>
          <predicate name="compareStr">
            <parameter value="eq"/>
            <parameter><function name="getValue">
              <parameter value="/medical_record/informed_consent/family_consent/disclosure_to_patient"/>
            </function></parameter>
            <parameter value="yes"/>
          </predicate>
        </condition>
      </acl>
<!-- ==================================================
  8. A patient's family can read the medical record if
     informed consent has been given.
 =================================================== -->
      <acl>
        <subject>
          <group>family</group>
        </subject>
        <action name="read" permission="grant"/>
        <condition operation="and">
          <predicate name="compareStr">
            <parameter value="neq"/>
            <parameter><function name="getValue">
              <parameter value="/medical_record/informed_consent/family_consent/date"/>
            </function></parameter>
            <parameter/>
          </predicate>
          <predicate name="compareStr">
            <parameter value="eq"/>
            <parameter><function name="getValue">
              <parameter value="/medical_record/general_info/patient_info/family"/>
            </function></parameter>
            <parameter><function name="getUid"/></parameter>
          </predicate>
        </condition>
      </acl>
    </rule>
  </xacl>
<!-- ==================================================
  9. The doctor in charge cannot modify the informed consent 
     section once consent has been granted.
 =================================================== -->
  <xacl>
    <object href="/medical_record/informed_consent"/>
    <rule>
      <acl>
        <subject>
          <role>doctor_in_charge</role>
        </subject>
        <action name="write" permission="deny"/>
        <condition operation="or">
          <predicate name="compareStr">
            <parameter value="neq"/>
            <parameter><function name="getValue">
              <parameter value="/medical_record/informed_consent/family_consent/date"/>
            </function></parameter>
            <parameter/>
          </predicate>
          <predicate name="compareStr">
            <parameter value="neq"/>
            <parameter><function name="getValue">
              <parameter value="/medical_record/informed_consent/patient_consent/date"/>
            </function></parameter>
            <parameter/>
          </predicate>
        </condition>
      </acl>
    </rule>
  </xacl>
</policy>

Access Requests

Try the following access requests. The resulting access decisions, as shown in the XACL Visual Tool, are described in the right-most column.

Access request file  | Object          | Subject (group)                 | Action | Brief description of access decisions
-------------------- | --------------- | ------------------------------- | ------ | -------------------------------------
medical_request1.xml | /medical_record | Dave (doctor)                   | read   | The doctor Dave can read all of the medical record.
medical_request2.xml | /medical_record | Dave, doctor_in_charge (doctor) | write  | Dave is Patricia's doctor in charge, so he can write any field except the informed consent section.
medical_request3.xml | /medical_record | Don (doctor)                    | write  | The doctor Don is not allowed to update any field of Patricia's medical record because he is not her doctor in charge.
medical_request4.xml | /medical_record | Nancy (nurse)                   | read   | The nurse Nancy can read all of the medical record.
medical_request5.xml | /medical_record | Rose (receptionist)             | read   | The receptionist Rose can read only the general_info section.
medical_request6.xml | /medical_record | Patricia (patient)              | read   | The patient Patricia is not allowed to read her medical record, except for the general information, because her family member Frank did not agree to let her know the truth.
medical_request7.xml | /medical_record | Frank (family)                  | read   | Patricia's family member Frank is allowed to read Patricia's medical record because informed consent was granted on 13 September 2000.
medical_request8.xml | /medical_record | Paul (patient)                  | read   | The patient Paul cannot read any other patient's medical record.

Other Information

Group Membership

Group membership is defined in group.xml as follows.

Group        | Member
------------ | ---------------
doctor       | Dave, Don
nurse        | Nancy
receptionist | Rose
patient      | Patricia, Paul
family       | Frank, Fred

Binding Target XML and Policy

The binding table is defined as follows:

Binding Definition
<bind_table>
  <bind>
    <target href="medical_record.dtd"/>
    <policy href="medical_policy.xml"/>
    <status href="medical_status.xml"/>
  </bind>
</bind_table>


Last modified: March 29, 2001