Secure Information Delivery in Mobile Healthcare (mHealth) Applications

Research Mentor: Steven Demurjian

For secure delivery of the correct information at specific times to targeted users, we have focused on the inclusion of role-based (RBAC), mandatory (MAC), and discretionary (DAC) access control to allow information delivered to mobile platforms, based on the responsibilities (RBAC), data sensitivity (MAC), and delegation (DAC). One aspect of our work has targeted a security framework for the eXtensible Markup Language (XML) that allows information to be filtered by role, sensitivity, and delegation, delivering a custom version of an XML instance to a user. We are investigating the deployment of a security model and framework in XML and its realization for mobile computing platforms that will include the automatic generation of eXtensible Access Control Markup Language (XACML) security policies and enforcement code for mobile applications. In addition, we are investigating security issues for healthcare including software architectures that allows secure interactions to multiple health information Technology systems that contain patient data [24] and the use of lattice based access control which subsumes mandatory access control and is capable of modeling the complex security levels in healthcare. Mobile computing has the potential to address a significant barrier to integrated patient care data access by providing sophisticated insecure mobile health (mHealth) applications for medical stakeholders such as physicians, nurses, home care specialists, etc.. Specifically, the situation occurs when a medical stakeholder using a mobile platform needs to access information from an information system he has not been previously authorized to use (e.g., an electronic health record, a pathology laboratory data repository, etc.) The approach that we are exploring is the utilization of X.509 certificates and their ability to be extended via certificate attributes to allow for adaptive certification that dynamically generates a certificate needed for authentication. Over time, a user will acquire multiple X.509 certificates (each to access a specific system) based on their activity being authorized to utilize different systems.

Components for Student Participation

Research tasks for REU participants will include learning about secure mobile computing from the user side. Specifically, this includes access control models, delivering custom content to users, and adaptive certification.