3 Impediment Sensitive RBAC Model
3.2 IS-RBAC Example
3.2.2 Unanticipated Role Accesses
Prior to the application of IS-RBAC, access controls for the expected user roles can be defined. However, unforeseen circumstances may occur, such as instrument failures, user failures, and environmental situations, which without proper thought could allow elevated privileges. This section depicts such a situation for access to patient PII located within a Socio-Technical System made up of two Technical Computer-Based Systems (TCBS). The first TCBS is an insulin pump worn by the patient, such as the one described in Section 2.2.1. The second TCBS is the Web server that hosts the PII, such as Google Health or Google Analytics, also described in Appendix A. This section describes four user roles and their access types to the patient's PII on the two TCBS, respectively. Access is partitioned into four types: create (C), read (R), update (U), and delete (D). The types of failures are described earlier in Section 2.3.
The elevated privileges, as a result of failure, negatively impact the confidentiality, availability, and integrity of the Patient's PII. These impacts weaken the protections of the Patient's PII, expose the data to threat actors, and potentially harm the privacy or even safety of the Patient.
Table 4 shows the access controls to a patient's PII, located on the insulin pump, for the Patient and Hospital Nurse roles. The access controls here lack proper consideration of failures and environmental situations. We see that under normal conditions the Hospital Nurse has no access to the patient's PII. However, given any type of impediment situation, the Hospital Nurse gains full CDRU privileges.
One could argue that the elevated privileges are the result of good intentions to allow the Hospital Nurse to provide uninhibited medical care. However, the principle of least privilege begs the question as to whether the Hospital Nurse truly requires full access to the patient's PII under these conditions. The intentions of the Hospital Nurse may result in harm to the Patient. Specifically, the Hospital Nurse could affect the confidentiality of the Patient's PII in the insulin pump by disclosing it to unauthorized persons. Such an act would violate the Patient's privacy, especially given HIPAA regulations. The Hospital Nurse could affect the availability of the Patient's PII in the insulin pump by disabling its display, either intentionally or accidentally. This could affect the safety of the Patient, since other users, including the Patient, may be denied access to the dosage or medication data. The Hospital Nurse could affect the integrity of the information in the insulin pump by changing the dosage settings. Such a change could adversely affect the safety of the Patient.
Table 4. Expected and unforeseen access to patient PII located on the insulin pump.

Roles          | Expected: Normal Conditions | Unforeseen: Insulin Pump Clogged Tube | Unforeseen: Patient Failure: Coma scale, best verbal response, incomprehensible words (R40.222) | Unforeseen: Environment: Hospital Code Red
Patient        | CDRU                        | CDRU                                  | CDRU                                                                                           | CDRU
Hospital Nurse | (none)                      | CDRU                                  | CDRU                                                                                           | CDRU
Table 5 shows the access controls to a patient's PII located on the web server for the Patient, Physician's Assistant, Web Server Global Support, and Web Server Technical Support roles. Here too we see the access controls lack proper consideration given a Web Server Overload failure. We see that under normal conditions the web support roles have no access to the patient's PII. But, as soon as there is a Web Server Overload, users in both support roles gain full CDRU privileges.
One could argue that the elevated privileges are the result of good intentions to allow the support users to provide uninhibited repairs to the server should, in the unlikely event, a Patient's PII become the source of a system failure. However, the principle of least privilege begs the question as to whether these support roles truly require full access to the patient's PII under these conditions. Their intentions may include a sinister goal which may result in harm to the Patient.
Specifically, the Web Server Technical Support user could affect the confidentiality of the Patient's PII on the Web Server by disclosing it to unauthorized persons across the Internet. Such an act would violate the Patient's privacy, especially given HIPAA regulations. The Web Server Global Support user could affect the availability of the Patient's PII on the web server by moving content to other locations in the web server's file structure, either intentionally or accidentally (e.g., backup and delete original). This could affect the safety of the Patient, since other users, including the patient's physician, may be denied access to the dosage or medication data at a point in time when the patient suffers from a serious condition (e.g., insulin shock). The support users could affect the integrity of the information on the web site by deleting the patient's data. Such a change could also adversely affect the safety of the Patient.
Table 5. Expected and unforeseen access to patient PII located on the web server.

Roles                        | Expected: Normal Conditions | Unforeseen: Web Server Overload | Unforeseen: Patient Failure: Coma scale, best verbal response, incomprehensible words (R40.222) | Unforeseen: Environment: Hospital Code Red
Patient                      | CDRU                        | CDRU                            | CDRU                                                                                           | CDRU
Physician Assistant          | R                           | CDRU                            | CDRU                                                                                           |
Web Server Global Support    | (none)                      | CDRU                            | (none)                                                                                         | (none)
Web Server Technical Support | (none)                      | CDRU                            | (none)                                                                                         | (none)
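The least-privilege concern raised for both tables can be checked mechanically. The following added example (written for this section, not code from the paper or any IS-RBAC implementation) encodes the CDRU matrices of Tables 4 and 5 as given on the page, lists every cell in which an impediment condition grants a role access types it does not hold under normal conditions, and produces a hardened copy in which each impediment cell is reduced to the role's normal permissions plus whatever a reviewer has explicitly justified. The condition names, the `elevations` and `apply_least_privilege` functions, and the read-only justification used at the end are assumptions for illustration; the Physician Assistant row of Table 5 is omitted because the column placement of its empty cell is not recoverable from the page.

```python
from __future__ import annotations

from typing import Dict, FrozenSet, List, Tuple

Permissions = FrozenSet[str]
Table = Dict[str, Dict[str, str]]  # role -> condition -> CDRU spec

# Condition names, taken from the column headings of Tables 4 and 5.
NORMAL = "Normal Conditions"
CLOGGED = "Insulin Pump Clogged Tube"
COMA = "Patient Failure: Coma scale, best verbal response, incomprehensible words (R40.222)"
CODE_RED = "Environment: Hospital Code Red"
OVERLOAD = "Web Server Overload"


def perms(spec: str) -> Permissions:
    """Parse the page's CDRU notation; an empty string means no access."""
    unknown = set(spec) - set("CDRU")
    if unknown:
        raise ValueError(f"unknown access type(s): {sorted(unknown)}")
    return frozenset(spec)


def spec(p: Permissions) -> str:
    """Inverse of perms(): render a permission set in the page's CDRU order."""
    return "".join(c for c in "CDRU" if c in p)


# Table 4 (insulin pump) and Table 5 (web server), transcribed from the page.
# The Physician Assistant row is left out: extraction lost which of its
# unforeseen-condition cells is empty.
INSULIN_PUMP: Table = {
    "Patient":        {NORMAL: "CDRU", CLOGGED: "CDRU", COMA: "CDRU", CODE_RED: "CDRU"},
    "Hospital Nurse": {NORMAL: "",     CLOGGED: "CDRU", COMA: "CDRU", CODE_RED: "CDRU"},
}
WEB_SERVER: Table = {
    "Patient":                      {NORMAL: "CDRU", OVERLOAD: "CDRU", COMA: "CDRU", CODE_RED: "CDRU"},
    "Web Server Global Support":    {NORMAL: "",     OVERLOAD: "CDRU", COMA: "",     CODE_RED: ""},
    "Web Server Technical Support": {NORMAL: "",     OVERLOAD: "CDRU", COMA: "",     CODE_RED: ""},
}


def elevations(table: Table) -> List[Tuple[str, str, Permissions]]:
    """Return (role, condition, extra) for every impediment cell that grants
    access types the role does not already hold under normal conditions."""
    findings: List[Tuple[str, str, Permissions]] = []
    for role, cells in table.items():
        baseline = perms(cells[NORMAL])
        for condition, cell in cells.items():
            if condition == NORMAL:
                continue
            extra = perms(cell) - baseline
            if extra:
                findings.append((role, condition, extra))
    return findings


def apply_least_privilege(table: Table, justified: Dict[Tuple[str, str], str]) -> Table:
    """Return a copy of the table in which each impediment cell is clamped to the
    role's normal permissions plus the access types explicitly justified for that
    (role, condition) pair. Unjustified elevation is dropped, never silently kept."""
    hardened: Table = {}
    for role, cells in table.items():
        baseline = perms(cells[NORMAL])
        hardened[role] = {}
        for condition, cell in cells.items():
            if condition == NORMAL:
                hardened[role][condition] = cell
                continue
            allowed = baseline | perms(justified.get((role, condition), ""))
            hardened[role][condition] = spec(perms(cell) & allowed)
    return hardened


if __name__ == "__main__":
    for name, table in (("Table 4", INSULIN_PUMP), ("Table 5", WEB_SERVER)):
        for role, condition, extra in elevations(table):
            print(f"{name}: {role} gains {spec(extra)} under '{condition}'")
    # Hypothetical reviewer decision: support staff may read, but not change,
    # patient PII while diagnosing an overload.
    fixed = apply_least_privilege(WEB_SERVER, {
        ("Web Server Global Support", OVERLOAD): "R",
        ("Web Server Technical Support", OVERLOAD): "R",
    })
    for role, condition, extra in elevations(fixed):
        print(f"after hardening: {role} still gains {spec(extra)} under '{condition}'")
```

Run stand-alone, the audit reports three elevations for the Hospital Nurse in Table 4 and one for each support role in Table 5; after hardening, the only remaining elevation in Table 5 is the read access that was deliberately justified, which is the kind of reviewed exception IS-RBAC is meant to make explicit rather than implicit.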