Controlled BTG: Toward Flexible Emergency Override in Interoperable Medical Systems.

EAI Endorsed Trans. Security Safety (2020)

Abstract
INTRODUCTION: In medical cyber-physical systems (mCPS), availability must be prioritized over other security properties, making it challenging to craft least-privilege authorization policies which preserve patient safety and confidentiality even during emergency situations. For example, unauthorized access to device(s) connected to a patient or an app controlling these devices could result in patient harm. Previous work has suggested a virtual version of “Break the Glass” (BTG), an analogy to breaking a physical barrier to access a protected emergency resource such as a fire extinguisher or “crash cart”. In healthcare, BTG is used to override access controls and allow for unrestricted access to resources, e.g. Electronic Health Records. After a “BTG event” completes, the actions of all concerned parties are audited to validate the reasons and legitimacy for the override.

OBJECTIVES: Medical BTG has largely been treated as an all-or-nothing scenario: either a means to obtain unrestricted access is provided, or BTG is not supported. We show how to handle BTG natively within the ABAC model, maintaining full compatibility with existing access control frameworks, putting BTG in the policy domain rather than requiring framework modifications. This approach also makes BTG more flexible, allowing for fine-grained facility-specific policies, and even automates auditing in many situations, while maintaining the principle of least-privilege.

METHODS: We do this by constructing a BTG “meta-policy” which works with existing access control policies by explicitly allowing override when requested.

RESULTS: We present a sample BTG policy and formally verify that the resulting combined set of access control policies correctly satisfies the goals of the original policy set and allows expanded access during a BTG event. We show how to use the same verification methods to check new policies, easing the process of crafting least-privilege policies.
Keywords
break the glass, access control, authorization, medical iot, cps, xacml, alfa
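To make the METHODS and RESULTS statements concrete, here is an added toy model (not the paper's policy or its verification tooling): a default-deny ABAC base policy wrapped by a BTG meta-policy, with an exhaustive check over the attribute space standing in for formal verification. The roles, actions, the `btg` request attribute and the `audit_btg_event` obligation are all hypothetical.

```python
from itertools import product

# Hypothetical attribute space for a toy ward (constructed, not from the paper).
ROLES = ("physician", "nurse", "technician", "visitor")
ACTIONS = ("read_vitals", "adjust_pump")
CLINICAL = {"physician", "nurse", "technician"}

def base_policy(role, assigned, action):
    """Least-privilege base policy: anything not listed is denied."""
    if action == "read_vitals":
        return role in ("physician", "nurse") and assigned
    if action == "adjust_pump":
        return role == "physician" and assigned
    return False

def btg_meta_policy(role, assigned, action, btg):
    """Combine the base decision with an explicit BTG override.

    Returns (decision, obligations). The override applies only when the
    request carries btg=True and the subject is clinical staff, and every
    override carries an audit obligation.
    """
    if base_policy(role, assigned, action):
        return "Permit", []
    if btg and role in CLINICAL:
        return "Permit", ["audit_btg_event"]
    return "Deny", []

def verify():
    """Check the combined policy on every point of the attribute space."""
    overrides = 0
    for role, assigned, action in product(ROLES, (True, False), ACTIONS):
        base = "Permit" if base_policy(role, assigned, action) else "Deny"
        # Property 1: without a BTG request the base decision is unchanged.
        assert btg_meta_policy(role, assigned, action, False) == (base, [])
        decision, obligations = btg_meta_policy(role, assigned, action, True)
        # Property 2: BTG never revokes access the base policy grants.
        assert not (base == "Permit" and decision == "Deny")
        # Property 3: access gained through BTG is clinical-only and audited.
        if base == "Deny" and decision == "Permit":
            assert role in CLINICAL and obligations == ["audit_btg_event"]
            overrides += 1
    return overrides  # number of requests permitted only because of BTG

if __name__ == "__main__":
    print("BTG-only permits:", verify())
```

Enumeration only works because this attribute space has 16 points; a real XACML/ALFA policy set needs a solver or model checker to establish the same properties.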