14th EAI International Conference on Mobile and Ubiquitous Systems: Computing, Networking and Services

Research Article

On Design of A Fine-Grained Access Control Architecture for Securing IoT-Enabled Smart Healthcare Systems

  • @INPROCEEDINGS{10.4108/eai.7-11-2017.2274967,
        author={Shantanu Pal and Michael Hitchens and Vijay Varadharajan and Tahiry Rabehaja},
        title={On Design of A Fine-Grained Access Control Architecture for Securing IoT-Enabled Smart Healthcare Systems},
        proceedings={14th EAI International Conference on Mobile and Ubiquitous Systems: Computing, Networking and Services},
        publisher={ACM},
        proceedings_a={MOBIQUITOUS},
        year={2018},
        month={4},
        keywords={internet of things healthcare systems access control policy management security},
        doi={10.4108/eai.7-11-2017.2274967}
    }
    
Shantanu Pal¹,*, Michael Hitchens¹, Vijay Varadharajan², Tahiry Rabehaja¹
  • 1: Macquarie University, Australia
  • 2: University of Newcastle, Australia
*Contact email: shantanu.pal@hdr.mq.edu.au

Abstract

The Internet of Things (IoT) is facilitating the development of novel and cost-effective applications that promise to deliver efficient and improved medical facilities to patients and health organisations. However, the security of patient data is an ever-present concern in the healthcare arena. In the wider deployment of IoT-enabled smart healthcare systems, one particular issue is the need to protect smart ‘things’ from unauthorised access. Commonly used access control approaches, e.g. Attribute-Based Access Control (ABAC), Role-Based Access Control (RBAC) and capability-based access control, do not, in isolation, provide a complete solution for securing access to IoT-enabled smart healthcare devices. They may, for example, require an overly centralised solution or an unmanageably large policy base. To address these issues, we propose a novel access control architecture which improves policy management by reducing the required number of authentication policies in a large-scale healthcare system while providing fine-grained access control. We devise a hybrid access control model employing attributes, roles and capabilities. We apply attributes for role-membership assignment and in permission evaluation. Membership of roles grants capabilities. The capabilities which are issued may be parameterised based on further attributes of the user and are then used to access specific services provided by IoT ‘things’.