inis 18(13): e5

Research Article

Fine-Grained Access Control for Smart Healthcare Systems in the Internet of Things

  • @ARTICLE{10.4108/eai.20-3-2018.154370,
        author={Shantanu Pal and Michael Hitchens and Vijay Varadharajan and Tahiry Rabehaja},
        title={Fine-Grained Access Control for Smart Healthcare Systems in the Internet of Things},
        journal={EAI Endorsed Transactions on Industrial Networks and Intelligent Systems},
        keywords={Copyright © 2018 Shantanu Pal et al., licensed to EAI. This is an open access article distributed under the terms of the Creative Commons Attribution license (, which permits unlimited use, distribution and reproduction in any medium so long as the original work is properly cited.},
    }
  • Shantanu Pal
    Michael Hitchens
    Vijay Varadharajan
    Tahiry Rabehaja
    Year: 2018
    Fine-Grained Access Control for Smart Healthcare Systems in the Internet of Things
    DOI: 10.4108/eai.20-3-2018.154370
Shantanu Pal1,*, Michael Hitchens1, Vijay Varadharajan2, Tahiry Rabehaja1
  • 1: Department of Computing, Macquarie University, NSW 2019, Sydney, Australia
  • 2: Advanced Cyber Security Engineering Research Centre, University of Newcastle, NSW 2308, Australia
*Contact email:


There has been tremendous growth in the application of the Internet of Things (IoT) in our daily lives. Yet with this growth have come numerous security concerns and privacy challenges for both the users and the systems. Smart devices have many uses in a healthcare system, e.g. collecting and reporting patient data and controlling the administration of treatment. In this paper, we address the specific security issue of access control for smart healthcare systems and the protection of smart things from unauthorised access in such large-scale systems. Commonly used access control approaches, e.g. Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC) and Capability-Based Access Control (CapBAC), do not, in isolation, provide a complete solution for securing access to IoT-enabled smart healthcare devices. They may, for example, require an overly-centralised solution or an unmanageably large policy base. We propose a novel access control architecture which improves policy management by reducing the required number of authentication policies in a large-scale healthcare system while providing fine-grained access control. The devised access control model employs attributes, roles and capabilities. We apply attributes for role membership assignment and in permission evaluation. Membership of roles grants capabilities. The capabilities which are issued may be parameterised based on attributes of the user and are then used to access specific services provided by things. We also provide a formal specification of the model and a description of its implementation, and demonstrate its application through different use-case scenarios. The evaluation results for the core functionality of our architecture are provided through practical testbed experiments.