University of the Philippines Manila College of Arts and Sciences Department of Physical Sciences and Mathematics Fine Grained Access Security Module for DentISt: Dental Information System(DentISt) 3.0 A special problem in partial fulfillment of the requirements for the degree of Bachelor of Science in Computer Science Submitted by: Angela Bernadette S. Jarabelo April 2013 ACCEPTANCE SHEET The Special Problem entitled “Fine Grained Access Security Module for DentISt: Dental Information System(DentISt) 3.0” prepared and submitted by Angela Bernadette S. Jarabelo in partial fulfillment of the requirements for the degree of Bachelor of Science in Computer Science has been examined and is recommended for acceptance. Richard Bryann L. Chua, M.Sc. Adviser EXAMINERS: Approved Disapproved 1. Gregorio B. Baes, Ph.D. (candidate) 2. Avegail D. Carpio, M.Sc. 3. Aldrich Colin K. Co, M.Sc. (candidate) 4. Perlita E. Gasmen, M.Sc. (candidate) 5. Ma. Sheila A. Magboo, M.Sc. 6. Vincent Peter C. Magboo, M.D., M.Sc. 7. Geoffrey A. Solano, Ph.D.(candidate) 8. Bernie B. Terrado, M.Sc. (candidate) Accepted and approved as partial fulfillment of the requirements for the degree of Bachelor of Science in Computer Science. Avegail D. Carpio, M.Sc. Marcelina B. Lirazan, Ph.D. Unit Head Chair Mathematical and Computing Sciences Unit Department of Physical Sciences Department of Physical Sciences and Mathematics and Mathematics Alex C. Gonzaga, Ph.D., Dr.Eng. Dean College of Arts and Sciences i Abstract DentISt 3.0 is the third version of the electronic patient record in UPCD. Compare to the earlier version, the new one no longer uses OpenMRS as its EMR engine thus fixing the compatibility issues that was seen in the earlier version and give a more student-teacher approach. As security in a system is one of the main concerns in converting from paper-based to electronic-based; DentISt has one module concerning the fine- grained access control of the system. To strengthen the access control, the usual placement of the access control in the application layer is change to the database layer and also using some HIPAA policies for sensitive data. Having the access control in the database layer helps us to have a multi-user database login and the use of stored procedure to avoid SQL injection. Some policies also provide us to provide three important security features- data integrity, confidentiality and availability and audit trail of the system. Keywords: Dental Information System, Fine-grained access control, Dental Informatics ii Contents Acceptance Sheet i Abstract ii List of Figures v List of Tables ix I. Introduction 1 A. Background of the Study . . . . . . . . . . . . . . . . . . . . 1 B. Statement of the Problem . . . . . . . . . . . . . . . . . . . . 2 C. Objectives of the Study . . . . . . . . . . . . . . . . . . . . . 3 D. Significance of the Project. . . . . . . . . . . . . . . . . . . . 4 E. Scope and Limitations . . . . . . . . . . . . . . . . . . . . . . 5 F. Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 II. Review of Related Literature 9 III. Theoretical Framework 13 A. Dental Informatics . . . . . . . . . . . . . . . . . . . . . . . . 13 B. UP College of Dentistry . . . . . . . . . . . . . . . . . . . . . 14 1. UPCD Structure . . . . . . . . . . . . . . . . . . . . . . 15 C. Health Insurance Portability and Accountability Act (HIPAA) 15 D. Security Model . . . . . . . . . . . . . . . . . . . . . . . . . . 17 1. Fine Grained Access Control . . . . . . . . . . . . . . . . 18 2. Fine Grained Access Control with Stored Procedures . . 19 3. Fine Grained Access Control Features of PostgreSQL . . 19 E. XACML. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 IV. Design and Implementation 23 A. Context Diagram . . . . . . . . . . . . . . . . . . . . . . . . . 23 iii B. Use Case Diagrams . . . . . . . . . . . . . . . . . . . . . . . 24 1. View Statistics . . . . . . . . . . . . . . . . . . . . . . . 25 2. Manage Patient Records . . . . . . . . . . . . . . . . . . 26 3. Manage User Accounts . . . . . . . . . . . . . . . . . . . 27 4. Manage Roles . . . . . . . . . . . . . . . . . . . . . . . . 30 5. Manage Sections . . . . . . . . . . . . . . . . . . . . . . 32 C. Entity Relationship Diagram (ERD) . . . . . . . . . . . . . . 35 D. Data Dictionary . . . . . . . . . . . . . . . . . . . . . . . . . 40 E. XACML and PostgreSQL Setting . . . . . . . . . . . . . . . 57 V. Architecture 60 A. System Architecture . . . . . . . . . . . . . . . . . . . . . . . 60 1. PostgreSQL Database and Privilege Management . . . . 61 B. Technical Architecture . . . . . . . . . . . . . . . . . . . . . . 61 VI. Results 63 A. User-System Interface . . . . . . . . . . . . . . . . . . . . . . 63 B. Procedures for Adding Section . . . . . . . . . . . . . . . . . 77 VII. Discussion 82 VIII. Conclusion 90 IX. Recommendation 92 X. Bibliography 93 XI. Appendix 97 A. XACML. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97 B. Source Code . . . . . . . . . . . . . . . . . . . . . . . . . . . 108 XII. Acknowledgement 375 iv List of Figures 1 Dental informatics combines its methodological foundations to address problems in practice, research, and education [1]. . . . . 13 2 XACML Structure . . . . . . . . . . . . . . . . . . . . . . . . . . 21 3 XACML Example . . . . . . . . . . . . . . . . . . . . . . . . . . 21 4 Context Diagram of DentISt . . . . . . . . . . . . . . . . . . . . 23 5 TopLevelUseCase of DentISt . . . . . . . . . . . . . . . . . . . . 24 6 View Statistics Use Case Diagram of the System Administrator and Faculty of DentISt . . . . . . . . . . . . . . . . . . . . . . . 25 7 Search For Patients according to Specified Parameters Activity Diagram of DentISt . . . . . . . . . . . . . . . . . . . . . . . . . 25 8 Manage Patient Records Use Case Diagram of Student Clini- cians in other sections and Clinicians in Oral Diagnosis of DentISt 26 9 Search and View Patient Record Activity Diagram of DentISt . 27 10 Manage User Accounts Use Case Diagram of the System Ad- ministrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 11 Add User Accounts Activity Diagram of DentISt . . . . . . . . . 28 12 Edit User Accounts Activity Diagram of DentISt . . . . . . . . . 29 13 Delete User Accounts Activity Diagram of DentISt . . . . . . . . 29 14 Search and View User Accounts Activity Diagram of DentISt . . 30 15 Manage User Accounts Use Case Diagram of the System Ad- ministrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 16 Add Roles Activity Diagram of DentISt . . . . . . . . . . . . . . 31 17 Edit Roles Activity Diagram of DentISt . . . . . . . . . . . . . . 31 18 Delete Roles Activity Diagram of DentISt . . . . . . . . . . . . . 32 19 Manage Sections Use Case Diagram of the System Administra- tor and Faculty. . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 20 Add Sections Activity Diagram of DentISt . . . . . . . . . . . . 33 v 21 Edit Sections Activity Diagram of DentISt . . . . . . . . . . . . 33 22 Delete Sections Activity Diagram of DentISt . . . . . . . . . . . 34 23 Search and View Sections Activity Diagram of DentISt . . . . . 34 24 ERD for User Cluster . . . . . . . . . . . . . . . . . . . . . . . . 35 25 ERD for Patient Cluster in terms of patient information . . . . . 37 26 ERDforPatientClusterintermsofdentalchartanddentalstatus 39 27 Standard XACML framework for access control in DentISt . . . 57 28 Standard XACML framework for access control in DentISt . . . 58 29 User Role XACML file for Prosthodontics section . . . . . . . . 59 30 Equivalent SQL files of User Role XACML file . . . . . . . . . . 59 31 System Architecture of DentISt . . . . . . . . . . . . . . . . . . 60 32 PostgreSQL management in DentISt [2] . . . . . . . . . . . . . 61 33 Login Page for DentISt . . . . . . . . . . . . . . . . . . . . . . . 63 34 Homepage for DentISt-System Administrator . . . . . . . . . . 63 35 Homepage for DentISt-Student Clinician . . . . . . . . . . . . . 64 36 Homepage for DentISt-Faculty . . . . . . . . . . . . . . . . . . . 64 37 Homepage for DentISt-Workflow Administrator . . . . . . . . . 65 38 Add User form in DentISt . . . . . . . . . . . . . . . . . . . . . 65 39 Edit User form in DentISt . . . . . . . . . . . . . . . . . . . . . 66 40 Apply role to user form in DentISt . . . . . . . . . . . . . . . . 66 41 View User form in DentISt . . . . . . . . . . . . . . . . . . . . . 67 42 View Role form in DentISt . . . . . . . . . . . . . . . . . . . . . 67 43 Edit Role form in DentISt . . . . . . . . . . . . . . . . . . . . . 68 44 View users given a role in DentISt . . . . . . . . . . . . . . . . . 68 45 Add Section form in DentISt . . . . . . . . . . . . . . . . . . . . 69 46 View Section form in DentISt . . . . . . . . . . . . . . . . . . . 69 47 Edit Section form in DentISt . . . . . . . . . . . . . . . . . . . . 69 48 Add roles to a section form in DentISt . . . . . . . . . . . . . . 70 49 Email setting form in DentISt . . . . . . . . . . . . . . . . . . . 70 vi 50 Statistics form in DentISt . . . . . . . . . . . . . . . . . . . . . 71 51 View Statistics result in DentISt . . . . . . . . . . . . . . . . . 72 52 AuditTrailsearchingforinsertionofpatientsinaspecificperiod of time in DentISt . . . . . . . . . . . . . . . . . . . . . . . . . . 73 53 View clinicians in a section in DentISt . . . . . . . . . . . . . . 73 54 View Statistics in a specific section (Oral Medicine) in DentISt 74 55 Query patient form in DentISt . . . . . . . . . . . . . . . . . . . 75 56 Query patient result in DentISt . . . . . . . . . . . . . . . . . . 76 57 Add Role in DentISt . . . . . . . . . . . . . . . . . . . . . . . . 77 58 XAML for DentISt table Role . . . . . . . . . . . . . . . . . . . 78 59 XACML for PostgreSQL in DentISt . . . . . . . . . . . . . . . . 79 60 BPMN2 file to XACML files in DentISt . . . . . . . . . . . . . 79 61 Create specific XACML file for a form in DentISt . . . . . . . . 80 62 XACML file to SQL file in DentISt . . . . . . . . . . . . . . . . 80 63 XACML file to SQL file in DentISt . . . . . . . . . . . . . . . . 80 64 Privileges in role table-database of DentISt . . . . . . . . . . . . 81 65 Privileges in role table-database of DentISt . . . . . . . . . . . . 84 66 Privilege deny in database . . . . . . . . . . . . . . . . . . . . . 85 67 SQL Injection example . . . . . . . . . . . . . . . . . . . . . . . 85 68 Stored procedure for Login . . . . . . . . . . . . . . . . . . . . . 85 69 SQL injection and example . . . . . . . . . . . . . . . . . . . . . 86 70 DentISt denies Login . . . . . . . . . . . . . . . . . . . . . . . . 86 71 Stored procedure for Login in DentISt . . . . . . . . . . . . . . 87 72 ERROR in stored procedure after SQL injection . . . . . . . . . 87 73 Stored procedure for privilege check . . . . . . . . . . . . . . . . 87 74 alee starts a new case . . . . . . . . . . . . . . . . . . . . . . . . 88 75 alee assigns a clinician to the patient . . . . . . . . . . . . . . . 88 76 amjamie30 starts another case . . . . . . . . . . . . . . . . . . . 88 77 amjamie30 assigning a clinician to the patient . . . . . . . . . . 89 vii 78 amjamie30 changes the patientid owned by another clinician in the URL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 79 amjamie30 is not allowed in the record and returns to its task list 89 viii List of Tables 1 users Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 2 section Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 3 role Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 4 role section Table . . . . . . . . . . . . . . . . . . . . . . . . . . 41 5 user role Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 6 database role Table . . . . . . . . . . . . . . . . . . . . . . . . . 41 7 auddittrail Table . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 8 configuration Table . . . . . . . . . . . . . . . . . . . . . . . . . 42 9 Patient Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 10 PatientInformation Table . . . . . . . . . . . . . . . . . . . . . . 44 11 MedicalandSocialHistory Table . . . . . . . . . . . . . . . . . . . 45 12 MedicalandSocialHistory Table . . . . . . . . . . . . . . . . . . . 46 13 DentalData Table . . . . . . . . . . . . . . . . . . . . . . . . . . 47 14 TreatmentPlan Table . . . . . . . . . . . . . . . . . . . . . . . . 48 15 ServicesRendered Table . . . . . . . . . . . . . . . . . . . . . . . 49 16 caries status Table . . . . . . . . . . . . . . . . . . . . . . . . . . 50 17 recurrent status Table . . . . . . . . . . . . . . . . . . . . . . . . 51 18 restoration status Table . . . . . . . . . . . . . . . . . . . . . . . 52 19 service needed Table . . . . . . . . . . . . . . . . . . . . . . . . . 53 20 service needed Table . . . . . . . . . . . . . . . . . . . . . . . . . 54 21 dentalchart Table . . . . . . . . . . . . . . . . . . . . . . . . . . 55 22 dentalchart Table . . . . . . . . . . . . . . . . . . . . . . . . . . 56 ix