Policy-based access control for constrained healthcare resources in the context of the Internet of Things

The Internet of Things (IoT), smart sensors and mobile wearable devices are helping to provide healthcare systems that are more ubiquitous, smarter, faster and easily accessible to users. However, security is a significant concern for the IoT, with access control being one of the major issues. With the growing size and presence of these systems an important question is how to manage policies in a manner that is both scalable and flexible. In this paper, we propose an access control architecture for constrained healthcare resources in the IoT. Our policy-based approach provides fine-grained access for authorized users to services while protecting valuable resources from unauthorized access. We use a hybrid approach by employing attributes, roles and capabilities for our authorization design. We apply attributes for role membership assignment and in permission evaluation. Membership of roles grants capabilities. The capabilities which are issued may be parameterized based on further attributes of the user and are then used to access specific services provided by IoT devices. This significantly reduces the number of policies required for specifying access control settings. The proposed scheme is XACML driven. We have implemented a proof of concept prototype and provide a detailed performance analysis of the implementation. Evaluation results show that, our approach requires minimal additional overhead when compared to other proposals employing capabilities for access control in the IoT.