Although there are many different models available for expressing access control in information technology (IT) environments, emergency situations are usually handled in a way that is either complex to manage for the policy designer or adds additional tasks for the users who are facing the emergency situation. As the title suggests, this book tackles the problem of handling emergency situations that most IT systems have to face.

Almost all policy models existing today are written in a machine-readable format and remain mostly static at runtime. This places a lot of responsibility on the policy designer, since he/she needs to provision beforehand all the possible normal and emergency situations that may arise in the lifetime of the IT system under analysis. However, even a talented IT policy designer can define a “sufficiently faithful approximation” of the future contexts that may trigger the emergency situation. This is particularly true for the healthcare domain, where healthcare information exchange (HIE) software is used to manage patient data, which is often classified as private healthcare information. When there is an emergency situation, the healthcare professionals and patients are usually under stressful conditions; HIE software will not interfere with the work yet preserve patient consent (for example, avoid too many security rules).

The healthcare domain is highly regulated: legislation and rules exist that must be fulfilled in order to operate, for example, the Healthcare Insurance Portability and Accountability Act (HIPAA) in the US or the epSOS guidelines in Europe. This fact imposes on the HIE software usage of consolidated libraries and procedures whose lifetime spans more than ten years.

The authors present a HIPAA-compliant model, Break-Glass, using electronic healthcare as a motivation. Break-Glass aims at providing a framework where the access control decision and enforcement are made at the pre-access, at-access, and post-access stages. The author explains: “The generic idea of Break-Glass is to empower users to decide if a denied access should be overridden, e.g., can be legitimized by an exceptional situation.”

Break-Glass enhances the security and the usability of a system: the access control engine is set up by the policy designer to filter access in normal operations, while the model manages emergency access. The principles of Break-Glass are governance of the model, accessibility (there should be no complicated procedure to override access control), awareness (the user must be warned that an investigation process will occur), and accountability. The model for the policy decision is defined by a policy lattice and a corresponding evaluation algorithm, to define at which level a user can escalate privileges. Policy obligations are used to notify the evaluation context of the occurred override of permissions.

Although the model is generic enough, all of the examples use Extensible Access Control Markup Language (XACML) 2.0 standard. Implementation of the model uses off-the-shelf components, and the source code is provided in the book’s appendix. It integrates well with existing deployments.

The book is well structured and self-contained. The reader is not required to master any policy model in order to enjoy reading it. The necessary background is presented in the introductory material and the core of the model is shown in the central chapters. In the very exhaustive “Related Work” chapter Break-Glass is compared to other approaches.