160 likes | 338 Views
Declarative Privacy P olicy : Finite Models and Attribute-Based Encryption. November 2 nd , 2011. Healthcare Privacy Problem. Data needed for treatment Electronic records and health information exchange can improve care, reduce costs
E N D
Declarative Privacy Policy: Finite Models and Attribute-Based Encryption November 2nd, 2011
Healthcare Privacy Problem • Data needed for treatment • Electronic records and health information exchange can improve care, reduce costs • Most patients seen in emergency room were treated in an unaffiliated hospital in last six months • Patient access is important • Required by law • Diabetics can enter glucose data, improve treatment • Personal health devices: Blood pressure, Zeo, Fitbit, Withings HIE Doctor Insurance Electronic Record Patient Portal Quality care HIPAA compliance Patient privacy Drug Co. Patient • Privacy requirements • HIPAA law mandates privacy • Hospitals add policy • Insurer needs data for billing, should not deny coverage based on correlated factors
Finite Model for HIPAA • Dependency graph • Acyclicity of privacy law • Can we capture the behavior of an acyclic law by its operations on a finite set of exemplary use cases? • Exemplary cases can be used for • Training and education • Testing and debugging for compliance software Dependency graph permitted_by_164_502_a(A) is_from_coveredEntity(A) is_phi(A) permitted_by_164_502_a_1(A) permitted_by_164_502_a_1_i(A)
Compliance Tree of an Acyclic Law compliantWithALaw( A ) AND NOT permittedBySomeClause( A ) forbiddenBySomeClause( A ) OR OR … permittedBy C1( A ) … permittedBy Cm( A ) forbiddenBy Cm( A ) forbiddenBy C1( A ) AND AND NOT permittedBySome RefOfClause1( A ) satisfies C1( A ) coveredBy C1( A ) coveredBy Cm( A ) satisfies Cm ( A ) OR permittedByClause Ref_1,N( A ) permByClauseRef_1,1( A )
Algorithm to Generate Exemplary Cases for an Acyclic Privacy Law • Construct the compliance tree for the acyclic law • Normalizeit (push NOT operators to the bottom) • Using De Morgan’s Laws and Boolean algebra • Construct the search trees • For each search tree, add an exemplary case instance to the model that satisfies all the nodes in the tree
A Search Tree to Generate an Exemplary Case compliantWithALaw( A ) AND permittedBySomeClause( A ) notForbiddenBy AnyClause( A ) AND permittedBy C1( A ) … notForbidden ByCm( A ) notForbidden ByC1( A ) AND permittedBySome RefOfC1( A ) satisfies C1( A ) coveredBy C1( A ) notCoveredBy Cm( A ) permittedByClause Ref_I,J( A )
Finite Model for Privacy Laws • Our main results regarding the construction • The model for an acyclic law constructed using our algorithm is finite • The acyclic law can be completely characterized by its operation on the exemplary cases in the model
Encrypted medical data in the cloud Hospital Policy Engine • Applications: • HIE, Affiliated clinics • Medical research Query Encrypted Medical Data Attribute-based Encryption Database User Attribute-based Decryption EHR Credentials
OR OR SK SK AND AND Doctor Doctor Nurse ICU Nurse ICU Attribute-Based Encryption = PK “Doctor” “Neurology” “Nurse” “Physical Therapy”
Extracting ABE data policy • HIPAA, Hospital policy • Policy: Action {allow, deny} • Action characterized by • from, about, type, consents, to, purpose, beliefs • Data policy • SELECT rows with given attributes: from, about, type, consents • PROJECT them to generate the associated ABE access policy {to, purpose, beliefs | Policy (from, about, type, consents, to, purpose, beliefs ) = Allow}
Open Issue • No direct support of Parameterized Roles in ABE • Format: R(p1, p2, …, pn) • E.g.,164.502 (g)(3)(ii)A … a covered entity may disclose, or provide access in accordance with §164.524 to, protected health information about an unemancipated minor to a parent, guardian, or other person acting in loco parentis; • Workaround • Hardcode parameter values into the attribute name, e.g. inLocoParentis_Tom • Challenges • Identity silos across organizations
References • Declarative privacy policy: Finite models and attribute-based encryption, P.E.Lam, J.C.Mitchell, A.Scedrov, et al., IHI 2012. • Scalable Parametric Verification of Secure Systems: How to Verify Reference Monitors without Worrying about Data Structure Size, J. Franklin, S. Chaki, A. Datta, A. Seshadri, Proceedings of 31st IEEE Symposium on Security and Privacy, May 2010. • A Formalization of HIPAA for a Medical Messaging System • P.F. Lam, J.C. Mitchell, and S. Sundaram, TrustBus 2009. • Privacy and Contextual Integrity: Framework and Applications, A. Barth, A. Datta, J. C. Mitchell, and H. Nissenbaum, Proceedings of 27th IEEE Symposium on Security and Privacy, May 2006. • Healthcare privacy project source code • http://github.com/healthcareprivacy • Demo (under construction) • http://crypto.stanford.edu/privacy/HIPAA/