Declarative Privacy Policy: Finite Models and Attribute-Based Encryption
November 2nd, 2011
Healthcare Privacy Problem
Data needed for treatment
• Electronic records and health information exchange can improve care, reduce costs
• Most patients seen in emergency room were treated in an unaffiliated hospital in last six months
Patient access is important
• Required by law
• Diabetics can enter glucose data, improve treatment
• Personal health devices: blood pressure, Zeo, Fitbit, Withings
Diagram labels: Patient, Doctor, Insurance, Electronic Record, Patient Portal, Drug Co.; Quality care; HIPAA compliance; Patient privacy
Privacy requirements
• HIPAA law mandates privacy
• Hospitals add policy
• Insurer needs data for billing, should not deny coverage based on correlated factors
• HIE
Privacy theory and automated compliance
Finite Model for HIPAA
• Dependency graph
• Acyclicity of privacy law
• Can we capture the behavior of an acyclic law by its operations on a finite set of exemplary use cases?
Exemplary cases can be used for
• Training and education
• Testing and debugging for compliance software
Dependency graph (figure; predicate nodes shown): permitted_by_164_502_a(A), is_from_coveredEntity(A), permitted_by_164_502_a_1(A), is_phi(A), permitted_by_164_502_a_1_i(A)
Compliance Tree of an Acyclic Law (figure; structure as far as the node labels and AND/OR/NOT markers can be recovered)
compliantWithALaw(A) = permittedBySomeClause(A) AND NOT forbiddenBySomeClause(A)
permittedBySomeClause(A) = OR over permittedByC1(A) … permittedByCm(A)
permittedByC1(A) = coveredByC1(A) AND satisfiesC1(A) AND permittedBySomeRefOfClause1(A)
permittedBySomeRefOfClause1(A) = OR over permittedByClauseRef_1,1(A) … permittedByClauseRef_1,N(A)
forbiddenBySomeClause(A) = OR over forbiddenByC1(A) … forbiddenByCm(A)
forbiddenByCm(A) = coveredByCm(A) AND NOT satisfiesCm(A)
Algorithm to Generate Exemplary Cases for an Acyclic Privacy Law
I. Construct the compliance tree for the acyclic law
II. Normalize it (push NOT operators to the bottom)
• Using De Morgan's Laws and Boolean algebra
III. Construct the search trees
IV. For each search tree, add an exemplary case instance to the model that satisfies all the nodes in the tree
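The four steps above, worked through on a small constructed law as an added example (this is not the healthcare privacy project's code). The toy law has two clauses and uses the coveredByCi / satisfiesCi predicate names from the compliance-tree figure; the clause-reference level is omitted, and dropping a search tree that contains both a predicate and its negation (no instance can satisfy it) is my reading of step IV.

```python
# Added example: exemplary-case generation for an acyclic law from its
# compliance tree. Toy law and predicate names are constructed for illustration.
from dataclasses import dataclass
from typing import List, Tuple, Union


# Boolean tree: leaves are predicate names, internal nodes are AND / OR / NOT.
@dataclass(frozen=True)
class Leaf:
    name: str


@dataclass(frozen=True)
class Not:
    child: "Node"


@dataclass(frozen=True)
class And:
    children: Tuple["Node", ...]


@dataclass(frozen=True)
class Or:
    children: Tuple["Node", ...]


Node = Union[Leaf, Not, And, Or]


def normalize(node: Node, negated: bool = False) -> Node:
    """Step II: push NOT down to the leaves with De Morgan's laws."""
    if isinstance(node, Leaf):
        return Not(node) if negated else node
    if isinstance(node, Not):
        return normalize(node.child, not negated)
    kids = tuple(normalize(c, negated) for c in node.children)
    if isinstance(node, And):
        return Or(kids) if negated else And(kids)   # NOT (a AND b) = NOT a OR NOT b
    return And(kids) if negated else Or(kids)       # NOT (a OR b) = NOT a AND NOT b


def search_trees(node: Node) -> List[frozenset]:
    """Step III: a search tree keeps every child of an AND node and exactly one
    child of an OR node. Each tree is returned as the set of literals at its leaves
    ('pred' or 'not pred')."""
    if isinstance(node, Leaf):
        return [frozenset({node.name})]
    if isinstance(node, Not):  # after normalize() only Not(Leaf) remains
        return [frozenset({"not " + node.child.name})]
    if isinstance(node, Or):
        return [t for c in node.children for t in search_trees(c)]
    combos = [frozenset()]     # And: one search tree from each child, combined
    for c in node.children:
        combos = [acc | t for acc in combos for t in search_trees(c)]
    return combos


def exemplary_cases(law: Node) -> List[frozenset]:
    """Step IV: one case per search tree; trees demanding p and not p are skipped."""
    cases: List[frozenset] = []
    for tree in search_trees(normalize(law)):
        positives = {lit for lit in tree if not lit.startswith("not ")}
        negatives = {lit[4:] for lit in tree if lit.startswith("not ")}
        if positives & negatives or tree in cases:
            continue
        cases.append(tree)
    return cases


def holds(node: Node, case: frozenset) -> bool:
    """Evaluate the original tree on a case: a predicate is true iff it appears
    positively in the case (closed-world reading of the exemplary instance)."""
    if isinstance(node, Leaf):
        return node.name in case
    if isinstance(node, Not):
        return not holds(node.child, case)
    if isinstance(node, And):
        return all(holds(c, case) for c in node.children)
    return any(holds(c, case) for c in node.children)


# Step I, constructed toy law with clauses C1 and C2:
#   compliantWithALaw(A) = permittedBySomeClause(A) AND NOT forbiddenBySomeClause(A)
#   permittedByCi(A)     = coveredByCi(A) AND satisfiesCi(A)
#   forbiddenByCi(A)     = coveredByCi(A) AND NOT satisfiesCi(A)
def permitted_by(i: int) -> Node:
    return And((Leaf(f"coveredByC{i}"), Leaf(f"satisfiesC{i}")))


def forbidden_by(i: int) -> Node:
    return And((Leaf(f"coveredByC{i}"), Not(Leaf(f"satisfiesC{i}"))))


TOY_LAW: Node = And((
    Or((permitted_by(1), permitted_by(2))),
    Not(Or((forbidden_by(1), forbidden_by(2)))),
))

if __name__ == "__main__":
    for case in exemplary_cases(TOY_LAW):   # four cases for this toy law
        print(sorted(case), "compliant:", holds(TOY_LAW, case))
```

Every generated case is then re-checked against the un-normalized law with holds(), which is the kind of consistency test a compliance engine built on these models can run on itself.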
A Search Tree to Generate an Exemplary Case (figure; one branch chosen at each OR node)
compliantWithALaw(A) = permittedBySomeClause(A) AND notForbiddenByAnyClause(A)
permittedBySomeClause(A): chosen branch permittedByC1(A) = coveredByC1(A) AND satisfiesC1(A) AND permittedBySomeRefOfC1(A)
permittedBySomeRefOfC1(A): chosen branch permittedByClauseRef_I,J(A)
notForbiddenByAnyClause(A) = notForbiddenByC1(A) AND … AND notForbiddenByCm(A)
notForbiddenByCm(A): chosen branch notCoveredByCm(A)
Finite Model for Privacy Laws
Our main results regarding the construction:
• The model for an acyclic law constructed using our algorithm is finite
• The acyclic law can be completely characterized by its operation on the exemplary cases in the model
Encrypted medical data in the cloud (figure)
Components shown: User, Hospital, Database, Policy Engine, Query, Attribute-based Encryption, Attribute-based Decryption, Encrypted Medical Data, Credentials, EHR
Applications:
• HIE, Affiliated clinics
• Medical research
Attribute-Based Encryption (figure)
PK; attribute sets {"Doctor", "Neurology"} and {"Nurse", "Physical Therapy"}; access policy tree as laid out in the figure: OR(Doctor, AND(Nurse, ICU)); SK
Extracting ABE data policy
Sources: HIPAA, Hospital policy
Policy: Action ∈ {allow, deny}; an action is characterized by from, about, type, consents, to, purpose, beliefs
Data policy: SELECT rows with given attributes from, about, type, consents; PROJECT them to generate the associated ABE access policy
{to, purpose, beliefs | Policy(from, about, type, consents, to, purpose, beliefs) = Allow}
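The SELECT/PROJECT extraction above and the ABE access-policy check from the preceding figure, as an added example that is not the project's code. The policy rows and credential sets are constructed for illustration; the derived policy is an OR of AND-terms over the requester attributes (to, purpose, beliefs), a "*" field value means the field imposes no attribute, and only the policy derivation and the attribute-set satisfaction check are shown, not the cryptographic ABE encrypt/decrypt operations.

```python
# Added example: derive an ABE access policy from a tabular allow/deny policy
# and test credential sets against it. All rows below are constructed.
from typing import FrozenSet, List, Tuple

# One policy row: the seven fields from the slide plus the action.
Row = Tuple[str, str, str, str, str, str, str, str]

POLICY_TABLE: List[Row] = [
    # from,      about,     type,        consents, to,        purpose,     beliefs,             action
    ("hospital", "patient", "phi",       "none",   "doctor",  "treatment", "treatingPhysician", "allow"),
    ("hospital", "patient", "phi",       "none",   "nurse",   "treatment", "onCareTeam",        "allow"),
    ("hospital", "patient", "phi",       "none",   "insurer", "billing",   "*",                 "allow"),
    ("hospital", "patient", "phi",       "none",   "insurer", "marketing", "*",                 "deny"),
    ("hospital", "patient", "psychNote", "none",   "insurer", "billing",   "*",                 "deny"),
    ("hospital", "patient", "psychNote", "signed", "insurer", "billing",   "*",                 "allow"),
]

DataKey = Tuple[str, str, str, str]        # (from, about, type, consents) of a record
Conjunct = FrozenSet[str]                  # attributes that must all be held
AccessPolicy = FrozenSet[Conjunct]         # OR of AND-terms, i.e. the ABE policy in DNF


def abe_policy(table: List[Row], data: DataKey) -> AccessPolicy:
    """SELECT rows whose data attributes match, keep the Allow rows, and PROJECT
    them onto (to, purpose, beliefs). Each projected row is one AND-term."""
    terms = set()
    for frm, about, typ, consents, to, purpose, beliefs, action in table:
        if (frm, about, typ, consents) != data or action != "allow":
            continue
        fields = {"to": to, "purpose": purpose, "beliefs": beliefs}
        terms.add(frozenset(f"{k}:{v}" for k, v in fields.items() if v != "*"))
    return frozenset(terms)


def satisfies(policy: AccessPolicy, credentials: FrozenSet[str]) -> bool:
    """Credentials satisfy the policy if they contain every attribute of some AND-term.
    An empty policy (no Allow row) is satisfied by nobody."""
    return any(term <= credentials for term in policy)


def policy_string(policy: AccessPolicy) -> str:
    """Render the policy the way an ABE policy tree would be written."""
    terms = sorted(policy, key=sorted)
    return " OR ".join("(" + " AND ".join(sorted(t)) + ")" for t in terms)


if __name__ == "__main__":
    record = ("hospital", "patient", "phi", "none")
    policy = abe_policy(POLICY_TABLE, record)
    print(policy_string(policy))
    billing = frozenset({"to:insurer", "purpose:billing"})
    marketing = frozenset({"to:insurer", "purpose:marketing"})
    print("insurer/billing:", satisfies(policy, billing))      # True
    print("insurer/marketing:", satisfies(policy, marketing))  # False
```

Note that a deny row never contributes a term: the extraction keeps only Allow rows, so a deny is expressed by the absence of a matching conjunct rather than by a negated attribute, which is what makes the result directly usable as a monotone ABE policy.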
Prototype
Performance
Open Issue: No direct support of Parameterized Roles in ABE
Format: R(p1, p2, …, pn)
E.g., 164.502(g)(3)(ii)(A): … a covered entity may disclose, or provide access in accordance with §164.524 to, protected health information about an unemancipated minor to a parent, guardian, or other person acting in loco parentis;
Workaround: Hardcode parameter values into the attribute name, e.g. inLocoParentis_Tom
Challenges: Identity silos across organizations
References
Declarative privacy policy: Finite models and attribute-based encryption, P. E. Lam, J. C. Mitchell, A. Scedrov, et al., IHI 2012.
Scalable Parametric Verification of Secure Systems: How to Verify Reference Monitors without Worrying about Data Structure Size, J. Franklin, S. Chaki, A. Datta, A. Seshadri, Proceedings of the 31st IEEE Symposium on Security and Privacy, May 2010.
A Formalization of HIPAA for a Medical Messaging System, P. E. Lam, J. C. Mitchell, and S. Sundaram, TrustBus 2009.
Privacy and Contextual Integrity: Framework and Applications, A. Barth, A. Datta, J. C. Mitchell, and H. Nissenbaum, Proceedings of the 27th IEEE Symposium on Security and Privacy, May 2006.
Healthcare privacy project source code: http://github.com/healthcareprivacy
Demo (under construction): http://crypto.stanford.edu/privacy/HIPAA/
Backup slides