Declarative Privacy Policy: Finite Models and Attribute-Based Encryption


Presentation Transcript


  1. Declarative Privacy Policy: Finite Models and Attribute-Based Encryption November 2nd, 2011

  2. Healthcare Privacy Problem
  • Data needed for treatment
    • Electronic records and health information exchange can improve care, reduce costs
    • Most patients seen in emergency room were treated in an unaffiliated hospital in last six months
  • Patient access is important
    • Required by law
    • Diabetics can enter glucose data, improve treatment
    • Personal health devices: blood pressure, Zeo, Fitbit, Withings
  • Privacy requirements
    • HIPAA law mandates privacy
    • Hospitals add policy
    • Insurer needs data for billing, should not deny coverage based on correlated factors
  [Diagram: data flows between Patient, Patient Portal, Electronic Record, HIE, Doctor, Insurance and Drug Co., annotated with the goals quality care, HIPAA compliance and patient privacy]

  3. Privacy theory → automated compliance

  4. Finite Model for HIPAA
  • Dependency graph
  • Acyclicity of privacy law
  • Can we capture the behavior of an acyclic law by its operations on a finite set of exemplary use cases?
  • Exemplary cases can be used for
    • Training and education
    • Testing and debugging for compliance software
  [Figure: dependency graph with the nodes permitted_by_164_502_a(A), is_from_coveredEntity(A), is_phi(A), permitted_by_164_502_a_1(A), permitted_by_164_502_a_1_i(A)]

  5. Compliance Tree of an Acyclic Law
  [Figure: compliance tree; node labels as read from the slide]
  compliantWithALaw(A) = permittedBySomeClause(A) AND NOT forbiddenBySomeClause(A)
    permittedBySomeClause(A) = permittedByC1(A) OR … OR permittedByCm(A)
    forbiddenBySomeClause(A) = forbiddenByC1(A) OR … OR forbiddenByCm(A)
    permittedByC1(A) = coveredByC1(A) AND satisfiesC1(A) AND permittedBySomeRefOfClause1(A)
      permittedBySomeRefOfClause1(A) = permittedByClauseRef_1,1(A) OR … OR permittedByClauseRef_1,N(A)
    forbiddenByCm(A) = coveredByCm(A) AND satisfiesCm(A)

  6. Algorithm to Generate Exemplary Cases for an Acyclic Privacy Law
  • Construct the compliance tree for the acyclic law
  • Normalize it (push NOT operators to the bottom)
    • Using De Morgan's laws and Boolean algebra
  • Construct the search trees
  • For each search tree, add an exemplary case instance to the model that satisfies all the nodes in the tree

  7. A Search Tree to Generate an Exemplary Case
  [Figure: one search tree of the normalized compliance tree; at each OR node a single child is kept]
  compliantWithALaw(A) = permittedBySomeClause(A) AND notForbiddenByAnyClause(A)
    permittedBySomeClause(A), chosen branch: permittedByC1(A) = coveredByC1(A) AND satisfiesC1(A) AND permittedBySomeRefOfC1(A)
      permittedBySomeRefOfC1(A), chosen branch: permittedByClauseRef_I,J(A)
    notForbiddenByAnyClause(A) = notForbiddenByC1(A) AND … AND notForbiddenByCm(A)
      notForbiddenByCm(A), chosen branch: notCoveredByCm(A)

  8. Finite Model for Privacy Laws
  • Our main results regarding the construction
    • The model for an acyclic law constructed using our algorithm is finite
    • The acyclic law can be completely characterized by its operation on the exemplary cases in the model
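The four steps of slide 6, run end to end on a toy law shaped like the compliance tree of slides 5 and 7, as an added example (not code from the slides or from the healthcareprivacy project). The clause names, the toy law and the deliberately wrong checker are constructed for illustration; going one step beyond the slide, the model also contains exemplary cases for the negated law so that a checker can be exercised on non-compliant actions too.

```python
"""Exemplary-case generation for an acyclic privacy law.

Added example; not code from the slides or the healthcareprivacy project.
A law is a boolean formula over atomic predicates of an action A
(coveredByC1, satisfiesC1, ...), shaped like the compliance tree on the
slides. The toy law and the buggy checker below are constructed.
"""
from typing import Callable, Dict, FrozenSet, List, Tuple, Union

Formula = Union[str, tuple]      # atom, or ("AND" | "OR" | "NOT", *children)
Case = Dict[str, bool]           # exemplary case: truth value of each fixed atom
Literal = Tuple[str, bool]


def AND(*xs: Formula) -> Formula: return ("AND",) + xs
def OR(*xs: Formula) -> Formula: return ("OR",) + xs
def NOT(x: Formula) -> Formula: return ("NOT", x)


def normalize(f: Formula) -> Formula:
    """Step 2: push NOT down to the atoms with De Morgan's laws."""
    if isinstance(f, str):
        return f
    if f[0] != "NOT":
        return (f[0],) + tuple(normalize(g) for g in f[1:])
    g = f[1]
    if isinstance(g, str):
        return ("NOT", g)                 # a negated atom is a leaf
    if g[0] == "NOT":
        return normalize(g[1])            # double negation
    dual = "OR" if g[0] == "AND" else "AND"
    return (dual,) + tuple(normalize(("NOT", h)) for h in g[1:])


def search_trees(f: Formula) -> List[FrozenSet[Literal]]:
    """Step 3: all search trees of a normalized formula, each given by the
    literals at its leaves. AND keeps every child; OR opens one tree per
    child, so the number of trees is finite and bounded by the formula."""
    if isinstance(f, str):
        return [frozenset({(f, True)})]
    if f[0] == "NOT":
        return [frozenset({(f[1], False)})]
    if f[0] == "OR":
        return [t for g in f[1:] for t in search_trees(g)]
    trees: List[FrozenSet[Literal]] = [frozenset()]
    for g in f[1:]:
        trees = [a | b for a in trees for b in search_trees(g)]
    return trees


def exemplary_cases(f: Formula) -> List[Case]:
    """Step 4: one case per search tree; a tree fixing an atom both true
    and false is contradictory and yields no case."""
    cases: List[Case] = []
    for tree in search_trees(normalize(f)):
        case: Case = {}
        for atom, value in sorted(tree):
            if case.get(atom, value) != value:
                break
            case[atom] = value
        else:
            cases.append(case)
    return cases


def evaluate(f: Formula, case: Case) -> bool:
    """Reference semantics of the law; atoms a case does not fix are False."""
    if isinstance(f, str):
        return case.get(f, False)
    if f[0] == "NOT":
        return not evaluate(f[1], case)
    if f[0] == "AND":
        return all(evaluate(g, case) for g in f[1:])
    return any(evaluate(g, case) for g in f[1:])


def finite_model(law: Formula) -> List[Tuple[Case, bool]]:
    """Exemplary compliant cases plus (beyond the slide's algorithm)
    exemplary non-compliant cases from the negated law, each labelled
    with the verdict the law gives on it."""
    model = [(c, True) for c in exemplary_cases(law)]
    model += [(c, False) for c in exemplary_cases(NOT(law))]
    assert all(evaluate(law, c) == verdict for c, verdict in model)
    return model


def discrepancies(model: List[Tuple[Case, bool]],
                  checker: Callable[[Case], bool]) -> List[Case]:
    """Debugging use: exemplary cases on which a checker disagrees with the law."""
    return [c for c, verdict in model if checker(c) != verdict]


# Toy acyclic law in the slides' node names: C1 permits a covered action when
# its conditions hold and one referenced clause permits; C2 permits once
# covered and satisfied; C3 forbids once covered and satisfied.
permittedByC1 = AND("coveredByC1", "satisfiesC1",
                    OR("permittedByClauseRef_1_1", "permittedByClauseRef_1_2"))
permittedByC2 = AND("coveredByC2", "satisfiesC2")
forbiddenByC3 = AND("coveredByC3", "satisfiesC3")
LAW = AND(OR(permittedByC1, permittedByC2), NOT(OR(forbiddenByC3)))

# Constructed bug: a checker that demands *all* referenced clauses of C1.
STRICT_REFS = AND(OR(AND("coveredByC1", "satisfiesC1",
                         "permittedByClauseRef_1_1", "permittedByClauseRef_1_2"),
                     permittedByC2),
                  NOT(OR(forbiddenByC3)))


def buggy_checker(case: Case) -> bool:
    return evaluate(STRICT_REFS, case)


if __name__ == "__main__":
    model = finite_model(LAW)
    print(len(model), "exemplary cases in the model")
    for case in discrepancies(model, buggy_checker):
        print("checker disagrees with the law on", case)
```

For the toy law the model has 13 cases (6 compliant, 7 non-compliant), and the strict checker is caught on the four compliant cases that rely on a single referenced clause of C1; those are exactly the "testing and debugging for compliance software" cases slide 4 has in mind.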

  9. Encrypted medical data in the cloud
  • Applications: HIE, affiliated clinics, medical research
  [Diagram: the hospital policy engine takes records from the EHR and stores them as attribute-based-encrypted medical data in a cloud database; a user presents credentials, queries the database and applies attribute-based decryption]

  10. Attribute-Based Encryption
  [Figure: public key PK, secret keys SK, access policy trees of the form Doctor OR (Nurse AND ICU), and attribute sets {“Doctor”, “Neurology”} and {“Nurse”, “Physical Therapy”}. A key decrypts only if its attributes satisfy the policy tree: {Doctor, Neurology} satisfies Doctor OR (Nurse AND ICU), while {Nurse, Physical Therapy} does not, since ICU is missing.]

  11. Extracting ABE data policy
  • HIPAA, hospital policy
  • Policy: Action → {allow, deny}
  • Action characterized by (from, about, type, consents, to, purpose, beliefs)
  • Data policy
    • SELECT rows with given attributes: from, about, type, consents
    • PROJECT them to generate the associated ABE access policy:
      {(to, purpose, beliefs) | Policy(from, about, type, consents, to, purpose, beliefs) = allow}
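The SELECT/PROJECT step above, carried out on a small constructed policy, as an added example (not code from the slides or the healthcareprivacy project). The policy function hospital_policy, the attribute vocabulary and the two sample records are assumptions made for illustration; the output is the DNF attribute policy a record would be encrypted under, and can_decrypt applies the ABE rule that a key opens a ciphertext only if its attributes satisfy one conjunction of that policy.

```python
"""Deriving an ABE access policy from a declarative privacy policy.

Added example; not code from the slides or the healthcareprivacy project.
The policy function, attribute vocabulary and sample records are constructed.
Attributes are encoded as "name=value" strings, the form in which a CP-ABE
library takes key attributes and ciphertext policies.
"""
from typing import Callable, FrozenSet, List, Set, Tuple

DataAttrs = Tuple[str, str, str, FrozenSet[str]]   # (from, about, type, consents)
AccessAttrs = Tuple[str, str, FrozenSet[str]]      # (to, purpose, beliefs)
Policy = Callable[[DataAttrs, AccessAttrs], str]   # Action -> "allow" | "deny"
Term = FrozenSet[str]                              # conjunction of attributes

# Finite vocabulary over which the projection is enumerated (constructed).
RECIPIENTS = ["Alice", "Bob", "Doctor", "Nurse", "Insurer", "Researcher"]
PURPOSES = ["patient_access", "treatment", "billing", "research"]
BELIEF_SETS = [frozenset(), frozenset({"deidentified"})]


def hospital_policy(data: DataAttrs, access: AccessAttrs) -> str:
    """Constructed stand-in for the formalized HIPAA + hospital policy."""
    sender, about, dtype, consents = data
    to, purpose, beliefs = access
    if to == about and purpose == "patient_access":
        return "allow"                          # patient access to own record
    if to == "Doctor" and purpose == "treatment":
        return "allow"
    if to == "Insurer" and purpose == "billing" and "billing" in consents:
        return "allow"                          # billing only, never underwriting
    if (to == "Researcher" and purpose == "research"
            and "research" in consents and "deidentified" in beliefs):
        return "allow"
    return "deny"


def extract_access_policy(policy: Policy, data: DataAttrs) -> List[Term]:
    """SELECT the policy rows for the record's (from, about, type, consents),
    then PROJECT the allowed (to, purpose, beliefs) triples onto attribute
    conjunctions: the DNF access policy to encrypt the record under."""
    terms: Set[Term] = set()
    for to in RECIPIENTS:
        for purpose in PURPOSES:
            for beliefs in BELIEF_SETS:
                if policy(data, (to, purpose, beliefs)) == "allow":
                    terms.add(frozenset({f"to={to}", f"purpose={purpose}",
                                         *(f"belief={b}" for b in beliefs)}))
    # Absorption: a conjunction strictly containing another allowed one is redundant.
    minimal = [t for t in terms if not any(other < t for other in terms)]
    return sorted(minimal, key=sorted)


def policy_string(terms: List[Term]) -> str:
    """Render the DNF in the textual form CP-ABE libraries commonly accept."""
    return " OR ".join("(" + " AND ".join(sorted(t)) + ")" for t in terms)


def can_decrypt(terms: List[Term], key_attrs: FrozenSet[str]) -> bool:
    """ABE semantics: a key decrypts iff its attributes satisfy some conjunction."""
    return any(t <= key_attrs for t in terms)


# Constructed records: Alice consented to billing use, Bob to research use.
ALICE_LAB = ("Hospital", "Alice", "lab_result", frozenset({"billing"}))
BOB_LAB = ("Hospital", "Bob", "lab_result", frozenset({"research"}))

if __name__ == "__main__":
    for record in (ALICE_LAB, BOB_LAB):
        terms = extract_access_policy(hospital_policy, record)
        print(record[1], "->", policy_string(terms))
```

Purpose travels as an attribute of the recipient's key, so an insurer credential issued for billing satisfies Alice's policy while one issued for underwriting does not; this is how the slide-2 requirement that the insurer gets data for billing but cannot reuse it to deny coverage is carried into the ciphertext. Beliefs (here "deidentified") become attributes of the same kind, which is why Bob's research term needs a key carrying belief=deidentified.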

  12. Prototype

  13. Performance

  14. Open Issue
  • No direct support of parameterized roles in ABE
    • Format: R(p1, p2, …, pn)
    • E.g., §164.502(g)(3)(ii)(A): "… a covered entity may disclose, or provide access in accordance with §164.524 to, protected health information about an unemancipated minor to a parent, guardian, or other person acting in loco parentis"
  • Workaround
    • Hardcode parameter values into the attribute name, e.g. inLocoParentis_Tom
  • Challenges
    • Identity silos across organizations

  15. References
  • P.E. Lam, J.C. Mitchell, A. Scedrov, et al. Declarative privacy policy: Finite models and attribute-based encryption. IHI 2012.
  • J. Franklin, S. Chaki, A. Datta, A. Seshadri. Scalable Parametric Verification of Secure Systems: How to Verify Reference Monitors without Worrying about Data Structure Size. Proceedings of the 31st IEEE Symposium on Security and Privacy, May 2010.
  • P.E. Lam, J.C. Mitchell, S. Sundaram. A Formalization of HIPAA for a Medical Messaging System. TrustBus 2009.
  • A. Barth, A. Datta, J.C. Mitchell, H. Nissenbaum. Privacy and Contextual Integrity: Framework and Applications. Proceedings of the 27th IEEE Symposium on Security and Privacy, May 2006.
  • Healthcare privacy project source code: http://github.com/healthcareprivacy
  • Demo (under construction): http://crypto.stanford.edu/privacy/HIPAA/

  16. Backup slides
