Declarative Privacy Policy: Finite Models and Attribute-Based Encryption

Post on 23-Jan-2016


November 2nd, 2011

Healthcare Privacy Problem

• Data needed for treatment
  • Electronic records and health information exchange can improve care, reduce costs
  • Most patients seen in an emergency room were treated in an unaffiliated hospital in the last six months
• Patient access is important
  • Required by law
  • Diabetics can enter glucose data, improve treatment
  • Personal health devices: blood pressure, Zeo, Fitbit, Withings

[Slide diagram: stakeholders Patient, Doctor, Insurance, Electronic Record, Patient Portal, Drug Co. and HIE, with the competing goals Quality care, HIPAA compliance and Patient privacy]

Privacy requirements
• HIPAA law mandates privacy
• Hospitals add policy
• Insurer needs data for billing, should not deny coverage based on correlated factors

Privacy theory automated compliance

Finite Model for HIPAA

• Dependency graph
• Acyclicity of privacy law
• Can we capture the behavior of an acyclic law by its operations on a finite set of exemplary use cases?
• Exemplary cases can be used for
  • Training and education
  • Testing and debugging for compliance software

Dependency graph

[Slide diagram: predicates appearing in the dependency graph for §164.502(a), from the top-level permission down to its sub-clauses]
permitted_by_164_502_a(A)
  is_from_coveredEntity(A)
  permitted_by_164_502_a_1(A)
    is_phi(A)
    permitted_by_164_502_a_1_i(A)

Compliance Tree of an Acyclic Law

[Slide diagram, rendered as text; each node is listed with the operator that combines its children]

compliantWithALaw( A )
  AND: permittedBySomeClause( A ), NOT forbiddenBySomeClause( A )
permittedBySomeClause( A )
  OR: permittedByC1( A ), …, permittedByCm( A )
permittedByC1( A )
  AND: coveredByC1( A ), satisfiesC1( A ), permittedBySomeRefOfClause1( A )
permittedBySomeRefOfClause1( A )
  OR: permByClauseRef_1,1( A ), …, permittedByClauseRef_1,N( A )
forbiddenBySomeClause( A )
  OR: forbiddenByC1( A ), …, forbiddenByCm( A )
forbiddenByCm( A )
  children coveredByCm( A ) and satisfiesCm( A ), combined with AND and NOT

Algorithm to Generate Exemplary Cases for an Acyclic Privacy Law

I. Construct the compliance tree for the acyclic law
II. Normalize it (push NOT operators to the bottom)
  • Using De Morgan’s Laws and Boolean algebra
III. Construct the search trees
IV. For each search tree, add an exemplary case instance to the model that satisfies all the nodes in the tree
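As an added example (not the paper's own code), the four steps carried out on a small constructed compliance tree; the predicate names and the tree shape are assumptions, and the case count shows where the finiteness result comes from: one exemplary case per consistent search tree.

```python
"""Toy version of the four-step exemplary-case algorithm (added example, not
the paper's implementation): compliance tree as nested tuples, NOT pushed to
the leaves with De Morgan, one search tree per choice of OR branches."""

from itertools import product

# Constructed law: permitting clauses C1, C2 and a forbidding clause C3.
TREE = ("AND",
        ("OR", ("AND", "coveredByC1", "satisfiesC1"),
               ("AND", "coveredByC2", "satisfiesC2")),
        ("NOT", ("OR", ("AND", "coveredByC3", "satisfiesC3"))))

def normalize(node, neg=False):
    """Step II: push NOT down to the leaves (De Morgan swaps AND/OR)."""
    if isinstance(node, str):
        return ("NOT", node) if neg else node
    op, *kids = node
    if op == "NOT":
        return normalize(kids[0], not neg)
    if neg:
        op = "OR" if op == "AND" else "AND"
    return (op, *(normalize(k, neg) for k in kids))

def search_trees(node):
    """Step III: each way of picking one branch at every OR is a search tree;
    return each tree as the frozenset of leaf literals it must satisfy."""
    if isinstance(node, str) or node[0] == "NOT":
        return [frozenset([node])]
    op, *kids = node
    if op == "OR":
        return [t for k in kids for t in search_trees(k)]
    return [frozenset().union(*combo)            # AND: one tree per child
            for combo in product(*(search_trees(k) for k in kids))]

def exemplary_cases(tree):
    """Step IV: one truth assignment per consistent search tree."""
    cases = []
    for literals in search_trees(normalize(tree)):
        case = {(l[1] if isinstance(l, tuple) else l): not isinstance(l, tuple)
                for l in literals}
        if len(case) == len(literals):          # p and NOT p both present: drop
            cases.append(case)
    return cases

def evaluate(node, case):
    """Truth of the original tree under a case; unmentioned predicates are False."""
    if isinstance(node, str):
        return case.get(node, False)
    if node[0] == "NOT":
        return not evaluate(node[1], case)
    vals = [evaluate(k, case) for k in node[1:]]
    return all(vals) if node[0] == "AND" else any(vals)
```

Running `exemplary_cases(TREE)` yields four cases, one per search tree, and each evaluates to compliant on the original tree.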

A Search Tree to Generate an Exemplary Case

[Slide diagram, rendered as text; one branch is chosen at each OR of the normalized compliance tree]

compliantWithALaw( A )
  AND: permittedBySomeClause( A ), notForbiddenByAnyClause( A )
permittedBySomeClause( A )
  chosen branch: permittedByC1( A )
permittedByC1( A )
  AND: coveredByC1( A ), satisfiesC1( A ), permittedBySomeRefOfC1( A )
permittedBySomeRefOfC1( A )
  chosen branch: permittedByClauseRef_I,J( A )
notForbiddenByAnyClause( A )
  AND: notForbiddenByC1( A ), …, notForbiddenByCm( A )
notForbiddenByCm( A )
  chosen branch: notCoveredByCm( A )

Finite Model for Privacy Laws

Our main results regarding the construction:
• The model for an acyclic law constructed using our algorithm is finite
• The acyclic law can be completely characterized by its operation on the exemplary cases in the model

Encrypted medical data in the cloud

[Slide diagram: components User, Hospital, Database, Policy Engine, Query, Attribute-based Encryption, Attribute-based Decryption, Encrypted Medical Data, Credentials, EHR]

Applications:
• HIE, Affiliated clinics
• Medical research

Attribute-Based Encryption

[Slide diagram: public key PK; two secret keys SK, one for the attributes “Doctor”, “Neurology” and one for the attributes “Nurse”, “Physical Therapy”; the ciphertext access policy is drawn as the tree OR( Doctor, AND( Nurse, ICU ) ), i.e. Doctor OR (Nurse AND ICU), so the Doctor key decrypts and the Nurse key does not]

Extracting ABE data policy

• HIPAA, Hospital policy
• Policy: Action → {allow, deny}
  • Action characterized by from, about, type, consents, to, purpose, beliefs
• Data policy
  • SELECT rows with given attributes: from, about, type, consents
  • PROJECT them to generate the associated ABE access policy

{to, purpose, beliefs | Policy( from, about, type, consents, to, purpose, beliefs ) = Allow}
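An added example (not the project's code) of the SELECT/PROJECT step on a constructed policy table: the Allow rows matching a data item's from/about/type/consents attributes are projected onto to/purpose/beliefs, giving a DNF access policy that a key's attribute set either satisfies or not. The table rows and attribute values are constructed, not taken from HIPAA or any hospital policy.

```python
"""Added example (not the project's code): derive a data item's ABE access
policy from a tabular allow/deny policy, following the slide's set
{to, purpose, beliefs | Policy(from, about, type, consents, to, purpose, beliefs) = Allow}."""

DATA_ATTRS = ("from", "about", "type", "consents")  # fixed by the data item
KEY_ATTRS = ("to", "purpose", "beliefs")            # become the ABE policy

def action(frm, about, typ, consents, to, purpose, beliefs):
    return dict(zip(DATA_ATTRS + KEY_ATTRS, (frm, about, typ, consents, to, purpose, beliefs)))

# Constructed policy table: each row is a fully specified action and its decision.
POLICY = [
    (action("hospital", "patient", "phi", "yes", "doctor", "treatment", "none"), "allow"),
    (action("hospital", "patient", "phi", "yes", "nurse", "treatment", "icu"), "allow"),
    (action("hospital", "patient", "phi", "yes", "insurer", "marketing", "none"), "deny"),
    (action("hospital", "patient", "psychotherapy_notes", "no", "doctor", "treatment", "none"), "deny"),
]

def extract_abe_policy(data, policy=POLICY):
    """SELECT the rows whose (from, about, type, consents) match the data item
    and decide Allow, then PROJECT them onto (to, purpose, beliefs). The result
    is a DNF access policy: a list of AND-clauses of 'attr=value' attributes."""
    clauses = []
    for row, decision in policy:
        if decision == "allow" and all(row[a] == data[a] for a in DATA_ATTRS):
            clause = tuple(f"{a}={row[a]}" for a in KEY_ATTRS)
            if clause not in clauses:
                clauses.append(clause)
    return clauses  # [] means no key can decrypt the item

def satisfies(key_attrs, abe_policy):
    """A key holding attribute set key_attrs decrypts iff some clause is a subset."""
    return any(set(clause) <= set(key_attrs) for clause in abe_policy)

def format_policy(abe_policy):
    """Render the DNF policy the way the ABE slide draws its access tree."""
    return " OR ".join("(" + " AND ".join(c) + ")" for c in abe_policy)

if __name__ == "__main__":
    item = {"from": "hospital", "about": "patient", "type": "phi", "consents": "yes"}
    print(format_policy(extract_abe_policy(item)))
```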

Prototype

Performance

Open Issue

• No direct support of Parameterized Roles in ABE
  • Format: R(p1, p2, …, pn)
  • E.g., 164.502(g)(3)(ii)(A) … a covered entity may disclose, or provide access in accordance with §164.524 to, protected health information about an unemancipated minor to a parent, guardian, or other person acting in loco parentis;
• Workaround: hardcode parameter values into the attribute name, e.g. inLocoParentis_Tom
• Challenges
  • Identity silos across organizations

References

• Declarative privacy policy: Finite models and attribute-based encryption, P.E. Lam, J.C. Mitchell, A. Scedrov, et al., IHI 2012.
• Scalable Parametric Verification of Secure Systems: How to Verify Reference Monitors without Worrying about Data Structure Size, J. Franklin, S. Chaki, A. Datta, A. Seshadri, Proceedings of the 31st IEEE Symposium on Security and Privacy, May 2010.
• A Formalization of HIPAA for a Medical Messaging System, P.E. Lam, J.C. Mitchell, and S. Sundaram, TrustBus 2009.
• Privacy and Contextual Integrity: Framework and Applications, A. Barth, A. Datta, J.C. Mitchell, and H. Nissenbaum, Proceedings of the 27th IEEE Symposium on Security and Privacy, May 2006.

Healthcare privacy project source code: http://github.com/healthcareprivacy
Demo (under construction): http://crypto.stanford.edu/privacy/HIPAA/

Backup slides
