Declarative Privacy Policy: Finite Models and Attribute-Based Encryption
Transcript of Declarative Privacy Policy: Finite Models and Attribute-Based Encryption
Page 1
Declarative Privacy Policy: Finite Models and Attribute-Based Encryption
November 2nd, 2011
Page 2
Healthcare Privacy Problem
• Data needed for treatment: electronic records and health information exchange can improve care and reduce costs. Most patients seen in an emergency room were treated in an unaffiliated hospital in the last six months.
• Patient access is important: required by law. Diabetics can enter glucose data and improve treatment. Personal health devices: blood pressure, Zeo, Fitbit, Withings.
• Privacy requirements: HIPAA law mandates privacy; hospitals add policy; the insurer needs data for billing but should not deny coverage based on correlated factors.
Diagram: Patient, Doctor, Insurance, Drug Co. and HIE connected to the Electronic Record and Patient Portal; goals: quality care, HIPAA compliance, patient privacy.
Page 3
Privacy theory and automated compliance
Page 4
Finite Model for HIPAA
• Dependency graph
• Acyclicity of privacy law
• Can we capture the behavior of an acyclic law by its operations on a finite set of exemplary use cases?
• Exemplary cases can be used for: training and education; testing and debugging of compliance software
Dependency graph (predicates shown on the slide):
permitted_by_164_502_a(A)
is_from_coveredEntity(A)
permitted_by_164_502_a_1(A)
is_phi(A)
permitted_by_164_502_a_1_i(A)
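The finite-model construction only works when the dependency graph of the law's predicates is acyclic, so the first thing a compliance tool has to check is exactly that. The following is an added example (not the project's code) that represents a dependency graph as a dict, computes the leaves-first order in which the predicates can be unfolded into a compliance tree, and reports the predicates left unresolved when a cycle is present. The node names are the predicates on the slide; the edges between them and the cyclic variant are assumptions made for the example.

```python
"""Dependency graph of a law's predicates and the acyclicity check the
finite-model construction relies on.  Added example, not project code."""
from collections import deque

# Constructed dependency graph: clause -> predicates its definition refers to.
# Node names come from the slide; the edges are an assumption for this example.
HIPAA_FRAGMENT = {
    "permitted_by_164_502_a": ["is_from_coveredEntity", "permitted_by_164_502_a_1"],
    "permitted_by_164_502_a_1": ["is_phi", "permitted_by_164_502_a_1_i"],
    "permitted_by_164_502_a_1_i": [],
    "is_from_coveredEntity": [],
    "is_phi": [],
}


def unfolding_order(graph):
    """Kahn's algorithm.  Returns the leaves-first order in which the predicates
    can be unfolded into a compliance tree, or raises ValueError naming the
    predicates that sit on, or depend on, a cycle."""
    nodes = set(graph) | {m for ms in graph.values() for m in ms}
    pending = {n: set(graph.get(n, ())) for n in nodes}   # unresolved deps per node
    ready = deque(sorted(n for n, deps in pending.items() if not deps))
    order = []
    while ready:
        n = ready.popleft()
        order.append(n)
        for m, deps in pending.items():
            if n in deps:
                deps.discard(n)
                if not deps:          # all of m's dependencies are now unfolded
                    ready.append(m)
    if len(order) != len(pending):
        stuck = sorted(nodes - set(order))
        raise ValueError(f"law is not acyclic; unresolved predicates: {stuck}")
    return order


def is_acyclic(graph):
    try:
        unfolding_order(graph)
        return True
    except ValueError:
        return False


# Constructed cyclic variant: a base predicate refers back to the top clause.
CYCLIC_FRAGMENT = dict(HIPAA_FRAGMENT, is_phi=["permitted_by_164_502_a"])

if __name__ == "__main__":
    print(unfolding_order(HIPAA_FRAGMENT))
    print("cyclic variant acyclic?", is_acyclic(CYCLIC_FRAGMENT))
```

The order returned is the order in which a compliance tree can be built bottom-up; a cycle means some clause can only be decided in terms of itself, so no finite tree exists and the tool should refuse rather than silently truncate the unfolding.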
Page 5
Compliance Tree of an Acyclic Law
The tree on the slide expands compliantWithALaw(A) through AND, OR and NOT nodes as follows:
compliantWithALaw(A) = permittedBySomeClause(A) AND NOT forbiddenBySomeClause(A)
permittedBySomeClause(A) = permittedByC1(A) OR … OR permittedByCm(A)
permittedByCi(A) = coveredByCi(A) AND satisfiesCi(A) AND permittedBySomeRefOfClause_i(A)
permittedBySomeRefOfClause_i(A) = permittedByClauseRef_i,1(A) OR … OR permittedByClauseRef_i,N(A)
forbiddenBySomeClause(A) = forbiddenByC1(A) OR … OR forbiddenByCm(A)
forbiddenByCi(A) = coveredByCi(A) AND NOT satisfiesCi(A)
Page 6
Algorithm to Generate Exemplary Cases for an Acyclic Privacy Law
I. Construct the compliance tree for the acyclic law
II. Normalize it (push NOT operators to the bottom) using De Morgan's laws and Boolean algebra
III. Construct the search trees
IV. For each search tree, add an exemplary case instance to the model that satisfies all the nodes in the tree
Page 7
A Search Tree to Generate an Exemplary Case
After normalization, one search tree for a compliant case keeps a single branch under each OR node and every branch under each AND node; the tree on the slide:
compliantWithALaw(A) = permittedBySomeClause(A) AND notForbiddenByAnyClause(A)
permittedBySomeClause(A): chosen branch permittedByC1(A) = coveredByC1(A) AND satisfiesC1(A) AND permittedBySomeRefOfC1(A)
permittedBySomeRefOfC1(A): chosen branch permittedByClauseRef_I,J(A)
notForbiddenByAnyClause(A) = notForbiddenByC1(A) AND … AND notForbiddenByCm(A)
notForbiddenByCm(A): chosen branch notCoveredByCm(A)
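Steps I to IV of the algorithm on pages 5 to 7, carried out end to end, as an added example (not the project's code): the compliance tree is built from a clause list in the shape the page gives, normalized by pushing NOT to the leaves, expanded into search trees, and each search tree turned into an exemplary case. The toy law (two clauses, one referencing two other clauses and one referencing one) and the choice of defaulting unconstrained predicates to False are assumptions made for the example; the page does not fix these details. Running the same construction on NOT(law) yields the exemplary non-compliant cases, so the two runs together give the finite model that characterizes the law.

```python
"""Steps I-IV of the exemplary-case algorithm run on a constructed toy law.
Added example, not the project's code."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Atom:
    name: str          # a leaf predicate such as coveredByC1(A)

@dataclass(frozen=True)
class Not:
    f: object

@dataclass(frozen=True)
class And:
    args: tuple

@dataclass(frozen=True)
class Or:
    args: tuple


def compliance_tree(clauses):
    """Step I.  clauses: list of (name, number_of_referenced_clauses)."""
    permitted, forbidden = [], []
    for name, nrefs in clauses:
        covered, satisfies = Atom(f"coveredBy{name}"), Atom(f"satisfies{name}")
        conj = [covered, satisfies]
        if nrefs:  # permittedBySomeRefOfClause: OR over the referenced clauses
            conj.append(Or(tuple(Atom(f"permittedByClauseRef_{name},{j}")
                                 for j in range(1, nrefs + 1))))
        permitted.append(And(tuple(conj)))
        forbidden.append(And((covered, Not(satisfies))))
    # compliantWithALaw = permittedBySomeClause AND NOT forbiddenBySomeClause
    return And((Or(tuple(permitted)), Not(Or(tuple(forbidden)))))


def nnf(f):
    """Step II.  Push NOT to the leaves with De Morgan's laws."""
    if isinstance(f, Atom):
        return f
    if isinstance(f, (And, Or)):
        return type(f)(tuple(nnf(a) for a in f.args))
    g = f.f  # f is Not(g)
    if isinstance(g, Atom):
        return f
    if isinstance(g, Not):
        return nnf(g.f)
    dual = Or if isinstance(g, And) else And
    return dual(tuple(nnf(Not(a)) for a in g.args))


def search_trees(f):
    """Step III.  One branch under every OR, all branches under every AND.
    Each tree is returned as the frozenset of literals (atom, truth) it fixes;
    trees that would need both p and not-p are dropped."""
    if isinstance(f, Atom):
        return [frozenset({(f.name, True)})]
    if isinstance(f, Not):  # after nnf the operand is an Atom
        return [frozenset({(f.f.name, False)})]
    if isinstance(f, Or):
        return [t for a in f.args for t in search_trees(a)]
    trees = []
    for combo in product(*(search_trees(a) for a in f.args)):
        merged = frozenset().union(*combo)
        if len({n for n, _ in merged}) == len(merged):  # consistent
            trees.append(merged)
    return trees


def atoms_of(f):
    if isinstance(f, Atom):
        return {f.name}
    if isinstance(f, Not):
        return atoms_of(f.f)
    return set().union(*(atoms_of(a) for a in f.args))


def exemplary_cases(f):
    """Step IV.  One case per search tree: the literals the tree fixes, with
    every other atom of the law defaulted to False (an assumed convention)."""
    cases = []
    for tree in search_trees(nnf(f)):
        case = dict.fromkeys(sorted(atoms_of(f)), False)
        case.update(dict(tree))
        cases.append(case)
    return cases


def evaluate(f, case):
    """Truth value of the original (un-normalized) tree under a case."""
    if isinstance(f, Atom):
        return case[f.name]
    if isinstance(f, Not):
        return not evaluate(f.f, case)
    results = (evaluate(a, case) for a in f.args)
    return all(results) if isinstance(f, And) else any(results)


# Constructed toy law: clause C1 refers to two clauses, C2 to one.
TOY_LAW = compliance_tree([("C1", 2), ("C2", 1)])

def compliant_cases():
    return exemplary_cases(TOY_LAW)

def noncompliant_cases():
    return exemplary_cases(Not(TOY_LAW))
```

For the toy law the model is finite: six compliant cases and eleven non-compliant ones over seven predicates, and every generated case evaluates the un-normalized tree to the expected value. The consistency filter in step III is what keeps a clause's forbidden branch (coveredByCi AND NOT satisfiesCi) from being combined with its permitted branch in the same case; a case generator that skips it produces contradictory "exemplary" inputs that no implementation can be tested against.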
Page 8
Finite Model for Privacy Laws
Our main results regarding the construction:
• The model for an acyclic law constructed using our algorithm is finite.
• The acyclic law can be completely characterized by its operation on the exemplary cases in the model.
Page 9
Encrypted medical data in the cloud
Diagram components: User (Credentials, Query), Hospital (EHR), Policy Engine, Attribute-based Encryption, Encrypted Medical Data stored in a cloud Database, Attribute-based Decryption.
Applications: HIE, affiliated clinics; medical research
Page 10
Attribute-Based Encryption
Diagram: data is encrypted under the public key PK with an access policy; the policy tree as laid out on the slide is OR over Doctor and AND(Nurse, ICU). Users hold secret keys SK for their attribute sets, e.g. {"Doctor", "Neurology"} and {"Nurse", "Physical Therapy"}; a key decrypts only if its attributes satisfy the ciphertext's policy.
Page 11
Extracting ABE data policy from HIPAA and hospital policy
• Policy: Action → {allow, deny}
• Action characterized by: from, about, type, consents, to, purpose, beliefs
• Data policy: SELECT rows with the given data attributes (from, about, type, consents), then PROJECT them to generate the associated ABE access policy:
{ (to, purpose, beliefs) | Policy(from, about, type, consents, to, purpose, beliefs) = Allow }
Page 12
Prototype
Page 13
Performance
Page 14
Open Issue: No direct support for parameterized roles in ABE
• Format: R(p1, p2, …, pn)
• E.g., 164.502(g)(3)(ii)(A): "… a covered entity may disclose, or provide access in accordance with §164.524 to, protected health information about an unemancipated minor to a parent, guardian, or other person acting in loco parentis;"
• Workaround: hard-code parameter values into the attribute name, e.g. inLocoParentis_Tom
• Challenges: identity silos across organizations
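The SELECT/PROJECT extraction of page 11 and the parameterized-role workaround of page 14 fit together in one piece of code, given here as an added example rather than the project's own implementation. The policy relation, the attribute names and the row contents are constructed for the example; the page specifies only the column set and the allow/deny decision. The access structure produced is a disjunction of conjunctions over attribute names, which is the form a ciphertext-policy ABE scheme takes, and the decryption check below implements only that access-structure semantics, not the cryptography.

```python
"""SELECT/PROJECT a declarative allow/deny policy into a CP-ABE access policy,
with parameterized roles flattened into attribute names.  Added example,
not the project's code."""
import re

SELECT_KEYS = ("from", "about", "type", "consents")   # describe the data
PROJECT_KEYS = ("to", "purpose", "beliefs")           # describe the recipient


def row(type_, consents, to, purpose, beliefs, decision):
    """Constructed sample row of Policy(from, about, type, consents, to, purpose, beliefs)."""
    return ({"from": "hospital", "about": "patient42", "type": type_, "consents": consents,
             "to": to, "purpose": purpose, "beliefs": beliefs}, decision)


# Constructed policy table; values are illustrative, not taken from HIPAA text.
POLICY = [
    row("phi", "none", "doctor", "treatment", "treating_physician", "allow"),
    row("phi", "none", "nurse", "treatment", "icu_staff", "allow"),
    row("phi", "none", "insurer", "billing", "claims_processor", "allow"),
    row("phi", "none", "drug_co", "marketing", "sales", "deny"),
    row("phi", "research_opt_in", "drug_co", "research", "researcher", "allow"),
    row("phi", "none", "parent", "treatment", "inLocoParentis(Tom)", "allow"),
    row("psychotherapy_notes", "none", "doctor", "treatment", "treating_physician", "deny"),
]


def attribute(key, value):
    """Page-14 workaround: bake parameter values into the attribute name, so
    beliefs = inLocoParentis(Tom) becomes the attribute beliefs_inLocoParentis_Tom."""
    return re.sub(r"[^A-Za-z0-9]+", "_", f"{key}_{value}").strip("_")


def data_policy(rows, data):
    """SELECT allow-rows whose data attributes equal `data`, PROJECT each onto the
    recipient attributes.  Result: a DNF access structure, i.e. a set of
    conjunctions, each a frozenset of attribute names."""
    missing = set(SELECT_KEYS) - set(data)
    if missing:
        raise ValueError(f"data attributes not fixed: {sorted(missing)}")
    terms = set()
    for fields, decision in rows:
        if decision == "allow" and all(fields[k] == data[k] for k in SELECT_KEYS):
            terms.add(frozenset(attribute(k, fields[k]) for k in PROJECT_KEYS))
    return terms


def policy_string(terms):
    """Render the DNF in the AND/OR form an ABE toolkit takes as a policy."""
    return " OR ".join("(" + " AND ".join(sorted(t)) + ")"
                       for t in sorted(terms, key=sorted))


def can_decrypt(terms, key_attributes):
    """CP-ABE access-structure semantics: a key decrypts iff its attribute set
    satisfies some conjunct.  An empty DNF is unsatisfiable, so nobody decrypts."""
    key = frozenset(key_attributes)
    return any(term <= key for term in terms)
```

Two consequences worth noting. A record whose projection is empty (the psychotherapy-notes row above) must be encrypted under an unsatisfiable policy or not published at all; treating an empty policy as "no restriction" would invert the law. And because parameter values are baked into attribute names, a key carrying beliefs_inLocoParentis_Tom says nothing about any other minor, which is the price of the workaround: every (role, parameter) pair becomes a distinct attribute that some authority has to issue, which is where the identity-silo problem on this slide comes from.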
Page 15
References
• Declarative Privacy Policy: Finite Models and Attribute-Based Encryption, P. E. Lam, J. C. Mitchell, A. Scedrov, et al., IHI 2012.
• Scalable Parametric Verification of Secure Systems: How to Verify Reference Monitors without Worrying about Data Structure Size, J. Franklin, S. Chaki, A. Datta, A. Seshadri, Proceedings of the 31st IEEE Symposium on Security and Privacy, May 2010.
• A Formalization of HIPAA for a Medical Messaging System, P. E. Lam, J. C. Mitchell, and S. Sundaram, TrustBus 2009.
• Privacy and Contextual Integrity: Framework and Applications, A. Barth, A. Datta, J. C. Mitchell, and H. Nissenbaum, Proceedings of the 27th IEEE Symposium on Security and Privacy, May 2006.
• Healthcare privacy project source code: http://github.com/healthcareprivacy
• Demo (under construction): http://crypto.stanford.edu/privacy/HIPAA/
Page 16
Backup slides