Protecting Personal Data in an IoT Network with UMA

A Patient Centric use case

Domenico Catalano, Oracle Italy

Maciej Machulak, Cloud Identity Limited

Kantara Initiative Workshop, 3rd Nov. 2014 - Dublin


Page 2

Agenda

• Personal Data in an IoT Network

• Risks and Challenges about Personal Data

• UMA Approach and Use case

• Conclusion

• Q&A

Page 3

With more than seven billion people and businesses, and at least 35 billion devices, communicating, transacting, and even negotiating with each other, a new world comes into being:

The World of Digital Business

Page 4

Nike’s Digital Master

Nike’s Fuelband allows athletes to track their workouts, share their performance online, and even receive advice from digital “coaches”. Meanwhile, both social media and digital products provide Nike with rich data on customers, their activities, and their preferences.

Page 5

Risks about Personal Data

Individual

Organization

Individuals have little visibility into the practices of the organizations they are putting their trust in – until their data is breached or misused.

“Fully 78% of consumers think it is hard to trust companies when it comes to use of their personal data.”

Orange, The Future of Digital Trust, 2014

Page 6

Challenges to Mitigate Risks

Unlocking the value of Personal Data: From Collection to Usage

Protection and Security

Accountability

Right and Responsibility for using Personal Data

New approaches for decentralized and distributed network environment.

Who has data about you? Where is the data about you located?

New approaches that help individuals understand how and when data is collected.

How the data is being used and the implications of these actions.

Empower individuals more effectively and efficiently.

Context Aware

Source: World Economic Forum 2013 Report: Unlocking the Value of Personal Data: From Collection to Usage

Page 7

Personal Data Management Services

A mapping of Market

Source: World Economic Forum Report (2014): Rethinking Personal Data: A new lens for Strengthening Trust

Page 8

User-Managed Access (UMA) Concept and Terminology

UMA defines how to:

• Protect resources

• Authorize access

• Enforce policy

A centralized Authorization Server governs access based on Individual Policy.

Page 9

Ubiquitous Networking of IoT

[Figure labels: TV, PC, PDA, Vehicle, Home Electronics, Sensors, Camera, Smart Card, RFID tag, Telematics Navigation Device, Medical Device, Home Server Gateway, Mobile Device, Wearable PC; Data, Resource, Web/Application Server, Content; Object-to-Object Communication, Human-to-Human Communication, Human-to-Object Communication; Human with Attached Device, Objects; Internet]

Source: Shaping Future Service Environments with the Cloud and Internet of Things: Networking Challenges and Service Evolution

Page 10

A simplified IoT Taxonomy

Dumb Thing, Intelligence Thing, Smart Thing

Intelligence

Web-based Service

Context-awareness

End-to-End connectivity

Data handling and processing capabilities

Real-time identification and tracking of object

Network capability

Context-aware

Connecting to anything

Tag-based

Page 11

UMA for IoT Network

[Figure labels: Smart Thing, Intelligence Thing, Dumb Thing, IoT Network]

Page 12

UMA for IoT Network

A patient-centric use case

Page 13

Patient-Centric Use case

Actors and Roles

[Figure labels: Patient, Doctor, Electronic Stethoscope, Client, RS, EHR, Patient Monitor, Client, Smart Thing, Intelligence Thing, RFID tag]

Page 14

Patient-Centric Use case

Security Domains and Goals

[Figure labels: Doctor’s Security Domain, Patient’s Security Domain, Hospital’s Security Domain, Heartbeats data, Control and authorize data sharing, EHR, Resource Owner, Resource Owner, Requesting Party, Prevent unauthorized object connection]

Page 15

Patient-Centric scenario

UMA Features

• Resource Protection

• Authorization

• Patient Consent

Page 16

Resource Protection

UMA Dynamic Registration

OAuth 2.0 Dynamic Client Registration Protocol

[Figure labels: Electronic Stethoscope, IoT Network, Patient Monitor, RFID tag, UMA Personal Authorization Server, Day Hospital Request, Patient Registration, Secret, Department, Doctor’s team, sw_stmt]

Page 17

UMA as Authorization Mechanism for IoT

Page 18

Authorization Flow

Authentication and Authorization in Constrained Environment (ACE)

[Figure labels: Resource Server, Intelligence Thing, UMA Authorization Server, AuthN Manager, Authentication and Authorization, Department, Doctor’s team, Policy, Doctor, Patient]

http://tools.ietf.org/pdf/draft-gerdes-ace-actors-01.pdf

Page 19

Authorization Flow

Revealing Electronic Stethoscope

Pairing with Electronic Stethoscope

Authorization Requested…

Page 20

Authorization Flow

Authentication and Authorization

National Healthcare System Authentication Process

Fingerprint

Page 21

Creating a Protected Resource

Patient’s Data Association

Electronic Stethoscope Data Uploading

Page 22

New Protected Resource

Patient Notification

Personal UMA AS: Heartbeat data added as protected resource

View

Close

Patient

Page 23

EHR Client Access and Patient Consent

UMA Flow

PAT: Permission Access Token

AAT: Authorization Access Token

RPT: Requesting Party Token

EHR: Electronic Healthcare Record

[Figure labels: Heartbeats data; Patient (Resource Owner); Authorization Server; Authorization API; Protection API; EHR System (UMA Client); Patient Monitor (RS); IdP/Claim Provider; Requesting Party; Claim Client; manage; Consent; PAT; RPT; AAT; Protect with PAT; Access with RPT; Client redirects the Requesting Party to AS; Authenticate; Request UserInfo]

Page 24

Patient-Centric Platform

Healthcare Patient Platform

My Team, My Day, My Health Data

Main Doctor: Dr. Alan Smith, Cardiologists

Dr. Peter Doole, Radiologist

Dr. Alice Gale, Hematologist

8.00-9.00 Cardio Therapy

12.00 Lunch

Add more

About Me

Heartbeats

X-Ray

Electro CardioGraph

Mrs. Mary Davidson, 72

Chat with a doctor

Ask

Share my data

Who has data about me

My Consent

Page 25

Patient-Centric Platform

Healthcare Patient Platform

Who has data about me: X-ray

< Back

Research

X-Ray

Medical Doctor

Radiology Department

Diagnostic research

Biomedical

Saint James Hospital

X-RAY Specialists

X-Ray Operators

Peter Doole

LifeScience Hospital

Healthdata

Alice Gale

Hospitals

Page 26

Advantages of UMA Approach

Applicable to constrained resources, different nature of things, data and owners.

Designed for centralising the Authorization process for distributed resources.

Developed to meet the Privacy By Design principles.

Page 27

UMA for Patient-Centric Scenario

Benefits

• Improve Patient-centric Experience.

• Prevent medical errors through authorization processes.

• Empower Patients on controlling their Personal data (healthcare data).

Page 28

Future Works

• Inheriting Data sharing policy

• Delegation with Notification

Page 29

In the News

https://kantarainitiative.org/uma-takes-home-award-from-eic-2014/

Page 30

References

• User-Managed Access (UMA) Core Protocol

• OAuth 2.0 Dynamic Client Registration Protocol

• Securing Internet of Things

• Actors in the ACE Architecture

• Rethinking Personal Data: A New Lens for Strengthening Trust

Acknowledgements

• Eve Maler (Chair UMA WG), Adrian Gropper (HealthURL), George Fletcher (AOL)

• UMA Work Group