Post on 21-Dec-2015
Feb.2000 TIHI/SAW/TID 1
Security Mediation To Protect Healthcare Information Privacy in Collaborative Settings
Gio Wiederhold, PI, Michel Bilello, James Z. Wang.
past: Jahnavi Akella, Andrea Chavez, Chris Donahue,
Vatsala Sarathy, Latanya Sweeney, Yan Tan.
Stanford University
TIHI, SAW support under subcontract to SRI International
TID supported under NSF Digital Libraries II
Gio Wiederhold TIHI/Saw 97
Overview
Security and Privacy when Collaborating
• Background and Current State
• Unaddressed Problem
• Security Mediator Solution
• Examples, including prior work
• Current work
• Demo and Questions
Security: protection and assurance
Crucial progress in protection is being made:
Remote transmission authentication and firewalls around domains protect against enemies.
Much research based on Cryptography
Dominant approach
• Authenticate customer
• Validate query against database schema
• If both ok, process query and ship results
[Diagram: the customer's query passes authentication and the firewall to the database access & authorization agent, which queries the source and returns the result to the customer]
However, the world is more complex
[Diagram: enemies, hackers, and the Internet outside the firewall]
Simple View of Protection: Prohibit access.
Collaboration Needs:
• Medical Records for Medical Researchers
• Manufacturer's Specs for Subcontractor
• Intelligence Data for Front-line soldier
• Medical Records for Insurance Company
False Assumption
Data in the files of an enterprise is organized according to external access rights.
Inefficient and risky for an enterprise which uses information mainly internally.
Some Failure modes
Collaborator has legitimate access
• Unintentionally obtains wrong data
• Can gain broader access than intended
Internal user ships improper data out
• Fails to understand release constraints
• Some data were misfiled
• Coverage of releasable and non-releasable data overlaps
• Anonymity process fails
• Data replaced (credit card nos instead of MP3)
• Backup to insecure site (Deutsch)
• Shows friend neat stuff (Los Alamos scientist?)
Access Patterns versus Data:
[Diagram labels: Laboratory, Billing, Patient, Accounting, Physician, Insurance Carriers, Clinics, Laboratory staff, Ward staff, Medical Research, Pharmacy, Inpatient, Etc., Accreditation, CDC]
Expected Problems (Healthcare)
• Query cannot specify object precisely: relevant history for low-weight births (helpful database gets extra stuff)
• Objects (N) are not organized according to all possible access classifications (a) = (Na): patients with heart problems, but not HIV
• Some objects cover multiple classes: patient with stroke and HIV
• Some objects are misfiled (happens easily to others), costly/impossible to guarantee avoidance: psychiatric data in patient with alcoholism
Securing the Gap
[Diagram: query in, result out through the firewall]
Check the content of the result before it leaves the firewall.
Security mediator: human & software agent module.
Overall Schematic
[Diagram: Customer on the Internet, Firewall, Security Officer's Mediator, Database]
Security Mediator
• Software module, intermediate between "customers" and databases within firewall
• Resides on the security officer's machine (may have to be multi-level secure); accessed via firewall protection by customers
• Under control of security officer,via simple security-specific rules
• Performs bidirectional screening (queries and results)
Security Officer
• Profile
– Human responsible for database security/privacy policies
– Must balance data availability vs. data security/privacy
• Tasks (current)
– Advises staff on how to try to follow policy
– Investigates violations to find & correct staff failures
– Has currently no tools
• Tasks (with mediators)
– Defines and enters policy rules in security mediator
– Monitors exceptions, especially violations
– Monitors operation, to obtain feedback for improvements
Security officer screen
Example: Mediation for Privacy
Public Health Application
• Needs valid statistical data
• No access to private data
Security Mediator
• Owned by hospital security officer
• Screens query and result
• Default is manual operation
• Evolves by adding rules
Physicians' Databases
• Valuable resources
• Need to be aggregated for significance
[Diagram: CDC sends a source query to the Security Mediator, which forwards a certified query to the Private Patient Data; the unfiltered result returns to the mediator, which releases a certified result to CDC and writes Logs]
Patient Screen
part of Patient result
Software Components
• Rule interpreter
• Primitives to support rule execution
• Rule maintenance tools
• Log analysis tool
• Firewall interface
• Domain database interface
• Logger
(grouped into service, support, and maintenance components)
Primitives
Selected by rule for various clique roles
• Preprocess drawings or images
• Allow / disallow values
• Allow / disallow value ranges
• Limit results to approved vocabulary
• Disallow output containing bad words
• Limit output to times, places
• Limit number of queries per period
• Etc.
Protecting Privacy in Medical Images
Wavelet-based Filtering
[Figure: Original Image with Patient Identity → Locate Text → Analyze Text → Remove Nonreleasable Text → Filtered Image; the textual information is checked before the image leaves the Patient Data System for the Internet]
Primitives for Content Check
• Good Word List for Text
– domain specific to increase precision and reliability
– created by processing good documents
– any word not in list shown to SO with context
• Bad Word List (optional)
– not reliable (misspellings, accidental or intentional)
– no increase in efficiency given good-word-list processing
– triggers special-case rules
• Image data (current research)
– extract text and analyze as above
– recognize objectionable images by sketch or color
Roles
• Security officer manages security policy, not a computer specialist or database administrator.
• Computer specialist provides the tools: an agent workstation program for security mediation
• Healthcare institution defines policies; its security officer uses the program as the tool
• Tool provides logging for
– system improvements
– audit trail
– accountability
• Formalizes ad-hoc practices
Rule system
• Optional: without rules every interaction goes to the security officer (in & out)
• Creates efficiency: routine requests will be covered by rules: 80% instances / 20% types
• Assures Security officer of control: rules can be incrementally added / deleted / analyzed
• Primitives simplify rule specification: source, transmit date/time, prior request, ...
Primitives get data for Rules
• Requestor roles
• Data names requested and values returned
– dates
– value ranges
– textual contents: positive / negative
– special indicators: employment, … [Scrub ..]
• Size of base leading to a statistical result
• Time and place of request & destination
• Interaction history: frequency, overlaps, . . .
• Measure of Risk: [Datafly]
• more . . . .
Disallowed result
Security officer reaction
Choices:
1. Reject result
2. Edit result
3. Pass result (& update the list of good-words, making approval persistent)
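The following is an added illustration, not code from the TIHI project, of the mediator behaviour described on the Primitives, Content Check, Rule system and Security officer reaction slides: a queries-per-period rule on the way in, a value-range primitive plus the good-word list on the way out, referral of anything a rule does not cover to the security officer with context, and the officer's reject/edit/pass choice, where passing adds the words to the good-word list so the approval persists. The class, its method names and the sample vocabulary are assumptions made for the example.

```python
import re
from collections import defaultdict

WORD = re.compile(r"[A-Za-z0-9']+")

class SecurityMediator:
    """Rule-based gateway at the firewall (assumed, simplified design): screens
    queries in and results out; anything no rule covers goes to the SO."""

    def __init__(self, good_words, allowed_ranges, max_queries_per_period):
        self.good_words = {w.lower() for w in good_words}   # domain good-word list
        self.allowed_ranges = allowed_ranges  # field -> (low, high): value-range primitive
        self.max_queries = max_queries_per_period  # queries-per-period primitive
        self.query_counts = defaultdict(int)
        self.log = []  # audit trail: every decision, for SO review and rule tuning

    def screen_query(self, requestor):
        """Inbound rule: reject a requestor that exceeds its per-period quota."""
        self.query_counts[requestor] += 1
        ok = self.query_counts[requestor] <= self.max_queries
        self.log.append((requestor, "query", "pass" if ok else "reject"))
        return ok

    def screen_result(self, requestor, fields, text):
        """Outbound rule: values must lie in their allowed ranges and every word must
        be on the good-word list; otherwise refer the result to the SO with context."""
        problems = []
        for name, (low, high) in self.allowed_ranges.items():
            if name in fields and not low <= fields[name] <= high:
                problems.append(f"{name}={fields[name]} outside [{low}, {high}]")
        words = WORD.findall(text)
        for i, w in enumerate(words):
            if w.lower() not in self.good_words:
                context = " ".join(words[max(0, i - 2):i + 3])
                problems.append(f"unknown word {w!r} in: ...{context}...")
        action = "pass" if not problems else "refer"
        self.log.append((requestor, "result", action, tuple(problems)))
        return action, problems

    def officer_decision(self, requestor, text, choice, edited=None):
        """SO reaction to a referred result: 'reject', 'edit' (release the edited
        text) or 'pass'. Passing adds the text's words to the good-word list, so
        the approval persists and the same vocabulary is not referred again."""
        self.log.append((requestor, "officer", choice))
        if choice == "reject":
            return None
        if choice == "pass":
            self.good_words.update(w.lower() for w in WORD.findall(text))
            return text
        return edited
```

The good-word list here is built from approved vocabulary only, so a misspelled or unexpected word is always referred rather than silently released, which is the property the slides prefer over a bad-word list.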
Rules implement policy
• Tight security policy:
– simple rules
– many requests/responses referred to security officer
– much information output denied by security officer
– low risk
– poor public and community physician relations
• Liberal but careful security policy:
– complex rules
– few requests/responses referred to security officer
– of remainder, much information output denied by security officer
– low risk
– good public and community physician relations
• Sloppy security policy:
– simple rules
– few requests/responses referred to security officer
– little information output denied by security officer
– high risk
– unpredictable public and community physician relations
Coverage of Access Paths
[Diagram labels: Database; DB schema-based control; Authentication-based control (good/bad); Security officer; Database administrator; performance, function requests; security needs; result is likely ok; validated to be ok; ancillary information; prior use; Security Mediator; good guy; good query; processable query; history; ok]
A mediator is not just static software
Software & People
[Diagram: Application Interface and Resource Interfaces around the mediator's models, programs, rules, caches, . . .; roles: Owner/Creator, Maintainer, Lessor - Seller, Advertiser; drivers: changes of user needs, domain changes, resource changes]
Agent System Differences: DBA / SO
DBA agent:
• Be helpful to customer
• Tell cust. re problems, query may be fixed
• Exploit DB meta-data
• Isolate transactions
• Ship result to customer
SO agent:
• Be helpful to security off.
• Tell sec. off. re problems, sec. off. may contact cust.
• Exploit customer inform.
• Use history of usage
• Ship result to sec. off. with result description (source, cardinality)
Finding: the differences are greater than we imagined initially
Security Mediator Benefits
• Dedicated to security task (may be multi-level secure)
• Uses only its rules and relevant function, all directly, avoids interaction with DB views and procedures
• Maintained by responsible authority: the security officer
• Policy setting independent of database(s) and DBA(s)
• Logs just those transactions that penetrate the firewall, records attempted violations independent of DB logs*
• Systems behind firewall need not be multi-level secure
• Databases behind firewall need not be perfect
* also used for replication, recovery, warehousing
TIHI / SAW / TID Summary
Collaboration is an underemphasized issue beyond encrypted transmits, firewalls, passwords, authentication
There is a need for flexible, selective access to data without the risk of exposing related information in an enterprise
In TIHI service is provided by the Security Mediator: a rule-based gateway processor of queries and results under control of a security officer who implements enterprise policies
Our solution applies not only to Healthcare but equally to Collaborating (virtual) enterprises and in many Military situations.