MedVault: Ensuring Security and Privacy for Medical Data


Page 1: MedVault: Ensuring Security and Privacy for Medical Data

Mustaque Ahamad, Douglas Blough, Ling Liu, David Bauer, Apurva Mohan, Daisuke Mashima, Bhuvan Bamba, Balaji Palanisamy, Ramkumar Krishnan, Italo Dacosta

http://medvault.gtisc.gatech.edu/

Page 2: Overall Goal

To develop new techniques for the storage, maintenance, and control of sensitive data that permit open sharing among a wide variety of legitimate users while protecting the data against unauthorized use and disclosure.

Key Research Contributions

• Source-verifiability of medical data.
• Privacy-conscious data sharing.
• Attribute-based authorization to access EMR.
• Monitoring EMR data release and usage.

Page 3: Source Verifiable PHR Repository

[Architecture diagram; labels recovered from the slide:]
• EMR sources uploading data: Hospital, Lab, Personal Devices
• Patient’s trust domain: Patient’s Agent, Attribute-based Policy Engine, Patient’s Policy, Requester’s Attributes
• Requester, Requester’s Agent, Attribute Providers
• Message flows: Request, Attribute List; Fetch Attributes; Evaluate Policy; Decision; Fetch Records

Page 4: Minimal Disclosure Credentials

[Diagram; labels recovered from the slide: Identity Provider → Credential → User/Owner → Partial Credential → Network → Relying Parties]

David Bauer, Douglas M. Blough, David Cash, “Minimal information disclosure with efficiently verifiable credentials”, 2008.

Page 5: Minimal Disclosure using Merkle Hash Trees

• Start with a PKI certificate.
• Replace the flat identity in the certificate with the root hash of a Merkle hash tree of claims.

[Diagram: a Merkle hash tree. Each leaf is a claim hashed as H(C); each internal node is H(L,R) of its left and right children; the top node is the Root.]
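As an added illustration (not code from the MedVault project), the following Python builds the claim tree shown above, lets the user disclose one claim together with the sibling hashes as a partial credential, and lets a relying party verify it against the root carried in the certificate. The claim strings and the leaf/node domain-separation prefixes are assumptions.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample claims; a real credential would carry attributes issued by the identity provider.
CLAIMS = ["name=Alice Example", "dob=1980-01-01", "role=physician", "license=GA-000000"]

def h_claim(claim: str) -> bytes:
    """Leaf hash H(C); the 0x00 prefix keeps leaves and inner nodes from being confused."""
    return hashlib.sha256(b"\x00" + claim.encode()).digest()

def h_node(left: bytes, right: bytes) -> bytes:
    """Inner node hash H(L,R)."""
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_tree(claims: List[str]) -> List[List[bytes]]:
    """Return the tree level by level, leaves first (claim count must be a power of two)."""
    level = [h_claim(c) for c in claims]
    levels = [level]
    while len(level) > 1:
        level = [h_node(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def certificate_root(claims: List[str]) -> bytes:
    """The value that replaces the flat identity in the signed PKI certificate."""
    return build_tree(claims)[-1][0]

Path = List[Tuple[int, bytes]]  # per level: (1 if the node is a right child, sibling hash)

def partial_credential(claims: List[str], reveal: List[int]) -> Dict[int, Tuple[str, Path]]:
    """Disclose only the chosen claims plus the sibling hashes needed to recompute the root."""
    levels = build_tree(claims)
    disclosed = {}
    for idx in reveal:
        path, pos = [], idx
        for level in levels[:-1]:
            path.append((pos & 1, level[pos ^ 1]))
            pos //= 2
        disclosed[idx] = (claims[idx], path)
    return disclosed

def verify_claim(root: bytes, claim: str, path: Path) -> bool:
    """Relying party check: rebuild the root from one claim and its path, compare to the cert."""
    node = h_claim(claim)
    for is_right, sibling in path:
        node = h_node(sibling, node) if is_right else h_node(node, sibling)
    return node == root
```

The undisclosed claims never leave the user: the relying party sees only the revealed claim, two hashes and the certificate root.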

Page 6: Patient’s Policy

• <Resource Id = Chronic Conditions> <Some Combination of Attributes> <Action = Permit>
• <Resource Id = Chronic Conditions> <Other Combination of Attributes> <Action = Deny>
• <Resource Id = Prescriptions> <Some Combination of Attributes> <Action = Permit>
• <Resource Id = Others> <Some Combination of Attributes> <Action = Permit>

[Diagram: PHR Repository partitioned into Chronic Conditions, Prescriptions and Others, together with the Patient’s Agent.]

Page 7: Examples of policies on viewing a patient’s record

1. A doctor can see the whole record.
2. An EMT that has been dispatched to an incident involving a patient can see a subset of the patient’s record.
3. Any EMT within 1 mile of the incident can see a subset of the record.
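An added example (not the project’s policy engine) that encodes the three policies above as rules of the form <Resource Id> <attribute condition> <Action> over the three PHR partitions from the previous slide, and evaluates them against a requester’s attributes. The rule order, default deny, the subset each EMT rule exposes and the attribute names are assumptions.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Callable, List

RESOURCES = ("Chronic Conditions", "Prescriptions", "Others")  # PHR repository partitions

@dataclass
class Rule:
    resource: str                        # Resource Id, or "*" for the whole record
    condition: Callable[[dict], bool]    # the "combination of attributes"
    action: str                          # "Permit" or "Deny"

def miles_between(a, b) -> float:
    """Great-circle distance in miles between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 3958.8 * asin(sqrt(h))

def dispatched_emt(a: dict) -> bool:
    """Policy 2: an EMT dispatched to the incident that involves this patient."""
    d = a.get("dispatched_to")
    return a.get("role") == "EMT" and d is not None and d == a.get("incident_id")

def emt_within_one_mile(a: dict) -> bool:
    """Policy 3: any EMT whose attested location is within 1 mile of the incident."""
    return (a.get("role") == "EMT" and "location" in a and "incident_location" in a
            and miles_between(a["location"], a["incident_location"]) <= 1.0)

# Consulted in order: the first matching rule decides; a resource with no match is denied.
PATIENT_POLICY: List[Rule] = [
    Rule("*", lambda a: a.get("role") == "Doctor", "Permit"),        # policy 1
    Rule("Chronic Conditions", dispatched_emt, "Permit"),            # policy 2
    Rule("Prescriptions", dispatched_emt, "Permit"),                 # policy 2
    Rule("Chronic Conditions", emt_within_one_mile, "Permit"),       # policy 3
    Rule("Others", lambda a: a.get("role") == "EMT", "Deny"),        # explicit deny
]

def decide(policy: List[Rule], resource: str, attrs: dict) -> str:
    for rule in policy:
        if rule.resource in ("*", resource) and rule.condition(attrs):
            return rule.action
    return "Deny"

def visible_record(policy: List[Rule], attrs: dict) -> List[str]:
    return [r for r in RESOURCES if decide(policy, r, attrs) == "Permit"]

# Constructed requester attributes, merged with incident context from the patient's agent.
DOCTOR = {"role": "Doctor"}
EMT_DISPATCHED = {"role": "EMT", "dispatched_to": "INC-42", "incident_id": "INC-42"}
EMT_NEARBY = {"role": "EMT", "location": (33.7756, -84.3963), "incident_location": (33.7800, -84.3963)}
```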

Page 8: MedVault : Ensuring Security and Privacy for Medical Data

Apurva Mohan, David Bauer, Douglas M. Blough, Apurva Mohan, David Bauer, Douglas M. Blough, Mustaque Ahamad, Bhuvan Bamba, Ramkumar Mustaque Ahamad, Bhuvan Bamba, Ramkumar

Krishnan, Ling Liu, Daisuke Mashima, Balaji Krishnan, Ling Liu, Daisuke Mashima, Balaji Palanisamy,Palanisamy,

“A Patient-centric, Attribute-based, Source-“A Patient-centric, Attribute-based, Source-verifiable Framework for Health Record verifiable Framework for Health Record

Sharing”, Sharing”,

Technical Report No. GIT-CERCS-09-11,Technical Report No. GIT-CERCS-09-11, 2009.2009.

http://www.cercs.gatech.edu/tech-reports/tr2009/abstracts/11.html

Page 9: Protecting E-healthcare Client Devices against Malware and Physical Theft

(Position Paper to appear at USENIX HealthSec ’10)

Daisuke Mashima, Abhinav Srivastava, Jonathon Giffin, Mustaque Ahamad

Georgia Institute of Technology

Page 10: Typical Architecture

[Diagram; labels recovered from the slide: EMR Request, EMR, User Authentication, Access Control]

• Access control/authentication at EMR repositories is often insufficient.
  – What if client devices are compromised?

Page 11: Threats against Client Devices

• Malware
  – Compromise of identity credentials (key loggers, etc.)
  – Disclosure of sensitive medical data (botnets, etc.)
• Physical theft of devices
  – Misuse of devices to abuse the e-healthcare system

Page 12: Approach

• Establishing a trusted domain on client devices by using virtualization technologies
  – Secure execution environment
  – Secure storage
  – Other security features that are tamper-resistant
• Eliminating a single point of attack
  – Threshold signature scheme
  – Augmentation by introducing an “Authority” and an “Online Monitoring System”

Page 13: System Overview

Page 14: (Brief) Security Analysis

• Compromise of User VM by Malware
  – Credentials and module integrity are protected.
  – Tamper-resistant FW prevents information disclosure.
• Physical Theft
  – A compromised device cannot initiate a valid request without involving the monitoring agent.
  – Revocation can be done by updating key shares on the monitoring system and authority.
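An added example, not the project’s code, showing why a stolen device cannot act alone and how updating the other parties’ key shares revokes it. It uses Shamir secret sharing of a signing key over a prime field as a stand-in for the threshold signature scheme, and assumes a 2-of-3 split between the device, the authority and the online monitoring system.

```python
import secrets

P = 2**127 - 1  # prime field for the toy scheme (a Mersenne prime)
DEVICE, AUTHORITY, MONITOR = 1, 2, 3  # share indexes of the three parties (assumed roles)

def _eval_poly(coeffs, x):
    """Horner evaluation of the sharing polynomial modulo P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def split_key(key: int, n: int = 3, t: int = 2) -> dict:
    """Shamir split: any t of the n shares recover `key`; fewer reveal nothing about it."""
    coeffs = [key % P] + [secrets.randbelow(P) for _ in range(t - 1)]
    return {x: _eval_poly(coeffs, x) for x in range(1, n + 1)}

def recover(shares: dict) -> int:
    """Lagrange interpolation at x = 0 over {x: y} shares (a real threshold-signature scheme
    would combine partial signatures instead, so the key is never assembled in one place)."""
    result = 0
    for xi, yi in shares.items():
        num, den = 1, 1
        for xj in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        result = (result + yi * num * pow(den, -1, P)) % P
    return result

def authorize_request(key: int, presented: dict) -> bool:
    """A request is valid only if the presented shares reconstruct the user's signing key."""
    return recover(presented) == key

def revoke_device(key: int, shares: dict) -> tuple:
    """Revocation after theft: re-share the same key with a fresh polynomial and push the new
    shares to the authority and the monitoring system only. The stolen device keeps its old
    share, which no longer lies on the new polynomial, so it cannot complete any request.
    Returns the parties' shares after revocation and the share for a replacement device."""
    fresh = split_key(key)
    return {DEVICE: shares[DEVICE], AUTHORITY: fresh[AUTHORITY], MONITOR: fresh[MONITOR]}, fresh[DEVICE]

# Constructed example: a user's signing key provisioned across device, authority and monitor.
USER_KEY = secrets.randbelow(P)
SHARES = split_key(USER_KEY)
```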

Page 15: Thank you very much.

• Reference
  – MedVault Project: http://medvault.gtisc.gatech.edu, Douglas Blough et al.
  – VM Wall: “Tamper-resistant, Application-aware Blocking of Malicious Network Connections”, Srivastava et al., RAID 2008
  – User-centric Identity-usage Monitoring System: “User-centric Handling of Identity Agent Compromise”, Mashima et al., ESORICS 2009