Declarative Privacy Policy: Finite Models and Attribute-Based Encryption
November 2nd, 2011
Healthcare Privacy Problem
Data is needed for treatment: electronic records and health information exchange (HIE) can improve care and reduce costs. Most patients seen in an emergency room were treated in an unaffiliated hospital in the last six months.
Patient access is important: it is required by law; diabetics can enter glucose data and improve their treatment; personal health devices (blood pressure monitors, Zeo, Fitbit, Withings) generate data.
[Figure: data flows among Patient, Doctor, Insurance, Electronic Record, Patient Portal, Drug Co. and HIE]
Goals: quality care, HIPAA compliance, patient privacy.
Privacy requirements: HIPAA law mandates privacy; hospitals add their own policy; the insurer needs data for billing but should not deny coverage based on correlated factors.
Privacy theory automated compliance
Finite Model for HIPAA
Dependency graph and acyclicity of the privacy law. Question: can we capture the behavior of an acyclic law by its operation on a finite set of exemplary use cases? Exemplary cases can be used for training and education, and for testing and debugging compliance software.
[Figure: dependency graph with nodes permitted_by_164_502_a(A), is_from_coveredEntity(A), permitted_by_164_502_a_1(A), is_phi(A), permitted_by_164_502_a_1_i(A); the predicate for a clause depends on the predicates of the sub-clauses it references]
Compliance Tree of an Acyclic Law
compliantWithALaw(A) = permittedBySomeClause(A) AND NOT forbiddenBySomeClause(A)
permittedBySomeClause(A) = permittedBy C1(A) OR ... OR permittedBy Cm(A)
permittedBy C1(A) = coveredBy C1(A) AND satisfies C1(A) AND permittedBySomeRefOfClause1(A)
permittedBySomeRefOfClause1(A) = permittedByClauseRef_1,1(A) OR ... OR permittedByClauseRef_1,N(A)
forbiddenBySomeClause(A) = forbiddenBy C1(A) OR ... OR forbiddenBy Cm(A)
forbiddenBy Cm(A) = coveredBy Cm(A) AND NOT satisfies Cm(A)
Algorithm to Generate Exemplary Cases for an Acyclic Privacy Law
I. Construct the compliance tree for the acyclic law.
II. Normalize it (push NOT operators to the bottom) using De Morgan's laws and Boolean algebra.
III. Construct the search trees.
IV. For each search tree, add to the model an exemplary case instance that satisfies all the nodes in the tree.
A Search Tree to Generate an Exemplary Case
compliantWithALaw(A) = permittedBySomeClause(A) AND notForbiddenByAnyClause(A)
One permitting branch is chosen: permittedBy C1(A) = coveredBy C1(A) AND satisfies C1(A) AND permittedBySomeRefOfC1(A), where permittedBySomeRefOfC1(A) is discharged by one chosen reference permittedByClauseRef_I,J(A)
notForbiddenByAnyClause(A) = notForbiddenBy C1(A) AND ... AND notForbiddenBy Cm(A)
Each notForbiddenBy Cm(A) is discharged by one of its alternatives, e.g. notCoveredBy Cm(A)
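The four steps above, carried out in code. This is an added example, not the authors' implementation: clause structure is reduced to a coveredBy predicate, a satisfies predicate and a list of referenced clauses (names such as is_from_coveredEntity and the toy law HIPAA_TOY are constructed for illustration), and a predicate that a search tree does not mention is set to false in the generated case.

```python
"""Added example: exemplary-case generation for an acyclic law.

A formula is a nested tuple:
  ("var", name) | ("not", f) | ("and", [f, ...]) | ("or", [f, ...])
A law is a dict: clause -> (coveredBy predicate, satisfies predicate, refs).
This clause shape is a modelling assumption of the example.
"""
from itertools import product


def permitted_by(clause, law):
    """permittedBy C(A) = coveredBy C(A) AND satisfies C(A) AND
    permittedBySomeRefOfC(A); the last conjunct is dropped when C has no
    references. The recursion terminates because the law is acyclic."""
    cov, sat, refs = law[clause]
    parts = [("var", cov), ("var", sat)]
    if refs:
        parts.append(("or", [permitted_by(r, law) for r in refs]))
    return ("and", parts)


def forbidden_by(clause, law):
    """forbiddenBy C(A) = coveredBy C(A) AND NOT satisfies C(A)."""
    cov, sat, _ = law[clause]
    return ("and", [("var", cov), ("not", ("var", sat))])


def compliance_tree(law):
    """Step I: compliantWithALaw(A) =
    permittedBySomeClause(A) AND NOT forbiddenBySomeClause(A)."""
    return ("and", [
        ("or", [permitted_by(c, law) for c in law]),
        ("not", ("or", [forbidden_by(c, law) for c in law])),
    ])


def normalize(f):
    """Step II: push every NOT down to a predicate (De Morgan, NOT NOT x = x)."""
    kind = f[0]
    if kind == "var":
        return f
    if kind in ("and", "or"):
        return (kind, [normalize(g) for g in f[1]])
    g = f[1]                                  # kind == "not"
    if g[0] == "var":
        return f
    if g[0] == "not":
        return normalize(g[1])
    dual = "or" if g[0] == "and" else "and"
    return (dual, [normalize(("not", h)) for h in g[1]])


def search_trees(f):
    """Step III: a search tree is a consistent set of literals
    (predicate, truth value) that forces the normalized formula true.
    One choice is made at every OR; all branches are kept at every AND."""
    def dnf(g):
        if g[0] == "var":
            return [frozenset([(g[1], True)])]
        if g[0] == "not":                     # operand is a var after normalize()
            return [frozenset([(g[1][1], False)])]
        if g[0] == "or":
            return [t for h in g[1] for t in dnf(h)]
        trees = [frozenset()]
        for h in g[1]:
            trees = [a | b for a, b in product(trees, dnf(h))]
        return trees
    consistent = set()
    for t in dnf(f):
        names = [n for n, _ in t]
        if len(names) == len(set(names)):     # drop trees containing x AND NOT x
            consistent.add(t)
    return sorted(consistent, key=sorted)


def exemplary_cases(law):
    """Step IV: one case per search tree. Predicates the tree does not
    mention default to False (assumption of this example)."""
    preds = sorted({p for cov, sat, _ in law.values() for p in (cov, sat)})
    cases = []
    for tree in search_trees(normalize(compliance_tree(law))):
        case = {p: False for p in preds}
        case.update(dict(tree))
        cases.append(case)
    return cases


def evaluate(f, case):
    """Evaluate any formula (normalized or not) on a case."""
    if f[0] == "var":
        return case[f[1]]
    if f[0] == "not":
        return not evaluate(f[1], case)
    vals = [evaluate(g, case) for g in f[1]]
    return all(vals) if f[0] == "and" else any(vals)


# Constructed toy law shaped like the HIPAA dependency graph above:
# 164.502(a) refers to 164.502(a)(1), which refers to 164.502(a)(1)(i).
HIPAA_TOY = {
    "164_502_a":     ("is_from_coveredEntity", "satisfies_164_502_a",     ["164_502_a_1"]),
    "164_502_a_1":   ("is_phi",                "satisfies_164_502_a_1",   ["164_502_a_1_i"]),
    "164_502_a_1_i": ("is_treatment",          "satisfies_164_502_a_1_i", []),
}

if __name__ == "__main__":
    tree = compliance_tree(HIPAA_TOY)
    for case in exemplary_cases(HIPAA_TOY):
        assert evaluate(tree, case)
        print(sorted(p for p, v in case.items() if v))
```

The model is finite because each search tree is one set of literals over the finitely many predicates of the law, and every generated case is checked against the original (un-normalized) compliance tree, which is the test a compliance engine would have to pass on it.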
Finite Model for Privacy Laws
Our main results regarding the construction:
The model for an acyclic law constructed using our algorithm is finite.
The acyclic law can be completely characterized by its operation on the exemplary cases in the model.
[Figure: system architecture. A user at the hospital sends a query with credentials to the policy engine; the database holds encrypted medical data in the cloud; data is protected by attribute-based encryption and released to the user through attribute-based decryption. EHR applications: HIE, affiliated clinics, medical research]
Attribute-Based Encryption
[Figure: public key PK; user attributes such as "Doctor", "Neurology", "Nurse", "Physical Therapy"; an access policy tree Doctor OR (Nurse AND ICU); secret key SK]
Extracting the ABE Data Policy
Inputs: HIPAA and hospital policy.
Policy: Action -> {allow, deny}, where an Action is characterized by from, about, type, consents, to, purpose, beliefs.
Data policy: SELECT the rows with the given data attributes (from, about, type, consents), then PROJECT them to generate the associated ABE access policy:
{ (to, purpose, beliefs) | Policy(from, about, type, consents, to, purpose, beliefs) = Allow }
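The SELECT/PROJECT step above, followed by the check an ABE decryptor effectively performs against a key's attributes (the Doctor OR (Nurse AND ICU) policy of the previous slide is the same shape). This is an added example, not the project's code: the policy rows, the attribute names and the "k:v" attribute encoding are constructed for illustration, and the table is assumed to be conflict-free, so deny rows simply contribute no term.

```python
"""Added example: from a declarative policy table to an ABE access policy.

Policy rows are constructed for illustration; they are not HIPAA text.
"""
from collections import namedtuple

Action = namedtuple("Action", "frm about type consents to purpose beliefs")

# Constructed policy table: Action -> "allow" | "deny".
POLICY = [
    (Action("hospital", "patient", "labResult", "treatment",
            "Doctor", "treatment", "isTreating"), "allow"),
    (Action("hospital", "patient", "labResult", "treatment",
            "Nurse", "treatment", "inICU"), "allow"),
    (Action("hospital", "patient", "labResult", "treatment",
            "Researcher", "research", "deidentified"), "deny"),
    (Action("hospital", "patient", "psychNote", "treatment",
            "Doctor", "treatment", "isTreating"), "allow"),
]

DATA_ATTRS = ("frm", "about", "type", "consents")   # describe the data item
KEY_ATTRS = ("to", "purpose", "beliefs")            # describe the recipient


def abe_policy(policy, data):
    """SELECT rows whose data attributes equal `data` and whose decision is
    allow, then PROJECT onto (to, purpose, beliefs). The result is an
    access policy in DNF: a list of conjunctions, each a frozenset of
    attribute strings such as 'to:Doctor'."""
    terms = set()
    for action, decision in policy:
        if decision != "allow":
            continue
        if all(getattr(action, k) == data[k] for k in DATA_ATTRS):
            terms.add(frozenset(f"{k}:{getattr(action, k)}" for k in KEY_ATTRS))
    return sorted(terms, key=sorted)


def policy_string(terms):
    """Render the DNF policy as the OR-of-ANDs string handed to the encryptor."""
    return " OR ".join("(" + " AND ".join(sorted(t)) + ")" for t in terms)


def satisfies(terms, key_attrs):
    """A key whose attribute set contains every attribute of some
    conjunction satisfies the policy and can decrypt."""
    key = set(key_attrs)
    return any(t <= key for t in terms)


LAB_RESULT = {"frm": "hospital", "about": "patient",
              "type": "labResult", "consents": "treatment"}

if __name__ == "__main__":
    terms = abe_policy(POLICY, LAB_RESULT)
    print(policy_string(terms))
    print(satisfies(terms, ["to:Doctor", "purpose:treatment", "beliefs:isTreating"]))
    print(satisfies(terms, ["to:Nurse", "purpose:treatment"]))
```

Because the policy is attached to the ciphertext, a user holding only the attributes to:Nurse and purpose:treatment cannot decrypt the lab result even though a Nurse row exists; the beliefs:inICU attribute must be in the key as well, and the deny row for researchers never reaches the ciphertext at all.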
Prototype
Performance
Open Issue
No direct support for parameterized roles in ABE. Format: R(p1, p2, ..., pn).
E.g., (g)(3)(ii)(A): "... a covered entity may disclose, or provide access in accordance with § to, protected health information about an unemancipated minor to a parent, guardian, or other person acting in loco parentis;"
Workaround: hardcode parameter values into the attribute name, e.g. inLocoParentis_Tom.
Challenges: identity silos across organizations.
References
Declarative Privacy Policy: Finite Models and Attribute-Based Encryption, P.E. Lam, J.C. Mitchell, A. Scedrov, et al., IHI.
Scalable Parametric Verification of Secure Systems: How to Verify Reference Monitors without Worrying about Data Structure Size, J. Franklin, S. Chaki, A. Datta, A. Seshadri, Proceedings of the 31st IEEE Symposium on Security and Privacy, May.
A Formalization of HIPAA for a Medical Messaging System, P.F. Lam, J.C. Mitchell, and S. Sundaram, TrustBus.
Privacy and Contextual Integrity: Framework and Applications, A. Barth, A. Datta, J.C. Mitchell, and H. Nissenbaum, Proceedings of the 27th IEEE Symposium on Security and Privacy, May.
Healthcare privacy project source code.
Demo (under construction).