Formalizing and Enforcing Privacy: Semantics and Audit Mechanisms Anupam Datta Carnegie Mellon University Verimag January 13, 2012.


2 Personal Information is Everywhere

3 The Privacy Problem How can we ensure that organizations respect privacy expectations in the collection, disclosure and use of personal information?

4 Privacy Laws and Promises

5 Privacy Laws
HIPAA Privacy Rule for healthcare organizations:
 - A covered entity is permitted ... to use and disclose protected health information, without an individual's authorization, for treatment, payment, and health care operations;
 - A covered entity must obtain an authorization for any disclosure or use of psychotherapy notes;
 - ... 80+ other clauses.
Many other laws: GLBA and FERPA in the US, the EU Privacy Directive, ...

6 Privacy Promises
Self-regulated sectors (e.g., the Web):
 - "Yahoo!'s practice is not to use the content of messages [...] for marketing purposes."
 - "Google's computers process the information in your messages for various purposes, including formatting [...] and other purposes relating to offering you Gmail."

7 Are Promises Actually Kept?

8 What can computer scientists do to address this problem?

9 A Concrete Scenario and Privacy Policy

10 Healthcare Privacy
[Figure: flows of patient information between Patient, Hospital, Insurance Company and Drug Company (medical bills, patient information, advertising); a complex process within the hospital; privacy threats from insiders (humans).]

11 Example from HIPAA Privacy Rule
"A covered entity may disclose an individual's protected health information (phi) to law-enforcement officials for the purpose of identifying an individual if the individual made a statement admitting participating in a violent crime that the covered entity believes may have caused serious physical harm to the victim."
Concepts in privacy policies:
 - Actions: send(p1, p2, m)
 - Roles: inrole(p2, law-enforcement)
 - Data attributes: attr_in(prescription, phi)
 - Temporal constraints: in-the-past(state(q, m))
 - Purposes: purp_in(u, id-criminal)
 - Beliefs: believes-crime-caused-serious-harm(p, q, m)
Actions, roles, data attributes and temporal constraints are black-and-white concepts; purposes and beliefs are grey concepts. Because compliance of a disclosure turns on grey concepts that no reference monitor can decide at the moment of the action, preventive enforcement (access control or runtime monitoring) does not suffice.

12 A Research Area
 - Formalize privacy policies: precise semantics of privacy concepts
 - Enforce privacy policies:
   - Audit: detect violations of policy
   - Accountability: identify agents to blame for policy violations; punish to deter policy violations

13 Approach
Privacy policy → computer-readable privacy policy. Together with the organizational audit log and an environment model, the audit detects policy violations.
 - Complete formalization of HIPAA, GLBA
 - Automated audit for black-and-white policy concepts
 - Oracles to audit for grey policy concepts

14 Auditing Black-and-White Policy Concepts
With D. Garg (CMU → MPI-SWS) and L. Jia (CMU)

15 Key Challenge for Auditing: Audit Logs are Incomplete
 - Future: logs store only past and current events. Example: timely data breach notification refers to a future event.
 - Subjective: no "grey" information. Example: the log may not record evidence for purposes and beliefs.
 - Spatial: remote logs may be inaccessible. Example: logs distributed across different departments of a hospital.

16 Abstract Model of Incomplete Logs
 - Model all incomplete logs uniformly as 3-valued structures: every atomic fact is true, false, or unknown.
 - Define semantics (meanings of formulas) over 3-valued structures.

17 reduce: The Iterative Algorithm
reduce(L, φ) = φ'
[Figure: as the log L grows over time, each reduce step takes the current residual policy φ_i and the log and produces the next residual φ_{i+1}, which is checked against the extended log in the next iteration.]

18 Syntax of Policy Logic
 - First-order logic with restricted quantification over infinite domains (the challenge for reduce)
 - Can express timed temporal properties and "grey" predicates

19 Example from HIPAA Privacy Rule
"A covered entity may disclose an individual's protected health information (phi) to law-enforcement officials for the purpose of identifying an individual if the individual made a statement admitting participating in a violent crime that the covered entity believes may have caused serious physical harm to the victim."

20 reduce: Formal Definition
Side condition on restricted quantification: c is a formula for which finite satisfying substitutions of x can be computed.
General theorem: if the initial policy passes a syntactic mode check, then finite substitutions can be computed.
Application: the entire HIPAA and GLBA Privacy Rules pass this check.

21 Example
Incomplete log:
 Jan 1, 2011: state(Bob, M1)
 Jan 5, 2011: send(UPMC, allegeny-police, M2); tagged(M2, Bob, date-of-treatment, id-bank-robber)
Finite substitutions: { p1 ↦ UPMC, p2 ↦ allegeny-police, m ↦ M2, q ↦ Bob, u ↦ id-bank-robber, t ↦ date-of-treatment, m' ↦ M1 }
Residual after reduce: φ' = T ∧ purp_in(id-bank-robber, id-criminal) ∧ is-admission-of-crime(M1) ∧ believes-crime-caused-serious-harm(UPMC, M1)
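The reduce step of slides 16 to 21, as an added example (this is not code from the talk or from the authors' implementation): a Python audit of the single law-enforcement clause over a constructed log, with 3-valued evaluation (True/False for black-and-white atoms, None for grey ones) and a second step that folds oracle answers into the residual. The Log structure, the predicate names, the extra disclosure M3 about Alice and the oracle answers are assumptions; the facts about M1 and M2 follow the slide.

```python
from dataclasses import dataclass
from datetime import date

# Grey predicates: the log records no evidence for them, so the audit can only
# leave them as a residual obligation for an oracle (e.g. a human reviewer).
GREY = {"purp_in", "is-admission-of-crime", "believes-crime-caused-serious-harm"}


@dataclass
class Log:                  # assumed log shape, not the authors' format
    sends: list             # (time, sender, receiver, message)
    states: list            # (time, speaker, message): statements made
    tagged: dict            # message -> (subject, attribute, purpose)
    roles: dict             # principal -> set of roles
    phi_attrs: set          # attributes classified as phi


def evaluate(pred, args, log):
    """3-valued evaluation of one atom: True/False if the log decides it, None if grey."""
    if pred in GREY:
        return None
    if pred == "inrole":
        principal, role = args
        return role in log.roles.get(principal, set())
    if pred == "attr_in":
        attribute, cls = args
        return cls == "phi" and attribute in log.phi_attrs
    raise ValueError(f"unknown predicate {pred}")


def reduce_law_enforcement_clause(log):
    """One reduce step for the clause quoted on slide 19.

    For every disclosure of phi to law enforcement, enumerate the finite
    substitutions of the restricted existential (a past statement by the
    subject) and return the residual per message: False if no substitution
    exists (this clause cannot justify the send), otherwise a disjunction
    (list) of conjunctions (lists) of grey atoms still to be decided.
    """
    residuals = {}
    for t, p1, p2, m in log.sends:
        q, attribute, u = log.tagged[m]
        if evaluate("attr_in", (attribute, "phi"), log) is not True:
            continue                         # not phi: clause does not apply
        if evaluate("inrole", (p2, "law-enforcement"), log) is not True:
            continue                         # recipient not law enforcement
        # in-the-past(state(q, m')): m' ranges over statements before the send
        candidates = [m2 for (t2, speaker, m2) in log.states
                      if speaker == q and t2 < t]
        if not candidates:
            residuals[m] = False
            continue
        residuals[m] = [[("purp_in", (u, "id-criminal")),
                         ("is-admission-of-crime", (m2,)),
                         ("believes-crime-caused-serious-harm", (p1, m2))]
                        for m2 in candidates]
    return residuals


def discharge(residual, oracle):
    """Later reduce step: fold oracle answers (atom -> bool) into a residual.
    Unanswered atoms stay unknown and are carried forward."""
    if residual is True or residual is False:
        return residual
    remaining = []
    for conjunction in residual:
        unknown = []
        for atom in conjunction:
            answer = oracle.get(atom)
            if answer is False:
                break                        # this disjunct is refuted
            if answer is None:
                unknown.append(atom)
        else:
            if not unknown:
                return True                  # one disjunct fully justified
            remaining.append(unknown)
    return remaining if remaining else False


# Constructed log in the shape of the slide's example (M3/Alice are added).
LOG = Log(
    sends=[(date(2011, 1, 5), "UPMC", "allegeny-police", "M2"),
           (date(2011, 1, 6), "UPMC", "allegeny-police", "M3")],
    states=[(date(2011, 1, 1), "Bob", "M1")],
    tagged={"M2": ("Bob", "date-of-treatment", "id-bank-robber"),
            "M3": ("Alice", "date-of-treatment", "id-bank-robber")},
    roles={"allegeny-police": {"law-enforcement"}},
    phi_attrs={"date-of-treatment", "prescription"},
)

if __name__ == "__main__":
    step1 = reduce_law_enforcement_clause(LOG)
    print(step1)                             # M2: three grey atoms; M3: False
    partial = {("is-admission-of-crime", ("M1",)): True}
    print(discharge(step1["M2"], partial))   # two atoms remain open
```

A False residual here only means that this one permitting clause does not cover the disclosure; a full audit would take the disjunction over every permitting clause of the rule before calling a send a violation.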

22 Implementation and Case Study
 - Implementation and evaluation over simulated audit logs for compliance with all 84 disclosure-related clauses of the HIPAA Privacy Rule
 - Performance: average time for checking compliance of each disclosure of protected health information is 0.12s for a 15MB log
 - Mechanical enforcement: reduce can automatically check 80% of all the atomic predicates

23 Related Work: Specification Languages and Logics for Privacy Policies
P3P [Cranor et al.], XACML [OASIS], EPAL [Backes et al.], Logic of Privacy and Utility [Barth et al.], PrivacyAPIs [Gunter et al.], ...

24 Related Work: Logical Specification of Privacy Laws
 - Logic of Privacy and Utility [Barth et al.]: example clauses from HIPAA and GLBA
 - PrivacyAPIs [Gunter et al.]: HIPAA
 - Datalog HIPAA [Lam et al.]: HIPAA

25 Related Work: Runtime Monitoring in MFOTL [Basin et al. '10]
 - Pre-emptive enforcement; efficient implementation
 - Assumes past-completeness of logs
 - Less expressive mode checking ("safe-range check"): cannot express HIPAA or GLBA

26 Approach
Privacy policy → computer-readable privacy policy. Together with the organizational audit log and an environment model, the audit detects policy violations.
 - Complete formalization of HIPAA, GLBA
 - Automated audit for black-and-white policy concepts
 - Oracles to audit for grey policy concepts

27 Formalizing and enforcing purpose restrictions With M. C. Tschantz (CMU) and J. M. Wing (CMU)

28 Components of a Purpose Restriction Rule (Example) The registrant’s name is transmitted for the purpose of registering your web address.

29 Components of a Rule (Example)
"The registrant's name [information] is transmitted [action] for the purpose of registering your web address [purpose restriction]."

30 Purpose Restrictions
 - For: "This information is transmitted [...] for the purpose of registering your web address [...]."
 - Not for: "Yahoo!'s practice is not to use the content of messages [...] for marketing purposes."
 - Only for: "[...] you give [SSA] consent to use the information only for the purpose for which it was collected."

31 Goal
 - Give a semantics to "for", "not for" and "only for" purpose restrictions that is parametric in the purpose, information, and action
 - Provide an auditing algorithm for that semantics

32 Medical Office Example
[Figure: X-ray taken → Add x-ray → X-ray added → Send record (the medical record) → Diagnosis by specialist. Policy: medical records are only used for diagnosis.]

33 Label Actions with Purposes
 - Attempt 1: an action is for a purpose if it is labeled as such
 - Problem 1: begs the question
 - Problem 2: one action can have different purposes depending upon context

34 Medical Office Example
[Figure: X-ray taken → Add x-ray → X-ray added → Send record → Diagnosis by specialist.]

35 Medical Office Example
[Figure: X-ray taken → Add x-ray → X-ray added → Send record → Diagnosis by specialist; a second Send record from X-ray added leads to No diagnosis.]

36 Label Actions with Purposes
[Figure: the same diagram with labels Add x-ray: diagnosis, Send record: diagnosis. The Send record that reaches Diagnosis by specialist is for diagnosis; the Send record that reaches No diagnosis is not for diagnosis, although both carry the same label.]

37 States Matter
 - The purpose of an action may depend upon the state from which the agent takes that action
 - A formalization of purpose must include states

38 Continuing Example
[Figure: X-ray taken → Add x-ray → X-ray added → Send record → Diagnosis by specialist; another Send record → No diagnosis.]

39 Continuing Example
[Figure: same diagram. The Send record leading to No diagnosis is not sufficient for diagnosis; the Send record leading to Diagnosis by specialist is necessary and sufficient.]

40 Necessary and Sufficient
Attempt 2: an action is for a purpose if it is necessary and sufficient as a part of a chain of actions for achieving that purpose

41 Modified Example
[Figure: X-ray taken → Add x-ray → X-ray added; from X-ray added, Send record 1 → Diagnosis by specialist 1 and Send record 2 → Diagnosis by specialist 2.]

42 Necessity Too Strong
[Figure: same diagram.] Both sends are for diagnosis despite neither being necessary: either one alone would yield a diagnosis.

43 Sends Are Needed
[Figure: same diagram.] With neither send, there is no diagnosis.

44 Non-redundancy
 - Given a sequence of actions that reaches a goal state, an action in that sequence is non-redundant if removing that action from the sequence results in the goal no longer being reached
 - This adapts the counterfactual definition of causality
 - Attempt 3: an action is for a purpose if it is part of a sufficient and non-redundant chain of actions for achieving that purpose
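Attempts 2 and 3 side by side, as an added example (not code from the talk): a deterministic transition system in the shape of the modified medical office example, with necessity computed by search over all paths and non-redundancy by the counterfactual deletion test above. The state and action names, the "stop" action and the "view-record" self-loop (added to show a redundant action) are assumptions.

```python
from collections import deque

# Constructed transition system: (state, action) -> next state.
TRANSITIONS = {
    ("x-ray-taken", "add-x-ray"): "x-ray-added",
    ("x-ray-added", "view-record"): "x-ray-added",     # assumed self-loop
    ("x-ray-added", "send-record-1"): "diagnosis-1",
    ("x-ray-added", "send-record-2"): "diagnosis-2",
    ("x-ray-added", "stop"): "no-diagnosis",
}
DIAGNOSIS = {"diagnosis-1", "diagnosis-2"}   # goal states for the purpose "diagnosis"


def run(start, actions):
    """Execute a chain; return the final state, or None if an action is undefined."""
    state = start
    for a in actions:
        state = TRANSITIONS.get((state, a))
        if state is None:
            return None
    return state


def sufficient(start, actions, goals):
    """The chain as a whole reaches a goal state."""
    return run(start, actions) in goals


def reachable(start, goals, forbidden=None):
    """Breadth-first search: can any chain that never uses `forbidden` reach a goal?"""
    seen, queue = {start}, deque([start])
    while queue:
        s = queue.popleft()
        if s in goals:
            return True
        for (s0, a), s1 in TRANSITIONS.items():
            if s0 == s and a != forbidden and s1 not in seen:
                seen.add(s1)
                queue.append(s1)
    return False


def necessary(start, action, goals):
    """Attempt 2's notion: the goal is reachable, but not without this action."""
    return reachable(start, goals) and not reachable(start, goals, forbidden=action)


def non_redundant(start, actions, goals):
    """Attempt 3's counterfactual test, per position in the chain:
    does deleting this action make the chain miss the goal?"""
    return [(a, not sufficient(start, actions[:i] + actions[i + 1:], goals))
            for i, a in enumerate(actions)]


def for_purpose(start, actions, goals):
    """Actions of the chain that are 'for' the purpose under Attempt 3:
    the chain must be sufficient and the action non-redundant within it."""
    if not sufficient(start, actions, goals):
        return []
    return [a for a, nr in non_redundant(start, actions, goals) if nr]


if __name__ == "__main__":
    chain = ["add-x-ray", "view-record", "send-record-1"]
    print(necessary("x-ray-taken", "send-record-1", DIAGNOSIS))   # False: send 2 also works
    print(non_redundant("x-ray-taken", chain, DIAGNOSIS))         # view-record is redundant
    print(for_purpose("x-ray-taken", chain, DIAGNOSIS))
```

The run shows why necessity is too strong: send-record-1 is not necessary because send-record-2 would also produce a diagnosis, yet it is non-redundant in its own chain. The assumed view-record step is the opposite case: the chain still reaches a diagnosis without it, so it is not for diagnosis.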

45 Continuing Example
[Figure: X-ray taken → Add x-ray → X-ray added; Send record 1 → Diagnosis by specialist 1; Send record 2 → Diagnosis by specialist 2.]

46 Quantitative Purposes
[Figure: same diagram, with the outcomes scored Diagnosis: 6, Diagnosis: 2 and Diagnosis: 0.] A more accurate diagnosis should be used.

47 Probabilistic Systems
[Figure: X-ray taken → Add x-ray (probability 1) → X-ray added → Send record 1, which leads with probability 3/4 to Diagnosis by specialist (Diagnosis: 6) and with probability 1/4 to Specialist fails (Diagnosis: 0).] The agent might not get a diagnosis, but the send is still for getting a diagnosis.

48 Thesis: Plans Matter An action is for a purpose if the agent planned to perform the action while considering that purpose

49 Still Open Questions
 - How do we know that our planning hypothesis is true?
 - What does that formally mean?
 - How do we audit for that?

50 Survey
 - Gave two hundred people a questionnaire
 - Compared the predictions of two hypotheses to the responses provided:
   1. Planning hypothesis: an action is for a purpose iff that action is part of a plan for furthering the purpose
   2. Furthering-purpose hypothesis: an action is for a purpose iff that action furthers the purpose
 - Clear winner: the planning hypothesis

51 Auditing
[Figure: inputs are an environment model for planning, the privacy policy and the agent's behavior; the audit outputs Obeyed, Violated or Inconclusive.]

52 Auditing
[Figure: inputs are a Markov decision process (the environment model), the privacy policy and the audit log; the audit outputs Obeyed, Violated or Inconclusive.]

53 Auditing Method
 - Find all plans calling for action a that could have resulted in the log l in model m
 - If none of these plans optimize the purpose p in the model m, then the agent violated the policy

54 Algorithm
 - Compare the optimal solution of the MDP to the optimal solution of the MDP restricted to match the actions seen in the log
 - If the restricted MDP has a lower value than the unrestricted MDP, the log shows suboptimal actions: no plan that optimizes the purpose explains the logged behavior, so the purpose restriction was violated
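The comparison on this slide, as an added example (not the authors' auditing tool): value iteration on a small MDP in the shape of the probabilistic x-ray example, then value iteration again on the MDP restricted to the actions observed in a log, and a verdict from the two values. The transition probabilities (3/4, 1/4) and the outcome scores (6, 2, 0) are the slides' numbers; the assignment of those scores to specialist 1 and specialist 2, the "stop" action, the state names and the log contents are assumptions.

```python
# Constructed MDP: (state, action) -> list of (probability, next_state).
P = {
    ("x-ray-taken", "add-x-ray"): [(1.0, "x-ray-added")],
    ("x-ray-added", "send-record-1"): [(0.75, "diagnosis-1"), (0.25, "specialist-fails")],
    ("x-ray-added", "send-record-2"): [(1.0, "diagnosis-2")],
    ("x-ray-added", "stop"): [(1.0, "no-diagnosis")],
}
# Reward for entering a state: how well the purpose "diagnosis" is served there
# (score-to-specialist assignment is an assumption).
REWARD = {"x-ray-taken": 0.0, "x-ray-added": 0.0, "diagnosis-1": 6.0,
          "diagnosis-2": 2.0, "specialist-fails": 0.0, "no-diagnosis": 0.0}


def actions_at(state, allowed=None):
    """Actions available in a state; `allowed` (state -> set) restricts them."""
    acts = [a for (s, a) in P if s == state]
    if allowed and state in allowed:
        acts = [a for a in acts if a in allowed[state]]
    return acts


def value_iteration(allowed=None, sweeps=100, eps=1e-9):
    """Undiscounted value iteration; states without actions are terminal (value 0)."""
    V = {s: 0.0 for s in REWARD}
    for _ in range(sweeps):
        new = {}
        for s in V:
            qs = [sum(p * (REWARD[s2] + V[s2]) for p, s2 in P[(s, a)])
                  for a in actions_at(s, allowed)]
            new[s] = max(qs) if qs else 0.0
        if max(abs(new[s] - V[s]) for s in V) < eps:
            return new
        V = new
    return V


def audit(start, log):
    """log: observed (state, action) pairs. Restrict the MDP to the logged
    actions at the logged states and compare values from `start`."""
    allowed = {}
    for s, a in log:
        allowed.setdefault(s, set()).add(a)
    optimal = value_iteration()[start]
    restricted = value_iteration(allowed)[start]
    verdict = "violated" if restricted + 1e-9 < optimal else "consistent"
    return verdict, optimal, restricted


if __name__ == "__main__":
    # constructed logs: one agent sent to the less accurate specialist 2
    print(audit("x-ray-taken", [("x-ray-taken", "add-x-ray"), ("x-ray-added", "send-record-2")]))
    print(audit("x-ray-taken", [("x-ray-taken", "add-x-ray"), ("x-ray-added", "send-record-1")]))
```

With these numbers the optimal plan sends to specialist 1 (expected score 0.75 × 6 = 4.5), so a log showing send-record-2 (value 2) is flagged: sending the record was not part of any plan that optimizes diagnosis. A log that shows only add-x-ray is consistent, since an optimal plan still fits it; the "consistent" verdict covers both the Obeyed and the Inconclusive outcomes on the slides, which this simplified comparison does not separate.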

55 Example
[Figure: X-ray taken → Add x-ray → X-ray added; Send record 1 → Diagnosis by specialist 1; Send record 2 → Diagnosis by specialist 2; outcomes scored Diagnosis: 6, Diagnosis: 2 and Diagnosis: 0.]

56 Past Approaches
 - While useful, past approaches were not semantically justified: labeling actions, labeling sequences of actions, labeling agent roles, labeling code
 - Our work provides a semantic foundation for these approaches and shows the limitations of each

57 Future Work
 - Automated support for construction of environment models (e.g., via machine learning)
 - Alternative models of planning
 - Case study with real audit logs

58 Summary: Audit Approach
Privacy policy → computer-readable privacy policy. Together with the organizational audit log and an environment model, the audit detects policy violations.
 - Complete formalization of HIPAA, GLBA
 - Automated audit for black-and-white policy concepts
 - Oracles to audit for grey policy concepts

59 Summary: Research Area
 - Formalize privacy policies: precise semantics of privacy concepts
 - Enforce privacy policies:
   - Audit: detect violations of policy
   - Accountability: identify agents to blame for policy violations; punish to deter policy violations

60 Thanks! Questions?