Privacy-Preserving Data Sharing Michael Siegenthaler Ken Birman Cornell University.

Introduction
Today, personal data is typically stored electronically, but systems at distinct organizations have no way to communicate with each other.

System Model
Legacy databases, each stored at a data owner. In the figure: General Hospital keeps a table keyed by SSN and Name (Alice, Bob); Acme Food and Drug keeps a table keyed by PatientID and Name (X1234 John, X7890 Bob); Special Treatment Clinic, Inc. keeps a table keyed by SSN and Name (Cathy, Robert).

Example Query
Drug interaction check at a pharmacy:
– A pharmacist is dispensing a drug and doesn't know what else the patient may be taking
– The patient's medical record is stored at the primary care provider and at various specialists
Is it safe for the patient to take this drug?

Guarantees
Data privacy
– E.g. the pharmacist receives a yes/no answer, not the underlying data
Query privacy
– E.g. the hospital does not learn which drug is currently being dispensed
Anonymous communication
– E.g. the hospital and the pharmacy do not learn each other's identities

Anonymous Communication
Onion skin routing
– Providers P_i
– Encryption function E
– Public keys K_Pi
Example:
– A reference to patient 34 at Provider 2, routed through Provider 1
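The example above (a reference to patient 34 at Provider 2, routed through Provider 1), worked as an added illustration that is not the authors' code. The slides encrypt each layer under a provider's public key K_Pi; to run offline this toy substitutes a per-provider secret key and a SHA-256 based stream cipher for E, which is an assumption, not the deck's construction. Provider names and keys are constructed.

```python
import hashlib
import json
import os

# Constructed per-provider keys standing in for the deck's public keys K_Pi.
# (Assumption: symmetric toy cipher instead of public-key encryption.)
PROVIDER_KEYS = {"P1": b"constructed-key-P1", "P2": b"constructed-key-P2"}

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks, i = [], 0
    while sum(len(b) for b in blocks) < n:
        blocks.append(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest())
        i += 1
    return b"".join(blocks)[:n]

def E(key: bytes, plaintext: bytes) -> bytes:
    """Toy E(): fresh random nonce || plaintext XOR keystream(key, nonce)."""
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def D(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:16], ciphertext[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

def build_handle(route: list, record_id: int) -> bytes:
    """One layer per provider along `route`: innermost is the record id under the
    final provider's key; each outer layer names only the next hop plus the rest."""
    layer = E(PROVIDER_KEYS[route[-1]], json.dumps({"record": record_id}).encode())
    for hop, nxt in zip(reversed(route[:-1]), reversed(route[1:])):
        inner = json.dumps({"next": nxt, "payload": layer.hex()}).encode()
        layer = E(PROVIDER_KEYS[hop], inner)
    return layer

def peel(provider: str, handle: bytes):
    """What one provider learns: (next_hop, inner_onion), or (None, record_id) at the end."""
    view = json.loads(D(PROVIDER_KEYS[provider], handle))
    if "next" in view:
        return view["next"], bytes.fromhex(view["payload"])
    return None, view["record"]

def route_handle(handle: bytes, first_hop: str):
    """Follow the onion hop by hop; returns (hops traversed, record id)."""
    hop, trail = first_hop, []
    while True:
        nxt, payload = peel(hop, handle)
        trail.append(hop)
        if nxt is None:
            return trail, payload
        hop, handle = nxt, payload
```

Provider 1 sees only "forward to P2" and an opaque blob; Provider 2 sees record 34 but not who asked, and neither can open the other's layer.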

Requirements
"Locate" remote records
– Translate a real-world identifier (name, SSN, DOB, ...) into a data handle: an onion skin route that can be used to communicate with the providers that own the data
Execute the desired query
– Use the data handles to perform a privacy-preserving query

Global Search Mechanism
Search for a user by SSN
Hierarchy of provider groups
– Each group has a designated contact who tracks its membership

Bloom Filters
Parameters: M = 12 bits, K = 3 hash functions
Insert SSN_1: hash_1(SSN_1) = 2, hash_2(SSN_1) = 4, hash_3(SSN_1) = (value not legible in the transcript); set those bits
Does a record for SSN_3 exist? hash_1(SSN_3) = 4, hash_2(SSN_3) = 3, hash_3(SSN_3) = 8; not all three bits are set, so: No!
Insert SSN_2: hash_1(SSN_2) = 3, hash_2(SSN_2) = 10, hash_3(SSN_2) = (value not legible in the transcript); set those bits
Does a record for SSN_3 exist? Bits 4, 3 and 8 are now all set, so: Yes. (false positive!)

Using False Positives
Adjust the Bloom filter parameters for the desired trade-off between privacy and performance.
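The two slides above (the M = 12, K = 3 filter and the privacy/performance trade-off) as an added example, not the authors' code. The hash functions are salted SHA-256 (an assumption), the SSN-like strings are constructed, and the false-positive estimate is the standard (1 - e^(-kn/m))^k formula.

```python
import hashlib
import math

class BloomFilter:
    """M-bit filter with K hash functions, the structure of the deck's M = 12, K = 3 example."""

    def __init__(self, m: int, k: int):
        self.m, self.k = m, k
        self.bits = [0] * m

    def _positions(self, item: str):
        for i in range(self.k):  # hash_1 .. hash_K, derived from salted SHA-256 (assumption)
            h = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(h[:8], "big") % self.m

    def insert(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p] = 1

    def might_contain(self, item: str) -> bool:
        # False is definitive (no record here); True means "present or false positive",
        # which is exactly the ambiguity the deck turns into a privacy property.
        return all(self.bits[p] for p in self._positions(item))

def expected_false_positive_rate(m: int, k: int, n: int) -> float:
    """Standard estimate (1 - e^(-kn/m))^k after n insertions."""
    return (1 - math.exp(-k * n / m)) ** k

def bits_for_target(n: int, k: int, target_fp: float) -> int:
    """Smallest M whose estimated false-positive rate is at most target_fp.
    Fewer bits: more false positives, more privacy, more wasted remote lookups."""
    return math.ceil(-k * n / math.log(1 - target_fp ** (1 / k)))

def count_false_positives(m: int, k: int, inserted: list, probes: list) -> int:
    """Empirical check: how many absent probes the filter still answers 'maybe'."""
    bf = BloomFilter(m, k)
    for s in inserted:
        bf.insert(s)
    return sum(bf.might_contain(p) for p in probes if p not in inserted)

# Constructed SSN-like strings; not real identifiers.
INSERTED = ["SSN-000-00-0001", "SSN-000-00-0002"]
PROBES = [f"SSN-900-00-{i:04d}" for i in range(1000)]
```

With only 12 bits the filter answers "maybe" for a noticeable share of strangers, which hides which SSNs a provider really holds; raising M toward thousands of bits makes the answer nearly exact and the provider's membership easier to probe.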

Query Execution
Example: a pharmacy checking for drug interactions. The figure shows General Hospital, Acme Food and Drug and a Random Intermediary exchanging a drug interaction query, a record access request, a prescription record with name/address stripped, and a yes/no answer.
– All messages are sent anonymously using a MIX
– The hospital does not learn the nature of the query
– The pharmacy does not learn which other drugs the patient is taking
– The random intermediary cannot do anything nefarious with the data it has received, since that data is out of context

Query to find drug interactions
Query formulated at the pharmacy:

    SELECT EXISTS (
        SELECT * FROM conflicts
        CROSS JOIN nonces
        INNER JOIN remote(drug_history) ON nonces.nonce = drug_history.nonce
        WHERE conflicts.drug = drug_history.drug
    );

Tables at the pharmacy:
    conflicts (drug): A____, B____
    nonces (nonce): Ω(34), Ω(56)
    query_table (drug, nonce): (A____, Ω(34)), (A____, Ω(56)), (B____, Ω(34)), (B____, Ω(56))

Split query: data gathering
Query sent to the data owner(s):

    SEND (
        SELECT nonce, drug FROM drug_history
        WHERE drug_history.nonce = Ω(34)
    );

Matching row at the data owner, drug_history (nonce, drug): (34, A____); it is sent on to mix_host.

Split query: joining
Query executed at the third-party MIX host (the pharmacy's conflicts list is only available there as part of query_table, so the filter compares query_table.drug):

    SELECT EXISTS (
        SELECT * FROM query_table
        INNER JOIN drug_history ON query_table.nonce = drug_history.nonce
        WHERE query_table.drug = drug_history.drug
    );

Inputs at the MIX host:
    query_table (drug, nonce): (A____, Ω(34)), (A____, Ω(56)), (B____, Ω(34)), (B____, Ω(56))
    drug_history (nonce, drug): (34, A____)
Result: exists = 1

Answering the query
Is there a conflict? The pharmacy asks mix_host_1 (acting on the hospital's behalf) and mix_host_2 (acting on another pharmacy's behalf). One MIX host returns exists = 1 (conflict found), the other exists = 0 (no conflict there); the answer returned to the pharmacy is YES.
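The three split-query slides above (pharmacy-side formulation, data gathering at the owner, joining at the MIX host), run end to end as an added example with SQLite; this is not the authors' code. The string "omega(34)" stands in for the deck's Ω(34) and is assumed to be the same nonce on both sides; table contents are constructed.

```python
import sqlite3

# Constructed sample data standing in for the slides' tables.
CONFLICTS = ["A____", "B____"]                 # drugs that conflict with the one being dispensed
NONCES = ["omega(34)", "omega(56)"]            # blinded handles for the patient's remote records
DRUG_HISTORY_AT_OWNER = [("omega(34)", "A____"), ("omega(34)", "C____"), ("omega(99)", "B____")]

def pharmacy_build_query_table(conflicts, nonces):
    """Pharmacy side: conflicts CROSS JOIN nonces. Names no patient and does not
    say which drug is being dispensed, only which drugs would conflict with it."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE conflicts(drug TEXT)")
    db.execute("CREATE TABLE nonces(nonce TEXT)")
    db.executemany("INSERT INTO conflicts VALUES (?)", [(d,) for d in conflicts])
    db.executemany("INSERT INTO nonces VALUES (?)", [(n,) for n in nonces])
    rows = db.execute("SELECT drug, nonce FROM conflicts CROSS JOIN nonces").fetchall()
    db.close()
    return rows

def data_owner_gather(history, nonce):
    """Data owner side: only the rows for the requested nonce leave the owner
    (the slide's SEND(SELECT nonce, drug FROM drug_history WHERE nonce = Ω(34)))."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE drug_history(nonce TEXT, drug TEXT)")
    db.executemany("INSERT INTO drug_history VALUES (?, ?)", history)
    rows = db.execute("SELECT nonce, drug FROM drug_history WHERE nonce = ?", (nonce,)).fetchall()
    db.close()
    return rows

def mix_host_join(query_table, drug_history):
    """MIX host side: sees blinded nonces and drug names only, answers EXISTS."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE query_table(drug TEXT, nonce TEXT)")
    db.execute("CREATE TABLE drug_history(nonce TEXT, drug TEXT)")
    db.executemany("INSERT INTO query_table VALUES (?, ?)", query_table)
    db.executemany("INSERT INTO drug_history VALUES (?, ?)", drug_history)
    (exists,) = db.execute(
        "SELECT EXISTS (SELECT * FROM query_table INNER JOIN drug_history "
        "ON query_table.nonce = drug_history.nonce "
        "WHERE query_table.drug = drug_history.drug)").fetchone()
    db.close()
    return bool(exists)

def drug_interaction_check(conflicts, nonces, owner_histories):
    """End to end: one gather per nonce at each data owner, one join at the MIX host."""
    query_table = pharmacy_build_query_table(conflicts, nonces)
    gathered = []
    for nonce in nonces:
        for history in owner_histories:
            gathered += data_owner_gather(history, nonce)
    return mix_host_join(query_table, gathered)
```

The row for omega(99) never leaves the owner because no nonce in the query matched it, and the MIX host learns that some blinded record conflicts with some drug on the list but not which patient or which drug is actually being dispensed.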

Conclusion and Future Work
Selective sharing of personal information across distributed databases
– Data privacy
– Query privacy
– Anonymous communication
Working on: how to enforce a policy on which data may be revealed to whom
Also: how to prevent data mining attacks?