Page 1: Security Mediation To Protect Healthcare Information Privacy in Collaborative Settings

Feb. 2000, TIHI/SAW/TID

Gio Wiederhold (PI), Michel Bilello, James Z. Wang.
Past: Jahnavi Akella, Andrea Chavez, Chris Donahue, Vatsala Sarathy, Latanya Sweeney, Yan Tan.
Stanford University

TIHI and SAW supported under subcontract to SRI International; TID supported under NSF Digital Libraries II.

Gio Wiederhold TIHI/Saw 97

Page 2: Overview

Security and Privacy when Collaborating
• Background and Current State
• Unaddressed Problem
• Security Mediator Solution
• Examples, including prior work
• Current work
• Demo and Questions

Page 3: Security: protection and assurance

Crucial progress in protection is being made:
• Remote Transmission
• Authentication
• Firewalls around domains

These protect against enemies. Much research is based on cryptography.

Gio Wiederhold TIHI Oct96 3

Page 4: Dominant approach

• Authenticate customer
• Validate query against database schema
• If both ok, process query and ship results

[Figure: the customer's query passes authentication and the firewall to a database access & authorization agent at the source; the result is shipped back to the customer.]

Page 5: However, the world is more complex

Simple view of protection: prohibit access.

[Figure: enemies and hackers on the Internet outside the firewall.]

Page 6: Collaboration Needs

• Medical Records ↔ Medical Researchers
• Manufacturer's Specs ↔ Subcontractor
• Intelligence Data ↔ Front-line soldier
• Medical Records ↔ Insurance Company

Page 7: False Assumption

Data in the files of an enterprise is organized according to external access rights.

This is inefficient and risky for an enterprise which uses information mainly internally.

Page 8: Some Failure modes

Collaborator has legitimate access
• Unintentionally obtains wrong data
• Can gain broader access than intended

Internal user ships improper data out
• Fails to understand release constraints
• Some data were misfiled
• Coverage of releasable and non-releasable data overlaps
• Anonymity process fails
• Data replaced (credit card nos instead of MP3)
• Backup to insecure site (Deutsch)
• Shows friend neat stuff (Los Alamos scientist?)

Page 9: Access Patterns versus Data

[Figure: a matrix of access patterns against data holdings. Labels on the figure: Laboratory, Billing, Patient Accounting, Clinics, Pharmacy, Inpatient, Etc.; Physician, Insurance Carriers, Laboratory staff, Ward staff, Medical Research, Accreditation, CDC.]

Page 10: Expected Problems (Healthcare)

• Query cannot specify object precisely: relevant history for low-weight births (helpful database gets extra stuff)
• Objects (N) are not organized according to all possible access classifications (a) = (N × a): patients with heart problems, but not HIV
• Some objects cover multiple classes: patient with stroke and HIV
• Some objects are misfiled (happens easily to others), costly/impossible to guarantee avoidance: psychiatric data in patient with alcoholism

Page 11: Securing the Gap

Check the content of the result before it leaves the firewall.

Security mediator: human & software agent module.

[Figure: query and result crossing the firewall, with the check applied at the firewall boundary.]

Page 12: Overall Schematic

[Figure: Customer on the Internet ↔ Firewall ↔ Security Officer's Mediator ↔ Database.]

Page 13: Security Mediator

• Software module, intermediate between "customers" and databases within the firewall
• Resides on the security officer's machine (may have to be multi-level secure); accessed by customers through the firewall's protection
• Under control of the security officer, via simple security-specific rules
• Performs bidirectional screening (queries and results)

Page 14: Security Officer

• Profile
  – Human responsible for database security/privacy policies
  – Must balance data availability vs. data security/privacy
• Tasks (current)
  – Advises staff on how to try to follow policy
  – Investigates violations to find & correct staff failures
  – Has currently no tools
• Tasks (with mediators)
  – Defines and enters policy rules in security mediator
  – Monitors exceptions, especially violations
  – Monitors operation, to obtain feedback for improvements

Page 15: Security officer screen

[Screenshot of the security officer's screen.]

Page 16: Example: Mediation for Privacy

Public Health Application
• Needs valid statistical data
• No access to private data

Security Mediator
• Owned by hospital security officer
• Screens query and result
• Default is manual operation
• Evolves by adding rules

Physicians' Databases
• Valuable resources
• Need to be aggregated for significance

[Figure: CDC sends a certified query to the Security Mediator, which issues a source query to the Private Patient Data; the unfiltered result returns to the Security Mediator, which passes a certified result to CDC. All steps are written to Logs.]

Page 17: Patient Screen

[Screenshot of the patient query screen.]

Page 18: Part of Patient result

[Screenshot of part of a patient result.]

Page 19: Software Components

• Rule interpreter
• Primitives to support rule execution
• Rule maintenance tools
• Log analysis tool
• Firewall interface
• Domain database interface
• Logger

(The slide groups these into support, service and maintenance components.)

Page 20: Primitives

Selected by rule for various clique roles:
• Preprocess drawings or images
• Allow / disallow values
• Allow / disallow value ranges
• Limit results to approved vocabulary
• Disallow output containing bad words
• Limit output to times, places
• Limit number of queries per period
• Etc.

Page 21: Protecting Privacy in Medical Images

Wavelet-based Filtering (Stanford University)

[Figure: the original image with patient identity leaves the Patient Data System; the pipeline locates text, analyzes the textual information, and removes non-releasable text, so that only the filtered image reaches the Internet.]

Page 22: Primitives for Content Check

• Good Word List for Text
  – domain specific to increase precision and reliability
  – created by processing good documents
  – any word not in list shown to SO with context
• Bad Word List (optional)
  – not reliable (misspellings, accidental or intentional)
  – no increase in efficiency given good word list processing
  – trigger special case rules
• Image data (current research)
  – extract text and analyze as above
  – recognize objectionable images by sketch or color

Page 23: Roles

• Security officer manages security policy; not a computer specialist or database administrator.
• Computer specialist provides tools: the agent workstation program for security mediation
• Healthcare institution defines policies; its security officer uses the program as the tool
• Tool provides logging for
  – system improvements
  – audit trail
  – accountability
• Formalizes ad-hoc practices

Page 24: Rule system

• Optional: without rules every interaction goes to the security officer (in & out)
• Creates efficiency: routine requests will be covered by rules: 80% instances / 20% types
• Assures security officer of control: rules can be incrementally added / deleted / analyzed
• Primitives simplify rule specification: source, transmit date/time, prior request, ...

Page 25: Primitives get data for Rules

• Requestor roles
• Data names requested and values returned
  – dates
  – value ranges
  – textual contents (positive / negative)
  – special indicators: employment, … [Scrub ..]
• Size of base leading to a statistical result
• Time and place of request & destination
• Interaction history: frequency, overlaps, . . .
• Measure of Risk: [Datafly]
• more . . . .

Page 26: Participants in Setting Rules

(Same content as Page 23: Roles.)

Page 27: Disallowed result

[Screenshot of a result the mediator has disallowed.]

Page 28: Security officer reaction

Choices:
1. Reject result
2. Edit result
3. Pass result (& update the list of good-words, making approval persistent)
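The rule-driven screening of Pages 20, 22, 24 and 25 and the officer's three choices on Page 28, as an added illustration that is not the TIHI project's code: a toy mediator with a good-word list seeded from an approved document, a minimum statistical base, a per-role query budget, an audit log, and persistent approval. The rule thresholds and the sample report are constructed for the example.

```python
"""Toy security mediator: screens queries and results by rule, refers the rest to
the security officer (SO), and makes the SO's approval persistent. Added example."""
import re
from dataclasses import dataclass, field

WORD = re.compile(r"[A-Za-z][A-Za-z'-]*")

def vocabulary(text: str) -> set:
    """Good-word list built by processing an approved document."""
    return {w.lower() for w in WORD.findall(text)}

@dataclass
class Mediator:
    good_words: set                  # domain-specific vocabulary (constructed here)
    min_cohort: int = 5              # smallest patient base allowed for a statistic (assumed)
    max_per_period: int = 3          # query budget per requester role per period (assumed)
    counts: dict = field(default_factory=dict)
    log: list = field(default_factory=list)   # audit trail of every decision

    def screen_query(self, role: str) -> bool:
        """Inbound rule: limit the number of queries per period for each role."""
        n = self.counts.get(role, 0) + 1
        self.counts[role] = n
        ok = n <= self.max_per_period
        self.log.append(("query", role, "pass" if ok else "deny"))
        return ok

    def screen_result(self, role: str, text: str, cohort: int) -> tuple:
        """Outbound rules: deny small statistical bases outright, pass results whose
        words are all approved, refer anything else to the SO with the unknown words."""
        if cohort < self.min_cohort:
            self.log.append(("result", role, "deny", "cohort"))
            return ("deny", f"cohort {cohort} below {self.min_cohort}")
        unknown = sorted(vocabulary(text) - self.good_words)
        if unknown:
            self.log.append(("result", role, "refer", unknown))
            return ("refer", unknown)
        self.log.append(("result", role, "pass"))
        return ("pass", text)

    def officer_decides(self, role: str, text: str, choice: str, edited: str = ""):
        """SO choices for a referred result: reject, edit, or pass. Passing also adds
        the result's words to the good-word list so the approval persists."""
        self.log.append(("officer", role, choice))
        if choice == "reject":
            return None
        if choice == "edit":
            return edited
        self.good_words |= vocabulary(text)
        return text

# Constructed sample: an approved public-health report seeds the good-word list.
APPROVED = "Patients with stroke: count 12, mean age 64, ward 3B."
```

A result whose words all appear in the approved report passes by rule; a new word such as a physician's name goes to the officer, and once passed it is no longer referred.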

Page 29: Rules implement policy

• Tight security policy:
  – simple rules
  – many requests/responses referred to security officer
  – much information output denied by security officer
  – low risk
  – poor public and community physician relations
• Liberal but careful security policy:
  – complex rules
  – few requests/responses referred to security officer
  – of remainder, much information output denied by security officer
  – low risk
  – good public and community physician relations
• Sloppy security policy:
  – simple rules
  – few requests/responses referred to security officer
  – little information output denied by security officer
  – high risk
  – unpredictable public and community physician relations

Page 30: Coverage of Access Paths

[Figure: three controls along the path to the Database. Authentication-based control (good/bad) establishes a good guy with a good query; DB schema-based control, tuned by the database administrator for performance and function requests, yields a processable query whose result is likely ok; the Security Mediator, driven by the security officer's security needs together with ancillary information and prior use (history), validates the result to be ok.]

Page 31: A mediator is not just static software

Software & People

[Figure: a mediator with an Application Interface above and Resource Interfaces below, holding models, programs, rules, caches, . . . ; maintained by its Owner/Creator, Maintainer, Lessor - Seller and Advertiser in response to changes of user needs, domain changes and resource changes.]

Page 32: Agent System Differences DBA/SO

Database agent (DBA):
• Be helpful to customer
• Tell customer re problems; query may be fixed
• Exploit DB meta-data
• Isolate transactions
• Ship result to customer

Security mediator agent (SO):
• Be helpful to security officer
• Tell security officer re problems; security officer may contact customer
• Exploit customer information
• Use history of usage
• Ship result to security officer with result description (source, cardinality)

Finding: the differences are greater than we imagined initially.

Page 33: Security Mediator Benefits

• Dedicated to security task (may be multi-level secure)
• Uses only its rules and relevant function, all directly; avoids interaction with DB views and procedures
• Maintained by responsible authority: the security officer
• Policy setting independent of database(s) and DBA(s)
• Logs just those transactions that penetrate the firewall; records attempted violations independent of DB logs*
• Systems behind firewall need not be multi-level secure
• Databases behind firewall need not be perfect

* DB logs are also used for replication, recovery, warehousing

Page 34: TIHI / SAW / TID Summary

Collaboration is an underemphasized issue, beyond encrypted transmission, firewalls, passwords, authentication.

There is a need for flexible, selective access to data without the risk of exposing related information in an enterprise.

In TIHI the service is provided by the Security Mediator: a rule-based gateway processor of queries and results under control of a security officer who implements enterprise policies.

Our solution applies not only to healthcare but equally to collaborating (virtual) enterprises and in many military situations.