[IEEE 2011 2nd International Conference on Intelligent Systems, Modelling and Simulation (ISMS) -...



A Secure Multiparty Computation Solution to Healthcare Frauds and Abuses

Priyanka Jangde Information Technology

Sri Satya Sai Institute of Science and Technology Sehore, India

[email protected]

Durgesh Kumar Mishra Computer Science

Acropolis Institute of Technology and Research Indore, India

[email protected]

ABSTRACT - Medical facilities are vital ingredients which can make or break lives. In such critical matters, proper management of the Private Health Information (PHI) of each individual is essential. In many foreign countries, Information Technology has made a revolutionary impact in the medical sector too, providing completely paperless hospitals. Several emergency facilities are available, and doctors use a tablet PC or a palmtop for complete retrieval of a patient's records and for diagnosis and treatment. Files no longer need to be managed for individual patients. Thus, the hospital server is most vulnerable to all the threats pertaining to information theft, fraud, unauthorized modification or any other crime. In such a scenario, the safety of the server and its information is a crucial concern for hospital management, as any invalid access can cost a life or even more.

Keywords: Privacy, Security, Secure Multi-party Computation, Healthcare.

I. INTRODUCTION

Healthcare not only affects the individual; its scope has widened, and it has now gained political, social and economic importance too. Several charity organizations around the globe serve humanity, but these are often subjected to fraud and theft in the absence of proper and correct information channels. They are frequently deceived by ordinary and even rich people who hardly need such monetary support. Therefore, proper validation of a person before granting him funds or monetary help is a must. Moreover, the insurance sector is an indivisible part of healthcare, and it needs to keep an eye on all insurance claims and information so that the money always reaches the correct person through proper channels.

The medical expenditure needed to meet public demand for expert services and the best technology is large, and it is likely to swell and intensify as average lifespans continue to increase and birth rates to decrease in many societies. The insurance systems and policies of both the Government and the private sector are of great importance for common people, because this financial aid helps them to share and offset high healthcare costs. So healthcare is the need of the hour, but it has also become infected with fraudulent and abusive activities, which need careful and attentive measures so that the needy are not left out and malicious components do not take over the services. As per the report (Health Insurance 1992) published by the General Accounting Office in the US, the cost of healthcare fraud and abuse in the US was as much as 10% of its annual spending on healthcare (which comes to US$ 100 billion per year). Similar problems have also been found in other developed countries (Lassey, Lassey, & Jinks, 1997). These figures give an insight into the extent of the losses that can be incurred through such frauds and abuses. A legal framework cannot be a sufficient and complete answer to all frauds because, with computers, these thefts take place online and are even harder to diagnose.

Data and rule mining has been extensively applied to a wide range of applications, including business, transport and tourism, education, market-basket analysis, etc. It has also been suggested as a solution for healthcare, where historical and current databases can serve as a data store for mining various patient trends, which can then be used to find extravagant and deviating trends. Thus, classification, cluster analysis, outlier analysis, prediction, correlation and regression are some of the data mining techniques that can be readily adopted for making healthcare decisions. But this suffers from the obvious drawback that the data store is open to all. As mentioned above, a hospital database is sensitive and cannot be kept accessible to all. Therefore, other available provisions are encryption/decryption, data modification, identity/role/policy-based access control mechanisms, PKI (Public Key Infrastructure) and so on. All the provisions mentioned above have their pros and cons, and thus none can be considered to provide a complete packaged solution.

Secure Multiparty Computation (SMC) is a method of Privacy Preserving Data Mining which can be the answer to all the aforementioned problems and can give a complete solution for the entire healthcare infrastructure. Secure Multiparty Computation addresses a class of problems in which n mutually untrusted parties make joint computations without affecting the confidentiality, secrecy and privacy of any individual party. The healthcare issue is similar: hospitals, other medical organizations, charitable trusts and insurance companies all wish to use the hospitals' data for their own varying purposes. But hospital data, being confidential, must not be disclosed to these institutions, as they can affect its integrity and correctness. Also, insurance databases must be kept away from the hospitals and the trusts, and even if in some cases they wish to make some sort of joint computation, the data of an individual should not be revealed. This essence of SMC can help maintain a safe and sound healthcare infrastructure.

2011 Second International Conference on Intelligent Systems, Modelling and Simulation

978-0-7695-4336-9/11 $26.00 © 2011 IEEE. DOI 10.1109/ISMS.2011.75


II. LITERATURE SURVEY

The healthcare sector is no longer untouched by the IT revolution. Although its impact is not yet very evident in India, in other countries it has gained far more importance and is now in practice. E-healthcare services and systems have been developed to provide computerized services to citizens. As these are at an elementary stage, the systems developed so far show very little concern for data privacy and security. Due to this, healthcare frauds and abuses have become commonplace.

Therefore, a need was felt for regulatory provisions regarding data security and privacy, and so HIPAA was introduced in 1996 [3,7]. Such protection has been provided by several means, like HIMSS [2], AEP Networks using SSL VPN [6], RSA enVision and RSA SecurID [5], etc. Healthcare can achieve data and physical compliance today with biometrics-based environment security [6]. According to the National Healthcare Anti-Fraud Association, as much as 10 percent of every dollar spent on healthcare claims involves some sort of fraud. This constitutes more than 100 billion dollars a year [8]. An Advanced Decision Support System can be considered as a solution for detecting and predicting fraudulent activities by pattern matching [8]. The current challenges, trends and initiatives around the various regulations related to Health Informatics in the United States are also analyzed and presented by Sanjaya Joshi [9]. The U.S. healthcare system has several disparate components, like Medicare, Medicaid, private insurance, VA and government insurance, out-of-pocket and uncompensated care. A macro-informatics view, with the healthcare informatics workflow as the centralized component and related components either using the workflow or affecting it, is necessary in designing a complete solution [9]. IWebCare is yet another technological approach to fraud detection in this field [10].

Thus, a set of solutions is available, and many projects have provided certain solutions to healthcare problems, but a complete solution has not yet been achieved.

III. PROPOSED ARCHITECTURE

The architecture for a secure healthcare sector is shown in Fig. 1. It uses the arithmetic cryptographic protocol, which is among the best SMC protocols for ensuring privacy and security. As we have already seen, there may be situations in which multiple correlated organizations wish to make a joint computation, on the condition that the privacy of each individual is ensured. For instance, hospital data may sometimes be referred to by insurance agencies and charitable trusts for some of their computations to validate a patient's honesty. But the hospital database, too, is tamper-proof and secure. Therefore, in such situations, we can use this protocol, which allows joint computation without compromising the privacy and confidentiality of any individual. Here, each party submits encrypted data for computation to the Trusted Third Party (TTP). The TTP collects encrypted data from all the parties, makes the computation on encrypted data only, and returns the results. These results are then decrypted using a suitable decrypting function, and in the end all the parties get the decrypted result and nothing else.

At no point along the path, nor at the TTP, is the data in its real form; it is totally encrypted, so no one can predict the actual data and there are no chances of data theft or hacking.

Fig.1 Architecture for Arithmetic Cryptographic for Healthcare

Encryption can be done using any of the high-degree polynomial functions. No matter whether the TTP is reliable or not, in all cases transaction success is guaranteed. Also, as the polynomial computations are just simple mathematical operations, they can be evaluated very quickly and correctly. The higher the degree of the polynomial, the lower the chances of it being decrypted easily.

IV. INFORMAL DESCRIPTION

As per the proposed architecture, the complete set of tasks may be divided amongst the parties and the TTP. The parties can be hospitals, insurance agencies or charitable trusts, or any combination of these. Each party has its own confidential database, which it cannot reveal to anyone. Moreover, the TTP, although referred to as a 'Trusted' component, is not always reliable.

Under all the above conditions, we define the following functions of each component that altogether constitute the overall protocol working.

Parties: At the lowest level are the databases that may belong to certain hospitals, insurance companies or charitable trusts. All of these may be considered competitors. They use polynomial cryptographic procedures for data encryption. In no case can they forward raw data; it must always be sent in an encrypted form. This is done with the help of the cryptographic functions.

[Fig. 1 labels: Hospitals Databases, Insurance Databases, Charitable Trusts Databases; Cryptographic Functions; Encrypted Data; Trusted Third Party; Decrypted Computation Results]

After the computation by the TTP, the received data is decrypted using the same polynomial, by means of inverse functions, to get the final computation results. This provides a completely safe data transfer with no chances of data ever being eavesdropped.

TTP: The task of the TTP is somewhat augmented, as the computations are made on encrypted data, but this is still affordable, as data security and privacy are the key issue and not simplicity. It makes the necessary computations and then sends the encrypted results back to the parties, which then decrypt them to get the final results.

V. FORMAL DESCRIPTION

The parties in this architecture play an important role, as their data security and privacy is entrusted to them only. Depending on the extent to which they require data security, they can decide to adopt a particular encryption procedure. The TTP acts similarly to the ALU in a computer, which just makes computations on the data provided and hands the results back.

Assumptions:

1. The cryptographic procedures are polynomial functions that can be inverted to get the original data.

2. The higher the degree of the polynomial, the safer and more secure the encryption.

3. p1, p2, …, pn are the n parties that wish to make a joint computation.

4. D1, D2, …, Dn are the data from the n parties.

Variables List:

n - Number of parties.
m - Degree of polynomial.
DEni refers to the encrypted data from the ith party.
REni is the encrypted result returned to the ith party.
Ri is the actual result obtained after decryption by the ith party.
F(x) is a polynomial of degree m:

$$f(x) = \sum_{i=0}^{n} a_{n-i} \cdot x^{n-i}$$

where $a_i$, $i = 0, 1, \ldots, n$, are coefficients and x is a variable.

$F^{-1}(x)$ is the inverse polynomial function that is used to decrypt the corresponding F(x).

Algorithm:

Data_Encrypt ()
Begin
    For i=1 to n do
    Begin
        /* Select an encryption polynomial and encrypt the data using that polynomial. */
        Select a suitable F(x) for encryption
        Compute DEni = F(Di)
        Forward DEni to the TTP
    End
End

TTP_Compute ()
Begin
    // Receive the encrypted data DEni from the individual parties, do the computations and
    // return the results (in encrypted form only).
    For i=1 to n do
    Begin
        TTP receives the encrypted data DEni
    End
    TTP makes computation on the encrypted data received from all the parties
    For i=1 to n do
    Begin
        TTP returns results REni to all the parties
    End
End

Data_Decrypt ()
Begin
    // Each party decrypts the encrypted results obtained from the TTP to get the final
    // computation result.
    Apply the inverse function F^{-1}(x) to decrypt REni
    Ri = F^{-1}(REni)
    Ri is the final computation result.
End
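A minimal run of the three steps above (Data_Encrypt, TTP_Compute, Data_Decrypt), as an added example that is not code from the paper. It assumes all parties share one cubic F(x); the coefficients and claim amounts are constructed here, and the block checks which TTP computations decrypt to the plaintext answer for that choice of F(x).

```python
# Added illustration; coefficients and claim amounts are constructed, not from the paper.
COEFFS = (3, 0, 5, 11)      # assumed shared F(x) = 3x^3 + 5x + 11, degree m = 3
CLAIMS = [1200, 450, 9800]  # constructed D1..Dn for n = 3 parties


def F(x):
    """Evaluate the encryption polynomial with Horner's rule."""
    acc = 0
    for a in COEFFS:
        acc = acc * x + a
    return acc


def F_inv(y, hi=10**9):
    """Invert F on 0..hi by bisection; F is strictly increasing for x >= 0."""
    lo = 0
    while lo < hi:
        mid = (lo + hi) // 2
        if F(mid) < y:
            lo = mid + 1
        else:
            hi = mid
    if F(lo) != y:
        raise ValueError("value is not F(x) for any integer x in range")
    return lo


def data_encrypt(values):
    """Data_Encrypt: each party i computes DEni = F(Di) and forwards it."""
    return [F(d) for d in values]


def ttp_max(encrypted):
    """TTP_Compute variant: largest value, computed on ciphertexts only."""
    return max(encrypted)


def ttp_sum(encrypted):
    """TTP_Compute variant: total, computed on ciphertexts only."""
    return sum(encrypted)


def run_protocol(values, ttp_compute):
    """Encrypt, let the TTP compute, then apply Data_Decrypt: Ri = F^-1(REni)."""
    return F_inv(ttp_compute(data_encrypt(values)))


def decrypts_correctly(values, ttp_compute, plain_compute):
    """True if the decrypted TTP result equals the same computation on plaintext."""
    try:
        return run_protocol(values, ttp_compute) == plain_compute(values)
    except ValueError:
        return False


if __name__ == "__main__":
    print("max via TTP:", run_protocol(CLAIMS, ttp_max))
    print("max decrypts correctly:", decrypts_correctly(CLAIMS, ttp_max, max))
    print("sum decrypts correctly:", decrypts_correctly(CLAIMS, ttp_sum, sum))
```

With this F(x), the maximum survives the round trip because F is order-preserving on non-negative inputs, while the sum of ciphertexts is not F of the sum, so the computation delegated to the TTP has to be matched to the polynomial.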

VI. ANALYSIS AND RESULTS

The Arithmetic Cryptographic Protocol provides an extremely secure data computing environment in which the chances of data theft and related frauds are minimized at the cost of some computations.

The proposed architecture is also foolproof against all threats, provided proper encryption/decryption procedures and network channels are employed. By using this protocol for healthcare, we can ensure security, privacy and correctness during computation and during data transfer. From the performance analysis made for the arithmetic cryptographic protocol, we can conclude the following:

- Secure polynomial functions can greatly reduce the chances of eavesdropping.

- A polynomial of degree three or higher (with at least three coefficients) has been found acceptable.

- Also, if the coefficients are known but their positions are not known, a high degree of security is still guaranteed. Even if m out of n places are known (where m<n), considerable security is still guaranteed.

- The chances of decryption are also reduced, as data is not encrypted using conventional encryption procedures but by our own polynomial functions.

- Redundancy need not be maintained, as there are no chances of data ever being corrupted or manipulated along the path.

Thus, a simple architecture with just a few cryptographic procedures is capable of handling all the peculiarities and threats involved in the healthcare sector.

VII. CONCLUSION

From the above discussion, it can be concluded that arithmetic cryptography is an altogether effective and affordable solution that can help overcome all the threats of fraud in the healthcare field. It is guaranteed to provide data security and privacy, along with confirmation of the correctness of results. This simple architecture of Secure Multiparty Computation can prove to be a better solution than the previous ones in terms of simplicity, privacy, reliability, performance, results and robustness.

REFERENCES:

[1] Kathryn Garson, Carlisle Adams, “Security and Privacy System Architecture for an e-Hospital Environment”, IDtrust ’08, March 4-6, 2008 Gaithersburg, in the proceedings of ACM 1978-1-60558-066-1…$5.00.

[2] Steven J. Fox, David S. Szabo, Howard A. Burde, “Managing Information Privacy & Security in Healthcare, RHIOs and HIPAA (Himss Privacy and Security Toolkit)”.

[3] Comments of Virginia Hospital & Healthcare Association to the Privacy Advisory Committee of the Joint Commission on Technology and Science, August 3, 2005.

[4] Durgesh Kumar Mishra, M. Chandwani, “Secure multi-party computation for arithmetic cryptography”, in the proceedings of IEEE international conference SouthEastcon 2007, pp 1-8.

[5] Akershus University Hospital, RSA The Security Division of RMC, RSA Security Inc., RSA Security Ireland Ltd., www.rsa.com.

[6] “Secure Access For Healthcare : SSL VPN Advantages”, An AEP Networks White Paper, www.aepnetworks.com, pp 1-7.

[7] “HIPPA Security & Privacy Issues”, Ultramatics (Innovation through strategic thinking) Inc., 2005, Tech-Insights, pp 1-3.

[8] Joel Portice, Roland Goity, “Using Advanced Decisioning Tools to Curtail Healthcare Fraud by Joel Portice”, [email protected], pp 1-6.

[9] Sanjaya Joshi, “HIPAA, HIPAA, Hooray? Current Challenges and Initiatives in Health Informatics in the United States”, Review, Biomedical Informatics Insights 2008:1, pp 45–54.

[10] Panos Alexopoulos, Xanthi Benetou, Tassos Tagaris, Panos Georgolios, Kostas Kafentzis, “IWEBCARE: An Ontological Approach for Fraud Detection in the Healthcare Domain”, IMC Research, {palexopoulos,pgeorgolios,kkafentzis}@imc.com.gr, Institute of Communication and Computer Systems, {xbenetou,tassos}@biomed.ntua.gr, Greece.
