Surgical privacy: Information Handling in an Infectious Environment
PUBLIC
Surgical Privacy: Information Handling in an Infectious Environment
Prepared by Ian Oliver, Privacy Architect - SPC
25/10/2013, updated 16/4/2014
Contents
• Introduction to Infection Control
• Infection Control as an Analogy
• Understanding Information Contamination through Data Flow Modelling
• Completing the Analogy
The Sterile Field
Key:
• Sterile
• Non-sterile
Movement of materials from one area to the other must be controlled to prevent contamination of the sterile field with non-sterile items
Strict protocols prevent contamination
© 2013 HERE | Title | Author | Company confidential
I know what you’re thinking…
What has this got to do with information privacy and keeping consumer and business data safe?
It is a great analogy for what we do.
The Surgical-Privacy ’Isomorphism’*:
[diagram: the surgical world S and the privacy world P, with a mapping f from S to P and g from P back to S, and the satisfaction relations ⊨S and ⊨P on each side]
*isomorphism up to some level of abstraction....sorry...
Material Flow – Direct Contamination Points
Strict protocols prevent contamination
• What are these protocols?
• What are the risks?
Material Flow – Possible Contamination Flow
How to prevent this?
• Access Control/Segregation: minimise interactions from ”untrusted” sources
• A designated role acts as a checkpoint between instruments and surgeons
Material Flow – Possible Contamination Flow
How to prevent this?
• Access Control (RBAC)
• Physical Segregation
Question: how is this split made in this environment?
Question: under what circumstances would this flow happen?
An Analogy (S = surgical, P = privacy)
Material
  S: Surgical tools
  P: Information
Material Flow
  S: Passing tools into (and out of) the sterile field or between people
  P: Network connection, data-set cross-references
Role
  S: Sterile roles vs non-sterile/circulating roles
  P: Processes, eg: application, analytics, deployments etc
Protocol
  S: Draping, movement, restricted areas, sterile clothing etc
  P: Consent, filtering, anonymisation, access control, data handling procedures
Contamination
  S: Sterile or not? (definition of sterility/clean in terms of dust, bacteria, viruses)
  P: PII, PCI, HIPAA, COPPA, location, identifier-related data
Risk
  S: Infection, disease etc
  P: Deanonymisation (leading to fines etc)
Measurement & Metrics
  S: Definition of sterility and cleanliness
  P: Amount and type of information content
Material Flow
For example, the typical dataflow from user via his/her app/device to the supporting backend systems, marketing, analytics and advertising...
Material (the data items carried on each flow)
UserID, Loc, Content, DevID
ID, Loc, DevID, Event
UserID, Token
Loc, DevID
Loc, DevID
f(ID), f(Loc), f(Event), f(DevID)
f(Loc), f(DevID)
Roles
• User
• User’s Device
• 3rd Party
• 3rd Party
• Here
Protocol
• Install/Run the app?
• Inform/Ability to turn off in the device?
• Login?
• Service improvement opt-in?
• Inform what the app does
• Inform about any 3rd parties
• Inform that the service is supported by adverts
• Inform for support reasons
• Marketing opt-in?
• ...
Metrics for Contamination
What does contamination mean in our context?
Each information class runs from sterile (left) to contaminated (right):
FIN: receipts, cc numbers, transaction details
HLT: exercise data, medical data
LOC: country, city, lat,long <50m, IP/cell
PER: name, email, ethnicity/religion
TIM: day, hour, second
ID: session(1), application, device, personal, session(2)
CONT: email/messaging, pictures, events, passwords
... information entropy with respect to identifying a single human being...
Metrics: further aspects
Information classes: FIN, HLT, LOC, PER, TIM, ID, CONT
Further dimensions: Information Longevity; Temporal/Historical; Big Data
Contamination with location data
Colours depict degree of contamination:
• Lat, long & accurate
• City level
• Country level
• Unk/No data
Contamination Routes

Contamination with device ID
Colours depict degree of contamination:
• IMEI or similar
• Hashed
• ”Randomised”
• Unk/No data
Contamination Routes
Information classes as metrics
Metrics can be calculated over, eg: Location, DeviceID
• Unk/No Data
• Concern
• Serious Concern
Contamination, Risks, Roles & Metrics
I know what you’re thinking…again…
So what? We know this already? Don’t we?
…well…
O.R. protocols and terms are very well defined and adhered to; privacy terms are loosely defined, and formal underpinning and adherence are minimal.
…ah ha… (or “uh oh”?)
Classification structures and aspects, eg: what does ”Secret” mean? What does location data mean? What does ”anonymised data” mean?
So what do we need?
Classification
• one or more information classes
• purpose (primary vs secondary)
• usage (context defined)
• security class (maybe)
Inference Rules
• eg: default handling for certain kinds of information
Metrics
• Comparison and calculation over classifications
Policies, Protocols, Maxims and Requirements
• Evaluation of compliance, not enforcement of compliance
• Non-monotonicity & retrenchment
• Architectural patterns
• Cataloguing and automatic ”enforcement”
• Mathematics and engineering

So what do we have?
Classification
• one or more information classes
• purpose (primary vs secondary)
• usage (context defined)
• security class (maybe)
Inference Rules
• eg: default handling for certain kinds of information
Metrics
• Comparison and calculation over classifications
Policies, Protocols, Maxims and Requirements
• Evaluation of compliance, not enforcement of compliance
• Non-monotonicity & retrenchment
• Architectural patterns
• Cataloguing and automatic ”enforcement”
• Mathematics and engineering
Classifying Information
Each data point (and by inference data-set) is classified by
• one or more information classes
• purpose (primary vs secondary)
• usage (context defined)
• security class (maybe)
Classification by Inference
Security classifications can be made by inference over what data is being handled, context etc.
For example:
• Data sets containing ”Lat,Longs” should be handled according to the ”confidential” classification
• If a dataset can be inferred to contain confidential and secret data, then we take the highest level of secrecy
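The classification-by-inference idea above, together with the per-class sterile-to-contaminated axis from the metrics slides, as an added worked example (this is illustrative code, not from the deck or from HERE): each data point carries one or more information classes at some level on its class's axis, a data set's profile is the join (most contaminated level per class) over its points, security classes are inferred from rules and the highest one wins. The class names and axis values come from the deck; the list ordering used as the axis, the placement of "city", the security class names other than "confidential" and "secret", and every rule except the lat/long one are this example's assumptions.

```python
"""Classification by inference over information classes.

Added example, not from the deck: a hypothetical model in which every data
point carries one or more information classes (FIN, HLT, LOC, PER, TIM, ID,
CONT) at some point on the slide's sterile -> contaminated axis. A data set's
classification is the join (most contaminated level) over its points, and a
security class is inferred from rules such as "lat/long is confidential".
"""

# Per-class contamination axis, sterile (left) to contaminated (right).
# Class names and values follow the metrics slide; the position of "city"
# and the use of list order as the axis are this example's assumptions.
LEVELS = {
    "FIN": ["receipts", "cc numbers", "transaction details"],
    "HLT": ["exercise data", "medical data"],
    "LOC": ["country", "city", "lat,long <50m", "IP/cell"],
    "PER": ["name", "email", "ethnicity/religion"],
    "TIM": ["day", "hour", "second"],
    "ID": ["session(1)", "application", "device", "personal", "session(2)"],
    "CONT": ["email/messaging", "pictures", "events", "passwords"],
}

# Security classes, least to most restrictive ("public" is an assumed name).
SECURITY_CLASSES = ["public", "confidential", "secret"]

# Inference rules: (information class, minimum level, implied security class).
# The LOC rule is the one stated on the slide; the rest are illustrative.
RULES = [
    ("LOC", "lat,long <50m", "confidential"),
    ("PER", "name", "confidential"),
    ("FIN", "cc numbers", "secret"),
    ("HLT", "medical data", "secret"),
    ("CONT", "passwords", "secret"),
]


def rank(info_class, level):
    """Position of `level` on its class's axis (0 = most sterile)."""
    return LEVELS[info_class].index(level)


def dataset_profile(points):
    """Join of the per-point classifications: for every class present,
    keep the most contaminated level seen in any point."""
    profile = {}
    for point in points:
        for info_class, level in point.items():
            current = profile.get(info_class)
            if current is None or rank(info_class, level) > rank(info_class, current):
                profile[info_class] = level
    return profile


def infer_security_class(profile):
    """Fire every matching rule and keep the highest implied class
    (the slide's 'take the highest level of secrecy')."""
    highest = 0
    for info_class, min_level, sec_class in RULES:
        if info_class in profile and rank(info_class, profile[info_class]) >= rank(info_class, min_level):
            highest = max(highest, SECURITY_CLASSES.index(sec_class))
    return SECURITY_CLASSES[highest]


def contamination_score(profile):
    """Crude metric for comparing data sets: each class contributes its axis
    position normalised to [0, 1]; more classes and finer detail score higher."""
    return round(sum(rank(c, l) / (len(LEVELS[c]) - 1) for c, l in profile.items()), 3)


# Constructed samples modelled on the app/device data flow from the deck.
APP_EVENTS = [
    {"ID": "device", "LOC": "lat,long <50m", "TIM": "second", "CONT": "events"},
    {"ID": "device", "LOC": "city", "TIM": "hour"},
]
ANALYTICS_EXPORT = [
    {"ID": "application", "LOC": "country", "TIM": "day"},
]

if __name__ == "__main__":
    for name, points in (("app events", APP_EVENTS), ("analytics export", ANALYTICS_EXPORT)):
        profile = dataset_profile(points)
        print(name, profile, infer_security_class(profile), contamination_score(profile))
```

The join in `dataset_profile` is what makes the "highest level" rule work: one point with a fine-grained lat/long is enough to make the whole data set confidential, however coarse the other points are. The score is deliberately simple; its value lies in comparing two data sets (raw app events against an aggregated analytics export) rather than in the absolute number.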
So…
Starting with a simple analogy: the transfer of infectious materials
We:
• defined the transfer points
• defined the transfer mechanisms
• identified the protocols to minimise transfer
• defined a mechanism for classifying the infectious agents
• defined a metric for measuring the amount of infectious agent
• identified the risk of the infectious agents
and most importantly:
• placed all of the above into a formal, generally applicable context
• ie: externalised OUR internal knowledge => R&D team can more effectively apply this.
…some maxims… (S = surgical, P = privacy)
S: All tools are considered unsterile unless explicitly stated and proven to be sterile.
P: All information is considered to contain PII, to be PCI/HIPAA/COPPA/SOX non-compliant, secret etc. unless explicitly stated and documented.

S: Only designated persons/roles are allowed to handle sterile items.
P: Access control is based upon the need to handle that information, eg: only a PCI compliant system can handle financial data.

S: Passing or transport of a sterile item to an unsterile person/role/area makes it unsterile.
P: Moving data means that the target and transport must be as protective and compliant as the source, unless the data can be cleaned.

S: Potential contamination routes are explicitly known and guarded against.
P: Storage, transport and processing of data must adhere to the requirements (or better) for the data being handled.

S: Contamination guards exist inherently in the system through protocol, procedure or physical barrier.
P: Contamination is prevented by the source ensuring data is cleaned sufficiently in explicitly stated/mandated manners.

S: The stronger the disinfectant the more sterile an item will be.
P: The more information content removed the cleaner the dataset will be.
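The "moving data" and "everything is contaminated unless stated" maxims, applied to the user device to backend to 3rd party flow from the material-flow slides, as an added worked example (illustrative code, not from the deck or from HERE): each role declares the most contaminated level of each information class it is compliant to handle, each flow carries a payload optionally through a cleaning step f() that can only lower a level, and a flow that delivers more contamination than its target may handle is reported as a contamination route. The degree-of-contamination scales come from the location and device-ID slides; the role names (including `here_backend` standing for the "Here" role), their declared limits, the flows and the cleaning rules are constructed for this example.

```python
"""Checking a material flow against the 'moving data' maxim.

Added example, not from the deck: a hypothetical model of the user device ->
backend -> 3rd party flow. Each role declares the most contaminated level of
each information class it is compliant to handle; each flow carries a payload,
optionally through a cleaning step f() that lowers a class's level. A flow
that delivers more contamination than the target can handle is a
contamination route, and a class the target never declared is treated as one
it must not receive (the 'everything is contaminated unless stated' maxim).
"""

# Degrees of contamination from the location and device-ID slides, sterile -> contaminated.
LEVELS = {
    "LOC": ["none", "country", "city", "lat,long"],
    "DevID": ["none", "randomised", "hashed", "IMEI"],
}


def rank(info_class, level):
    """Position of `level` on its class's axis (0 = no data at all)."""
    return LEVELS[info_class].index(level)


# Roles and the highest level each is compliant to handle (assumed values;
# "here_backend" stands for the "Here" role on the roles slide).
ROLES = {
    "user_device": {"LOC": "lat,long", "DevID": "IMEI"},
    "here_backend": {"LOC": "lat,long", "DevID": "hashed"},
    "analytics_3rd_party": {"LOC": "city", "DevID": "hashed"},
    "advertising_3rd_party": {"LOC": "country"},  # no DevID entry: may not receive any device id
}


def clean(payload, f):
    """Apply f(): lower the named classes to the given level. Cleaning can only
    remove information, so a 'cleaning' that would raise a level is ignored."""
    out = dict(payload)
    for info_class, target in f.items():
        if info_class in out and rank(info_class, target) < rank(info_class, out[info_class]):
            out[info_class] = target
    return out


# (source, target, payload leaving the source, cleaning applied in transit). Constructed.
FLOWS = [
    ("user_device", "here_backend", {"LOC": "lat,long", "DevID": "IMEI"}, {"DevID": "hashed"}),
    ("here_backend", "analytics_3rd_party", {"LOC": "lat,long", "DevID": "hashed"}, {"LOC": "city"}),
    ("here_backend", "advertising_3rd_party", {"LOC": "city", "DevID": "hashed"}, {"LOC": "country"}),
]


def contamination_routes(flows, roles):
    """Return every (source, target, class, delivered level, allowed level) where
    the delivered data is more contaminated than the target may handle."""
    findings = []
    for src, dst, payload, f in flows:
        delivered = clean(payload, f)
        for info_class, level in delivered.items():
            allowed = roles[dst].get(info_class, "none")  # undeclared => nothing allowed
            if rank(info_class, level) > rank(info_class, allowed):
                findings.append((src, dst, info_class, level, allowed))
    return findings


if __name__ == "__main__":
    for finding in contamination_routes(FLOWS, ROLES):
        print("contamination route:", finding)
```

With the constructed flows, the only route reported is the hashed device ID reaching the advertising party, which never declared that it may handle device identifiers at all: the location was cleaned to country level, but the device ID was not cleaned, so the source has not met the maxim of cleaning sufficiently before the data moves. Adding `"DevID": "none"` to that flow's cleaning step clears the finding.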
Exercise left for reader
• what materials are being transported?
• what protocols for controlling the flow are there?
• where are the control points?
• how much contamination could happen?
• how much risk do we take?
Key: sterile / contaminated
Movement of materials from one area to the other must be controlled to prevent contamination of the sterile field with non-sterile items
fin.