Information Security in an E-Health World: Policies and Technologies

12th World Congress on Health Medical Informatics (MEDinfo) 2007

Panel S114

Panel S114: Information Security in an E-Health World; Policies and Technologies

Brisbane Convention Center – Australia. August 22nd, 2007

The Goal of this Panel

• To outline information security problems, solutions, practice and trends in healthcare; starting from real cases that demonstrate the importance of the appropriate security controls and demonstrating the technical steps and technologies that must be used to ensure system and patient safety.

Panel Overview

• PART I – Ted Cooper
  • Case Study of the Kaiser Permanente Security Breach - Lessons Learned, International Standards, Enabling High Reliability & Resilience.
• PART II – Mike Davis
  • Safeguarding Electronic Health Data: Achieving Security and Privacy Through Policy and Technology
• PART III – Bernd Blobel
  • Security Services – Key Concepts, Policy and Technology Implications
• PART IV – Tyrone Grandison
  • Security and Privacy Technology Enablers for Healthcare Systems

Rules of Engagement

• Each panelist will give a fifteen (15) minute presentation, followed by a five (5) minute Q&A session.
• All cell phones should be off or set to vibrate.

Case Study: Kaiser Permanente Security Breach - Lessons Learned, International Standards, High Reliability & Resilience

Ted Cooper, MD, Stanford University
Kaiser Permanente 1973-2003

MEDINFO 2007 S114 Panel: Information Security in an E-Health World: Policies and Technologies

Kaiser Permanente

• KP Overview
• IT Experience
• Privacy & Security Programs

KP Online

• Web-based Patient Portal
• Mission
• Service Level Agreements

Recognizing a Breach

• Patient advice and message center
  • received a phone call
• IT Notification - Escalation
  • Enterprise Support System
  • KP Online Business Team
  • Top Management

The Response & The Organization’s Repertoire

• Resources
  • Individual Skill Sets
  • Leadership
  • Organizational Culture
• Crisis Management Team
• Root Cause Analysis
• Mitigation
• Organizational and Procedural Changes

Root Cause Analysis

Technical
• Changes to servers – caused Sendmail malfunction
• Repair required because of malfunction causes breach
• Normal Accident Theory
  • Tightly Coupled Complex Systems

KP-IT Organization
• Regional to National Structure
• Technical conjunction
• Organizational disjunction
• Departments with conflicting priorities
• New rapidly changing technology

Lessons Learned from KP Online Breach

1. Complex, tightly-coupled computerized health information system architectures potentially aggravate security breaches or other mistakes.
  • They have the capacity to transform errors into cascading system accidents.

2. Security training is necessary but insufficient to prevent breaches.
  • Individual errors, group failures, and system accidents may contribute to information security breaches without violating the HIPAA security rules or standard information security policies, procedures or practices.

Lessons Learned from KP Online Breach

3. Breaches of healthcare information may signify:
  • broader organizational discontinuities and failures
  • particularly likely during periods of reform or transition

4. ISO 17799, HIPAA, the European Privacy Directive, and other regulatory regimes are forcing healthcare organizations throughout the world to pay increasing attention to security practices
  • protecting health information also requires fostering general good information management practices
  • change control, routine inter- and intradepartmental communication, and comprehensive failure analysis that transcend the domain typically labeled “information security.”

Breaching the Security of the Kaiser Permanente Internet Patient Portal: the Organizational Foundations of Information Security. Collmann J, Cooper T, J Am Med Inform Assoc 2007; 14: 239-243.

International Organization for Standards (ISO)

• JTC1 Information Technology
  • SC 27 Security Techniques Workgroups
    1. Requirements, security services and guidelines
    2. Security techniques and mechanisms
    3. Security evaluation criteria
    4. Security controls and services
    5. Identity management and privacy technologies

• TC 215 Health Informatics
  • Work Group 4 Security in Healthcare
    1. Protect and enhance confidentiality, availability and integrity
    2. Prevent systems from adversely affecting patient safety
    3. Ensure accountability of users of systems

International Security Standards

• ISO/IEC 17799:2005 Information technology - Security techniques - Code of practice for information security management (not auditable)
• ISO 27799 (under development in TC 215 WG4)
  • A guide for applying ISO 17799 for health information
  • Minimum set of requirements
• ISO/IEC 27001:2005 Information Security Management System Requirements (auditable)

Capability Maturity Model® ISO/IEC 21827:2007 Systems Security Engineering

• Describes security engineering process that must exist to ensure good security engineering.
• A standard metric for security engineering practices
  • the entire life cycle
  • the whole IT organization
  • concurrent interactions with other disciplines
  • interactions with other organizations

COBIT - The Control Objectives for Information and Related Technology

• Aimed at maximizing the benefits derived through the use of information technology
  • Best practices (framework) for IT management
  • Generally accepted measures, indicators, processes and best practices to assist organizations in developing appropriate IT governance and control in a company.
• Created by the
  • Information Systems Audit and Control Association (ISACA)
  • IT Governance Institute (ITGI) in 1992
• Motivated by the recognition that organizational missions are dependent on IT functionality and performance

ISO/IEC 21827 & COBIT

• Capability Maturity Model® ISO/IEC 21827:2007 Systems Security Engineering comes from the perspective of software engineering and IT operations.
• COBIT comes from the perspective of the organization and its need to achieve value from IT
• Both involve Capability Maturity Models

Capability Maturity Models

ISO Levels:
• 0: Incomplete
• 1: Performed
• 2: Managed
• 3: Defined
• 4: Quantitatively Managed
• 5: Optimizing

COBIT Levels:
• 0: Non-existent
• 1: Initial/ad hoc
• 2: Repeatable & Intuitive
• 3: Defined Process
• 4: Managed & Measurable
• 5: Optimized

Highly Reliable Organizations

Hallmarks
• Preoccupation with failure
• Reluctance to simplify interpretations
• Sensitivity to operations
• Commitment to resilience
• Deference to expertise

• Weick & Sutcliffe
  • Managing the Unexpected 2001

Avoiding Failure

• High Reliability Theory
  Serious accidents with hazardous technologies can be prevented through intelligent organization design, implementation and management.

• Normal Accident Theory
  Serious accidents with hazardous technologies cannot be prevented no matter how hard we try using organization design, implementation and management.

HRO Maturity Model: Organizational Stages

(Figure: five stages, in order)
1. Survival
2. Containment
3. Organizational Stabilization
4. Institutional Learning
5. High Reliability

© Maxcomm, Inc.

Survival Stage: Key Challenge & Characteristics

Key Challenge: Surviving multiple failures

Characteristics: (1) unstable dirty process with little opportunity for anomaly spotting and/or containment, (2) little to no capability for early error detection, (3) limited recognition that the organization has crossed the boundary into unknowable complexity; an engineering mindset may still pervade and (4) culture of fear, bewilderment and low confidence

Containment Stage: Key Challenge & Characteristics

Key Challenge: Building containment processes & avoiding a catastrophic event

Characteristics: (1) focus on current critical incidents, (2) HRO infrastructure, processes, roles and governance in very early foundational stages, (3) frightening discoveries in regards to lack of stable foundational processes and (4) culture of both firefighting heroics and sleepy complacency

Organizational Stabilization Stage: Key Challenge & Characteristics

Key Challenge: Building a robust foundation of solid repeatable processes

Characteristics: (1) focus on building out HRO infrastructure, processes, roles and governance, (2) organization becoming increasingly mindful, both anticipating failure events and containing them, (3) widespread acknowledgement of the organization’s mission to become an HRO and (4) cultural confidence growing as organizational foundation improves

Institutional Learning Stage: Key Challenge & Characteristics

Key Challenge: Building enduring organizational knowledge from incidents & near misses

Characteristics: (1) focus on learning capture and rapid dissemination of new knowledge, (2) organization has leveraged knowledge into greater mindfulness and resilience, (3) time between failure events is increasing and (4) culture connected, confident and growing in knowledge and capability

High Reliability Stage: Key Challenge & Characteristics

Key Challenge: Remaining ever mindful and ever vigilant as time between failure events stretches

Characteristics: (1) focus is on maintaining and improving all aspects of high reliability, (2) mindfulness pervades the organization, (3) time between failure events is significant, (4) use of increasingly complex and sophisticated simulations to model failure and the unexpected, (5) learning now from merely “interesting” events and (6) the “brand” is synonymous with high reliability

Conclusion

• HIPAA compliance does not preclude breaches of privacy
• Breaches are likely, plan for them
• Become a Highly Reliable Organization
• Develop Resiliency

Safeguarding Electronic Health Data: Achieving Security and Privacy Through Policy and Technology

Mike Davis, Veterans Administration

Agenda

Electronic Health Record Security policy and technologies in light of recent Federal experiences.

• Policy and Technology Implications/Drivers
• Cautions - Katrina and Identity Theft
• Advanced Architecture Requirements

Global Technology Trends

• Complexity – Managing authentication/authorization for multiple different systems, protocols and implementations
• Scalability – Managing hundreds of systems and tens of thousands of users, millions of patients/members
• Adaptability - New laws, policies and practices not originally planned for, new technologies. Need for future-proof technologies.
• Interoperability – Open, secure data exchange within/across enterprises. Logical and semantic interoperability with business partners.
• Assurability - Certification, testing and maintaining assurance of security function over system life-cycle

Legal and Social Issues

• Rise of universal access to information (authn/authz). How do we extend trust across organizations? What are liabilities?
• Common credentials for Feds but no standard for citizens. What are the tradeoffs of privacy vs security?
• What are the privacy rights of clinicians? Do clinicians have rights?
• We are seeing a convergence of Security and Privacy enforcement in electronic environments. Solution or train wreck?
• At what point do patient safety concerns trump security/privacy?

(Figure labels: HIPAA, Sarbanes-Oxley, HSPD-12, E-Gov)

American Health Information Community

1. Secure Communications Channel
2. Collect and Communicate Secure Audit Trail
3. Privacy Consents
4. Verify Privacy Consents
5. Manage Identity Credentials
6. Document Integrity
7. Manage and Control Data Access
8. Non-repudiation

Emerging Technology Example: HC DRM

• VA is implementing DRM to protect MS Exchange messages (internally)
• Clinical use cases/requirements currently limited to confidentiality
• Potential for patients to use DRM to enforce read-only access to PHR. For example, in Trustee Model, Personal EHR data is read-only protected once it leaves control of the patient.

Digital Rights Management (Content Management) is the technology used by the music industry to protect IPR

Hurricane Katrina

• Hurricane Katrina reaches landfall Monday August 29, 2005.
• Power and communications lost to Jackson, Biloxi, and New Orleans VAMCs.
• Generators provide emergency power.
• Patient records inaccessible from remote facilities where displaced patients are treated.
• VA team set up to restore full access to impacted sites.

(Photo caption: Landfall August 29, 2005)

Health care support during disasters is missing from the list of EHR benefits…

New Orleans VAMC - Before

New Orleans VAMC - After

Gulfport VAMC - Before

Gulfport VAMC - After

Katrina VA EHR Performance

Data Type                              Requests   Percentage of Total Requests
Radiology reports                          1088        1.83
Discharge summary                          1128        1.90
Lab results: chemistry & hematology        1283        2.16
Doctors' orders                            1499        2.52
Patients' medical problem list             1880        3.16
Medications: Outpatient                    4809        8.09
Medications: Inpatient                     7659       12.88
Text-based notes catalog                  10417       17.52
Progress note text                        11672       19.63
Text-based reports, other                 13478       22.67

Source: http://www.ajph.org/cgi/content/abstract/97/Supplement_1/S136

• VA's single organizational structure, trained staff, and EHR system permitted responses to be well underway by 31 Aug, 2005.
• By Sept 30, 2005, clinical data were accessed electronically for at least 38% (14,941 of 39,910) of patients cared for prior to Hurricane Katrina by New Orleans VA medical facilities.
• Approximately 1000 patients per day (2/3 of pre-Katrina values) had data accessed during the month following Hurricane Katrina.
• Health care data were transmitted to more than 200 sites in 48 states and to at least 2300 users.

Lessons Learned

1. When "displaced" persons seek medical care, it is usually in the absence of their medical charts.
2. More complete EHRs are needed, but secure data sharing among different EHRs is also important.
3. Satellite network access for data communication is a critical option.
4. Reviews of privacy regulations are needed to enable protective yet flexible "break-the-glass" to allow for timely disaster responses outside of normal operations.
5. Pharmacy and laboratory computerization alone, although among the most commonly available, will not be sufficient for future disaster support systems.
6. Requests for text-based data were significantly greater than for medications and lab.

While VA recovered from Katrina another storm was brewing…

Identity Theft Disaster

April 2007: VA required encryption on all "thumbdrives" and prohibited use of most other USB storage devices.

August 2006: VA encrypted all laptops (22K).

June 2006: OMB (M-06-16) issued a memorandum requiring Federal Departments and Agencies to:
• Encrypt all data on mobile computers/devices which carry agency data.
• Allow remote access only with two-factor authentication.

May 2006: Theft of a VA employee's hard drive left in its wake the loss of personal information on at least 26.8 million veterans, active military, and dependents… characterized as the largest data breach ever in the Government. Policies in place did NOT:
• Prohibit removal of protected information from the worksite, or storing protected information on a personally owned computer.
• Provide safeguards for electronic data stored on portable media.

Rise of Identity Theft

Mid 2005: Card processor CardSystems Solutions had its IT systems hacked to the tune of more than 40 million consumer records.

April 2007: For more than a decade, the Census Bureau posted on a public Web site 63,000 Social Security numbers of people who received financial aid. The apparent violation of Federal privacy law prompted concerns about identity theft.

2006 - 2007: TJX Companies suffered a long-term hacker breach and information related to more than 45 million credit cards was accessed by unauthorized parties. Assuming most of those adults had some form of available credit, this breach alone compromised a quarter of the U.S. population's cards.

2004: The Payment Card Industry (PCI) Data Security Standard provides basic security. Many older systems remain vulnerable despite the guideline. It requires encryption over public networks but not at rest.

Distributed Services Framework

(Diagram: IAM within the distributed services framework)

Enterprise Solutions: IAM Infrastructures

• Identity and Access Management provides enterprise-wide service-oriented architecture solutions for user authentication, authorization and audit, including directories, single sign-on, and identity and access provisioning.
• Part of a service-oriented security architecture
  - Provides common security infrastructure for identity and access management
  - Allows for sharing of security information
  - "Decouples" security mechanisms formerly tightly integrated with specific applications.
• Authentication component
• Authorization/access control component
• Provisioning component (e.g., Role assignment)
• Cross-cutting Audit

Role-based Access Control

Health Level 7 balloted the first-ever world-wide role-based access control permission definitions (Jan 2006).
  - DSTU included 224 possible Permissions based upon 56 defined objects

HL7 RBAC Permission Vocabulary, HL7 Security Technical Committee, Jan 2006

(Diagram, adapted from ANSI INCITS 359-2004*: Users -> (UA) User Assignment -> Functional Roles / Authenticated Basic Roles -> (PA) Permission Assignment -> PERM = Permissions, each a pairing of OPS = Operations with OBJ = Objects; Session = Workflow. Example: userid=SmithJ -> Physician -> Physician Permissions.)

HL7 permission vocabulary successfully balloted (May 2007) but will be re-balloted for consensus.

http://www.va.gov/rbac
* Adapted from ANSI INCITS 359-2004

How It All Fits Together

ROLE = Physician
PERMISSION = Write Medication Order
BUSINESS RULE = 1st year Oncology Residents need Orders co-signed by Attending Physician
PRIVACY RULE = Dr. Smith may see my record
CONSTRAINTS = Express further restrictions based upon separation of duties, cardinality, time, location, etc.

Dr. Joe Smith is an Oncologist (role inheritance)
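An added example, not code from the panel or from VA, of the core RBAC model the slides adapt from ANSI INCITS 359-2004 (users, roles, permissions as OPS/OBJ pairs, UA, PA, sessions, role inheritance) combined with the rules on this slide: the co-signature business rule, the patient's privacy rule and a separation-of-duty constraint. Role names, user ids and patient ids are constructed for illustration and are not taken from the HL7 or VA vocabularies.

```python
"""Core RBAC (Users -UA-> Roles -PA-> Permissions, Sessions) with inheritance,
a static separation-of-duty constraint, the co-signature business rule and
the patient privacy rule. Constructed example; identifiers are illustrative."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    ops: str  # OPS: operation, e.g. "write"
    obj: str  # OBJ: protected object, e.g. "Medication Order"


class RBACEngine:
    def __init__(self):
        self.role_perms = {}       # PA: role -> set of Permission
        self.role_juniors = {}     # inheritance: role -> roles whose permissions it acquires
        self.user_roles = {}       # UA: user id -> assigned roles
        self.sessions = {}         # session id -> (user id, activated roles)
        self.ssd = []              # constraint: statically mutually exclusive role pairs
        self.cosign_roles = set()  # business rule: roles whose orders need a co-signature
        self.consent = {}          # privacy rule: patient id -> user ids the patient allows

    def add_role(self, role, inherits=()):
        self.role_perms.setdefault(role, set())
        self.role_juniors[role] = set(inherits)

    def grant(self, role, ops, obj):  # PA
        self.role_perms[role].add(Permission(ops, obj))

    def effective_roles(self, roles):
        """Transitive closure over inheritance, e.g. Oncologist -> Physician -> Authenticated."""
        seen, stack = set(), list(roles)
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.role_juniors.get(r, ()))
        return seen

    def assign(self, user, role):  # UA, refused if it would violate static SoD
        held = self.user_roles.setdefault(user, set())
        effective = self.effective_roles(held | {role})
        for a, b in self.ssd:
            if a in effective and b in effective:
                raise ValueError(f"SSD violation: {user} may not hold both {a} and {b}")
        held.add(role)

    def open_session(self, sid, user, active):
        """Least privilege: a session activates only a subset of the user's (inherited) roles."""
        allowed = self.effective_roles(self.user_roles.get(user, set()))
        if not set(active) <= allowed:
            raise ValueError("session may activate only roles assigned to the user")
        self.sessions[sid] = (user, set(active))

    def decide(self, sid, ops, obj, patient=None):
        """Permission check, then patient consent, then the co-signature rule."""
        user, active = self.sessions[sid]
        wanted = Permission(ops, obj)
        if not any(wanted in self.role_perms[r] for r in self.effective_roles(active)):
            return "deny: no permission"
        # Simplification: consent gates every operation on that patient's data.
        if patient is not None and user not in self.consent.get(patient, set()):
            return "deny: privacy rule"
        if active & self.cosign_roles:
            return "permit: co-signature by attending required"
        return "permit"


def build_demo():
    """Constructed roles, users and patients; not an HL7 or VA vocabulary."""
    e = RBACEngine()
    e.add_role("Authenticated")                                    # basic role
    e.add_role("Physician", inherits=["Authenticated"])
    e.add_role("Oncologist", inherits=["Physician"])               # functional role
    e.add_role("Oncology Resident PGY-1", inherits=["Physician"])
    e.add_role("Pharmacist", inherits=["Authenticated"])
    e.grant("Authenticated", "read", "Directory")
    e.grant("Physician", "write", "Medication Order")
    e.grant("Physician", "read", "Patient Record")
    e.grant("Pharmacist", "verify", "Medication Order")
    e.ssd.append(("Physician", "Pharmacist"))       # prescriber must not also verify
    e.cosign_roles.add("Oncology Resident PGY-1")   # 1st-year residents' orders are co-signed
    e.consent["patient-0001"] = {"SmithJ", "LeeR"}  # "Dr. Smith may see my record"
    e.consent["patient-0002"] = {"NgP"}
    e.assign("SmithJ", "Oncologist")                # Dr. Joe Smith is an Oncologist
    e.assign("LeeR", "Oncology Resident PGY-1")
    e.assign("NgP", "Pharmacist")
    e.open_session("s-smith", "SmithJ", {"Oncologist"})
    e.open_session("s-lee", "LeeR", {"Oncology Resident PGY-1"})
    e.open_session("s-ng", "NgP", {"Pharmacist"})
    return e


if __name__ == "__main__":
    eng = build_demo()
    for sid in ("s-smith", "s-lee", "s-ng"):
        print(sid, eng.decide(sid, "write", "Medication Order", "patient-0001"))
    try:
        eng.assign("NgP", "Oncologist")   # would make NgP both prescriber and verifier
    except ValueError as err:
        print(err)
```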

General Security Service Framework

(Diagram: Auditing and Reporting spans all services. Consumers: PACS; LOB Systems/Applications; Operating Systems; Systems/Applications (HR, etc.); Portals and Self Service.)

Access Management
• Identification, authentication and enterprise SSO
• Authorization and access control
• Federated Identity Management (FIM)

Identity Administration
• Identity proofing
• User and group management
• Credential management
• Self-service

Identity Provisioning
• Integrated user provisioning
• Cross-enterprise provisioning

Directory Services
• LDAP, meta and virtual directories

Future IdM/IAM Framework

(Diagram: Enterprise Data; Security Services: Authorization, Authentication, Directory Services, Provisioning; Identity Services: Identity Correlation, Identity Administration, Identity Enumeration, Identity Synchronization, Audit; Business Services; LOB Data; LOB Data Services; Applications; Portal; Personal Identity Verification (PIV).)

Summary

• EHRs provide the means to implement interoperable HIT infrastructures, including support during disasters, but carry increased risk of massive data loss.
• Future-proof architectures implementing service-oriented approaches provide flexibility, adaptability and interoperability by separating security from application business functions.
• Greater security and privacy integration will be needed to meet healthcare business and policy requirements.

Security Services – Key Concepts, Policy and Technology Implications

Bernd Blobel, PhD, Associate Professor
Head, German National eHealth Competence Center (eHCC)
University of Regensburg Medical Center
Regensburg, Germany

MEDINFO 2007, S114 Panel: Information Security in an E-Health World: Policies and Technologies

The eHealth Challenge

• To meet the challenges of high-quality and efficient health systems that all developed and, increasingly, also developing countries face, the following paradigm changes are inevitable:
  - Turning health systems to customisable, comprehensive and completely integrated care in close relation to efficient public health.
  - The current development from organisation-centred to process-oriented care has to continue to personalised care (body map area, patient monitoring). Emphasis on prevention and home care.
• Such development must be supported by appropriate, trustworthy ICT to support health telematics and telemedicine – summarised as eHealth.

Aspects of Protection and Security (after C. Laske)

• Security and Protection
• Security of personal data (data protection)
• Protection of the data subject
• Protection of privacy
• Protection of the user
• Patient safety ...

Legal framework

• Council of Europe: Strasbourg Convention 108 (1981)
• European Union: Directive 95/46/EC
• national legislation following 95/46/EC
• specific provisions for HC
• HIPAA
• details filled in by standardisation ("new approach" in EU)

Standards Classification Health Informatics Security (1/2)

• Architecture standards
  - HL7 versions 2.x/3, CORBA, MDA, HISA
• Modelling standards
  - UML, CEN 15300: "CEN Report: Framework for formal modelling of healthcare security policies"
• Communication standards
  - CEN 13608: "Security for healthcare communication", CEN 13606: "Electronic healthcare record communication"
• Infrastructure standards
  - ISO 17090: "Public key infrastructure", ETSI TS 101733: "Electronic Signature Formats"

Standards Classification Health Informatics Security (2/2)

• Privacy standards
  - ASTM E1987-98: "Standard guide for individual rights regarding health information", CEN 13729: "Secure user identification - Strong authentication using microprocessor cards"; ISO/IEC PDTS Pseudonymisation Practices for the Protection of Personal Health Information and Health Related Services
• Safety standards
  - CEN 13694: "CEN Report: Safety and security related software quality standards for healthcare"; ISO/DTS 25238 Classification of Safety Risks
• Terminology and ontology standards
  - UMLS, SNOMED
• Identifier and identification schemes
  - LOINC, ASTM E1714-00: "Standard guide for properties of a Universal Healthcare Identifier"

Responsibilities

• Government: legal and ethical framework
  - Base: EU directive 95/46/EC
  - National privacy legislation and supporting laws
  - Statements by HC Inspectorate
• Professional bodies: active participation in standardisation work
• Management: organisational culture, definition of responsibilities, clear statements about policy
• All users: awareness for quality, safety and security

Fair Information Principles (after E.-H. Kluge)

• Openness, publicity
• Limitation of data collection
• Limitation of information disclosure
• Limitation of information use
• Security
• Access control

Ethical Principles (after E.-H. Kluge)

• Autonomy and respect of person
• Exclusion of impossibility for realising the right
• Exclusion of relevant differences between right and realisation (praxis)
• Obligation for best action
• Assurance of range of priority (logic, natural, voluntary)
• Assurance of equality and legality

Common TTP policy

(Diagram: two parallel chains of derivation)

Based on the Electronic signature directive
  -> Legal coherence with European rules
  -> Legal coherence with national rules, i.e. legal interoperability

Based on the EESSI electronic signature standard
  -> Technical coherence with European (international) standards
  -> Technical coherence with standards, i.e. technical interoperability

TTP functions and requirements

(Diagram) Functions: Identification & authentication; Integrity; Confidentiality; Non-repudiation; Security logging; Access control; Directories; Certificate handling; Card issuing; Naming; Key management; Registration; Anonymisation; Time stamping; Prof. registration.

Service classes:
• Basic services: services directly related to the secure communication between two users
• Infrastructural services: services which facilitate secure communications on a large scale involving mutually distrustful users
• Value added services: services related to the business value or security of document or message exchange, given by agreements or by regulations

(Diagram: "Entity of users" plotted against "Entity of medical information". User axes: Individuality, Responsibility; Number of Users. Information axes: Detail, Speciality, Sensitivity; Amount of Information. User classes: Special user classes; Temporary user teams; Responsible caring doctor. Information classes: Visit-related information; Anonymised information; Identified general information.)

Security Policy

• Security policy is a complex of legal, organisational, functional, medical, social, ethical and technical aspects, which must be considered in the context of data protection and data security.
• Security policy defines the framework, rights and duties of the principals involved, but also the consequences and penalties in case the stipulations made are disregarded.

Access Control for System to System Communication

(Diagram: Security Domain 1 and Security Domain 2, linked by a Policy Agreement and a common Directory Service. Each domain holds an Authority Assignment (Domain 1 / Domain 2), a Role Assigner, an Access Control Service (1 / 2) and a System (1 / 2) with application A1 / A2 and database DB1 / DB2, plus the user ID. Role A is defined according to Assigner 1 and according to Assigner 2. Flow: Request for Information from Domain 1 to Domain 2; Granted Information returned.)

(Diagram: layered security model with the levels concepts, services, mechanisms, algorithms and data, shown side by side for communication security and application security; annotation: "This is the critical part of the game".)

• Concepts: security, safety, quality
• Services: identification, authentication, authorisation, access control, accountability, non-repudiation, confidentiality, integrity, availability, audit, notary's functions, accuracy
• Mechanisms: digital signature, encryption, hashing, multiple components, key escrowing, key recovery, fire protection, ...
• Algorithms: DES, IDEA, RSA, DSA, EL-GAMAL, SHA-1, MD5
• Data: data, keys, certificates

Ubiquitous Care Technology Paradigms

(Diagram: Pervasive Computing, Mobile Computing, Autonomic Computing and Ubiquitous Computing around Health information systems; associated themes: Location-independent service provision; Telematics, Telemedicine; Accessibility; Tele-consultation; Self-organisation.)

System Requirements

• Openness
• Flexibility
• Scalability
• Portability
• User acceptance
• Service orientation
• Distribution at Internet level
• Lawfulness
• Based on standards
• Service-oriented interoperability
• Appropriate security and privacy services

Model-driven approach

The Generic Component Model

(Diagram: views: Enterprise View, Information View, Computational View, Engineering View, Technology View; component decomposition levels: Business Concepts, Relations Network, Basic Services/Functions, Basic Concepts; domains: Domain 1, Domain 2, ..., Domain n; Component View.)

Architecture Paradigms for Future-Proof Health Information Systems

• Distribution
• Component-orientation (flexibility, scalability)
• Separation of platform-independent and platform-specific modelling
• Separation of logical and technological views (portability)
• Specification of reference and domain models at meta-level
• Interoperability at service level (concepts, contexts, knowledge)
• Appropriate data protection and data security measures

Basics

• Two basic class types must be dealt with:
• Entities
  - Policies
  - Roles
  - Principals
  - Documents
• Acts
  - Policy management
  - Principal management
  - Privilege management
  - Authentication
  - Authorisation
  - Access control management
  - Audit


Actors

• Principals, e.g.,
  - Person
  - Organisation
  - System
  - Device
  - Application
  - Component
  - Object


[Figure: relations among the security-relevant components: Policy Council and Policy; Legal & Ethical Framework; Access Control, Access Control Rules and Privileges; Authentication, Information Access and Information; Patient Consent; User, System Administrator and Audit; TTP (trusted third party).]


[Figure: class diagram of the policy model. Classes and attributes as shown:]

Policy: policy_identifier : II; policy_name : CS; policy_authority_ID : OID; policy_authority_name : ST; policy_domain_identifier : OID; policy_domain_name : EN; policy_target_list : LIST <INT>
AuthorisationPolicy, with the variants Auth+ and Auth- (action : CE)
ObligationPolicy: event : CV; exception : Exception
RefrainPolicy: action : CE
DelegationPolicy: grantee : OID; accessRights : CE; with the variants Deleg+ and Deleg-
MetaPolicy: meta_expression; raised_action : CE
BasicPolicy: policy_subject_ID : OID; policy_subject_name : ST; target_identifier : II; target_name : EN; target_object : II; operation_code : CE; permission_policy : CD; constraint : OCL
CompositePolicy: event : CV; policy : CD; mpolicy : CD; policy_group : II; constraint : OCL
Group: group_identifier : II; group_name : CS; group_description : CD
ManagementStructure: roles : Role; rels : Rel; mstructs : Mstruct
Relationship: roles : Role
Role: subjectDomain : OID; role_identifier : II; role_name : CS; role_description : CD


Control Model

[Figure: Claimant requests service from Target; Verifier authorises the request; ControlPolicy defines conditions; EnvironmentVariables influence conditions.]


Delegation Model

[Figure: participants SourceOfAuthority, Claimant and Verifier. Edges: delegates privileges; assigns privileges (to the Claimant); asserts privileges (Claimant to Verifier); trusts unconditionally (Verifier to SourceOfAuthority).]


Roles

• For managing role-relationships between the entities, organisational and functional roles can be defined.
• Organisational roles specify relations between entities in the sense of competence (RIM roles), often reflecting organisational or structural relations (hierarchies).
• Functional roles are bound to an act. Functional roles can be assigned to be performed during an act. They correspond to the RIM participation.


    <security_role>
      <role_name/>
      <role_ID/>
      <role_authority/>
      <role_authority/>
      <role_description>…</role_description>
    </security_role>


Structural Role (ISO TS 17090)

• Regulated Health Professional
• Non Regulated Health Professional
• Sponsored Health Care Provider
• Supporting Organisation Employee
• Patient / Consumer


“Functional Roles” Established in the EN/ISO 13606 EHR communication

• Subject of care (normally the patient)
• Subject of care agent (parent, guardian, carer, or other legal representative)
• Responsible (personal) healthcare professional (the healthcare professional with the closest relationship to the patient, often his GP)
• Privileged healthcare professional
  - nominated by the subject of care
  - nominated by the healthcare facility of care (there is a nomination by regulation, practice, etc.)
• Healthcare professional (involved in providing direct care to the patient)
• Health-related professional (indirectly involved in patient care, teaching, research, etc.)
• Administrator (and any other parties supporting service provision to the patient)


Policy-Driven, Role-Based Access Control

[Figure: class diagram. Classes: Principal; Structural_Role (with SR_Policy and Role_Hierarchy); User_Assignment; Functional_Role (with FR_Policy); Session and User_Session; Session_Role (with Process_Policy); Target_Component (with Target_Policy); Permission_Assignment. Association multiplicities 1, 1..* and 0..* as in the original UML.]
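An added illustration of the policy-driven RBAC model sketched above (not the panel's code): SR_Policy, FR_Policy and Permission_Assignment are modelled as constructed Python tables, with the structural roles taken from the ISO TS 17090 list and the functional roles from the EN/ISO 13606 list on the preceding slides. The care-relation rule, the operation names and the target component name "EHR" are this example's assumptions.

```python
from dataclasses import dataclass, field

# Constructed SR_Policy: which functional roles (EN/ISO 13606) a holder of a
# structural role (ISO TS 17090) may activate in a session.
SR_POLICY = {
    "Regulated Health Professional": {"Responsible (personal) healthcare professional",
                                      "Healthcare professional"},
    "Supporting Organisation Employee": {"Health-related professional", "Administrator"},
    "Patient / Consumer": {"Subject of care"},
}

# Constructed Permission_Assignment: (functional role, target component) -> operations.
PERMISSIONS = {
    ("Responsible (personal) healthcare professional", "EHR"): {"read", "append"},
    ("Healthcare professional", "EHR"): {"read"},
    ("Health-related professional", "EHR"): {"read_deidentified"},
    ("Subject of care", "EHR"): {"read", "consent"},
}

# Functional roles that are bound to a care relation with one subject of care.
PATIENT_BOUND = {"Responsible (personal) healthcare professional", "Healthcare professional"}


@dataclass
class Principal:
    name: str
    structural_roles: set          # User_Assignment: principal -> structural roles


@dataclass
class Session:
    principal: Principal
    subject_of_care: str           # the act in this session concerns this patient
    active_roles: set = field(default_factory=set)   # Session_Role


def fr_policy_allows(functional_role, principal, subject, care_relations):
    """Constructed FR_Policy: a patient-bound functional role may be held only
    towards a subject of care the principal has a recorded relation with; a
    patient may act as Subject of care only for their own record."""
    if functional_role in PATIENT_BOUND:
        return subject in care_relations.get((functional_role, principal.name), set())
    if functional_role == "Subject of care":
        return principal.name == subject
    return True   # indirect roles (research, teaching, administration) are not patient-bound


def activate(session, functional_role, care_relations):
    """Process_Policy: a functional role enters the session only if one of the
    principal's structural roles permits it (SR_Policy) and FR_Policy holds."""
    permitted = set().union(*(SR_POLICY.get(r, set()) for r in session.principal.structural_roles))
    if functional_role not in permitted:
        return False
    if not fr_policy_allows(functional_role, session.principal, session.subject_of_care, care_relations):
        return False
    session.active_roles.add(functional_role)
    return True


def check_access(session, target, operation):
    """Target_Policy: allowed iff an active session role carries the permission."""
    return any(operation in PERMISSIONS.get((role, target), set()) for role in session.active_roles)


def demo():
    # Constructed care relations: Dr Lee is the responsible HCP for patient P-1 only.
    relations = {("Responsible (personal) healthcare professional", "Dr Lee"): {"P-1"}}
    lee = Principal("Dr Lee", {"Regulated Health Professional"})
    researcher = Principal("R. Ng", {"Supporting Organisation Employee"})

    own_patient = Session(lee, "P-1")
    other_patient = Session(lee, "P-2")
    study = Session(researcher, "P-1")
    return {
        "lee_activates_for_P1": activate(own_patient, "Responsible (personal) healthcare professional", relations),
        "lee_appends_P1": check_access(own_patient, "EHR", "append"),
        "lee_activates_for_P2": activate(other_patient, "Responsible (personal) healthcare professional", relations),
        "lee_appends_P2": check_access(other_patient, "EHR", "append"),
        "researcher_as_hcp": activate(study, "Healthcare professional", relations),
        "researcher_activates": activate(study, "Health-related professional", relations),
        "researcher_reads_identified": check_access(study, "EHR", "read"),
        "researcher_reads_deidentified": check_access(study, "EHR", "read_deidentified"),
    }
```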


Interrelations of the Models and Documents Used and Produced in the Role Engineering Process (after Neumann & Strembeck)


[Figure: the Generic Component Model (views Enterprise, Information, Computational, Engineering, Technology; Component View with Component Decomposition (Granularity): Business Concepts, Relations Network, Basic Services/Functions, Basic Concepts) shown next to the role engineering levels Workflow, Scenario, Transaction and Step.]


Comparing the Generic Component Model and the VA Role Engineering Process

[Figure: the Component Decomposition (Granularity) levels Business Concepts, Relations Network, Basic Services/Functions and Basic Concepts set against the role engineering artefacts Structural Roles, Functional Roles and Role Assignment.]


Important eHealth Components (logical view)

[Figure: PolicyServices, ClientServices, ApplicationServices, AuditServices, PMI, EHR Systems, DirectoryServices, ID CA Services, ACA Services, PKI, TerminologyServices, KnowledgeServices, and the German Gesundheitskarte (health insurance card, showing name lines, insurer name, insurer number and insured-person number).]


Security, Privacy and Safety Challenge in Health

• Security services in health are policy driven in the broad interpretation of policy as any legal, social, ethical, psychological, organisational, functional and technical implication affecting trustworthy deployment of health-related applications.
• Moving towards advanced care paradigms such as personal care, the actors involved in the business cover the entire set of principals defined at OMG/CORBA such as persons, organisations, systems, devices, applications, components and even single objects. All those actors have to meet the aforementioned policy challenges.


Conclusions

• As a conclusion from the presented scenarios and the mechanisms to run, different management services are needed: principal management including user management, organisation management, device management, etc., which are combined with registry and directory services, but also role management, privilege management, policy management, etc.


Security and Privacy Technology Enablers for Healthcare Systems

Tyrone Grandison PhD, IBM Healthcare Center of Excellence, Almaden Research Center, San Jose, California

MEDINFO 2007, S114 Panel: Information Security in an E-Health World: Policies and Technologies


Introduction

• Caveat
  - As medical information moves to electronic platforms, policy and social education programs must be augmented by appropriate, corresponding technology [1].
• Objectives
  - Define the addressable.
  - Define the current major problems.
  - Outline technological solutions to each of these problems.

[1] Christopher Johnson, Rakesh Agrawal, "Intersections of Law and Technology in Balancing Privacy Rights with Free Information Flow", Proceedings of the Fourth IASTED International Conference on Law and Technology, Cambridge, Massachusetts, USA, October 2006.


Scope of Current Technical Enablers

• The Problem Space
  - Tightly Coupled Complex Systems
  - Each Silo'ed System has its own Protection Mechanisms
  - Conflicting Priorities and Policies
  - New (and changing) Technology
• Solution Requirements
  - Reduce the complexity and work-load in integrating and deploying systems, i.e. allow systems to worry about their core function and leverage security and privacy controls in the data system.
  - Do not impact the performance/efficiency of the currently running system.
  - Enable the current (clinical) workflow and do not require it to change.


Current Major Problems

• Policy-based Private Data Management.
  - How does one enforce data disclosure policies and patient preferences?
  - How does one enable privacy-preserving data mining?
• Secure Information Exchange
  - How does one selectively share the minimum amount of data necessary for a task?
  - How does one de-identify data for information exchange?
• Efficient Data Access Tracking
  - How do you efficiently track access and disclosure?
  - How do you protect data sent to outsourced agents?


Technology Solutions

• Policy-based Private Data Management.
  - Active Enforcement
  - Privacy-Preserving Data Mining
• Secure Information Exchange
  - Sovereign Information Sharing
  - Optimal k-anonymization (de-identification)
• Efficient Data Access Tracking
  - Compliance Auditing
  - Database Watermarking


[Figure: Hippocratic Database architecture. Policy Creation → Policy Parser → Installation → Installed Policy; Subject Preferences & Data Collection and Negotiation (Subject Preferences & Policy Matching) feed Personal Data into the DATABASE; the Application's Data Retrieval passes through the Enforcement HDB Driver.]

Hippocratic Database Active Enforcement

• Privacy Policy: Organizations define a set of policies describing who may access data (users or roles), for what purposes data may be accessed (purposes) and to whom data may be disclosed (recipients).
• Consent: Data subjects are given control, through opt-in and opt-out choices, over who may see their data and under what circumstances.
• Active Enforcement: Intercepts and rewrites incoming queries to comply with policies, subject choices, and context.
• Efficiency: Rewritten queries benefit from all of the optimizations and performance enhancements provided by the underlying engine (e.g. parallelism).
• Advantages:
  - Cell-level access and disclosure control.
  - Application modification not required.
  - Database agnostic; does not require changes to the database engine.

Example result table with cell-level suppression (suppressed cells shown as "-"):

  #  Name    Age  Phone
  1  Adam    25   (111) 111-1111
  3  Bob     -    (333) 333-3333
  4  Daniel  40   -
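An added example of the query rewriting that active enforcement performs (not HDB code): a SQLite schema holding the installed policy (which columns a role may see for a purpose) and the subjects' opt-out choices, and a rewriter that turns a simple SELECT into one the engine evaluates itself, nulling cells the policy or the subject does not allow and dropping rows whose subject opted out entirely. Table, column and role names, the `id` primary key and the sample data are this example's constructions; the rewriter accepts only plain column names so that nothing but policy logic is spliced into the SQL.

```python
import re
import sqlite3

# Simple statements only: SELECT <columns> FROM <table> [WHERE <predicate>]
SELECT_RE = re.compile(r"^\s*SELECT\s+(.+?)\s+FROM\s+(\w+)(?:\s+WHERE\s+(.+?))?\s*;?\s*$", re.I | re.S)
IDENT_RE = re.compile(r"^\w+$")


def build_demo_db():
    """Constructed data: a patient table, the installed policy (which columns a
    role may see for a purpose) and the subjects' opt-out choices ('*' = whole row)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE patients(id INTEGER PRIMARY KEY, name TEXT, age INTEGER, phone TEXT);
        CREATE TABLE policy(role TEXT, purpose TEXT, column_name TEXT);
        CREATE TABLE consent(patient_id INTEGER, purpose TEXT, column_name TEXT);
        INSERT INTO patients VALUES
            (1, 'Adam', 25, '(111) 111-1111'), (2, 'Carol', 31, '(222) 222-2222'),
            (3, 'Bob', 33, '(333) 333-3333'), (4, 'Daniel', 40, '(444) 444-4444');
        INSERT INTO policy VALUES
            ('marketing', 'marketing', 'id'), ('marketing', 'marketing', 'name'),
            ('marketing', 'marketing', 'age'), ('marketing', 'marketing', 'phone'),
            ('clinician', 'treatment', 'id'), ('clinician', 'treatment', 'name'),
            ('clinician', 'treatment', 'age'), ('clinician', 'treatment', 'phone');
        -- opt-outs: Carol refuses marketing use entirely, Bob hides his age, Daniel his phone
        INSERT INTO consent VALUES (2, 'marketing', '*'), (3, 'marketing', 'age'), (4, 'marketing', 'phone');
    """)
    return con


def rewrite(con, sql, role, purpose):
    """Rewrite a SELECT so the engine itself applies policy and consent:
    disallowed columns become NULL, opted-out cells become NULL per row, and
    rows whose subject opted out of the purpose are filtered away."""
    m = SELECT_RE.match(sql)
    if not m:
        raise ValueError("demo rewriter handles only SELECT ... FROM t [WHERE ...]")
    columns = [c.strip() for c in m.group(1).split(",")]
    table, where = m.group(2), m.group(3)
    if not all(IDENT_RE.match(c) for c in columns):
        raise ValueError("only plain column names are accepted")    # no expressions smuggled in
    allowed = {row[0] for row in con.execute(
        "SELECT column_name FROM policy WHERE role = ? AND purpose = ?", (role, purpose))}
    exprs, params = [], []
    for c in columns:
        if c not in allowed:
            exprs.append(f"NULL AS {c}")                            # policy denies the column
            continue
        # per-row consent check: the cell is nulled where this subject opted out of this column
        exprs.append(f"CASE WHEN EXISTS (SELECT 1 FROM consent k WHERE k.patient_id = p.id "
                     f"AND k.purpose = ? AND k.column_name = ?) THEN NULL ELSE p.{c} END AS {c}")
        params += [purpose, c]
    row_filter = ("NOT EXISTS (SELECT 1 FROM consent k WHERE k.patient_id = p.id "
                  "AND k.purpose = ? AND k.column_name = '*')")
    params.append(purpose)
    if where:
        row_filter = f"({where}) AND {row_filter}"
    return f"SELECT {', '.join(exprs)} FROM {table} p WHERE {row_filter} ORDER BY p.id", params


def enforced_query(con, sql, role, purpose):
    new_sql, params = rewrite(con, sql, role, purpose)
    return con.execute(new_sql, params).fetchall()


def demo():
    con = build_demo_db()
    return (enforced_query(con, "SELECT id, name, age, phone FROM patients", "marketing", "marketing"),
            enforced_query(con, "SELECT id, name, age, phone FROM patients", "clinician", "treatment"),
            enforced_query(con, "SELECT id, phone FROM patients WHERE age > 30", "researcher", "marketing"))
```

The first result reproduces the slide's table: Carol's row is gone, Bob's age and Daniel's phone are NULL, while the same query for treatment returns every cell.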


Privacy-Preserving Data Mining

[Figure: two charts labelled Original / Randomized / Reconstructed: a distribution over age (x axis 2 to 82, y axis 0 to 1200) and a plot against Randomization Level (x axis 10 to 200, y axis 0 to 120). Pipeline: individual records such as "50 | 40K | ..." and "30 | 70K | ..." (Alice's age, Alice's income, Bob's age, e.g. 30 + 35) pass through a Randomizer; from the randomized records ("65 | 20K | ...", "25 | 60K | ...") the distribution of age and the distribution of income are reconstructed and fed to the Data Mining Algorithms that produce the Data Mining Model.]

• Preserves privacy at the individual level, but allows accurate data mining models to be constructed at the aggregate level.
• Adds random noise to individual values to protect data subject privacy.
• EM algorithm estimates original distribution of values given randomized values + randomization function.
• Algorithms for building classification models and discovering association rules on top of privacy-preserved data with only small loss of accuracy.


Sovereign Information Integration

[Figure: a Medical Research Institution with DNA Sequences on one side and Drug Reactions on the other, held in separate databases.]

• Autonomous databases for competitive, statutory, or security reasons.
  - Provides selective, minimal sharing on need-to-know basis.
• Example: Which DNA expressions correlate with reactions to certain drugs?
• Algorithms for computing secure joins and join counts without revealing any additional information among the databases.

Minimal Necessary Sharing

  R = {a, u, v, x}, S = {b, u, v, y}

• R must not know that S has b & y
• S must not know that R has a & x

  Count (R ⋈ S) = 2

• R & S do not learn anything except that the result is 2.
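An added example of a secure join count for the Minimal Necessary Sharing case above (not the panel's or IBM's code): the slide only states that such algorithms exist, and this block uses one standard construction, commutative encryption, which is this example's choice. The group is a toy, Z_p^* for the Mersenne prime p = 2^61 - 1, where a deployment would use a large prime-order group; the hashing and key generation are also this example's own.

```python
import hashlib
import math
import secrets

P = (1 << 61) - 1   # toy modulus; 2^61 - 1 is prime


def hash_to_group(item: str) -> int:
    """Map an item to an element of Z_p^* (1..p-1) via SHA-256."""
    digest = hashlib.sha256(item.encode()).digest()
    return int.from_bytes(digest, "big") % (P - 1) + 1


def new_key() -> int:
    """Exponent coprime to p-1, so x -> x^k mod p permutes Z_p^*. Two such
    exponents commute: (x^a)^b = (x^b)^a = x^(ab)."""
    while True:
        k = secrets.randbelow(P - 2) + 2
        if math.gcd(k, P - 1) == 1:
            return k


def encrypt(value: int, key: int) -> int:
    return pow(value, key, P)


class Party:
    """One sovereign database. Only ciphertexts leave this object."""

    def __init__(self, items):
        self.items = list(items)
        self.key = new_key()

    def encrypt_own(self):
        return [encrypt(hash_to_group(x), self.key) for x in self.items]

    def reencrypt(self, values, shuffle=False):
        out = [encrypt(v, self.key) for v in values]
        if shuffle:                       # break the link to the sender's item order
            secrets.SystemRandom().shuffle(out)
        return out


def secure_join(r: Party, s: Party, reveal_items=False):
    """R learns |R ∩ S| (or the common items when reveal_items is set);
    S learns only |R|. Items never cross the wire in clear or singly hashed."""
    # 1. R -> S: h(R) encrypted under R's key.
    r_enc = r.encrypt_own()
    # 2. S -> R: R's values re-encrypted under S's key (shuffled in the count-only
    #    protocol so R cannot tell which of its items matched) plus S's own E_S(h(S)).
    doubly_r = s.reencrypt(r_enc, shuffle=not reveal_items)
    s_enc = s.encrypt_own()
    # 3. R re-encrypts S's values; commutativity gives E_R(E_S(x)) == E_S(E_R(x)),
    #    so equal doubly encrypted values identify common items.
    doubly_s = set(r.reencrypt(s_enc))
    hits = [i for i, v in enumerate(doubly_r) if v in doubly_s]
    if reveal_items:
        return sorted(r.items[i] for i in hits)
    return len(hits)


def demo():
    """The slide's sets: R = {a, u, v, x}, S = {b, u, v, y}; Count(R join S) = 2."""
    return (secure_join(Party("auvx"), Party("buvy")),
            secure_join(Party("auvx"), Party("buvy"), reveal_items=True))
```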


Optimal k-Anonymization (k=2, on name, address, age)

[Table: original records for Erica, Paul, Henry and Mark (columns Name, Address, City, Age, Income): addresses 130 Harry Road, 210 Almaden Pkwy, 19 Main Street and 4800 17th Street, all San Jose; ages 26, 28, 42 and 47; incomes $42,000, $50,000, $88,000 and $120,000. The 2-anonymized version keeps City and Income unchanged and generalizes Name to *, Address to the ZIP code (95120 or 95131) and Age to the range 20-29 or 40-49.]

• Optimal k-Anonymization (Bayardo, Agrawal, 2005)
  - Algorithm finds optimal k-anonymizations under two representative cost measures and variations of k.
• Advantages of optimal k-anonymization:
  - Truthful - Unlike other disclosure protection techniques that use data scrambling, swapping, or adding noise, all information within a k-anonymized dataset is truthful.
  - Secure - More secure than other de-identification methods, which may inadvertently reveal confidential information.
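An added example of k-anonymity by generalisation over the quasi-identifiers name, address and age (not the Bayardo-Agrawal algorithm, which searches the space far more efficiently; this block brute-forces a small generalisation lattice under the simple cost "total generalisation steps"). The records mirror the slide but are constructed, as are the hierarchies; income is treated as the sensitive attribute and is never generalised, which is what keeps the result truthful.

```python
from collections import Counter
from itertools import product

# Constructed records: (name, address, age, income); two ZIP codes, two age decades.
RECORDS = [
    ("Erica", "130 Harry Road, San Jose 95120", 42, 120_000),
    ("Paul", "210 Almaden Pkwy, San Jose 95131", 28, 88_000),
    ("Henry", "19 Main Street, San Jose 95131", 26, 42_000),
    ("Mark", "4800 17th Street, San Jose 95120", 47, 50_000),
]


# Generalisation hierarchies, level 0 = the true value. Every generalised value
# still contains the true one, so a k-anonymised table stays truthful.
def gen_name(v, level):
    return v if level == 0 else "*"


def gen_address(v, level):
    zip5 = v.rsplit(" ", 1)[1]                      # full address -> ZIP -> ZIP prefix -> *
    return (v, zip5, zip5[:3] + "**", "*")[level]


def gen_age(v, level):
    return (str(v), f"{v // 10 * 10}-{v // 10 * 10 + 9}", "*")[level]


HIERARCHIES = (gen_name, gen_address, gen_age)
MAX_LEVEL = (1, 3, 2)


def generalise(records, levels):
    """Apply one generalisation level per quasi-identifier; leave income untouched."""
    return [tuple(HIERARCHIES[i](r[i], levels[i]) for i in range(3)) + r[3:] for r in records]


def equivalence_classes(records):
    """Sizes of the groups sharing the same quasi-identifier tuple."""
    return Counter(r[:3] for r in records)


def is_k_anonymous(records, k):
    return min(equivalence_classes(records).values()) >= k


def optimal_generalisation(records, k):
    """Cheapest level vector (fewest total steps) that makes the table k-anonymous.
    Exhaustive over the lattice: fine for three attributes, not for real schemas."""
    for levels in sorted(product(*(range(m + 1) for m in MAX_LEVEL)), key=sum):
        if is_k_anonymous(generalise(records, levels), k):
            return levels
    return None
```

For k=2 the search lands on name → *, address → ZIP, age → decade, the same generalisation the slide shows; k=4 forces the ZIP prefix and suppresses age entirely.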


Compliance Auditing

[Figure: Database Layer. A Query with purpose, recipient generates an audit record for each query into the Query Audit Log; Updates, inserts, deletes are captured into a Backlog via database triggers or replication; at audit time an Audit expression is evaluated by the Audit Database Layer against the Data Tables and the Backlog, returning the IDs of log queries having accessed data specified by the audit query.]

Query Audit Log:

  ID  Query     User        Purpose          Recipient    Timestamp
  1   Select …  B. Jones    Marketing        MortgageCo.  2004-02-…
  2   Select …  S. Roberts  Account service  S. Roberts   2004-02-…

• Audits: Determine whether particular specified data has been accessed in violation of privacy policies or choices.
• Audit expression: Auditor specifies the information disclosures that he or she would like to track.
• Suspicious Queries: Audit system identifies logged queries that accessed the specified data.
• Audit Results: Returns the queries that accessed the specified information and the circumstances of access.
• Advantages:
  - Cell-level disclosure auditing.
  - Low storage overhead; reuses existing database infrastructure.
  - Low performance impact; defers computation until audit time.


Watermarking Databases

[Figure: Watermark Insertion on the Database; Watermark Detection on a Suspicious Database.]

Watermark Insertion
  1. Choose secret key
  2. Specify table/attributes to be marked
  3. Pseudo randomly select a subset of the rows for marking (function of secret key and attribute values)

Watermark Detection
  1. Specify secret key
  2. Specify table/attributes which should contain marks
  3. Identify marked rows/attributes, compare marks with expected mark values (requires neither original unmarked data nor the watermark)
  4. Confirm presence or absence of the watermark

• Deters data theft and asserts ownership of pirated copies by intentionally introduced pattern in the data.
  - Very unlikely to occur by chance.
  - Hard to find => hard to destroy (robust against malicious attacks).
• Existing watermarking techniques developed for multimedia are not applicable to database tables.
  - Rows in a table are unordered.
  - Rows can be inserted, updated, deleted.
  - Attributes can be added, dropped.
• New algorithm for watermarking database tables.
  - Watermark can be detected using only a subset of the rows and attributes of a table.
  - Robust against updates, incrementally updatable.
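An added example following the insertion and detection steps above (not the panel's or IBM's code): a keyed MAC over the secret key and the tuple's primary key decides pseudo-randomly which rows carry a mark, which numeric attribute is marked and which low-order bit takes which value; detection recomputes the same choices on a suspicious table and needs neither the original data nor the mark itself. Using the primary key as the hashed attribute, the parameter names and values, and the sample table are this example's assumptions.

```python
import hashlib
import hmac

GAMMA = 4      # mark roughly 1 in GAMMA tuples
XI = 2         # marks live in the XI least significant bits of an integer attribute
TAU = 0.8      # fraction of expected marks that must match to declare the watermark present


def _mac(key: bytes, *parts) -> int:
    msg = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def _mark_position(key, pk, n_attrs):
    """None if the tuple is unmarked, else (attribute index, bit index, bit value).
    Everything derives from the secret key and the primary key, so the choice is
    reproducible at detection time without storing anything."""
    if _mac(key, pk) % GAMMA != 0:
        return None
    return (_mac(key, pk, "attr") % n_attrs, _mac(key, pk, "bit") % XI, _mac(key, pk, "val") % 2)


def insert_watermark(rows, key):
    """rows: (pk, a1, a2, ...) with non-negative integer attributes. Returns a marked copy;
    each marked tuple changes by less than 2**XI in one attribute."""
    marked = []
    for pk, *attrs in rows:
        pos = _mark_position(key, pk, len(attrs))
        if pos is not None:
            i, j, bit = pos
            attrs[i] = (attrs[i] & ~(1 << j)) | (bit << j)
        marked.append((pk, *attrs))
    return marked


def detect_watermark(rows, key):
    """Detection step 3: how many tuples should carry a mark, and how many actually do."""
    total = matches = 0
    for pk, *attrs in rows:
        pos = _mark_position(key, pk, len(attrs))
        if pos is None:
            continue
        i, j, bit = pos
        total += 1
        matches += ((attrs[i] >> j) & 1) == bit
    return total, matches


def is_watermarked(rows, key):
    """Detection step 4: unmarked data agrees with the expected bits about half the
    time, marked data always, so a TAU threshold separates the two."""
    total, matches = detect_watermark(rows, key)
    return total > 0 and matches >= TAU * total


def demo_rows(n=200):
    """Constructed table of (id, systolic-like, heart-rate-like) integer columns."""
    return [(i, 100 + (i * 7) % 60, 60 + (i * 13) % 40) for i in range(n)]
```

Because detection only needs the rows that are present, deleting or reordering rows leaves the surviving marks intact, which is the robustness property claimed above.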


Conclusion

• Technology controls for security and privacy must be used in conjunction with legal policy, organizational requirements and social awareness programs in order to address the current and future problems in medical informatics systems.
• Controls must be moved to the data level in order to:
  - Reduce the complexity in current systems.
  - Provide a unified protection framework.
  - Allow the resolution of conflicts at the data level.
  - Scale to future technology without infrastructure modification.
• There is a current set of enablers that would avert breaches and integrate seamlessly into current systems.


THE END

Slides available at http://www.almaden.ibm.com/cs/people/tgrandison/talks.html

• Ted Cooper: [email protected] (sbcglobal.net)
• Mike Davis: [email protected] (va.gov)
• Bernd Blobel: [email protected] (klinik.uni-regensburg.de), [email protected] (ehealth-cc.de)
• Tyrone Grandison: [email protected] (us.ibm.com)