Slides in PPT - The Stanford University InfoLab
TIHI / SAW / TID
Security Mediation
To Protect Healthcare Information
Privacy in Collaborative Settings
Gio Wiederhold, PI, Michel Bilello, James Z. Wang.
past: Jahnavi Akella, Andrea Chavez, Chris Donahue,
Vatsala Sarathy, Latanya Sweeney, Yan Tan.
Stanford University
TIHI, SAW support under subcontract to SRI International
TID supported under NSF Digital Libraries II
Feb.2000
TIHI/SAW/TID
1
Gio Wiederhold TIHI/Saw 97
Overview
Security and Privacy when Collaborating
• Background and Current State
• Unaddressed Problem
• Security Mediator Solution
• Examples, including prior work
• Current work
• Demo and Questions
Security: protection and assurance
Crucial progress in protection is being made:
• Remote transmission
• Authentication
• Firewalls around domains
These protect against enemies. Much research is based on cryptography.
Dominant approach
• Authenticate Customer
• Validate query against database schema
• If both ok, process query and ship results
[Diagram: the customer's query passes through the firewall and authentication to a database access & authorization agent at the source; the result is shipped back the same way.]
Simple View of Protection:
Prohibit access.
[Diagram: the Internet, hackers and enemies kept outside the firewall.]
However, the world is more complex.
Collaboration Needs:
• Medical records: insurance company
• Medical records: medical researchers
• Manufacturer's specs: subcontractor
• Intelligence data: front-line soldier
False Assumption
Data in the files of an enterprise is organized according to external access rights.
This is inefficient and risky for an enterprise which uses information mainly internally.
Some Failure modes
Collaborator has legitimate access, but:
• Some data were misfiled
• Coverage of releasable and non-releasable data overlaps
• Unintentionally obtains wrong data
• Anonymity process fails
• Data replaced
• Can gain broader access than intended
Internal user ships improper data out:
• Fails to understand release constraints (credit card nos instead of MP3)
• Backup to insecure site (Deutsch)
• Shows friend neat stuff (Los Alamos scientist?)
Access Patterns versus Data:
[Diagram: the same patient data is accessed by Patient, Physician, Pharmacy, Laboratory, Laboratory staff, Clinics, Inpatient, Ward staff, Accounting, Billing, Insurance Carriers, Accreditation, CDC, etc.]
Healthcare
Expected Problems
• Query cannot specify object precisely (helpful database gets extra stuff)
  e.g. relevant history for low-weight births
• Objects (N) are not organized according to all possible access classifications (a) = (Na)
  e.g. patients with heart problems, but not HIV
• Some objects cover multiple classes
  e.g. patient with stroke and HIV
• Some objects are misfiled (happens easily to others); costly/impossible to guarantee avoidance
  e.g. psychiatric data in patient with alcoholism
Securing the Gap
Check the content of the result before it leaves the firewall.
Security mediator: human & software agent module.
[Diagram: the query enters through the firewall; the mediator inspects the result before it leaves.]
Overall Schematic
[Diagram: Customer on the Internet, then Firewall, then the Security Officer's Mediator, then the Database.]
Security Mediator
• Software module, intermediate between "customers" and databases within the firewall
• Resides on the security officer's machine (may have to be multi-level secure); accessed via firewall protection by customers
• Under control of the security officer, via simple security-specific rules
• Performs bidirectional screening (queries and results)
Security Officer
• Profile
– Human responsible for database security/privacy policies
– Must balance data availability vs. data security/privacy
• Tasks (current)
– Advises staff on how to try to follow policy
– Investigates violations to find & correct staff failures
– Has currently no tools
• Tasks (with mediators)
– Defines and enters policy rules in security mediator
– Monitors exceptions, especially violations
– Monitors operation, to obtain feedback for improvements
Security officer screen
Example: Mediation for Privacy
Public Health Application
CDC (the source of certified queries):
• Needs valid statistical data
• No access to private data
Security Mediator:
• Owned by hospital security officer
• Screens query and result
• Default is manual operation
• Evolves by adding rules
• Keeps security logs
Physicians' Databases (private patient data):
• Valuable resources
• Need to be aggregated for significance
[Diagram: certified query and certified result pass between CDC and the Security Mediator; unfiltered query and unfiltered result pass between the mediator and the physicians' databases.]
Patient Screen
part of Patient result
Software Components
• Rule interpreter
• Primitives to support rule execution
• Rule maintenance tools
• Log analysis tool
• Firewall interface
• Domain database interface
• Logger
(grouped on the slide as service, maintenance, and support components)
Primitives
Selected by rule for various clique roles
• Preprocess drawings or images
• Allow / disallow values
• Allow / disallow value ranges
• Limit results to approved vocabulary
• Disallow output containing bad words
• Limit output to times, places
• Limit number of queries per period
• Etc.
Protecting Privacy
in Medical Images
[Diagram (Stanford University): the original image with patient identity comes from the patient data system; the pipeline locates text, analyzes the textual information, removes nonreleasable text by wavelet-based filtering, and only the filtered image goes out to the Internet.]
Primitives for Content Check
• Good Word List for Text
– domain specific to increase precision and reliability
– created by processing good documents
– any word not in list shown to SO with context
• Bad Word List (optional)
– not reliable (misspellings, accidental or intentional)
– no increase in efficiency given good word list processing
– trigger special case rules
• Image data (current research)
– extract text and analyze as above
– recognize objectionable images by sketch or color
Roles
• Security officer manages security policy; not a computer specialist or database administrator.
• Computer specialist provides tools: agent workstation program for security mediation
• Healthcare institution defines policies; its security officer uses the program as the tool
• Tool provides logging for
– system improvements
– audit trail
– accountability
• Formalizes ad-hoc practices
Rule system
• Optional: without rules every interaction
goes to the security officer (in & out)
• Creates efficiency: routine requests will be
covered by rules: 80% instances / 20% types
• Assures Security officer of control: rules
can be incrementally added / deleted / analyzed
• Primitives simplify rule specification:
source, transmit date/time, prior request, ...
Primitives get data for Rules
• Requestor roles
• Data names requested and values returned
– dates
– value ranges
– textual contents: positive / negative
– special indicators: employment, … [Scrub .. ]
• Size of base leading to a statistical result
• Time and place of request & destination
• Interaction history: frequency, overlaps, . . .
• Measure of risk: [Datafly]
• more . . . .
Participants in Setting Rules
(same bullet list as the Roles slide above)
Disallowed result
Security officer reaction
Choices:
1. Reject result
2. Edit result
3. Pass result (& update the list of good words, making approval persistent)
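The good-word-list check from the Primitives for Content Check slide and the security officer's three choices above, as an added example that is not code from the TIHI project. The class and function names, the sample discharge note and the result text are constructed for illustration.

```python
import re

WORD_RE = re.compile(r"[A-Za-z][A-Za-z'-]*")


class GoodWordList:
    """Domain-specific vocabulary built from documents already known to be releasable."""

    def __init__(self, approved_docs):
        self.words = set()
        for doc in approved_docs:
            self.words.update(w.lower() for w in WORD_RE.findall(doc))

    def unknown_words(self, text, context=3):
        """Words not on the list, each with surrounding context for the officer."""
        tokens = WORD_RE.findall(text)
        seen, hits = set(), []
        for i, tok in enumerate(tokens):
            low = tok.lower()
            if low in self.words or low in seen:
                continue
            seen.add(low)
            hits.append((tok, " ".join(tokens[max(0, i - context):i + context + 1])))
        return hits


def screen_result(text, good_words, officer_decision):
    """Auto-pass a result whose words are all approved; otherwise refer it.

    officer_decision(unknown) returns one of the officer's three choices:
    ("reject", None), ("edit", edited_text) or ("pass", None).
    A "pass" adds the unknown words to the list, making the approval persistent.
    Only words are checked here; numbers (phone, credit card) are left to the
    value-range primitives, not the word list.
    """
    unknown = good_words.unknown_words(text)
    if not unknown:
        return "auto-pass", text
    choice, edited = officer_decision(unknown)
    if choice == "reject":
        return "rejected", None
    if choice == "edit":
        return "edited", edited
    good_words.words.update(w.lower() for w, _ in unknown)
    return "passed", text


if __name__ == "__main__":
    # Constructed sample: one approved discharge note seeds the list; the officer rejects.
    gw = GoodWordList(["Patient admitted with acute myocardial infarction and discharged stable."])
    print(screen_result("Patient admitted, contact Jane Doe", gw, lambda u: ("reject", None)))
```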
Rules implement policy
• Tight security policy:
– simple rules
– many requests/responses referred to security officer
– much information output denied by security officer
– low risk
– poor public and community physician relations
• Liberal but careful security policy:
– complex rules
– few requests/responses referred to security officer
– of remainder, much information output denied by security officer
– low risk
– good public and community physician relations
• Sloppy security policy:
– simple rules
– few requests/responses referred to security officer
– little information output denied by security officer
– high risk
– unpredictable public and community physician relations
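A rule interpreter over the primitives listed on the Rule system and Primitives get data for Rules slides, contrasting a tight and a liberal-but-careful policy as described above. This is an added example, not the TIHI mediator's code: the Request fields, rule names, thresholds (20 queries per period, base of 50 patients, 8 to 18 working hours) and sample requests are all constructed. With no rule matching, the request goes to the security officer, as the Rule system slide states.

```python
from dataclasses import dataclass
from typing import Callable, Set


@dataclass
class Request:
    """What the primitives extract about one query/result pair (constructed fields)."""
    role: str               # requestor role, e.g. "cdc" or "insurer"
    data_names: Set[str]    # data names requested
    hour: int               # hour of the request (time primitive)
    prior_in_period: int    # interaction history: queries already made this period
    base_size: int = 0      # size of the base behind a statistical result


@dataclass
class Rule:
    name: str
    matches: Callable[[Request], bool]
    action: str             # "pass", "deny" or "refer" (to the security officer)


def decide(req, rules):
    """First matching rule wins; with no rules, or none matching, the officer sees it."""
    for rule in rules:
        if rule.matches(req):
            return rule.action, rule.name
    return "refer", "default"


IDENTIFYING = {"name", "ssn", "address", "phone"}

# Liberal but careful policy: deny the clearly improper, pass the routine, refer the rest.
LIBERAL_POLICY = [
    Rule("identifying data never leaves", lambda r: bool(r.data_names & IDENTIFYING), "deny"),
    Rule("rate limit: 20 queries per period", lambda r: r.prior_in_period >= 20, "refer"),
    Rule("off-hours requests referred", lambda r: not 8 <= r.hour < 18, "refer"),
    Rule("statistics on a large enough base", lambda r: r.role == "cdc" and r.base_size >= 50, "pass"),
    Rule("small base could identify patients", lambda r: r.role == "cdc" and 0 < r.base_size < 50, "deny"),
]

# Tight policy: one simple rule; everything else is referred to the officer.
TIGHT_POLICY = [LIBERAL_POLICY[0]]


if __name__ == "__main__":
    # Constructed CDC request: aggregate diagnosis counts over 120 patients at 10:00.
    req = Request("cdc", {"diagnosis", "zip3"}, 10, 3, base_size=120)
    print(decide(req, LIBERAL_POLICY), decide(req, TIGHT_POLICY))
```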
Coverage of Access Paths
[Diagram: two access paths meet at the Security Mediator. On the security officer's side: authentication-based good/bad control, prior use ("good guy"), security needs, history and ancillary information, so the result is validated to be ok or is likely ok. On the database administrator's side: DB schema-based control, a good query is ok and processable, with performance and function; requests then go to the Database.]
A mediator is not just
static software
[Diagram: the mediator sits between an Application Interface (subject to changes of user needs) and Resource Interfaces (subject to resource changes and domain changes). It consists of Software & People: owner/creator, maintainer, lessor/seller, advertiser; models, programs, rules, caches, . . .]
Agent System Differences DBA/SO
DBA agent:
• Be helpful to customer
• Tell customer re problems; query may be fixed
• Exploit DB meta-data
• Isolate transactions
• Ship result to customer
Security officer agent:
• Be helpful to security officer
• Tell security officer re problems; security officer may contact customer
• Exploit customer information
• Use history of usage
• Ship result to security officer with result description (source, cardinality)
Finding: the differences are greater than we imagined initially.
Security Mediator Benefits
• Dedicated to security task (may be multi-level secure)
• Uses only its rules and relevant function, all directly,
avoids interaction with DB views and procedures
• Maintained by responsible authority: the security officer
• Policy setting independent of database(s) and DBA(s)
• Logs just those transactions that penetrate the firewall,
records attempted violations independent of DB logs*
• Systems behind firewall need not be multi-level secure
• Databases behind firewall need not be perfect
* also used for replication, recovery, warehousing
TIHI / SAW / TID Summary
Collaboration is an underemphasized issue
beyond encrypted transmits, firewalls, passwords, authentication
There is a need for flexible, selective access to data
without the risk of exposing related information in an enterprise
In TIHI service is provided by the Security Mediator:
a rule-based gateway processor of queries and results
under control of a security officer who implements enterprise policies
Our solution applies not only to Healthcare but equally to Collaborating (virtual) enterprises and in many Military situations.