Declarative Privacy Policy: Finite Models
and Attribute-Based Encryption
November 2nd, 2011
Healthcare Privacy Problem

[Diagram: Patient, Patient Portal, Doctor, Electronic Record, HIE, Insurance, Drug Co.; goals around the record: quality care, HIPAA compliance, patient privacy]

Data needed for treatment
• Electronic records and health information exchange (HIE) can improve care and reduce costs
• Most patients seen in an emergency room were treated in an unaffiliated hospital in the last six months

Patient access is important
• Required by law
• Diabetics can enter glucose data and improve treatment
• Personal health devices: blood pressure monitors, Zeo, Fitbit, Withings

Privacy requirements
• HIPAA law mandates privacy
• Hospitals add policy
• Insurer needs data for billing, but should not deny coverage based on correlated factors

Privacy theory → automated compliance
Finite Model for HIPAA

Dependency graph
[Diagram: dependency graph over predicates such as permitted_by_164_502_a(A), permitted_by_164_502_a_1(A), permitted_by_164_502_a_1_i(A), with leaf predicates is_from_coveredEntity(A) and is_phi(A)]

Acyclicity of privacy law
• Can we capture the behavior of an acyclic law by its operations on a finite set of exemplary use cases?

Exemplary cases can be used for
• Training and education
• Testing and debugging of compliance software
Compliance Tree of an Acyclic Law

compliantWithALaw( A ) = AND
├── permittedBySomeClause( A ) = OR
│   ├── permittedByC1( A ) = AND
│   │   ├── coveredByC1( A )
│   │   ├── satisfiesC1( A )
│   │   └── permittedBySomeRefOfClause1( A ) = OR
│   │       ├── permByClauseRef_1,1( A )
│   │       ├── …
│   │       └── permittedByClauseRef_1,N( A )
│   ├── …
│   └── permittedByCm( A )
└── NOT forbiddenBySomeClause( A ), where forbiddenBySomeClause( A ) = OR
    ├── forbiddenByC1( A )
    ├── …
    └── forbiddenByCm( A ) = AND
        ├── coveredByCm( A )
        └── NOT satisfiesCm( A )
Algorithm to Generate Exemplary Cases for an Acyclic Privacy Law

I.   Construct the compliance tree for the acyclic law
II.  Normalize it (push NOT operators to the bottom)
     • Using De Morgan's Laws and Boolean algebra
III. Construct the search trees
IV.  For each search tree, add an exemplary case instance to the model that satisfies all the nodes in the tree
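The four steps above, worked through in code. This is an added example, not code from the paper or the healthcareprivacy project: it encodes a compliance tree of the shape shown on the previous slide for a constructed law with two top-level clauses C1 and C2, where C1 references two sub-clauses (the slide's Ref_1,1 … Ref_1,N), pushes the NOT operators to the atoms, enumerates the search trees, and emits one exemplary case per tree. The nested-tuple formula encoding, the predicate names (coveredBy_C1, satisfies_C1, …) and the clause layout are assumptions chosen for the example.

```python
from itertools import product

# A formula is an atom (str), ("not", f), ("and", [f, ...]) or ("or", [f, ...]).


def nnf(f):
    """Step II: push NOT down to the atoms with De Morgan's laws (negation normal form)."""
    if isinstance(f, str):
        return f
    op, arg = f
    if op != "not":
        return (op, [nnf(x) for x in arg])
    if isinstance(arg, str):
        return ("not", arg)
    inner_op, inner = arg
    if inner_op == "not":
        return nnf(inner)                              # NOT NOT x = x
    flipped = "or" if inner_op == "and" else "and"     # De Morgan
    return (flipped, [nnf(("not", x)) for x in inner])


def search_trees(f):
    """Step III: enumerate the search trees of an NNF formula.

    A search tree is a set of literals {atom: truth value} that must all hold.
    An OR node contributes exactly one chosen child; an AND node contributes all
    of its children, so its trees are the consistent merges of the children's trees."""
    if isinstance(f, str):
        return [{f: True}]
    op, arg = f
    if op == "not":
        return [{arg: False}]
    if op == "or":
        return [t for child in arg for t in search_trees(child)]
    trees = []
    for combo in product(*(search_trees(child) for child in arg)):
        merged = {}
        for t in combo:
            if any(merged.get(k, v) != v for k, v in t.items()):
                break                                  # contradictory literals: drop this combination
            merged.update(t)
        else:
            trees.append(merged)
    return trees


def compliance_tree(top_clauses, refs):
    """Step I: compliance tree of an acyclic law, following the slide:
    permittedBy Ci    = coveredBy Ci AND satisfies Ci AND permittedBySomeRefOf Ci
    forbiddenBy Ci    = coveredBy Ci AND NOT satisfies Ci
    compliantWithALaw = permittedBySomeClause AND NOT forbiddenBySomeClause
    `refs` maps a clause to the clauses it references; acyclicity keeps the recursion finite."""
    def permitted_by(c):
        parts = [f"coveredBy_{c}", f"satisfies_{c}"]
        if refs.get(c):
            parts.append(("or", [permitted_by(r) for r in refs[c]]))
        return ("and", parts)

    permitted = ("or", [permitted_by(c) for c in top_clauses])
    forbidden = ("or", [("and", [f"coveredBy_{c}", ("not", f"satisfies_{c}")])
                        for c in top_clauses])
    return ("and", [permitted, ("not", forbidden)])


def exemplary_cases(top_clauses, refs):
    """Step IV: one exemplary case per search tree (atoms not listed are unconstrained)."""
    return search_trees(nnf(compliance_tree(top_clauses, refs)))


def evaluate(f, case):
    """Decide compliance of a case; atoms the case leaves open are taken as False."""
    if isinstance(f, str):
        return case.get(f, False)
    op, arg = f
    if op == "not":
        return not evaluate(arg, case)
    values = [evaluate(x, case) for x in arg]
    return all(values) if op == "and" else any(values)


# Constructed law (assumption): two top-level clauses, C1 referencing two sub-clauses.
TOP_CLAUSES = ["C1", "C2"]
REFS = {"C1": ["Ref_1_1", "Ref_1_2"]}

if __name__ == "__main__":
    law = compliance_tree(TOP_CLAUSES, REFS)
    for case in exemplary_cases(TOP_CLAUSES, REFS):
        assert evaluate(law, case)
        print(sorted(case.items()))
```

Because each AND node is fully expanded and each OR node fixes one branch, every literal set returned by search_trees makes the whole tree true however the remaining atoms are filled in, which is why the generated cases can stand in for the law: a compliance checker that disagrees with the evaluator on one of them has a bug in the corresponding branch. Adding a clause to the law grows the set of cases, and the sub-clause references only expand once each, so the model stays finite for an acyclic law.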
A Search Tree to Generate an Exemplary Case

compliantWithALaw( A ) = AND
├── permittedBySomeClause( A ), choosing the branch permittedByC1( A ) = AND
│   ├── coveredByC1( A )
│   ├── satisfiesC1( A )
│   └── permittedBySomeRefOfC1( A ), choosing the branch permittedByClauseRef_I,J( A )
└── notForbiddenByAnyClause( A ) = AND
    ├── notForbiddenByC1( A )
    ├── …
    └── notForbiddenByCm( A ), choosing the branch notCoveredByCm( A )

Each OR node of the normalized compliance tree keeps exactly one child; the exemplary case generated from the tree must satisfy every node that remains.
Finite Model for Privacy Laws

Our main results regarding the construction:
• The model for an acyclic law constructed using our algorithm is finite
• The acyclic law can be completely characterized by its operation on the exemplary cases in the model
Encrypted medical data in the cloud

[Diagram: on the hospital side, the EHR feeds a Policy Engine and Attribute-based Encryption, producing Encrypted Medical Data stored in a cloud Database; on the user side, a Query is answered from the database and decrypted by Attribute-based Decryption under the user's Credentials]

Applications:
• HIE, affiliated clinics
• Medical research
Attribute-Based Encryption

[Diagram: data is encrypted under the public key PK with an access policy built from AND/OR gates over attributes such as Doctor, Nurse, Neurology and ICU; secret keys carry attribute sets, e.g. SK{"Doctor", "Neurology"} and SK{"Nurse", "Physical Therapy"}; a key decrypts only if its attributes satisfy the policy]
Extracting ABE data policy

Policy: Action → {allow, deny}   (HIPAA plus hospital policy)
Action characterized by: from, about, type, consents, to, purpose, beliefs

Data policy
• SELECT rows with the given data attributes: from, about, type, consents
• PROJECT them to generate the associated ABE access policy:
  { (to, purpose, beliefs) | Policy( from, about, type, consents, to, purpose, beliefs ) = Allow }
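The SELECT/PROJECT step in code. This is an added example rather than code from the paper or the healthcareprivacy project; the rule table, the recipient-side attribute vocabularies (Doctor, Nurse, Insurer; treatment, billing, marketing; routine, emergency) and the first-match, default-deny evaluation of Policy are constructed assumptions. It fixes the data attributes of one item, evaluates Policy over every (to, purpose, beliefs) combination, and renders the allowed triples as the DNF access policy handed to the ABE encryptor; where both belief values are allowed the beliefs attribute is dropped, which keeps the OR-clause count down.

```python
from itertools import product

# Constructed attribute vocabulary for the recipient side of an action.
# Assumption: in a deployment these come from the credential schema of the ABE authority.
TO_VALUES = ["Doctor", "Nurse", "Insurer"]
PURPOSE_VALUES = ["treatment", "billing", "marketing"]
BELIEF_VALUES = ["routine", "emergency"]

# Constructed policy table over the 7-tuple (from, about, type, consents, to, purpose, beliefs).
# "*" matches any value; the first matching row decides; no match means deny.
# Assumption: HIPAA and the hospital's own policy have already been merged into one ordered table.
RULES = [
    (("hospital", "*", "phi", "*", "*", "marketing", "*"), "deny"),           # hospital: no marketing use
    (("hospital", "*", "phi", "*", "Doctor", "treatment", "*"), "allow"),
    (("hospital", "*", "phi", "*", "Nurse", "treatment", "*"), "allow"),
    (("hospital", "*", "phi", "*", "*", "treatment", "emergency"), "allow"),  # any recipient in an emergency
    (("hospital", "*", "phi", "consented", "Insurer", "billing", "*"), "allow"),
]


def matches(pattern, action):
    return all(p == "*" or p == a for p, a in zip(pattern, action))


def policy(action, rules=RULES):
    """Policy: Action -> {allow, deny}."""
    for pattern, decision in rules:
        if matches(pattern, action):
            return decision
    return "deny"


def abe_access_policy(frm, about, type_, consents, rules=RULES):
    """Data policy for one data item.

    SELECT: fix the item's data attributes (from, about, type, consents).
    PROJECT: keep the (to, purpose, beliefs) triples with Policy(...) = allow.
    Then factor out 'beliefs' where every belief value is allowed, so the
    resulting ABE policy has fewer OR clauses."""
    allowed = {}
    for to, purpose, beliefs in product(TO_VALUES, PURPOSE_VALUES, BELIEF_VALUES):
        action = (frm, about, type_, consents, to, purpose, beliefs)
        if policy(action, rules) == "allow":
            allowed.setdefault((to, purpose), set()).add(beliefs)
    clauses = []
    for (to, purpose), beliefs in sorted(allowed.items()):
        if beliefs == set(BELIEF_VALUES):
            clauses.append((to, purpose))              # beliefs unconstrained: drop the attribute
        else:
            clauses.extend((to, purpose, b) for b in sorted(beliefs))
    return clauses


def to_abe_string(clauses):
    """Render the clauses as the DNF access policy given to the ABE encryptor."""
    return " OR ".join("(" + " AND ".join(c) + ")" for c in clauses)


if __name__ == "__main__":
    for consents in ("consented", "not_consented"):
        print(consents, "->", to_abe_string(abe_access_policy("hospital", "patient", "phi", consents)))
```

Running it shows the point of the projection: the same record encrypted with and without patient consent gets a different access policy, and the Insurer/billing clause disappears when consent is absent, so the insurer's key simply cannot decrypt rather than relying on a runtime check at the cloud database. Because ABE attributes are flat strings, every value a clause depends on (here the beliefs) has to appear as an attribute in the policy, which is also why the parameterized roles discussed later need the attribute-name workaround.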
Prototype

[Figure 4: Prototype Screen Shot]
Performance

[Figure 5: Performance. Time (ms) against the number of OR clauses in the access policy (0 to 400), for 1, 2, 4 and 8 threads]
Open Issue
• No direct support of parameterized roles in ABE

Workaround
• Format: R(p1, p2, …, pn)
• E.g., 164.502(g)(3)(ii)(A): "… a covered entity may disclose, or provide access in accordance with §164.524 to, protected health information about an unemancipated minor to a parent, guardian, or other person acting in loco parentis;"
• Hardcode parameter values into the attribute name, e.g. inLocoParentis_Tom

Challenges
• Identity silos across organizations
References
• P.E. Lam, J.C. Mitchell, A. Scedrov, et al. Declarative Privacy Policy: Finite Models and Attribute-Based Encryption. IHI 2012.
• J. Franklin, S. Chaki, A. Datta, A. Seshadri. Scalable Parametric Verification of Secure Systems: How to Verify Reference Monitors without Worrying about Data Structure Size. Proceedings of the 31st IEEE Symposium on Security and Privacy, May 2010.
• P.E. Lam, J.C. Mitchell, S. Sundaram. A Formalization of HIPAA for a Medical Messaging System. TrustBus 2009.
• A. Barth, A. Datta, J.C. Mitchell, H. Nissenbaum. Privacy and Contextual Integrity: Framework and Applications. Proceedings of the 27th IEEE Symposium on Security and Privacy, May 2006.

Healthcare privacy project source code: http://github.com/healthcareprivacy
Demo (under construction): http://crypto.stanford.edu/privacy/HIPAA/
Backup slides