• No results found

Patient Controlled Encryption: Ensuring Privacy of Electronic Medical Records

N/A
N/A
Protected

Academic year: 2021

Share "Patient Controlled Encryption: Ensuring Privacy of Electronic Medical Records"

Copied!
50
0
0

Loading.... (view fulltext now)

Full text

(1)

Patient

 

Controlled

 

Encryption:

Ensuring

 

Privacy

 

of

 

Electronic

 

Medical

 

Records

Melissa

 

Chase

 

(MSR)

Joint

 

work

 

with

 

Josh

 

Benaloh,

 

Kristin

 

Lauter,

 

(2)

Medical

 

Records

Traditionally,

 

health

 

providers

 

kept

 

paper

 

files

Transferring

 

data

 

very

 

cumbersome

Visiting

 

a

 

new

 

doctor

 

requires

 

paperwork

(3)

Electronic

 

Medical

 

Records

Movement

 

to:

Digitize

 

records

Make

 

accessible

 

to

 

network

 

of

 

providers

Patients’

records

 

will

 

be

 

accessible

 

to

 

any

 

provider

 

who

 

treats

 

them

 

Advantages

Better

 

care

Reduce

 

costs

President Obama: “all medical records

computerized …

within 5 years”

(4)

Privacy

 

concerns

Also

 

dangerous

Much

 

easier

 

to

 

steal

 

digital

 

records

Much

 

easier

 

to

 

attack

 

remotely

 

accessible

 

system

Large

 

system

 

is

 

very

 

vulnerable

 

to

 

abuse

ARR Act: Specific objectives:

Secure communications

“Ensure appropriate authorization”

(5)

Privacy

 

Concerns

Why

 

are

 

we

 

concerned

 

about

 

privacy?

Want

 

patients

 

to

 

be

 

honest

Discrimination

Insurance

Employment

Social

 

stigma

 

(friends/coworkers)

(6)

Patient

 

Bob

Doctor

 

Alice

Upload

 

health

 

info

Upload

 

health

 

info

Standard

 

Approach

 

to

 

Security:

 

Provider

 

Managed

 

+

 

Access

 

Control

Health

 

Record

 

Server

patient

 

records

Permission

s

?

Log

 

File

Must

 

Audit

 

Logs

Sensitive

 

information

Celebrity

 

records

(7)

Privacy

 

Concerns

Wide

 

access

All

 

or

 

nothing

 

permissions

Even

 

more

 

in

 

large

 

network

 

scenario

Roughly

 

150

 

people

 

have

 

access

 

to

 

a

 

patient’s

     

record

 

in

 

a

 

hospitalization

Patient

 

Controlled

 

Record

grant

 

access

 

only

 

to

 

appropriate

 

part

 

of

 

record

allow

 

patient

 

to

 

identify

 

providers

 

who

 

treat

 

him

Patient

 

Controlled

 

Record

grant

 

access

 

only

 

to

 

appropriate

 

part

 

of

 

record

allow

 

patient

 

to

 

identify

 

providers

 

who

 

treat

 

(8)

Privacy

 

Concerns

Wide

 

access

All

 

or

 

nothing

 

permissions

Even

 

more

 

in

 

large

 

network

 

scenario

Roughly

 

150

 

people

 

have

 

access

 

to

 

a

 

patient’s

     

record

 

in

 

a

 

hospitalization

Access

 

control

 

Theft

Attack

Patient

 

must

 

trust

 

owner/administrator

 

of

 

data

 

for

 

physical

 

and

 

electronic

 

security

(9)

Patient

 

Bob

Create

 

Account

Create

 

Account

Upload

 

health

 

info

Upload

 

health

 

info

Search

 

record

Search

 

record

New

 

Approach:

 

Encryption

Health

 

Record

 

Server

Bob’s

 

record

Permission

s

(10)

Using

 

Cryptography

Who

 

holds

 

the

 

key?

Server

Key

 

can

 

be

 

stolen/compromised

 

along

 

with

 

data

Third

 

party

Somewhat

 

more

 

secure

How

 

to

 

maintain

 

functionality?

Patient

What

 

we

 

will

 

look

 

at

(11)

Patient

 

Bob

Create

 

Account

Create

 

Account

Upload

 

health

 

info

Upload

 

health

 

info

Search

 

record

Search

 

record

Health

 

Record

 

Server

Bob’s

 

record

Permission

s

Hide

 

from

 

server

  

=

 

hides

 

from

 

hackers,

 

thieves,

 

etc

Hide

 

from

 

server

  

=

 

hides

 

from

 

hackers,

 

thieves,

 

etc

Must

 

have

 

key

 

backup

(12)

Patient

 

Bob

Create

 

Account

Create

 

Account

Upload

 

health

 

info

Upload

 

health

 

info

Search

 

record

Search

 

record

Health

 

Record

 

Server

Bob’s

 

record

Permission

s

Doctor

 

Alice

Upload

 

health

 

info

Upload

 

health

 

info

Gra

nt

par

tial

 

acc

ess

Gra

nt

par

tial

 

acc

ess

Searc

h

 

reco

rd

Searc

h

 

reco

rd

Pharmacist

 

Charles

How

 

do

 

we

 

allow

 

patient

 

to

 

grant

 

partial

 

access?

How

 

do

 

we

 

allow

 

patient

 

to

 

grant

 

partial

 

access?

Using

 

Cryptography

(13)

How

 

to

 

grant

 

partial

 

access?

Two

 

approaches

Hierarchical

 

record

 

sharing:

 

Patient

 

Controlled

 

Encryption

 

[BCHL09]

 

Assumes

 

hierarchical

 

health

 

record

Based

 

on

 

standard,

 

efficient

 

primitives

 

(hash

 

functions,

 

block

 

ciphers)

Also

 

consider

 

how

 

to

 

incorporate

 

searchability

Re

encryption

 

based

 

sharing:

Functional

 

Re

Encryption

 

[CCV12]

Easier

 

to

 

revoke

 

users

 

/

 

add

 

revocation

 

date

Easier

 

key

 

management

More

 

complex

 

constructions

(14)

Hierarchical

 

Record

 

Sharing

Joint

 

work

 

with

 

Eric

 

Horvitz,

Kristin

 

Lauter,

and

 

Josh

 

Benaloh

(15)

Assumption

 

on

 

types

 

of

 

delegation

Arrange

 

the

 

record

 

in

 

a

 

hierarchy

Allowable

 

delegations:

 

rights

 

to

 

a

 

category

Grant

partial

 

access

Grant

partial

 

access

(16)

Hierarchical

 

Health

 

Records

Ex:

(17)

Hierarchical

 

Health

 

Records

Ex:

 

Give

 

Doctor

 

access

 

to

 

entire

 

record

Give

 

Exercise

 

info

 

to

 

cousin

(18)

Hierarchical

 

Health

 

Records

Ex:

Give

 

Doctor

 

access

 

to

 

entire

 

record

Give

 

Exercise

 

info

 

to

 

cousin

(19)

Hierarchical

 

Health

 

Records

Ex:

Give

 

Doctor

 

access

 

to

 

entire

 

record

Give

 

Exercise

 

info

 

to

 

cousin

(20)

Hierarchical

 

Health

 

Records

Ex:

Give

 

Doctor

 

access

 

to

 

entire

 

record

Give

 

Exercise

 

info

 

to

 

cousin

(21)

Hierarchical

 

Health

 

Records

Ex:

Give

 

Doctor

 

access

 

to

 

entire

 

record

Give

 

Exercise

 

info

 

to

 

cousin

Give

 

Eyeglass

 

Prescription

 

to

 

Retailer

(22)

Hierarchical

 

Health

 

Records

Ex:

Give

 

Doctor

 

access

 

to

 

entire

 

record

Give

 

Exercise

 

info

 

to

 

cousin

Give

 

Eyeglass

 

Prescription

 

to

 

Retailer

(23)

Hierarchical

 

Encryption

Symmetric

 

Key

 

[AT83,

 

S88,

 

…]

Public

 

Key:

 

HIBE[GS02,

 

…]

KeyDer

KeyDer

Security

only

 

have

 

access

 

if

 

an

 

(24)

Patient

 

Bob

Create

 

Account

Create

 

Account

Upload

 

health

 

info

Upload

 

health

 

info

Search

 

record

Search

 

record

Patient

 

Controlled

 

Encryption

Health

 

Record

 

Server

Bob’s

 

record

Permission

s

(25)

Patient

 

Bob

Create

 

Account

Create

 

Account

Upload

 

health

 

info

Upload

 

health

 

info

Search

 

record

Search

 

record

Patient

 

Controlled

 

Encryption

Health

 

Record

 

Server

Bob’s

 

record

Permission

s

Doctor

 

Alice

Upload

 

health

 

info

(26)

Patient

 

Bob

Create

 

Account

Create

 

Account

Upload

 

health

 

info

Upload

 

health

 

info

Search

 

record

Search

 

record

Patient

 

Controlled

 

Encryption

Health

 

Record

 

Server

Bob’s

 

record

Permission

s

Doctor

 

Alice

Upload

 

health

 

info

Upload

 

health

 

info

Gra

nt

par

tial

 

acc

ess

Gra

nt

par

tial

 

acc

ess

Searc

h

 

reco

rd

Searc

h

 

reco

rd

Pharmacist

 

Charles

(27)
(28)

Re

Encryption

 

based

 

Sharing

Joint

 

work

 

with

 

Nishanth

Chandran

and

 

Vinod

Vaikuntanathan

(29)

An

 

example:

 

Cloud

 

storage

 

for

 

patient

 

health

 

records

Bob’s

 

health

 

record

Pharmacist

Research

 

Center

Sister

Doctor

Patient

 

Bob

Medications

Medications

Cardiology

X

Rays

Access

 

Policy

Doctor:

 

everything

Pharmacist:

 

medications

Research:

 

everything

 

except

 

mental

 

health

(30)

Encrypted

 

Cloud

 

Storage

Bob’s

 

health

 

record

Pharmacist

Research

 

Center

Sister

Doctor

Patient

 

Bob

Medications

Medications

Cardiology

X

Rays

Access

 

Policy

Doctor:

 

everything

Pharmacist:

 

medications

Research:

 

everything

 

except

 

mental

 

health

Sister:

 

medications

 

and

 

emergency

 

info

Encrypt

 

(31)

Encrypted

 

Cloud

 

Storage

Bob’s

 

health

 

record

Pharmacist

Research

 

Center

Sister

Doctor

Patient

 

Bob

Medications

Access

 

Policy

Doctor:

 

everything

Pharmacist:

 

medications

Research:

 

everything

 

except

 

mental

 

health

Sister:

 

medications

 

and

 

emergency

 

info

Encrypt

 

files

Medications

Cardiology

(32)

Encrypted

 

Cloud

 

Storage

Bob’s

 

health

 

record

Pharmacist

Research

 

Center

Sister

Doctor

Patient

 

Bob

Medications

Access

 

Policy

Doctor:

 

everything

Pharmacist:

 

medications

Research:

 

everything

 

except

 

mental

 

health

Sister:

 

medications

 

and

 

emergency

 

info

Encrypt

 

files

Medications

Cardiology

X

Rays

How

 

to

 

implement

 

access

 

policy??

(33)

Access

 

control

 

for

 

encrypted

 

data

How

 

can

 

we

 

implement

 

access

 

control

 

when

 

data

 

is

 

encrypted?

Our

 

goal:

Allow

 

server

 

to

 

perform

 

access

 

control

 

on

 

encrypted

 

data

Server

 

will:

take

 

files

 

encrypted

 

for

 

Bob

transform

 

them

 

into

 

files

 

encrypted

 

for

 

appropriate

 

recipient

 

without

 

decrypting

 

anything.

(34)

Access

 

control

 

for

 

encrypted

 

data:

 

Our

 

approach

Bob’s

 

health

 

record

Pharmacist

Research

 

Center

Sister

Doctor

Patient

 

Bob

Medications

Access

 

Policy

Doctor:

 

everything

Pharmacist:

 

medications

Research:

 

everything

 

except

 

mental

 

health

Sister:

 

medications

 

and

 

emergency

 

info

Encrypt

 

files

Medications

Cardiology

X

Rays

Generate

 

policy

 

token

Policy

 

token

Policy

 

token

Policy

Doctor:

 

everything

Pharmacist:

 

medications

Research:

 

everything

 

except

 

mental

 

health

Sister:

 

medications

 

and

 

emergency

 

info

(35)

Access

 

control

 

for

 

encrypted

 

data:

 

Our

 

approach

Bob’s

 

health

 

record

Pharmacist

Research

 

Center

Sister

Doctor

Patient

 

Bob

Medications

Access

 

Policy

Doctor:

 

everything

Pharmacist:

 

medications

Research:

 

everything

 

except

 

mental

 

health

Sister:

 

medications

 

and

 

emergency

 

info

Encrypt

 

files

Medications

Cardiology

X

Rays

Generate

 

policy

 

token

Policy

 

token

Policy

 

token

Policy

Doctor:

 

everything

Pharmacist:

 

medications

Research:

 

everything

 

except

 

mental

 

health

Sister:

 

medications

 

and

 

emergency

 

info

Policy

 

token

Policy

 

token

Policy

Doctor: everything

Pharmacist: medications

Research: everything except mental health

Sister: medications and emergency info

Policy

 

token

Policy

 

token

Policy

Doctor: everything

Pharmacist: medications

Research: everything except mental health

Sister: medications and emergency info

Policy

 

token

Policy

 

token

Policy

Doctor: everything

Pharmacist: medications

Research: everything except mental health

Sister: medications and emergency info

+

+

+

(36)

Access

 

control

 

for

 

encrypted

 

data:

 

Our

 

approach

Bob’s

 

health

 

record

Pharmacist

Research

 

Center

Sister

Doctor

Patient

 

Bob

Medications

Access

 

Policy

Doctor:

 

everything

Pharmacist:

 

medications

Research:

 

everything

 

except

 

mental

 

health

Sister:

 

medications

 

and

 

emergency

 

info

Encrypt

 

files

Medications

Cardiology

X

Rays

Generate

 

policy

 

token

Policy

 

token

Policy

 

token

Policy

Doctor:

 

everything

Pharmacist:

 

medications

Research:

 

everything

 

except

 

mental

 

health

Sister:

 

medications

 

and

 

emergency

 

info

Policy

 

token

Policy

 

token

Policy

Doctor: everything

Pharmacist: medications

Research: everything except mental health

Sister: medications and emergency info

Policy

 

token

Policy

 

token

Policy

Doctor: everything

Pharmacist: medications

Research: everything except mental health

Sister: medications and emergency info

Policy

 

token

Policy

 

token

Policy

Doctor: everything

Pharmacist: medications

Research: everything except mental health

Sister: medications and emergency info

+

+

+

Correct

 

recipients

 

retrieve

 

and

 

decrypt

(37)

Access

 

control

 

for

 

encrypted

 

data:

 

Our

 

approach

Bob’s

 

health

 

record

Pharmacist

Research

 

Center

Sister

Doctor

Patient

 

Bob

Medications

Access

 

Policy

Doctor:

 

everything

Pharmacist:

 

medications

Research:

 

everything

 

except

 

mental

 

health

Sister:

 

medications

 

and

 

emergency

 

info

Encrypt

 

files

Medications

Cardiology

X

Rays

Generate

 

policy

 

token

Policy

 

token

Policy

 

token

Policy

Doctor:

 

everything

Pharmacist:

 

medications

Research:

 

everything

 

except

 

mental

 

health

Sister:

 

medications

 

and

 

emergency

 

info

Policy

 

token

Policy

 

token

Policy

Doctor: everything

Pharmacist: medications

Research: everything except mental health

Sister: medications and emergency info

Policy

 

token

Policy

 

token

Policy

Doctor: everything

Pharmacist: medications

Research: everything except mental health

Sister: medications and emergency info

Policy

 

token

Policy

 

token

Policy

Doctor: everything

Pharmacist: medications

Research: everything except mental health

Sister: medications and emergency info

+

+

+

Correct

 

recipients

 

retrieve

 

and

 

decrypt

Server

 

can:

Transform

encrypted

 

files

 

into

 

files

 

readable

 

by

 

appropriate

recipients

Cannot

 

decrypt

or

 

read

 

any

 

files

(38)

Private

 

Access

 

Control

Want

 

“private

 

cloud”,

 

where

 

sensitive

 

data

 

is

 

hidden

 

even

 

from

 

cloud

 

operator

Previous

 

scenario:

 

server

 

can

 

implement

 

policy

 

but

 

cannot

 

decrypt

 

any

 

ciphertexts

But

 

sometimes

 

the

 

policy

 

itself

 

is

 

private!

E.g.:

Whether

 

patient

 

has

 

chosen

 

to

 

participate

 

in

 

research

 

project

 

Policy

 

for

 

mental

 

health

 

records

May

 

want

 

to

 

give

 

access

 

to

 

one

 

family

 

member

 

without

 

revealing

 

that

 

fact

 

to

 

others

Question:

 

Can

 

we

 

allow

 

the

 

same

 

functionality,

 

but

 

(39)

Access

 

control

 

for

 

encrypted

 

data:

 

Our

 

approach

Bob’s

 

health

 

record

Pharmacist

Research

 

Center

Sister

Doctor

Patient

 

Bob

Medications

Access

 

Policy

Doctor:

 

everything

Pharmacist:

 

medications

Research:

 

everything

 

except

 

mental

 

health

Sister:

 

medications

 

and

 

emergency

 

info

Encrypt

 

files

Medications

Cardiology

X

Rays

Generate

 

policy

 

token

Policy

 

token

Policy

 

token

Policy

Doctor:

 

everything

Pharmacist:

 

medications

Research:

 

everything

 

except

 

mental

 

health

Sister:

 

medications

 

and

 

emergency

 

info

Policy

 

token

Policy

 

token

Policy

Doctor: everything

Pharmacist: medications

Research: everything except mental health

Sister: medications and emergency info

Policy

 

token

Policy

 

token

Policy

Doctor: everything

Pharmacist: medications

Research: everything except mental health

Sister: medications and emergency info

Policy

 

token

Policy

 

token

Policy

Doctor: everything

Pharmacist: medications

Research: everything except mental health

Sister: medications and emergency info

+

+

+

Correct

 

recipients

 

retrieve

 

and

 

decrypt

(40)

Access

 

control

 

for

 

encrypted

 

data:

 

Our

 

approach

Bob’s

 

health

 

record

Pharmacist

Research

 

Center

Sister

Doctor

Patient

 

Bob

Medications

Access

 

Policy

Doctor:

 

everything

Pharmacist:

 

medications

Research:

 

everything

 

except

 

mental

 

health

Sister:

 

medications

 

and

 

emergency

 

info

Encrypt

 

files

Generate

 

policy

 

token

Policy

 

token

Policy

 

token

Policy

Doctor:

 

everything

Pharmacist:

 

medications

Research:

 

everything

 

except

 

mental

 

health

Sister:

 

medications

 

and

 

emergency

 

info

Policy

 

token

Policy

 

token

Policy

Doctor: everything

Pharmacist: medications

Research: everything except mental health

Sister: medications and emergency info

Policy

 

token

Policy

 

token

Policy

Doctor: everything

Pharmacist: medications

Research: everything except mental health

Sister: medications and emergency info

Policy

 

token

Policy

 

token

Policy

Doctor: everything

Pharmacist: medications

Research: everything except mental health

Sister: medications and emergency info

+

+

+

Correct

 

recipients

 

retrieve

 

and

 

decrypt

Medications

Cardiology

X

Rays

(41)

Access

 

control

 

for

 

encrypted

 

data:

 

Our

 

approach

Bob’s

 

health

 

record

Pharmacist

Research

 

Center

Sister

Doctor

Patient

 

Bob

Medications

Access

 

Policy

Doctor:

 

everything

Pharmacist:

 

medications

Research:

 

everything

 

except

 

mental

 

health

Sister:

 

medications

 

and

 

emergency

 

info

Encrypt

 

files

Generate

 

policy

 

token

Policy

 

token

Policy

 

token

Policy

 

token

Policy

 

token

Policy

 

token

Policy

 

token

Policy

 

token

Policy

 

token

+

+

+

Correct

 

recipients

 

retrieve

 

and

 

decrypt

Medications

Cardiology

X

Rays

Policy Doctor: everything Pharmacist: medications

Research: everything except mental health

Sister: medications and emergency info

Policy

Doctor: everything

Pharmacist: medications

Research: everything except mental health

Sister: medications and emergency info

Policy

Doctor: everything

Pharmacist: medications

Research: everything except mental health

Sister: medications and emergency info

Policy

Doctor:

 

everything

Pharmacist:

 

medications

Research:

 

everything

 

except

 

mental

 

health

Sister:

 

medications

 

and

 

emergency

 

info

(42)

Access

 

control

 

for

 

encrypted

 

data:

 

Our

 

approach

Bob’s

 

health

 

record

Pharmacist

Research

 

Center

Sister

Doctor

Patient

 

Bob

Medications

Access

 

Policy

Doctor:

 

everything

Pharmacist:

 

medications

Research:

 

everything

 

except

 

mental

 

health

Sister:

 

medications

 

and

 

emergency

 

info

Encrypt

 

files

Generate

 

policy

 

token

Policy

 

token

Policy

 

token

Policy

 

token

Policy

 

token

Policy

 

token

Policy

 

token

Policy

 

token

Policy

 

token

+

+

+

Correct

 

recipients

 

retrieve

 

and

 

decrypt

Medications

Cardiology

X

Rays

Policy Doctor: everything Pharmacist: medications

Research: everything except mental health

Sister: medications and emergency info

Policy

Doctor: everything

Pharmacist: medications

Research: everything except mental health

Sister: medications and emergency info

Policy

Doctor: everything

Pharmacist: medications

Research: everything except mental health

Sister: medications and emergency info

Policy

Doctor:

 

everything

Pharmacist:

 

medications

Research:

 

everything

 

except

 

mental

 

health

Sister:

 

medications

 

and

 

emergency

 

info

Server

 

can:

Transform

 

encrypted

 

files

 

into

 

files

 

readable

 

by

 

appropriate

 

recipients

Cannot

 

decrypt

 

or

 

read

 

any

 

files

Cannot

 

learn

anything

 

about

 

policy

(43)

Constructions

Private

 

access

 

control

 

on

 

encrypted

 

data

 

Hides

 

policy

 

and

 

tags

For

 

very

 

simple

 

policies

Construction

 

based

 

on

 

pairings

Relatively

 

mild

 

assumptions

 

about

 

pairing

 

curves

Can

 

also

 

achieve

 

more

 

efficient

 

constructions

 

where

Policy

 

and

 

tags

 

are

 

not

 

hidden

Fairly

 

general

 

formulas

Similar

 

to

 

work

 

on

 

outsourcing

 

ABE

 

decryption

 

[GHW

 

(44)

Advantages

Private

 

data

 

is

 

hidden

 

from

 

server:

 

Security

 

against

 

server

 

compromise,

 

theft,

 

untrusted

operators,

 

etc

As

 

secure

 

as

patient

 

downloading,

 

decrypting,

 

re

encrypting

Even

 

if

 

server

 

colludes

 

with

 

recipients

 

Patient

 

only

 

online

 

to

 

set/change

 

policy

Access

 

control

 

is

 

invisible

 

to

 

recipients

Decryptor’s

efficiency

 

independent

 

of

 

policy

Policy

 

is

 

hidden

 

from

 

recipients

(45)
(46)

Open

 

Issues

Additional

 

privacy

 

concerns

Key

 

backup

Identification

(47)

Conclusions

Electronic

 

Medical

 

Records

 

present

 

risks

 

to

 

privacy

Access

 

control

 

is

 

not

 

sufficient

Encryption

 

+

 

Patient

 

Control

 

is

 

the

 

right

 

approach

2

 

approaches

 

for

 

partial

 

access

 

when

 

files

 

are

 

encrypted

 

Hierarchical

 

sharing

(48)
(49)
(50)

References

Related documents

The Court further described the scope of s 718.2(e) as: placing 'a new empha- sis upon decreasing the use of incarceration' for Aboriginal offenders but providing

With the use of panel data constructed from the 1995 and 1997 Bulgarian Integrated Household Surveys, this paper explores the reallocation of male and female labor in Bulgaria

In the first scenario studied in this project (see Figure 4.12 and Annex B.1), the data is acquired from the Duemilanove Module, and a part of the application

If not enjoined by this Court, Defendants and their agents, representatives, and employees will continue to enforce the requirement that licensees maintain a principal place of

(E and F) Caco-2 cells were infected with MERS-CoV or MERS-Uganda chimeric viruses expressing RFP, showing microscopy images of cell monolayer and RFP expression with and

To more stringently assess the therapeutic potential of RDV and LPV/RTV-IFNb and to better model the human scenario where MERS-CoV patients most likely would initiate treatment

Cost to Collect is a subset of Cost to Operate and Maintain and additionally excludes insurance, supporting roadway expansion, maintaining bridges/roads, providing ongoing