8 research outputs found

    Privacy Preserving HIPAA-Compliant Access Control Model for Web Services

    Most modern health-related information is collected, maintained, and accessed through computerized systems. However, interaction with this information needs to comply with US federal regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Due to the complexity of healthcare regulations, it is not easy to deploy a compliant system, especially for heterogeneous systems designed to allow data transfer and communication. Web services can be used to solve the problem of intercommunication between incompatible systems; however, a generic model for HIPAA enforcement is required. In this paper we propose a generic HIPAA-compliant privacy access control model for web services that can be easily applied to any existing covered entity's web services.

    A Logical Method for Policy Enforcement over Evolving Audit Logs

    We present an iterative algorithm for enforcing policies represented in a first-order logic, which can, in particular, express all transmission-related clauses in the HIPAA Privacy Rule. The logic has three features that raise challenges for enforcement: uninterpreted predicates (used to model subjective concepts in privacy policies), real-time temporal properties, and quantification over infinite domains (such as the set of messages containing personal information). The algorithm operates over audit logs that are inherently incomplete and evolve over time. In each iteration, the algorithm provably checks as much of the policy as possible over the current log and outputs a residual policy that can only be checked when the log is extended with additional information. We prove correctness and termination properties of the algorithm. While these results are developed in a general form, accounting for many different sources of incompleteness in audit logs, we also prove that for the special case of logs that maintain a complete record of all relevant actions, the algorithm effectively enforces all safety and co-safety properties. The algorithm can significantly help automate enforcement of policies derived from the HIPAA Privacy Rule.
    Comment: Carnegie Mellon University CyLab Technical Report, 51 pages.
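    The iterative check described above, as an added toy illustration that is not the paper's algorithm or its logic: the policy is reduced to three hand-written clauses over a constructed audit log, and the residual policy is represented as the list of obligations the current log cannot yet decide. The event kinds, the purposes, the 30-day approval window and the rule that treatment needs no authorization are assumptions chosen for the illustration, not clauses taken from the HIPAA Privacy Rule or from the paper.

```python
"""Toy iterative policy check over a growing audit log.

Added illustration, not the algorithm from the paper. A residual policy is
modelled as a list of pending obligations with deadlines; each iteration
re-evaluates the whole policy against the current (longer) log snapshot.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Event:
    day: date
    kind: str          # "send" | "authorization" | "irb_approval" (assumed kinds)
    patient: str
    recipient: str = ""
    purpose: str = ""  # for "send": "treatment" | "marketing" | "research"
    msg_id: str = ""   # for "send"


@dataclass(frozen=True)
class Pending:
    """One obligation the current log can neither confirm nor refute yet."""
    msg_id: str
    needs: str
    deadline: date


IRB_WINDOW = timedelta(days=30)  # assumed deadline, not from the paper


def _authorized_before(log, send):
    # Past-time clause: a patient authorization must already be on the log.
    return any(e.kind == "authorization" and e.patient == send.patient
               and e.day <= send.day for e in log)


def _irb_approved_within(log, send):
    # Real-time clause: approval must arrive within IRB_WINDOW after the send.
    return any(e.kind == "irb_approval" and e.patient == send.patient
               and e.recipient == send.recipient
               and send.day <= e.day <= send.day + IRB_WINDOW for e in log)


def check(log, today):
    """One iteration: decide what the log decides, return (violations, residual)."""
    violations, residual = [], []
    for ev in log:
        if ev.kind != "send":
            continue
        if ev.purpose == "treatment":
            continue                                  # permitted without more
        if ev.purpose == "marketing":
            if not _authorized_before(log, ev):       # decidable from the past
                violations.append(ev.msg_id)
        elif ev.purpose == "research":
            if _irb_approved_within(log, ev):
                continue
            deadline = ev.day + IRB_WINDOW
            if today > deadline:                      # window closed: violation
                violations.append(ev.msg_id)
            else:                                     # still open: residual
                residual.append(Pending(ev.msg_id, "irb_approval", deadline))
        else:
            violations.append(ev.msg_id)              # unknown purpose: denied
    return violations, residual


def enforce(snapshots):
    """Run the check over successive (today, log) snapshots of a growing log."""
    return [check(log, today) for today, log in snapshots]


# Constructed sample log: two snapshots of the same growing log.
D = date(2024, 1, 1)
LOG_V1 = [
    Event(D, "authorization", "p1"),
    Event(D + timedelta(days=2), "send", "p1", "pharma", "marketing", "m1"),
    Event(D + timedelta(days=3), "send", "p2", "lab", "research", "m2"),
    Event(D + timedelta(days=4), "send", "p3", "insurer", "marketing", "m3"),
]
LOG_V2 = LOG_V1 + [Event(D + timedelta(days=20), "irb_approval", "p2", "lab")]
SNAPSHOTS = [(D + timedelta(days=5), LOG_V1), (D + timedelta(days=21), LOG_V2)]

if __name__ == "__main__":
    for (today, _), (viol, res) in zip(SNAPSHOTS, enforce(SNAPSHOTS)):
        print(today, "violations:", viol, "residual:", res)
```

    In the first snapshot the marketing send without a prior authorization (m3) is already a violation, while the research send (m2) only produces a residual obligation; the second snapshot extends the log with the approval and discharges it. Running the first snapshot with a later date shows the other outcome: once the window has closed with no approval, the residual turns into a violation. This is the difference the abstract draws between clauses decidable on the current log and clauses that can only be settled once the log is extended.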

    Privacy and contextual integrity: framework and applications


    A service-oriented privacy model for smart home environments

    Smart home technology is an application of ubiquitous computing that equips living environments with different types of sensors, actuators, and appliances under computer control to improve the quality of life for inhabitants. Services such as health and behavior monitoring, personalized customization of home operation, control and automation of the environment, and assistance with physical or mental tasks enable inhabitants to live safer, more comfortable, and more independent lives. Many commercial and research efforts are investigating the vast potential that smart homes and related products provide to assist the activities of daily living. However, the resulting efforts frequently suffer from two main limitations that hinder their widespread use. First, the resulting products are usually proprietary, offering closed services that are tailored to specific applications and cannot be easily reused or extended by other services in the smart home. Second, the invasiveness of the technology and the use of personal information may allow the privacy of the inhabitants to be violated.

    We have previously addressed the privacy issue by calling for a privacy policy-based framework [1][2] to control the collection, storage, use and dissemination of personal information in smart home environments. This framework supports several high-level goals, including promoting inhabitant awareness of the abilities of devices/services contained in the smart home space, using privacy policies that express the contextual nature of privacy, providing mechanisms and tool support for the authoring, deployment, enforcement, and auditing of privacy policies, as well as creating and verifying policy models to detect conflicts and incorrect specification of privacy policies. In this thesis, we focus on the modeling and verification of policies by proposing a combination of the service-oriented computing and privacy policy paradigms to create a preliminary privacy model for smart homes. We then offer an example scenario and discuss how we employ model checking techniques to verify various aspects of our proposed policy model. The major contributions of this work are four-fold: (1) We extend the notion of personal privacy to include the control of how household objects are used by smart home services. (2) We introduce the use of service-oriented computing to bind resources to the policy space. (3) We define a novel service-oriented privacy policy model that authorizes both the flow of personally sensitive data and the control of environment objects based on inhabitant preferences and various system contexts. (4) We introduce the use of model checking techniques to verify correctness properties of privacy policy models and their enforcement.

    The rest of the paper is organized as follows: section 2 gives background information about smart homes, information privacy, policy-based management in distributed systems, and model checking; section 3 presents existing privacy analyses and policy models; section 4 presents our novel privacy model; section 5 illustrates with an example scenario how model checking can be used to verify our privacy model; and section 6 concludes with discussion and future work. Appendix A contains model implementation files, and Appendix B contains property specification files.

    Privacy Preserving HIPAA-Compliant Access Control Model for Web Services

    Software applications are developed to help companies and organizations process and manage the data that support their daily operations. However, this data might contain sensitive client information that should be protected to ensure the clients' privacy. Besides losing the clients' trust, neglecting to ensure the privacy of client data may also be unlawful and inflict serious legal and financial consequences. Lately, different laws and regulations related to data privacy have been enacted, especially in vital sectors such as health care, finance, and accounting. Those regulations dictate how client data should be disclosed and transmitted within the organization as well as with external partners. The privacy rules in these laws and regulations present a challenge for software engineers who design and implement the software applications used in processing clients' private data. The difficulty is linked to the complexity and length of the letter of the law and to how to guarantee that the software application maintains the privacy of client data in compliance with the law. Some healthcare organizations are trying to perform their own interpretation of the law's privacy rules by creating custom systems. However, the problem with such an approach is that the margin of error while interpreting the letter of the law is high, especially with separate efforts carried out by individual companies. According to a survey carried out to check the Health Insurance Portability and Accountability Act (HIPAA) requirement interpretations created for medical and healthcare-related applications, none of the frameworks were well developed enough to capture the relationships specified in the law. To solve this problem, a standard framework is required that will analyze the regulatory text and provide a method to extract the relevant components that can be used during software role engineering and development.

    The extracted components will include all the possible arrangements of roles, purposes, permissions, temporal factors, and any obligations to be carried out. In this work we propose a framework to analyze, extract, model, and enforce the privacy requirements from HIPAA regulatory text. The framework's goal is to translate the text of the law's privacy rules into more manageable components in the form of entities, roles, purposes, and obligations. Those components together can be used as building blocks to create formal privacy policies. The process concentrates on two main components: entities and their roles, and data access context. To accomplish the first part, the framework will parse the privacy sections of the regulatory text to mine all the subjects, and then categorize those subjects into roles based on their characterization in the law. To acquire the access context, the process will extract all the purposes, temporal clauses and any obligations to be carried out, and classify them based on their permissibility.

    Architektur- und Werkzeugkonzepte für föderiertes Identitäts-Management (Architecture and Tool Concepts for Federated Identity Management)

    As an essential component of IT security management, Identity & Access Management (I&AM) covers all organizational and technical processes for administering an institution's service users and their authorizations; in doing so, the data holdings of a wide range of authoritative data sources, such as HR and customer management systems, are aggregated, correlated, and made available to IT services in prepared form. Federated Identity Management (FIM) aims to make the integrated data holdings created in this way usable across organizations as well; this functionality is needed ever more urgently, for example, in business-to-business cooperations, outsourcing scenarios, and grid computing. Avoiding redundancy and inconsistencies, but also the guaranteed availability of the data and compliance with data protection regulations, are particularly critical success factors here. With the Security Assertion Markup Language (SAML), the specifications of the Liberty Alliance, and WS-Federation as an integral part of the Web Services WS-* protocol stack, industrial and partially standardized technical approaches to FIM have emerged; their practical implementation, however, still frequently fails because of the insufficiently clarified, complex organizational embedding and technical shortcomings regarding integration into existing IT infrastructures.

    In this thesis, a thorough requirements analysis that is new in this scope is first carried out; in addition to I&AM and FIM, it also takes into account the user perspective, referred to as User-Centric Identity Management (UCIM). The more than 60 structured and weighted requirements focus on the integration of I&AM and FIM systems both on the side of the organization to which the users belong (identity provider) and at the respective service provider, and on the inclusion of organizational constraints as well as selected security and data protection aspects. Within a comprehensive, holistic architecture concept, a methodology for the systematic integration of FIM components into existing I&AM systems is then developed. Besides the precise specification of the technical system interfaces, which existing approaches lack, this thesis focuses on organizational integration from the perspective of IT service management, with particular attention to security management and change management according to ITIL. To compensate for further fundamental deficits of previous FIM approaches, five new FIM components are specified as part of a tool concept; they aim at improved interoperability between the FIM systems of the organizations participating in a so-called identity federation. In addition, a policy-based privacy management architecture based on the eXtensible Access Control Markup Language (XACML) is specified and integrated; it enables decentralized control of data releases by administrators and users and thus contributes essentially to compliance with data protection requirements.

    A description of the prototype implementation of the tool concepts, with a discussion of their performance, and the methodical application of the architecture concept to a complex, realistic scenario round off the thesis.

    Foundations of Security Analysis and Design III, FOSAD 2004/2005- Tutorial Lectures

    The increasing relevance of security to real-life applications, such as electronic commerce and Internet banking, is attested by the fast-growing number of research groups, events, conferences, and summer schools that address the study of foundations for the analysis and the design of security aspects. This book presents thoroughly revised versions of eight tutorial lectures given by leading researchers during two International Schools on Foundations of Security Analysis and Design, FOSAD 2004/2005, held in Bertinoro, Italy, in September 2004 and September 2005. The lectures are devoted to: Justifying a Dolev-Yao Model under Active Attacks, Model-based Security Engineering with UML, Physical Security and Side-Channel Attacks, Static Analysis of Authentication, Formal Methods for Smartcard Security, Privacy-Preserving Database Systems, Intrusion Detection, and Security and Trust Requirements Engineering.

    A toolkit for managing enterprise privacy policies

    Enterprise privacy enforcement allows enterprises to internally enforce a privacy policy that the enterprise has decided to comply with. An enterprise privacy policy often reflects different legal regulations, promises made to customers, as well as more restrictive internal practices of the enterprise. Further, it may allow customer preferences. Hence it may be authored, maintained, and audited in a distributed fashion. Our goal is to provide the tools for such management of enterprise privacy policies. The syntax and semantics are a superset of the Enterprise Privacy Authorization Language (EPAL) recently proposed by IBM. The basic definition is refinement, i.e., the question whether fulfilling one policy automatically fulfills another one. This underlies auditing of a policy against an old or new regulation or promise, and transferring data into a realm with a different policy. It is also the semantic basis for composition operators. We further define such composition operators for different purposes. Our main focus is to combine usability for enterprises, e.g., by treating multiple terminologies, incomplete data, and different types of errors and defaults, with the formal rigor needed to make privacy compliance meaningful and predictable.