17 research outputs found

    A Patient-centric, Attribute-based, Source-verifiable Framework for Health Record Sharing

    The storage of health records in electronic format, and the widespread sharing of these records among different health care providers, have enormous potential benefits to the U.S. healthcare system. These benefits include both improving the quality of health care delivered to patients and reducing the costs of delivering that care. However, maintaining the security of electronic health record systems and the privacy of the information they contain is paramount to ensure that patients have confidence in the use of such systems. In this paper, we propose a framework for electronic health record sharing that is patient centric, i.e. it provides patients with substantial control over how their information is shared and with whom; provides for verifiability of original sources of health information and the integrity of the data; and permits fine-grained decisions about when data can be shared based on the use of attribute-based techniques for authorization and access control. We present the architecture of the framework, describe a prototype system we have built based on it, and demonstrate its use within a scenario involving emergency responders' access to health record information.

    Design and implementation of an attribute-based authorization management system

    The proposed research is in the area of attribute-based authorization systems. We address two specific research problems in this area. First, evaluating authorization policies in multi-authority systems where there are multiple stakeholders in the disclosure of sensitive data. The research proposes to consider all the relevant policies related to authorization in real time upon the receipt of an access request and to resolve any differences that these individual policies may have in authorization. Second, to enable a lot of entities to participate in the authorization process by asserting attributes on behalf of the principal accessing resources. Since it is required that these asserted attributes be trusted by the authorization system, it is necessary that these entities are themselves trusted by the authorization system. Two frameworks are proposed to address these issues. In the first contribution a dynamic authorization system is proposed which provides conflict detection and resolution among applicable policies in a multi-authority system. The authorization system is dynamic in nature and considers the context of an access request to adapt its policy selection, execution and conflict handling based on the access environment. Efficient indexing techniques are used to increase the speed of authorization policy loading and evaluation. In the second contribution, we propose a framework for service providers to evaluate trust in entities asserting on behalf of service users in real time upon receipt of an access request. This trust evaluation is done based on a reputation system model, which is designed to protect itself against known attacks on reputation systems. Ph.D. Committee Chair: Blough, Douglas; Committee Member: Ahamad, Mustaque; Committee Member: Ji, Chuanyi; Committee Member: Liu, Ling; Committee Member: Riley, George; Committee Member: Russler, Danie

    AttributeTrust: A Framework for Evaluating Trust in Aggregated Attributes via a Reputation System

    To enable a rich attribute-based authorization system, it is desirable that a large number of user attributes are available, possibly provided by multiple entities. The user may be required to aggregate his attributes and present them to a service provider to prove he has the right to access some service. In this paper, we present AttributeTrust – a policy-based privacy enhanced framework for aggregating user attributes and evaluating confidence in these attributes. We envision a future where attribute providers will be commonplace and service providers will face the problem of choosing one among multiple attribute providers that can provide the same user attribute. In AttributeTrust, we address this problem by means of a reputation system model based on transitive trust. Entities express confidence in other entities to supply trusted attributes, forming chains from a service provider to different attribute providers. A service provider uses this transitive reputation to decide whether to accept a particular attribute from a specific attribute provider. We discuss how the AttributeTrust model prevents common attacks on reputation systems. AttributeTrust differs from the current approaches by deriving its attack resistance from its specific context of attribute provisioning, its voting mechanism formulation, and unique properties of its confidence relationships.

    Redactable Signatures on Data with Dependencies

    The storage of personal information by service providers entails a significant risk of privacy loss due to data breaches. One way to mitigate this problem is to limit the amount of personal information that is provided. Our prior work on minimal disclosure credentials presented a computationally efficient mechanism to facilitate this capability. In that work, personal data was broken into individual claims, which could be released in arbitrary subsets while still being cryptographically verifiable. In expanding the applications for that work, we encountered the problem of connections between different claims, which manifest as dependencies on the release of those claims. In this new work, we provide an efficient way to provide the same selective disclosure, but with cryptographic enforcement of dependencies between claims, as specified by the certifier of the claims. This constitutes a mechanism for redactable signatures on data with release dependencies. Our scheme was implemented and benchmarked over a wide range of input set sizes, and shown to verify thousands of claims in tens to hundreds of milliseconds. We also describe ongoing work in which the approach is being used within a larger system for holding and dispensing personal health records.

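    Weiterbildung als Potentialentwicklung und Kompetenzerwerb: Prämissen und Handlungsfelder [Continuing Education as Potential Development and Competence Acquisition: Premises and Fields of Action]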

    The values of data elements stored in biomedical databases often draw from biomedical ontologies. Authorization rules can be defined on these ontologies to control access to sensitive and private data elements in such databases. Authorization rules may be specified by different authorities at different times for various purposes, and as such policy rules may conflict with each other, inadvertently allowing access to sensitive information. Detecting policy conflicts is nontrivial because it involves identification of applicable rules and detecting conflicts among them dynamically during execution of data access requests. It also requires dynamically verifying conformance with required policies and logging relevant information about decisions for audit. Another problem in biomedical data protection is inference attacks, in which a user who has legitimate access to some data elements is able to infer information related to other data elements. This type of inadvertent data disclosure should be prevented by ensuring policy consistency; that is, data elements which can lead to inference about other data elements should be protected by the same level of authorization policies as the other data elements. We propose two strategies; one for detecting policy consistencies to avoid potential inference attacks and the other for detecting policy conflicts. We have implemented these algorithms in Java language and evaluated their execution times experimentally. Keywords: Authorization policy, Biomedical ontology, Inference attacks, Policy conflicts

    Prepubertal OVX increases IGF-I expression and bone accretion in C57BL/6J mice

    It is generally well accepted that the pubertal surge in estrogen is responsible for the rapid bone accretion that occurs during puberty and that this effect is mediated by an estrogen-induced increase in growth hormone (GH)/insulin-like growth factor (IGF) action. To test the cause and effect relationship between estrogen and GH/IGF, we evaluated the consequence of ovariectomy (OVX) in prepubertal mice (C57BL/6J mice at 3 wk of age) on skeletal changes and the GH/IGF axis during puberty. Contrary to our expectations, OVX increased body weight (12–18%), bone mineral content (11%), bone length (4%), bone size (3%), and serum, liver, and bone IGF-I (30–50%) and decreased total body fat (18%) at 3 wk postsurgery. To determine whether estrogen is the key ovarian factor responsible for these changes, we performed a second experiment in which OVX mice were treated with placebo or estrogen implants. In addition to observing similar results compared with our first experiment, estrogen treatment partially rescued the increased body weight and bone size and completely rescued body fat and IGF-I levels. The increased bone accretion in OVX mice was due to increased bone formation rate (as determined by bone histomorphometry) and increased serum procollagen peptide. In conclusion, contrary to the known estrogen effect as an initiator of GH/IGF surge and thereby pubertal growth spurt, our findings demonstrate that loss of estrogen and/or other hormones during the prepubertal growth period effect leads to an increase in IGF-I production and bone accretion in mice.