Healthcare Group Discussion Notes

Healthcare Group: The 12 Stories
Peng (group lead), Paul, Bhavani, Le, Gail, Prabhakaran, Khan, Murat
Feb 19-20, 2009
NSF Data & Application Security Workshop
Arlington, VA
The Context (1)
[Diagram: current status versus future]
• Current status: electronic records & handwritten physician notes coexist
• Obama's healthcare policy: improved health; reduced costs
• Future: EHR national standard; electronic records everywhere
The Context (2)
• Data characteristics: structured; unstructured; semi-structured; multimedia; time-series; data stream
• Temporal vs. spatial dimensions
• 1: Patient records at hospital and across hospitals
• 2: Remote healthcare at home
• 3: Data sharing for research
• 4: Doctors consult with other doctors
• 5: Medical info system
– Billing fraud
• 6: Cyber-physical systems
– Bugs in heart monitors
The main security issues

              Integrity   Privacy     Fraud
Current       6 aspects   6 aspects   6 aspects
Transition    6 aspects   6 aspects   6 aspects
Future        unknown     unknown     unknown
Integrity + Current (1)
• Story 1: The Oklahoma state children health
care database is a set of records contributed
by physicians at multiple hospitals
– The database is used to generate official state
level statistics
– The database cannot generate correct statistics
• Reason: the same kid has multiple records: “baby A”, “baby B”, “last name 1”, “last name 2”
• Research problem: the attribution problem
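Added example (not part of the workshop notes): a small record-linkage pass over constructed newborn records, showing why the raw record count and the count of distinct children differ when the same child appears as “Baby A”, under a first name, and under a hyphenated last name. The hospital ids, mother ids, the placeholder-name list and the blocking key are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample: five newborn records from three hospitals (hypothetical
# data, not from the state database described in the notes). r1-r3 are the
# same girl under different names; r4 is her twin brother; r5 is unrelated.
RECORDS = [
    {"rec_id": "r1", "hospital": "H1", "first": "Baby A", "last": "Smith",
     "dob": "2008-03-02", "mother_id": "M-100", "sex": "F"},
    {"rec_id": "r2", "hospital": "H1", "first": "Emily", "last": "Smith",
     "dob": "2008-03-02", "mother_id": "M-100", "sex": "F"},
    {"rec_id": "r3", "hospital": "H2", "first": "Emily", "last": "Smith-Jones",
     "dob": "2008-03-02", "mother_id": "M-100", "sex": "F"},
    {"rec_id": "r4", "hospital": "H1", "first": "Baby B", "last": "Smith",
     "dob": "2008-03-02", "mother_id": "M-100", "sex": "M"},
    {"rec_id": "r5", "hospital": "H3", "first": "Liam", "last": "Brown",
     "dob": "2008-05-10", "mother_id": "M-200", "sex": "M"},
]

# Hospital placeholder names that carry no identity information (constructed list).
PLACEHOLDER_FIRST = {"baby a", "baby b", "baby boy", "baby girl", "unknown"}


def norm_first(name):
    """Lower-case the first name; placeholders become None (unknown)."""
    n = " ".join(name.lower().split())
    return None if n in PLACEHOLDER_FIRST else n


def last_tokens(name):
    """Split a hyphenated or double last name into lower-case tokens."""
    return set(t for t in re.split(r"[\s\-]+", name.lower()) if t)


def compatible(a, b):
    """Two records in the same block may be the same child if their names do not conflict."""
    fa, fb = norm_first(a["first"]), norm_first(b["first"])
    first_ok = fa is None or fb is None or fa == fb
    last_ok = bool(last_tokens(a["last"]) & last_tokens(b["last"]))
    return first_ok and last_ok


def link_records(records):
    """Cluster records that refer to the same child.

    Blocking key (assumption): date of birth, mother id and sex. Within a block,
    records are merged transitively when their names are compatible. Returns
    sorted clusters of rec_ids.
    """
    parent = {r["rec_id"]: r["rec_id"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    blocks = defaultdict(list)
    for r in records:
        blocks[(r["dob"], r["mother_id"], r["sex"])].append(r)
    for group in blocks.values():
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if compatible(a, b):
                    parent[find(a["rec_id"])] = find(b["rec_id"])

    clusters = defaultdict(list)
    for r in records:
        clusters[find(r["rec_id"])].append(r["rec_id"])
    return sorted(sorted(c) for c in clusters.values())


def count_children(records):
    """The statistic the state actually wants: distinct children, not raw records."""
    return len(link_records(records))


if __name__ == "__main__":
    print(link_records(RECORDS))                  # [['r1', 'r2', 'r3'], ['r4'], ['r5']]
    print(len(RECORDS), count_children(RECORDS))  # 5 3
```

Two records with placeholder first names in the same block (same-sex twins both recorded as “Baby A”) would be merged by this rule, so in practice a linkage decision of this kind is flagged for human review rather than applied silently to the official statistics.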
Integrity + Current (2)
• Story 2: My doctors or nurses or lab
technicians make mistakes; they told me that I
am now 50 pounds heavier.
– Reality checks
– Consistency checks
– Some kind of alerting measures
• Bigger research question: How to
systematically cleanse health records?
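Added example (not part of the workshop notes): reality checks and consistency checks run over a constructed weight history for one patient, where different staff enter different units and one entry is 50 pounds off. The bounds (plausible single reading, plausible rate of change, spike size) and the staff ids are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date

LB_PER_KG = 2.20462
SINGLE_READING_LB = (4.0, 700.0)   # hypothetical hard bounds for one reading
MAX_LB_PER_DAY = 1.0               # hypothetical plausible sustained rate of change
SPIKE_LB = 20.0                    # hypothetical: this far from both neighbours is suspect


@dataclass
class Weight:
    patient_id: str
    recorded: date
    value: float
    unit: str          # "lb" or "kg": different staff enter different units
    entered_by: str


# Constructed sample (not from the notes): one patient's weights over two months.
SAMPLE = [
    Weight("p-001", date(2009, 1, 5), 160.0, "lb", "nurse-A"),
    Weight("p-001", date(2009, 1, 19), 161.5, "lb", "nurse-B"),
    Weight("p-001", date(2009, 2, 2), 73.0, "kg", "lab-tech-C"),   # kg entry, plausible
    Weight("p-001", date(2009, 2, 16), 211.0, "lb", "nurse-A"),    # typo: 50 lb heavier
    Weight("p-001", date(2009, 3, 2), 162.0, "lb", "nurse-B"),
]


def to_lb(w):
    """Normalise units before any comparison; an unknown unit is itself a data defect."""
    if w.unit == "lb":
        return w.value
    if w.unit == "kg":
        return w.value * LB_PER_KG
    raise ValueError(f"unknown unit {w.unit!r} in record entered by {w.entered_by}")


def reality_checks(records):
    """Per-record sanity: is the value physically possible at all?"""
    alerts = []
    for w in records:
        lb = to_lb(w)
        if not SINGLE_READING_LB[0] <= lb <= SINGLE_READING_LB[1]:
            alerts.append(("range", w.recorded.isoformat(),
                           f"{lb:.1f} lb outside plausible range"))
    return alerts


def consistency_checks(records):
    """Cross-record checks: rate of change between neighbours, and isolated spikes."""
    rs = sorted(records, key=lambda w: w.recorded)
    lbs = [to_lb(w) for w in rs]
    alerts = []
    for i in range(1, len(rs)):
        days = max((rs[i].recorded - rs[i - 1].recorded).days, 1)
        rate = abs(lbs[i] - lbs[i - 1]) / days
        if rate > MAX_LB_PER_DAY:
            alerts.append(("rate", rs[i].recorded.isoformat(),
                           f"{lbs[i] - lbs[i - 1]:+.1f} lb in {days} days ({rate:.2f} lb/day)"))
    for i in range(1, len(rs) - 1):
        # A single reading far from both neighbours, which agree with each other,
        # is most likely a data-entry error rather than a real change.
        if (abs(lbs[i] - lbs[i - 1]) > SPIKE_LB and abs(lbs[i] - lbs[i + 1]) > SPIKE_LB
                and abs(lbs[i + 1] - lbs[i - 1]) <= SPIKE_LB):
            alerts.append(("spike", rs[i].recorded.isoformat(),
                           f"isolated {lbs[i]:.1f} lb reading entered by {rs[i].entered_by}; "
                           f"neighbours {lbs[i - 1]:.1f} / {lbs[i + 1]:.1f}"))
    return alerts


def run_checks(records):
    """All alerts for one patient in chronological order, for a reviewer queue or alarm."""
    return sorted(reality_checks(records) + consistency_checks(records), key=lambda a: a[1])


if __name__ == "__main__":
    for kind, when, msg in run_checks(SAMPLE):
        print(f"{when} [{kind}] {msg}")
```

The rate check fires twice (going up to the bad reading and coming back down), while the spike check pinpoints the single bad record and who entered it, which is the alert a cleansing workflow would route back to that person for correction.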
Integrity + Transition
• Story 3: To create jobs, people are hired to
type physicians’ handwritten notes into
computers
– How to flag human typing errors in real time?
– Are these people trusted?
– Do they really understand the notes?
Privacy + Current (1)
• Story 4: A patient’s doctor wants to consult
with other doctors (via an online forum) to get
comments and second opinions:
– How much to disclose?
– How much is too much?
– Via the online forum, indirect inference attack could
succeed through attribute aggregation & correlation
(between related postings)
– Can the patient have any “control” of this process?
– Economic and social issues
Privacy + Current (2)
• Story 5: For research purposes, a provider can multicast need-driven data requests to her federated partners.
– Result: patient records are pulled together and then used by researchers: great privacy threat
– How to accommodate patients’ concerns during data gathering?
– Privacy-aware patient record integration
– Patient record set anonymization
– Group-based inference
– Purpose-driven access control (PDAC)
– The government may have a different purpose from researchers
– How to do selective sharing?
– Policy requirements
Privacy + Current (3)
• Story 6: RHIO (Regional Health Information Organization) systems are being promoted by federal and state governments to let providers share patient records:
– Privacy threats:
  – Query content privacy
  – Data location privacy
  – Patient location privacy
– How to construct privacy-preserving RHIO systems?
Fraud + Current
• Story 7: Doctor double charging multiple
insurance companies; insurance company
double billing
– Fraud detection
– Collusion attack
– Healthcare info system auditing
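Added example (not part of the workshop notes): the two double-billing patterns from Story 7 detected over a constructed claims feed, plus a per-provider duplicate share for auditing. The provider, patient and payer ids are hypothetical and the procedure codes are placeholders, not real billing codes.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Claim:
    claim_id: str
    provider: str
    patient: str
    procedure: str    # placeholder procedure codes, not real billing codes
    service_date: str
    payer: str
    amount: float


# Constructed claims feed (hypothetical providers, patients, payers).
CLAIMS = [
    Claim("c1", "prov-17", "pat-001", "PROC-A", "2009-01-05", "InsurerA", 120.0),
    Claim("c2", "prov-17", "pat-001", "PROC-A", "2009-01-05", "InsurerB", 120.0),  # same visit, 2nd insurer
    Claim("c3", "prov-17", "pat-002", "PROC-A", "2009-01-05", "InsurerA", 120.0),
    Claim("c4", "prov-42", "pat-003", "PROC-B", "2009-01-06", "InsurerA", 340.0),
    Claim("c5", "prov-42", "pat-003", "PROC-B", "2009-01-06", "InsurerA", 340.0),  # resubmitted, same insurer
    Claim("c6", "prov-42", "pat-004", "PROC-B", "2009-01-07", "InsurerB", 340.0),
    Claim("c7", "prov-99", "pat-005", "PROC-A", "2009-01-07", "InsurerA", 120.0),
]


def service_key(c):
    """One delivered service = one provider, one patient, one procedure, one date."""
    return (c.provider, c.patient, c.procedure, c.service_date)


def group_by_service(claims):
    groups = defaultdict(list)
    for c in claims:
        groups[service_key(c)].append(c)
    return groups


def cross_payer_duplicates(claims):
    """Same service billed to more than one insurer (the doctor double-charging story)."""
    hits = []
    for group in group_by_service(claims).values():
        if len({c.payer for c in group}) > 1:
            hits.append(tuple(sorted(c.claim_id for c in group)))
    return sorted(hits)


def same_payer_duplicates(claims):
    """Same service billed twice to the same insurer (the insurer double-billing story)."""
    hits = []
    for group in group_by_service(claims).values():
        by_payer = defaultdict(list)
        for c in group:
            by_payer[c.payer].append(c.claim_id)
        for ids in by_payer.values():
            if len(ids) > 1:
                hits.append(tuple(sorted(ids)))
    return sorted(hits)


def provider_audit(claims):
    """Share of each provider's claims caught by either check.

    Needs claims from all payers pooled together: a single insurer cannot see
    that the same visit was also billed to a competitor.
    """
    flagged = {cid for dup in cross_payer_duplicates(claims) + same_payer_duplicates(claims)
               for cid in dup}
    totals, bad = defaultdict(int), defaultdict(int)
    for c in claims:
        totals[c.provider] += 1
        if c.claim_id in flagged:
            bad[c.provider] += 1
    return {p: round(bad[p] / totals[p], 2) for p in totals}


if __name__ == "__main__":
    print(cross_payer_duplicates(CLAIMS))   # [('c1', 'c2')]
    print(same_payer_duplicates(CLAIMS))    # [('c4', 'c5')]
    print(provider_audit(CLAIMS))           # {'prov-17': 0.67, 'prov-42': 0.67, 'prov-99': 0.0}
```

The cross-payer check only works on a pooled view of claims from several insurers, which is exactly the kind of cross-organization record sharing whose privacy problems Stories 5 and 6 raise; the audit function therefore sits naturally with the information-system auditing bullet rather than inside any one insurer.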
Integrity + Current (3)
• Story 8: Bugs in medical devices could kill
people (see Kevin Fu’s paper).
– In remote healthcare, could a criminal misuse the
remote control channel to trigger bugs?
– Bug isolation
Integrity + Current (4)
• Story 9: Data tampering leads to wrong
diagnosis.
– Prevent tampering: tamper-proofing
– Integrity check
– Tampering of real-time health condition
monitoring data
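Added example (not part of the workshop notes): an integrity check for a real-time monitoring stream. Each sample carries an HMAC that also covers the previous sample's tag, so the receiver detects an altered value, a dropped sample or a reordered one at the first bad record. The key, the sample values and the record layout are constructed for the example.

```python
import hashlib
import hmac
import json

# Shared secret between the monitor and the receiving clinic (constructed demo
# value; a real device would hold a per-device key provisioned at manufacture).
KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64

# Constructed heart-rate samples: (unix timestamp, beats per minute).
SAMPLES = [(1234567890, 72), (1234567900, 74), (1234567910, 71),
           (1234567920, 75), (1234567930, 73)]


def _message(seq, ts, value, prev_tag):
    """Canonical bytes covered by the tag: sequence number, time, value, previous tag."""
    return json.dumps([seq, ts, value, prev_tag], separators=(",", ":")).encode()


def sign_stream(samples, key=KEY):
    """Monitor side: emit each sample with an HMAC that chains to the previous tag."""
    out, prev = [], GENESIS
    for seq, (ts, value) in enumerate(samples):
        tag = hmac.new(key, _message(seq, ts, value, prev), hashlib.sha256).hexdigest()
        out.append({"seq": seq, "ts": ts, "value": value, "tag": tag})
        prev = tag
    return out


def verify_stream(records, key=KEY):
    """Receiver side: (True, None, 'ok') or (False, index, reason) at the first bad record."""
    prev = GENESIS
    for i, r in enumerate(records):
        if r["seq"] != i:
            return (False, i, "sequence gap or reorder")
        expected = hmac.new(key, _message(r["seq"], r["ts"], r["value"], prev),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, r["tag"]):
            return (False, i, "tag mismatch")
        prev = r["tag"]
    return (True, None, "ok")


def demo():
    """Three transmissions: untouched, one value altered in transit, one sample dropped."""
    signed = sign_stream(SAMPLES)
    altered = [dict(r) for r in signed]
    altered[2]["value"] = 180          # a reading rewritten without the key
    dropped = signed[:3] + signed[4:]  # a sample removed mid-stream
    return {
        "clean": verify_stream(signed),
        "altered": verify_stream(altered),
        "dropped": verify_stream(dropped),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Two gaps remain that the receiver must close separately: truncating the stream at its tail is not visible to the chain, so the clinic should expect a sample every interval and alarm on silence, and replaying an entire earlier recording needs a per-session nonce or a check of the timestamps against the clock.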
Privacy + Current (4)
• Story 10: My hospital shares my X-ray images
with researchers; however, these images could
be used to reconstruct (the shape of) my face
→ hurts privacy
– Privacy-preserving digital image processing
Privacy + Current (5)
• Story 11: In remote healthcare, monitors send
a data stream of health data to a remote
doctor:
– Correlation attacks to infer sensitive medical
condition
– Time is critical: time series analysis
Privacy + Current (6)
• Story 12: A patient sits with doctor Bob at
hospital A, asking for information from
hospital B
– The answer from hospital B: “I need to ask my
lawyer” → now this process is discontinued
– Could need new delegation models
– Need some assurance mechanisms