Healthcare Group: The 12 Stories
Peng (group lead), Paul, Bhavani, Le, Gail, Prabhakaran, Khan, Murat
Feb 19-20, 2009
NSF Data & Application Security Workshop, Arlington, VA

The Context (1)
Current status: electronic records & handwritten physician notes coexist
Obama's healthcare policy:
- Improved health
- Reduced costs
Future: EHR national standard, electronic records everywhere

The Context (2)
• Data characteristics
  • Structured; unstructured; semi-structured; multimedia
  • Time-series; data stream
  • Temporal vs. spatial dimensions
• 1: Patient records at a hospital and across hospitals
• 2: Remote healthcare at home
• 3: Data sharing for research
• 4: Doctors consult with other doctors
• 5: Medical info system
  • Billing fraud
• 6: Cyber-physical systems
  – Bugs in heart monitors

The main security issues

               Integrity    Privacy      Fraud
  Current      6 aspects    6 aspects    6 aspects
  Transition   6 aspects    6 aspects    6 aspects
  Future       unknown      unknown      unknown

Integrity + Current (1)
• Story 1: The Oklahoma state children health care database is a set of records contributed by physicians at multiple hospitals
  – The database is used to generate official state-level statistics
  – The database cannot generate correct statistics
    • Reason: the same kid has multiple records: "baby A", "baby B", "last name 1", "last name 2"
  – Research problem: the attribution problem

Integrity + Current (2)
• Story 2: My doctors, nurses, or lab technicians make mistakes; they told me that I am now 50 pounds heavier.
  – Reality checks
  – Consistency checks
  – Some kind of alarming measures
• Bigger research question: how to systematically cleanse health records?

Integrity + Transition
• Story 3: To create jobs, people are hired to type physicians' handwritten notes into computers
  – How to alert on human typing errors in real time?
  – Are these people trusted?
  – Do they really understand the notes?
Privacy + Current (1)
• Story 4: A patient's doctor wants to consult with other doctors (via an online forum) to get comments and second opinions:
  – How much to disclose?
  – How much is too much?
  – Via the online forum, an indirect inference attack could succeed through attribute aggregation & correlation (between related postings)
  – Can the patient have any "control" of this process?
  – Economic and social issues

Privacy + Current (2)
• Story 5: For research purposes, a provider can multicast need-driven data requests to her federated partners.
  Result: patient records are pulled together and then used by researchers: a great privacy threat
  • How to accommodate patients' concerns during data gathering?
  • Privacy-aware patient record integration
  • Patient record set anonymization
  • Group-based inference
  • Purpose-driven access control (PDAC)
    • The government may have a different purpose from researchers
    • How to do selective sharing?
    • Policy requirements

Privacy + Current (3)
• Story 6: RHIO (Regional Health InterOrganization) systems are being promoted by federal and state governments to let providers share patient records:
  – Privacy threats:
    – Query content privacy
    – Data location privacy
    – Patient location privacy
  – How to construct privacy-preserving RHIO systems?

Fraud + Current
• Story 7: A doctor double charges multiple insurance companies; an insurance company double bills
  – Fraud detection
  – Collusion attack
  – Healthcare info system auditing

Integrity + Current (3)
• Story 8: Bugs in medical devices could kill people (see Kevin Fu's paper).
  – In remote healthcare, could a criminal misuse the remote control channel to trigger bugs?
  – Bug isolation

Integrity + Current (4)
• Story 9: Data tampering leads to wrong diagnosis.
  – Prevent tampering: tamper-proofing
  – Integrity check
  – Tampering with real-time health condition monitoring data

Privacy + Current (4)
• Story 10: My hospital shares my X-ray images with researchers; however, these images could be used to reconstruct (the shape of) my face, which hurts privacy
  – Privacy-preserving digital image processing

Privacy + Current (5)
• Story 11: In remote healthcare, monitors send a data stream of health data to a remote doctor:
  – Correlation attacks to infer a sensitive medical condition
  – Time is critical: time series analysis

Privacy + Current (6)
• Story 12: A patient sits with doctor Bob at hospital A, asking for information from hospital B
  – The answer from hospital B: "I need to ask my lawyer now"; this process discontinues
  – Could need new delegation models
  – Need some assurance mechanisms
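As an added example for the fraud detection point in Story 7 (this is not part of the original slides), a minimal audit check over constructed claim records: it flags a service that one provider billed to more than one payer, and a service the same payer was billed for more than once. The claim fields, procedure codes and sample values are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Claim:
    claim_id: str
    provider: str
    patient: str
    procedure: str      # procedure code (assumed field; values are made up)
    service_date: str   # ISO date of the service
    payer: str          # insurer the claim was submitted to
    amount: float


# Constructed sample claims for the example; not real data.
SAMPLE_CLAIMS = [
    Claim("C1", "DrSmith", "P001", "99213", "2009-02-01", "InsA", 120.0),
    Claim("C2", "DrSmith", "P001", "99213", "2009-02-01", "InsB", 120.0),  # same visit billed to a 2nd insurer
    Claim("C3", "DrSmith", "P002", "99213", "2009-02-01", "InsA", 120.0),
    Claim("C4", "DrJones", "P003", "71020", "2009-02-03", "InsA", 80.0),
    Claim("C5", "DrJones", "P003", "71020", "2009-02-03", "InsA", 80.0),   # same service sent twice to InsA
]


def service_key(c):
    """One (provider, patient, procedure, date) tuple identifies a single delivered service."""
    return (c.provider, c.patient, c.procedure, c.service_date)


def find_double_charging(claims):
    """Services billed to more than one payer -> {service_key: sorted list of payers}.
    A multi-payer hit is an audit lead, not proof: legitimate secondary insurance
    (coordination of benefits) also produces one service with two payers, so the
    auditor still has to check whether the amounts were paid twice in full.
    """
    payers = defaultdict(set)
    for c in claims:
        payers[service_key(c)].add(c.payer)
    return {k: sorted(v) for k, v in payers.items() if len(v) > 1}


def find_duplicate_submissions(claims):
    """Same service submitted more than once to the same payer -> {key + payer: count}."""
    counts = defaultdict(int)
    for c in claims:
        counts[service_key(c) + (c.payer,)] += 1
    return {k: n for k, n in counts.items() if n > 1}


if __name__ == "__main__":
    print("billed to multiple payers:", find_double_charging(SAMPLE_CLAIMS))
    print("duplicate submissions:", find_duplicate_submissions(SAMPLE_CLAIMS))
```

Both checks only work when claims from several insurers are pooled, which is itself the kind of cross-organization data sharing the privacy stories on these slides worry about.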