Developing Trustworthy Database Systems for Medical Care
Bharat Bhargava¹ (PI), Mike Zoltowski², Arif Ghafoor², Leszek Lilien¹
¹ Department of Computer Sciences
² Department of Electrical and Computer Engineering
and Center for Education and Research in Information Assurance and Security (CERIAS)
Purdue University
bb@cs.purdue.edu, {mikedz, ghafoor}@ecn.purdue.edu, llilien@cs.purdue.edu
This research is supported by CERIAS and NSF grants from ANIR & IIS.
Security and Safety of Medical Care Environment
• Objectives
– Safety of patients
– Safety of hospital and clinic
– Security of medical databases
• Issues
– Medical care environments are vulnerable to malicious behavior, hostile settings, terrorism attacks, natural disasters, tampering
– Reliability, security, accuracy can affect timeliness and precision of information for patient monitoring
– Collaboration over networks among physicians/nurses, pharmacies, emergency personnel, law enforcement agencies, government and community leaders should be secure, private, reliable, consistent, correct and anonymous
Security and Safety of Medical Care Environment – cont.
• Measures
– Number of incidents per day in patient room, ward, or hospital
– Non-emergency calls to nurses and doctors due to malfunctions, failures, or intrusions
– False fire alarms, smoke detectors, pager activations
– Wrong information, data values, lost or delayed messages
– Timeliness, accuracy, precision
Access Control
[Figure: access control diagram – Authorized Users and Other Users submit requests to the Access Control Mechanism, which mediates access to the Information System]
• Authorized Users
– Validated credentials AND
– Cooperative and legitimate behavior history
• Other Users
– Lack of required credentials OR
– Non-cooperative or malicious behavior history
Using Trust and Roles for Access Control
• Approach: trust- and role-based access control cooperates with traditional Role-Based Access Control (RBAC)
– authorization based on evidence, trust, and roles (user profile analysis)
Architecture of TERM Server
[Figure: Trust Enhanced Role-Mapping (TERM) Server. Flow: the user sends Request Access to the RBAC-enhanced Web Server, which sends Request roles to the TERM Server; the TERM Server returns assigned roles (Send roles) and the Web Server responds to the user. Components inside the TERM Server: user/issuer information database; trust information mgmt (users' behaviors, user's trust, issuer's trust); evidence evaluation (evidence statement, reliability); credential mgmt (evidence statement; credentials provided by third parties or retrieved from the internet); role assignment (role-assignment policies specified by system administrators). Legend: component implemented / component partially implemented.]
Classification Algorithm for Access Control to Detect Malicious Users

Training Phase – Build Clusters
Input: Training audit log record [X1, X2, …, Xn, Role], where X1, …, Xn are attribute values and Role is the role held by the user
Output: A list of centroid representations of clusters [M1, M2, …, Mn, pNum, Role]
Step 1: for every role Ri, create one cluster Ci
    Ci.role = Ri
    for every attribute Mk: $C_i.M_k = \dfrac{\sum_{r.role = R_i} r.X_k}{\sum_{r.role = R_i} 1}$ (the mean of Xk over the training records held by role Ri)
Step 2: for every training record Reci calculate its Euclidean distance from existing clusters
    find the closest cluster Cmin
    if Cmin.role = Reci.role
        then reevaluate the attribute values
        else create new cluster Cj
            Cj.role = Reci.role
            for every attribute Mk: Cj.Mk = Reci.Xk

Classification Phase – Detect Malicious Users
Input: cluster list, audit log record Rec
for every cluster Ci in cluster list calculate the distance between Rec and Ci
find the closest cluster Cmin
if Cmin.role = Rec.role
    then return
    else raise alarm
Experimental Study: Accuracy of Detection
• Accuracy of detection of malicious users by the classification algorithm ranges from 60% to 90%
• 90% of misbehaviors can be identified in a friendly environment (in which fewer than 20% of behaviors are malicious)
• 60% of misbehaviors can be identified in an unfriendly environment (in which at least 90% of behaviors are malicious)
Prototype TERM Server for Access Control
[Screenshots: Defining role assignment policies; Loading evidence for role assignment]
Software: http://www.cs.purdue.edu/homes/bb/NSFtrust.html
Integrity Checking Systems
• Integrity Assertions (IAs)
– Predicates on values of database items
• Examples
– Coordinate shift in a Korean plane shot down by U.S.S.R.
  • IAs could have detected the error
– Human error: potassium result of 3.5 reported to ICU as 8.5
  • IAs caught the error
• Types of IAs
– Allowable value range (e.g.: K_level ∈ [3.0, 5.5], patient_age > 16)
– Relationships to values of other data (e.g.: Wishard_blood_test_results(CBC, electrol.) consistent_with Methodist_blood_test_results(CBC, electrol.))
– Conditional value (e.g.: IF patient_on(dyzide) THEN K_trend = "decreasing")
• Triggers
– For surveillance of medical data and generating suggestions for doctors
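The three kinds of IA listed above, evaluated over a patient record by a trigger that turns violations into suggestions for the doctor; this is an added illustration, not the poster's or Regenstrief's software. The record field names, the 0.5 mmol/L cross-hospital tolerance and the suggestion texts are assumptions.

```python
# Integrity assertions as (name, applies, holds) triples over a patient record dict.
# Field names and the 0.5 tolerance are assumptions made for this example.
ASSERTIONS = [
    ("K_level in [3.0, 5.5]",                                # allowable value range
     lambda r: "K_level" in r,
     lambda r: 3.0 <= r["K_level"] <= 5.5),
    ("patient_age > 16",                                     # allowable value range
     lambda r: "patient_age" in r,
     lambda r: r["patient_age"] > 16),
    ("Wishard_K consistent_with Methodist_K",                # relationship to other data
     lambda r: "Wishard_K" in r and "Methodist_K" in r,
     lambda r: abs(r["Wishard_K"] - r["Methodist_K"]) <= 0.5),
    ("IF patient_on(dyzide) THEN K_trend = decreasing",      # conditional value
     lambda r: "dyzide" in r.get("medications", ()),
     lambda r: r.get("K_trend") == "decreasing"),
]

# Constructed suggestion text the trigger sends to the doctor for each violated IA.
SUGGESTIONS = {
    "K_level in [3.0, 5.5]": "Potassium outside the allowed range: verify the lab value before acting on it",
    "patient_age > 16": "Patient age below the threshold: confirm demographics",
    "Wishard_K consistent_with Methodist_K": "Potassium differs between hospitals: repeat the electrolyte panel",
    "IF patient_on(dyzide) THEN K_trend = decreasing": "Potassium not falling on dyzide: review the medication record",
}

def check_record(rec, assertions=ASSERTIONS):
    """Evaluate every IA that applies to the record; return the names of the violated ones."""
    return [name for name, applies, holds in assertions if applies(rec) and not holds(rec)]

def trigger(rec, assertions=ASSERTIONS):
    """Surveillance trigger: map each violated IA to a suggestion for the doctor."""
    return [SUGGESTIONS[name] for name in check_record(rec, assertions)]

# Constructed record reproducing the poster's transcription error: 3.5 reported to the ICU as 8.5.
ICU_REPORT = {"patient_age": 54, "K_level": 8.5, "medications": ["dyzide"], "K_trend": "increasing"}

if __name__ == "__main__":
    for s in trigger(ICU_REPORT):
        print("SUGGESTION:", s)
```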
Privacy and Anonymity
• Privacy
– Protecting sensitive data from unauthorized access
  • Health Insurance Portability and Accountability Act (HIPAA)
  • patients' rights to request a restriction or limitation on the disclosure of protected health information (PHI)
  • staff rights
• Anonymity
– Protecting identity of the source of data
Preserving Privacy and Anonymity for Information Integration – Examples
• Example 1: Integration of hospital databases into research database
– Hospital DB1: Mr. Smith coded as "A" (for anonymity)
– Hospital DB2: Mr. Smith coded as "B"
– Research DB12: assure that "A" = "B"
• Example 2: DB access
– DB should not capture what User X did (anonymity)
– User X should not know more data in DB than needed (privacy)
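One standard way to meet the "A" = "B" requirement of Example 1, keyed pseudonymization, shown as an added example; the poster does not state which coding mechanism it uses, and the hospital tables, the field names and the shared linkage key are constructed for this illustration.

```python
import hmac
import hashlib

# Constructed linkage key shared by the hospitals only; the research DB never holds it.
LINK_KEY = b"constructed-demo-linkage-key"

def pseudonym(name, dob, key=LINK_KEY):
    """Keyed code for a patient: identical at every hospital that holds the key,
    not invertible to the identity by anyone who lacks it."""
    ident = f"{name.strip().lower()}|{dob}".encode()
    return hmac.new(key, ident, hashlib.sha256).hexdigest()

def export_for_research(rows, key=LINK_KEY):
    """Hospital-side export: replace the identity fields by the code, keep the clinical fields."""
    out = []
    for r in rows:
        clinical = {k: v for k, v in r.items() if k not in ("name", "dob")}
        out.append({"code": pseudonym(r["name"], r["dob"], key), **clinical})
    return out

def integrate(*exports):
    """Research DB12: group records by code, so "A" from DB1 and "B" from DB2 line up
    without the research side ever receiving a name or date of birth."""
    merged = {}
    for export in exports:
        for row in export:
            merged.setdefault(row["code"], []).append(row)
    return merged

# Constructed hospital tables; the same Mr. Smith appears in both with different spacing and case.
HOSPITAL_DB1 = [{"name": "John Smith", "dob": "1960-04-02", "K_level": 3.5},
                {"name": "Ann Jones", "dob": "1975-11-30", "K_level": 4.1}]
HOSPITAL_DB2 = [{"name": "john smith ", "dob": "1960-04-02", "K_level": 3.7}]

if __name__ == "__main__":
    db12 = integrate(export_for_research(HOSPITAL_DB1), export_for_research(HOSPITAL_DB2))
    for code, rows in db12.items():
        print(code[:12], [r["K_level"] for r in rows])
```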
Privacy and Security of Network and Computer Systems
• Integrity and correctness of data
• Privacy of patient records and identification
• Protect against changes to patient records or treatment plan
• Protect against disabling monitoring devices, switching off/crashing computers, flawed software, disabling messages
• Decrypting traffic, injection of new traffic, attacks from jamming devices
[Figure: research topic map – Information hiding, Applications, Fraud, Privacy, Integrity, Negotiation, Access control, Data provenance, Semantic web security, Security, Biometrics, Trust, Policy making, Computer epidemic, Encryption, Anonymity, Data mining, Formal models, System monitoring, Network security]
Emerging Technologies: Sensors and Wireless Communications
• Challenge: develop sensors that detect and monitor violations in medical care environment before a threat to life occurs
– Bio sensors to detect anthrax, viruses, toxins, bacteria
  • chips coated with antibodies that attract a specific biological agent
– Ion trap mass spectrometer
  • aids in locating fingerprints of proteins to detect toxins or bacteria
– Neutron-based detectors
  • detect chemical and nuclear materials
– Electronic sensors, wireless devices
Sensors in a Patient's Environment
• Safety and Security in Patient's Room
– Monitor the entrance and access to a patient's room
– Monitor activity patterns of devices connected to a patient
– Protect patients from neglect, abuse, harm, tampering, movement outside the safety zone
– Monitor visitor clothing to guarantee hygiene and prevention of infections
• Safety and Security of the Hospital
– Monitor temperature, humidity, air quality
– Identify obstacles for mobile stretchers
– Protect access to FDA controlled products, narcotics, and special drugs
– Monitor tampering with medicine, fraud in prescriptions
– Protect against electromagnetic attacks, power outages, and discharge of biological agents
Research at Purdue
• Collaboration with Dr. Clement McDonald, Regenstrief Institute for Health Care, Indiana U. School of Medicine
• Web Site: http://www.cs.purdue.edu/homes/bb/
• Over one million dollars in current support from: NSF, Cisco, Motorola, DARPA
Selected Publications
1. B. Bhargava and Y. Zhong, "Authorization Based on Evidence and Trust", in Proc. of Data Warehouse and Knowledge Management Conference (DaWaK), Sept. 2002.
2. E. Terzi, Y. Zhong, B. Bhargava, Pankaj, and S. Madria, "An Algorithm for Building User-Role Profiles in a Trust Environment", in Proc. of DaWaK, Sept. 2002.
3. A. Bhargava and M. Zoltowski, "Sensors and Wireless Communication for Medical Care", in Proc. of 6th Intl. Workshop on Mobility in Databases and Distributed Systems (MDDS), Prague, Czech Republic, Sept. 2003.
4. B. Bhargava, Y. Zhong, and Y. Lu, "Fraud Formalization and Detection", in Proc. of DaWaK, Prague, Czech Republic, Sept. 2003.