Applications of Trusted Computing for Medical Privacy
Rachel Greenstadt
Jean-Francois Raymond
{greenie,jraymond}@eecs.harvard.edu
Portia Workshop on Sensitive Data
July 8, 2004
Applications of Trusted Computing for Medical Privacy p.1/18
Electronic Health Records
Buzz about EHRs for 40 years:
Ease sharing of patient records among practitioners
Improve patient safety, reduce medical errors
Support patient billing procedures
Reduce healthcare costs
Current status: Paper records mailed between providers, faxed in emergencies.
So, what's the problem?
Privacy and Liability Issues
Majority of Individuals Concerned about Medical Privacy
Discrimination--stigma of certain illnesses, medications
Disclosure might discourage treatment
Increased insurance premiums
Incidents of misuse increase concerns
Regulation (HIPAA)
Other Obstacles to EHR: cost of transition, finding good products, making business case
Traditional Security Methods Won't Work
Normally solved with access control and cryptography
Rules may not be followed after decryption
Heterogeneous Domains--Need human intervention for transfers between administrative domains
Compromised machines still a problem
But, these technologies are well established
Medical Privacy and DRM
Goals
Data-centric security across administrative domains
Prevent unauthorized use of sensitive data as well as unauthorized access
Same goal as Trusted Computing (TC) and Digital Rights Management (DRM)
Contrasts with "Traditional DRM Applications"
Similar tech: prevent rule circumvention
Need increased flexibility
Data may need to flow--lives at stake
Incentive structures are different:
Keeping honest people honest
Benefit to the consumer (bureaucracy, liability)
Power balances?
Better chance to succeed?
What is Trusted Computing (TC)?
Industry consortium to "Improve security and confidence in computer systems"
Many pages of specifications and chip (in IBM ThinkPads now)
Widely distrusted
Unpopular DRM uses
Can leverage monopoly power to create lock-in
Can it be useful in the medical privacy space?
What Does TC Buy?
Secure ID of remote computer R
Answers: Is R running software I trust? If yes, R will follow rules with regard to data I send
How does TC Work?
Consists of TPM chip and software specs
Provides a secure means for:
Verifying software integrity--hashes of software stored on chip in platform configuration registers (PCRs)
Sharing measurements--chip stores a key inaccessible to the machine administrator
Example: Allow decrypting a "blob" contingent on software measurements
Design Properties
Secure data transfer between administrative domains
Emergency overrides and secure audit
Hardware key management and encryption primitives for increased data security
Simple and transparent
File Transfer Example
Patient Alice is admitted to a hospital in N.Y., needs records transferred from D.C.
D.C. physician learns that N.Y. hospital has a machine with a TPM chip and a particular key
D.C. physician sends the records conditionally encrypted with the recipient's key--the records can only be opened if the PCR values of the machine are correct
Reading Files
When record is received:
Decrypted by TPM chip
PCR checks are executed
The signature is verified
If checks succeed:
Decrypted file is passed to the Secure Data Manager (SDM)
SDM looks up the Rule Set for the data
Polices access and usage for the administrative domain
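A toy model of the mechanism the "How does TC Work?", "File Transfer Example" and "Reading Files" slides describe: software measurements chained into a PCR, a blob bound to the expected PCR value, and the D.C. to N.Y. transfer that opens only on a correctly configured machine. This is added example code, not the authors' design or any TPM library; it assumes the N.Y. TPM's key is a symmetric key the sender already holds (a real TPM would expose a public key so the sender never holds a secret), uses a toy stream cipher in place of real encryption, and stops where the plaintext would be handed to the SDM.

```python
import hashlib
import hmac

def pcr_extend(pcr, measurement):
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def measure_boot(components):
    pcr = bytes(32)  # PCR reset value; every boot component is chained in, in order
    for c in components:
        pcr = pcr_extend(pcr, c)
    return pcr

def _xor_keystream(key, data):  # toy SHA-256 counter-mode stream cipher, illustration only
    blocks = len(data) // 32 + 1
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))

def wrap_record(record, recipient_key, expected_pcr):
    """Sender side (D.C.): the data key depends on the recipient's TPM key AND the PCR value."""
    k = hmac.new(recipient_key, b"seal" + expected_pcr, hashlib.sha256).digest()
    ct = _xor_keystream(k, record)
    tag = hmac.new(k, expected_pcr + ct, hashlib.sha256).digest()
    return {"policy_pcr": expected_pcr, "ct": ct, "tag": tag}

class SimTPM:
    """Toy TPM: one PCR plus a key the machine administrator cannot read out."""
    def __init__(self, key, boot_sequence):
        self._key = key
        self.pcr = measure_boot(boot_sequence)  # what actually ran on this machine
    def unseal(self, blob):
        """Release plaintext only if the live PCR matches the policy and the tag verifies."""
        if not hmac.compare_digest(self.pcr, blob["policy_pcr"]):
            return None  # wrong software configuration: refuse to decrypt
        k = hmac.new(self._key, b"seal" + blob["policy_pcr"], hashlib.sha256).digest()
        tag = hmac.new(k, blob["policy_pcr"] + blob["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, blob["tag"]):
            return None  # blob altered in transit
        return _xor_keystream(k, blob["ct"])

# Constructed sample values: the trusted boot chain, a patched SDM, the N.Y. TPM key.
GOOD_BOOT = [b"bios-1.0", b"bootloader-1.0", b"kernel-2.6", b"sdm-1.0"]
BAD_BOOT = GOOD_BOOT[:3] + [b"sdm-patched"]
NY_TPM_KEY = b"constructed-demo-key-for-ny-tpm!"

def transfer(actual_boot):
    """D.C. wraps Alice's record for the trusted N.Y. configuration; N.Y. tries to open it."""
    blob = wrap_record(b"Alice: penicillin allergy", NY_TPM_KEY, measure_boot(GOOD_BOOT))
    return SimTPM(NY_TPM_KEY, actual_boot).unseal(blob)
```

Calling transfer(GOOD_BOOT) returns the record, while transfer(BAD_BOOT) returns None because a modified SDM changes the PCR value the blob was bound to.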
Logging and Secure Overrides
What if the hospital isn't running a correct software configuration?
Some administrative domains should send data anyway
System can provide secure documentation of how the data left
Logging software can be protected with a PCR check
Limitations of TC
Physical Attacks
Small data items
Reading memory?
Underspecified
Microsoft NGSCB
New MS operating system, in development
Uses TPM-like hardware
Often associated/confused with TC
May solve the memory problems
Can cause widespread adoption of TC
Fitting in with HIPAA Regulations
HIPAA privacy rule specifies industry should use best practices
TC could improve these practices:
File transfer--improved security and efficiency
Secure Logging
Data security
Conclusions
DRM technology seems like the right answer
Can mediate trust between administrative domains
Not ready for prime time yet
Hardware chips in some computers (IBM laptops)
Most of software unimplemented
No one knows how it will play out
Architecture (layer diagram, top to bottom)
User:      App 1 | App 2
           SDM | TSS
Kernel
Hardware:  TPM