Developing Trustworthy Database Systems for Medical Care

Developing Trustworthy Database Systems for Medical Care This research is supported by CERIAS and NSF grants from ANIR & IIS.Security and Safety of Medical Care EnvironmentObjectivesSafety of patientsSafety of hospital and clinicSecurity of medical databasesIssuesMedical care environments are vulnerable to malicious behavior, hostile settings, terrorism attacks, natural disasters, tamperingReliability, security, accuracy can affect timeliness and precision of information for patient monitoringCollaboration over networks among physicians/nurses, pharmacies, emergency personnel, law enforcement agencies, government and community leaders should be secure, private, reliable, consistent, correct and anonymousSecurity and Safety of Medical Care Environment – cont.MeasuresNumber of incidents per day in patient room, ward, or hospitalNon-emergency calls to nurses and doctors due to malfunctions, failures, or intrusionsFalse fire alarms, smoke detectors, pagers activationWrong information, data values, lost or delayed messagesTimeliness, accuracy, precisionAccess ControlFrom Yuhuia flawInformationSystemAuth. UsersOther UsersAccess ControlMechanism Authorized Users Validated credentials AND Cooperative and legitimate behavior history Other Users Lack of required credentials OR Non-cooperative or malicious behavior history Approach: trust- and role-based access control cooperates with traditional Role-Based Access Control (RBAC) authorization based on evidence, trust, and roles (user profile analysis)Using Trust and Roles for Access Controlusers’ behaviors credentialmgmtrole-assignment policies specified by system administratorsassigned rolescredentials provided by third parties or retrieved from the internetrole assignmentevidencestatementevidence statement, reliabilityevidenceevaluationissuer’s trust user/issuer information databaseuser’s trust trust informationmgmtArchitecture of TERM ServerComponent implementedComponent partially implementeduserTrust Enhanced Role-MappingServerSend rolesRBAC enhanced Web ServerRequest rolesRequest AccessRespondTraining Phase – Build ClustersInput: Training audit log record [X1, X2 ,,Xn, Role], where X1,,,Xn are attribute values, and Role is the role held by the userOutput: A list of centroid representations of clusters [M1, M2 ,, Mn, pNum, Role]Step 1: for every role Ri, create one cluster CiCi.role = Ri for every attribute Mk:Step 2: for every training record Reci calculateits Euclidean distance from existing clustersfind the closest cluster Cminif Cmin.role = Reci.rolethen reevaluate the attribute valueselse create new cluster Cj Cj.role = Reci.role for every attribute Mk: Cj.M k = Reci.MkClassification Phase – Detect Malicious UsersInput: cluster list, audit log record recfor every cluster Ci in cluster list calculate the distance between Rec and Cifind the closest cluster Cminif Cmin.role = Rec.role then return else raise alarmExperimental Study: Accuracy of Detection Accuracy of detection of malicious users by the classification algorithm ranges from 60% to 90 90% of misbehaviors can be identified in a friendly environment (in which fewer than 20% of behaviors are malicious) 60% of misbehaviors can be identified in an unfriendly environment (in which at least 90% of behaviors are malicious)Classification Algorithm for Access Controlto Detect Malicious UsersDefining role assignment policiesLoading evidence for role assignmentSoftware: TERM Server for Access ControlIntegrity Checking SystemsIntegrity Assertions (IAs)Predicates on values of database itemsExamplesCoordinate shift in a Korean plane shot down by U.S.S.R.IAs could have detected the errorHuman error: potassium result of 3.5 reported to ICU as 8.5IAs caught the errorTypes of IAsAllowable value range (e.g.: K_level  [3.0, 5.5], patient_age > 16)Relationships to values of other data (e.g.: Wishard_blood_test_results(CBC, electrol.) consistent_with Methodist_blood_test_results(CBC, electrol.) )Conditional value (e.g.: IF patient_on(dyzide) THEN K_trend = “decreasing”)TriggersFor surveillance of medical data and generating suggestions for doctorsPrivacy and AnonymityPrivacyProtecting sensitive data from unauthorized accessHealth Insurance Portability and Accountability Act (HIPAA)patients rights to request a restriction or limitation on the disclosure of protected health information (PHI)staff rightsAnonymityProtecting identity of the source of dataPreserving Privacy and Anonymity for Information Integration - ExamplesExample 1: Integration of hospital databases into research databaseHospitalDB1 – Mr. Smith coded as “A” (for anonymity)Hospital DB2 – Mr. Smith coded as “B”Research DB12 – assure that “A” = “B”Example 2: DB accessDB should not capture what User X did (anonymity)User X should not know more data in DB than needed (privacy)Privacy and Security of Network andComputer SystemsIntegrity and correctness of dataPrivacy of patient records and identificationProtect against changes to patient records or treatment planProtect against disabling monitoring devices, switching off/crashing computers, flawed software, disabling messagesDecrypting traffic, injection of new traffic, attacks from jamming devicesPrivacySecurity TrustApplications Policy makingFormal modelsNegotiation Network securityAnonymity Access controlSemantic web security Encryption Information hidingData miningSystem monitoringComputer epidemic Data provenance FraudBiometricsIntegrityEmerging Technologies:Sensors and Wireless CommunicationsChallenge: develop sensors that detect and monitor violations in medical care environment before a threat to life occursBio sensors to detect anthrax, viruses, toxins, bacteriachips coated with antibodies that attract a specific biological agentIon trap mass spectrometeraids in locating fingerprints of proteins to detect toxins or bacteriaNeutron-based detectorsdetect chemical, and nuclear materialsElectronic sensors, wireless devicesSensors in a Patient’s EnvironmentSafety and Security in Patient’s RoomMonitor the entrance and access to a patient’s roomMonitor activity patterns of devices connected to a patientProtect patients from neglect, abuse, harm, tampering, movement outside the safety zoneMonitor visitor clothing to guarantee hygiene and prevention of infectionsSafety and Security of the HospitalMonitor temperature, humidity, air qualityIdentify obstacles for mobile stretchersProtect access to FDA controlled products, narcotics, and special drugsMonitor tampering with medicine, fraud in prescriptionsProtect against electromagnetic attacks, power outages, and discharge of biological agentsResearch at PurdueCollaboration with Dr. Clement McDonald, Regenstrief Institute for Health Care, Indiana U. School of MedicineWeb Site: one million dollars in current support from:NSF, Cisco, Motorola, DARPASelected PublicationsB. Bhargava and Y. Zhong, "Authorization Based on Evidence and Trust", in Proc. of Data Warehouse and Knowledge Management Conference (DaWaK), Sept. 2002. E. Terzi, Y. Zhong, B. Bhargava, Pankaj, and S. Madria, "An Algorithm for Building User-Role Profiles in a Trust Environment", in Proc. of DaWaK, Sept. 2002 .A. Bhargava and M. Zoltowski, “Sensors and Wireless Communication for Medical Care,” in Proc. of 6th Intl. Workshop on Mobility in Databases and Distributed Systems (MDDS), Prague, Czech Republic, Sept. 2003.B. Bhargava, Y. Zhong, and Y. Lu, "Fraud Formalization and Detection", in Proc. of DaWaK, Prague, Czech Republic, Sept. 2003.