Medical institutions generate massive amounts of clinical data.
Such data is needed by scientists and medical practitioners for
research purposes and also to provide better care to the patients.
Inadvertent or malicious disclosure of such data to unauthorized
individuals or organizations may have catastrophic consequences.
Consequently, medical institutions must comply with federal and state policies when
they release sensitive medical data to others. The institutions are responsible for interpreting these rules and developing
their own data release procedures. In addition, the institutions often have their own operational protocols
and may impose additional security policies. Moreover, for reasons of security and privacy, the
patients should have control over what data is
released to individuals and also should be aware of how this data is
going to be used by the data requesters.
Access control and sharing of medical data thus poses unique challenges.
We are investigating how the various policies imposed
by the different stakeholders can be specified and enforced, keeping
in mind that the policies by the various agencies or the preferences
of the patient may change any time.
Role-based access control has been used to model the security policies of commercial organizations.
Although clinical data may be released to the health care providers
on the basis of roles, such a model is inadequate for disseminating
data to the researchers where the disclosure is dependent on the
attributes of the researcher.
Moreover, it fails to provide a flexible mechanism through
which patients as well as institutions can express their requirements.
It also fails to capture the purpose for which data will be
released to the various stakeholders. Patients may be unwilling to disclose
their data unless they know why the data requesters need access to the
data. The project looks at how attribute-based access control can address such challenges.
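As an added illustration of the argument above (example code, not part of the project described here), the following evaluator contrasts a role-only rule with an attribute- and purpose-aware one: an institutional policy that checks researcher attributes, plus per-patient preferences that name the purposes a patient accepts and the record categories they withhold. The attribute names, purposes and patient identifiers are assumptions chosen for the example.

```python
from dataclasses import dataclass

@dataclass
class Request:
    subject: dict   # requester attributes, e.g. role, irb_approved, training_complete (assumed names)
    resource: dict  # record attributes, e.g. patient_id, category (assumed names)
    purpose: str    # declared purpose of use, e.g. "treatment" or "research"

def rbac_policy(req):
    """Role-only rule: the role alone decides; purpose and attributes are ignored."""
    return "permit" if req.subject.get("role") in ("clinician", "researcher") else "deny"

def institutional_policy(req):
    """Institutional rule: clinicians for treatment; researchers only with IRB approval and training."""
    s = req.subject
    if s.get("role") == "clinician" and req.purpose == "treatment":
        return "permit"
    if (s.get("role") == "researcher" and req.purpose == "research"
            and s.get("irb_approved") and s.get("training_complete")):
        return "permit"
    return "deny"

class PatientPreferences:
    """Per-patient consent: accepted purposes and withheld categories; may change at any time."""

    def __init__(self):
        self._prefs = {}

    def update(self, patient_id, purposes, withheld=()):
        # Replacing the entry is how a patient changes their mind; later decisions see the new value.
        self._prefs[patient_id] = {"purposes": set(purposes), "withheld": set(withheld)}

    def evaluate(self, req):
        p = self._prefs.get(req.resource.get("patient_id"))
        if p is None:
            return "not_applicable"  # patient has expressed no preference
        if req.purpose not in p["purposes"] or req.resource.get("category") in p["withheld"]:
            return "deny"
        return "permit"

def decide(req, prefs):
    """Deny-overrides combination: the institution and the patient must both allow the release."""
    decisions = (institutional_policy(req), prefs.evaluate(req))
    return "deny" if "deny" in decisions else "permit"
```

A researcher lacking IRB approval is permitted by the role-only rule but denied by the combined policy, and revoking the "research" purpose in a patient's preferences denies an otherwise approved researcher without any change to the institutional rule.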
Another orthogonal problem arises when researchers need access to data coming from various autonomous healthcare providers having a subset of common patients.
Traditionally, such sharing is performed by sanitizing the identifying information from individual records. However, removing identifying information prevents sanitized
records belonging to the same patient from being linked together and prevents updates to the source information from being easily propagated to the sanitized records. We are
investigating solutions to this problem by utilizing the services of a third party that has only very limited ability to keep a secret,
and by encrypting the identification part used to link individual records with different keys. The schemes we are developing are based on strong security primitives that do not
require shared encryption keys.