Title: Utilizing SELinux to Mandate Ultrasecure Access Control of Medical Records
1 Utilizing SELinux to Mandate Ultra-secure Access Control of Medical Records
- Professor Peter Croll
- Queensland University of Technology
- MEDINFO 2007
- Brisbane
2 Aims and Motivations
- Security, Privacy, Confidentiality: what are we talking about?
- What makes Health Information different?
- What are the real risks? Who are the adversaries?
- Sustainability of current approaches
- ...isn't this all just academic?
3 What is Security?
- The safety or safeguarding against danger
- A protection, guard, defence
- Securely fixed or attached
- Well-founded confidence, certainty
- Information Security?
- Focus on Information Security
Security vs. Safety: specifically digital electronic information
4 What is Privacy?
- What do we mean by Privacy?
- Physical Privacy
- Communication Privacy
- Personal Privacy
- Information Privacy?
- Focus on Information Privacy
Privacy vs. Security: specifically digital electronic information
WHAT YOU STARING AT?
Confidentiality: what you entrust to others
5 User name - password
Identification, Authentication, Authorization
6 Security technologies supporting Privacy
- What Security measures will provide adequate and acceptable Privacy with Health Information?
7 Security and Privacy failures
- Financial Errors
  - detectable and reversible with compensation
- Medical Errors
  - detectable and potentially irreversible damage
- Revealing Sensitive Information
  - not always detectable or notified BUT always irreversible
8 NO APPLICATION CAN BE MORE SECURE THAN THE MIDDLEWARE IT USES, THE OPERATING SYSTEM THEY RUN UPON, AND THE HARDWARE THAT UNDERLIES THE WHOLE.
IS 15408
9 Healthcare: A Vital and Viable Area for Research and Development into Hardened OS / Application Security
10 Scenario 1 (diagram)
Diagram labels: Trusted Computing Base; Shared Virtual Machine; MAC Policy Enforcement Server; Risk Evaluation (environment factors); Applications; Encrypted Channels; System status monitor; Layered Applications; Middleware; Control / Management Data; User Data; Networked Resources; Open Access; Trusted and Isolated Nodes
11 Scenario 2
12 Discretionary Access Controls
13 Discretionary Access Controls (diagram)
Diagram labels: Apache Web Server; Medical Application; DAC; ptrace; SU process
14 Problems with DAC
- Two levels of privilege
  - ordinary-user
    - Ability to change permissions of their files at will
  - super-user / administrator
    - Ability to execute kernel level processes
    - Restrict or extend the permissions of Ordinary Users
    - Can be unbounded
- Typical DAC Systems
  - Don't conform to Principle of Least Privilege
  - Don't implement domain separation
  - Don't implement role-based access control
  - Never intended for current environment
15 Mandatory Access Controls
- Centralized policy determined by enterprise
  - programs run in sandboxes that provide domain separation
  - all users are equally bound by the policy
  - no super-user
- Fine-grained control
  - User is enabled to act upon Objects
  - many-many relationship
  - has been characterized by poor scalability early on
- Orthogonal Role-based access technology
  - User acting in Role is enabled to act upon Objects
  - great reduction in number of configurations
  - can provide permission through inheritance
16 Three-tiered Architecture (diagram)
Application layer: Medical Application; Sanitizer; General Databases; Sensitive Databases; Encryption Primitives; Decryption Key; Privileged Sandboxes; Clinician Sandboxes
Operating System Layer: SELinux; Risk Assessment Unit; RBAC3 extensions; Policy Enforcement Server; Security Server
Hardware Layer: Decryption Key
17 Hardware Layer
- Trusted Platform Module
  - Key storage
  - Trusted boot
  - Remote attestation
- Limitations
  - Requires O/S support
  - Does not secure application layer without full trusted subsystems
  - See SELinux, RHEL-5, ..
18 Operating System Layer
- SELinux
  - Views system as sets of subjects and objects
  - Permissions between sets controlled by policy-driven domain definition table
- Challenges
  - Suitable RBAC
  - Large configuration files
  - Education and training / awareness
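As an added illustration (not code from the talk or from SELinux itself), a small Python model of the access decision described on slides 15 and 18: a domain definition table for the deck's clinician, sanitizer and privileged sandboxes, a role hierarchy with inheritance, and a mandatory check in which no user identity, and therefore no super-user, takes part. All domain, type and role names are assumptions chosen to mirror the three-tier diagram.

```python
from typing import Dict, FrozenSet, List, Set, Tuple

# Domain definition table (type enforcement): which operations a subject
# domain may perform on an object type. Anything not listed is denied.
# Domain and type names are assumptions modelled on the deck's diagram.
POLICY: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("clinician_t", "general_db_t"):      frozenset({"read", "write"}),
    ("clinician_t", "sanitized_t"):       frozenset({"read"}),  # sanitizer output only
    ("sanitizer_t", "sensitive_db_t"):    frozenset({"read"}),
    ("sanitizer_t", "sanitized_t"):       frozenset({"write"}),
    ("privileged_t", "sensitive_db_t"):   frozenset({"read", "write"}),
    ("privileged_t", "decryption_key_t"): frozenset({"read"}),
}

# RBAC layer: role -> (parent roles it inherits from, domains it may enter).
# Binding users to roles instead of to the full user x object matrix is the
# "great reduction in number of configurations" from slide 15.
ROLES: Dict[str, Tuple[Set[str], Set[str]]] = {
    "nurse_r":    (set(), {"clinician_t"}),
    "doctor_r":   ({"nurse_r"}, set()),       # inherits clinician_t from nurse_r
    "records_r":  (set(), {"sanitizer_t"}),
    "sysadmin_r": (set(), {"privileged_t"}),  # an admin role, not a super-user
}

AUDIT: List[str] = []  # AVC-style denial records for the system status monitor


def domains_for(role: str) -> Set[str]:
    """Domains a role may enter, including those inherited from parent roles."""
    parents, own = ROLES[role]
    reachable = set(own)
    for parent in parents:
        reachable |= domains_for(parent)
    return reachable


def allowed(role: str, domain: str, obj_type: str, op: str) -> bool:
    """Mandatory decision: the role must be permitted to enter the domain AND
    the domain definition table must list the operation. No user identity
    takes part, so no account can bypass or rewrite the policy at will."""
    if domain in domains_for(role) and op in POLICY.get((domain, obj_type), frozenset()):
        return True
    AUDIT.append(f"avc: denied {{ {op} }} scontext={role}:{domain} tcontext={obj_type}")
    return False
```

A clinician-domain request for `sensitive_db_t` is refused even for the admin role, and every refusal leaves a record in `AUDIT` that a status monitor can alert on.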
19 Final Architecture (diagram)
Application layer: Medical Application; Sanitizer; Sensitive Databases; General Databases; Encryption Primitives; Privileged Sandbox; Clinician Sandbox; Decryption Key
Operating System Layer: SELinux; Risk Assessment Unit; Policy Enforcement Server; Security Server
Hardware Layer: Decryption Key
21 Dr Steve Marsh, Director, Cabinet Office / UK Central Sponsor for Information Assurance (CSIA), 2 March 2006:
"SELinux: the only way for end-to-end application security. Ready NOW!"
22 Establishing critical issues with Privacy and Security (PS)
- 5 Ws
  - What are we protecting?
  - Who are our adversaries?
  - Will current technologies suffice (sustainable)?
  - Where are our qualified professional PS staff?
  - When do we take action?
23 What's been happening in Australia?
- National Health and Social Services Access (Smart) Card
- National E-Health Transition Authority
- Australian Law Reform Commission review of Privacy Laws
- NCRIS population health
- NHMRC - National statement on ethics
- Data Linkage technologies and centres
27 NEHTA Privacy and shared EHR
28 Privacy and Related Legislation in Australia
29 ALRC review of Privacy
30 Can legislation be neutral?
31 NHMRC National statement on ethics
32 National Statement on Ethical Conduct in Human Research
- individually identifiable data, where the identity of a specific individual can reasonably be ascertained. Examples of identifiers include the individual's name, image, date of birth or address
- re-identifiable data, from which identifiers have been removed and replaced by a code, but it remains possible to re-identify a specific individual by, for example, using the code or linking different data sets
- non-identifiable data, which have never been labelled with individual identifiers or from which identifiers have been permanently removed, and by means of which no specific individual can be identified. A subset of non-identifiable data are those that can be linked with other data so it can be known that they are about the same data subject, although the person's identity remains unknown.
33 PIA on smart homes
- Initial risk analysis indicates
  - Personal safety - location, movements
  - Emergency service or carer not informed, i.e. non-response to alarms, system failure
  - Revealing medical and private health information
  - Interfering with, or the integrity of, medical information
  - Inappropriate treatment or care
  - Info in wrong hands - Insurance, Pharmaceutical co., Government, Market research, etc.
  - Social isolation - nobody calls anymore
  - Nosiness
34 Maintaining anonymity
- The future starts with anonymity, where the end user controls identity
- Interface between real and virtual world
- No real names are used (allowed)
- This can be driven by real-world activities
- Partners (buddies) can be linked
- Trusted partners from the real world
36 Defining the scope
- 1. Privacy and Security
- 2. Health Information
Why combine PS? All of health information? All aspects? Legal, social, technical, ethical, organizational, political, individual, psychological, etc. Should we move towards a unified approach?
37 Aims
- Outline the critical issues with Privacy and Security (PS)
- Establish what PS covers in Health and Healthcare Services
- Outline what has been happening with PS in Australia and Internationally
- Where does Trust fit in?
- Discuss the way forward to an International approach
38 Establish what PS covers in Health and Healthcare Services
- EHR
- People
- Prescriptions
- Telehealth homecare
- ... are these all safety issues?