Utilizing SELinux to Mandate Ultrasecure Access Control of Medical Records - PowerPoint PPT Presentation

1
Utilizing SELinux to Mandate Ultra-secure Access
Control of Medical Records
  • Professor Peter Croll
  • Queensland University of Technology
  • MEDINFO 2007
  • Brisbane

2
Aims and Motivations
  • Security, Privacy, Confidentiality: what are we
    talking about?
  • What makes Health Information different?
  • What are the real risks, and who are the
    adversaries?
  • Sustainability of current approaches
  • ...isn't this all just academic?

3
What is Security?
  • The safety or safeguarding against danger
  • A protection, guard, defence
  • Securely fixed or attached
  • Well-founded confidence, certainty
  • Information Security?
  • Focus on Information Security
  • Security ≠ Safety
  • specifically digital electronic information

4
What is Privacy?
  • What do we mean by Privacy?
  • Physical Privacy
  • Communication Privacy
  • Personal Privacy
  • Information Privacy?
  • Focus on Information Privacy
  • Privacy ≠ Security
  • specifically digital electronic information

WHAT YOU STARING AT?
Confidentiality: what you entrust to others
5
User name - password
Identification Authentication Authorization
6
Security technologies supporting Privacy
  • what Security measures will provide adequate and
    acceptable Privacy with Health Information?

7
Security and Privacy failures
  • Financial Errors
      • detectable and reversible with compensation
  • Medical Errors
      • detectable and potentially irreversible damage
  • Revealing Sensitive Information
      • not always detectable or notified, BUT
        irreversible - always

8
"NO APPLICATION CAN BE MORE SECURE THAN THE
MIDDLEWARE IT USES, THE OPERATING SYSTEM THEY
RUN UPON, AND THE HARDWARE THAT UNDERLIES THE
WHOLE."
IS 15408
9
Healthcare: A Vital and Viable Area for Research &
Development into Hardened OS / Application
Security
10
Scenario 1
(architecture diagram; labels only) Trusted Computing Base;
Shared Virtual Machine; MAC Policy Enforcement Server;
Risk Evaluation (environment factors); Applications;
Layered Applications; Middleware; Encrypted Channels;
System status monitor; Control / Management Data;
User Data; Networked Resources; Open Access;
Trusted and Isolated Nodes
11
Scenario 2
12
Discretionary Access Controls
13
Discretionary Access Controls
(diagram; labels only) Apache Web Server; Medical
Application; DAC; ptrace; SU process
14
Problems with DAC
  • Two levels of privilege
      • ordinary-user
          • Ability to change permissions of their files at
            will
      • super-user / administrator
          • Ability to execute kernel level processes
          • Restrict or extend the permissions of Ordinary
            Users
          • Can be unbounded
  • Typical DAC Systems
      • Don't conform to Principle of Least Privilege
      • Don't implement domain separation
      • Don't implement role-based access control
      • Never intended for current environment

15
Mandatory Access Controls
  • Centralized policy determined by enterprise
      • programs run in sandboxes that provide domain
        separation
      • all users are equally bound by the policy
      • no super-user
  • Fine-grained control
      • User is enabled to act upon Objects
      • many-many relationship
      • has been characterized by poor scalability early
        on
  • Orthogonal Role-based access technology
      • User acting in Role is enabled to act upon
        Objects
      • great reduction in number of configurations
      • can provide permission through inheritance

16
Three-tiered Architecture
(architecture diagram; labels only)
Application layer: Medical Application; Sanitizer;
General Databases; Sensitive Databases; Encryption
Primitives; Decryption Key; Privileged Sandboxes;
Clinician Sandboxes
Operating System Layer: SELinux; Risk Assessment Unit;
RBAC3 extensions; Policy Enforcement Server; Security
Server
Hardware Layer: Decryption Key
17
Hardware Layer
  • Trusted Platform Module
      • Key storage
      • Trusted boot
      • Remote attestation
  • Limitations
      • Requires O/S support
      • Does not secure application layer without full
        trusted subsystems
      • See SELinux, RHEL-5, ..

18
Operating System Layer
  • SELinux
      • Views system as sets of subjects and objects
      • Permissions between sets controlled by
        policy-driven domain definition table
  • Challenges
      • Suitable RBAC
      • Large configuration files
      • Education and training / awareness
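
The "policy-driven domain definition table" on this slide, and the DAC problems and MAC properties listed on slides 13 to 15 (owner-controlled permissions, an unbounded super-user, the Apache / medical application / ptrace picture), can be made concrete with a small SELinux type-enforcement module. The following is an added example written for this transcript; it is not code from the presentation or from the presenter's project. It assumes the SELinux reference policy (its httpd_t domain for Apache, and its policy_module, domain_type, domain_entry_file and files_type macros); the type names medapp_t, medapp_exec_t, medrec_db_t and medrec_key_t, and the path /srv/medrec mentioned below, are invented for the example.

```selinux
# Added example (not from the presentation): a minimal SELinux
# type-enforcement module that confines a hypothetical medical
# application to its own domain and keeps the web tier (httpd_t,
# the reference policy's Apache domain) away from the record store
# and the decryption key. All medapp_*/medrec_* names are assumed.
policy_module(medapp, 1.0.0)

require {
    type httpd_t;
}

# Subjects: the application runs in medapp_t once a binary labelled
# medapp_exec_t is executed (domain_type / domain_entry_file are
# reference-policy macros).
type medapp_t;
type medapp_exec_t;
domain_type(medapp_t)
domain_entry_file(medapp_t, medapp_exec_t)

# Objects: record files and the key file get their own types, so the
# policy, not the file's owner, decides who may touch them.
type medrec_db_t;
files_type(medrec_db_t)
type medrec_key_t;
files_type(medrec_key_t)

# The domain definition table. Only medapp_t may read or write
# records and read the key; nothing grants httpd_t anything, and
# SELinux denies whatever is not allowed. (Search permission on the
# parent directories is omitted for brevity.)
allow medapp_t medrec_db_t:file { getattr open read write append };
allow medapp_t medrec_key_t:file { getattr open read };

# Make the separation an assertion rather than an absence of rules:
# a later edit to the policy cannot let the web server read the key
# or attach to the application with ptrace (the path drawn on the
# DAC slide) without failing the policy build.
neverallow httpd_t medrec_key_t:file *;
neverallow httpd_t medapp_t:process ptrace;
```

Build and load it with the policy development Makefile shipped in selinux-policy-devel on Fedora/RHEL (make -f /usr/share/selinux/devel/Makefile medapp.pp, then semodule -i medapp.pp), and label the files in a companion medapp.fc, for example /srv/medrec(/.*)? gen_context(system_u:object_r:medrec_db_t,s0), followed by restorecon -R /srv/medrec. Two of the slides' points show up directly: a clinician who chmods a record file to 0666 gains nothing for the web tier, because both the DAC check and the type-enforcement check must pass; and the neverallow lines turn the separation into a build-time check (semodule enforces them when expand-check is enabled in /etc/selinux/semanage.conf). One caveat on the "no super-user" bullet: it holds only where there is no unconfined domain, so the slide's model assumes a strict or MLS policy base rather than a default targeted policy in which root's shell runs unconfined. Launching the application from a user's login domain would additionally need a domain_auto_trans rule from that domain onto medapp_exec_t, which is not shown here.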

19
Final Architecture
(architecture diagram; labels only)
Application layer: Medical Application; Sanitizer;
Sensitive Databases; General Databases; Encryption
Primitives; Privileged Sandbox; Clinician Sandbox;
Decryption Key
Operating System Layer: SELinux; Risk Assessment Unit;
Policy Enforcement Server; Security Server
Hardware Layer: Decryption Key
20
(No Transcript)
21
Dr Steve Marsh, Director, Cabinet Office /
UK Central Sponsor for Information Assurance
(CSIA), 2 March 2006:
"SELinux: the only way for end-to-end
application security. Ready NOW!"
22
Establishing critical issues with Privacy and
Security (P&S)
  • 5Ws
  • What are we protecting?
  • Who are our adversaries?
  • Will current technologies suffice (sustainable)?
  • Where are our qualified professional P&S staff?
  • When do we take action?

23
What's been happening in Australia?
  • National Health and Social Services Access
    (Smart) Card
  • National E-Health Transition Authority
  • Australian Law Reform Commission review of
    Privacy Laws
  • NCRIS population health
  • NHMRC - National statement on ethics
  • Data Linkage technologies and centres

24
(No Transcript)
25
(No Transcript)
26
(No Transcript)
27
NEHTA Privacy and shared EHR
28
Privacy and Related Legislation in Australia
29
ALRC review of Privacy
30
can legislation be neutral?
31
NHMRC National statement on ethics
32
National Statement on Ethical Conduct in Human
Research
  • individually identifiable data, where the
    identity of a specific individual can reasonably
    be ascertained. Examples of identifiers include
    the individual's name, image, date of birth or
    address
  • re-identifiable data, from which identifiers have
    been removed and replaced by a code, but it
    remains possible to re-identify a specific
    individual by, for example, using the code or
    linking different data sets
  • non-identifiable data, which have never been
    labelled with individual identifiers or from
    which identifiers have been permanently removed,
    and by means of which no specific individual can
    be identified. A subset of non-identifiable data
    are those that can be linked with other data so
    it can be known that they are about the same data
    subject, although the person's identity remains
    unknown.

33
PIA on smart homes
  • Initial risk analysis indicates
      • Personal safety - location, movements
      • Emergency service or carer not informed, i.e.
        non-response to alarms, system failure
      • Revealing medical and private health information
      • Interfering with, or the integrity of, medical
        information
      • Inappropriate treatment or care
      • Info in wrong hands - Insurance, Pharmaceutical
        co., Government, Market research, etc.
      • Social isolation - nobody calls anymore
      • Nosiness

34
maintaining anonymity
  • The future starts with anonymity, where the end
    user controls identity
  • Interface between real and virtual world
  • No real names are used (allowed)
  • This can be driven by real-world activities
  • Partners (buddies) can be linked
  • Trusted partners from the real world

35
  • Thank you!

36
defining the scope
  • 1. Privacy and Security
  • 2. Health Information

Why combine P&S? All of health information? All
aspects? - Legal, social, technical, ethical,
organizational, political, individual,
psychological, etc. Should we move towards a
unified approach?
37
Aims
  • Outline the critical issues with Privacy and
    Security (P&S)
  • Establish what P&S covers in Health and
    Healthcare Services
  • Outline what has been happening with P&S in
    Australia and Internationally
  • Where does Trust fit in?
  • Discuss the way forward to an International
    approach

38
Establish what P&S covers in Health and
Healthcare Services
  • EHR
  • People
  • Prescriptions
  • Telehealth homecare
  • Are these all safety issues?