Encryption and Trusted Base Cluster

Cluster Leader: Avi Rubin

Goal: developing a resilient foundation for sharing health information.

Overview of Contributions
One key change in healthcare is the emergence of many options for how to store and share health information. Health Information Exchanges (HIEs) are a good example. These are infrastructure systems for passing patient records between institutions, primarily to support patient care by facilitating ready access to the records at the point of care. Hospitals and other healthcare providers must decide whether to participate in these systems and, if they do, face the question of how participation influences the trusted base of the provider. That is, they must decide which systems are their responsibility to secure and which systems must be trusted. Efforts like the Integrating the Healthcare Enterprise (IHE) standards body work on topics like the scope of the trusted base of HIEs and how responsibility for securing the system can be shared with participating providers.

Another good example of a shift in trusted base is the rise of mobile health (mHealth) devices, which can be broadly classified as “provider facing” and “patient facing” depending on whether the device is used by a provider (like a nurse or physician) or by a patient (like a fitness device or vitals device for home measurements). Providers must decide which parts of a system that uses mHealth are part of their trusted base. For instance, a provider cell phone is outside the trusted base if it is used for personal purposes only, but if it also displays records from the EMR then it becomes part of the trusted base that includes the EMR.

A key strategy for managing the trusted base of a system is encryption. A classic example is routing on the Internet: in order to avoid including routers in the trusted base of an enterprise (at least for integrity and confidentiality), messages are encrypted end-to-end, usually with transport security like the TLS protocol. There are many ways in which healthcare systems can benefit from encryption as part of their management of trusted base. For instance, encrypting patient records if they are stored on a cell phone mitigates the risk of the loss of the cell phone. While there has been considerable progress on the use of encryption for healthcare data “in flight”, that is, on network links, there has been less progress on its use for data “at rest”. Moreover, there has been less uptake of novel ways to use encryption with either of these types of data.

Projects:
The Encryption and Trusted Base Cluster comprises five projects that study various aspects of encryption and how it can be used to manage trusted base.

  1. CHARM is the primary project in this cluster. It developed a framework for applying the next generation of cryptographic techniques. The package is called CHARM-crypto (or just CHARM) and supports 52 cryptographic schemes. CHARM has supported many of the encryption and authentication protocols used in SHARPS. CHARM is free and open source and has been useful to a broad community with over 1000 downloads. The CHARM system runs on servers, personal computers, and Android mobiles.

  2. FACE TO FACE CRYPTOGRAPHY FOR STDS pursued a study of how one can use face-to-face meetings enabled by mobile devices to improve security and privacy for the exchange of sensitive information like Sexually Transmitted Disease (STD) status. The project developed protocols for anonymity that could be used to perform functions similar to inSPOT.org’s STD notification system.

  3. AUTOMATIC GENERATION OF EXECUTABLES developed techniques to provide automatic code generation and verification to improve the quality of cryptographic code such as that included in CHARM. The project developed systems for batch verification of signature schemes, cloud-based decryption, and automatic optimization of encryption and signature schemes.

  4. SECURE PORTAL FOR NETWORKING HEALTH collaborated with Networking Health, a healthcare provider in the Baltimore area, to develop a patient portal for access to their OpenMRS system at their clinics. The novel aspect of this work was exploring Knowledge Based Authentication (KBA) as a way to secure the identification of users who might have trouble keeping tokens or remembering passwords. KBA is similar to the ubiquitous security questions used in password recovery but makes additional use of the specific data of the user to frame questions.

  5. OBLIVIOUS ACCESS TO EHRS aimed to apply oblivious access to EMR records. Oblivious access enables users to access records while hiding what part of the record is being accessed from an untrusted server. After some preliminary explorations, this project was de-emphasized to provide more time for other projects thought to have more potential.