Your SlideShare is downloading. ×
Using a Policy Spaces Auditor to Check for Temporal Inconsistencies in Healthcare Audit Log Files
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Using a Policy Spaces Auditor to Check for Temporal Inconsistencies in Healthcare Audit Log Files

170

Published on

The core tenet of the healthcare field is that care delivery comes first and nothing should interfere with it. Consequently, the access control mechanisms, used in healthcare to regulate and restrict …

The core tenet of the healthcare field is that care delivery comes first and nothing should interfere with it. Consequently, the access control mechanisms, used in healthcare to regulate and restrict the disclosure of data, are often bypassed, especially in emergency cases. This concept is called ‘break the glass’ (BtG) phenomenon and is common in healthcare organizations. Though useful and necessary in emergency situations, from a security perspective, it is an important system flaw. Malicious users can exploit the system by breaking the glass to gain unauthorized privileges and accesses. Also, as the proportion of system accesses that are BtG increases, it becomes easier for an attacker to hide in the crowd of the audit log. In this paper, we build upon existing work that defined policy spaces to help manage the impact of the break the glass phenomenon in healthcare systems. We present a system that enables the inference and discovery of facts that require further scrutiny. This significantly reduces the burden on the person investigating potentially suspicious activity in the audit logs of healthcare information systems.

Published in: Health & Medicine, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
170
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
0
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. USING A POLICY SPACES AUDITOR TO CHECK FOR TEMPORAL INCONSISTENCIES IN HEALTHCARE AUDIT LOG FILES Tyrone Grandison, Sean Thorpe LACCEI Symposium of Health Informatics in Latin America and the Caribbean 2013
  • 2. Outline  Motivation  Goal  Prior Work  Policy Spaces  Policy Evaluation Flow  System  Conclusion August 14th, 2013LACCEI Symposium of Health Informatics in Latin America and the Caribbean 2
  • 3. Motivation  Healthcare Core Tenet – Nothing interferes with care delivery.  Healthcare security controls are often bypassed.  Called „break the glass‟ (BtG).  Though useful and necessary in emergencies, it is a security hole.  Malicious users can gain unauthorized privileges & accesses by breaking the glass.  „Break the Glass‟ activity:  Is no longer the exception.  Is logged in healthcare audit files. August 14th, 2013LACCEI Symposium of Health Informatics in Latin America and the Caribbean 3
  • 4. Goal August 14th, 2013LACCEI Symposium of Health Informatics in Latin America and the Caribbean 4  Help to determine when Break the Glass is being abused Leverage prior work. Analyze audit logs to spot temporal inconsistencies. Bring them to the attention of the security team.
  • 5. Prior Work August 14th, 2013LACCEI Symposium of Health Informatics in Latin America and the Caribbean 5  Policy Coverage (Bhatti and Grandison, 2007).  Access Control policy should state what happens in the security system. Increase the coverage of policy by mining BtG requests in audit log.  Policy Spaces (Ardagna et al., 2008)  Builds on Bhatti and Grandison (2007) & defines model of audit log space.  Exception-based access control (Ardagna et al., 2010)  Creates a more rigorous model from Ardagna et. al. (2008).
  • 6. Policy Spaces August 14th, 2013LACCEI Symposium of Health Informatics in Latin America and the Caribbean 6  Authorized Accesses (P+).  Traditional access control policies.  Intuitively, P+ includes positive authorizations regulating „common practice‟.  Denied Accesses (P−).  Access control policies that are used to prevent abuses.  Policies in this space are meant to limit exceptions that can result in unauthorized accesses exploiting BtG.
  • 7. Policy Spaces August 14th, 2013LACCEI Symposium of Health Informatics in Latin America and the Caribbean 7  Planned Exceptions (EP).  Regulate access requests that do not fall into the normal routine.  i.e. exceptions that can be foreseen, for example, according to past observations.  Associated with, and indexed by, conditions on the context information  represented by attributes in exception space E and on dynamic information in the profiles (e.g., status of the patient), which are used to restrict their applicability.  Policies in EP cannot override policies in P−.  Unplanned Exceptions (EU).  Policies regulating all access requests not covered by the previous policy spaces (P+, P−, and EP).  Space EU is composed of two sub-spaces, denoted EU+ and EU-, respectively.  EU- enforces the deny-all default policy and is applicable to all requests that happen in non- emergency cases, when the enforcement of the BtG principle would be an abuse.  EU+ enforces the permit-all default policy and is applicable to all requests that happen in emergency situations, thus allowing all accesses not explicitly allowed or denied by policies in other spaces.  All the accesses falling in EU are inserted into an auditing log for a posteriori analysis.
  • 8. Policy Evaluation Flow August 14th, 2013LACCEI Symposium of Health Informatics in Latin America and the Caribbean 8
  • 9. System August 14th, 2013LACCEI Symposium of Health Informatics in Latin America and the Caribbean 9  Policy Spaces tool identifies log entries belonging to each space.  Our system (BtG policy space auditor) examines rules in EU.  Enables the health care system administrator, an auditor or a forensic user to specify a timeline and an unplanned exceptions (EU) set to be checked for temporal inconsistencies.  Uses  Happened-before relation  Implies an activity timeline.  Assumes a set of records stating when action occurred.  Simple logic
  • 10. System Use August 14th, 2013LACCEI Symposium of Health Informatics in Latin America and the Caribbean 10  Construct an audit log timeline  i.e. a sequence over the set of events  The BtG space log auditor is launched to evaluate all the events ordered by their timestamp.  If an event evta has a happened-before relation to evtb, but the audit kernel log timestamp (tb) of evtb suggests that evtb occurred before evta then ta and tb are inconsistent.
  • 11. Example August 14th, 2013LACCEI Symposium of Health Informatics in Latin America and the Caribbean 11  Event 1: A patient p must be admitted into the hospital before any other actions are.  Event 2: A healthcare practitioner x cannot prescribe medication for patient p before they have been checked in.  If a prescription event evtb occurs, the check-in event evta must happen before it, and evtb must happen before the check-out event evtc.  The physical time tc at which the event evtc must have occurred must be after the physical time tb at which the event evtb must have occurred, which must in turn be after the physical time ta at which the event evta must have occurred.
  • 12. Conclusion August 14th, 2013LACCEI Symposium of Health Informatics in Latin America and the Caribbean 12  Breaking the Glass is a necessary evil.  Policy Spaces streamlines and optimizes the different types of healthcare security requests.  Leveraging Policy Spaces and a rule-based auditing tool, it is possible to easily detect suspicious activity.  We present temporal inconsistencies.  However, we expect to explore a range of other inconsistencies.
  • 13. THANK YOU August 14th, 2013 13 LACCEI Symposium of Health Informatics in Latin America and the Caribbean
  • 14. BACKUP August 14th, 2013 14 LACCEI Symposium of Health Informatics in Latin America and the Caribbean
  • 15. References August 14th, 2013LACCEI Symposium of Health Informatics in Latin America and the Caribbean 15  Ardagna, C. A., De Capitani di Vimercati, S., Foresti, S., Grandison, T. W., Jajodia, S., and Samarati, P. (2010).“Access control for smarter healthcare using policy spaces”. Computers & Security, 29(8), 848-858.  Ardagna, C. A., di Vimercati, S. D. C., Grandison, T., Jajodia, S., and Samarati, P. (2008).“Regulating exceptions in healthcare using policy spaces”. In Data and Applications Security XXII (pp. 254-267). Springer Berlin Heidelberg.  Bhatti, R., and Grandison, T. (2007). “Towards improved privacy policy coverage in healthcare using policy refinement”. In Secure Data Management (pp. 158-173).Springer Berlin Heidelberg.  Grandison, T., and Davis, J. (2007). “The impact of industry constraints on model-driven data disclosure controls”, In Proc. of the 1st International Workshop on Model-Based Trustworthy Health Information Systems, Nashville, Tennessee, USA.  Rostad, L., and Edsberg, O. (2006). “A study of access control requirements for healthcare systems based on audit trails from access logs”, in: Proc. of the 22ndAnnual Computer Security Applications Conference, Miami Beach, Florida, USA.  Thorpe, S., Ray, I., Grandison, T., Barbir, A., France, R. (2013). “Hypervisor Event Logs as a Source of Consistent Virtual Machine Evidence for Forensic Cloud Investigations”, in: Proc. Of the 27th Annual IFIP WG11.3 Working Conference on Data Security and Privacy(DBSEC), Newark, New Jersey, USA.  Gladyshev, P., and Patel, A. (2005). “Formalizing event time bounding in digital investigations,” International Journal of Digital Evidence. Vol. 4.

×