This document discusses using User-Managed Access (UMA) to protect personal data in an Internet of Things (IoT) network for a patient-centric use case. UMA allows an individual to control access to their personal data stored across different devices and systems. The summary describes a scenario where a patient's heart rate data collected from an electronic stethoscope is stored and the patient uses UMA to grant their doctor access to view the data. UMA provides a centralized authorization system to help empower individuals to manage access to their personal information distributed throughout an IoT network.

1. Protecting Personal Data in an IoT Network
with UMA
A Patient Centric use case
Domenico Catalano, Oracle Italy
Maciej Machulak, Cloud Identity Limited
Kantara Initiative Workshop 3rd Nov. 2014 - Dublin
1

2. Agenda
Personal Data in an IoT Network
Risks and Challenges about Personal Data
UMA Approach and Use case
Conclusion
Q&A
2

3. 3
With more than seven billion
people and businesses, and at
least 35 billion devices,
communicating, transacting,
and even negotiating with each
other, a new world comes into
being:
The World of
Digital
Business

4. Nike’s Digital Master
4
Nike’s Fuelband allows athletes to
track their workouts, share their
performance online, and even
receive an advice from digital
“coaches”. Meanwhile both social
media and digital products
provide Nike with rich data on
customers, their activities, and
their preferences.

5. Risks about Personal Data
“
5
Individual
Organization
Fully 78% of consumers
think it is hard to trust
companies when it
comes to use of their
personal data.”
Orange, The Future of Digital Trust, 2014
Individuals have little visibility into the practices of the
organizations they are putting their trust in – until their data
is breached or misused.

6. Challenges to Mitigate Risks
Unlocking the value of Personal Data: From Collection to Usage
New approaches for decentralized and distributed
network environment.
Who has data about you?
Where is the data about you located?
6
Protection and Security
Accountability
Right and Responsibility for using Personal Data
New approaches that help
individuals understand how
and when data is collected.
How the data is being
used and the implications
of these actions.
Empower individual
more effectively and
efficiently.
Context Aware
Source:World Economic Forum 2013 Report: Unlocking the Value of Personal Data: From Collection to Usage

7. Personal Data Management Services
A mapping of Market
Source: Word Economic Forum Report (2014): Rethinking Personal Data: A new lens for Strengthening Trust
7

8. User-Managed Access (UMA)
Concept and Terminology
8
UMA defines how to:
Protect resources
Authorize access
Enforce policy
A centralized Authorization
Server governs access
based on Individual Policy.

9. Ubiquitous Networking of IoT
9
TV
PC
PDA
Home Electronics
Vehicle
Sensors
Camera
Smart
Card
RFIDtag
Telematics
Navigation
Device
Home Server
Gateway
Medical
Device
Mobile
Device
Wearable
PC
Data, Resource,
Web/Application
Server, Content
Object-to-Object
Communication
Human-to-Human
Communication
Internet
Human-to-Object
Communication
Human with
Attached Device Objects
Source: Shaping Future Service Environments with the Cloud and Internet of Things: Networking Challenges and Service Evolution

10. A simplified IoT Taxonomy
Dumb Thing Intelligence Thing Smart Thing
10
Intelligence
Web-based Service
Context-awareness
End-to-End connectivity
Data handling and processing
capabilities
Real-time identification and
tracking of object Network capability
Context-aware
Connecting to anything
Tag-based

11. UMA for IoT Network
11
Smart
IoT Network
Intelligence Thing
Thing
Dumb
Thing

12. UMA for IoT Network
A patient-centric use case
12

13. Patient-Centric Use case
Actors and Roles
Intelligence Thing Smart Thing
13
Patient
Doctor
Electronic
Stethoscope
Client
Client
EHR
RS
Patient Monitor
RFIDtag

14. Patient-Centric Use case
Security Domains and Goals
14
Doctor’s Security
Domain
Patient’s Security
Domain
Hospital’s Security
Domain
Heartbeats
data
Control and
authorize
data sharing
EHR
Resource
Owner
Resource
Owner Requesting
Party
Prevent
unauthorized
object
connection

15. Patient-Centric scenario
UMA Features
Resource
Protection Authorization Patient Consent
15

16. Resource Protection
UMA Dynamic Registration
IoT Network
Electronic
Stethoscope
UMA Personal
Authorization Server
Secret
Patient
Monitor
RFIDtag
OAuth 2.0 Dynamic Client Registration Protocol 16
Day Hospital
Request
Patient Registration
Department
Doctor’s team
sw_stmt

17. UMA as Authorization
Mechanism for IoT
17

18. Authorization Flow
Authentication and Authorization in Constrained
Environment (ACE)
18
Resource
Server
Intelligence
Thing
UMA
Authorization
Server
AuthN
Manager
Authentication and
Authorization
http://tools.ietf.org/pdf/draft-gerdes-ace-actors-01.pdf
Policy
Department
Doctor’s team
Doctor Patient

19. Authorization Flow
Revealing Electronic Stethoscope
Pairing with
Electronic Stethoscope
Authorization Requested…
19

20. Authorization Flow
Authentication and Authorization
National Healthcare System
Authentication Process
Fingerprint
20

21. Creating a Protected Resource
Patient’s Data Association
Electronic Stethoscope
Data Uploading
21

22. New Protected Resource
Patient Notification
Personal UMA AS
Heartbeat data added as protected
resource
View Close
22
Patient

23. EHR Client Access and Patient Consent
UMA Flow
Protect with PAT
23
Heartbeats data
PAT: Permission Access Token
AAT: Authorization Access Token
RPT: Requesting Party Token
Patient
Resource Owner
Authorization
Server
Authorization API
EHR System
UMA Client
Protection API
manage
Consent
PAT
Access RPT AAT
with RPT
Client redirects the
Requesting Party to AS
Patient Monitor
Requesting Party IdP/Claim Provider
Claim Client
Authenticate
Request UserInfo
EHR: Electronic Healthcare Record
RS

24. Patient-Centric Platform
Healthcare Patient Platform
My Team My Day My Health Data
Add more 12.00 Lunch
24
Main Doctor
Dr. Alan Smith
Cardiologists
Dr. Peter Doole
Radiologist
Dr. Alice Gale
Hematologist
8.00-9.00 Cardio Therapy
About Me
Heartbeats
X-Ray
Electro Cardio
Graph
Mrs. Mary
Davidson, 72
Chat with a doctor
Ask
Share my data
Who has data about me
My Consent

25. Patient-Centric Platform
< Back Who has data about me: X-ray
25
Healthcare Patient Platform
Research
X-Ray
Medical Doctor
Radiology
Departiment
Diagnostic research
Biomedical
Saint James
Hospital
X-RAY Specialists
X-Ray Operators
Peter Doole
LifeScience
Hospital
Healthdata
Alice Gale
Hospitals

26. Advantages of UMA Approach
Applicable to
constrained
resources,
different nature of
things, data and
owners.
26
Designed for
centralising the
Authorization
process for
distributed
resources.
Developed to
meet the
Privacy By
Design
principles.

27. UMA for Patient-Centric Scenario
Benefits
• Improve Patient-centric Experience.
• Prevent medical errors through
authorization processes.
• Empower Patients on controlling their
Personal data (healthcare data).
27

28. Future Works
• Inheriting Data sharing policy
• Delegation with Notification
28

29. In the News
https://kantarainitiative.org/uma-takes-home-award-from-eic-2014/
29

30. Acknowledgements
• Eve Maler (Chair UMA WG), Adrian Gropper (Hearthurl), George
Fletcher (AOL)
• UMA Work Group
• User-Managed Access (UMA) Core Protocol
• OAuth 2.0 Dynamic Client Registration Protocol
• Securing Internet of Things
• Actors in the ACE Architecture
• Rethinking Personal Data: A New Lens for Strengthening Trust
30
References

31. Questions?
Thank you
@UMAWG
tinyurl.com/umawg |tinyurl.com/umafaq
31