Team for Research in Ubiquitous Secure Technology

Declarative privacy policy: finite models and attribute-based encryption
Peifung E. Lam, John C. Mitchell, Andre Scedrov, Sharada Sundaram, Frank Wang

Citation
Peifung E. Lam, John C. Mitchell, Andre Scedrov, Sharada Sundaram, Frank Wang. "Declarative privacy policy: finite models and attribute-based encryption". Proceedings of the 2nd ACM SIGHIT International Health Informatics Symposium (IHI'12), 2012.

Abstract
Regulations and policies regarding Electronic Health Information (EHI) are increasingly complex. Federal and State policy makers have called for both education to increase stakeholder understanding of complex policies and improved systems that impose policy restrictions on access and transmission of EHI. Building on prior work formalizing privacy laws as logic programs, we prove that for any privacy policy that conforms to patterns evident in HIPAA, there exists a finite representative hospital database that illustrates how the law applies in all possible hospitals. This representative illustrative example can support new education, new policy development, and new policy debugging tools. Addressing the need for secure transmission of usable EHI, we show how policy formalized as a logic program can also be used to automatically generate a form of access control policy used in Attribute-Based Encryption (ABE). This approach, testable using our representative hospital model, makes it possible to share policy-encrypted data on untrusted cloud servers, or send strategically encrypted data across potentially insecure networks. As part of our study, we built a prototype to secure Health Information Exchange (HIE), with automatically generated ABE policies, and measure its performance.

Citation formats  
  • HTML
    Peifung E. Lam, John C. Mitchell, Andre Scedrov, Sharada
    Sundaram, Frank Wang. <a
    href="http://www.truststc.org/pubs/890.html"
    >Declarative privacy policy: finite models and
    attribute-based encryption</a>, Proceedings of the 2nd
    ACM SIGHIT International Health Informatics Symposium
    (IHI'12), 2012.
  • Plain text
    Peifung E. Lam, John C. Mitchell, Andre Scedrov, Sharada
    Sundaram, Frank Wang. "Declarative privacy policy:
    finite models and attribute-based encryption".
    Proceedings of the 2nd ACM SIGHIT International Health
    Informatics Symposium (IHI'12), 2012.
  • BibTeX
    @inproceedings{LamMitchellScedrovsundaramWang12_DeclarativePrivacyPolicyFiniteModelsAttributebased,
        author = {Peifung E. Lam and John C. Mitchell and Andre
                  Scedrov and Sharada Sundaram and Frank Wang},
        title = {Declarative privacy policy: finite models and
                  attribute-based encryption},
        booktitle = {Proceedings of the 2nd ACM SIGHIT International
                  Health Informatics Symposium (IHI'12)},
        year = {2012},
        abstract = {Regulations and policies regarding Electronic
                  Health Information (EHI) are increasingly complex.
                  Federal and State policy makers have called for
                  both education to increase stakeholder
                  understanding of complex policies and improved
                  systems that impose policy restrictions on access
                  and transmission of EHI. Building on prior work
                  formalizing privacy laws as logic programs, we
                  prove that for any privacy policy that conforms to
                  patterns evident in HIPAA, there exists a finite
                  representative hospital database that illustrates
                  how the law applies in all possible hospitals.
                  This representative illustrative example can
                  support new education, new policy development, and
                  new policy debugging tools. Addressing the need
                  for secure transmission of usable EHI, we show how
                  policy formalized as a logic program can also be
                  used to automatically generate a form of access
                  control policy used in Attribute-Based Encryption
                  (ABE). This approach, testable using our
                  representative hospital model, makes it possible
                  to share policy-encrypted data on untrusted cloud
                  servers, or send strategically encrypted data
                  across potentially insecure networks. As part of
                  our study, we built a prototype to secure Health
                  Information Exchange (HIE), with automatically
                  generated ABE policies, and measure its
                  performance.},
        URL = {http://www.truststc.org/pubs/890.html}
    }
    

Posted by Mary Stewart on 4 Apr 2012.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.