Current Research
This page summarizes some of the more interesting challenges related to security and privacy that we are currently focusing on. The intent is both to explain the nature of the problems and, where possible, to suggest or recommend ways to address them.
Maintaining Privacy Protection in Information Exchanges
One of the primary obstacles to widespread adoption of electronic health records is agreeing on appropriate privacy protections for the personal information contained in medical records. Much of the current debate centers on what classes of data must be protected, how they should be protected, and under whose control. Special challenges exist where different stewards and users of health records (e.g., federal government agencies, health care providers, state public health agencies, private companies) are subject to different privacy and security rules and regulations. Organizations with relatively stringent privacy requirements are understandably reluctant to share data with others subject to less rigorous requirements. Complicating this issue is the fact that the primary means of enforcing privacy requirements is manual auditing for compliance with legal constructs or contractual agreements. The lack of automated technical means of enforcing or monitoring compliance with privacy rules means that enforcement of any new health IT privacy standards must rely on non-technical means. If the experience with HIPAA enforcement is any guide, the rules put in place for maintaining privacy of electronic health records should include more severe penalties for failure to comply and, where feasible, should seek to augment manual monitoring and auditing methods with technical measures, such as tagging data with privacy requirement information and using policy evaluation and enforcement tools to validate that the provision and use of that data comply with the requirements.
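The last sentence above sketches a technical measure: attach privacy-requirement tags to the data itself and let a policy evaluator decide, and record, whether a given recipient may receive it. The following is an added illustration of that idea, not code from this page or from any project it describes. The tag names, control names, purposes, recipients and records are constructed for the example and are not drawn from HIPAA or any other regulation.

```python
"""Added example, not from the original page: records tagged with privacy-handling
requirements and a policy evaluator that checks a recipient's attested controls and
stated purpose before release. Tag names, control names, purposes and sample
records below are constructed for illustration, not taken from any regulation."""
from dataclasses import dataclass

# Constructed policy: each tag names the controls a recipient must attest to and the
# purposes for which the data may be used (None = any purpose). A record carrying
# several tags must satisfy all of them, so the most restrictive tag governs.
TAG_POLICY = {
    "PHI": {"controls": {"encrypt_at_rest", "access_logging"},
            "purposes": {"treatment", "payment", "public_health"}},
    "SUBSTANCE_USE": {"controls": {"encrypt_at_rest", "access_logging", "no_redisclosure"},
                      "purposes": {"treatment"}},
    "DEIDENTIFIED": {"controls": set(), "purposes": None},
}


@dataclass(frozen=True)
class Record:
    record_id: str
    tags: frozenset  # privacy requirements attached to the data itself


@dataclass(frozen=True)
class Recipient:
    name: str
    attested_controls: frozenset  # controls the recipient has attested to, e.g. in a sharing agreement
    purpose: str


@dataclass(frozen=True)
class Decision:
    record_id: str
    recipient: str
    allowed: bool
    reasons: tuple  # empty when allowed; otherwise one entry per unmet requirement


def evaluate(record, recipient):
    """Policy evaluation: deny unless every tag's control and purpose constraints are met."""
    reasons = []
    for tag in sorted(record.tags):
        rule = TAG_POLICY.get(tag)
        if rule is None:
            reasons.append(f"{tag}: unknown tag, default deny")
            continue
        missing = rule["controls"] - set(recipient.attested_controls)
        if missing:
            reasons.append(f"{tag}: recipient lacks controls {sorted(missing)}")
        if rule["purposes"] is not None and recipient.purpose not in rule["purposes"]:
            reasons.append(f"{tag}: purpose '{recipient.purpose}' not permitted")
    return Decision(record.record_id, recipient.name, not reasons, tuple(reasons))


def release(records, recipient):
    """Policy enforcement: return the ids that may be released plus an audit trail of
    every decision, so compliance can be checked mechanically rather than by manual review."""
    decisions = [evaluate(r, recipient) for r in records]
    released = [d.record_id for d in decisions if d.allowed]
    return released, decisions


# Constructed sample data.
SAMPLE_RECORDS = [
    Record("rec-1", frozenset({"PHI"})),
    Record("rec-2", frozenset({"PHI", "SUBSTANCE_USE"})),
    Record("rec-3", frozenset({"DEIDENTIFIED"})),
]
COUNTY_HEALTH = Recipient("county_health", frozenset({"encrypt_at_rest", "access_logging"}), "public_health")
ANALYTICS_VENDOR = Recipient("analytics_vendor", frozenset({"access_logging"}), "marketing")

if __name__ == "__main__":
    for recipient in (COUNTY_HEALTH, ANALYTICS_VENDOR):
        released, decisions = release(SAMPLE_RECORDS, recipient)
        print(recipient.name, "released:", released)
        for d in decisions:
            if not d.allowed:
                print("  denied", d.record_id, "->", "; ".join(d.reasons))
```

Two design points matter here. The decision is default-deny: an unrecognised tag, a missing control, or an unlisted purpose each blocks release, so a record tagged for a stricter regime never flows to a partner that only meets the weaker one. And every decision, allowed or denied, is returned as a structured audit record, which is what lets an automated monitor replace part of the manual compliance audit the text describes.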
Trust Management Among Organizations
Trust has long been an important topic in organizational theory, where the emphasis is on the need to engender trust among key organizational stakeholders in order to operate businesses more effectively. In the information age, where data sharing, information exchange, and interoperability are among the primary goals, trust (and distrust) among organizations is a key factor. Our initial thinking on this topic centers on the creation and maintenance of trust relationships, which, as nicely described in NIST's draft Special Publication 800-39, can be established either authoritatively or through negotiation:
In the authoritative approach, an organization with appropriate authority establishes the essential conditions for trust. The authoritative organization initially: (i) identifies the goals and objectives for the provision of services/information or the participation in information sharing activities; (ii) determines the risk associated with the provision of such services/information or the information sharing activities; (iii) establishes the degree of trustworthiness of the information systems providing the services/information or supporting the information sharing operations; and (iv) determines how compliance to the trust requirements is demonstrated and measured. Once established, the trust relationship can continue as long as the information system trustworthiness remains unchanged and the organizational risk remains acceptable.
When a single authoritative organization does not exist over the organizations desiring to share information or to use services/information from external providers, or when such an organization might exist but is not willing or able to accept the risks to be incurred or to be accountable for risk management decisions, an alternative approach for developing trust relationships may be in order. The alternative, negotiated approach establishes trust through agreements among potential partners and relies on negotiating the provisions for the elements of trust among those partners. In developing negotiated trust relationships, there must be explicit agreement on all elements of trust including the identification of goals and objectives for the provision of services/information or information sharing, the associated risk in conducting those activities, the trustworthiness for information systems involved in the partnership, how trustworthiness is to be demonstrated and measured, and how the trust relationship is to be maintained over time. The objective is to achieve a sufficient understanding of the partner’s information security programs and information systems in order to establish and maintain an environment conducive to information sharing or to obtaining services/information.
Trust relationships depend on the specific actions taken by the participating/cooperating partners to provide appropriate security controls for the information systems supporting the partnerships and the evidence needed to demonstrate that the controls have been implemented as intended. This evidence can include, for example, security plans (including risk assessments), security assessment reports, plans of action and milestones, or any other information that the organization can produce to demonstrate the trustworthiness of its information systems (NIST SP800-39, pp. 17-18).
One area of particular interest for investigation is the potential for building trust frameworks, implementable through technical means, as an alternative to the predominantly legal approaches seen in contexts such as international data sharing (safe harbor program between the U.S. and the European Union) and health information technology.
Integrity Assertion
All conventional treatments (and indeed most definitions) of data integrity in general and message integrity in particular consider only threats to integrity during transit – that is, whether the message as received is the same as the message when sent. This problem space is tangentially related to a class of fault-tolerance techniques intended to address "Byzantine failures", so-called because of their reference to the Byzantine Generals Problem first described by Lamport, Shostak, and Pease in 1982. The Byzantine Generals Problem considers ways to ensure system (or decision-maker) reliability when neither message sources nor communication channels can be trusted. This model specifically focuses on communication among multiple participating nodes, but it has relevance for contemporary data integration patterns that bring data from multiple sources into a single point of aggregation. In a distributed system that performs calculations, reporting, or analysis on data aggregated from multiple sources, errors or inaccuracies in some of the data can invalidate the aggregate and any results produced with it. This translates into a need both for effective protective measures for stored data and for a means by which transmitting entities can determine the accuracy of the data they hold and provide an assertion of the data's validity when it is transmitted to another entity. While there are many procedural and technical controls designed to protect the integrity of data at rest, the ability to first establish and then assert data validity is a problem with no current solution, making it a good topic for further investigation.
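The distinction drawn above, between integrity in transit and an assertion of validity, is easy to see in code. The following added example (not code from this page or its authors) builds a small aggregator that receives the same datum from several sources. Each source binds its payload and a self-reported validity assertion with an HMAC; the aggregator checks the MAC (transit integrity), requires the assertion, and then requires agreement among a quorum of independent sources. The point of the scenario is that a source whose stored copy was corrupted before sending passes every transit check, and only the cross-source comparison flags it. Source names, keys, values and the assertion fields are constructed for the example.

```python
"""Added example, not from the original page: transit integrity (HMAC) versus an
assertion of data validity at an aggregation point. Sources, keys, payloads and
assertion fields are constructed for illustration."""
import hashlib
import hmac
import json

# Constructed per-source keys shared with the aggregator (provisioned out of band in practice).
SOURCE_KEYS = {"clinic_a": b"key-a", "clinic_b": b"key-b", "clinic_c": b"key-c"}


def canonical(obj):
    """Deterministic JSON encoding so the MAC covers exactly the bytes both sides see."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def send(source, payload, assertion):
    """A source packages its payload, a validity assertion describing what it checked,
    and a MAC over both. This protects the message in transit; it says nothing about
    whether the payload was correct when it left the source."""
    body = {"source": source, "payload": payload, "assertion": assertion}
    mac = hmac.new(SOURCE_KEYS[source], canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def verify_transit(msg):
    """Transit integrity only: the message is byte-for-byte what the named source sent."""
    key = SOURCE_KEYS.get(msg["body"]["source"])
    if key is None:
        return False
    expected = hmac.new(key, canonical(msg["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["mac"])


def aggregate(messages, quorum=2):
    """Accept a value only if (1) its message passed the transit check, (2) the source
    asserted it validated the data, and (3) at least `quorum` distinct sources agree.
    Returns a report: the agreed payload (or None), rejected messages, disputed sources."""
    report = {"agreed": None, "rejected": [], "disputed": []}
    votes = {}  # canonical payload -> set of sources reporting it
    for m in messages:
        src = m["body"]["source"]
        if not verify_transit(m):
            report["rejected"].append((src, "transit integrity check failed"))
            continue
        if not m["body"]["assertion"].get("validated"):
            report["rejected"].append((src, "source did not assert validity"))
            continue
        votes.setdefault(canonical(m["body"]["payload"]), set()).add(src)
    ranked = sorted(votes.items(), key=lambda kv: len(kv[1]), reverse=True)
    if ranked and len(ranked[0][1]) >= quorum:
        report["agreed"] = json.loads(ranked[0][0])
        for _, sources in ranked[1:]:
            report["disputed"].extend(sorted(sources))
    else:
        for _, sources in ranked:
            report["disputed"].extend(sorted(sources))
    return report


def demo():
    """Constructed scenario: two honest sources, one source with a corrupted stored
    copy, and one message altered in transit."""
    payload_ok = {"patient_ref": "p-1", "hba1c": 7.2}
    checked = {"validated": True, "method": "dual-entry check"}
    good_a = send("clinic_a", payload_ok, checked)
    good_b = send("clinic_b", payload_ok, checked)
    # clinic_c's stored copy was corrupted before sending: its MAC is valid, so every
    # transit check passes, yet the value is wrong.
    corrupt_c = send("clinic_c", {"patient_ref": "p-1", "hba1c": 72.0}, checked)
    # A copy of clinic_b's message modified after sending: the MAC no longer matches.
    tampered = json.loads(json.dumps(good_b))
    tampered["body"]["payload"]["hba1c"] = 9.9
    return aggregate([good_a, good_b, corrupt_c, tampered])


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In the run, the tampered message is rejected by the MAC check, while clinic_c's corrupted value sails through the same check and is caught only because two other sources disagree with it. Quorum agreement is a crude stand-in for the validity assertion the text calls for: it needs redundant sources, and it cannot tell an honest disagreement from a corrupted one, which is why the page treats establishing and asserting validity as an open problem rather than a solved one.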