New Format for PET

Privacy Enhancing Technologies (PET) will now accept submissions year-round and publish them in a new journal called Proceedings of PET (PoPET). Accepted papers will be invited for presentation at their usual summer symposium. See for more information. This format means that papers can be submitted to the meeting when they are ready rather than possibly waiting many months for a conference deadline or submitting to a less appropriate forum. It also helps students who are concerned about submitting to journals because they will not get a chance to present the work in a meeting or a perception that journals are less helpful on their CV than conferences. PET will now be both at the same time.

Accountable Systems Workshop

I was pleased last Thursday (January 29) to participate in the Workshop on Accountability at MIT. The general idea with the event was to focus on the distinction in cyber-security between developing protections that prevent policy violations or attacks versus developing ways to hold parties accountable for these things. When we think of typical legal frameworks they focus heavily on defining rules, expecting people to follow them, and then punishing them if they do not. For cyber-security the focus is often instead on prevention. Perhaps this is not always the best path; perhaps accountability can be cheaper, simpler, and adequately effective. The general issue is well-articulated in this CACM Article from 2008.

There was an interesting group on hand to discuss the matter. Here is the web page for the meeting. In addition to academics like myself there were some folks speaking on accountability and compliance at organizations such as NSA (John DeLong) and Facebook (Maritza Johnson). For instance, Maritza urged us to have a look at the Ireland Data Commissioner Audit Review of Facebook, a document that provides interesting insight in to privacy policies at Facebook.

I spoke on the topic of audit controls at hospitals in a session with Brad Malin (Vanderbilt) and Maya Bernstein (HHS). Here are my slides, which focus on the Random Object Access Model (ROAM) and how it might be used to validate audit log analytic systems.

I came away from the meeting with at least a new joke I learned from John DeLong. Here’s a version I’ve edited a little (to make the engineer look good):

A compliance officer, a lawyer, and an engineer are meeting to review the compliance of a device required to fill a glass with water. They test the device and find that it only fills the glass halfway.

The compliance officer is deeply concerned and says “This is a bad thing. We should inform the regulating authority immediately and tell management we will need to pay fines.”

The lawyer responds “This is not a problem. Did the regulations specify that the glass needs to be filled `to the top’? We should report that we are complaint.”

The engineer enters the discussion and says “No, no, the two of you are missing the point. This is a good thing. We should tell management we can save money since the glasses we have been buying are apparently twice as large as they need to be.”

I think there is a good learning point here about the need to avoid compliance rules that create too much negative energy or are met with cynical disregard for their meaning or inspire unanticipated distortions in the regulated entity.


AMIA ’13 Featured Presentation on SHARP

It was enjoyable to join my four fellow directors on November 18, 2013 in a Featured Presentation at AMIA entitled The SHARP Program and the Next Generation of Health Information Technology. Chuck Friedman, whose efforts at HHS ONC created the SHARP program, moderated the session. We had about 5 minutes each to present our 4 year projects. This caused some run-overs and a lot of need to keep the discussion high-level, but it was still a good overview of the project as a whole even with its broad scope. Folks were invited to see more details about the projects using dedicated web pages we created for AMIA participants.

After our initial presentations, we settled in on some questions about the future of health information technology beyond SHARP, which ends for the primary ONC programs in March of 2014. A consensus of the panel was the need for more openness for data and platforms and more protections for security, privacy, and safety. To enable this we need more standardization and greater attention to quality and usability. Many of the trends in health IT are indeed headed in this direction. One can already see gains from the SHARP research and how they aid progress in standards bodies, regulatory agencies, and vendors. Personally I hope to see some fruit from these trends in our impending work on the NSF Frontier project Trustworthy Health and Wellness (THaW) which involves a substantial part of the SHARPS team.


Six Research Challenges for the Security and Privacy of Health Information Technology

Health Information Technology (HIT)has the potential to improve the health of individuals of all ages, aid medical research, and reduce the costs of delivering healthcare, but its effective use and acceptance by the public and healthcare professionals depend on employing proper protections for the security and privacy of health information. While considerable progress can be made by applying current best practices for managing data, there are a number of areas specific to HIT where more research is needed to provide technology to support better practices. At least six key areas need to be addressed by the security and privacy research community: (1) access controls and audit, (2) encryption and trusted base, (3) automated policy, (4) mobile health (mHealth), (5) identification and authentication, and (6) data segmentation and de-identification.

(1) Access Controls and Audit. Workflows at Health Care Organizations (HCOs) are complex and safety critical; this makes it difficult to achieve least privilege in assigning access to HCO personnel. HCOs react to this by allowing broad access and relying on accountability and education to control insider threats. These strategies can be augmented by auditing computer records; this is currently done largely in reaction to specific complaints. These procedures are increasingly inadequate because they do not scale to developments like broader sharing of records in Health Information Exchanges (HIEs) or to emerging threats like large-scale fraud. Research is needed to provide better automation so that large volumes of records can be examined by computer algorithms that are thorough and flexible enough to learn and infer threats quickly and feed experience from operational behavior back into preventative measures. HCOs can begin this process by learning from other areas such as the financial services sector (credit card fraud detection) and messaging (spam detection) while addressing issues specific to healthcare, such as the potentially high cost of a mistaken denial of access.

(2) Encryption and Trusted Base. HCOs are struggling with rapid changes in the systems they need to secure. Early HCO computing systems used mainframe computers that could be accessed from terminals located in a hospital facility. This trusted base was relatively easy to secure until the Internet offered remote access, but standard enterprise protections such as firewalls were accepted as being sufficiently effective. Now the situation is increasingly complicated by technology changes such as: Bring Your Own Device (BYOD) arrangements in which HCO employees put sensitive data on their own cell phones and tablets, the use of cloud services in which Electronic Health Records (EHRs) are held by third parties, participation in HIE systems that move data between a changing collection of HCOs, and the deployment of patient portals, which provide a new attack surface for access to the EHR. Encryption is a powerful tool for addressing challenges with trusted base. For instance, if the data stored on a lost laptop or maintained by a compromised cloud service is encrypted, the threat of a privacy compromise is greatly reduced. Research is needed to make such strategies efficient and convenient enough to enable their universal deployment, particularly to protect data at rest (that is, in storage). These problems and the required solutions also apply to secondary use data for medical research or public health. Another area of concern is the rise of Advanced Persistent Threats (APTs), which entail sophisticated attacks, possibly supported by foreign governments. While these attacks do not currently target EHRs, they are creating significant levels of collateral damage to EHR systems, especially when such systems are attached to certain types of targets like government and university networks.

(3) Automated Policy. A key challenge faced by many HCOs is the need to share EHRs securely though HIEs such as those being set up by many states and regions, and the need to share them though rapidly evolving partnerships with various business associates. Current techniques are too informal and manual to provide the desired efficiency and convenience. For instance, if it is necessary to get an attorney to review each interstate data exchange, then a high level of exchange of EHR data will lead to a high level of expense (and delayed access). Enabling computers to settle policy decisions automatically can lead to reduced costs, improved care (though timely information exchange), and better support for secondary use of data. Research is needed to determine reliable ways to express policies. We also require strategies to integrate and enforce formally expressed policies into common HCO and HIE information architectures. Such advances will touch on other important areas like legal and medical ontologies and will inform the development of legal codes and consent management in the future.

(4) Mobile Health (mHealth). Mobile devices, including intelligent medical implants, cell phones that sense and process health data, and a variety of new types of sensors and actuators that can be worn on the body, are creating a changing landscape for managing health information. Data are collected everywhere, not just in an HCO facility, and are collected by just about everyone, not just HIPAA-compliant HCOs. Participants include HCOs and patients themselves together with large and small companies that specialize in health guidance, sensor hardware, information technology, communications, and other areas. This diversity, the pervasiveness of the information collection, and the rapid rate of technology and regulatory change in this area raise security and privacy concerns that range from modest risks to the privacy of activity data (like data collected by a pedometer) to safety-critcal risks (like the integrity of software in an insulin pump). These changes have also blurred the distinction between areas like medical devices and the EHR, with corresponding overlaps between government regulatory agencies. Research is needed to determine threats and requirements and ‘safe rules of the road’ such as proper procedures for securing device software and the way data are handled by the intermediaries that stand between the EHR and patients using mobile health devices.

(5) Identification and Authentication. A long-standing problem in healthcare delivery is the risk of mis-identifying a patient. Mis-identifications cost lives, but procedures to reduce this risk are often cumbersome and may impede effective sharing of data between institutions. In addition to the problem of identification there is an emerging problem with authentication, that is, in proving identity. Inadequate authentifcation procedures are exploited by attacks like medical identity theft. Increasing use of computer-based access diminishes traditional mechanisms of authentication like face-to-face meetings between individuals who know each other personally. This problem will become worse with the deployment of HIEs, which greatly increase the pool of people for whom identification and authentication are required within a single system. While some of the problems in this area are non-technical policy concerns and many issues will be sufficiently addressed by broader Public Key Infrastructure (PKI), there is also a need for novel contributions. What is especially needed is a ‘science of identification and authentication’ in which studies that involve the full gamut of regulatory, human factor, cryptographic, computer system, and other relevant considerations are subjected to analysis so that meaningful progress can be made and measured. Current research in this area needs to be expanded and integrated with operational approaches, most of which have not improved substantially for a long period of time. There is also a need to consider the special risks and circumstances of the healthcare sector; for instance, methods that work for employees may not be practical for patients.

(6) Data Segmentation and De-Identification. It is widely recognized by both HCOs and government regulators that patients feel that some types of health data are especially sensitive. Examples include records related to mental health, drug abuse, genetics, sexually transmitted diseases, and more. When health data is shared, there is a desire to transmit this information only when it is necessary. For example, a provider who needs immunization records may not need to see mental health notes. Interest in how to perform this kind of data segmentation has intensified with the growth of HCOs and the introduction of HIEs. However, there is little understanding of exactly how this type of segmentation can deliver meaningful privacy with acceptable impact on the safety and quality of care. Vendor products that claim to segment data may mislead patients and caregivers if they are poorly designed. A technology closely related to data segmentation is de-identification, wherein records are transformed so it is difficult to determine whether a given record is associated with a given individual. The data segmentation problem needs some of the rigor that has been applied to the de-identification problem. In particular, we require ways to measure the tradeoffs between privacy, safety, and quality. These measures should be used to determine tradeoffs for specific segmentation technologies. The de-identification problem itself also faces new challenges such as how to protect privacy of genomic data. New techniques are emerging in this area, but new research is required to determine information flows and privacy risks and to design sufficiently efficient protective measures.

Acknowledgement. This position paper draws heavily on ideas in the Strategic Health Advanced Research Projects on Security (SHARPS) ( funded by the Office of the National Coordinator for Health Information Technology in the Department of Health and Human Services. However, the opinions offered are those of the author only. This is an abstract from the following work published as an expert report by the OECD in their report on information and communication technologies and the health sector:

Integrity Aware Architectures

Remote attestation provides a capability to query systems to determine if they are running trusted software or firmware. New technologies for integrity aware architectures provide the low level support to implement such integrity measures on a wide range of systems, including embedded processors.

Technologies like the Trusted Platform Module (TPM) enable remote attestation, but rely on a dedicated co-processor to perform the necessary integrity assumptions. Applications like Advanced Meter Infrastructure (AMI) in which electric power meters contain computers, communicate over digital networks, and are able to accept remote software updates, cannot easily provide remote attestation based on TPMs because of constraints like the cost of having a co-processor, which are considered excessive for this type of embedded processor application. However, advances in the design of security kernels and processors can address these challenges effectively.

Michael LeMay, a PhD student at the University of Illinois, has demonstrated a series of strategies for providing integrity guarantees based on technologies ranging from mote-sized coprocessors to compact software kernels to new hardware that supports integrity functions directly. The first work along these lines showed, for the first time, how to use security technologies to address the challenge of privacy for AMI. The idea was to use a TPM to assure integrity of the calculations on the meter so that demand response calculations could be done there as opposed to sending potentially sensitive data back to the meter data management agency. Utility companies that saw this work were generally accepting of the basic idea of giving them an integrity assurance for the software while keeping the data on the meter for privacy protections, but were skeptical of the use of the TPM. A second generation of work showed how similar assurances could be obtained with an inexpensive co-processor, and then, in a third generation of effort, how it could be done by implementing an integrity kernel on processors with a basic memory protection unit. A fourth generation of effort, embodied in LeMay’s dissertation, showed how features like the architectural support for the integrity aware kernel could be generalized to an integrity aware architecture in which the hardware is designed to explicitly support integrity functions in a compact set of extensions.

Dr. LeMay defended his dissertation in June of 2011. Here is a link to his home page.













Steps Toward Nationwide Health Information Exchange

The PCAST workgroup made its report to the HITPC and HITSC committees of the ONC.  The workgroup felt that the PCAST report provides a compelling vision that could be an important aspect of the learning healthcare system, notes that major policy and operational issues need to be addressed in the proposed technology, and urges that large operational tests are needed to resolve the policy and feasibility concerns.  Here is the report:

Assuring Robustness of Radio Spectrum Telemetry

Cognitive radios offer ways to better exploit unused radio spectrum if accurate spectrum availability data can be obtained.  Techniques based on signal propagation analysis and machine learning can limit the risks arising from bad spectrum data provided by malicious parties.

Recently the FCC has authorized the use of unused “white spaces” in the radio spectrum.  There are two primary strategies for determining whether spectrum is unused.  One of these is to produce a map of the geographic locations and frequencies that are claimed to be in use; the other is to use sensing technology in cognitive radios to collect reports dynamically.  The latter has some notable advantages, including the ability to do crowdsourcing of radio telemetry in which all willing sensors contribute data.  However, this type of data collection must be robust against malicious nodes that might vandalize spectrum by falsely reporting that it is not in use or exploit spectrum by falsely reporting that it is in use.

A University of Illinois PhD student, Omid Fatemieh, working with myself, Ranveer Chandra from Microsoft Research, and other PhD students, has demonstrated a range of techniques to limit the damage that can be caused by malicious misreporting of radio spectrum telemetry.  This work demonstrated the effectiveness of three primary strategies.  First, when sensing is done in small geographic cells it is possible to compare results from neighboring cells to corroborate reports and detect cells in which a majority of reports come from malicious sources.  Second, with suitable experimental data it is possible to use machine learning based on Support Vector Machines (SVMs) to create a classifier that can detect anomalies without the need for a specific radio propagation model.  Third, there are systematic ways to incorporate data from nodes that builds confidence in their trustworthiness such as remote attestation.  Fatemieh’s project included evaluations using TV transmitter data from the FCC, terrain data from NASA, and house density data from the US Census Bureau for areas of central  Illinois and southwestern Pennsylvania.  He conducted studies that demonstrated applications of the technology for advanced meter infrastructure in rural areas and for providing Internet access for public schools.

Dr. Fatemieh defended his dissertation in February 2011.  Here is a link to his home page.

  1. Reliable Telemetry in White Spaces using Remote Attestation, Omid Fatemieh, Michael LeMay, and Carl A. Gunter, ACSAC ’11.
  2. Assuring Robustness of Ratio Spectrum Telemetry Against Vandalism and Exploitation, Omid Fatemieh. Doctoral Thesis, University of Illinois at Urbana-Champaign, February 2011.
  3. Using Classification to Protect the Integrity of Spectrum Measurements in White Space Networks, Omid Fatemieh, Ali Farhadi, Ranveer Chandra and Carl A. Gunter, NDSS ’11.
  4. Low Cost and Secure Smart Meter Communications using the TV White Spaces, Omid Fatemieh, Ranveer Chandra and Carl A. Gunter, ISRCS ’10.
  5. Secure Collaborative Sensing for Crowdsourcing Spectrum Data in White Space Networks, Omid Fatemieh, Ranveer Chandra and Carl A. Gunter, DySPAN ’10.
The following images illustrate the nature of cells and readings and the architecture of the proposed wireless meter communication infrastructure respectively.


Secure Multicast for Power Grid Communications

Increasing connectivity of electric power grid substation networks has led to concerns about the security of multicast communications on the substation networks. New research shows how suitable design based on IPsec can provide security with low latency.

Smart grid technologies have introduced a variety of capabilities to electric power substations to link Intelligent Electric Devices (IEDs) through digital substation Local Area Networks (LANs) based on Ethernet. Such substations use multicast to send data and control commands between IEDs. At the same time, these substations have become increasingly connected to external systems and hence to threats of malicious attacks. This make it desirable to provide for secure multicast communications in which messages are authenticated and possibly even encrypted. Ideally one could use off-the-shelf security technologies such as the Internet Security Protocol (IPsec) to address this need, but there are two problems: (1) increasing complexity of substation configurations and the complexity of IPsec configuration make automated support of security configuration critical and (2) the latency requirements of substation communications must be respected by security protocols.

Research by Jianqing Zhang, a PhD student at the University of Illinois, and I has shown how to address these problems through the use of an extension of the Substation Configuration Language (SCL) called SecureSCL and a proper application of IPsec Group Domain of Interpretation (IPsec GDOI). Zhang’s technique adds annotations to SCL configurations and uses them to generate IPsec configurations. We produced a mathematical model of the configuration that supports basic tests of correct configuration. One of the most interesting aspects of the project was the discovery that a naïve application of point-to-point IPsec using a hub-and-spokes model is not efficient enough to maintain substation latencies. We did a experiments with various sizes of emulated substations on the DETER test bed and found that scalability depends on effective use of the underlying parallelism of the switches. Zhang used the TVA Bradley substation as a guiding test case for the studies.

The work is described conference and journal articles as well as his thesis. Doctor Zhang is now a research scientist at Intel Labs in Santa Clara where he works on the security of smart grid technologies for home appliances. Here is a link to his home page.

  1. Application-Aware Secure Multicast for Power Grid Communications, Jianqing Zhang and Carl A. Gunter. International Journal of Security and Networks (IJSN), volume 6, number 1, 2011.
  2. Application-Aware Secure Multicast for Power Grid Communications, Jianqing Zhang and Carl A. Gunter. IEEE International Conference on Smart Grid Communications (SmartGridComm ’10), Gaithersburg, MD, October 2010.
  3. Secure Multicast for Power Grid Communications, Jianqing Zhang, Doctoral Thesis, University of Illinois, September 2010.

The following illustrations depict the typical architecture of an advanced electric substation LAN and the SecureSCL system respectively.

Non-Intrusive Load Shed Verification (NILSV)

Smart grid load shedding of consumer appliances during peak periods is challenged by the need to have trustworthy responses from these appliances.  A new design shows how this can be achieved with a “trust-but-verify” framework.

One strategy for getting load reductions during periods of peak demand is for Energy Service Providers (ESPs) to maintain direct control over a class of consumer loads.  This has tradeoffs against allowing indirect control by a consumer through means like variable pricing.  Direct control has the advantage that the ESP has better knowledge of how and when to shed loads, but direct control assumes the existence of appliances that can be relied upon to receive, and act on, load shed commands from the ESP.  This introduces a problem with the trust the ESP can place in consumer appliances.  Approaches that place trust in appliances, like relying on special chips that enable ESP access, make direct controls more expensive and difficult to deploy.  On the other hand, consumer “free riders”, who accept discount programs for direct control but fail to respond to load shed signals, make enforcement problematic if there is no ESP technical control.

I worked with a team that includes students from the TCIPG project and Andrew Wright from N-Dimension to develop a technique for direct control that is based on a “trust but verify” technique called Non-Intrusive Load Shed Verification (NILSV).  The idea is to use Non-Intrusive Load Monitoring (NILM) on smart meters to monitor power usage and from this to form an estimate of whether load shed instructions are being respected by consumers.  The main novelty required by the technique was a form of distributed NILM (dNILM) which does heavy-weight NILM calculations at the ESP backend while doing light-weight monitoring on the smart meter.  We did some preliminary tests of the technique to show general feasibility using monitoring of appliances in homes.

The over-all approach for NILSV is described in an article in an IEEE Pervasive special issue on smart energy systems [1], and details of the dNILM algorithms were presented at ISGT [2].

  1. Non-Intrusive Load Shed Verification, David C. Bergman, Dong Jin, Joshua P. Juen, Naoki Tanaka, Carl A. Gunter and Andrew K. Wright. IEEE Pervasive Computing, Special Issue on Smart Energy Systems, volume 10, number 1, pages 49-57, 2011.
  2. Distributed Non-Intrusive Load Monitoring, David C. Bergman, Dong Jin, Joshua P. Juen, Naoki Tanaka, Carl A. Gunter and Andrew Wright. IEEE/PES Conference on Innovative Smart Grid Technologies (ISGT ’11), Anaheim, CA, January 2011.