formalization of health information portability and accountability act (hipaa) simon berring, navya...
TRANSCRIPT
Formalization of Health Information Portability and Accountability Act (HIPAA)
Simon Berring,
Navya Rehani,
Dina Thomas
Overview
PreviousWork
SPIN
Results
Conclusions
Project Overview
• HIPAA Overview
• Previous Work
• Verification Tool - SPIN
• Formalization Results
• Conclusions
• Further Work
Overview
Overview
PreviousWork
SPIN
Results
Conclusions
What is HIPAA?
Timeline- 1996: main act is passed
- 2000: HHS releases privacy rule
- 2003: In response to criticism, HHS releases updated privacy rule
Goals- Prevent malicious parties from obtaining protected health information (phi)
- Allow flows of information necessary for health care
- Allows patients reasonable discretion
Overview
Overview
PreviousWork
SPIN
Results
Conclusions
Privacy and Contextual Integrity• Barth, Datta, Mitchell and Nissenbaum • Uses typed, first order, linear temporal logic.• With types = Agent |Message | Property | Context
• With grammar:
• With invariants:
• With norms (e.g.): inrole(p1, covered-entity) inrole(p2, individual) (q = p2) (t phi)
PreviousWork
Overview
PreviousWork
SPIN
Results
Conclusions
Privacy APIsPrevious
Work • Gunter, et al• Defined a formalism for legal privacy rules
“auditable privacy systems”• Created a language (HRU) that preserved the
subtleties of law and was accessible to non-experts
• Investigated several properties, found one “unexpected ambiguity” about patient consent
• Converted HRU to Promela and used SPIN verification
Overview
PreviousWork
SPIN
Results
Conclusions
Verification Tool
SPIN
• SPIN = Simple Promela Interpreter• Software verifier for parallel, distributed systems• LTL model checker
PromelaModel M
Xspin
LTL Translator
Verifier
Counter Example(Trace)
SPIN
Overview
PreviousWork
SPIN
Results
Conclusions
Promela
SPIN
From: Theo R. Ruys – SPIN Beginner’sTutorial, 2002
• Promela = Protocol/Process Meta Language• Communication via message channels
(synchronous/asynchronous)• Non deterministic scheduling of processes
• Model consists of• Type declarations• Channel declarations• Variable declarations• Process declarations• [ init process ]
Overview
PreviousWork
SPIN
Results
Conclusions
Promela
SPIN
From: Theo R. Ruys – SPIN Beginner’sTutorial, 2002
/*******#defines **************/mtype { one};mtype {pharmafrnd,frndpharma};
/*********global variables *************/chan q[N] = [2] of { byte};bool pharma_frnd=0;
/************** processes ****************/proctype pharmacist (chan friendin,friendout){
byte mesg;end: do ::friendin?one(mesg) ->
printf("pharmacist gets mesg frm friend \n"); ::friendout!one(mesg) ->
printf("pharmacist sends mesg to friend \n"); ::breakod
}
Overview
PreviousWork
SPIN
Results
Conclusions
Promela
SPIN
From: Theo R. Ruys – SPIN Beginner’sTutorial, 2002
proctype friend (chan pharmain,pharmaout){ byte mesg; end: do
::pharmain?one(mesg) -> pharma_frnd=1;printf("friends gets mesg frm pharmacist \n");
::pharmaout!one(mesg) ->printf("friend sends mesg to pharmacist \n");
::breakod
}/************init process**************/init {
atomic{run friend(q[pharmafrnd],q[frndpharma]); run pharmacist(q[frndpharma],q[pharmafrnd])
}}LTL property: <> pharma_frnd /* does the pharmacist send a message to the friend */
Overview
PreviousWork
SPIN
Results
Conclusions
Formalization Results
Results
• Properties checked• A friend cannot find out what medicine you're taking
without your knowledge • Your protected health information won't be transmitted to
a third party who is not covered by HIPAA privacy rule • A doctor may not disclose a patient’s record for TPO after
the patient has denied consent.
• Approach: Check validity of ( HIPAA Desired Property)
Overview
PreviousWork
SPIN
Results
Conclusions
Formalization Results
Results
• A friend cannot find out what medicine you're taking without your knowledge.
( HIPAA Desired Property) returns FALSE
• Desired Propertyinrole(p1, pharmacist) inrole (q, patient) inrole (p2, friend[q]) t prescription send(p1, p2, t) (! send(q, p1, deny-identification)
S send(q, p1, identify-friend)) • HIPAA Norms
• § 164.510(b)(1)
[Positive Norm]
inrole(q, patient) inrole(p1, hcp) tphi inrole(p2, familyfriend[q]) send(p1, p2, t)
Overview
PreviousWork
SPIN
Results
Conclusions
Formalization Results
Results
[Positive Norm]
inrole(q, patient) inrole(p1, hcp) tphi send(p1, p2, t) (!send(q, p1, deny-identification) S send(q, p1, identify-friend))
• § 164.510(b)(2)
[Negative Norm]
inrole(q, patient) inrole(p1, hcp) tphi available-sane-agrees(q) send(q, p1, object-disclosure[t]) !send(p1, p2, t)
• § 164.510(b)(3)
[Positive Norm]
inrole(q, patient) inrole(p1, hcp) tphi !available-sane- authorize(q) uses-professional-judgment(p1) !send(p1, p2, t)
Overview
PreviousWork
SPIN
Results
Conclusions
Formalization Results
Results
• Your protected health information won't be transmitted to a third party who is not covered by HIPAA privacy rule
( HIPAA Desired Property) returns FALSE
• Desired Propertyinrole(p1, hcp) inrole(q, patient) tphi send(p1, p2, t) incontext(p2, covered-entity)
• HIPAA Norms
• § 164.506(c)(1)[Positive Norm]
inrole(p1, hcp) inrole(p2, hcp) tphi send(p1, p2, t) disclosure-for-TPO(p1, t)
Overview
PreviousWork
SPIN
Results
Conclusions
Formalization Results
Results
• § 164.506(c)(2) [Positive Norm]
inrole(p1, hcp) inrole(p2, hcp) tphi send(p1, p2, t) disclosure-for-T(p2, t)
• § 164.506(c)(3) [Positive Norm]
inrole(p1, hcp) (inrole(p2, hcp) incontext(p2, covered-entity)) tphi send(p1, p2, t) disclosure-for-P(p2, t)
• § 164.506(c)(4) [Positive Norm]
inrole(p1, hcp) inrole(p2, hcp) inrole(q, patient) tphi has-relationship(q, p2) send(p1, p2, t) disclosure-for-TPO(p2, t)
• § 164.506(c)(5) [Positive Norm]
inrole(p1, hcp) inrole(p2, hcp) tphi send(p1, p2, t) incontext(p1, covered-entity) incontext(p2, covered-entity) disclosure-for-O(p2, t)
Overview
PreviousWork
SPIN
Results
Conclusions
Formalization Results
Results
Covered entity Non-covered entity
Overview
PreviousWork
SPIN
Results
Conclusions
Formalization Results
Results
• A doctor may not disclose a patient’s record for TPO after the patient has denied consent
(HIPAA -> Desired Property) returns FALSE
• Desired Propertyinrole(q, patient) inrole(p1, hcp) tphi send(p1, p2, t) (!send(q, p1, deny-consent) S send (q, p1, consent))
• HIPAA Norms
§164.506(a)(1) [Positive Norm]
inrole(q, patient) inrole(p1, hcp) tphi (<->send(p1, q, consent-request) ! <->send(p1, q, consent-request) ) send(p1, p2, t)
• §164.506(a)(2) [Negative Norm]
inrole(q, patient) inrole(p1, hcp) t authorization-requiring-phi !<-> send(q,p1, authorization) !send(p1,p2,t)
Overview
PreviousWork
SPIN
Results
Conclusions
Conclusions
Conclusions
HIPAA Specific:• The HIPAA privacy rule is generally comprehensive and well-
specified.
• However, the prose law does contain many ambiguous clauses.
• And, in at least 3 ways, HIPAA fails to require expected protections of health information.
Procedural:• SPIN, despite some troublesome flaws (lack of past operators,
memory constraints), was a good choice for this analysis.
• The methods of “Privacy & Contextual Integrity” are useful for consistently parsing prose law into LTL formulae.
• 3 is not a crowd