Using Digital Rights Management for Securing Data in a Medical Research Environment

Mohammad Jafari
Department of Computer Science, Univ. of Calgary, 2500 University DR NW, Calgary, AB, Canada
[email protected]

Reihaneh Safavi-Naini
Department of Computer Science, Univ. of Calgary, 2500 University DR NW, Calgary, AB, Canada
[email protected]

Chad Saunders
Department of Community Health Science, Univ. of Calgary, 2500 University DR NW, Calgary, AB, Canada
[email protected]

Nicholas Paul Sheppard
Library eServices, Queensland Univ. of Technology, Victoria Park Rd, Kelvin Grove, QLD, Australia
[email protected]

ABSTRACT

We propose a digital rights management approach for sharing electronic health records in a health research facility and argue the advantages of the approach. We also give an outline of the system under development and our implementation of the security features, and discuss the challenges that we faced and future directions.

these patients and re-purposed for research, while some of the data is collected specifically for individual studies. Guiding the use of this data for translational research is the ethics review process, which attempts to ensure that patients provide their informed consent for the use of their data for specific research purposes. While this is reasonably easy to manage within the context of traditional health research methods, since these tend to be self-contained research projects that collect all the data required as part of the study, translational research tends to require re-purposing data, which further complicates the ethics review process. In addition, some of the most innovative translational research emerges from linking data collected for one study and domain to data from another study in a separate domain. Supporting this linking of data and the subsequent collaboration necessitates a system that ensures that ethics consents are enforced across studies and individual researchers, while facilitating the secure sharing of data and its movement among systems for the purposes of reporting and analysis, all in accordance with the consent. De-identification of data for making it available within a collaborative environment is one very active area of research [6]. However, it is mainly aimed at making data available to the public and either removes identifiable information or perturbs sensitive values. Both of these methods reduce the reliability and traceability of the data and make it unacceptable in many research projects. In this paper, we describe an approach to enforcing ethics consents based on digital rights management (“DRM”). DRM provides “persistent access control” by which access to electronic data can be governed by a policy expressed in a machine-readable license, regardless of the location in which the data is stored or used [10].

In the present context, the rights-managed data is a patient’s electronic healthcare record (“EHR”) and licenses are derived from the patient’s consent to use this record in a research context. The rest of the paper is organized as follows: Section 2 reviews some of the related work that proposes the use of DRM technology for protection of privacy in health-related sys-

Categories and Subject Descriptors K.6.5 [Management of Computing and Information Systems]: Security and Protection

General Terms Security

Keywords DRM, Electronic Health Records, Microsoft AD-RMS

1. INTRODUCTION

There is increasing pressure on healthcare researchers to bridge the gap between bench-based basic science research and actual use within medical practice. This translational research, commonly referred to as bench-to-bedside, requires a very different approach compared to traditional methods [16]. In particular, translational research often requires integrating data from multiple systems and of different types. Some of this data is collected as part of the ongoing care of

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. DRM’10, October 4, 2010, Chicago, Illinois, USA. Copyright 2010 ACM 978-1-4503-0091-9/10/10 ...$10.00.


tems. Section 3 outlines the existing research management system and the main privacy hot spots. Our design and implementation is discussed in Section 4. In Section 5 we review some of the points about the current design and possibilities for future extensions, and the concluding remarks are given in Section 6.

project is interested in a certain type of patient that meets specific criteria. The patients of interest are enrolled in the project and their records are regularly updated with the new information resulting from their ongoing care. Members of the project have different roles. The leader of the project defines the project and chooses the enrolled patients. Members of the project are either researchers or assistants. Depending on their roles, members have different views of the enrolled patients’ records. The researchers need to see and analyze the health information in a patient’s record without seeing the personal and contact information. The assistants, on the contrary, should not see the health and medical information, but need to see the personal and contact information in order to contact the patient whenever necessary; for example, when a patient visit is needed to collect samples or check symptoms.

2. RELATED WORK

Digital rights management is best known for its use in the protection of intellectual property [10], but more recently it has also been applied to the protection of personal information [8, 13]. Digital rights management technology allows information owners to control the distribution and use of their information by describing a policy in a machine-readable license. Petković et al. examine the potential for using digital rights management technology in protecting electronic healthcare records [12]. They argue that digital rights management technologies already provide many of the features desired in a secure electronic healthcare system, in that they can provide persistent and homogeneous protection of information even when it is disseminated throughout a distributed healthcare system. On the other hand, they also mention some points where digital rights management may not meet these needs. Our work is a step towards implementing a workable system based on that idea and tackling the practical challenges. Some authors have proposed DRM standards, notably the MPEG-21 IPMP Components [4], for use in protecting some kinds of medical data, such as the information collected by embedded medical devices [5, 9]. Whereas these works concentrate on a certain type of application dealing with only a simple type of medical data, our application is more general and is closer to a complete electronic health record system. In previous work, the present authors have proposed the design of a secure electronic health record system in which digital rights management is employed to protect health information that is in use within a healthcare facility [14, 15]. The current work is along the same line of research and is a step towards implementing a real application based on that approach. Also, at an earlier stage of this project, we published an outline of the design as a 2-page short paper in the USENIX HealthSec’10 workshop [7].

3.2 Privacy Requirements

The main privacy requirements of the research facility are:

• Only members of a project can access the EHRs of the patients enrolled;
• assignment of patients’ EHRs to projects should be subject to the patients’ consents;
• users can access project data based on their role in the organization and the project;
• the user can only exercise the specified access rights (e.g. read); and
• the access control will be persistent, in the sense that data remains protected on both the server and the client side.

4. THE DEVELOPED SYSTEM

4.1 Microsoft SharePoint and AD-RMS

The Hepatology Knowledge Base (described in Section 3) is developed on Microsoft’s SharePoint [2]. SharePoint is a feature-rich web publishing platform that facilitates developing collaborative applications. We chose Microsoft’s Active Directory Rights Management Services (“AD-RMS”) [1] as the rights management solution since the application in question is already being developed on Microsoft’s SharePoint and also because SharePoint has some support for integration with AD-RMS. For similar reasons, Microsoft Active Directory is used for identity management. AD-RMS enables registered users of a domain to publish rights-managed content in protected form and to issue licenses that control which users are allowed to use the content and under what conditions. The license is an XML document in a standard rights expression language, XrML [3], that is signed by the AD-RMS server and includes the following elements:

3. THE EXISTING SYSTEM

3.1 Research Management Application

The research management application is developed to be used primarily by the Hepatology Research Group at the Faculty of Medicine, University of Calgary, Canada. The system is intended to facilitate medical research by providing electronic management of healthcare information relating to patients who participate in medical studies. In its current form, it is used in Hepatology research (that is, the study of the liver, gall bladder and pancreas) and is known as the Hepatology Knowledge Base. The design of the application is, however, general enough to be used by other similar research groups, and it is hoped that the system will eventually be used in other areas of medicine. The research is organized into several research projects. Each research project has some members and focuses on a certain research topic. Depending on the research topic, each

• The identity of the user to which the license is issued.
• The identifier of the content for which the license is issued.
• The rights that are granted to the user for using the content.
• The conditions under which the rights are granted, such as time limits.
• The cryptographic key with which the content is encrypted. This key is in turn encrypted with the recipient’s public key so that it can only be used by the particular user.

Figure 1 (elements of the AD-RMS use license, in order): Issued Time; Descriptor; Issuer; Issued Principals; Identifying information of the content; Owner; Right; Condition; Exclusion Policy; Inclusion Policy; Signature.

A trusted agent is necessary for acquiring the license and using the content. The trusted agent is guaranteed to enforce the rights and conditions according to the license and to protect both the content key and the plaintext content from direct access by the user. Microsoft Office applications such as Word or Excel can act as trusted agents for AD-RMS and can be used to generate protected content, or to acquire licenses from the server and open protected content created by other users. AD-RMS works with a standard set of rights such as read, modify, copy, etc. that are defined in the standard DRM agents, but it is also capable of implementing application-specific rights and customized DRM agents developed by third parties. AD-RMS can be integrated with SharePoint and provides persistent access control so that server-side permissions can be enforced on the client as well. When content is downloaded from the SharePoint website, it is encrypted and changed into protected form, and the access control settings on documents stored on SharePoint are automatically translated into rights-management settings in a license. For instance, suppose the permission settings on the server say that user Alice is allowed to see, but not modify, a document, and Alice tries to access the document. When the request for download reaches the server, the document is encrypted on-the-fly and sent to Alice. AD-RMS will then issue a license for Alice that allows her only to read the document, and not to modify or copy it. Thus, even when the document is saved on the local hard drive of Alice’s machine, it is subject to the restrictions set by the server-side access control policy. A brief overview of how AD-RMS works is given below:

Figure 1: The structure of the AD-RMS use license (UL) [11].

license (“UL”) to be issued. Both the account certificate of the user (RAC) and the publishing license of the content (PL) are included in this request. If the publishing license authorizes the requesting user to use the content, the use license is generated subject to both the rules specified in the publishing license and the general policies defined by AD-RMS, such as the expiration date, excluded agents, etc. After acquiring the use license, the agent is able to decrypt the content and make it available to the user subject to the rules specified in the use license. For instance, if the use license forbids printing, the agent does not allow the user to print the content. Note that the use license is what is usually referred to simply as the license in the standard DRM literature. Figure 1 shows the structure of a use license.

4.1.1 Registration with the Infrastructure

When a user logs in on a machine, the machine contacts AD-RMS and a registration process is initiated. First, the machine on which the user has logged in is issued a certificate named security processor certificate (“CPC”). This certificate contains a key-pair used for cryptographic authentication of the machine and is bound to its unique hardware features. The logged-in user is issued a separate certificate called rights management account certificate (“RAC”). This certificate contains a key-pair used for authentication of the user and is bound to the user’s unique identifier and email address.

4.1.2 Creating Protected Content

To create protected content, a user encrypts the content either locally using the agent or using the AD-RMS server-side functions. A publishing license (“PL”) is then created and signed by the user, specifying the general policy governing the usage of the content. The license specifies which users or groups are allowed to use the content, what rights each of them has (e.g. read, print, modify, save a copy, etc.) and under what further conditions. The publishing license is attached to the document and remains with it.

4.1.3 Using the Protected Content

When a registered user tries to open the protected content, the agent (e.g. Microsoft Excel) requests a use

4.2 Implementation

Figure 2 shows an overview of the system. EHRs and consents are stored in a backend database, and records are assigned to projects by project leaders through a selection process that we do not discuss here. In this section we discuss the different components of the system:

4.2.1 Consents

Patients’ consent comes in a simple form as a list of keywords, such as liver cancer, Hepatitis, etc., that indicate the type of research activities in which the patient has consented to participate. On the other hand, the administrator assigns a number of appropriate keywords to each project at the time of its definition, based on the research activities of the project. The consent compliance rule is that, in order to be enrolled in a project, a patient must have consented to all of its assigned keywords. As an example, assume patient Alice has consented to participate only in liver cancer research, and project PRJ1 is assigned both liver cancer and Hepatitis; in that case Alice cannot be enrolled in the project. The consent compliance rule can be enforced by defining


data, etc. The access control settings for each of the reports are set accordingly so that each member of the project has access only to the minimum required information. Reports are stored in a rights-managed SharePoint document library. A document library is a SharePoint component that resembles a file system within which files and folders can be stored. When rights management is enabled on a document library, SharePoint works with AD-RMS to protect the files using digital rights management, in addition to the regular server-side access control. A user can see all the reports to which he or she has some access by pointing his or her browser to the URL of the application website. Users can choose and download the latest version of a report to their machine. This is a protected copy that is encrypted and requires a license. To open the document, the user logs on to the AD-RMS server using Microsoft Excel. After logging in, the credentials of the user are checked and, if they are eligible, a suitable license is generated and sent to the agent, with which the document can be decrypted. Excel then enforces the usage policy that is stated in the license. For instance, if the document is read-only, the editing options are not available in the application and the data cannot be copied to other documents.

Figure 2: The Architecture of the Developed System. (Figure residue: the components are Active Directory, the AD-RMS Server, the Database Server, the SharePoint Server and the Client, with links labelled “authentication” and “rights management”.)

project-specific views over the table of records. A view is a filtered projection of the data in which only the records and fields that meet certain criteria are included. The project-specific view includes only the records of patients who have consented to all of its assigned keywords. The view can be implemented using a simple database query. Only patients in the project-specific view are offered for enrollment in the project.
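The consent compliance rule and the project-specific view described in Section 4.2.1, written out as an added example (not the paper's code) against a constructed SQLite schema: the view is the relational "for all" query that admits a patient only when no keyword assigned to the project is missing from that patient's consents, and enrollment is refused for any patient outside the view. The tables, sample patients and project identifiers PRJ1, PRJ2 and PRJ3 are constructed for this example.

```python
import sqlite3

# Constructed schema; not the Hepatology Knowledge Base's actual tables.
SCHEMA = """
CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE consents (patient_id INTEGER REFERENCES patients(id),
                       keyword TEXT NOT NULL,
                       PRIMARY KEY (patient_id, keyword));
CREATE TABLE projects (id TEXT PRIMARY KEY, title TEXT NOT NULL);
CREATE TABLE project_keywords (project_id TEXT REFERENCES projects(id),
                               keyword TEXT NOT NULL,
                               PRIMARY KEY (project_id, keyword));
CREATE TABLE enrollments (project_id TEXT REFERENCES projects(id),
                          patient_id INTEGER REFERENCES patients(id),
                          PRIMARY KEY (project_id, patient_id));
"""

# Constructed sample data: Alice consented to liver cancer research only,
# Bob to both keywords, Carol to nothing. PRJ3 has no keywords assigned yet.
SAMPLE_DATA = """
INSERT INTO patients VALUES (1, 'Alice'), (2, 'Bob'), (3, 'Carol');
INSERT INTO consents VALUES (1, 'liver cancer'),
                            (2, 'liver cancer'), (2, 'Hepatitis');
INSERT INTO projects VALUES ('PRJ1', 'Hepatitis in liver cancer patients'),
                            ('PRJ2', 'Liver cancer cohort'),
                            ('PRJ3', 'Not yet configured');
INSERT INTO project_keywords VALUES ('PRJ1', 'liver cancer'),
                                    ('PRJ1', 'Hepatitis'),
                                    ('PRJ2', 'liver cancer');
"""

# Project-specific view: a patient qualifies iff there is NO project keyword
# that the patient has NOT consented to (relational division). The leading
# EXISTS is an added guard: without it a project with no keywords assigned
# would vacuously admit every patient in the database.
ELIGIBLE_SQL = """
SELECT p.id, p.name
FROM patients p
WHERE EXISTS (SELECT 1 FROM project_keywords WHERE project_id = ?)
  AND NOT EXISTS (
      SELECT 1 FROM project_keywords pk
      WHERE pk.project_id = ?
        AND NOT EXISTS (
            SELECT 1 FROM consents c
            WHERE c.patient_id = p.id AND c.keyword = pk.keyword))
ORDER BY p.id
"""


def open_demo_db() -> sqlite3.Connection:
    """In-memory database populated with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE_DATA)
    return conn


def project_view(conn: sqlite3.Connection, project_id: str) -> list:
    """Patients (id, name) who have consented to all of the project's keywords."""
    return conn.execute(ELIGIBLE_SQL, (project_id, project_id)).fetchall()


def enroll(conn: sqlite3.Connection, project_id: str, patient_id: int) -> bool:
    """Enroll a patient only if they appear in the project-specific view.

    Returns False, and records nothing, when the consent rule would be violated."""
    if not any(pid == patient_id for pid, _ in project_view(conn, project_id)):
        return False
    conn.execute("INSERT INTO enrollments VALUES (?, ?)", (project_id, patient_id))
    return True


if __name__ == "__main__":
    db = open_demo_db()
    print("PRJ1 view:", project_view(db, "PRJ1"))        # [(2, 'Bob')]
    print("PRJ2 view:", project_view(db, "PRJ2"))        # [(1, 'Alice'), (2, 'Bob')]
    print("PRJ3 view:", project_view(db, "PRJ3"))        # []
    print("Alice -> PRJ1:", enroll(db, "PRJ1", 1))       # False
    print("Bob -> PRJ1:", enroll(db, "PRJ1", 2))         # True
```

Keyword matching here is exact and case-sensitive; a production view would normalise keywords at assignment time rather than in the query.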

4.2.2 Server-Side Access Control

SharePoint provides a rich set of role-based access control features with which permissions can be assigned to roles; users become members of roles according to their capacities and job functions in order to obtain the required access rights. Roles can be either global, that is, defined in the identity management server, or defined locally on SharePoint. On the other hand, data objects such as folders or individual documents are abstracted as scopes. Each role is defined over a scope that determines the domain in which its assigned access rights are effective. For example, if a role with read permission is assigned to the scope of a folder, it means that members of that role are authorized to read the files in that folder. Using the role-based access control facilities in SharePoint, permissions on project documents can be set so that only project members with certain roles can access them. A separate role should be defined for each project with the appropriate access rights, and the team members of each project should be assigned to the appropriate roles accordingly. The scope of each role is straightforwardly restricted to the corresponding folder that stores the project's documents.

4.2.4 Data Delivery Module

Figure 3 depicts the functionality of the data delivery module. This module is used to fetch the most recent version of the data by running a query against the database and to store the results in the corresponding Microsoft Excel document. This process, in fact, converts data from the database format into the form of a document that can be protected using the SharePoint and AD-RMS rights management facilities. The data delivery module relies on report templates. A report template is an Excel document that contains all the necessary formatting and analysis and only lacks the data values. This enables various predefined analyses, such as summaries and charts, to be already present in the report. The module re-fills the report template with fresh data by running the corresponding query against the database and saves the resulting updated report in the corresponding rights-managed document library. In the current design, data delivery is triggered each time a user visits the application website. Other update policies, such as regular time-based updates (e.g. hourly, daily, etc.), can also be adopted, based on the number of users and the frequency of changes in the data.

4.2.3 Rights-Management

Since the SharePoint-RMS integration only supports protection of Microsoft Office documents, and since the EHR data is stored in a relational database, the existing SharePoint integration could not readily be used for protection of the EHR data. Hence, we implemented a data delivery module, depicted in Figure 2, as a SharePoint application to convert the tabular data of the database into Microsoft Excel documents. More details on this module are given in Section 4.2.4. For each project, a number of reports are designed that provide different views of the EHRs of the patients enrolled in that project. For instance, some reports may include personal and contact information, some reports only aggregated

5. DISCUSSION

5.1 Consent Directives

In the current system, since the consent directives have a simple form, they can be enforced using simple database queries and by defining project-specific views of the database in which the consents are taken into account, as described in Section 4.2.1. However, if patients’ consents take more complex forms that cannot easily be turned into database views, the current enforcement mechanism will not be feasible. For instance, if consent forms allow the patient to prohibit certain users from accessing the record, the consent can no longer be enforced at the database level and needs a more complex access control mechanism.


5.5 Saving Analysis Results

In the current design, data is given to the users in rights-managed form, and naturally they are not able to copy the data or save a copy of the entire document. One practical issue with this restriction is that researchers may want to perform new analyses, besides what already exists in the document, and save the results. This is not possible because the document is read-only, and in practice this restriction is not desirable in a research environment. Note that this may also be considered a privacy feature, since the types of analyses to be performed, i.e. the ways the data is used, are limited to what is predefined by the report.

5.6 Policy Combination

Whenever there are multiple authorities for setting policies, the issues of policy combination and conflict resolution arise. In the research environment in question, there are two different types of policies, namely the patient consent and the organizational policy. The current design avoids policy conflicts by restricting each type of policy to a separate domain: the organizational policy corresponds to the business within the projects and is implemented by role-based access control in SharePoint, whereas the consent directives are limited only to the assignment of patients to projects, which is dealt with by designing consent-aware project-specific views over the database. Nonetheless, it should be noted that if patient consents take more complex forms and interfere with the organizational policy, for example by denying access to certain roles or users, such separation will no longer be possible and a mechanism will be needed to combine different, possibly conflicting policies.

6. CONCLUSION

Digital rights management allows seamless enforcement of privacy protection policies in a health research environment. We showed how this approach can be implemented in a real system using an existing product that provides a DRM service. This approach can be used as an alternative or a complement to de-identification of data when it is re-purposed for research. The digital rights management approach is also a scalable approach and, although we only considered a single organization, one can extend it to multiple organizations.

7. REFERENCES

[1] Microsoft Active Directory Rights Management Service. http://technet.microsoft.com/en-ca/windowsserver/dd448611.aspx.
[2] Microsoft Office SharePoint Server. http://sharepoint.microsoft.com/.
[3] eXtensible rights Markup Language version 1.2. http://www.xrml.org/XrML_12.asp, 2001.
[4] International Standards Organization. Information Technology, Multimedia Framework (MPEG-21), part 4: Intellectual Property Management and Protection Components. ISO/IEC 21000-4, 2006.
[5] A. Fragopoulos, J. Gialelis, and D. Serpanos. Security Framework for Pervasive Healthcare Architectures Utilizing MPEG-21 IPMP Components. International Journal of Telemedicine and Applications, 2009.
[6] B. C. M. Fung, K. Wang, R. Chen, and P. S. Yu. Privacy-preserving data publishing: A survey of recent developments. ACM Computing Surveys, 42(4):1–53, 2010.
[7] M. Jafari, R. Safavi-Naini, C. Saunders, and N. P. Sheppard. Securing medical research data with a rights management system. In USENIX HealthSec’10: 1st USENIX Workshop on Health Security and Privacy (to appear), 2010.
[8] S. Kenny and L. Korba. Applying digital rights management systems to privacy rights management. Computers & Security, 21(7):648–664, 2002.

5.3 Extensions to the Data Delivery Module

Since the data delivery module is the mediator between the raw data in the database and the data as viewed by the end user, it is the right place to implement more advanced data filtering functionality. For instance, one common privacy-related feature is to replace the value of some fields with more abstract values, such as replacing an exact date of birth with a range. Simpler functions can be implemented using the database’s own query language, but more complex custom functions can also be supported by programming. The data delivery module can be configured to apply such functions to the results of a query before storing them in the report document.
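An added example (not the paper's module) of the data delivery step from Section 4.2.4 together with the field-abstraction extension described here: each role's report is restricted to its minimum columns, a filter generalises the exact date of birth to a 10-year age band before the rows leave the module, and the result is what would be poured into the report template. The records table, sample rows and reference date are constructed, and CSV output stands in for refilling the Excel template, which is an assumption of this example.

```python
import csv
import io
import sqlite3
from datetime import date

# Constructed EHR table and sample rows; not the Hepatology Knowledge Base schema.
SAMPLE_DB = """
CREATE TABLE records (
    patient_id INTEGER PRIMARY KEY, name TEXT, phone TEXT,
    birth_date TEXT, diagnosis TEXT, alt_level REAL);
INSERT INTO records VALUES
    (1, 'Alice', '403-555-0101', '1962-03-14', 'liver cancer', 71.0),
    (2, 'Bob',   '403-555-0102', '1975-11-02', 'Hepatitis C', 120.5);
"""

# Fixed reference date so the generalised ages are reproducible (constructed).
AS_OF = date(2010, 10, 4)


def age_band(birth_iso: str, today: date = AS_OF) -> str:
    """Generalise an exact ISO date of birth to a 10-year age band such as '40-49'."""
    born = date.fromisoformat(birth_iso)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    low = age // 10 * 10
    return f"{low}-{low + 9}"


# Report definitions as (column, optional filter). Each role's report carries
# only the columns that role needs (Section 4.2.3), and filters run inside the
# module, before the data reaches the rights-managed document.
REPORTS = {
    # Researchers: health data, no identifiers or contact details, DOB generalised.
    "researcher": [("patient_id", None), ("birth_date", age_band),
                   ("diagnosis", None), ("alt_level", None)],
    # Assistants: contact details only, never health information.
    "assistant": [("patient_id", None), ("name", None), ("phone", None)],
}


def open_records_db() -> sqlite3.Connection:
    """In-memory database populated with the constructed sample records."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_DB)
    return conn


def deliver(conn: sqlite3.Connection, report: str, enrolled_ids) -> list:
    """Fetch the latest rows for the enrolled patients, restricted to the report's
    columns, and apply each column's filter. Returns the rows for the template."""
    columns = REPORTS[report]
    ids = list(enrolled_ids)
    marks = ",".join("?" * len(ids))
    sql = (f"SELECT {', '.join(c for c, _ in columns)} FROM records "
           f"WHERE patient_id IN ({marks}) ORDER BY patient_id")
    rows = []
    for raw in conn.execute(sql, ids):
        rows.append(tuple(f(v) if f else v for (_, f), v in zip(columns, raw)))
    return rows


def render_csv(report: str, rows) -> str:
    """Stand-in for refilling the Excel report template (assumption of this example)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow([c for c, _ in REPORTS[report]])
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    db = open_records_db()
    print(render_csv("researcher", deliver(db, "researcher", [1, 2])))
    print(render_csv("assistant", deliver(db, "assistant", [1, 2])))
```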

5.4 Project Enrollment Implications

The fact that a patient is enrolled in a project may reveal some information about her or his health and types of diseases, since, as we mentioned before, each project is interested in certain types of patients that meet some criteria. This is a privacy issue that our solution does not address.

Figure 3: Data Delivery Module. (Figure residue: the boxes are the Database, the Data Delivery Module on the SharePoint Server, the Excel documents it produces, and the Rights-Managed Document Library.)

5.2 Using Microsoft Excel

Although the decision to use spreadsheets was originally due to limitations in SharePoint’s support for rights management, this approach also fits researchers’ needs for doing various analyses and nicely matches certain use cases in practice. In fact, researchers have a better experience with Excel than they would have with regular tables on web pages, since different analysis tools are already available in that environment.


[9] W. Leister, T. Fretland, and I. Balasingham. Security and Authentication Architecture Using MPEG-21 for Wireless Patient Monitoring Systems. International Journal On Advances in Security, 2(1):16–29, 2009.
[10] Q. Liu, R. Safavi-Naini, and N. P. Sheppard. Digital rights management for content distribution. In ACSW Frontiers ’03, pages 49–58, 2003.
[11] Microsoft. Rights Management Services (RMS): Client-to-Server Protocol Specification. http://msdn.microsoft.com/en-us/library/cc243191%28v=PROT.13%29.aspx, 2010.
[12] M. Petković, S. Katzenbeisser, and K. Kursawe. Rights management technologies: A good choice for securing electronic health records? In ISSE’07: Proceedings of the International Conference on Information Security Solutions Europe, pages 178–187, 2007.

[13] N. P. Sheppard and R. Safavi-Naini. Protecting Privacy with the MPEG-21 IPMP Framework. In PET’06: Proceedings of the International Workshop on Privacy Enhancing Technologies, pages 152–171, 2006.
[14] N. P. Sheppard, R. Safavi-Naini, and M. Jafari. A digital rights management model for healthcare. In POLICY’09: Proceedings of the IEEE International Workshop on Policies for Distributed Systems and Networks, pages 106–109, London, UK, 2009.
[15] N. P. Sheppard, R. Safavi-Naini, and M. Jafari. A secure electronic healthcare record infrastructure in the digital rights management model. Technical report 2009-939-18, Department of Computer Science, University of Calgary, 2009.
[16] S. H. Woolf. The meaning of translational research and why it matters. The Journal of the American Medical Association, 2008.
