The lab is performing work on the Strategic Healthcare IT Advanced Research Projects on Security project. It is developing security and privacy technologies to help remove key barriers that prevent the use of health information by systems implementing electronic health records, health information exchanges, and telemedicine.
Advances in networking, distributed computing, and medical devices are combining with changes in the way health care is financed and the growing number of elderly people to produce strong prospects for the widespread use of assisted living, a health care approach which can benefit from transferring medical information collected in homes or dedicated facilities to clinicians over data networks. The lab explored security engineering of such systems through prototypes, field trials, and formal methods based on an architecture that uses a partially trusted Assisted Living Service Provider as a third party intermediary between assisted persons and clinicians.
Adaptive Messaging Policy (AMPol)
Scalable distributed systems demand an ability to express and adapt to diverse policies of numerous distinct administrative domains. The lab introduced technologies for messaging systems with adaptive security policies based on WSEmail, where Internet messaging is implemented as a web service, and Attribute-Based Messaging, where addressing is based on attributes of recipients.
Although there has been significant progress on the formal analysis of security for integrity and confidentiality, there has been relatively less progress on treating denial-of-service attacks. The lab has explored techniques for doing this based on the shared channel model, which envisions bandwidth as a limiting factor in attacks and focuses on host-based counter-measures such as selective verification, which exploits adversary bandwidth limitations to favor valid parties. It is also developing new formal methods for reasoning about dynamic configuration of VPNs.
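The following Python model is an added illustration of the selective verification idea described above; it is not code from the lab or from its publications. It assumes a receiver that verifies each arriving packet only with some probability p (a constructed value of 0.1 below), valid senders that compensate by repeating their request k times, and a constructed traffic mix of forged attacker packets and valid requests; the traffic volumes are arbitrary sample numbers chosen for the simulation.

```python
import random

# Selective verification in the shared channel model: bandwidth, not CPU, is
# the attacker's limiting resource. Instead of verifying every packet (and
# being swamped by forged ones), the receiver verifies each packet with
# probability p, so its expensive verification work is bounded by p times the
# arrival rate. A valid sender, whose bandwidth is small compared with the
# attacker's flood, sends k copies of its request and succeeds if any one copy
# is selected. The attacker is already spending all of its bandwidth, so
# only a p fraction of its flood ever reaches the verifier.


def acceptance_probability(p: float, copies: int) -> float:
    """Probability that at least one of `copies` identical valid packets is selected."""
    return 1.0 - (1.0 - p) ** copies


def verification_load(p: float, attacker_rate: float, valid_rate: float, copies: int) -> float:
    """Expected number of expensive verifications per unit time under selection."""
    return p * (attacker_rate + valid_rate * copies)


def copies_needed(p: float, target: float) -> int:
    """Smallest k such that a valid sender is accepted with probability >= target."""
    k = 1
    while acceptance_probability(p, k) < target:
        k += 1
    return k


def naive_served_fraction(capacity: int, total_packets: int) -> float:
    """Verify-everything receiver: once capacity is exhausted, the rest is dropped
    without regard to validity, so valid senders get only their share of capacity."""
    return min(1.0, capacity / total_packets)


def simulate(p: float, n_valid: int, copies: int, attacker_packets: int, seed: int = 1) -> dict:
    """Monte Carlo run over a constructed traffic mix (hypothetical numbers).

    Returns the number of verifications actually performed and the fraction
    of valid senders that had at least one copy selected.
    """
    rng = random.Random(seed)
    # Constructed stream: forged attacker packets plus k copies per valid sender.
    stream = [("attacker", None)] * attacker_packets
    for client in range(n_valid):
        stream.extend([("valid", client)] * copies)
    rng.shuffle(stream)

    verified = 0
    served = set()
    for kind, client in stream:
        if rng.random() < p:          # the probabilistic selection step
            verified += 1             # attacker packets fail verification but cost work
            if kind == "valid":
                served.add(client)
    return {
        "total_packets": len(stream),
        "verified": verified,
        "valid_fraction_served": len(served) / n_valid,
    }


if __name__ == "__main__":
    p, k = 0.1, 20
    print("P(valid accepted) with k=%d: %.3f" % (k, acceptance_probability(p, k)))
    print("copies needed for 99%%: %d" % copies_needed(p, 0.99))
    print("naive receiver, capacity 2400 of 20200 packets: %.3f served"
          % naive_served_fraction(2400, 20200))
    print(simulate(p, n_valid=200, copies=k, attacker_packets=20000))
```

The contrast the model makes visible is that the valid senders' success depends on p and k, which they control, while the attacker's effect on the receiver is capped at p times its bandwidth; the receiver's verification budget is spent proportionally, not exhausted by the flood.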
Formal Privacy
Many new information technologies have a profound impact on privacy. Threats from these have provoked legislation and calls for deeper regulation. The lab has developed ways to treat privacy rules more formally, including better ways to reason using formal methods about conformance and the implications of regulations, and about how to quantify and classify privacy attitudes to control the risks of new technologies. The lab showed how to formally encode HIPAA consent regulations using privacy APIs so they can be analyzed with model checking.