TRUST officials also have been advising lawmakers and regulators about the security and privacy aspects of proposed laws and policies.
In the area of medical privacy, the medical school at Vanderbilt University, a center research partner, has made patient records, including medical and billing information, available to TRUST in a pilot project to research access and privacy issues. The school wants to protect the system against unauthorized entry.
“The school wanted our help in making the system secure,” says Larry Rohrbough, TRUST’s executive director. “We are providing the mechanisms to ensure that the portal is constructed consistent with all the privacy requirements, particularly with regard to who can have access: provider, doctor, patient, friend, relative.”
The Vanderbilt University Medical Center also is supporting a clinical trial of TRUST-developed technologies that will help medical professionals better treat conditions such as sepsis and congestive heart failure. “TRUST researchers developed these health information systems to both improve patient care and comply with rules and policies,” such as HIPAA, the health privacy information law, as well as the Children’s Online Privacy Protection Act, or COPPA, Rohrbough says.
Furthermore, TRUST’s healthcare work attracted the attention of the Department of Health and Human Services, prompting the department to create the Strategic Healthcare IT Advanced Research Projects (SHARP), a program to explore the potential uses of health information technology nationwide, and ensure they are secure.
Among other things, the federal SHARP program has awarded $15 million grants to each of four universities and/or health care systems to study how patients and physicians can use these electronic systems to improve care and involve patients, while protecting privacy, similar to what TRUST researchers are doing with the Vanderbilt project.
“We’ve embedded it with medical processes, which involve a fair number of treatment protocols—standards of care for doctors and patients,” Sastry says. “You have a system that pops up and says ‘this is what you are supposed to do,’ for a specific treatment. It tells a certain set of practices for doctors, nurses and patients, and all consistent with privacy.”
The center also is collaborating with the federal Departments of Treasury and Energy. At Treasury, they are advising officials on how to protect large banks and trading partners against financial crime, “which can be much more sophisticated than phishing, and can include such things as mortgage fraud,” Sastry says. At Energy, they are helping to protect the nation’s physical infrastructure against attack.
“In TRUST, we are working on ways to protect smart grids, water, power, gas,” Rohrbough says. “Some people want to cause blackouts, to, for example, deny Chicago heat during a snowstorm, or shut down traffic lights in Los Angeles. Sometimes these are insider attacks, from a disgruntled employee. How do you operate through attacks? How do you prevent these attacks? We’re looking not only at threats and vulnerabilities, but at existing and emerging standards, areas where security is not addressed or where it is addressed in a conflicting way, so we can develop, test, and deploy solutions.”
The goal is to create networks where security is not an afterthought, Sastry says. “We are thinking in advance,” he says.
With that in mind, the center is pushing for a science base that will move computer security from a reactive stance to a proactive one “and beyond deploying defenses for known attacks to building secure systems in a principled way,” Sastry says.
“For example, how can we characterize security properties in a way that gives insight into enforcement mechanisms and verification approaches?” he adds. “What security properties can defenses support, and what attacks can defenses resist? This will require the architecture of the infrastructure to change, so that what replaces it, ultimately, will be more secure and resilient.”