Experiences in the logical specification of the HIPAA and GLBA privacy laws

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2010, Pages 73-82

  DeYoung, Henry ^a   Garg, Deepak ^a   Jia, Limin ^a   Kaynar, Dilsun ^a   Datta, Anupam ^a  

^a CARNEGIE MELLON UNIVERSITY   (United States)

Author keywords

fixed point logic; glba; hipaa; privacy policy specification

Indexed keywords

COMPUTER ASSISTED; FIXED POINTS; FIXED-POINT LOGIC; FORMAL SPECIFICATION AND ANALYSIS; GLBA; GRAMM-LEACH-BLILEY ACTS; HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACTS; HIPAA; LOGICAL FORMALIZATION; LOGICAL SPECIFICATIONS; PRIVACY LAW; PRIVACY POLICIES; SELF-REFERENCES;

HEALTH INSURANCE; LEACHING; SPECIFICATIONS;

COMPUTER PRIVACY;

EID: 78650209519     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1866919.1866930     Document Type: Conference Paper

References (25)

1. R. Alur and T. A. Henzinger. A really temporal logic. Journal of the ACM, 41(1):181-203, 1994.
2. M. Backes, B. Pfitzmann, and M. Schunter. A toolkit for managing enterprise privacy policies. In European Symposium on Research in Computer Security, LNCS 2808, pages 101-119, 2003.
3. A. Barth, A. Datta, J. C. Mitchell, and H. Nissenbaum. Privacy and contextual integrity: Framework and applications. In Proceedings of the 27th IEEE Symposium on Security and Privacy, pages 184-198, 2006.
4. A. Barth, A. Datta, J. C. Mitchell, and S. Sundaram. Privacy and utility in business processes. In Proceedings of the 20th IEEE Computer Security Foundations Symposium, pages 279-294, 2007.
5. D. Basin, F. Klaedtke, and S. Müller. Monitoring security policies with metric first-order temporal logic. In Proceedings of the 15th ACM Symposium on Access Control Models and Technologies, pages 23-34, 2010.
6. J. Bradfield and C. Stirling. Local model checking for infinite state spaces. Theoretical Computer Science, 96(1):157-174, 1992.
7. J. Bradfield and C. Stirling. The Handbook of Modal Logic, chapter Modal Mu-Calculi, pages 721-756. 2006.
8. T. Breaux and A. Antón. Analyzing regulatory rules for privacy and security requirements. IEEE Transactions on Software Engineering, 34(1):5-20, 2008.
9. L. F. Cranor. Web Privacy with P3P. O'Reilly and Associates, Inc., 2002.
10. Deloitte & Touche and the Ponemon Institute. Enterprise@Risk: 2007 Privacy and Data Protection Survey. White Paper, December 2007.
11. H. DeYoung, D. Garg, D. Kaynar, and A. Datta. Logical specification of the GLBA and HIPAA privacy laws. Technical Report CMU-CyLab-10-007, Carnegie Mellon University, 2010.
12. N. Dinesh, A. K. Joshi, I. Lee, and O. Sokolsky. Reasoning about conditions and exceptions to laws in regulatory conformance checking. In Proceedings of the Ninth International Conference on Deontic Logic in Computer Science, pages 110-124, 2008.
13. L.-Å. Fredlund, D. Gurov, T. Noll, M. Dam, T. Arts, and G. Chugunov. A verification tool for ERLANG. International Journal of Software Tools for Technology Transfer, 4(4):405-420, 2003.
14. M. Hilty, D. A. Basin, and A. Pretschner. On obligations. In Proceedings of the 10th European Symposium on Research in Computer Security, pages 98-117, 2005.
15. S. Jajodia, P. Samarati, M. L. Sapino, and V. S. Subrahmanian. Flexible support for multiple access control policies. ACM Transactions on Database Systems, 26(2):214-260, 2001.
16. P. E. Lam, J. C. Mitchell, and S. Sundaram. A formalization of HIPAA for a medical messaging system. In Proceedings of the 6th International Conference on Trust, Privacy, and Security in Digital Business, LNCS 5695, pages 73-85, 2009.
17. N. Li, J. C. Mitchell, and W. H. Winsborough. Design of a role-based trust management framework. In Proceedings of the 2002 IEEE Symposium on Security and Privacy, pages 114-130, 2002.
18. Z. Manna and A. Pnueli. Temporal Verification of Reactive Systems: Safety. Springer-Verlag, 1995.
19. M. J. May, C. A. Gunter, and I. Lee. Privacy APIs: Access control techniques to analyze and verify legal privacy policies. In Proceedings of the IEEE Workshop on Computer Security Foundations, pages 85-97, 2006.
20. H. Nissenbaum. Privacy as contextual integrity. Washington Law Review, 79(1):119-158, 2004.
21. OASIS XACML Committee. Extensible access control markup language (XACML) v2.0, 2004. Available at http://www.oasis-open.org/specs/#xacmlv2.0.
22. T. Räsch. Automata, Logics, and In nite Games, chapter Introduction to Guarded Logics, pages 321-342. LNCS 2500. Springer-Verlag, 2002.
23. US Congress. Gramm-Leach-Bliley Act, Financial Privacy Rule. 15 USC x6801{x6809, November 1999. Available at http://www.law.cornell.edu/uscode/usc- sup-01-15-10-94-20-I.html.
24. US Congress. Health Insurance Portability and Accountability Act of 1996, Privacy Rule. 45 CFR 164, August 2002. Available at http://www.access.gpo.gov/ nara/cfr/waisidx-07/45cfr164-07.html.
25. A. F. Westin. Privacy and Freedom. Atheneum, 1967.