Databases Reference
In-Depth Information
that each query resulted in the leaked data. The query that accessed the state
of the database that is most similar to the leaked database should be examined
first by the auditor. While this technique helps prioritize the leads, establish-
ing the source of disclosure with certainty still requires forensic investigation.
We assume that individual business aliates are loaned separate copies of the
database generated from queries that were run at different times. Since the
company can identify the queries that disclosed information to specific third
parties, this ranking method may help isolate the source of disclosure. Thus,
query ranking enables the company to track the release of its data without
perturbing the released data.
Auditing Curation.
Another important feature of a Hippocratic database
is the ability to audit modifications of information and policies. Suppose that
NetCare Hospital is the subject of a malpractice investigation, in which plain-
tiff Betsy alleges that her husband Charles's death was due to an improper
drug prescription and dosage. She claims that the doctor ignored her hus-
band's reported allergy to the drug and that administration of this drug was
inappropriate given the results of his most recent blood tests. His physician,
Dr. Roberts, contends that there is no record of the patient's allergy to this
drug and that the prescribed dosage was appropriate given the results of
the patient's blood work. In the course of its internal investigation, NetCare
would like to determine whether any potentially inculpating information in
the patient's medical record was deleted or modified.
To address this problem, we proposed an auditing system called
curation
auditing
, which tracks the history of modifications to sensitive information
and the policies that govern such information, using logs of database updates
[12]. By allowing entities to investigate the source of improprieties, such as
improper data or policy modifications, curation auditing helps to address the
HDB compliance principle more completely. The audit system maintains logs
of all database operations in addition to the backlog structure used for au-
diting database access. The audit expression language discussed above with
regard to compliance auditing is extended to declaratively specify the curation
information to be audited. Because curation auditing tracks general updates,
this language includes the
before
and
after
values of update operations. The
following is an informal example of an audit expression that NetCare would
issue to determine whether patient Charles's allergy information was updated
or deleted subsequent to his death six months ago.
Who updated or deleted patient Charles allergy to penicillin within
the past six months?
During
current date - 6 months to current date
Audit-curation
Patient-Allergies s
Where
s.patient-name=”Charles” and before s.allergy=”penicillin”
The
during
clause of the audit expression specifies a time period for the
audit, the
audit-curation
clause stipulates that the patient-allergies table is
