Tragedy of the Anticommons in Digital Right Management of Medical Records
Quanyan Zhu1, Carl Gunter2 and Tamer Başar1
1Coordinated Science Laboratory
Department of Electrical and Computer Engineering
2Department of Computer Science
University of Illinois at Urbana-Champaign
3rd USENIX Workshop on Security and Privacy Bellevue, Aug. 6-7, 2012
• Security and Privacy of EHRs
• Digital Right Management Solution
• Tragedy of Anticommons
• Game-Theoretic Models
- Non-cooperative Game Model
- Cooperative Game Model
• Conclusions and Future Work
Motivation
• Modern healthcare communication architectures tend to be open and interconnected.
– Electronic Health Record (EHR) system can reduce cost of the healthcare system and provide timely access to information.
– Decentralized accesses of patient data are allowed for family doctors, medical specialists and even non-medical care providers.
• Security and privacy are major concerns of EHRs.
[http://www.oipc.ab.ca]
[Figure: Data Owner, RMS Server and Recipient; data distribution]
Digital Rights Management (DRM) is applied to protect EHRs.
• Owners can control the distribution and use of information. [Petkovic et al. 2007]
Who owns the data?
[Figure: Recipient sends requests to RMS Server A and RMS Server B and receives certificates; Data Owner A and Data Owner B each handle distribution]
Data ownership is fragmented.
Tragedy of the Anticommons: Competing right holders foreclose each other from productive use of a share of resources, which results in underutilization of resources.
• Multiple ownership of different pieces of a patient’s medical history makes it difficult to assemble a complete record.
• The complete record has a greater value than sum of its parts.
• The barrier is not just technological but also economic.
From Commons to Anticommons
[Figure: Tragedy of the Commons vs. Tragedy of the Anticommons; labels: Self, Environ, Air Quality, Land, Labour, Cattle]
[Hardin 1968, Heller 1998, Fennell 2009, Hall 2010]
Tragedy of Commons: Prisoner’s Dilemma
• Both players are maximizers.
• NE in pure strategies (D, D) vs. Optimal team solution (C, C)
• Loss of efficiency:

(G1)        C        D
     C    2, 2     0, 3
     D    3, 0     1, 1

Social Welfare under NE = (1+1)/(2+2) = 50%
Tragedy of Anticommons: Game of Chicken
• Both players are maximizers: choose between S (Swerve) or D (Drive Ahead)
• NE in pure strategies (S, D), (D, S) vs. Optimal team solution (S, S)
• Loss of efficiency:

(G2)        S        D
     S    5, 5     1, 7
     D    7, 1     0, 0

Social Welfare under NE = (7+1)/(5+5) = 80%
• Consider two players P1 and P2.
• Each player decides the level of access granted to its users.
• λi ∈ [0,1], i = 1, 2, are decision variables:
– λi = 1: Access is denied.
– λi = 0: Access is fully granted.
– 1-λi is the access level.
• c ∈ [0,1] is a unit cost on the granted access.
• p is the access fee charged.
Non-Cooperative Game Model
Ui (λ1, λ2) = p + (2-λ1-λ2)λi - c (1-λi), i = 1, 2,
The value of information is proportional to total accesses granted.
• A unique NE is λ1 = λ2 = (2+c)/3.
• Worst case is λ1 = λ2 = 1 when c = 1, i.e., accesses are all denied.
Nash Equilibrium vs. Team Optimal Solution
Ui (λ1, λ2) = p + (2-λ1-λ2) λi - c (1-λi), i = 1, 2,
U (λ1, λ2) = U1 (λ1, λ2) + U2 (λ1, λ2)
• Team optimal solution is λ1 = λ2 = (2+c)/4.
• Worst case is λ1 = λ2 = 3/4 when c = 1, i.e., 1/4 accesses granted.
Some form of coordination is needed.
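The gap between the Nash equilibrium and the team optimum can be checked numerically. The following Python sketch is an added example, not part of the original slides: it iterates the best response implied by the first-order condition of Ui and grid-searches the joint utility U over symmetric profiles; the fee value p = 1/10 is a constructed sample.

```python
from fractions import Fraction as F

def utility(i, lam, c, p):
    """U_i = p + (2 - l1 - l2) * l_i - c * (1 - l_i), the slide's payoff."""
    return p + (2 - lam[0] - lam[1]) * lam[i] - c * (1 - lam[i])

def welfare(lam, c, p):
    # Joint utility U = U_1 + U_2 used for the team solution.
    return utility(0, lam, c, p) + utility(1, lam, c, p)

def best_response(lam_other, c):
    # First-order condition 2 - 2*l_i - l_j + c = 0, clipped to [0, 1].
    return min(1.0, max(0.0, (2 + c - lam_other) / 2))

def nash(c, rounds=100):
    # Simultaneous best-response iteration; the error halves each round.
    l1 = l2 = 0.0
    for _ in range(rounds):
        l1, l2 = best_response(l2, c), best_response(l1, c)
    return l1, l2

def team_optimum(c, p, steps=1000):
    # Exact grid search over symmetric profiles (l, l), the form the slide reports.
    grid = [F(k, steps) for k in range(steps + 1)]
    return max(grid, key=lambda l: welfare((l, l), c, p))

if __name__ == "__main__":
    p = F(1, 10)  # constructed access fee, not a value from the slides
    for c in (F(0), F(1, 2), F(1)):
        ne = nash(float(c))[0]
        opt = team_optimum(c, p)
        print(f"c={float(c):.1f}  NE access={1 - ne:.3f}  "
              f"team access={float(1 - opt):.3f}")
```

For every c in [0,1] the equilibrium access level 1-λ is below the team-optimal one, and at c = 1 it drops to zero while the team solution still grants 1/4.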
A Coordinated Electronic Health Record System
[Figure: Data Owner A and Data Owner B supply patient records to a Health Record Database; the patient gives consent through a Consent Management System]
[Sheppard, Safavi-Naini, Jafari, 2009]
How to quantify the value of coordination?
The characteristic function v is described by
– v(∅) = v({C}) = 0,
– v({1}) = v({2}) = ¼ (c-1)^2 + p,
– v({1, C}) = v({2, C}) = ¼ (c-1)^2 + p,
– v({1, 2}) = 2p,
– v({1, 2, C}) = ¼ (c-2)^2 + 2p.
Cooperative Game Model: Shapley Value
[Figure: Data Owner A, Data Owner B and Coordinator]
Value of Coordination
Shapley Values
– u1 = 1/3 – c/3 + c^2/12 + p
– u2 = 1/3 – c/3 + c^2/12 + p
– u3 = 1/3 – c/3 + c^2/12
• The coordination is least valuable when c = 1, which yields u3 = 1/12.
• The coordination is most valuable when c = 0, which yields u3 = 1/3.
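The Shapley values above follow directly from the characteristic function v. This added Python example (not from the original slides) computes them by averaging marginal contributions over all orders in which the three players can join; the player labels "1", "2", "C" and the fee p = 1/10 are constructed for illustration.

```python
from fractions import Fraction as F
from itertools import permutations

PLAYERS = ("1", "2", "C")  # data owners 1 and 2, coordinator C

def characteristic(c, p):
    """The slide's v(S); coalitions are keyed by frozenset of player labels."""
    solo = F(1, 4) * (c - 1) ** 2 + p
    return {
        frozenset(): F(0), frozenset("C"): F(0),
        frozenset("1"): solo, frozenset("2"): solo,
        frozenset("1C"): solo, frozenset("2C"): solo,
        frozenset("12"): 2 * p,
        frozenset("12C"): F(1, 4) * (c - 2) ** 2 + 2 * p,
    }

def shapley(v, players=PLAYERS):
    # Average each player's marginal contribution over all join orders.
    orders = list(permutations(players))
    phi = {pl: F(0) for pl in players}
    for order in orders:
        coalition = frozenset()
        for pl in order:
            joined = coalition | {pl}
            phi[pl] += v[joined] - v[coalition]
            coalition = joined
    return {pl: total / len(orders) for pl, total in phi.items()}

if __name__ == "__main__":
    p = F(1, 10)  # constructed access fee, not a value from the slides
    for c in (F(0), F(1, 2), F(1)):
        phi = shapley(characteristic(c, p))
        print(f"c={c}: u1={phi['1']} u2={phi['2']} u3={phi['C']}")
```

The coordinator's share u3 equals (c-2)^2/12 and does not depend on p, and the three shares always sum to v({1, 2, C}).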
Conclusions and Future Work
• The fractured ownership among medical service providers and insurers has created the tragedy of anticommons for DRM implementation.
• Multiple ownerships in DRM will lead to underutilization of EHR resources even though security and privacy are guaranteed.
• The barrier is not just technical but also economic.
• Cooperative and non-cooperative game-theoretic models can be used to understand strategic behaviors of data owners and the value of coordination.
• Game-theoretic tools can provide a theoretical basis for implementation of DRM technologies, design of security policies and provision of incentive mechanisms.
Contacts:
Quanyan Zhu
Carl Gunter
Tamer Başar
Q. Zhu, C. Gunter and T. Başar, “Tragedy of Anticommons in Digital Right Management of Medical Records,” Technical Report, CSL-UIUC, 2012.