Information Security in an E-Health World: Policies and Technologies
12th World Congress on Health (Medical) Informatics (MEDinfo) 2007
Panel S114: Information Security in an E-Health World; Policies and Technologies
Brisbane Convention Center – Australia. August 22nd, 2007
The Goal of this Panel
- To outline information security problems, solutions, practice and trends in healthcare; starting from real cases that demonstrate the importance of the appropriate security controls and demonstrating the technical steps and technologies that must be used to ensure system and patient safety.
Panel Overview
- PART I – Ted Cooper
  - Case Study of the Kaiser Permanente Security Breach - Lessons Learned, International Standards, Enabling High Reliability & Resilience.
- PART II – Mike Davis
  - Safeguarding Electronic Health Data: Achieving Security and Privacy Through Policy and Technology
- PART III – Bernd Blobel
  - Security Services – Key Concepts, Policy and Technology Implications
- PART IV – Tyrone Grandison
  - Security and Privacy Technology Enablers for Healthcare Systems
Rules of Engagement
- Each panelist will give a fifteen (15) minute presentation, followed by a five (5) minute Q&A session.
- All cell phones should be off or set to vibrate.
Case Study: Kaiser Permanente Security Breach - Lessons Learned, International Standards, High Reliability & Resilience
Ted Cooper, MD, Stanford University
Kaiser Permanente 1973-2003
MEDINFO 2007 S114 Panel: Information Security in an E-Health World: Policies and Technologies
Kaiser Permanente
- KP Overview
- IT Experience
- Privacy & Security Programs
KP Online
- Web-based Patient Portal
- Mission
- Service Level Agreements
Recognizing a Breach
- Patient advice and message center
  - received a phone call
- IT Notification - Escalation
  - Enterprise Support System
  - KP Online Business Team
  - Top Management
The Response & The Organization's Repertoire
- Resources
  - Individual Skill Sets
  - Leadership
  - Organizational Culture
- Crisis Management Team
- Root Cause Analysis
- Mitigation
- Organizational and Procedural Changes
Root Cause Analysis
- Technical
  - Changes to servers caused a Sendmail malfunction
  - The repair required because of the malfunction caused the breach
  - Normal Accident Theory: tightly coupled complex systems
- KP-IT Organization: Regional to National Structure
  - Technical conjunction
  - Organizational disjunction
  - Departments with conflicting priorities
  - New, rapidly changing technology
Lessons Learned from KP Online Breach
1. Complex, tightly-coupled computerized health information system architectures potentially aggravate security breaches or other mistakes.
   - They have the capacity to transform errors into cascading system accidents.
2. Security training is necessary but insufficient to prevent breaches.
   - Individual errors, group failures, and system accidents may contribute to information security breaches without violating the HIPAA security rules or standard information security policies, procedures or practices.
Lessons Learned from KP Online Breach
3. Breaches of healthcare information may signify:
   - broader organizational discontinuities and failures
   - particularly likely during periods of reform or transition
4. ISO 17799, HIPAA, the European Privacy Directive, and other regulatory regimes are forcing healthcare organizations throughout the world to pay increasing attention to security practices
   - protecting health information also requires fostering general good information management practices
   - change control, routine inter- and intradepartmental communication, and comprehensive failure analysis that transcend the domain typically labeled "information security."
Breaching the Security of the Kaiser Permanente Internet Patient Portal: the Organizational Foundations of Information Security. Collmann J, Cooper T, J Am Med Inform Assoc 2007; 14: 239-243.
International Organization for Standardization (ISO)
- JTC1 Information Technology
  - SC 27 Security Techniques Workgroups
    1. Requirements, security services and guidelines
    2. Security techniques and mechanisms
    3. Security evaluation criteria
    4. Security controls and services
    5. Identity management and privacy technologies
- TC 215 Health Informatics
  - Work Group 4 Security in Healthcare
    1. Protect and enhance confidentiality, availability and integrity
    2. Prevent systems from adversely affecting patient safety
    3. Ensure accountability of users of systems
International Security Standards
- ISO/IEC 17799:2005 Information technology - Security techniques - Code of practice for information security management (not auditable; renumbered ISO/IEC 27002 in 2007)
- ISO 27799 (under development in TC 215 WG4)
  - A guide for applying ISO 17799 for health information
  - Minimum set of requirements
- ISO/IEC 27001:2005 Information Security Management System Requirements (auditable)
Capability Maturity Model® ISO/IEC 21827:2007 Systems Security Engineering
- Describes the security engineering process that must exist to ensure good security engineering.
- A standard metric for security engineering practices
  - the entire life cycle
  - the whole IT organization
  - concurrent interactions with other disciplines
  - interactions with other organizations
COBIT - The Control Objectives for Information and Related Technology
- Aimed at maximizing the benefits derived through the use of information technology
  - Best practices (framework) for IT management
  - Generally accepted measures, indicators, processes and best practices to assist in developing appropriate IT governance and control in a company.
- Created by the
  - Information Systems Audit and Control Association (ISACA)
  - IT Governance Institute (ITGI) in 1992
- Motivated by the recognition that organizational missions are dependent on IT functionality and performance
ISO/IEC 21827 & COBIT
- Capability Maturity Model® ISO/IEC 21827:2007 Systems Security Engineering comes from the perspective of software engineering and IT operations.
- COBIT comes from the perspective of the organization and its need to achieve value from IT.
- Both involve Capability Maturity Models.
Capability Maturity Models
ISO Levels:
- 0: Incomplete
- 1: Performed
- 2: Managed
- 3: Defined
- 4: Quantitatively Managed
- 5: Optimizing
COBIT Levels:
- 0: Non-existent
- 1: Initial/ad hoc
- 2: Repeatable & Intuitive
- 3: Defined Process
- 4: Managed & Measurable
- 5: Optimized
Highly Reliable Organizations
Hallmarks
- Preoccupation with failure
- Reluctance to simplify interpretations
- Sensitivity to operations
- Commitment to resilience
- Deference to expertise
Weick & Sutcliffe, Managing the Unexpected, 2001
Avoiding Failure
- High Reliability Theory: Serious accidents with hazardous technologies can be prevented through intelligent organization design, implementation and management.
- Normal Accident Theory: Serious accidents with hazardous technologies cannot be prevented no matter how hard we try using organization design, implementation and management.
HRO Maturity Model: Organizational Stages
1. Survival
2. Containment
3. Organizational Stabilization
4. Institutional Learning
5. High Reliability
© Maxcomm, Inc.
Survival Stage: Key Challenge & Characteristics
Key Challenge: Surviving multiple failures
Characteristics: (1) unstable, dirty process with little opportunity for anomaly spotting and/or containment, (2) little to no capability for early error detection, (3) limited recognition that the organization has crossed the boundary into unknowable complexity; an engineering mindset may still pervade and (4) culture of fear, bewilderment and low confidence
© Maxcomm, Inc.
Containment Stage: Key Challenge & Characteristics
Key Challenge: Building containment processes & avoiding a catastrophic event
Characteristics: (1) focus on current critical incidents, (2) HRO infrastructure, processes, roles and governance in very early foundational stages, (3) frightening discoveries in regards to lack of stable foundational processes and (4) culture of both firefighting heroics and sleepy complacency
© Maxcomm, Inc.
Organizational Stabilization Stage: Key Challenge & Characteristics
Key Challenge: Building a robust foundation of solid repeatable processes
Characteristics: (1) focus on building out HRO infrastructure, processes, roles and governance, (2) organization becoming increasingly mindful, both anticipating failure events and containing them, (3) widespread acknowledgement of the organization's mission to become an HRO and (4) cultural confidence growing as organizational foundation improves
© Maxcomm, Inc.
Institutional Learning Stage: Key Challenge & Characteristics
Key Challenge: Building enduring organizational knowledge from incidents & near misses
Characteristics: (1) focus on learning capture and rapid dissemination of new knowledge, (2) organization has leveraged knowledge into greater mindfulness and resilience, (3) time between failure events is increasing and (4) culture connected, confident and growing in knowledge and capability
© Maxcomm, Inc.
High Reliability Stage: Key Challenge & Characteristics
Key Challenge: Remaining ever mindful and ever vigilant as time between failure events stretches
Characteristics: (1) focus is on maintaining and improving all aspects of high reliability, (2) mindfulness pervades the organization, (3) time between failure events is significant, (4) use of increasingly complex and sophisticated simulations to model failure and the unexpected, (5) learning now from merely "interesting" events and (6) the "brand" is synonymous with high reliability
© Maxcomm, Inc.
Conclusion
- HIPAA compliance does not preclude breaches of privacy
- Breaches are likely; plan for them
- Become a Highly Reliable Organization
- Develop Resiliency
Safeguarding Electronic Health Data: Achieving Security and Privacy Through Policy and Technology
Mike Davis, Veterans Administration
MEDINFO 2007 S114 Panel: Information Security in an E-Health World: Policies and Technologies
Agenda
Electronic Health Record security policy and technologies in light of recent Federal experiences.
- Policy and Technology Implications/Drivers
- Cautions - Katrina and Identity Theft
- Advanced Architecture Requirements
Global Technology Trends
- Complexity – Managing authentication/authorization for multiple different systems, protocols and implementations
- Scalability – Managing hundreds of systems and tens of thousands of users, millions of patients/members
- Adaptability – New laws, policies and practices not originally planned for, new technologies. Need for future-proof technologies.
- Interoperability – Open, secure data exchange within/across enterprises. Logical and semantic interoperability with business partners.
- Assurability – Certification, testing and maintaining assurance of security function over the system life-cycle
Legal and Social Issues
- Rise of universal access to information (authn/authz). How do we extend trust across organizations? What are the liabilities?
- Common credentials for Feds but no standard for citizens. What are the tradeoffs of privacy vs security?
- What are the privacy rights of clinicians? Do clinicians have rights?
- We are seeing a convergence of Security and Privacy enforcement in electronic environments. Solution or train wreck?
- At what point do patient safety concerns trump security/privacy?
(Figure labels: HIPAA, Sarbanes-Oxley, HSPD-12, E-Gov)
American Health Information Community
1. Secure Communications Channel
2. Collect and Communicate Secure Audit Trail
3. Privacy Consents
4. Verify Privacy Consents
5. Manage Identity Credentials
6. Document Integrity
7. Manage and Control Data Access
8. Non-repudiation
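The audit-trail, document-integrity and non-repudiation items in the list above are named on the slide but not illustrated. The following Python block is an added example, not code from the panel, the VA or AHIC: it builds a hash-chained audit log in which each entry commits to the previous entry's digest and carries an HMAC under a log-server key, then shows that modifying a record, deleting a middle entry, or appending an entry without the key all break verification at the affected index. The record fields, the key name and value, the site names and the patient identifiers are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

GENESIS = "0" * 64  # prev-hash value carried by the first entry

# Hypothetical log-server key for the example only; a real deployment keeps it in an HSM/KMS.
DEMO_KEY = b"demo-audit-log-key-not-for-production"


def canonical(record: Dict) -> str:
    """Serialise a record deterministically so its digest is reproducible."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def entry_hash(prev_hash: str, record: Dict) -> str:
    """Digest binding this record to the previous entry (the chain link)."""
    return hashlib.sha256((prev_hash + canonical(record)).encode()).hexdigest()


def entry_mac(key: bytes, digest: str) -> str:
    """Authenticate the chain digest with the log server's key."""
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()


def append_entry(log: List[Dict], record: Dict, key: bytes) -> Dict:
    """Append a record, linking it to the current tail and tagging it."""
    prev = log[-1]["hash"] if log else GENESIS
    digest = entry_hash(prev, record)
    entry = {"record": record, "prev": prev, "hash": digest, "mac": entry_mac(key, digest)}
    log.append(entry)
    return entry


def verify_log(log: List[Dict], key: bytes) -> Tuple[bool, int]:
    """Return (ok, index): index is len(log) on success, else the first bad entry."""
    expected_prev = GENESIS
    for i, e in enumerate(log):
        if e["prev"] != expected_prev:
            return False, i  # an earlier entry was removed or reordered
        if entry_hash(e["prev"], e["record"]) != e["hash"]:
            return False, i  # record contents changed after logging
        if not hmac.compare_digest(entry_mac(key, e["hash"]), e["mac"]):
            return False, i  # entry forged or re-hashed without the key
        expected_prev = e["hash"]
    return True, len(log)


def build_sample_log(key: bytes = DEMO_KEY) -> List[Dict]:
    """Constructed sample of three EHR access events; identifiers are fictitious."""
    events = [
        {"ts": "2005-09-01T10:15:00Z", "actor": "dr.smith", "action": "read",
         "object": "patient/123456/progress-note", "site": "VAMC-Houston"},
        {"ts": "2005-09-01T10:17:30Z", "actor": "dr.smith", "action": "read",
         "object": "patient/123456/medications", "site": "VAMC-Houston"},
        {"ts": "2005-09-01T11:02:11Z", "actor": "nurse.lee", "action": "update",
         "object": "patient/123456/problem-list", "site": "VAMC-Houston"},
    ]
    log: List[Dict] = []
    for ev in events:
        append_entry(log, ev, key)
    return log


def tamper_and_verify(key: bytes = DEMO_KEY) -> Dict[str, Tuple[bool, int]]:
    """Exercise the failure modes the verifier is meant to catch."""
    results = {"intact": verify_log(build_sample_log(key), key)}

    modified = build_sample_log(key)
    modified[1]["record"]["actor"] = "someone.else"  # rewrite who accessed the chart
    results["modified"] = verify_log(modified, key)

    deleted = build_sample_log(key)
    del deleted[1]  # drop a middle entry to hide an access
    results["deleted"] = verify_log(deleted, key)

    forged = build_sample_log(key)
    append_entry(forged, {"ts": "2005-09-01T12:00:00Z", "actor": "attacker",
                          "action": "read", "object": "patient/999999/notes",
                          "site": "unknown"}, b"wrong-key")  # appended without the log key
    results["forged"] = verify_log(forged, key)
    return results


if __name__ == "__main__":
    for name, (ok, idx) in tamper_and_verify().items():
        print(f"{name:9s} ok={ok} index={idx}")
```

Two caveats a practitioner would add. Deleting the newest entries is not caught by the chain alone, so the current tail hash (or entry count) must be anchored outside the log, for example by publishing it to a separate system or timestamping it periodically. And an HMAC proves only that a holder of the log-server key produced the entry, which is integrity and origin authentication among trusted parties; the non-repudiation item on the AHIC list needs a per-actor asymmetric signature over the same digest so that a clinician cannot later deny an access.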
Emerging Technology Example: HC DRM
- VA is implementing DRM to protect MS Exchange messages (internally)
- Clinical use cases/requirements currently limited to confidentiality
- Potential for patients to use DRM to enforce read-only access to a PHR. For example, in the Trustee Model, personal EHR data is read-only protected once it leaves the control of the patient.
Digital Rights Management (Content Management) is the technology used by the music industry to protect IPR.
Hurricane Katrina
- Hurricane Katrina reaches landfall Monday August 29, 2005.
- Power and communications lost to Jackson, Biloxi, and New Orleans VAMCs.
- Generators provide emergency power.
- Patient records inaccessible from remote facilities where displaced patients are treated.
- VA team set up to restore full access to impacted sites.
(Map: Landfall August 29, 2005)
Health care support during disasters is missing from the list of EHR benefits...
New Orleans VAMC - Before (photo)
New Orleans VAMC - After (photo)
Gulfport VAMC - Before (photo)
Gulfport VAMC - After (photo)
Katrina VA EHR Performance

Data Type                               Requests   Percentage of Total Requests
Text-based reports, other                  13478      22.67
Progress note text                         11672      19.63
Text-based notes catalog                   10417      17.52
Medications: Inpatient                      7659      12.88
Medications: Outpatient                     4809       8.09
Patients’ medical problem list              1880       3.16
Doctors’ orders                             1499       2.52
Lab results: chemistry & hematology         1283       2.16
Discharge summary                           1128       1.90
Radiology reports                           1088       1.83

http://www.ajph.org/cgi/content/abstract/97/Supplement_1/S136
• VA’s single organizational structure, trained staff, and EHR system permitted responses to be well underway by 31 Aug, 2005.
• By Sept 30, 2005, clinical data were accessed electronically for at least 38% (14,941 of 39,910) of patients cared for prior to Hurricane Katrina by New Orleans VA medical facilities.
• Approximately 1000 patients per day (2/3 of pre-Katrina values) had data accessed during the month following Hurricane Katrina.
• Health care data were transmitted to more than 200 sites in 48 states and to at least 2300 users.
Lessons Learned
1. When “displaced” persons seek medical care, it is usually in the absence of their medical charts.
2. More complete EHRs are needed, but secure data sharing among different EHRs is also important.
3. Satellite network access for data communication is a critical option.
4. Reviews of privacy regulations are needed to enable protective yet flexible “break-the-glass” access that allows timely disaster responses outside of normal operations.
5. Pharmacy and laboratory computerization alone, although among the most commonly available, will not be sufficient for future disaster support systems.
6. Requests for text-based data were significantly greater than for medications and lab results.
While VA recovered from Katrina, another storm was brewing…
Identity Theft Disaster
May 2006: Theft of a VA employee’s hard drive left in its wake the loss of personal information on at least 26.8 million veterans, active military, and dependents… characterized as the largest data breach ever in the Government. Policies in place did NOT:
• Prohibit removal of protected information from the worksite, or storing protected information on a personally owned computer.
• Provide safeguards for electronic data stored on portable media.
June 2006: OMB (M-06-16) issued a memorandum requiring Federal Departments and Agencies to:
• Encrypt all data on mobile computers/devices which carry agency data.
• Allow remote access only with two-factor authentication.
August 2006: VA encrypted all laptops (22K).
April 2007: VA required encryption on all “thumbdrives” and prohibited use of most other USB storage devices.
Rise of Identity Theft
2004: The Payment Card Industry (PCI) Data Security Standard provides basic security. Many older systems remain vulnerable despite the guideline. It requires encryption over public networks but not at rest.
Mid 2005: Card processor CardSystems Solutions had its IT systems hacked to the tune of more than 40 million consumer records.
2006 - 2007: TJX Companies suffered a long-term hacker breach and information related to more than 45 million credit cards was accessed by unauthorized parties. Assuming most of those adults had some form of available credit, this breach alone compromised a quarter of the U.S. population’s cards.
April 2007: For more than a decade, the Census Bureau posted on a public Web site 63,000 Social Security numbers of people who received financial aid. The apparent violation of Federal privacy law prompted concerns about identity theft.
Distributed Services Framework
(Diagram: IAM within the distributed services framework.)
Enterprise Solutions: IAM Infrastructures
• Identity and Access Management provides enterprise-wide service-oriented architecture solutions for user authentication, authorization and audit, including directories, single sign-on, and identity and access provisioning.
• Part of a service-oriented security architecture
  • Provides common security infrastructure for identity and access management
  • Allows for sharing of security information
  • “Decouples” security mechanisms formerly tightly integrated with specific applications.
• Components:
  • Authentication component
  • Authorization/access control component
  • Provisioning component (e.g., Role assignment)
  • Cross-cutting audit
Role-based Access Control
Health Level 7 balloted the first-ever world-wide role-based access control permission definitions (Jan 2006).
• HL7 RBAC Permission Vocabulary, HL7 Security Technical Committee, Jan 2006
• DSTU included 224 possible Permissions based upon 56 defined objects
• HL7 permission vocabulary successfully balloted (May 2007) but will be re-balloted for consensus
(Diagram, adapted from ANSI INCITS 359-2004: authenticated Users -> (UA) User Assignment -> Functional/Basic Roles -> (PA) Permission Assignment -> PERM = Permissions, where each permission is an OPS (operation) on an OBJ (object); an authenticated Session = Workflow. Example: userid=SmithJ -> Physician -> Permissions.)
http://www.va.gov/rbac
How It All Fits Together
ROLE = Physician
PERMISSION = Write Medication Order
BUSINESS RULE = 1st year Oncology Residents need Orders co-signed by Attending Physician
PRIVACY RULE = Dr. Smith may see my record
CONSTRAINTS = Express further restrictions based upon separation of duties, cardinality, time, location, etc.
Inheritance: Dr. Joe Smith is an Oncologist
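The RBAC model and the "How It All Fits Together" layers above, as an added Python example that is not part of the panel's slides or the VA RBAC work: a core RBAC engine in the ANSI INCITS 359-2004 shape (UA, PA, role inheritance, sessions) with the slide's privacy rule, business rule and a separation-of-duties constraint stacked on top. The userid SmithJ, the Physician/Oncologist roles and the Write Medication Order permission come from the slides; the users LeeR and NurseK, the Resident and Nurse roles, the patient identifiers and the consent list are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Rbac:
    """Core RBAC relations in the shape of the ANSI INCITS 359-2004 model the slide
    adapts: UA (User Assignment), PA (Permission Assignment), inheritance, sessions."""
    ua: dict = field(default_factory=dict)        # UA: user -> assigned roles
    pa: dict = field(default_factory=dict)        # PA: role -> set of (OPS, OBJ) permissions
    parents: dict = field(default_factory=dict)   # role -> roles it inherits from
    sessions: dict = field(default_factory=dict)  # Session = Workflow: sid -> (user, active roles)

    def add_role(self, role: str, inherits: tuple = ()) -> None:
        self.pa.setdefault(role, set())
        self.parents[role] = set(inherits)

    def assign_user(self, user: str, role: str) -> None:
        self.ua.setdefault(user, set()).add(role)

    def grant(self, role: str, op: str, obj: str) -> None:
        self.pa.setdefault(role, set()).add((op, obj))

    def authorized_roles(self, role: str) -> set:
        """The role plus everything it inherits (the 'Inheritance' arrow on the slide)."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.parents.get(r, ()))
        return seen

    def create_session(self, sid: str, user: str, activate: set) -> None:
        """A session may only activate roles the user is actually assigned through UA."""
        missing = set(activate) - self.ua.get(user, set())
        if missing:
            raise PermissionError(f"{user} is not assigned {sorted(missing)}")
        self.sessions[sid] = (user, set(activate))

    def check_access(self, sid: str, op: str, obj: str) -> bool:
        """True if some active role, directly or by inheritance, holds PERM=(op, obj)."""
        _user, active = self.sessions[sid]
        effective = set().union(*(self.authorized_roles(r) for r in active))
        return any((op, obj) in self.pa.get(r, ()) for r in effective)


@dataclass
class Order:
    """A 'Write Medication Order' request made in one session for one patient."""
    session: str
    patient: str
    cosigner: str = ""  # attending physician who co-signs, if any


@dataclass
class ClinicalPolicy:
    """The layers of the 'How It All Fits Together' slide, stacked on the RBAC core."""
    rbac: Rbac
    consent: dict               # PRIVACY RULE: patient -> users who may see the record
    first_year_residents: set   # BUSINESS RULE applies to these users
    attendings: set             # users allowed to co-sign

    def decide_write_medication_order(self, order: Order) -> tuple:
        user, _active = self.rbac.sessions[order.session]
        # 1. ROLE + PERMISSION: some active role must hold Write / Medication Order
        if not self.rbac.check_access(order.session, "Write", "Medication Order"):
            return False, f"{user}: no active role holds Write/Medication Order"
        # 2. PRIVACY RULE: "Dr. Smith may see my record", expressed as patient consent
        if user not in self.consent.get(order.patient, set()):
            return False, f"{order.patient} has not consented to access by {user}"
        # 3. BUSINESS RULE: 1st-year residents need an attending's co-signature
        if user in self.first_year_residents:
            if not order.cosigner:
                return False, "resident order requires attending co-signature"
            # 4. CONSTRAINT (separation of duties): nobody may co-sign their own order
            if order.cosigner == user:
                return False, "separation of duties: author cannot co-sign own order"
            if order.cosigner not in self.attendings:
                return False, f"co-signer {order.cosigner} is not an attending physician"
        return True, "permitted"


def build_demo() -> ClinicalPolicy:
    """Constructed scenario: SmithJ is an Oncologist (inherits Physician); LeeR and NurseK are made up."""
    rbac = Rbac()
    rbac.add_role("Physician")
    rbac.add_role("Oncologist", inherits=("Physician",))
    rbac.add_role("Resident", inherits=("Physician",))
    rbac.add_role("Nurse")
    rbac.grant("Physician", "Write", "Medication Order")
    rbac.assign_user("SmithJ", "Oncologist")
    rbac.assign_user("LeeR", "Resident")
    rbac.assign_user("NurseK", "Nurse")
    rbac.create_session("s-smith", "SmithJ", {"Oncologist"})
    rbac.create_session("s-lee", "LeeR", {"Resident"})
    rbac.create_session("s-nurse", "NurseK", {"Nurse"})
    consent = {"patient-001": {"SmithJ", "LeeR"}, "patient-002": {"LeeR"}}
    return ClinicalPolicy(rbac, consent, first_year_residents={"LeeR"}, attendings={"SmithJ"})
```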
General Security Service Framework
Consuming systems: PACS; LOB Systems/Applications; Operating Systems; Systems/Applications (HR, etc.); Portals and Self Service.
Security services:
• Access Management: identification, authentication and enterprise SSO; authorization and access control; Federated Identity Management (FIM)
• Identity Administration: identity proofing; user and group management; credential management; self-service
• Identity Provisioning: integrated user provisioning; cross-enterprise provisioning
• Directory Services: LDAP, meta and virtual directories
• Auditing and Reporting (cross-cutting)
Future IdM/IAM Framework
(Diagram of components: Enterprise Data; Security Services: Authorization, Authentication, Directory Services, Provisioning; Identity Services: Identity Correlation, Identity Administration, Identity Enumeration, Identity Synchronization, Audit; Business Services: LOB Data, LOB Data Services, Applications, Portal; Personal Identity Verification (PIV).)
Summary
• EHRs provide the means to implement interoperable HIT infrastructures, including support during disasters, but carry increased risk of massive data loss.
• Future-proof architectures implementing service-oriented approaches provide flexibility, adaptability and interoperability by separating security from application business functions.
• Greater security and privacy integration will be needed to meet healthcare business and policy requirements.

Security Services – Key Concepts, Policy and Technology Implications
Bernd Blobel, PhD, Associate Professor
Head, German National eHealth Competence Center (eHCC)
University of Regensburg Medical Center
Regensburg, Germany
The eHealth Challenge
• To meet the challenges of high-quality and efficient health systems that all developed, and increasingly also developing, countries face, the following paradigm changes are inevitable:
  • Turning health systems towards customisable, comprehensive and completely integrated care in close relation to efficient public health.
  • The current development from organisation-centred to process-oriented care has to continue towards personalised care (body map area, patient monitoring), with emphasis on prevention and home care.
  • Such development must be supported by appropriate, trustworthy ICT to support health telematics and telemedicine – summarized as eHealth.
Aspects of Protection and Security (after C. Laske)
Security and Protection covers:
• Security of personal data (data protection)
• Protection of the data subject
• Protection of privacy
• Protection of the user
• Patient safety ...
Legal framework
• Council of Europe: Strasbourg Convention 108 (1981)
• European Union: Directive 95/46/EC
  • national legislation following 95/46/EC
  • specific provisions for HC
• HIPAA
• details filled in by standardisation (“new approach” in EU)
Standards Classification Health Informatics Security (1/2)
• Architecture standards
  • HL7 versions 2.x/3, CORBA, MDA, HISA
• Modelling standards
  • UML, CEN 15300: “CEN Report: Framework for formal modelling of healthcare security policies”
• Communication standards
  • CEN 13608: “Security for healthcare communication”, CEN 13606: “Electronic healthcare record communication”
• Infrastructure standards
  • ISO 17090: “Public key infrastructure”, ETSI TS 101733: “Electronic Signature Formats”
Standards Classification Health Informatics Security (2/2)
• Privacy standards
  • ASTM E1987-98: “Standard guide for individual rights regarding health information”, CEN 13729: “Secure user identification - Strong authentication using microprocessor cards”; ISO/IEC PDTS Pseudonymisation Practices for the Protection of Personal Health Information and Health Related Services
• Safety standards
  • CEN 13694: “CEN Report: Safety and security related software quality standards for healthcare”; ISO/DTS 25238 Classification of Safety Risks
• Terminology and ontology standards
  • UMLS, SNOMED
• Identifier and identification schemes
  • LOINC, ASTM E1714-00: “Standard guide for properties of a Universal Healthcare Identifier”
Responsibilities
• Government: legal and ethical framework
  • Base: EU directive 95/46/EC
  • National privacy legislation and supporting laws
  • Statements by HC Inspectorate
• Professional bodies: active participation in standardisation work
• Management: organisational culture, definition of responsibilities, clear statements about policy
• All users: awareness for quality, safety and security
Fair Information Principles (after E.-H. Kluge)
• Openness, publicity
• Limitation of data collection
• Limitation of information disclosure
• Limitation of information use
• Security
• Access control
Ethical Principles (after E.-H. Kluge)
• Autonomy and respect of person
• Exclusion of impossibility for realising the right
• Exclusion of relevant differences between right and realisation (praxis)
• Obligation for best action
• Assurance of range of priority (logic, natural, voluntary)
• Assurance of equality and legality
Common TTP policy
• Based on the Electronic signature directive → Legal coherence with European rules → Legal coherence with national rules, i.e. legal interoperability
• Based on the EESSI electronic signature standard → Technical coherence with European (international) standards → Technical coherence with standards, i.e. technical interoperability
TTP functions and requirements
• Basic services: services directly related to the secure communication between two users
• Infrastructural services: services which facilitate secure communications on a large scale involving mutually distrustful users
• Value added services: services related to the business value or security of document or message exchange, given by agreements or by regulations
TTP functions shown in the diagram: identification & authentication, integrity, confidentiality, non-repudiation, security logging, access control, directories, certificate handling, card issuing, naming, key management, registration, professional registration, anonymisation, time stamping.
(Diagram: Entity of users – special user classes, temporary user teams, responsible caring doctor – ordered along the axes “Number of Users” and “Individuality, Responsibility”. Entity of medical information – anonymised information, identified general information, visit-related information – ordered along the axes “Amount of Information” and “Detail, Speciality, Sensitivity”.)
Security Policy
• Security policy is a complex of legal, organisational, functional, medical, social, ethical and technical aspects, which must be considered in the context of data protection and data security.
• Security policy defines the framework, rights and duties of the principals involved, but also the consequences and penalties in case the rules laid down are disregarded.
Access Control for System to System Communication
(Diagram: Security Domain 1 holds System 1 with application A1, database DB1, Access Control Service 1 and a Role Assigner; Security Domain 2 holds System 2 with application A2, database DB2 and Access Control Service 2. Each domain has its own Authority Assignment, so “Role A according to Assigner 1” and “Role A according to Assigner 2” are distinct definitions. A Policy Agreement between the domains and a Directory Service relate identities (ID) and roles across the boundary, so that a Request for Information from one system results in Granted Information from the other.)
(Diagram: layers of security concepts, services, mechanisms, algorithms and data. Concepts: communication security, application security, safety, quality. Services: identification, authentication, authorisation, access control, confidentiality, integrity, non-repudiation, accountability, availability, audit, notary’s functions, accuracy. Mechanisms: digital signature, encryption, key escrowing / key recovery, hashing, multiple components, fire protection, ... Algorithms: DES, IDEA, RSA, DSA, El Gamal, SHA-1, MD5. Data: data, keys, certificates. Callout: “This is the critical part of the game”.)
Ubiquitous Care Technology Paradigms
(Diagram: Pervasive Computing – location-independent service provision; Mobile Computing – accessibility, tele-consultation; Autonomic Computing – self-organisation of health information systems; Ubiquitous Computing; Telematics, Telemedicine.)
System Requirements
• Openness
• Flexibility
• Scalability
• Portability
• User acceptance
• Service orientation
• Distribution at Internet level
• Lawfulness
• Based on standards
• Service-oriented interoperability
• Appropriate security and privacy services
→ Model-driven approach
The Generic Component Model
(Diagram: the viewpoints Enterprise View, Information View, Computational View, Engineering View and Technology View, set against the layers Business Concepts, Relations Network, Basic Services/Functions and Basic Concepts, repeated for Domain 1, Domain 2 ... Domain n; the Component View runs along the component decomposition axis.)
Architecture Paradigms for Future-Proof Health Information Systems
• Distribution
• Component-orientation (flexibility, scalability)
• Separation of platform-independent and platform-specific modelling
• Separation of logical and technological views (portability)
• Specification of reference and domain models at meta-level
• Interoperability at service level (concepts, contexts, knowledge)
• Appropriate data protection and data security measures
Basics
• Two basic class types must be dealt with:
  • Entities
    • Policies
    • Roles
    • Principals
    • Documents
  • Acts
    • Policy management
    • Principal management
    • Privilege management
    • Authentication
    • Authorisation
    • Access control management
    • Audit
Actors
• Principals, e.g.,
  • Person
  • Organisation
  • System
  • Device
  • Application
  • Component
  • Object
(Use case diagram: actors System Administrator, User, Patient, TTP and Policy Council; use cases Audit, Patient Consent, Information Access, Authentication, Information, Legal & Ethical Framework, Access Control, Privileges, Access Control Rules, Policy.)
Policy model (class diagram; attribute : data type):
Policy: policy_identifier : II; policy_name : CS; policy_authority_ID : OID; policy_authority_name : ST; policy_domain_identifier : OID; policy_domain_name : EN; policy_target_list : LIST<INT>
AuthorisationPolicy
ObligationPolicy: event : CV; exception : Exception
RefrainPolicy: action : CE
DelegationPolicy: grantee : OID; accessRights : CE
Auth+: action : CE
Auth-: action : CE
Deleg+, Deleg-
MetaPolicy: meta_expression; raised_action : CE
BasicPolicy: policy_subject_ID : OID; policy_subject_name : ST; target_identifier : II; target_name : EN; target_object : II; operation_code : CE; permission_policy : CD; constraint : OCL
CompositePolicy: event : CV; policy : CD; mpolicy : CD; policy_group : II; constraint : OCL
Group: group_identifier : II; group_name : CS; group_description : CD
ManagementStructure: roles : Role; rels : Rel; mstructs : Mstruct
Relationship: roles : Role
Role: subjectDomain : OID; role_identifier : II; role_name : CS; role_description : CD
Control Model
[Figure: a Claimant requests service from a Target; a Verifier authorises the request; the ControlPolicy defines the conditions and EnvironmentVariables influence the conditions]
Delegation Model
[Figure: a SourceOfAuthority assigns privileges and delegates privileges; the Claimant asserts privileges to the Verifier; the Verifier trusts the SourceOfAuthority unconditionally]
Roles
• For managing role-relationships between the entities, organisational and functional roles can be defined.
• Organisational roles specify relations between entities in the sense of competence (RIM roles), often reflecting organisational or structural relations (hierarchies).
• Functional roles are bound to an act. Functional roles can be assigned to be performed during an act. They correspond to the RIM participation.
<security_role>
  <role_name/>
  <role_ID/>
  <role_authority/>
  <role_authority/>
  <role_description>
    …
  </role_description>
</security_role>
Structural Role (ISO TS 17090)
• Regulated Health Professional
• Non Regulated Health Professional
• Sponsored Health Care Provider
• Supporting Organisation Employee
• Patient / Consumer
"Functional Roles" Established in the EN/ISO 13606 EHR Communication
• Subject of care (normally the patient)
• Subject of care agent (parent, guardian, carer, or other legal representative)
• Responsible (personal) healthcare professional (the healthcare professional with the closest relationship to the patient, often his GP)
• Privileged healthcare professional
  • nominated by the subject of care
  • nominated by the healthcare facility of care (there is a nomination by regulation, practice, etc.)
• Healthcare professional (involved in providing direct care to the patient)
• Health-related professional (indirectly involved in patient care, teaching, research, etc.)
• Administrator (and any other parties supporting service provision to the patient)
Policy-Driven, Role-Based Access Control
[Figure: class diagram with Principal, SR_Policy, Structural_Role, Role_Hierarchy, FR_Policy, Functional_Role, User_Assignment, Process_Policy, Session, User_Session, Session_Role, Target_Policy, Target_Component and Permission_Assignment, with their multiplicities (1, 1..*, 0..*)]
Interrelations of the Models and Documents Used and Produced in the Role Engineering Process (after Neumann & Strembeck)
[Figure: the Generic Component Model: the Enterprise View, Information View, Computational View, Engineering View and Technology View, against the component decomposition (granularity) axis Business Concepts, Relations Network, Basic Services/Functions and Basic Concepts, with the role-engineering artefacts Workflow, Scenario, Transaction and Step]
Comparing the Generic Component Model and the VA Role Engineering Process
[Figure: the component decomposition (granularity) levels Business Concepts, Relations Network, Basic Services/Functions and Basic Concepts set against Structural Roles, Functional Roles and Role Assignment]
Important eHealth Components (logical view)
[Figure: Policy Services, Client Services, Application Services, Audit Services, PMI, EHR Systems, Directory Services, ID CA Services, ACA Services, PKI, Terminology Services and Knowledge Services, with a sample German electronic health card (Gesundheitskarte) showing name lines, the health insurer's name, the insurer number and the insured-person number]
Security, Privacy and Safety Challenge in Health
• Security services in health are policy driven in the broad interpretation of policy as any legal, social, ethical, psychological, organisational, functional and technical implication affecting trustworthy deployment of health-related applications.
• Moving towards advanced care paradigms such as personal care, the actors involved in the business cover the entire set of principals defined at OMG/CORBA, such as persons, organisations, systems, devices, applications, components and even single objects. All those actors have to meet the aforementioned policy challenges.
Conclusions
• As a conclusion from the presented scenarios and the mechanisms needed to run them, different management services are needed: principal management including user management, organisation management, device management, etc., which are combined with registry and directory services, but also role management, privilege management, policy management, etc.
Security and Privacy Technology Enablers for Healthcare Systems
Tyrone Grandison PhD, IBM Healthcare Center of Excellence
Almaden Research Center, San Jose, California
MEDINFO 2007, S114 Panel: Information Security in an E-Health World: Policies and Technologies
Introduction
• Caveat
  • As medical information moves to electronic platforms, policy and social education programs must be augmented by appropriate, corresponding technology.¹
• Objectives
  • Define the addressable.
  • Define the current major problems.
  • Outline technological solutions to each of these problems.
¹ Christopher Johnson, Rakesh Agrawal, "Intersections of Law and Technology in Balancing Privacy Rights with Free Information Flow", Proceedings of the Fourth IASTED International Conference on Law and Technology, Cambridge, Massachusetts, USA, October 2006.
Scope of Current Technical Enablers
• The Problem Space
  • Tightly Coupled Complex Systems
  • Each Siloed System has its own Protection Mechanisms
  • Conflicting Priorities and Policies
  • New (and changing) Technology
• Solution Requirements
  • Reduce the complexity and workload in integrating and deploying systems, i.e. allow systems to worry about their core function and leverage security and privacy controls in the data system.
  • Do not impact the performance/efficiency of the currently running system.
  • Enable the current (clinical) workflow and do not require it to change.
Current Major Problems
• Policy-based Private Data Management
  • How does one enforce data disclosure policies and patient preferences?
  • How does one enable privacy-preserving data mining?
• Secure Information Exchange
  • How does one selectively share the minimum amount of data necessary for a task?
  • How does one de-identify data for information exchange?
• Efficient Data Access Tracking
  • How do you efficiently track access and disclosure?
  • How do you protect data sent to outsourced agents?
Technology Solutions
• Policy-based Private Data Management
  • Active Enforcement
  • Privacy-Preserving Data Mining
• Secure Information Exchange
  • Sovereign Information Sharing
  • Optimal k-anonymization (de-identification)
• Efficient Data Access Tracking
  • Compliance Auditing
  • Database Watermarking
Hippocratic Database Active Enforcement
[Figure: Policy Creation feeds a Policy Parser whose Installation produces the Installed Policy; Subject Preferences & Data Collection pass through Negotiation (Subject Preferences & Policy Matching) together with the Personal Data; the Application's Data Retrieval goes through the Enforcement HDB Driver in front of the DATABASE]
• Privacy Policy: Organizations define a set of policies describing who may access data (users or roles), for what purposes data may be accessed (purposes) and to whom data may be disclosed (recipients).
• Consent: Data subjects are given control, through opt-in and opt-out choices, over who may see their data and under what circumstances.
• Active Enforcement: Intercepts and rewrites incoming queries to comply with policies, subject choices, and context.
• Efficiency: Rewritten queries benefit from all of the optimizations and performance enhancements provided by the underlying engine (e.g. parallelism).
• Advantages:
  • Cell-level access and disclosure control.
  • Application modification not required.
  • Database agnostic; does not require changes to the database engine.
Example result table (one cell withheld):
  #  Name    Age  Phone
  1  Adam    25   (111) 111-1111
  3  Bob     33   (333) 333-3333
  4  Daniel  40   -
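Cell-level query rewriting in the style of the active enforcement described above, as an added example in Python on an in-memory SQLite database; this is not the Hippocratic Database's own driver code, and the patient rows (after the slide's table), the policy table and the consent choices are constructed.

```python
import sqlite3

COLUMNS = ("name", "age", "phone")   # whitelist: only these names are ever interpolated into SQL

def open_db():
    """Patient table plus the policy and consent tables the enforcement driver consults."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
    CREATE TABLE patient(id INTEGER PRIMARY KEY, name TEXT, age INTEGER, phone TEXT);
    -- policy: (user role, purpose, recipient) triples allowed to see a column
    CREATE TABLE policy(role TEXT, purpose TEXT, recipient TEXT, col TEXT);
    -- choice: a subject's opt-out of a column for a purpose (opt_in = 0)
    CREATE TABLE choice(patient_id INTEGER, purpose TEXT, col TEXT, opt_in INTEGER);
    INSERT INTO patient VALUES (1,'Adam',25,'(111) 111-1111'),
                               (3,'Bob',33,'(333) 333-3333'),
                               (4,'Daniel',40,'(444) 444-4444');
    INSERT INTO policy VALUES ('clinician','treatment','internal','name'),
                              ('clinician','treatment','internal','age'),
                              ('clinician','treatment','internal','phone'),
                              ('analyst','research','internal','age');
    INSERT INTO choice VALUES (4,'treatment','phone',0);  -- Daniel opted out of phone disclosure
    """)
    return db

def rewrite(cols, role, purpose, recipient):
    """Rewrite SELECT <cols> FROM patient so that every cell the policy or the
    subject's own choice forbids comes back as NULL. A missing choice counts as
    allowed (opt-out model); the policy is consulted per column."""
    exprs, params = [], []
    for col in cols:
        if col not in COLUMNS:
            raise ValueError(f"unknown column {col!r}")
        exprs.append(
            "CASE WHEN EXISTS (SELECT 1 FROM policy po WHERE po.role = ? AND po.purpose = ? "
            "AND po.recipient = ? AND po.col = ?) "
            "AND NOT EXISTS (SELECT 1 FROM choice c WHERE c.patient_id = p.id "
            "AND c.purpose = ? AND c.col = ? AND c.opt_in = 0) "
            f"THEN p.{col} ELSE NULL END AS {col}")
        params += [role, purpose, recipient, col, purpose, col]
    return "SELECT " + ", ".join(exprs) + " FROM patient p ORDER BY p.id", params

def run(db, cols, role, purpose, recipient):
    """What the driver hands back to the unmodified application."""
    sql, params = rewrite(cols, role, purpose, recipient)
    return db.execute(sql, params).fetchall()

if __name__ == "__main__":
    db = open_db()
    print(run(db, COLUMNS, "clinician", "treatment", "internal"))  # Daniel's phone is None
    print(run(db, COLUMNS, "analyst", "research", "internal"))     # only ages survive
```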
Privacy-Preserving Data Mining
[Figure: each subject's values (Alice's age and income, Bob's age) pass through a Randomizer before collection, e.g. an age of 30 becomes 30+35; the collector reconstructs the distribution of age and the distribution of income and feeds them to the Data Mining Algorithms to build the Data Mining Model. Plots: original, randomized and reconstructed age distribution over ages 2-82; original, randomized and reconstructed results across randomization levels 10-200]
• Preserves privacy at the individual level, but allows accurate data mining models to be constructed at the aggregate level.
• Adds random noise to individual values to protect data subject privacy.
• EM algorithm estimates the original distribution of values given the randomized values and the randomization function.
• Algorithms for building classification models and discovering association rules on top of privacy-preserved data with only a small loss of accuracy.
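The randomization and EM reconstruction the slide describes, as an added Python example that is not the panel's or IBM's code: subjects add uniform noise to their age, and the collector recovers the age histogram from the noisy values alone. The ages, the noise width and the bin layout are constructed for the demo.

```python
import random

BINS = [(lo, lo + 10) for lo in range(0, 100, 10)]   # age histogram bins [lo, hi)
R = 15.0                                               # noise is uniform on [-R, R]

def randomize(values, rng):
    """Client side: each subject adds independent U[-R, R] noise before sending."""
    return [v + rng.uniform(-R, R) for v in values]

def histogram(values):
    """Fraction of values per bin (values outside [0, 100) go to the edge bins)."""
    counts = [0] * len(BINS)
    for v in values:
        counts[min(max(int(v // 10), 0), len(BINS) - 1)] += 1
    return [c / len(values) for c in counts]

def likelihood(w, lo, hi):
    """P(observed w | true value uniform in [lo, hi)): the overlap of the noise
    window [w - R, w + R] with the bin, normalised by window and bin width."""
    overlap = max(0.0, min(hi, w + R) - max(lo, w - R))
    return overlap / (2 * R * (hi - lo))

def reconstruct(noisy, iters=100):
    """Server side EM: f(a) <- 1/n * sum_i P(w_i|a) f(a) / sum_a' P(w_i|a') f(a').
    Only the noisy values and the known noise function are used."""
    f = [1.0 / len(BINS)] * len(BINS)          # uniform starting estimate
    for _ in range(iters):
        acc = [0.0] * len(BINS)
        for w in noisy:
            post = [f[a] * likelihood(w, lo, hi) for a, (lo, hi) in enumerate(BINS)]
            z = sum(post)
            if z > 0:
                for a in range(len(BINS)):
                    acc[a] += post[a] / z
        total = sum(acc)
        f = [x / total for x in acc]
    return f

def l1(p, q):
    """L1 distance between two histograms."""
    return sum(abs(x - y) for x, y in zip(p, q))

def demo(seed=7):
    """Constructed ages in two groups around 30 and 65.
    Returns the (original, randomized, reconstructed) histograms."""
    rng = random.Random(seed)
    ages = [rng.gauss(30, 4) for _ in range(300)] + [rng.gauss(65, 4) for _ in range(300)]
    noisy = randomize(ages, rng)
    return histogram(ages), histogram(noisy), reconstruct(noisy)

if __name__ == "__main__":
    orig, rand, rec = demo()
    print("L1 error of the randomized histogram:", round(l1(rand, orig), 3))
    print("L1 error of the EM reconstruction:   ", round(l1(rec, orig), 3))
```

The noisy histogram is smeared across neighbouring bins while the EM estimate recovers the two age groups; no individual age is ever sent in the clear.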
Sovereign Information Integration
[Figure: a Medical Research Institution holding DNA Sequences alongside a separate database of Drug Reactions]
• Autonomous databases for competitive, statutory, or security reasons.
  • Provides selective, minimal sharing on a need-to-know basis.
• Example: Which DNA expressions correlate with reactions to certain drugs?
• Algorithms for computing secure joins and join counts without revealing any additional information among the databases.
Minimal Necessary Sharing
  R = {a, u, v, x}    S = {b, u, v, y}
  • R must not know that S has b & y
  • S must not know that R has a & x
  • Count(R join S) = 2: R & S do not learn anything except that the result is 2.
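A join count computed between two sovereign databases with commutative encryption, the building block behind secure join counts, as an added Python example that is not the panel's or IBM's code. R and S hold the slide's sets; the prime, the keys and the hashing of values are assumptions of this demo (a production protocol would use a prime-order group and a full security analysis).

```python
import hashlib
import math
import random

P = 2**127 - 1   # Mersenne prime; x -> x^e mod P permutes Z_P^* when gcd(e, P-1) == 1

def keygen(rng):
    """Secret exponent coprime to P-1, so that encryption is invertible."""
    while True:
        e = rng.randrange(3, P - 1)
        if math.gcd(e, P - 1) == 1:
            return e

def h(value):
    """Map a plaintext join value into Z_P^* (never zero)."""
    return int.from_bytes(hashlib.sha256(value.encode()).digest(), "big") % (P - 1) + 1

def enc(e, x):
    """Commutative encryption: enc(e1, enc(e2, x)) == enc(e2, enc(e1, x))."""
    return pow(x, e, P)

class Party:
    def __init__(self, name, values, rng):
        self.name, self.values, self.rng = name, set(values), rng
        self.key = keygen(rng)          # never leaves this party

    def first_pass(self):
        """Send own values hashed and encrypted once, in random order."""
        out = [enc(self.key, h(v)) for v in self.values]
        self.rng.shuffle(out)
        return out

    def second_pass(self, received):
        """Encrypt the peer's once-encrypted values a second time and shuffle,
        so the peer cannot tell which of its own values matched."""
        out = [enc(self.key, c) for c in received]
        self.rng.shuffle(out)
        return out

def intersection_size(r, s):
    """Run the exchange from R's point of view and return |R join S|."""
    r_once = r.first_pass()            # R -> S
    s_once = s.first_pass()            # S -> R
    r_twice = s.second_pass(r_once)    # S -> R: R's values under both keys, shuffled
    s_twice = r.second_pass(s_once)    # R computes S's values under both keys itself
    # Equal double ciphertexts mean equal plaintexts; R sees only how many match,
    # not which of S's values (b, y) it never held.
    return len(set(r_twice) & set(s_twice))

def demo():
    rng = random.Random(2007)
    r = Party("R", ["x", "v", "u", "a"], rng)   # the slide's R
    s = Party("S", ["y", "v", "u", "b"], rng)   # the slide's S
    return intersection_size(r, s)

if __name__ == "__main__":
    print("Count(R join S) =", demo())   # 2: u and v
```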
Optimal k-Anonymization
[Table: four San Jose records (Erica, Paul, Henry, Mark) with name, address, city, ZIP code, age and income, beside their k-anonymized version (k=2, on name, address, age): names and street addresses suppressed (*), ages generalized to the ranges 20-29 and 40-49, ZIP codes 95120 and 95131, city and incomes ($120,000, $42,000, $50,000, $88,000) unchanged]
• Optimal k-Anonymization (Bayardo, Agrawal, 2005)
  • Algorithm finds optimal k-anonymizations under two representative cost measures and variations of k.
• Advantages of optimal k-anonymization:
  • Truthful: unlike other disclosure protection techniques that use data scrambling, swapping, or adding noise, all information within a k-anonymized dataset is truthful.
  • Secure: more secure than other de-identification methods, which may inadvertently reveal confidential information.
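Finding the cheapest generalization that makes the slide's table 2-anonymous, as an added Python example; it is not the Bayardo-Agrawal algorithm itself (which prunes a far larger search space) but an exhaustive search of a small generalization lattice under two constructed cost measures. The rows loosely follow the slide and are constructed, as are the hierarchies.

```python
from itertools import product

# Constructed records (name, street, zip, age, income); income is the
# sensitive attribute and is never generalized.
ROWS = [
    ("Erica", "130 Harry Road",     "95120", 42, 120000),
    ("Paul",  "4800 17th Street",   "95131", 26,  88000),
    ("Henry", "28210 Almaden Pkwy", "95120", 47,  42000),
    ("Mark",  "19 Main Street",     "95131", 28,  50000),
]
QI = ("name", "street", "zip", "age")   # quasi-identifiers (the slide: k=2 on name, address, age)

# Generalization hierarchy per quasi-identifier: level 0 is the exact value,
# the last level is full suppression ("*").
HIERARCHY = {
    "name":   [lambda v: v, lambda v: "*"],
    "street": [lambda v: v, lambda v: "*"],
    "zip":    [lambda v: v, lambda v: v[:3] + "**", lambda v: "*"],
    "age":    [lambda v: str(v), lambda v: f"{v // 10 * 10}-{v // 10 * 10 + 9}", lambda v: "*"],
}

def generalize(rows, levels):
    """Apply one lattice node (a level per quasi-identifier) to every row."""
    out = []
    for row in rows:
        gen = tuple(HIERARCHY[q][lvl](row[i]) for i, (q, lvl) in enumerate(zip(QI, levels)))
        out.append(gen + row[len(QI):])
    return out

def classes(gen_rows):
    """Equivalence classes: rows that share the same quasi-identifier values."""
    groups = {}
    for row in gen_rows:
        groups.setdefault(row[:len(QI)], []).append(row)
    return groups

def is_k_anonymous(gen_rows, k):
    return all(len(g) >= k for g in classes(gen_rows).values())

def discernibility(gen_rows):
    """Cost measure 1: each row is charged the size of its equivalence class,
    so the table is cheaper when rows stay distinguishable from few others."""
    return sum(len(g) ** 2 for g in classes(gen_rows).values())

def loss(levels):
    """Cost measure 2 (tie-break): how far up each hierarchy we had to climb."""
    return sum(lvl / (len(HIERARCHY[q]) - 1) for q, lvl in zip(QI, levels))

def optimal_k_anonymization(rows, k):
    """Exhaustive search of the lattice (36 nodes here) for the cheapest node
    whose generalized table is k-anonymous. Returns (levels, table)."""
    best = None
    for levels in product(*(range(len(HIERARCHY[q])) for q in QI)):
        table = generalize(rows, levels)
        if not is_k_anonymous(table, k):
            continue
        key = (discernibility(table), loss(levels))
        if best is None or key < best[0]:
            best = (key, levels, table)
    return best[1], best[2]

if __name__ == "__main__":
    levels, table = optimal_k_anonymization(ROWS, 2)
    print("generalization levels:", dict(zip(QI, levels)))
    for row in table:
        print(row)        # every value is truthful, just less precise
```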
Compliance Auditing
[Figure: the Database Layer receives each query with its purpose and recipient and generates an audit record into the Query Audit Log; updates, inserts and deletes are captured into a Backlog by database triggers or replication; the Audit Database Layer takes an audit expression and returns the IDs of logged queries having accessed the data specified by the audit query]
Query Audit Log
  ID  Query     User        Purpose          Recipient    Timestamp
  1   Select …  B. Jones    Marketing        MortgageCo.  2004-02-…
  2   Select …  S. Roberts  Account service  S. Roberts   2004-02-…
• Audits: Determine whether specified particular data has been accessed in violation of privacy policies or choices.
• Audit expression: Auditor specifies the information disclosures that he or she would like to track.
• Suspicious Queries: Audit system identifies logged queries that accessed the specified data.
• Audit Results: Returns the queries that accessed the specified information and the circumstances of access.
• Advantages:
  • Cell-level disclosure auditing.
  • Low storage overhead; reuses existing database infrastructure.
  • Low performance impact; defers computation until audit time.
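Evaluating an audit expression against a query log by re-running each logged query on the backlog snapshot with and without the audited row, as an added Python example that is not IBM's auditing implementation. The log entries, the backlog table and the audit expressions are constructed; a column used only in a WHERE clause is not counted as disclosed here, which simplifies the full semantics.

```python
import sqlite3

# Constructed query audit log: (id, query, user, purpose, recipient), the
# fields the slide's log shows (timestamps omitted).
LOG = [
    (1, "SELECT name, phone FROM patient WHERE zip = '95120'", "B. Jones", "Marketing", "MortgageCo."),
    (2, "SELECT name, balance FROM patient WHERE id = 2", "S. Roberts", "Account service", "S. Roberts"),
    (3, "SELECT COUNT(*) FROM patient WHERE age > 30", "D. Lee", "Research", "Internal"),
]

def backlog():
    """Snapshot of the data as it stood when the logged queries ran (constructed)."""
    db = sqlite3.connect(":memory:", isolation_level=None)   # autocommit; transactions are explicit below
    db.executescript("""
    CREATE TABLE patient(id INTEGER PRIMARY KEY, name TEXT, zip TEXT, age INTEGER,
                         phone TEXT, balance INTEGER);
    INSERT INTO patient VALUES (1,'Erica','95120',42,'(408) 555-0101',120),
                               (2,'Paul','95131',26,'(408) 555-0102',88),
                               (3,'Henry','95120',47,'(408) 555-0103',42);
    """)
    return db

def indispensable(db, sql, row_id):
    """The audited row is indispensable to a query if deleting it changes the
    query's result. The deletion is rolled back, so the backlog stays intact."""
    before = db.execute(sql).fetchall()
    db.execute("BEGIN")
    try:
        db.execute("DELETE FROM patient WHERE id = ?", (row_id,))
        after = db.execute(sql).fetchall()
    finally:
        db.execute("ROLLBACK")
    return before != after

def output_columns(db, sql):
    """Columns the query returns to its user (lower-cased result column names)."""
    return {d[0].lower() for d in db.execute(sql).description}

def audit(db, log, row_id, columns):
    """Audit expression: which logged queries disclosed the given columns of the
    row identified by row_id? Returns (log id, user, purpose, recipient) tuples,
    i.e. the suspicious queries and the circumstances of access."""
    hits = []
    for qid, sql, user, purpose, recipient in log:
        if set(columns) <= output_columns(db, sql) and indispensable(db, sql, row_id):
            hits.append((qid, user, purpose, recipient))
    return hits

if __name__ == "__main__":
    db = backlog()
    print("who saw Erica's phone:  ", audit(db, LOG, 1, {"phone"}))
    print("who saw Paul's balance: ", audit(db, LOG, 2, {"balance"}))
```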
Watermarking Databases
Watermark Insertion (on the owner's Database):
  1. Choose secret key
  2. Specify table/attributes to be marked
  3. Pseudo-randomly select a subset of the rows for marking (a function of the secret key and attribute values)
Watermark Detection (on a Suspicious Database):
  1. Specify secret key
  2. Specify table/attributes which should contain marks
  3. Identify marked rows/attributes, compare marks with expected mark values (requires neither the original unmarked data nor the watermark)
  4. Confirm presence or absence of the watermark
• Deters data theft and asserts ownership of pirated copies by an intentionally introduced pattern in the data.
  • Very unlikely to occur by chance.
  • Hard to find => hard to destroy (robust against malicious attacks).
• Existing watermarking techniques developed for multimedia are not applicable to database tables.
  • Rows in a table are unordered.
  • Rows can be inserted, updated, deleted.
  • Attributes can be added, dropped.
• New algorithm for watermarking database tables.
  • Watermark can be detected using only a subset of the rows and attributes of a table.
  • Robust against updates, incrementally updatable.
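The insertion and detection steps above in working form, as an added Python example that is not IBM's implementation: a keyed hash of each row's primary key decides whether the row carries a mark, which numeric attribute and which low-order bit hold it, and the bit's value; detection recomputes those choices and tests whether the matches exceed chance. The table, key and parameters are constructed.

```python
import hashlib
import hmac
import math
import random

KEY = b"owner-secret-key (constructed)"
GAMMA = 3                         # about one row in GAMMA carries a mark
XI = 2                            # the mark lands in one of the XI least significant bits
MARKABLE = ("age", "weight_kg")   # numeric attributes that tolerate a flipped low bit

def prf(key, pk, purpose):
    """Keyed pseudo-random function of the primary key; the purpose tag
    separates the four decisions drawn from it."""
    mac = hmac.new(key, f"{pk}|{purpose}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big")

def mark_plan(key, pk):
    """(attribute, bit, expected bit value) for a row selected for marking,
    else None. Only key and primary key decide, so detection can recompute it."""
    if prf(key, pk, "select") % GAMMA != 0:
        return None
    attr = MARKABLE[prf(key, pk, "attr") % len(MARKABLE)]
    bit = prf(key, pk, "bit") % XI
    value = prf(key, pk, "value") % 2
    return attr, bit, value

def insert_watermark(rows, key):
    """Insertion: returns a marked copy; unselected rows are left untouched."""
    out = []
    for row in rows:
        row = dict(row)
        plan = mark_plan(key, row["id"])
        if plan is not None:
            attr, bit, value = plan
            row[attr] = (row[attr] & ~(1 << bit)) | (value << bit)
        out.append(row)
    return out

def count_marks(rows, key):
    """Detection step 3: (rows that should carry a mark, rows whose bit matches)."""
    total = matches = 0
    for row in rows:
        plan = mark_plan(key, row["id"])
        if plan is None:
            continue
        attr, bit, value = plan
        total += 1
        matches += int((row[attr] >> bit) & 1 == value)
    return total, matches

def binomial_tail(n, m):
    """P[Binomial(n, 1/2) >= m]: how often an unmarked table matches this well by chance."""
    return sum(math.comb(n, i) for i in range(m, n + 1)) / 2 ** n

def watermark_present(rows, key, alpha=0.01):
    """Detection step 4: present when the matches are too many to be chance at level alpha."""
    total, matches = count_marks(rows, key)
    return total > 0 and binomial_tail(total, matches) <= alpha

def sample_table(n=100, seed=3):
    """Constructed table of n patient rows with two numeric attributes."""
    rng = random.Random(seed)
    return [{"id": i, "age": rng.randint(18, 90), "weight_kg": rng.randint(45, 120)}
            for i in range(1, n + 1)]

if __name__ == "__main__":
    original = sample_table()
    marked = insert_watermark(original, KEY)
    subset = [r for r in marked if r["id"] % 2]    # a copy with half the rows, as a thief might keep
    for label, rows in (("original", original), ("marked", marked), ("subset", subset)):
        print(f"{label:9}", count_marks(rows, KEY), watermark_present(rows, KEY))
```

Because every decision derives from the primary key, rows can be dropped, reordered or updated elsewhere without erasing the mark, and a partial copy is still detectable.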
Conclusion
• Technology controls for security and privacy must be used in conjunction with legal policy, organizational requirements and social awareness programs in order to address the current and future problems in medical informatics systems.
• Controls must be moved to the data level in order to:
  • Reduce the complexity in current systems.
  • Provide a unified protection framework.
  • Allow the resolution of conflicts at the data level.
  • Scale to future technology without infrastructure modification.
• There is a current set of enablers that would avert breaches and integrate seamlessly into current systems.
THE END
Slides available at http://www.almaden.ibm.com/cs/people/tgrandison/talks.html
• Ted Cooper: [email protected]
• Mike Davis: [email protected]
• Bernd Blobel: [email protected], [email protected]
• Tyrone Grandison: [email protected]