ISACA VENICE Chapter
IV Conference on Application Security and Modern Technologies
Venice, Università Ca’ Foscari, 23 September 2016
In collaboration with
Massimiliano Masi, Ph.D.
A governance model for ubiquitous medical devices accessing eHealth data: the need for standards
Who am I?
I obtained my Ph.D. from the Uni of Florence, formal methods
I work in Vienna for an SME which is active in the eHealth sector
I am a Java developer
I am an editor of eHealth industry standards
I work mainly in Cross Border eHealth Sharing
Introduction / EHR
The Electronic Health Record (EHR) is a digital version of the patient’s paper chart.
It is a real-time, patient-centered record that makes information available instantly and securely to all clinicians involved in the patient’s care.
It contains:
Patient Demographics (name, surname, mail, identifier, phone, address)
Lab Results
Discharge Summaries
Encounter Reports
Diseases
Prescriptions
…
EHRs may travel across medical facilities
Introduction / EMR
The Electronic Medical Record (EMR) is a digital version of the patient’s paper chart, in the clinician’s office.
It contains the medical history of a patient in one practice, which allows the practice to:
Track data over time
Easily identify patients for preventive screenings
Check how patients are doing on certain parameters (e.g., blood pressure)
Improve the quality of the practice (e.g., hospital)
EMRs do not travel across facilities
Introduction / PHR
The Personal (Patient) Health Record (PHR) is an electronic application used by patients to maintain and manage their health information in a private, secure, and confidential environment.
Managed by patients
Can include information from a variety of sources
Can help patients store and monitor health data, such as diet plans, data from home monitoring systems, fitness, patient contact information, diagnosis, medication lists, allergies, etc.
Facilitates remote diagnosis
Source: HealthIT.gov
Introduction / Evolution
EHR, EMR, and PHR are being developed worldwide.
The U.S. funded several successful initiatives: Healtheway/NHIN, DIRECT, Blue Button
Year          Percentage of adoption
2007          17%
2008          21%
2009          27%
2011-2013     44%
New adopters  19%
The obstacles found were financial resources and technical assistance.
The U.S. Congress promoted EHR by establishing financial and technical programs.
Introduction / Evolution
In Europe, each member state is sovereign in healthcare matters.
State-wide EHR initiatives:
Austria: the ELGA system
Italy: region by region (Fascicolo Sanitario Elettronico)
U.K.: the National Health Service (NHS)
The EU Commission is promoting:
Research projects, aimed at enhancing the PHR, ageing well, remote monitoring, work safety
Cross Border eHealth Exchange, to enforce the ”freedom of movement” fundamental right: have a medicine prescribed in one state and dispensed in another; right to care
Public Health
eHealth / Public Health / mHealth
eHealth (WHO): eHealth is the use of ICT for health. Examples include treating patients, conducting research, educating the health workforce, tracking diseases, and monitoring public health.
mHealth, mobile health, is the use of mobile devices to manage electronic health records.
Public eHealth (PeH) is an all-encompassing term that refers to the use of ICT for the public, including, e.g., research on anonymized data, statistical planning, pandemic forecasts.
Clearly eHealth, mHealth, and PeH offer many benefits, e.g. greater safety through the reduction of medical errors.
Security Evaluation
Medical Records carry several kinds of critical information:
Person Identifiable Information (PII) (linked or linkable): ”Any information about an individual maintained by an agency including any information that can be used to distinguish or trace an individual’s identity” (NIST SP 800-122). E.g. name, SSN, Fiscal Code, employment information.
Protected Healthcare Information (PHI): any information about health status, provision of health care, or payment for health care that can be linked to a specific principal.
Both PII and PHI must be protected. But what does it mean?
Security Dimensions
It is imperative to protect:
Safety – the patient must not suffer any damage caused by the ICT
Integrity – Medical Records must preserve data integrity through the lifecycle
Confidentiality – the PHI/PII must be kept confidential, avoiding disclosure
Authorization – only authorized users can access medical data
Authentication – only authenticated users can access data
Informed Consent – the patient is ultimately responsible for sharing data
Identification – patient identification
Non Repudiation – to be able to settle disputes related to treatment
Some stories
Discharge summary: after a hospitalization, the patient Massi needs further exams from specialists outside the hospital facilities and continuous monitoring of blood pressure and hydration at home (EHR/PHR)
Prescription: patient Massi needs Warfarin (Coumadin) checks every week, and tablets if the check is outside the limits. He has a prescription from his home physician. Massi is abroad for business (EHR)
Diet obligations: patient Massi is losing weight to avoid cardiovascular diseases. His home physician is controlling the amount of calories burned while running using a smartphone app (PHR, EMR)
Seaman’s safety: when fishing, seamen stay days at sea. If a heart attack happens, a remote-controlled EAD can be used to save his life (mHealth, Telemedicine)
Research: the massive availability of MRIs and diagnoses enables scientists to better find countermeasures for a disease (Pseudonyms, Public eHealth)
Why we need standards
Standards are made for interoperability:
In case of emergency, immediate access to data saves lives (safety)
Disclosing health status can create problems in the living context (confidentiality)
The EHR must be accessed only by those entitled to do so (safety, identification, authentication, authorization, accountability)
Every single operation on the EHR must be tracked (non repudiation)
Avoid geolocation-based (physical?) attacks (privacy)
Settle on the same algorithms for encryption, hashing, signature
Etc.
Avoid vendor lock-in at all costs! Do not let adapters proliferate – another way to get vendor lock-in
Available Standards
DICOM: established in 1993, ISO 12052. Almost all medical imaging devices export DICOM images
HL7: definition of administrative data (patient identifier, triage); definition of the Clinical Document Architecture (CDA)
SNOMED-CT: definition of the medical data vocabulary (where you can create ontologies)
IHE: connects healthcare facilities; creation of national/international backbones and infrastructures
FHIR: enables medical devices to access backbones and infrastructures
IHE
IHE has a complex governance model to enable testing-before-purchasing
Security through IHE
IHE is about hospital-to-hospital, region-to-region, country-to-country EHR exchange.
It uses a web-service infrastructure; IA&A is achieved using SAML tokens and XACML policies.
SAML is a signed XML document that bears the identity of a principal (doctor). The specific authentication mechanism is left to the facility. It helps in building the Circle of Trust.
Attention:
SOAP Message Rewrite attacks (K. Bhargavan et al., Secure Session for Web Services)
XML Signature Wrapping (XSW)-family (J. Somorovsky, How to break XML Signature and XML Encryption)
Using TLS is useless here (web services are useful only if intermediaries can modify the message on its way)
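The XSW family works because a cryptographically valid signature is left untouched while the element the application actually reads is moved or replaced. The defence on the consumer side is a structural check that the element being consumed is the one the signature's Reference points to. The following Python is an added example, not code from the slides or from the cited papers: it assumes the cryptographic verification of the signature has already been done by an XML-DSig library, and the SAML message, the subject name dr.rossi and the function names (signed_assertion, naive_pick, accepts) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespaces of SAML 2.0 assertions and XML Digital Signature.
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAML_ASSERTION = "{%s}Assertion" % NS["saml"]


def subject_of(assertion):
    """Name of the principal (the doctor) the assertion speaks about."""
    return assertion.find("saml:Subject/saml:NameID", NS).text


def naive_pick(xml_text):
    """What a careless consumer does: trust the first Assertion it finds."""
    root = ET.fromstring(xml_text)
    return subject_of(root.find(".//saml:Assertion", NS))


def signed_assertion(xml_text):
    """Return the single Assertion that the enveloped signature really covers.

    The cryptographic check of the signature is assumed to be done by an
    XML-DSig library beforehand (assumption of this example); this structural
    check is what XSW gets around when it is missing, because the signed bytes
    are intact and only the element the application reads has been moved.
    """
    root = ET.fromstring(xml_text)
    signatures = root.findall(".//ds:Signature", NS)
    if len(signatures) != 1:
        raise ValueError("expected one Signature, found %d" % len(signatures))
    sig = signatures[0]
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        raise ValueError("expected one Reference in SignedInfo")
    uri = refs[0].get("URI", "")
    if len(uri) < 2 or not uri.startswith("#"):
        raise ValueError("only same-document ID references are accepted")
    ref_id = uri[1:]
    # The referenced ID must resolve to exactly one element in the whole document.
    targets = [e for e in root.iter() if e.get("ID") == ref_id]
    if len(targets) != 1:
        raise ValueError("ID %r resolves to %d elements" % (ref_id, len(targets)))
    signed = targets[0]
    if signed.tag != SAML_ASSERTION:
        raise ValueError("signature does not cover a saml:Assertion")
    # Enveloped signature: it must be a direct child of the element it signs.
    if not any(child is sig for child in signed):
        raise ValueError("Signature is not enveloped in the element it references")
    # No unsigned Assertion may travel in the same message.
    if len(root.findall(".//saml:Assertion", NS)) != 1:
        raise ValueError("extra Assertion present alongside the signed one")
    return signed


def signed_subject(xml_text):
    return subject_of(signed_assertion(xml_text))


def accepts(xml_text):
    """True when the message passes the structural check, False when rejected."""
    try:
        signed_assertion(xml_text)
        return True
    except ValueError:
        return False


# Constructed sample: one assertion about dr.rossi, signed by the identity
# provider (SignatureValue is a placeholder; its bytes play no role here).
GOOD = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion ID="_a1">
    <saml:Subject><saml:NameID>dr.rossi</saml:NameID></saml:Subject>
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>placeholder</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

# Constructed test input for the check: the original, still validly signed
# assertion is moved under a new unsigned one, which a naive consumer reads.
WRAPPED = GOOD.replace(
    '<saml:Assertion ID="_a1">',
    '<saml:Assertion ID="_x"><saml:Subject><saml:NameID>mallory</saml:NameID></saml:Subject>'
    '<saml:Advice><saml:Assertion ID="_a1">',
).replace("</saml:Assertion>", "</saml:Assertion></saml:Advice></saml:Assertion>")


if __name__ == "__main__":
    print("naive:", naive_pick(GOOD), "/", naive_pick(WRAPPED))   # dr.rossi / mallory
    print("checked:", accepts(GOOD), "/", accepts(WRAPPED))        # True / False
```

The important design point is that the consumer must act only on the element returned by signed_assertion, never on "the first Assertion in the message": the two selection paths agree on the benign message and diverge exactly on the wrapped one, which is what an audit of a SAML consumer should look for.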
Security through IHE
Patient informed consent is a form of authorization. Healthcare uses XACML:
No longer role-based
Policy-based access control (the access is given in a specific computable context)
Break-the-glass scenario
Helmuth Petritsch, Break-Glass: Handling Exceptional Situations in Access Control
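To make "access is given in a specific computable context" concrete, here is an added Python example (not from the slides, nor a real XACML engine) of a small policy evaluator: the request carries role, purpose of use, resource and consent status, rules are evaluated with deny-overrides combining, and the break-glass rule permits an emergency access without consent only together with obligations (audit and notification) that the enforcement point must honour. The rule set, the role and purpose vocabulary and the function names (evaluate, enforce) are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple


# The computable context of an access request: who asks, why, for what,
# and whether the patient's informed consent covers it.
@dataclass(frozen=True)
class Request:
    role: str            # e.g. physician, nurse, researcher
    purpose: str         # purpose of use: TREATMENT, EMERGENCY, RESEARCH
    resource: str        # e.g. discharge-summary, pseudonymized:mri
    consent_given: bool  # patient consent on file for this role/purpose


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                          # "Permit" or "Deny"
    condition: Callable[[Request], bool]
    obligations: Tuple[str, ...] = ()    # duties the enforcement point must fulfil


# Constructed policy, roughly what an XACML PolicySet for an EHR would express.
POLICY: List[Rule] = [
    # Ordinary care needs the patient's consent; lacking it is a hard Deny.
    Rule("treatment-without-consent", "Deny",
         lambda r: r.purpose == "TREATMENT" and not r.consent_given),
    Rule("treatment", "Permit",
         lambda r: r.role in {"physician", "nurse"} and r.purpose == "TREATMENT"
         and r.consent_given),
    # Break-the-glass: a physician in an emergency gets in without consent,
    # but the access is audited and the patient and privacy officer are told.
    Rule("break-glass", "Permit",
         lambda r: r.role == "physician" and r.purpose == "EMERGENCY",
         obligations=("audit:break-glass", "notify:patient", "notify:privacy-officer")),
    # Public eHealth research only on pseudonymized data.
    Rule("research", "Permit",
         lambda r: r.role == "researcher" and r.purpose == "RESEARCH"
         and r.resource.startswith("pseudonymized:")),
]


def evaluate(policy, req):
    """Deny-overrides combining: any matching Deny wins; otherwise Permit with
    the obligations of every matching Permit rule; otherwise NotApplicable."""
    matching = [rule for rule in policy if rule.condition(req)]
    if any(rule.effect == "Deny" for rule in matching):
        return "Deny", ()
    permits = [rule for rule in matching if rule.effect == "Permit"]
    if permits:
        return "Permit", tuple(o for rule in permits for o in rule.obligations)
    return "NotApplicable", ()


def enforce(policy, req, audit_log):
    """Policy enforcement point: only an explicit Permit opens the record, and
    every obligation is recorded before the data is released."""
    decision, obligations = evaluate(policy, req)
    if decision != "Permit":
        audit_log.append(f"{decision} {req.role} {req.purpose} {req.resource}")
        return False
    for duty in obligations:
        audit_log.append(f"{duty} {req.role} {req.resource}")
    return True


if __name__ == "__main__":
    log = []
    enforce(POLICY, Request("physician", "TREATMENT", "discharge-summary", True), log)
    enforce(POLICY, Request("physician", "TREATMENT", "discharge-summary", False), log)
    enforce(POLICY, Request("physician", "EMERGENCY", "discharge-summary", False), log)
    enforce(POLICY, Request("nurse", "EMERGENCY", "discharge-summary", False), log)
    print("\n".join(log))
```

Note that a NotApplicable result (the nurse in the emergency case, who matches no rule) is treated as a denial by the enforcement point, and that the break-glass permit is only as strong as the obligations: if the audit entry is not written, the exceptional access is indistinguishable from an ordinary one, which defeats the non-repudiation requirement listed earlier.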
HL7 FHIR
While IHE provides infrastructures, FHIR provides the last-mile connection.
It is completely based on RESTful APIs, point-to-point
JSON and XML formats to exchange data
Devised for medical devices: no infrastructures in REST!
Based on section 4.3 of RFC 6749 (OAuth 2.0)
JWT <-> SAML mapping
The problem is that the channel authentication is only HTTPS.
At the moment only bearer usage (no holder-of-key, no identity binding from the channel)
Work is being done in UMA (User Managed Access)
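The bearer limitation above means that a valid token is all a resource server asks for, so a token captured from a device is as good as the device itself. The following Python is an added example, not code from the slides or from FHIR, that contrasts a bearer check with a holder-of-key check: the token is a simplified HS256-style JWT carrying an RFC 7800 cnf claim, and the possession proof (an HMAC over the token and a server nonce with the device's registered key) is a constructed stand-in for a real key-binding method such as mutual TLS; AS_KEY, CLIENT_KEY, KEY_REGISTRY, the subject massi and the scope string are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed keys: the authorization server's signing key, and the key of
# one medical device registered with the resource server.
AS_KEY = b"constructed-authorization-server-key"
CLIENT_KID = "device-1234"
CLIENT_KEY = b"constructed-device-key"
KEY_REGISTRY = {CLIENT_KID: CLIENT_KEY}  # resource server's view of device keys


def issue_token(as_key, sub, scope, cnf_kid=None):
    """Mint an HS256-style compact token. With cnf_kid the token carries an
    RFC 7800 'cnf' claim naming the key its holder must prove possession of."""
    header = b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "scope": scope, "exp": int(time.time()) + 300}
    if cnf_kid is not None:
        claims["cnf"] = {"kid": cnf_kid}
    payload = b64(json.dumps(claims).encode())
    mac = hmac.new(as_key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64(mac)}"


def verify_token(as_key, token):
    """Check the issuer's MAC and the expiry; return the claims."""
    header, payload, mac = token.split(".")
    expected = hmac.new(as_key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64(mac)):
        raise ValueError("token signature invalid")
    claims = json.loads(unb64(payload))
    if claims["exp"] < time.time():
        raise ValueError("token expired")
    return claims


def make_proof(client_key, token, nonce):
    """Device side: prove possession of the bound key by MACing the token
    together with a fresh server nonce (simplified stand-in for a real
    key-binding method such as mutual TLS)."""
    return b64(hmac.new(client_key, f"{token}.{nonce}".encode(), hashlib.sha256).digest())


def bearer_access(as_key, token):
    """Bearer semantics: whoever presents a valid token is served as 'sub'."""
    return verify_token(as_key, token)["sub"]


def hok_access(as_key, token, nonce, proof):
    """Holder-of-key semantics: a valid token is not enough; the caller must
    also prove it holds the key named in the token's cnf claim."""
    claims = verify_token(as_key, token)
    kid = claims.get("cnf", {}).get("kid")
    if kid is None:
        raise ValueError("token is not bound to a key")
    key = KEY_REGISTRY.get(kid)
    if key is None:
        raise ValueError("unknown key id %r" % kid)
    if not hmac.compare_digest(make_proof(key, token, nonce), proof):
        raise ValueError("proof does not match the bound key")
    return claims["sub"]


def hok_accepts(as_key, token, nonce, proof):
    try:
        hok_access(as_key, token, nonce, proof)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    bound = issue_token(AS_KEY, "massi", "patient/Observation.read", cnf_kid=CLIENT_KID)
    nonce = "constructed-nonce-1"
    # The registered device can prove possession; a party holding only a copy
    # of the token cannot, although the bearer check alone would still serve it.
    print("bearer:", bearer_access(AS_KEY, bound))
    print("holder-of-key, device:", hok_accepts(AS_KEY, bound, nonce, make_proof(CLIENT_KEY, bound, nonce)))
    print("holder-of-key, token copy only:", hok_accepts(AS_KEY, bound, nonce, make_proof(b"guess", bound, nonce)))
```

The server-chosen nonce is what makes a captured proof useless for a later request; without it, the proof itself would become just another bearer credential. In a real deployment the nonce handling and the key binding would come from the channel (mutual TLS) or from a standardised proof-of-possession profile rather than from this hand-rolled MAC.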
HL7 FHIR
By using FHIR and vocabularies (such as SNOMED-CT), medical devices can feed EHR/PHR with data that can help human health status, ageing well, and well-being.
Telemonitoring in smart homes will hopefully be a reality soon. Great relief on public finance and hospitalization availability.
Fitness devices, smartphones, smart watches can now have precision comparable to an ECG.
Hospitals encourage the usage of cloud services (PaaS, SaaS) for patients to feed their own PHR to achieve better treatment.
“How do you feel today?”
“Did you walk at least 30 minutes?”
”Your diet is too fat”
“It’s time to get the flu vaccination”
“The patient has not moved for 20 minutes, has he fallen down?”
“The patient is waving for help, call the ambulance”
Cloud Issues
FHIR also enables the use of Cloud Services. Hospitals support the following deployments:
Clinical workflows
Clinical agenda
Data sharing
Document repository
Backup services
Research & Collaboration
However, the usage of Cloud has some security concerns:
Isolation failure
Compliance with the law
Vendor ignorance of the clinical context
Malicious insider
Vendor lock-in
IoT Issues
Internet of Things: several views
IT lacks governance, and we just saw how governance can save lives
Many technically disconnected islands (smart grids, smart homes), like eHealth 20 years ago
IoT-GSI failed?
The telco standpoint
A standardization governance is needed. How many IoTs? One? Multiple?
Sample CBeHIS
Conclusions
eHealth is a mature domain and developed worldwide.
eHealth, after years of separated communities, is now switching to being entirely connected through IHE and FHIR.
Standards are crucial to achieve the security needs required by the domain. IHE selects only relevant standards (SAML, XACML, OAuth, TLS).
eHealth and Cloud services are slowly but truly converging to give patients better and sustainable health care.
eHealth and IoT are not yet ready to be deployed efficiently (i.e., respecting the security rules).
QUESTIONS?