Presentation - ICMCC

High Level Security
Policies for Health:
From Theory to Practice
Spyros Deftereos * , C. Lambrinoudakis * , D. Gritzalis +
* Dept. of Information and Communication Systems Engineering
University of the Aegean
+ Dept. of Informatics
Athens University of Economics & Business

Introduction
‣ Communication of healthcare information among
HCUs is a necessity in shared care environments
‣ Healthcare Information System should provide:
‣ Secure Access to EHCRs
‣ Protection of Patients’ Privacy
‣ ENV 13606 describes basic security and privacy
strategies but does not get into details
2

The problem ……
‣ Key obstacles in the realization of a global
security policy are:
‣Functional and organizational heterogeneity of
HCUs
‣Different security policies
3

A Shared Care EHCR Exchange Scenario
‣ Our analysis has been based on the beta-thalassemia
care model. Possible scenarios are:
1. The patient visits his local thalassemia unit to receive
a scheduled blood transfusion
‣ Physicians, laboratory and nursing personnel provide
information that must be stored, through a LAN, in the
patient EHCR
2. The patient visits the nearest cardiology unit
specializing in beta-Thalassemia
‣ The cardiologist needs to study and update the patient EHCR
‣ An mechanism is required for synchronizing distributed
EHCR instances and for integrating them in a single view
4

A Shared Care EHCR Exchange Scenario
3. The patient visits a specialized radiology unit for
heart and liver MRI scans
‣ The results of the scans should be available to the attending
cardiology and to the responsible physician of the
thalassemia unit
‣ Thus EHCR synchronization becomes more complex
4. The patient presents to the emergency department of
a hospital with an acute problem
‣ On-line access (through Internet) to the patient record or to
an appropriate summary would be valuable to the treating
physicians
5. The patient wishes to view his EHCR and to add his
own comments and observations
‣ On-line access (through Internet) is required
5

A Shared Care EHCR Exchange Scenario
‣ Three Distinct Modes of EHCR communication have
been identified
‣ access and update of information that is stored in
centralized databases, via Local Area Networks
‣ off-line synchronization of information contributed by
distant healthcare units and
‣ access to (parts of) the patient record via Internet
‣ In all these modes, specific roles and access
privileges should be assigned to the various actors
and measures should be taken to protect patient’s
privacy
6

A Shared Care EHCR Exchange Scenario
Physician
EHCR
(Central DB)
EHCR Synchronization
(Retrieve and Update)
EHCR
Retrieve and Update
Retrieve and Update
Cardiologist
Update
LAN
Update
Cardiology Unit
Nursing
Personnel
Beta-Thalassemia Unit
Laboratory
Personnel
Retrieve
EHCR Synchronization
(Update)
Radiologist
Patient
Radiology Unit
7

The Theory ……
‣ Assuming that a High Level Security Policy exists, it
should focus on the protection of:
‣Confidentiality and integrity of Medical information
‣Patient privacy
‣ To this direction, the security policy should elaborate
abstract, context dependant, rules and guidelines for:
8

The Theory ……
‣ Identification of all involved users (actors) and
independent, well-defined, ‘roles’
‣ User authentication
‣ Association of access privileges with users/roles
‣ Supporting auditing procedures
‣ Elimination inherent risks pertinent to the
violation of patient privacy (monitoring and
tampering of communication channels, collection
of profiling information, etc)
9

From Theory to Practice ….
‣ Certain security policy aspects (like authentication,
auditing, patient privacy protection etc) can be
enforced through the use of countermeasures based
on Information Security and Privacy Enhancing
Technologies (ISTs and PETs)
‣ The implementation of others is not trivial at all,
mainly due to organizational differences between
HCUs:
‣ We will consider the problems associated with the
fulfillment of the Access Control requirements, on the basis
of the identified actor roles
10

From Theory to Practice ….
‣ In a distributed environment the “Set of Actors
or/and Roles” is not static
‣ A given ‘Role’ does not necessarily reflect the same
authorization privileges in all HCUs
‣ Specific Roles, defined in a HCU, may be unknown
to other HCUs. There is no straight forward way to
determine the authorization privileges of a user who
tries to access information at a HCU that does not
recognize his Role.
11

From Theory to Practice ….
‣ There are no easy solutions for controlling the range
of information in the EHCR that can be accessed by
each Actor Role
‣ A possibility is to maintain an ‘Access List’ in each
different section of the EHCR – it will include all
permissible actor roles and their access privileges
‣ In a distributed environment with the participation of
several independent healthcare organizations, the
‘access lists’ for each EHCR section will either vary,
from one organization to the other, or they will not be
present at all.
12

Conclusions
‣ The overall security policy, in a shared care scenario,
should support independent security domains, each
domain representing the peculiarities of the
organization specific security policies
‣ The main effort should be towards the development
of mechanisms that can resolve potential policy
conflicts, allowing the development of a dynamic
multiple-security-policies environment that matches a
dynamic shared-care scenario.
‣ Maintenance of a central policy repository that will record,
in a platform independent form, the authorization privileges
associated with each role of each healthcare organization
participating in the shared care environment, as well as the
characteristics (properties) of each role.
‣ XACML could be used for enabling each section of an
EHCR to carry its own access control policy, preferably at a
granularity of role properties level rather than role level.
13

Thank you
14