Presentation - ICMCC
High Level Security<br />
Policies for Health:<br />
From Theory to Practice<br />
Spyros Deftereos * , C. Lambrinoudakis * , D. Gritzalis +<br />
* Dept. of Information and Communication Systems Engineering<br />
University of the Aegean<br />
+ Dept. of Informatics<br />
Athens University of Economics & Business
Introduction<br />
‣ Communication of healthcare information among<br />
HCUs is a necessity in shared care environments<br />
‣ Healthcare Information System should provide:<br />
‣ Secure Access to EHCRs<br />
‣ Protection of Patients’ Privacy<br />
‣ ENV 13606 describes basic security and privacy<br />
strategies but does not get into details<br />
2
The problem ……<br />
‣ Key obstacles in the realization of a global<br />
security policy are:<br />
‣Functional and organizational heterogeneity of<br />
HCUs<br />
‣Different security policies<br />
3
A Shared Care EHCR Exchange Scenario<br />
‣ Our analysis has been based on the beta-thalassemia<br />
care model. Possible scenarios are:<br />
1. The patient visits his local thalassemia unit to receive<br />
a scheduled blood transfusion<br />
‣ Physicians, laboratory and nursing personnel provide<br />
information that must be stored, through a LAN, in the<br />
patient EHCR<br />
2. The patient visits the nearest cardiology unit<br />
specializing in beta-Thalassemia<br />
‣ The cardiologist needs to study and update the patient EHCR<br />
‣ A mechanism is required for synchronizing distributed<br />
EHCR instances and for integrating them in a single view<br />
4
A Shared Care EHCR Exchange Scenario<br />
3. The patient visits a specialized radiology unit for<br />
heart and liver MRI scans<br />
‣ The results of the scans should be available to the attending<br />
cardiologist and to the responsible physician of the<br />
thalassemia unit<br />
‣ Thus EHCR synchronization becomes more complex<br />
4. The patient presents to the emergency department of<br />
a hospital with an acute problem<br />
‣ On-line access (through Internet) to the patient record or to<br />
an appropriate summary would be valuable to the treating<br />
physicians<br />
5. The patient wishes to view his EHCR and to add his<br />
own comments and observations<br />
‣ On-line access (through Internet) is required<br />
5
A Shared Care EHCR Exchange Scenario<br />
‣ Three Distinct Modes of EHCR communication have<br />
been identified<br />
‣ access and update of information that is stored in<br />
centralized databases, via Local Area Networks<br />
‣ off-line synchronization of information contributed by<br />
distant healthcare units and<br />
‣ access to (parts of) the patient record via Internet<br />
‣ In all these modes, specific roles and access<br />
privileges should be assigned to the various actors<br />
and measures should be taken to protect patient’s<br />
privacy<br />
6
A Shared Care EHCR Exchange Scenario<br />
[Figure: shared care EHCR exchange diagram]<br />
Actors: Physician, Nursing Personnel, Laboratory Personnel, Cardiologist, Radiologist, Patient<br />
Units: Beta-Thalassemia Unit (EHCR in a central DB, reached via LAN), Cardiology Unit (local EHCR instance), Radiology Unit<br />
Flows: Retrieve and Update (physician, cardiologist); Update (nursing and laboratory personnel); Retrieve (patient); EHCR Synchronization between units (Retrieve and Update with the cardiology unit, Update from the radiology unit)<br />
7
The Theory ……<br />
‣ Assuming that a High Level Security Policy exists, it<br />
should focus on the protection of:<br />
‣Confidentiality and integrity of Medical information<br />
‣Patient privacy<br />
‣ To this end, the security policy should elaborate<br />
abstract, context-dependent rules and guidelines for:<br />
8
The Theory ……<br />
‣ Identification of all involved users (actors) and<br />
independent, well-defined, ‘roles’<br />
‣ User authentication<br />
‣ Association of access privileges with users/roles<br />
‣ Supporting auditing procedures<br />
‣ Elimination of inherent risks pertinent to the<br />
violation of patient privacy (monitoring and<br />
tampering of communication channels, collection<br />
of profiling information, etc.)<br />
9
From Theory to Practice ….<br />
‣ Certain security policy aspects (like authentication,<br />
auditing, patient privacy protection etc) can be<br />
enforced through the use of countermeasures based<br />
on Information Security and Privacy Enhancing<br />
Technologies (ISTs and PETs)<br />
‣ The implementation of others is not trivial at all,<br />
mainly due to organizational differences between<br />
HCUs:<br />
‣ We will consider the problems associated with the<br />
fulfillment of the Access Control requirements, on the basis<br />
of the identified actor roles<br />
10
From Theory to Practice ….<br />
‣ In a distributed environment the “Set of Actors<br />
or/and Roles” is not static<br />
‣ A given ‘Role’ does not necessarily reflect the same<br />
authorization privileges in all HCUs<br />
‣ Specific Roles, defined in a HCU, may be unknown<br />
to other HCUs. There is no straightforward way to<br />
determine the authorization privileges of a user who<br />
tries to access information at a HCU that does not<br />
recognize his Role.<br />
11
From Theory to Practice ….<br />
‣ There are no easy solutions for controlling the range<br />
of information in the EHCR that can be accessed by<br />
each Actor Role<br />
‣ A possibility is to maintain an ‘Access List’ in each<br />
different section of the EHCR – it will include all<br />
permissible actor roles and their access privileges<br />
‣ In a distributed environment with the participation of<br />
several independent healthcare organizations, the<br />
‘access lists’ for each EHCR section will either vary,<br />
from one organization to the other, or they will not be<br />
present at all.<br />
12
Conclusions<br />
‣ The overall security policy, in a shared care scenario,<br />
should support independent security domains, each<br />
domain representing the peculiarities of the<br />
organization specific security policies<br />
‣ The main effort should be towards the development<br />
of mechanisms that can resolve potential policy<br />
conflicts, allowing the development of a dynamic<br />
multiple-security-policies environment that matches a<br />
dynamic shared-care scenario.<br />
‣ Maintenance of a central policy repository that will record,<br />
in a platform independent form, the authorization privileges<br />
associated with each role of each healthcare organization<br />
participating in the shared care environment, as well as the<br />
characteristics (properties) of each role.<br />
‣ XACML could be used for enabling each section of an<br />
EHCR to carry its own access control policy, preferably at a<br />
granularity of role properties level rather than role level.<br />
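The following is an added example, not code from the presentation or its authors, showing in Python the difference between the two approaches the slides contrast: a per-section access list keyed on role names (slide 12), which has no answer for a role defined by another HCU (slide 11), and a central policy repository recording each organization's roles as sets of properties, with per-section policies written at the level of role properties (slide 13). All organization names, role names, property names, EHCR section names and the requests are constructed for illustration; the evaluation ("permit if any rule is satisfied, otherwise deny") is a simplification of an XACML policy decision point, not XACML itself.

```python
"""Added example: role-name access lists versus role-property policies for
EHCR sections. All sample data below is constructed for illustration."""
from dataclasses import dataclass

# --- Central policy repository (constructed) -------------------------------
# (organization, role) -> properties of that role, recorded in a
# platform-independent form. Each HCU registers its own roles; the property
# vocabulary is shared across the shared care environment.
ROLE_REPOSITORY = {
    ("thalassemia-unit", "attending_physician"): {"clinician", "treating", "prescribes"},
    ("thalassemia-unit", "nurse"): {"clinician", "treating"},
    ("thalassemia-unit", "lab_technician"): {"diagnostic"},
    ("cardiology-unit", "cardiologist"): {"clinician", "treating", "specialist"},
    ("radiology-unit", "radiologist"): {"diagnostic", "imaging"},
    ("any", "patient"): {"data_subject"},  # the patient role is organization-independent
}


@dataclass(frozen=True)
class Request:
    org: str      # HCU that defined the requester's role
    role: str     # role name as that HCU knows it
    section: str  # EHCR section being accessed
    action: str   # "read" or "write"


# --- Approach 1: per-section access list keyed on local role names ----------
# What the thalassemia unit alone might maintain. Roles of other HCUs are
# simply absent, so their users are denied whatever their real function.
SECTION_ACL = {
    "transfusion_record": {"attending_physician": {"read", "write"},
                           "nurse": {"read", "write"},
                           "lab_technician": {"write"}},
    "imaging_results": {"attending_physician": {"read"}},
    "patient_comments": {"attending_physician": {"read"},
                         "patient": {"read", "write"}},
}


def acl_decision(req: Request) -> bool:
    """Role-name access list: any role not listed for the section is denied."""
    return req.action in SECTION_ACL.get(req.section, {}).get(req.role, set())


# --- Approach 2: per-section policy expressed over role properties ----------
@dataclass(frozen=True)
class Rule:
    required: frozenset  # every listed property must be present on the role
    actions: frozenset   # actions this rule permits


SECTION_POLICY = {
    "transfusion_record": [Rule(frozenset({"clinician", "treating"}), frozenset({"read", "write"})),
                           Rule(frozenset({"diagnostic"}), frozenset({"write"}))],
    "imaging_results": [Rule(frozenset({"imaging"}), frozenset({"read", "write"})),
                        Rule(frozenset({"clinician", "treating"}), frozenset({"read"}))],
    "patient_comments": [Rule(frozenset({"data_subject"}), frozenset({"read", "write"})),
                         Rule(frozenset({"clinician", "treating"}), frozenset({"read"}))],
}


def properties_for(org: str, role: str) -> set:
    """Look the role up in the central repository; fall back to the
    organization-independent entries; unknown roles have no properties."""
    return ROLE_REPOSITORY.get((org, role)) or ROLE_REPOSITORY.get(("any", role)) or set()


def property_decision(req: Request) -> bool:
    """Permit if any rule of the section is satisfied by the properties the
    repository records for the requester's (org, role); otherwise deny."""
    props = properties_for(req.org, req.role)
    if not props:  # role unknown to the repository: nothing to evaluate, deny
        return False
    for rule in SECTION_POLICY.get(req.section, []):
        if rule.required <= props and req.action in rule.actions:
            return True
    return False


if __name__ == "__main__":
    # Constructed requests following the beta-thalassemia scenario.
    samples = [
        Request("cardiology-unit", "cardiologist", "transfusion_record", "read"),
        Request("radiology-unit", "radiologist", "imaging_results", "write"),
        Request("thalassemia-unit", "lab_technician", "transfusion_record", "read"),
        Request("cardiology-unit", "patient", "patient_comments", "read"),
        Request("other-unit", "clerk", "transfusion_record", "read"),
    ]
    for r in samples:
        print(f"{r.org}/{r.role} {r.action} {r.section}: "
              f"acl={acl_decision(r)} properties={property_decision(r)}")
```

The first two requests show the point of slide 11: the cardiologist and the radiologist are denied by the thalassemia unit's access list because their role names are unknown there, yet the property-based policy permits exactly the accesses the scenario on slide 5 requires. The remaining requests show that the property-based evaluation does not become more permissive in the cases where the access list already gives the right answer, and that a role absent from the repository is still denied.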
13
Thank you<br />
14