
30th Annual International IEEE EMBS Conference
Vancouver, British Columbia, Canada, August 20-24, 2008
978-1-4244-1815-2/08/$25.00 ©2008 IEEE. 1478

On The Diversity of eHealth Security Systems and Mechanisms

Sasan Adibi, Gordon B. Agnew, Member, IEEE

Manuscript received April 6, 2008. This work was supported in part by the Natural Sciences and Engineering Research Council of Canada.
S. Adibi is a Ph.D. student at the ECE Department in University of Waterloo, Waterloo, ON N2L 3G1 Canada, phone: 519-888-4567, email: sadibi@engmail.uwaterloo.ca.
G. B. Agnew is a Professor at the ECE Department in University of Waterloo, Waterloo, ON N2L 3G1 Canada, phone: 519-888-4567, email: gbagnew@engmail.uwaterloo.ca.

Abstract—This paper examines the security requirements for eHealth (Electronic Health) records and the current and future technological solutions provided for them. This includes the Security and Privacy (S&P) requirements for diverse electronic health information, the current frameworks and standards that maintain proper handling (processing, storing, and transmitting) of such sensitive information, and the related network architectures.

I. INTRODUCTION

Maintaining the privacy of information has always been a challenge. This becomes more critical for Electronic Health (eHealth) Information, as we have to maintain the privacy, safety, and anonymity of the patients' and physicians' information.

In the next section, we discuss the threats and security issues related to eHealth information. Section III discusses eHealth standards and frameworks, and section IV examines cryptographic system requirements and available security architectures. Finally, section V gives recommendations for proper security and privacy handling of eHealth information.

II. THREATS AND RISK ASSESSMENT (TRA)

The task of the Threats and Risk Assessment (TRA) is to ensure that Personal Health Information (PHI) and all of the pertinent data/applications are kept secure and private against various threats to Data Confidentiality, Data Integrity, Data Authenticity, Availability, and Privacy [1]. Information (data) can be in one of three states: Storage, Transmission, or Processing. Each state has different threats and security requirements, such as [2]:

Threat to User/Data Confidentiality/Privacy: In many cases, such as HIV treatments, anonymity of both the patient and the physician is required. This includes anonymity of all pertinent documents and information. This is usually done by disassociating patients' names from the eHealth database by storing them in separate databases. The data is also usually encrypted.

Threat to Data Integrity: There are various threats concerning the integrity of data. An unauthorized or authorized user may deliberately or inadvertently change a patient's records. To ensure health information has not undergone any type of modification or undue delay in processing, cryptographic hash functions and hashed time-stamps should be used.

Threat to User Authenticity: If an attacker can masquerade as a legitimate user, security can be compromised. Users must be uniquely identifiable and authenticated by the system.

Threat to Availability: In these types of attacks, the integrity of the system is compromised by making it unavailable to legitimate users. One such attack is a Denial of Service (DoS) attack, where the attacker launches a series of continual queries to flood the network. This prevents legitimate users from having access to the system. In wireless systems, jamming the communications link will have a similar effect.

Threat to Data Storage: When data is being stored, it must be protected from unauthorized access, additions, deletions or copying. This applies not only to the active database but also to any backup copies that are being stored.

Threat to Data Transmission: Transferred information can be intercepted on the fly. The use of encryption reduces the chance that an unauthorized entity can view or manipulate any of the transmitted information. However, the stronger the encryption technique, the slower the data processing will be. This is due to the additional computations required to encrypt and decrypt with very strong encryption algorithms.

A. Threat and Risk Assessment (TRA)

In order to address various risks and threats to Electronic Health Records (EHRs), collaborative standards have been created. One such set of standards has been created by Canada Health Infoway/Inforoute. To manage these standards, a new streamlined governance structure, called the Governance Model, has been developed. The following are the principles of the governance model (adapted from [3]):

1. "Providing decision-making practices to ensure openness and balance of interest, which supports the strategic coordination and direction of the Canadian health information standards and the collaborative services.
2. Streamlining for the Canadian health information standards governance structures and processes.
3. Supporting a long-term solution for the Collaborative Standards.
4. Providing a flexible core governance structure to establish task force groups to address issues with a specific scope and timeline.
5. Recognizing the existing Standards Development Organization governance procedures and policies.


6. Ensuring an efficient and effective approach to coordinate and manage health information standards.
7. Maintaining a high level of communication to all standards stakeholders.
8. Ensuring transparency of process and progress in regards to standards stakeholders".

The governance model for risk management and business owners is depicted in Figure 1 (adapted from [4]).

Figure 1. The Governance Model

1) Basic Risk Model: The Basic Risk Model (BRM) is a logical and sequential combination of threats, vulnerabilities, assets, risks, values, protections, and safeguards. This combination is shown in Figure 2 (adapted from [4]). According to Figure 2, the TRA phases include determining the protection requirements, which are met by the safeguards. This reduces the risks associated with the threats. Identifying and reducing threats will reduce the vulnerabilities. Exploring the assets will identify the values and the potential impacts. The overall risk values will adjust the required protection.

Figure 2. Basic Risk Model (BRM)

III. STANDARDS AND FRAMEWORKS

As mentioned previously, handling patient information in a secure manner is a challenging task. There are various scenarios and criteria, which makes it impossible to address all issues in a single draft. That is why numerous standards and frameworks have been created centered around the security of EHRs. Generally, eHealth is concerned with optimal handling (transmitting, processing, storing, etc.) of health-related information (such as prescriptions, lab results, referrals, x-rays, etc.). It also includes information related to business practices (IT services, emails, contracts, etc.).

The Health Insurance Portability and Accountability Act (HIPAA) was created by the United States government in 1996 [5]. It was designed to improve the continuity and portability of health coverage and to combat fraud and health insurance abuses [6]. HIPAA's security and privacy act includes [5]: "Transactions and Code Sets, Unique Health Identifiers, Security, Privacy, and Electronic Signatures".

In Canada, much of health care policy and funding is delegated to the individual provinces. In the province of Ontario, for example, health care is centered around an integrated care system that supports timely access to services, patient safety, and accountability. These are divided into the following three themes: Connectivity, Shareable Information, and Applications and Tools [7]. This has evolved into an Ontario-based standard: OHISC (Ontario Health Informatics Standards Council). The SMP (Standards Management Process) is how OHISC has adopted its accountability model for standards review and recommendation. The SMP steps include (adapted from [8]):

1. "The quality cross-sectoral information sharing review,
2. The standard appropriateness outline,
3. The feasibility issues with the standard implementation,
4. Any related items for the system interoperability".

The Pan-Canadian Health Information Privacy and Confidentiality Framework (PCHI-PCF) includes review and revision of both international and domestic eHealth provisions for protecting PHI and EHRs [8,9]. This Framework consists of core provisions for protecting the privacy of patients and their PHI. It has been harmonized with the Personal Information Protection and Electronic Documents Act (PIPEDA) [10] and the Canadian Charter of Rights and Freedoms (CCRF) [11]. This Framework covers recorded and unrecorded PHI.

PIPEDA identifies a number of main issues, including (adapted from [10]):

1. "Accountability for information
2. Information for Identifying purposes,
3. Limiting collection of personal information,
4. Limiting, retention and disclosure of information
5. Consent to collect and use personal information
6. Individual access to personal information
7. Challenging compliance,
8. Accuracy,
9. Safeguards, and
10. Openness of information".

Another framework is the Advisory Committee on Information and Emerging Technologies (ACIET), which was created in December 2002. ACIET includes five initiatives (adapted from [12]):
1. "Emerging Technologies Assessment,
2. Pharmaceuticals Strategic Advances,
3. Genomics,
4. Privacy,
5. Strategic Directions for the Pan-Canadian Health Information Privacy and Confidentiality Framework".

The International Standards Organization (ISO) is an international standardization body that also deals with eHealth security and privacy. The important ISO standards dealing with eHealth issues are [13]:

1. ISO 27002 (2005) is the code of practice for information security management and is a renamed standard from ISO 17799. It addresses the specific requirements, including (adapted from [9]):
a. "Structure, Risk Assessment and Treatment,
b. Security Policy,
c. Physical Security,
d. Organization of Information Security,
e. Human Resource Security,
f. Access Control,
g. Asset Management,
h. Communications and Ops Management,
i. Information Systems Acquisition,
j. Development,
k. Maintenance,
l. Compliance,
m. Information Security Incident management,
n. Business Continuity".

2. ISO 27799 covers information security management in health using ISO/IEC 27002 (formerly 17799). The purpose of ISO 27799 is to provide guidance to health organizations on maintaining the confidentiality, integrity, and availability of EHRs. The current draft is under final international publication, as of June 12th 2008.

IV. CRYPTO SYSTEM REQUIREMENTS AND SECURITY ARCHITECTURES

eHealth security/privacy systems require thorough analysis and recommendations for strong encryption and decryption. There are several areas of protection that crypto systems can address. These include [14]: Data Privacy, Data Integrity, User Authentication, and Non-Repudiation.

Data privacy is the ability to keep the communication between authorized parties private. This ensures that an unauthorized entity will not be able to interpret any part of the transmitted information. In a stronger sense, the unauthorized entity should not be able to identify the communicating parties. In the strongest sense, even the fact that any communication has occurred should be concealed. In the eHealth scenario, patients and the healthcare providers are the communicating parties. What is being transmitted among them (prescriptions, diagnostics, referrals, etc.) should be kept private. There is also a danger of inadvertent leakage of information if an attacker can associate a patient with a particular healthcare provider or test.

The ability of the patient to recognize and trust the physician, and that of the physician to recognize and provide secret information to the correct patient, is an important aspect. This is called user authentication. In the healthcare area, both parties must be able to authenticate each other (mutual authentication).

Data integrity is the ability to ensure the exchanged information is not subjected to addition, deletion, modification, or undue delay.

Non-repudiation is the ability to prevent an authorized user from denying previous participation in a communication.

The cryptographic tools ensuring security and privacy are: Encryption/Decryption, Message Authentication Codes (Cryptographic Hash Functions), and Digital Signatures.

Electronic Health Information is required to remain confidential for a very long time. Therefore, very strong cryptographic algorithms must be used. Cryptographic algorithms are designed for a limited secure lifetime; this is due to the tradeoffs between security and usability. As technology evolves, the requirement to use stronger security tools is inevitable; however, by adopting the strongest cryptographic tools available today, the need to re-encrypt the information in the future can be delayed. In 2006, the NSA released a series of recommended algorithms for cryptographic systems for government use (Suite B) [15]. These have set the standard for the current level of Best Practices in cryptographic systems.

A. Privacy and Security Architectures

The purpose of identifying the security threats and requirements is to create a broader security policy framework to address the specific security needs of a health care system. Figure 3 (adapted from [16]) depicts the privacy and security architecture process. Figure 4 (adapted from [16]) shows the proposed Canada Health Infoway eHealth security architecture. This architecture includes registries, data, and services. Two important entities are the Longitudinal Record Services (LRS) and the Health Information Access Layer (HIAL). The latter acts as a filter to provide the appropriate data/service to a specific department (pharmacy, radiology, etc.) and to keep the rest of the data/services secured from exposure.

V. RECOMMENDATIONS

Technological advances also increase the threats to privacy, as attackers have more powerful tools at hand. Therefore, protecting sensitive information is of great importance. We summarize our recommendations to health care providers for relatively safer and more secure environments in the following items:
1. Asset/Threat/Risk Analysis: A thorough and up-to-date TRA is required, according to the nature of the health care system, to identify vulnerabilities and to perform a complete asset/threat/risk analysis.
2. Strong Encryption/Decryption Algorithm: All data, including names, prescriptions, medications, procedures, etc., must be protected using the strongest cryptographic algorithms available.
3. User Authenticity/Anonymity: Mutual authentication reduces the chance of a successful attack.
4. Non-Repudiation: None of the communicating parties (patients and physicians) should be able to deny their involvement in any previous communications. For this, a strong digital signature scheme has to be present to accompany every individual communication taking place.
5. Secure Transmission: An end-to-end secure tunnel is suggested to reduce the chance that an unauthorized entity can capture and/or manipulate the transmitted information. Strong VPN/IPSec tunnels with multipath capabilities are suggested for this matter.
6. Secure Storage: Multi-redundant storage databases are required to store EHRs. This should be accompanied by very strong encryption techniques.
7. Privacy Protective and Secure HealthCare Solution: According to Figure 3, steps are to be taken to map legislative obligations into privacy policies and derive conceptual/logical/detailed system architectures to come up with the most reliable privacy and security system that satisfies most of the criteria.

Figure 3. The Privacy and Security Architecture Process

Figure 4. Privacy and Security Conceptual Architecture

VI. REFERENCES

[1] S. Dritsas, L. Gymnopoulos, M. Karyda, T. Balopoulos, S. Kokolakis, C. Lambrinoudakis, S. K. Katsikas, "A knowledge-based approach to security requirements for e-health applications", The Electronic Journal for E-Commerce Tools & Applications (eJETA), Special Issue on Emerging Security Paradigms in the Knowledge Era, October 2006.
[2] S. Adibi, G. B. Agnew, "Security Measures for Mobile Ad-Hoc Networks (MANETs)", Chapter 31 in Handbook of Research on Wireless Security, IGI Global, March 2008.
[3] Infoway Standards Collaborative Governance Model, http://www.infoway-inforoute.ca/en/WhatWeDo/StandardsCollaboration.aspx
[4] K. Jonah, "Threat and Risk Assessments in Sensitive eHealth Environments", presented at the eHealth Information Security Workshop, March 26-28, 2008, University of Waterloo, Ontario, Canada.
[5] "Health Insurance Portability & Accountability Act – HIPAA", Executive Overview & Summary, Phoenix Health System, http://www.hipaadvisory.com/programs/prest/HIPAAExecPresHiLeveledit.ppt
[6] Overview of HIPAA Privacy and Security, http://www.ahc.umn.edu/privacy/hipaa/home.html
[7] B. Jalayer, "e-Health, Electronic Health Record and Technology Infrastructure", presentation to WHO-EMRO, September 2004.
[8] Ontario Health Informatics Standards Council (OHISC), http://www.health.gov.on.ca/ehealth/standards/standards_mn.html
[9] Pan-Canadian Health Information Privacy and Confidentiality Framework, http://www.hc-sc.gc.ca/hcs-sss/pubs/ehealth-esante/2005-pancanad-priv/index_e.html
[10] K. Boschee, "Canadian Data Protection Law: The Personal Information Protection and Electronic Documents Act (PIPEDA)", prepared for the American Bar Association, February 12, 2004.
[11] "Canadian Charter of Rights and Freedoms", reliable transcription of Part 1 of the Constitution Act, 1982, http://www.hackcanada.com/canadian/freedom/ccrf.html
[12] Canada's Health Infostructure, Federal/Provincial/Territorial Advisory Committee on Information and Emerging Technologies, http://www.hc-sc.gc.ca/hcs-sss/ehealth-esante/infostructure/aciet_ccint_e.html
[13] The 27000 series of ISO standards, ISO website, http://www.27000.iso.org
[14] G. B. Agnew, "Encryption and Encryption Technologies for Health Care", presented at the eHealth Information Security Workshop, March 26-28, 2008, University of Waterloo, Ontario, Canada.
[15] "Fact Sheet NSA Suite B Cryptography", http://www.nsa.gov/ia/industry/Crypto_suite_b.cfm
[16] S. Ratajczak, "Canadian Health Infoway – eHealth Security Architecture Overview – How secure and privacy enhancing is your iEHR?", presented at the eHealth Information Security Workshop, March 26-28, 2008, University of Waterloo, Ontario, Canada.
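As an added example (not code from the paper, nor from Canada Health Infoway or any of the cited projects), the following Python program puts three of the controls discussed in Sections II and IV into working code using only the standard library: it disassociates patient identities from clinical records by keeping the identity mapping in a separate store and keying records with a keyed pseudonym; it binds each record to a hashed time-stamp and a message authentication code (HMAC over a cryptographic hash) so that any later modification is detected; and it rejects a record whose time-stamp falls outside the accepted processing window as unduly delayed. All keys, the patient name, the health number, the record contents and the class and function names are this example's own constructed values.

```python
"""Tamper-evident, pseudonymised eHealth record store (added example, not from the paper).

Controls shown, mapped to the paper's threat list:
  * confidentiality: identities live in a separate store; records are keyed by
    a keyed pseudonym (HMAC of the health number), never by name;
  * integrity: each record carries a hashed time-stamp plus an HMAC tag, so a
    changed record body fails verification;
  * undue delay: a record whose time-stamp is older than the processing window
    is rejected.
Every key, name, number and record below is a constructed sample value.
"""
import hashlib
import hmac
import json
import secrets
import sqlite3
import time

HASH = "sha256"


class IdentityVault:
    """Separate database mapping real identities to pseudonyms (hypothetical class)."""

    def __init__(self, pseudonym_key: bytes) -> None:
        self._key = pseudonym_key
        self._db = sqlite3.connect(":memory:")
        self._db.execute("CREATE TABLE identity (pseudonym TEXT PRIMARY KEY, health_number TEXT, name TEXT)")

    def pseudonym_for(self, health_number: str, name: str) -> str:
        # Keyed hash: without the vault's key, a pseudonym cannot be recomputed from a guessed number.
        pid = hmac.new(self._key, health_number.encode(), HASH).hexdigest()
        self._db.execute("INSERT OR IGNORE INTO identity VALUES (?, ?, ?)", (pid, health_number, name))
        return pid

    def resolve(self, pseudonym: str):
        row = self._db.execute("SELECT name FROM identity WHERE pseudonym = ?", (pseudonym,)).fetchone()
        return row[0] if row else None


class RecordStore:
    """Clinical records keyed only by pseudonym, each with a hashed time-stamp and HMAC tag."""

    def __init__(self, integrity_key: bytes, max_delay_s: int = 300) -> None:
        self._key = integrity_key
        self._max_delay = max_delay_s
        self._db = sqlite3.connect(":memory:")
        self._db.execute("CREATE TABLE record (id INTEGER PRIMARY KEY, pseudonym TEXT, body TEXT, "
                         "ts INTEGER, ts_hash TEXT, tag TEXT)")

    def _tag(self, pseudonym: str, body: str, ts: int) -> str:
        # MAC over pseudonym, time-stamp and body: covers every field an editor could alter.
        return hmac.new(self._key, f"{pseudonym}|{ts}|{body}".encode(), HASH).hexdigest()

    @staticmethod
    def _ts_hash(body: str, ts: int) -> str:
        # Hashed time-stamp: binds the record content to the moment it was written.
        return hashlib.new(HASH, f"{ts}|{body}".encode()).hexdigest()

    def add(self, pseudonym: str, record: dict, now=None) -> int:
        ts = int(now if now is not None else time.time())
        body = json.dumps(record, sort_keys=True)  # canonical form so the hash is reproducible
        cur = self._db.execute(
            "INSERT INTO record (pseudonym, body, ts, ts_hash, tag) VALUES (?, ?, ?, ?, ?)",
            (pseudonym, body, ts, self._ts_hash(body, ts), self._tag(pseudonym, body, ts)))
        return cur.lastrowid

    def tamper(self, rid: int, new_record: dict) -> None:
        """Simulate an edit that bypasses add(), e.g. a direct change to the database."""
        self._db.execute("UPDATE record SET body = ? WHERE id = ?", (json.dumps(new_record, sort_keys=True), rid))

    def verify(self, rid: int, now=None) -> str:
        """Return 'ok', 'modified', 'delayed' or 'missing' for the stored record."""
        row = self._db.execute("SELECT pseudonym, body, ts, ts_hash, tag FROM record WHERE id = ?", (rid,)).fetchone()
        if row is None:
            return "missing"
        pseudonym, body, ts, ts_hash, tag = row
        # compare_digest keeps the tag check free of timing side channels.
        if not hmac.compare_digest(tag, self._tag(pseudonym, body, ts)) or ts_hash != self._ts_hash(body, ts):
            return "modified"
        now = now if now is not None else time.time()
        if now - ts > self._max_delay:
            return "delayed"
        return "ok"


def demo() -> dict:
    """Run the three checks on a constructed record and return the outcomes."""
    vault = IdentityVault(secrets.token_bytes(32))
    store = RecordStore(secrets.token_bytes(32))
    pid = vault.pseudonym_for("ON-0000-123-456", "Sample Patient")  # constructed identity
    t0 = 1_700_000_000
    rid = store.add(pid, {"lab": "HbA1c", "value": 6.1}, now=t0)  # constructed lab result
    results = {"fresh": store.verify(rid, now=t0 + 10), "delayed": store.verify(rid, now=t0 + 3600)}
    store.tamper(rid, {"lab": "HbA1c", "value": 5.0})
    results["tampered"] = store.verify(rid, now=t0 + 10)
    results["name_in_record_key"] = "Sample Patient" in pid
    results["resolved"] = vault.resolve(pid)
    return results


if __name__ == "__main__":
    print(demo())
```

An HMAC proves that the record was produced by a holder of the shared integrity key, which is enough for the integrity and delay checks of Section II, but it cannot give the non-repudiation the paper asks for in recommendation 4: either key holder could have produced the tag, so that property needs an asymmetric digital signature where only the signer holds the private key. The pseudonym is a keyed HMAC rather than a plain hash so that someone who obtains the record store alone cannot recompute pseudonyms from guessed health numbers; the paper's warning about inadvertent leakage through linkage still applies to any field left in the clear in the record body.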
