Adibi 2008
Abstract—This paper examines the security requirements for eHealth (Electronic Health) records and the current and future technological solutions provided for them. This includes the Security and Privacy (S&P) requirements for diverse electronic health information, the current frameworks and standards for maintaining proper handling (processing, storing, and transmitting) of such sensitive information, and the related network architectures.

I. INTRODUCTION

Maintaining the privacy of information has always been a challenge. This becomes more critical for Electronic Health (eHealth) Information, as we have to maintain the privacy, safety, and anonymity of the patients' and physicians' information.

In the next section, we will discuss the threats and security issues related to eHealth information. Section III discusses eHealth standards and frameworks, and section IV examines cryptographic system requirements and available security architectures. Finally, section V includes recommendations for proper security and privacy handling of eHealth information.

II. THREATS AND RISK ASSESSMENT (TRA)

The task of the Threats and Risk Assessment (TRA) is to ensure that Personal Health Information (PHI) and all of the pertinent data/applications are kept secure and private against various threats to Data Confidentiality, Data Integrity, Data Authenticity, Availability, and Privacy [1]. Information (data) can be in one of three states: Storage, Transmission, or Processing. Each state has different threats and security requirements, such as [2]:

Threat to User/Data Confidentiality/Privacy: In many cases, such as HIV treatments, anonymity of both the patient and the physician is required. This includes anonymity of all pertinent documents and information. This is usually done by disassociating patients' names from the eHealth database by storing them in separate databases. The data is also usually encrypted.

Threat to Data Integrity: There are various threats concerning the integrity of data. An unauthorized or authorized user may deliberately or inadvertently change a patient's records. To ensure health information has not undergone any type of modification or undue delay in processing, cryptographic hash functions and hashed time-stamps should be used.

Threat to User Authenticity: If an attacker can masquerade as a legitimate user, security can be compromised. Users must be uniquely identifiable and authenticated by the system.

Threat to Availability: In these types of attacks, the integrity of the system is compromised by making it unavailable to legitimate users. One such attack is a Denial of Service (DoS) attack, where the attacker launches a series of continual queries to flood the network. This prevents legitimate users from having access to the system. In wireless systems, jamming the communications link will have a similar effect.

Threat to Data Storage: When data is being stored, it must be protected from unauthorized access, additions, deletions or copying. This applies not only to the active database but also to any backup copies that are being stored.

Threat to Data Transmission: Transferred information can be intercepted on the fly. The use of encryption reduces the chance of an unauthorized entity being able to view or manipulate any of the transmitted information. However, the stronger the encryption technique, the slower the data processing will be. This is due to the additional computations required to encrypt and decrypt with very strong encryption algorithms.

A. Threat and Risk Assessment (TRA)

In order to address various risks and threats to Electronic Health Records (EHRs), collaborative standards have been created. One such set of standards has been created by Canadian Infoway/Inforoute. To manage these standards, a new streamlined governance structure has been developed, which is called the Governance Model. The following are the principles of the governance model (adapted from [3]):

1. “Providing decision-making practices to ensure openness and balance of interest, which supports the strategic coordination and direction of the Canadian health information standards and the collaborative services.
2. Streamlining for the Canadian health information standards governance structures and processes.
3. Supporting a long-term solution for the Collaborative Standards.
4. Providing a flexible core governance structure to establish task force groups to address issues with a specific scope and timeline.
5. Recognizing the existing Standards Development Organization governance procedures and policies.

Manuscript received April 6, 2008. This work was supported in part by the Natural Sciences and Engineering Research Council of Canada.
S. Adibi is a Ph.D. student at the ECE Department in University of Waterloo, Waterloo, ON N2L 3G1 Canada, phone: 519-888-4567, email: sadibi@engmail.uwaterloo.ca.
G. B. Agnew is a Professor at the ECE Department in University of Waterloo, Waterloo, ON N2L 3G1 Canada, phone: 519-888-4567, email: gbagnew@engmail.uwaterloo.ca.
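Section II calls for cryptographic hash functions and hashed time-stamps so that both modification and undue delay in processing can be detected. The following is an added example, not code from the paper, showing one way to realise that with a keyed hash (HMAC-SHA-256 from Python's standard library) over the record together with its sealing time; the key, record, time-stamps and delay limit are constructed values.

```python
import hmac
import hashlib

# Added example (not from the paper): a keyed hash over the record together
# with the time at which it was sealed, so that the receiver can detect both
# silent modification and undue delay in processing.
MAX_DELAY_SECONDS = 300  # assumed processing deadline for this illustration


def seal_record(key: bytes, record: bytes, sealed_at: int) -> bytes:
    """Return an integrity tag binding the record to its time-stamp."""
    # The time-stamp is hashed together with the record, so neither can be
    # altered independently without invalidating the tag.
    msg = sealed_at.to_bytes(8, "big") + record
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_record(key: bytes, record: bytes, sealed_at: int, tag: bytes,
                  now: int, max_delay: int = MAX_DELAY_SECONDS) -> str:
    """Classify a received record as 'ok', 'modified' or 'delayed'."""
    expected = seal_record(key, record, sealed_at)
    # Constant-time comparison avoids leaking how many tag bytes matched.
    if not hmac.compare_digest(expected, tag):
        return "modified"
    if now - sealed_at > max_delay:
        return "delayed"
    return "ok"


def demo() -> dict:
    """Run the cases the paper's integrity threat describes on constructed data."""
    key = b"constructed-demo-key-not-for-production"
    record = b"patient=P-0001;rx=amoxicillin 500mg;dose=3/day"
    sealed_at = 1_700_000_000  # constructed epoch time-stamp
    tag = seal_record(key, record, sealed_at)
    tampered = record.replace(b"3/day", b"6/day")
    return {
        "intact": verify_record(key, record, sealed_at, tag, sealed_at + 60),
        "tampered": verify_record(key, tampered, sealed_at, tag, sealed_at + 60),
        # Same record and tag presented long after sealing: undue delay.
        "stale": verify_record(key, record, sealed_at, tag, sealed_at + 3600),
        # Time-stamp moved forward to hide the delay: the tag no longer matches.
        "retimed": verify_record(key, record, sealed_at + 3500, tag, sealed_at + 3600),
    }
```

The shared key stands in for whatever keying the deployment uses; a digital signature over the same message would give the same detection plus non-repudiation.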
1. “Emerging Technologies Assessment,
2. Pharmaceuticals Strategic Advances,
3. Genomics,
4. Privacy,
5. Strategic Directions for the Pan-Canadian Health Information Privacy and Confidentiality Framework”.

The International Standards Organization (ISO) is an international standardization body that also deals with eHealth security and privacy. The important ISO standards dealing with eHealth issues are [13]:

1. ISO 27002 (2005) is the code of practice for information security management; it is the renamed ISO 17799 standard and addresses the specific requirements, including (adapted from [9]):
 a. “Structure, Risk Assessment and Treatment,
 b. Security Policy,
 c. Physical Security,
 d. Organization of Information Security,
 e. Human Resource Security,
 f. Access Control,
 g. Asset Management,
 h. Communications and Ops Management,
 i. Information Systems Acquisition,
 j. Development,
 k. Maintenance,
 l. Compliance,
 m. Information Security Incident management,
 n. Business Continuity”.
2. ISO 27799 is the security management standard for health using ISO/IEC 27002 (17799). The purpose of ISO 27799 is to provide guidance to health organizations in maintaining the confidentiality, integrity, and availability of EHRs. The current draft is under final international publication as of June 12th 2008.

IV. CRYPTO SYSTEM REQUIREMENTS AND SECURITY ARCHITECTURES

The eHealth security/privacy systems require thorough analysis and recommendations for strong encryption and decryption. There are several areas of protection that crypto systems can address. These include [14]: Data Privacy, Data Integrity, User Authentication, and Non-Repudiation.

Data privacy is the ability to keep the communication between authorized parties private. This ensures that an unauthorized entity will not be able to interpret any part of the transmitted information. In a stronger sense, the unauthorized entity should not be able to identify the communicating parties. In the strongest sense, even the fact that any communication has occurred should be concealed. In the eHealth scenario, patients and the healthcare providers are the communicating parties. What is being transmitted among them (prescriptions, diagnostics, referrals, etc.) should be kept private. There is also a danger of inadvertent leakage of information if an attacker can associate a patient with a particular healthcare provider or test.

The ability of the patient to recognize and trust the physician, and that of the physician to recognize and provide secret information to the correct patient, is an important aspect. This is called user authentication. In the healthcare area, both parties must be able to authenticate each other (mutual authentication).

Data integrity is the ability to ensure the exchanged information is not subjected to addition, deletion, modification, or undue delay.

Non-repudiation is the ability to prevent an authorized user from denying previous participation in a communication.

The cryptographic tools ensuring security and privacy are: Encryption/Decryption, Message Authentication Codes (Cryptographic Hash Functions), and Digital Signatures.

Electronic Health Information is required to remain confidential for a very long time. Therefore very strong cryptographic algorithms must be used. Cryptographic algorithms are designed for a limited secure lifetime. This is due to the tradeoffs between security and usability. As technology evolves, the requirement for utilizing stronger security tools is inevitable; however, with the adoption of the strongest available cryptographic tools of today, the need to re-encrypt the information in the future can be delayed. In 2006, the NSA released a series of recommended algorithms for cryptographic systems for government use (Suite B) [15]. These have set the standard for the current level of Best Practices in cryptographic systems.

A. Privacy and Security Architectures

The purpose of identifying the security threats and requirements is to create a broader security policy framework to address the specific security needs of a health care system. Figure 3 (adapted from [16]) depicts the privacy and security architecture process. Figure 4 (adapted from [16]) also shows the proposed Canadian Health Infoway and eHealth security architecture. This architecture includes registries, data, and services. Two important entities are the Longitudinal Record Services (LRS) and the Health Information Access Layer (HIAL). The latter acts as a filter to provide the appropriate data/service to a specific department (pharmacy, radiology, etc.) and to keep the rest of the data/services secured from exposure.

V. RECOMMENDATIONS

Technological advances also increase the threats to privacy, as attackers have more powerful tools at hand. Therefore protecting sensitive information is of great importance. We summarize our recommendations to the health care providers for relatively safer and more secure environments with the following items:
7. Privacy Protective and Secure HealthCare Solution:
According to Figure 3, steps are to be taken to map
legislative obligations into privacy policies and derive
conceptual/logical/detailed system architectures to come
up with the most reliable privacy and security system
that satisfies most of the criteria.
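Section II describes disassociating patients' names from the eHealth database by keeping them in a separate store, and Section IV.A describes the HIAL as a filter that gives each department only its appropriate data and keeps the rest from exposure. The following is an added example, not the paper's or Infoway's code, that combines the two in Python; the department entitlements, the pepper and the patient record are assumed, constructed values.

```python
import hmac
import hashlib

# Added example (not from the paper): clinical data is stored under a keyed
# pseudonym, identities live in a separate store, and an access layer modelled
# on the HIAL hands each department only the data domains it is entitled to.
IDENTITY_STORE: dict = {}   # pseudonym -> patient name, kept apart from clinical data
CLINICAL_STORE: dict = {}   # pseudonym -> {data domain: records}

# Assumed per-department entitlements for this illustration (not Infoway's policy).
HIAL_POLICY = {
    "pharmacy": {"medications", "allergies"},
    "radiology": {"imaging", "allergies"},
    "laboratory": {"lab_results"},
    "attending_physician": {"medications", "allergies", "imaging", "lab_results"},
}
MAY_REIDENTIFY = {"attending_physician"}  # roles allowed to see the patient's name

def pseudonym(pepper: bytes, health_card_no: str) -> str:
    # Keyed hash: linking a pseudonym back to the card number needs the secret
    # pepper, which the clinical store never holds.
    return hmac.new(pepper, health_card_no.encode(), hashlib.sha256).hexdigest()[:16]

def admit(pepper: bytes, name: str, health_card_no: str, clinical: dict) -> str:
    """Store identity and clinical data in separate stores joined only by the pseudonym."""
    pid = pseudonym(pepper, health_card_no)
    IDENTITY_STORE[pid] = name
    CLINICAL_STORE[pid] = dict(clinical)
    return pid

def hial_view(pid: str, department: str) -> dict:
    """Return only the part of the longitudinal record the department may see."""
    allowed = HIAL_POLICY.get(department)
    if allowed is None:  # unknown requester: deny by default
        raise PermissionError(f"no entitlement for {department!r}")
    record = CLINICAL_STORE.get(pid, {})
    view = {domain: data for domain, data in record.items() if domain in allowed}
    if department in MAY_REIDENTIFY:  # everyone else works on the pseudonym only
        view["patient"] = IDENTITY_STORE[pid]
    return view

def demo() -> dict:
    pepper = b"constructed-pepper-not-for-production"
    pid = admit(pepper, "A. Patient", "1234-567-890", {  # constructed sample record
        "medications": ["amoxicillin 500mg"], "allergies": ["penicillin"],
        "imaging": ["chest x-ray 2008-04-01"], "lab_results": ["CBC normal"]})
    return {"pharmacy": hial_view(pid, "pharmacy"),
            "radiology": hial_view(pid, "radiology"),
            "physician": hial_view(pid, "attending_physician")}
```

A pharmacy request never receives imaging or lab data and never sees the patient's name; only the re-identifying role is handed the link back to the identity store.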
VI. REFERENCES