CoreGRID: European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies
Privacy and Security aspects of medical data storage on Grids
University of Cyprus and FORTH ICS (Greece)
Jesus Luna
Feb-2008
Outline
• Motivation: eHealth
• Security risks
• What’s the matter with privacy?
• Legal approach
• Technological approach
• Conclusions
Motivation: eHealth
• eHealth describes the application of IT and communications technologies across the whole range of functions that affect the health sector, from the doctor to the hospital manager, via nurses, data processing specialists, social security administrators and - of course - the patients.
• eHealth (like eGovernment and eBanking) promises substantial productivity gains and restructured, citizen-centered health systems.
• Examples:
  • Electronic Health Records.
  • Intensive Care Medicine.
  • ePharmacies.
With reward comes risk
Network-connected devices, systems & applications
• The Reward
  • Quality of care
  • Fewer errors
  • Communication
  • Operational efficiency
  • Savings
• The Risk
  • More vulnerable to an attack
eHealth is a delicious target for hackers
• “Health industry payers and providers make attractive targets for identity theft and certain other cybercriminals because they collect and maintain large volumes of protected health information as well as other sensitive personal and financial data and conduct many transactions electronically...”
• (May-05) (American Bar Association)
eHealth Vulnerability Reporting Program (EHVRP/May 2006)
• According to the Open Web Application Security Project (OWASP): Patient's Privacy Compromised
Privacy is the name of the game
• Privacy is the right of an individual or group to hide information about themselves, disclosing it only to authorized entities.
• It is central to the doctor-patient relationship (ever since the ancient Hippocratic Oath!).
• But there are issues that may arise:
  • Security trade-offs (e.g. user authentication).
  • Legal issues because eHealth privacy laws are quite new (e.g. EU) or provide only partial solutions (e.g. US).
Privacy means Trust!
• If patients do not trust eHealth systems, they:
  • Give inaccurate or incomplete information.
  • Ask the doctor not to write down certain health information or to record a less serious or embarrassing condition.
  • Avoid care altogether.
• Therefore:
  • Patients with undetected and untreated conditions.
  • Life-threatening situations!
  • Future treatment may be compromised if the doctor misrepresents patient information.
• Comprehensive solution: eHealth Privacy = Legal + Technological
Legally eHealth
• The heart of the European eHealth world is the Electronic Health Record (EHR).
• Under current Data Protection legislation, the patient’s consent legitimates EHR processing.
• But what if the patient is unable to give consent due to a critical situation?
• The European Health Management Association (EHMA), along with the Commission, called for the “Legally eHealth” project to study these kinds of issues.
EHMA’s legal recommendations on eHealth Data Protection
• Problem: Legal uncertainties and ambiguities in Data Protection, Consent and Other Purposes.
EHMA’s technical recommendation on eHealth Data Protection
Problem: Technical and organizational security measures.
Issue: Data controller must take technical and organizational measures to protect security and confidentiality of personal data.
Recommendation: Member States must implement and harmonize Data Protection mechanisms.
• Let’s introduce our “low-level” approach for securing personal data in an eHealth storage system…
ICGrid: data architecture
[Figure; labels: From sensors, Patient’s personal data]
Step 1.- security analysis
[Figure; annotations:]
• Ultimate compromise of storage devices
• Inter-site comm. encrypted
• Attacker may damage link
• AuthN&AuthZ enforcement
• Internal attacks (revoked users) are feasible
• Compromise not feasible
Step 2.- proposed mechanisms
[Figure; annotations:]
• Encrypt at Disk-Level
• Fragment at Storage Elements
• Integrity mechanisms
• Real-time User validation
• Store per-file Crypto-key
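The mechanisms named on the Step 2 slide (encryption, fragmentation across Storage Elements, integrity checks, a per-file crypto-key) can be combined as in the following added example, which is not from the presentation or from ICGrid. The function names, the metadata dictionary, the round-robin striping, per-file rather than disk-level encryption, and the SHA-256 counter-mode keystream (a standard-library stand-in for a vetted cipher) are all assumptions.

```python
import hashlib
import hmac
import os

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in stream cipher (SHA-256 in counter mode) so the example runs on
    # the standard library alone; a deployment would use a vetted AEAD instead.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def store(record: bytes, n_elements: int):
    """Encrypt with fresh per-file keys, MAC, then stripe over storage elements."""
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(16)
    ks = _keystream(enc_key, nonce, len(record))
    ct = bytes(a ^ b for a, b in zip(record, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    # Byte i goes to element i mod n, so no element holds contiguous ciphertext.
    fragments = [ct[i::n_elements] for i in range(n_elements)]
    # Keys and tag are kept in a separate metadata store (assumed), not on the elements.
    meta = {"enc_key": enc_key, "mac_key": mac_key, "nonce": nonce,
            "tag": tag, "length": len(ct)}
    return fragments, meta

def retrieve(fragments, meta) -> bytes:
    """Reassemble the stripes, verify integrity, and only then decrypt."""
    n = len(fragments)
    ct = bytearray(meta["length"])
    for i, frag in enumerate(fragments):
        if len(frag) != len(range(i, meta["length"], n)):
            raise ValueError("fragment size mismatch")
        ct[i::n] = frag
    expected = hmac.new(meta["mac_key"], meta["nonce"] + bytes(ct), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, meta["tag"]):
        raise ValueError("integrity check failed")
    ks = _keystream(meta["enc_key"], meta["nonce"], len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

if __name__ == "__main__":
    record = b"patient=CONSTRUCTED-001;hr=72;spo2=98"  # constructed sample record
    frags, meta = store(record, 3)
    print([len(f) for f in frags])   # each element holds roughly a third
    print(retrieve(frags, meta))     # round-trips only if every fragment is intact
```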
Conclusions (1)
• eHealth systems are bringing a citizen-centered Health System.
• Using public networks for eHealth introduces new vulnerabilities, and attackers are resourceful.
• Preserving patients’ privacy and overall security is a must.
• Total Solution:
  • Legal: Data Protection laws and harmonization.
  • Technological: R+D already taking place.
Conclusions (2)
• And the road ahead:
  • Storage Elements are “the last line of defense” if authorization and authentication fail.
  • Performance and usability should be balanced with security.
  • Keep harmonizing legal and technical solutions!
Thank you for your attention!
• Questions?
• Jesus Luna
• jluna@cs.ucy.ac.cy