XML Security based Access Control for Healthcare Information in Mobile Environment
Dasun Weerasinghe, Kalid Elmufti, M Rajarajan, Veselin Rakocevic
Mobile Networks Research Group, School of Engineering and Mathematical Sciences, City University London

Outline of the Presentation
• Motivation
• Security Issues
• Technologies used
• Proposed Mobile Healthcare Architecture
• Advantages
Security Issues
• Authenticate mobile devices to the healthcare service operator
• Confidentiality of the patient’s health information
• Protect the integrity of health information
• Stakeholders in the healthcare service operator should be accountable for the information they send
• Different access levels to health information at the healthcare service operator

Technologies Used
• XML - eXtensible Markup Language
• XML Encryption
• XML Signature
• XML Key Management Specification

XML Encryption
• Provides end-to-end confidentiality
• Encryption is based on XML formats
• Solution to Confidentiality and Authentication
• Advanced features:
  • Partial Encryption
  • Multiple Encryption
XML Encryption (Contd.)
• Patient’s blood pressure count in an XML message
• The blood pressure count has to be encrypted

XML Encryption (Contd.)
• Encrypted XML Message

XML Signature
• Technology for data integrity
• The XML Signature specification defines electronic signature formats using XML
• Solution to Authentication, Integrity and Non-repudiation
• Advanced features:
  • Partial Signature
  • Multiple Signature

XML Signature (Contd.)
• Patient’s blood pressure count carried with an XML Signature
Mobile Healthcare Architecture (diagram; only the labels survive): Service Providers; Stakeholders; Insurance Service; Doctor; Private Medical Centre; Nurse; Administrator; Healthcare Service; Pharmacy; Lab; Patient; Healthcare Operator / IdP; Existing Relation; Mobile Operator

Protocol for Mobile Health
• Protocol addresses:
  • Authentication
  • Data Integrity
  • Confidentiality
  • Non-Repudiation
  • Data Access level control
• Messages are in XML format
• Communication is based on Web Services
Protocol – Authentication phase (sequence diagram between Service Providers, Mobile Operator, Patient and Healthcare Operator / IdP; message labels as they appear): Request Access; Request for BSP; Initiate BSP; B-TID; B-TID; B-TID; Ks; RAND; Challenge; Challenge Response; UT
• B-TID = string of base64 random data
• Ks = key material to secure the communication

Protocol – Authentication to SP (sequence diagram between Service Providers, Mobile Operator, Patient and Healthcare Operator / IdP; message labels as they appear): Request Access to SP, SPID, UT; SPUT, tsK; SPUT; Login confirmation msg; Service Request
• SPUT = SPID, tsK, TS, PID; encrypted by SP’s public key and signed by HO/IdP’s private key
Protocol - Data Access Level (sequence diagram between the Service Provider Healthcare Service, Patient, Doctor, Lab, Nurse, Pharmacy and Admin; message labels as they appear, order not recoverable from the extraction)
• Service Req
• Request Msg: encrypted in tsK
• Msg: signed by HS’s IK
• Append Health information: encrypted by Doctor’s CK
• Append Patient information: encrypted by Admin’s CK
• Append data reading for Lab: signed by Doctor’s IK, encrypted by Lab’s CK
• Append Lab Results: signed by Lab’s IK, encrypted by Doctor’s CK
• Append XML message to Nurse: health information, signed by Doctor’s IK and encrypted by Nurse’s CK
• Append XML message to Pharmacy: about drugs, signed by Doctor’s IK and encrypted by Pharmacy’s CK
• Append XML message to Patient: doctor’s comments, signed by Doctor’s IK and encrypted by HS’s CK
• Append message to patient: signed by Nurse’s IK, encrypted by HS’s CK
• Append message to Admin: about billing, signed by Pharmacy’s IK, encrypted by Admin’s CK
• Append invoice: signed by Admin’s IK, encrypted by HS’s CK
• HS decrypts all the messages which are encrypted in HS’s CK, appends those to the XML and encrypts the full message in tsK
• IK: private key; CK: public key

Protocol - Data Access Level (Contd.)
• The same XML document is manipulated over different user levels.
• Data access is restricted using XML elements.
• The same XML message can be sent to external service providers.
• HS appends the information required for external parties, signed by HS’s private key and encrypted by the receiver’s public key.
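The element-level pattern behind the data-access-level protocol above (and the partial encryption and signature features on the earlier slides) is: each appended element is encrypted with the addressee’s public key (CK) and signed with the sender’s private key (IK), so one shared document carries fields that only the intended user level can read. The following is an added Go example, not code from the presentation; the element layout, attribute names and the use of RSA-OAEP and RSA-PSS in place of the XML Encryption/XML Signature wire formats are assumptions made here for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
)

// Part is one element appended to the shared patient XML document: a field
// encrypted for one recipient (CK, its public key) and signed by the sender (IK,
// its private key). Element names are assumed; the tags suit encoding/xml.
type Part struct {
	From      string `xml:"from,attr"`
	To        string `xml:"to,attr"`
	Cipher    string `xml:"CipherData"`
	Signature string `xml:"Signature"`
}

// Seal encrypts a short field (e.g. a blood pressure reading) for the recipient
// with RSA-OAEP and signs the ciphertext with the sender's key (RSA-PSS, SHA-256).
// Each call yields one element; a document is simply the list of sealed parts.
func Seal(from, to string, ik *rsa.PrivateKey, ck *rsa.PublicKey, field []byte) (Part, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, ck, field, []byte(to))
	if err != nil {
		return Part{}, err
	}
	h := sha256.Sum256(ct)
	sig, err := rsa.SignPSS(rand.Reader, ik, crypto.SHA256, h[:], nil)
	if err != nil {
		return Part{}, err
	}
	enc := base64.StdEncoding
	return Part{From: from, To: to, Cipher: enc.EncodeToString(ct), Signature: enc.EncodeToString(sig)}, nil
}

// Open verifies the sender's signature before decrypting with the reader's private
// key. A reader who is not the addressee cannot recover the field, which is what
// confines each user level to its own elements of the shared document.
func Open(p Part, senderCK *rsa.PublicKey, readerIK *rsa.PrivateKey) ([]byte, error) {
	// Base64 decode errors are left to surface as a failed signature check below.
	ct, _ := base64.StdEncoding.DecodeString(p.Cipher)
	sig, _ := base64.StdEncoding.DecodeString(p.Signature)
	h := sha256.Sum256(ct)
	if err := rsa.VerifyPSS(senderCK, crypto.SHA256, h[:], sig, nil); err != nil {
		return nil, err // element was not signed by the claimed sender, or was altered
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, readerIK, ct, []byte(p.To))
}
```

A Doctor sealing a reading for the Nurse can be checked by the Nurse with the Doctor’s public key, while the Pharmacy, holding a different private key, cannot open the same element, and any change to the ciphertext fails verification before decryption is attempted.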
Advantages
• Healthcare information is protected in the mobile environment
• Stakeholders in the healthcare service operator are accountable for the information they send
• Different access levels are defined in a single healthcare information document for different user levels