1. Requirements of Secure Storage Systems for Healthcare Records: A Position Paper
Ragib Hasan+, Marianne Winslett+, and Radu Sion++
+University of Illinois at Urbana-Champaign
++Stony Brook University
2. Securing Healthcare records is a difficult task
Digital records can be copied verbatim, exposing confidential patient information
Attacks can occur from both within and outside the organization
Various privacy laws around the world strictly regulate the digital storage of healthcare records
Our goal: Look into the regulations, and derive a common set of storage/security requirements for healthcare records
3. Finding a common theme in regulations
Different countries around the world have different regulations on healthcare information management
A common set of requirements can be derived from these regulations
Research on healthcare records should follow these common criteria
4. Case study: HIPAA
HIPAA stands for Health Insurance Portability and Accountability Act of 1996
Regulates insurance industry (Title I), and mandates the confidentiality and privacy of medical information (Title II)
Compliance is mandatory for organizations handling healthcare information
5. HIPAA’s security requirements
Privacy:
Organizations must ensure reasonable measures for safeguarding privacy and confidentiality
Security:
Internal audit procedures for medical data are mandatory for all organizations
Records must be disposed of in a trustworthy manner after the mandatory retention period
Data integrity must be ensured via checksums or signatures
6. Other requirements of HIPAA
Media re-use:
All information needs to be removed before re-use of storage media
Accountability:
All data access and migration operations must be logged
Backup and Storage:
Organizations must provide backup of all information
7. Other laws around the world also mandate various security requirements
OSHA:
Occupational Safety and Health Administration requires all employee exposure records to be maintained for 30 years
EU Directive 95/46/EC
Article 6 requires accuracy guarantees of personal records, and guaranteed disposal after the retention period.
Article 17 requires measures for ensuring the confidentiality and availability of records.
UK Data Protection Act of 1998
Requires mandatory disposal of electronic records after retention period,
Mandates accuracy of information,
Requires logging any changes, and strict confidentiality.
8. A common set of requirements can be derived from these laws
Confidentiality and access control
Integrity
Availability and performance
Logging, audit trails, and provenance
Long term secure retention and migration
Backup
Cost effectiveness
9. Existing storage models do not address all these requirements
Relational databases
Most commonly used model for healthcare records
Encryption provides confidentiality, but does not protect records from malicious insiders, and also makes queries on encrypted records less efficient
IBM’s Hippocratic Database technology can provide fine grained access control, and compliant auditing, but is still vulnerable to insider attacks
10. Existing storage models do not address all these requirements (2)
Object-based storage systems:
Document content hashes are used to locate documents
Allows efficient retrieval for read operations
Document integrity is ensured
But appends and writes are difficult and inefficient
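The trade-off on the object-based storage slide, as an added sketch that is not part of the original slides: a record's hash is its address, so reads are a single verified lookup, while any correction produces a new address. SHA-256, the `ContentStore` class, the `chart_index` mapping, and the sample record are assumptions made for illustration.

```python
import hashlib


class IntegrityError(Exception):
    """Stored bytes no longer hash to the address they were filed under."""


class ContentStore:
    """Toy in-memory object store: the SHA-256 of a record is its address."""

    def __init__(self):
        self._blobs = {}  # address (hex digest) -> record bytes

    def put(self, record: bytes) -> str:
        address = hashlib.sha256(record).hexdigest()
        self._blobs[address] = record  # identical content always maps to one slot
        return address

    def get(self, address: str) -> bytes:
        record = self._blobs[address]  # single lookup, no index scan
        if hashlib.sha256(record).hexdigest() != address:
            raise IntegrityError(address)  # integrity is checked on every read
        return record


def demo():
    store = ContentStore()
    # Constructed sample record, not real patient data.
    v1 = b"patient=P-0001;allergy=none"
    addr_v1 = store.put(v1)
    assert store.get(addr_v1) == v1

    # A correction cannot overwrite in place: new content means a new address,
    # so every pointer to the record (a hypothetical chart index) must change.
    v2 = b"patient=P-0001;allergy=penicillin"
    addr_v2 = store.put(v2)
    chart_index = {"P-0001": addr_v2}

    # Simulate the stored bytes of the old version changing without put().
    store._blobs[addr_v1] = b"patient=P-0001;allergy=latex"
    try:
        store.get(addr_v1)
        tamper_detected = False
    except IntegrityError:
        tamper_detected = True
    return addr_v1, addr_v2, chart_index, tamper_detected


if __name__ == "__main__":
    print(demo())
```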
11. Existing storage models do not address all these requirements (3)
Regulatory Compliant WORM Storage
Records kept in Write-once, Read-many times media (optical, magnetic, etc.)
Trustworthy indexing, migration, and deletion mechanisms can ensure trustworthy retention and movement of records
But mainly suitable for data that do not change often, and do not require frequent corrections
12. Wish list of features
A storage model for healthcare records should be:
Efficient in performance, cheap in cost
Allow both efficient and secure reads and writes / updates / corrections to records
Handle trustworthy indexing, retention, migration and deletions of records
Provide detailed provenance information for records, documenting the history of the information