1 / 12

Requirements of Secure Storage Systems for Healthcare Records : A Position Paper

2. Securing Healthcare records is a difficult task. Digital records can be copied verbatim, exposing confidential patient informationAttacks can occur from both within and outside the organizationVarious privacy laws around the world strictly regulate the digital storage of healthcare recordsO

ranit
Download Presentation

Requirements of Secure Storage Systems for Healthcare Records : A Position Paper

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


    1. Requirements of Secure Storage Systems for Healthcare Records : A Position Paper Ragib Hasan+, Marianne Winslett+, and Radu Sion++ +University of Illinois at Urbana Champaign ++Stony Brook University

    2. 2 Securing Healthcare records is a difficult task Digital records can be copied verbatim, exposing confidential patient information Attacks can occur from both within and outside the organization Various privacy laws around the world strictly regulate the digital storage of healthcare records Our goal: Look into the regulations, and derive a common set of storage/security requirements for healthcare records

    3. 3 Finding a common theme in regulations Different countries around the world have different regulations on healthcare information management A common set of requirements can be derived from the requirements Research on healthcare records should follow these common criteria

    4. 4 Case study: HIPAA HIPAA stands for Health Insurance Portability and Accountability Act of 1996 Regulates insurance industry (Title I), and mandates the confidentiality and privacy of medical information (Title II) Compliance is mandatory for organizations handling healthcare information

    5. 5 HIPAA’s security requirements Privacy: Organizations must ensure reasonable measures for safeguarding privacy and confidentiality Security: Internal audit procedures for medical data are mandatory for all organizations Records must be disposed of in a trustworthy manner after the mandatory retention period Data integrity must be ensured via checksums or signatures

    6. 6 Other requirements of HIPAA Media re-use: All information need to be removed before re-use of storage media Accountability: All data access and migration operations must be logged Backup and Storage: Organizations must provide backup of all information

    7. 7 Other laws around the world also mandate various security requirements OSHA: Occupational Safety and Health Administration requires all employee exposure records to be maintained for 30 years EU Directive 95/46/EC Article 6 requires accuracy guarantees of personal records, and guaranteed disposal after the retention period. Article 17 requires measures for ensuring the confidentiality and availability of records. UK Data Protection Act of 1998 Requires mandatory disposal of electronic records after retention period, Mandates accuracy of information, Requires logging any changes, and strict confidentiality.

    8. 8 A common set of requirements can be derived from these laws Confidentiality and access control Integrity Availability and performance Logging, audit trails, and provenance Long term secure retention and migration Backup Cost effectiveness

    9. 9 Existing storage models do not address all these requirements Relational databases Most commonly used model for healthcare records Encryption provides confidentiality, but does not protect records from malicious insiders, and also makes queries on encrypted records less efficient IBM’s Hippocratic Database technology can provide fine grained access control, and compliant auditing, but is still vulnerable to insider attacks

    10. 10 Existing storage models do not address all these requirements (2) Object-based storage systems: Document content hashes are used to locate documents Allows efficient retrieval for read operations Document integrity is ensured But Appends and Writes are difficult, and inefficient

    11. 11 Existing storage models do not address all these requirements (3) Regulatory Compliant WORM Storage Records kept in Write-once, Read-many times media (optical, magnetic, etc.) Trustworthy indexing, migration, and deletion mechanisms can ensure trustworthy retention and movement of records But mainly suitable for data that do not change often, and do not require frequent corrections

    12. 12 Wish list of features A storage model for healthcare records should be: Efficient in performance, cheap in cost Allow both efficient and secure reads and writes / updates / corrections to records Handle trustworthy indexing, retention, migration and deletions of records Provide detailed provenance information for records, documenting the history of the information

More Related