330 likes | 531 Views
Performance Measurement and Workflow Impact of Securing Medical Data Using HIPAA Compliant Encryption in a .NET Environment. Master’s Thesis Andrew M. Snyder. Overview. Goals HIPAA Encryptions Prior Work Performance in .NET Recommendation Workflow Model Conclusions and Future Work.
E N D
Performance Measurement and Workflow Impact of Securing Medical Data Using HIPAA Compliant Encryption in a .NET Environment Master’s Thesis Andrew M. Snyder
Overview • Goals • HIPAA • Encryptions • Prior Work • Performance in .NET • Recommendation • Workflow Model • Conclusions and Future Work
Goals of the Thesis • Awareness of HIPAA • Distinguish and Compare Managed and Unmanaged Code • New Software Performance in .NET • Recommend an Encryption Algorithm • Predict Workflow Impact on UVA Department of Radiology
HIPAA • Synopsis • The Law • Purpose • Covered Entities • Creation Process • Violations
HIPAA • Sections • Transaction & Code Set • Identifier • Privacy • Security • Administrative Procedures • Physical Safeguards • Technical Safeguards
HIPAA • Impact • Entity Size • Workflow • Approach • Algorithms • Environments • Department of Radiology Model
Federated, Secure Trust Networks • $200,000 Grant from Microsoft • Create a prototype healthcare system adhering to technical HIPAA standards • Utilize .NET and Web Services • Work with the Department of Radiology • Understand implications of encrypted storage and transmission • Solve problems of Authentication, Authorization, and Trust Sharing
Encryptions and Attacks • Symmetric Key • DES • 3-DES • AES • Public Key • RSA
Managed vs. Unmanaged Code • Differences • Unmanaged Code • Native Code • Optimized for a Given Device/Platform • Managed Code • Executed Inside a Container • Translated at Runtime • Memory Management • Garbage Collection
Managed vs. Unmanaged Code • Benefits • Unmanaged Code • Fast • Managed Code • Secure • Memory Safe • Portable
Prior Work • Hardware (FPGA) • Gaj and Chodowiec • AES up to 51.7 MB/s • 3-DES up to 7.4 MB/s • Kaps and Par • DES up to 50 MB/s • Groszschaedl • RSA-1024 up to .25 MB/s
Unmanaged Software Implementation • Aoki and Lipmaa • AES-128 up to 30.4 MB/s • Corella • DES up to 22.8 MB/s • 3-DES up to 9.4 MB/s
Managed Software Implementations • Sterbenz and Lipp • AES-128 up to 2.4 MB/s • DES up to 1.3 MB/s • 3-DES up to .5 MB/s • Wagner • RSA-1024 up to .004 MB/s
Rationale for New Measurements • No Published Body of .NET Cryptography Performance Measurements • Managed and Unmanaged • Performance Gap Between Managed and Unmanaged Code • Shrinking or Growing? • Code Safety Importance • Performance vs. Security
Performance Measurements • Testbed • Computer • Visual Studio .NET 2003 • 3 GHz Pentium 4 • Windows XP • Files (1 B – 68 MB) • Algorithm Key Sizes
Performance Measurements • Throughputs – 3 GHz • Symmetric • Public Key
Performance Measurements • Analysis • Algorithm Performances • Overhead for Multiple Files • Second Testbed • 600 MHz Pentium 3 • Windows XP
Performance Measurements • Throughputs – 600 MHz • Symmetric • Public Key
Performance Measurements • Analysis • Computational Difficulty • Price of Code Safety • Performance vs. Security • Recommendations • Use 256-bit AES • Why? • Implemented in Managed Code • Data Exponentially More Secure • Quantum Computers
Workflow Model • Department of Radiology Model
Workflow Model • Involved Steps
Workflow Model • Resources
Workflow Model • Bottleneck Table – From Resource Allocation Table
Workflow Model • Bottleneck Calculation • B7 = Image Modality Unit Throughput Patients/Hr
Workflow Model • Throughput Results • Sequential System • 7% Performance Degradation • Highly Concurrent System • 5% Performance Degradation • Required Throughput for < 2% Degradation • 17 MB/s (Possible with Unmanaged Code) • Security vs. Performance
Workflow Model • Bounds • Infinite Resources • N / (Te + Ts) • Bottleneck Limit • 1 / Tb • Upper Bound • N / (Te + Ts + (N – 1) * Tb) • Lower Bound • 1 / (Te + Ts) Te = Time Spent Encrypting Ts = Total System Time – Te Tb = Time Spent on Bottleneck Step
Workflow Model • System with Encryption
Workflow Model • System with/without Encryption
Conclusions • Review of HIPAA Regulations • Analyzed International Standards of Encryption • Performance Measurements • Recommend 256-bit AES • Workflow • 5%-7% Performance Degradation • Security Concerns Outweigh Performance
Future Work • More Performance Measurements • Auditing • Authorization • Cost Analysis • Other Workflow Models • Papers • Alfred Weaver, Sam Dwyer, Andrew Snyder. “Federated, Secure Trust Networks for Distributed Healthcare IT Services”. 1st IEEE Conference on Industrial Informatics (INDIN ’03) Banff, Alberta, Canada. August 21-24, 2003. (Accepted) • Andrew Snyder, Alfred Weaver. “E-Logistics of Securing Distributed Medical Data”. (INDIN’03) (Accepted) • Demo • Microsoft Faculty Summit. Redmond, WA. July 27-29,2003.