A governance model for ubiquitous medical devices accessing eHealth data: the need for standards

Post on 10-Feb-2017


Slide 1

ISACA VENICE Chapter

IV Conference on Application Security and Modern Technologies

Venezia, Università Ca' Foscari, 23 September 2016

In collaboration with

Slide 2

Massimiliano Masi, Ph.D.

A governance model for ubiquitous medical devices accessing eHealth data: the need for standards

Massimiliano.masi@tiani-spirit.com

Slide 3

Who am I?

I obtained my Ph.D. from the University of Florence (formal methods)

I work in Vienna for an SME which is active in the eHealth sector

I am a Java developer

I am an editor of eHealth industry standards

I work mainly in Cross Border eHealth Sharing

Slide 4

Introduction / EHR

The Electronic Health Record (EHR) is a digital version of the patient’s paper chart.

It is a real-time, patient-centered record that makes information available instantly and securely to all clinicians involved in the patient's care.

It contains:
- patient demographics (name, surname, e-mail, identifier, phone, address)
- lab results
- discharge summaries
- encounter reports
- diseases
- prescriptions
- …

EHRs may travel across medical facilities.

Slide 5

Introduction / EMR

The Electronic Medical Record (EMR) is a digital version of the patient’s paper chart, in the clinician’s office.

It contains the medical history of a patient in one practice:
- track data over time
- easily identify patients for preventive screenings
- check how patients are doing on certain parameters (e.g., blood pressure)
- improve the quality of the practice (e.g., hospital)

EMRs do not travel across facilities

Slide 6

Introduction / PHR

The Personal (Patient) Health Record (PHR) is an electronic application used by patients to maintain and manage their health information in a private, secure, and confidential environment.
- Managed by patients
- Can include information from a variety of sources
- Can help patients store and monitor health data, such as diet plans, data from home monitoring systems, fitness, patient contact information, diagnoses, medication lists, allergies, etc.
- Facilitates remote diagnosis

Source: HealthIT.gov

Slide 7

Introduction / Evolution

EHR, EMR, and PHR are being developed worldwide. The U.S. funded several successful initiatives: Healtheway/NHIN, DIRECT, Blue Button.

Adoption of EHR in the U.S.:

Year          Percentage of adoption
2007          17%
2008          21%
2009          27%
2011-2013     44%
New adopters  19%

The obstacles found were financial resources and technical assistance. The U.S. Congress promoted EHR by establishing financial and technical programs.

Slide 8

Introduction / Evolution

In Europe, each member state is sovereign in healthcare matters.

State-wide EHR initiatives:
- Austria: the ELGA system
- Italy: region by region (Fascicolo Sanitario Elettronico)
- U.K.: the National Health Service (NHS)

The EU Commission is promoting research projects aimed at enhancing the PHR, ageing well, remote monitoring, work safety.

Cross-border eHealth exchange:
- to enforce the "freedom of movement" fundamental right
- have a medicine prescribed in one state and dispensed in another
- right to care
- public health

Slide 9

eHealth / Public Health / mHealth

eHealth (WHO): eHealth is the use of ICT for health. Examples include treating patients, conducting research, educating the health workforce, tracking diseases, and monitoring public health

mHealth (mobile health) is the use of mobile devices in health care, for instance to access and feed electronic health records.

Public eHealth is an all-encompassing term that refers to the use of ICT for the public good, including, e.g., research on anonymized data, statistical planning, pandemic forecasting.

Clearly eHealth, mHealth and Public eHealth offer many benefits, e.g. greater safety through the reduction of medical errors.

Slide 10

Security Evaluation

Medical records carry several kinds of critical information.

Personally Identifiable Information (PII), linked or linkable: "any information about an individual maintained by an agency, including any information that can be used to distinguish or trace an individual's identity" (NIST SP 800-122). Examples: name, SSN, fiscal code, employment information.

Protected Health Information (PHI): any information about health status, provision of health care, or payment for health care that can be linked to a specific individual.

Both PII and PHI must be protected. But what does that mean?

Slide 11

Security Dimensions

It is imperative to protect:
- Safety: the patient must not suffer any damage caused by the ICT
- Integrity: medical records must keep their data integrity throughout the lifecycle
- Confidentiality: the PHI/PII must be kept confidential and disclosure avoided
- Authorization: only authorized users can access medical data
- Authentication: only authenticated users can access data
- Informed consent: the patient is ultimately responsible for sharing data
- Identification: patient identification
- Non-repudiation: to be able to settle disputes related to treatment

Slide 12

Some stories

Discharge summary: after a hospitalization, the patient Massi needs further exams from specialists outside the hospital facilities and continuous monitoring of blood pressure and hydration at home (EHR/PHR).

Prescription: patient Massi needs warfarin (Coumadin) checks every week, and tablets if the check is outside the limits. He has a prescription from his home physician. Massi is abroad for business (EHR).

Diet obligations: patient Massi is losing weight to avoid cardiovascular diseases. His home physician monitors the calories burned while running using a smartphone app (PHR, EMR).

Seaman's safety: when fishing, seamen stay at sea for days. If a heart attack happens, a remotely controlled AED (automated external defibrillator) can be used to save a life (mHealth, telemedicine).

Research: the massive availability of MRIs and diagnoses enables scientists to find better countermeasures for a disease (pseudonyms, Public eHealth).

Slide 13

Why we need standards

Standards are made for interoperability:
- in case of emergency, immediate access to data saves lives (safety)
- disclosing health status can create problems in the patient's living context (confidentiality)
- the EHR must be accessed only by those entitled to do so (safety, identification, authentication, authorization, accountability)
- every single operation on the EHR must be tracked (non-repudiation)
- avoid geolocation-based (physical?) attacks (privacy)
- settle on the same algorithms for encryption, hashing, signature, etc.

Avoid vendor lock-in at any cost! Do not let adapters proliferate: that is another way to get vendor lock-in.

Slide 14

Available Standards

DICOM: established in 1993, ISO 12052. Almost all medical imaging devices export DICOM images.

HL7: definition of administrative data (patient identifier, triage); definition of the Clinical Document Architecture (CDA).

SNOMED CT: definition of the medical data vocabulary (on which ontologies can be built).

IHE: connects healthcare facilities; creation of national/international backbones and infrastructures.

FHIR: enables medical devices to access those backbones and infrastructures.

Slide 15

IHE

IHE has a complex governance model to enable testing-before-purchasing

Slide 16

Security through IHE

IHE is about hospital-to-hospital, region-to-region, country-to-country EHR exchange.

It uses a (SOAP) web-service infrastructure. Identification, authentication and authorization (IA&A) are achieved using SAML tokens and XACML policies.
- A SAML assertion is a signed XML document that bears the identity of a principal (e.g. a doctor).
- The specific authentication mechanism is left to the facility.
- This helps in building the Circle of Trust.

Attention:
- SOAP message rewriting attacks (K. Bhargavan et al., Secure Sessions for Web Services)
- The XML Signature Wrapping (XSW) family of attacks (J. Somorovsky, How to Break XML Signature and XML Encryption)
- TLS alone is not sufficient: web services are useful precisely because intermediaries can modify the message on its way, so TLS protects only hop by hop and the security must be carried by the message itself (signatures on the assertion and on the SOAP body).
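To make the XSW point concrete, here is an added example (not code from the talk, from IHE or from any SAML library): a SAML-style response is signed, an attacker wraps the genuine signed assertion inside the signature of a forged one, and two validators are compared. The "signature" is an HMAC-SHA256 over the canonical bytes of the referenced element, standing in for XML-DSig so the script runs on the standard library only; the key, the principal name and the roles are constructed. The flaw in the first validator is the classic one: the element whose digest is checked is resolved by searching the whole document for the Reference ID, while the element actually consumed is found by a separate lookup.

```python
"""XML Signature Wrapping (XSW) against a SAML-style assertion.

Added example: an HMAC over the canonical element bytes stands in for
XML-DSig, so only the standard library is needed. The validator logic
(and its flaw) is the same as with a real XML signature library.
"""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

KEY = b"constructed-idp-signing-key"   # constructed: the IdP's signing key


def canonical(elem):
    """Toy canonicalisation: the element's bytes without its direct <Signature>
    child and without trailing text. Stands in for XML-DSig C14N."""
    c = copy.deepcopy(elem)
    c.tail = None
    for sig in c.findall("Signature"):
        c.remove(sig)
    return ET.tostring(c)


def sign_assertion(assertion):
    """Enveloped signature: <Signature> becomes a child of the signed element."""
    mac = hmac.new(KEY, canonical(assertion), hashlib.sha256).hexdigest()
    sig = ET.SubElement(assertion, "Signature")
    ET.SubElement(sig, "Reference", URI="#" + assertion.get("ID"))
    ET.SubElement(sig, "SignatureValue").text = mac


def build_signed_response():
    """Genuine IdP response: one signed assertion for a nurse (constructed data)."""
    resp = ET.Element("Response")
    a = ET.SubElement(resp, "Assertion", ID="_a1")
    ET.SubElement(a, "Subject").text = "dr.rossi"
    ET.SubElement(a, "Role").text = "nurse"
    sign_assertion(a)
    return ET.tostring(resp)


def xsw_wrap(signed_xml):
    """Attacker: keep the genuine signed assertion (still referenced by the
    signature) but present a forged assertion with a different ID and role."""
    resp = ET.fromstring(signed_xml)
    orig = resp.find("Assertion")
    sig = orig.find("Signature")
    orig.remove(sig)                      # detach; the signed content is untouched
    resp.remove(orig)
    forged = ET.SubElement(resp, "Assertion", ID="_evil")
    ET.SubElement(forged, "Subject").text = orig.findtext("Subject")
    ET.SubElement(forged, "Role").text = "physician"
    forged.append(sig)                    # the genuine signature now sits under the forgery
    ET.SubElement(sig, "Object").append(orig)   # the genuine assertion is hidden inside it
    return ET.tostring(resp)


def verify_vulnerable(xml_bytes):
    """Flawed verifier: resolves the Reference URI by searching the whole document
    for the ID, then consumes whichever <Assertion> comes first."""
    resp = ET.fromstring(xml_bytes)
    sig = resp.find(".//Signature")
    ref_id = sig.find("Reference").get("URI").lstrip("#")
    signed = resp.find(f".//*[@ID='{ref_id}']")
    mac = hmac.new(KEY, canonical(signed), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, sig.findtext("SignatureValue")):
        raise ValueError("signature invalid")
    used = resp.find("Assertion")         # BUG: not necessarily the element just verified
    return used.findtext("Subject"), used.findtext("Role")


def verify_hardened(xml_bytes):
    """Verify the element you consume and consume the element you verified."""
    resp = ET.fromstring(xml_bytes)
    assertions = resp.findall("Assertion")
    if len(assertions) != 1:
        raise ValueError("expected exactly one assertion")
    a = assertions[0]
    sig = a.find("Signature")             # direct child only, never found by search
    if sig is None:
        raise ValueError("assertion is not signed")
    if sig.find("Reference").get("URI") != "#" + a.get("ID"):
        raise ValueError("signature does not reference the consumed assertion")
    if len(resp.findall(f".//*[@ID='{a.get('ID')}']")) != 1:
        raise ValueError("duplicate ID in document")
    mac = hmac.new(KEY, canonical(a), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, sig.findtext("SignatureValue")):
        raise ValueError("signature invalid")
    return a.findtext("Subject"), a.findtext("Role")


def rejects(verifier, xml_bytes):
    try:
        verifier(xml_bytes)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    genuine = build_signed_response()
    forged = xsw_wrap(genuine)
    print("vulnerable, genuine:", verify_vulnerable(genuine))
    print("vulnerable, wrapped:", verify_vulnerable(forged))   # attacker is now a physician
    print("hardened, genuine:  ", verify_hardened(genuine))
    print("hardened rejects wrapped:", rejects(verify_hardened, forged))
```

The hardened version also rejects a second element carrying the same ID, which closes the variant where the attacker gives the forgery the original ID and relies on the resolver picking the wrong one.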

Slide 17

Security through IHE

Patient informed consent is a form of authorization. Healthcare uses XACML:
- no longer purely role-based
- policy-based access control (access is granted in a specific, computable context: which role, from which organisation, for which patient, for which purpose of use)
- the break-the-glass scenario: emergency access that overrides consent but is audited and reviewed afterwards

Reference: Helmut Petritsch, Break-Glass: Handling Exceptional Situations in Access Control
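An added example of the evaluation an XACML PDP performs for consent plus break-the-glass (this is not XACML itself and not code from the talk, from IHE or from any policy engine): rules carry attribute-based targets, a first-applicable combining algorithm picks the decision, and obligations travel with it so the enforcement point must log and notify when the glass is broken. Attribute names, roles, organisations, patient IDs and purposes of use are all constructed.

```python
"""Policy-based access control with patient consent and break-the-glass.

Added example modelling an XACML-style PDP/PEP pair. Attributes such as
role, org and purpose would come from the SAML token and the request.
"""
from dataclasses import dataclass, field

CLINICAL_ROLES = {"physician", "nurse"}          # constructed role vocabulary


@dataclass
class Rule:
    name: str
    target: dict              # attribute -> set of accepted values; all must match
    effect: str               # "Permit" | "Deny"
    obligations: tuple = ()   # what the PEP must carry out if it enforces this rule

    def applies(self, attrs):
        # an empty target matches every request, like an XACML rule without a Target
        return all(attrs.get(k) in accepted for k, accepted in self.target.items())


@dataclass
class Decision:
    effect: str
    obligations: list = field(default_factory=list)
    rule: str = None


def first_applicable(rules, attrs):
    """XACML 'first-applicable' combining algorithm."""
    for r in rules:
        if r.applies(attrs):
            return Decision(r.effect, list(r.obligations), r.name)
    return Decision("NotApplicable")


def break_glass_rules():
    """Emergency access overrides consent, but only for clinical staff, only for
    reading, and always with audit and notification obligations attached."""
    return [
        Rule("break-glass-permit",
             {"purpose": {"EMERGENCY"}, "role": CLINICAL_ROLES, "action": {"read"}},
             "Permit",
             ("log-break-glass-event", "notify-patient", "notify-privacy-officer")),
        Rule("break-glass-deny", {"purpose": {"EMERGENCY"}}, "Deny"),
    ]


def consent_rules(patient_id, permitted_orgs, opted_out_orgs):
    """Compile one patient's informed consent into rules; opt-outs are listed first
    so they win under first-applicable."""
    return [
        Rule(f"consent-opt-out:{patient_id}",
             {"patient": {patient_id}, "org": set(opted_out_orgs)}, "Deny"),
        Rule(f"consent-permit:{patient_id}",
             {"patient": {patient_id}, "org": set(permitted_orgs),
              "role": CLINICAL_ROLES, "purpose": {"TREATMENT"}}, "Permit"),
    ]


# Constructed policy set: patient P1 consents to HOSP-A and opted out of HOSP-B.
POLICY_SET = (break_glass_rules()
              + consent_rules("P1", permitted_orgs={"HOSP-A"}, opted_out_orgs={"HOSP-B"})
              + [Rule("default-deny", {}, "Deny")])


def evaluate(attrs):
    """PDP entry point."""
    return first_applicable(POLICY_SET, attrs)


def pep_access(attrs):
    """PEP: returns (allowed, obligations). Anything but Permit is treated as Deny."""
    d = evaluate(attrs)
    return d.effect == "Permit", d.obligations


if __name__ == "__main__":
    emergency = {"role": "physician", "org": "HOSP-B", "purpose": "EMERGENCY",
                 "patient": "P1", "action": "read"}
    print(evaluate(dict(emergency, purpose="TREATMENT")))   # Deny via consent opt-out
    print(evaluate(emergency))                               # Permit with obligations
```

Note that the break-glass Permit is only useful if the PEP actually fulfils the obligations; an access that is permitted but not logged defeats the non-repudiation requirement listed on slide 13.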

Slide 18

HL7 FHIR

While IHE provides infrastructures, FHIR provides the last-mile connection.
- It is entirely based on RESTful APIs, point-to-point.
- JSON and XML formats to exchange data.
- Devised for medical devices: no infrastructure in REST!
- Based on RFC 6749 (OAuth 2.0), section 4.3; JWT <-> SAML mapping.

The problem is that the channel authentication is only HTTPS:
- at the moment only bearer tokens are used (no holder-of-key, no identity binding to the channel), so whoever obtains the token string can replay it;
- work is being done in UMA (User-Managed Access).
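An added example of the bearer-token problem and of what a holder-of-key check changes (not code from the talk, from HL7 FHIR, SMART on FHIR or any OAuth library): an authorization server issues a plain bearer token and a key-bound one, a FHIR-style resource server is shown in both variants, and a stolen token is replayed against each. Access tokens are compact JSON-over-HMAC stand-ins for JWTs, proofs are HMACs with a registered client key (a real deployment would use an asymmetric key so the resource server holds only the public half), and the scope string follows the SMART on FHIR convention as an assumption about the deployment. Every key, client ID, patient ID and URL is constructed.

```python
"""Bearer token replay vs. a holder-of-key (proof-of-possession) check on a
FHIR-style REST endpoint. Added example; all identifiers are constructed."""
import base64
import hashlib
import hmac
import json
import secrets
import time

AS_KEY = b"constructed-authorization-server-signing-key"
# Registered client keys (kid -> key) known to AS and RS. HMAC keeps the
# example stdlib-only; with asymmetric keys the RS would hold public keys.
CLIENT_KEYS = {"dev-7731": b"constructed-key-of-a-home-blood-pressure-monitor"}
SEEN_JTI = set()                                              # RS replay cache
URL = "https://fhir.example.org/Observation?patient=123"     # constructed endpoint
SCOPE = "patient/Observation.read"                            # SMART-style scope (assumption)


def b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(kid, scope, bind_to_key, now=None):
    """AS: with bind_to_key the token carries a 'cnf' (confirmation) claim naming
    the client key that must prove possession on every request."""
    now = now or time.time()
    claims = {"sub": "123", "scope": scope, "exp": int(now) + 300}
    if bind_to_key:
        claims["cnf"] = {"kid": kid}
    body = b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + b64(hmac.new(AS_KEY, body.encode(), hashlib.sha256).digest())


def parse_token(token, now=None):
    body, mac = token.split(".")
    expected = hmac.new(AS_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64(mac)):
        raise ValueError("token signature invalid")
    claims = json.loads(unb64(body))
    if claims["exp"] < (now or time.time()):
        raise ValueError("token expired")
    return claims


def make_proof(kid, method, url, token, ts, jti=None):
    """Client: sign (method, URL, token hash, timestamp, jti) with its own key.
    Without the key, a thief holding only the token cannot produce this."""
    jti = jti or secrets.token_hex(8)
    msg = "\n".join([method, url, hashlib.sha256(token.encode()).hexdigest(),
                     str(ts), jti]).encode()
    return jti, b64(hmac.new(CLIENT_KEYS[kid], msg, hashlib.sha256).digest())


def _observations(claims):
    # Constructed FHIR searchset Bundle returned on a permitted read.
    return {"resourceType": "Bundle", "type": "searchset",
            "entry": [{"resource": {"resourceType": "Observation",
                                    "subject": {"reference": "Patient/" + claims["sub"]}}}]}


def rs_bearer(token, now=None):
    """RS accepting bearer tokens: whoever holds the string is the client."""
    claims = parse_token(token, now)
    if SCOPE not in claims["scope"].split():
        raise PermissionError("insufficient scope")
    return _observations(claims)


def rs_holder_of_key(method, url, token, jti, ts, proof, now=None):
    """RS requiring proof of possession of the key named in the token's cnf claim,
    bound to this request and protected against replay by the jti cache."""
    claims = parse_token(token, now)
    if SCOPE not in claims["scope"].split():
        raise PermissionError("insufficient scope")
    kid = claims.get("cnf", {}).get("kid")
    if kid not in CLIENT_KEYS:
        raise PermissionError("token is not key-bound")
    if abs((now or time.time()) - ts) > 60:
        raise PermissionError("proof too old")
    if jti in SEEN_JTI:
        raise PermissionError("proof replayed")
    _, expected = make_proof(kid, method, url, token, ts, jti)
    if not hmac.compare_digest(expected, proof):
        raise PermissionError("proof invalid")
    SEEN_JTI.add(jti)
    return _observations(claims)


def accepted(rs, *args):
    """True if the resource server served the request, False if it refused."""
    try:
        rs(*args)
        return True
    except (PermissionError, ValueError):
        return False


if __name__ == "__main__":
    stolen = issue_token("dev-7731", SCOPE, bind_to_key=False)   # captured at a TLS-terminating hop
    print("bearer RS serves the thief:", accepted(rs_bearer, stolen))
    bound = issue_token("dev-7731", SCOPE, bind_to_key=True)
    ts = int(time.time())
    jti, proof = make_proof("dev-7731", "GET", URL, bound, ts)
    print("PoP RS serves the device:", accepted(rs_holder_of_key, "GET", URL, bound, jti, ts, proof))
    print("PoP RS serves a replay:  ", accepted(rs_holder_of_key, "GET", URL, bound, jti, ts, proof))
```

The proof binds method and URL, so a captured proof for one query cannot be reused for another, and the jti cache with a short freshness window is what turns "holder-of-key" into real replay resistance; without it a thief who captures both token and proof at the intermediary could still repeat the same request.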

Slide 19

HL7 FHIR

By using FHIR and vocabularies (such as SNOMED CT), medical devices can feed EHRs/PHRs with data that can help track health status, ageing well, and well-being.

Telemonitoring in smart homes will hopefully be a reality soon: great relief for public finances and for hospital bed availability.

Fitness devices, smartphones and smartwatches can now reach a precision comparable to an ECG.

Hospitals encourage the use of cloud services (PaaS, SaaS) so that patients can feed their own PHR and achieve better treatment.

"How do you feel today?" "Did you walk at least 30 minutes?" "Your diet is too fatty" "It's time to get the flu vaccination" "The patient has not moved for 20 minutes, has he fallen?" "The patient is waving for help, call the ambulance"

Slide 20

Cloud Issues

FHIR also enables the use of cloud services. Hospitals support the following deployments:
- clinical workflows
- clinical agenda
- data sharing
- document repository
- backup services
- research & collaboration

However, the use of the cloud has some security concerns:
- isolation failure
- compliance with the law
- vendor ignorance of the clinical context
- malicious insider
- vendor lock-in

Slide 21

IoT Issues

Internet of Things: several views.

IoT lacks governance, and we have just seen how governance can save lives.

Many technically disconnected islands (smart grids, smart homes), like eHealth 20 years ago.

Has the IoT-GSI (the ITU-T IoT Global Standards Initiative) failed? The telco standpoint.

A standardization governance is needed. How many IoTs? One? Multiple?

Slide 22

Sample CBeHIS

Slide 23

Conclusions

eHealth is a mature domain, developed worldwide. After years of separated communities, eHealth is now becoming entirely connected through IHE and FHIR.

Standards are crucial to achieve the security needs required by the domain. IHE selects only relevant standards (SAML, XACML, OAuth, TLS).

eHealth and cloud services are slowly but truly converging to enable better and more sustainable health care for patients.

eHealth and IoT are not yet ready to be deployed efficiently (i.e., respecting the security rules).

Slide 24

QUESTIONS?
