Secure Electronic Health Records

A Digital Rights Management Approach to Securing Electronic Health Records
Rei Safavi-Naini, iCORE Chair in Information Security, Department of Computer Science, U of Calgary, iCORE Information Security Lab

Upload: cybera-inc

Posted on 25 May 2015


DESCRIPTION

Rei Safavi-Naini, iCORE Chair for Information Security, Department of Computer Science, University of Calgary. Presented at the Cybera/CANARIE National Summit 2009, as part of the session "New Frontiers in Data Integration." This session showcased a selection of leading-edge initiatives that are breaking new ground and setting new precedents around the collection and integration of data.

TRANSCRIPT

Page 1: Secure Electronic Health Records

A Digital Rights Management Approach to Securing Electronic Health Records

Rei Safavi-Naini, iCORE Chair in Information Security

Department of Computer Science, U of Calgary

iCORE Information Security Lab

Page 2: Secure Electronic Health Records

Electronic Health Record (EHR)

• A collection of electronic health data
• In digital format: easy to share across network-connected information systems
• May include:
  • Demographics (race, disabilities, ...)
  • Medical history
  • Medication and allergies
  • Immunization status
  • Laboratory test results, radiology images
  • Billing information…

R. Safavi-Naini-Summit ‘09- Oct 14, 2009

Page 3: Secure Electronic Health Records

Moving towards EHR

Page 4: Secure Electronic Health Records

Existing access to Health Data

• Data stored in island databases
• Security: mainly communication security
  – Encrypted links
• No, or little, control on access
  – After logging in to the system all data can be accessed
  – All doctors and nurses can access all data
  – Records can be copied, printed, etc.
• Other issues
  – Multiple copies of data
  – Inefficiency, hard to access…

EHR is the centerpiece of an integrated solution to effective and secure management of health information.


Page 5: Secure Electronic Health Records

Security is an integral part of EHR

• Paper data and data stores are inherently more secure
  – Limited number
  – Hard to duplicate; imperfect copies
  – Changes are detectable
  – Hard to access
• Electronic data
  – Many copies instantly
  – Easy to make copies
  – Changes undetectable
  – Can be accessed from any point…
    • Intranet: private, confidential data among employees
    • Extranet for outsourced resources
    • Web portal
• Security is a major challenge

Page 6: Secure Electronic Health Records

A new approach: using Digital Rights Management

• Digital rights management:
  – information is distributed in a protected form
  – information can only be accessed using a license
  – the license contains terms and conditions in a machine-readable form
  – usable only by trusted DRM agents
  – compliant DRM agents will refuse to perform any action unless it is permitted by the licence

[Figure: Components of a DRM System]


Page 7: Secure Electronic Health Records

Digital Rights Management for Healthcare

[Figure: DRM components in healthcare, annotated "Organizational Policies"]


Page 8: Secure Electronic Health Records

Digital Rights Management for Healthcare

• In healthcare: consent directives can be expressed in terms of attributes
  – adapted from the eXtensible Access Control Markup Language (XACML)

[Figure: DRM components in healthcare, annotated "Organizational Policies"]

Page 9: Secure Electronic Health Records

Digital Rights Management for Healthcare

• In healthcare: a license

[Figure: DRM components in healthcare, annotated "Organizational Policies"]


Page 10: Secure Electronic Health Records

A healthcare facility

[Figure: a healthcare facility]


Page 11: Secure Electronic Health Records

A healthcare facility

• ‘Interpreting’ policies
  – consent directive + site authorization policies → subjects, actions, etc.
• We use workflows to describe the activity within a facility
  – workflows imply licenses to perform specific actions


Page 12: Secure Electronic Health Records

A healthcare facility

• Workflows
  – A sequence of tasks to be carried out in the specified order
  – Authorization templates for each task
  – Each workflow realizes a specific purpose of data processing
    • “Treatment Workflow” → “Treatment Purpose”

[Figure: example treatment workflow: Start → Check → Examine → OR → Diagnose / Second Opinion → Check → Stop]

Page 13: Secure Electronic Health Records

A healthcare facility

• A session starts when a workflow is initiated
• DRM agents can join and leave a session
  – Only if their currently logged-in user has the privileges to run the workflow of the session
• Licenses are issued for sessions
  – Any agent that joins the session can benefit from the license
    ⇒ A user can continue a session with a different agent if that agent joins the session
  – E.g. continue execution of the workflow on a mobile device

[Figure: facility components: Identity Mgmt. (credentials and roles), XACML Req./Resp., Workflow Mgmt. (authorization template), License Issuer, CDMS, Org. Policy, License]
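The session model of the last three slides (ordered tasks with an authorization template each, a license issued for the session rather than the device, agents joining only when their logged-in user may run the workflow, and a compliant agent refusing anything the license does not permit), as an added illustration that is not the project's own code. The class names, the task and action labels, the sample users and devices are all constructed for the example.

```python
"""Workflow sessions, DRM agents and session licenses (added example;
all names and sample data are assumptions, not the project's)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass(frozen=True)
class Workflow:
    """Ordered tasks, one authorization template (permitted actions) per task,
    the purpose the workflow realizes, and the roles allowed to run it."""
    name: str
    purpose: str
    tasks: tuple
    templates: dict
    allowed_roles: frozenset


@dataclass
class Agent:
    """A DRM agent (one device) with its currently logged-in user."""
    device: str
    user: User


@dataclass
class License:
    """Issued for a session: per task, the actions of the workflow's templates."""
    session_id: int
    purpose: str
    permitted: dict


def can_start(workflow, agent):
    """Only a user holding a permitted role may initiate or join the session."""
    return bool(workflow.allowed_roles & agent.user.roles)


class Session:
    """Starts when a workflow is initiated; any agent currently joined may use
    the session license, so a user can continue on another device."""
    _counter = 0

    def __init__(self, workflow, initiator):
        if not can_start(workflow, initiator):
            raise PermissionError(f"{initiator.user.name} may not run {workflow.name}")
        Session._counter += 1
        self.id = Session._counter
        self.workflow = workflow
        self.step = 0        # current task index; tasks run in the specified order
        self.members = []    # agents currently joined
        self.license = License(self.id, workflow.purpose, dict(workflow.templates))
        self.join(initiator)

    def join(self, agent):
        if not can_start(self.workflow, agent):
            return False
        if agent not in self.members:
            self.members.append(agent)
        return True

    def leave(self, agent):
        if agent in self.members:
            self.members.remove(agent)

    def current_task(self):
        tasks = self.workflow.tasks
        return tasks[self.step] if self.step < len(tasks) else None

    def perform(self, agent, action):
        """Compliant-agent rule: act only if the agent is in the session and the
        license permits the action for the current task; then advance."""
        task = self.current_task()
        if task is None or agent not in self.members:
            return False
        if action not in self.license.permitted[task]:
            return False
        self.step += 1
        return True


# Constructed sample data, loosely after the slide's treatment workflow.
TREATMENT = Workflow(
    name="Treatment Workflow", purpose="treatment",
    tasks=("check", "examine", "diagnose"),
    templates={"check": frozenset({"read:vitals"}),
               "examine": frozenset({"read:history", "read:labs"}),
               "diagnose": frozenset({"write:diagnosis"})},
    allowed_roles=frozenset({"physician"}),
)
ALICE = User("Alice", frozenset({"physician"}))
CAROL = User("Carol", frozenset({"nurse"}))
DESKTOP, PHONE = Agent("desktop-17", ALICE), Agent("phone-42", ALICE)
WARD_PC = Agent("ward-pc-3", CAROL)


def demo():
    """Alice starts the workflow on a desktop and continues it on her phone."""
    s = Session(TREATMENT, DESKTOP)
    out = {}
    out["check_on_desktop"] = s.perform(DESKTOP, "read:vitals")    # task 1 permits it
    out["out_of_order"] = s.perform(DESKTOP, "write:diagnosis")    # current task is 'examine'
    out["phone_before_join"] = s.perform(PHONE, "read:labs")       # not yet in the session
    out["phone_joins"] = s.join(PHONE)                             # same user, same privileges
    out["continue_on_phone"] = s.perform(PHONE, "read:labs")
    out["nurse_joins"] = s.join(WARD_PC)                           # Carol may not run this workflow
    s.leave(DESKTOP)
    out["after_leaving"] = s.perform(DESKTOP, "write:diagnosis")   # license no longer usable there
    out["diagnose_on_phone"] = s.perform(PHONE, "write:diagnosis")
    out["workflow_done"] = s.current_task() is None
    return out
```

The point to notice is that the license is keyed to the session, not to a device or a connection: the phone gets the same permissions the moment it joins, and the desktop loses them the moment it leaves, with no license re-issued in either case.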


Page 14: Secure Electronic Health Records

Digital Rights Management for Healthcare

Approach
• Wholistic approach to security and privacy
• Policies
  – Privacy policies
    • Consent forms – users
  – Security policies
    • Authorization – organizational
• Policies are written in machine-readable form
• Expressive languages to state requirements
• Enforcement
  – Reference monitors to interpret policies
  – Fine-grain access control

Advantages
• Data stored in encrypted form
  – Protection against loss of disks, laptops bypassing security
  – Access according to stated policies
• Security for the lifetime of data
  – Data always remain encrypted
    • in a locked box
  – Access always through trusted agents
• Fine-grain access control
  • certain type in a given context
• Security and privacy both
  – Enforcing privacy policies
    • Patients’ consent directives


Page 15: Secure Electronic Health Records

Fine-grained control

• Policy statements are of the form,
  “role nurse can read blood data for the purpose of surgery preparation, location terminal x12 in room #101”
• Alice
  – as a ‘nurse’ → role
  – can ‘read’ Bob’s test results → action
  – ‘purpose’ surgery prep → purpose of access
  – on a ‘terminal x12 in room #112’ → context
• Alice cannot
  – print the record
  – email it to anyone
  – copy it
  – ..
  – access Britney’s record
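The slide's policy statement and Alice's permitted and refused actions, worked as a small reference-monitor check. This is an added illustration, not the project's code: the statement is written as attribute constraints in the XACML style the earlier "consent directives can be expressed in terms of attributes" slide refers to (subject role, action, resource type, purpose, location), a license binds the policy to one patient's record, and a compliant agent refuses every request the license does not permit. The attribute names (`subject.role`, `resource.patient`, ...) and all sample values are constructed.

```python
"""Attribute-based policy check for the slide's fine-grained rule
(added example; attribute names and values are constructed)."""

PERMIT, DENY = "Permit", "Deny"

# One policy statement of the slide's form, as attribute constraints.
# Every listed attribute must match the request; unlisted ones are free.
NURSE_BLOOD_DATA = {
    "subject.role":         {"nurse"},
    "action":               {"read"},
    "resource.type":        {"blood"},
    "environment.purpose":  {"surgery-preparation"},
    "environment.location": {"terminal-x12/room-101"},
}


def matches(rule, request):
    """True iff the request carries a matching value for every constrained
    attribute. A missing attribute never matches, so an incomplete request
    (e.g. no stated purpose) is denied rather than waved through."""
    return all(request.get(attr) in allowed for attr, allowed in rule.items())


def evaluate(rules, request):
    """Default-deny reference monitor: PERMIT only if some rule matches."""
    return PERMIT if any(matches(r, request) for r in rules) else DENY


def issue_license(policy, patient):
    """A license binds the policy to one record: each rule gains a constraint
    on the patient whose record it covers (hypothetical 'resource.patient')."""
    return [dict(rule, **{"resource.patient": {patient}}) for rule in policy]


def agent_perform(license, request):
    """Compliant DRM agent: performs an action only if the license permits it."""
    return evaluate(license, request) == PERMIT


# Constructed sample: Alice, logged in as a nurse, holds a license for Bob's record.
ALICE_BASE = {
    "subject.role": "nurse",
    "action": "read",
    "resource.type": "blood",
    "resource.patient": "Bob",
    "environment.purpose": "surgery-preparation",
    "environment.location": "terminal-x12/room-101",
}
BOB_LICENSE = issue_license([NURSE_BLOOD_DATA], "Bob")


def demo():
    """Alice's requests from the slide, plus two failure modes it implies."""
    def req(changes=None):
        r = dict(ALICE_BASE)
        r.update(changes or {})
        return r

    return {
        "read_bob": agent_perform(BOB_LICENSE, req()),
        "print": agent_perform(BOB_LICENSE, req({"action": "print"})),
        "email": agent_perform(BOB_LICENSE, req({"action": "email"})),
        "copy": agent_perform(BOB_LICENSE, req({"action": "copy"})),
        "britney": agent_perform(BOB_LICENSE, req({"resource.patient": "Britney"})),
        "other_terminal": agent_perform(
            BOB_LICENSE, req({"environment.location": "terminal-x07/room-112"})),
        "no_purpose": agent_perform(
            BOB_LICENSE, {k: v for k, v in ALICE_BASE.items() if k != "environment.purpose"}),
        "wrong_role": agent_perform(BOB_LICENSE, req({"subject.role": "clerk"})),
    }
```

Two design choices carry the security point: the monitor is default-deny, so an action such as print, email or copy that no rule names is refused without a dedicated "cannot" rule, and the license is what adds the record binding, so the same policy text yields a license for Bob's record that says nothing about Britney's.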


Page 16: Secure Electronic Health Records

Technology Demonstrator: Re-purposing patient data

Aim: use patients’ data from Foothills Hospital for research purposes
• Multiple research projects
  – Teams, members with different roles
    • New teams formed, old teams removed
  – Provide remote access
  – Link with other health data
• Identify patients that are potential candidates for each research study
  – Management and tracking of their records
• First stage: HiiTech Hepatology Knowledge base
• In future: other areas of medicine

• Security requirements
  – Patients’ private data
  – Patients’ consent directives
  – Controlling access based on need to know


Page 17: Secure Electronic Health Records

Current System

• Patients’ records are stored in a MS SQL database
• MS SharePoint portal is used to access and manage the data
• Data can be downloaded by users in the form of MS InfoPath forms
• Security: everyone can see all data!

[Figure: current architecture: Data (raw data) → SharePoint Services Web Server (health record) → Browser; Identity Management Server (log-in credentials)]

Page 18: Secure Electronic Health Records

The New Architecture

[Figure: new architecture: Rights Management Server (license, rights metadata); IRM Protectors (metadata + raw data → protected data, protected consent); Data and Consent stores; SharePoint Services Web Server (protected records); Browser with DRM Agent (protected record); Identity Management Server (groups, credentials)]

Page 19: Secure Electronic Health Records

Scaling up to federated systems

• Data-level Federation
  – Using a federated database
    • integrating the databases in two organizations
  – Secure link for data transfer
  – Complete mutual trust between organizations
    • to enforce consent directives (and perhaps other local policies)
  – Easy to implement
    • Use existing support for database federation in database engines
  – Does not support cross-organizational research studies, as applications are not connected

[Figure: Organization A and Organization B, each with Application, Consent and Data; the two databases linked]


Page 20: Secure Electronic Health Records

Scaling up to federated systems

• Business-Level Federation
• Requirements
  – federation at application level
    • extending the application to enable forming cross-organizational research studies
  – federation of identity management
    • standard solutions (e.g. SAML, Active Directory)
  – rights management federation
    • Design alternatives
      – MS IRM service federation, or a custom solution
      – DRM trusted domains: issuing a license for a main server allowing it to issue local licenses in its domain
      – Issuing a cross-organizational license directly to the user in the other organization
• Implementation is much more difficult

[Figure: Organization A and Organization B, each with Rights Management Server, Identity Management Server, SharePoint Services, Consent and Data]


Page 21: Secure Electronic Health Records

Future direction: Taking the project to the ‘Cloud’

• Scalable design
  – Patient data stored in the ‘cloud’
  – Provincial, national, .. global access
• Access according to stated policies
  – Whose policy?
  – Trust relationships
  – Consent directives
  – Efficient enforcement?
• Data security: whose responsibility?
  – Encrypted content
• Universality of the approach
  – Similar approach can be used for other types of data
  – The technology can be used for protection of any document


Page 22: Secure Electronic Health Records

Project details

Participants
• iCIS Lab
  – Mohammad Jafari, Nicholas Sheppard, Michal Sramka
• HiiTeC
  – Chad Saunders, Hytham Khalil, Simon Liu
• Cybera
  – Patrick Mann, Jill Kowalchuk
• Other supports: MITACS, iCORE

Publications
• N. P. Sheppard, R. Safavi-Naini, M. Jafari, A Digital Rights Management Model for Healthcare, Proceedings of the IEEE POLICY’09, London, UK.
• N. P. Sheppard, R. Safavi-Naini, M. Jafari, A Secure Electronic Healthcare Record Infrastructure in the Digital Rights Management Model, Technical Report 2009-939-18, Department of Computer Science, University of Calgary, 2009.

