Secure Electronic Health Records
DESCRIPTION
Rei Safavi-Naini, iCORE Chair for Information Security, Department of Computer Science, University of Calgary. Presented at the Cybera/CANARIE National Summit 2009, as part of the session "New Frontiers in Data Integration." This session showcased a selection of leading-edge initiatives that are breaking new ground and setting new precedents around the collection and integration of data.
TRANSCRIPT
A Digital Rights Management Approach to Securing Electronic Health Records
Rei Safavi-Naini, iCORE Chair in Information Security
Department of Computer Science, U of Calgary
iCORE Information Security Lab
Electronic Health Record (EHR)
• A collection of electronic health data
• In digital format → easy to share across network-connected information systems
• May include:
  – demographics (race, disabilities, ...)
  – medical history
  – medication and allergies, immunization status
  – laboratory test results, radiology images
  – billing information ...
R. Safavi-Naini-Summit ‘09- Oct 14, 2009
Moving towards EHR
Existing access to Health Data
– Data stored in island databases
– Security: mainly communication security
  – Encrypted links
– No, or little, control on access
  – After logging into the system all data can be accessed
  – All doctors and nurses can access all data
  – Records can be copied, printed, etc.
– Other issues
  – Multiple copies of data
  – Inefficiency, hard to access ...
• EHR is the centerpiece of an integrated solution to effective and secure management of health information.
Security is an integral part of EHR
• Paper data and data stores are inherently more secure
  – Limited number
  – Hard to duplicate; copies are imperfect
  – Changes are detectable
  – Hard to access
• Electronic data
  – Many copies instantly
  – Easy to make copies
  – Changes are undetectable
  – Can be accessed from any point ...
    – Intranet: private confidential data among employees
    – Extranet for outsourced resources
    – Web portal
• Security is a major challenge
A new approach: Using Digital Rights Management
– Digital rights management:
  – information is distributed in a protected form
  – information can only be accessed using a license
  – the license contains terms and conditions in a machine-readable form
  – protected information is usable only by trusted DRM agents
  – compliant DRM agents will refuse to perform any action unless it is permitted by the license.
Components!of!a!DRM!System
Digital Rights Management for Healthcare
[diagram; labels: In Healthcare, Organizational Policies, A license]
• Consent directives can be expressed in terms of attributes
  – adapted from the eXtensible Access Control Markup Language (XACML)
A healthcare facility
'Interpreting' policies
• consent directive + site authorization policies → subjects, actions, etc.
• We use workflows to describe the activity within a facility
  – workflows imply licenses to perform specific actions
A healthcare facility
Workflows
• A sequence of tasks to be carried out in the specified order
• Authorization templates for each task
• Each workflow realizes a specific purpose of data processing
  – "Treatment Workflow" → "Treatment Purpose"
[workflow diagram; nodes: Start, Check, Examine, OR, Diagnose, Second Opinion, Stop]
A healthcare facility
• A session starts when a workflow is initiated
• DRM agents can join and leave a session
  – Only if their currently logged-in user has the privileges to run the workflow of the session
• Licenses are issued for sessions
  – Any agent that joins the session can benefit from the license → a user can continue a session with a different agent if that agent joins the session
  – E.g. continue execution of the workflow on a mobile device
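The workflow, session and license relationships of the two slides above, as an added example in Python (it is not the project's code). A workflow is an ordered list of steps, each step a set of alternative tasks carrying an authorization template (the roles that may perform it); a session is created only for a user privileged to run the workflow; the license is bound to the session; and a DRM agent may join only when its logged-in user is the session's user, so the same user can continue on another device. The task order Check → Examine → (Diagnose or Second Opinion), the role assignments and the user names are assumptions taken from the slide's diagram labels.

```python
# Added example (Python); not the project's code. Models the slide's
# workflow/session/license relationships: an ordered workflow whose steps
# carry authorization templates (roles), a session started by a user with
# the privilege to run the workflow, a license bound to the session, and
# DRM agents that may join only when their logged-in user is the session's
# user. The task order Check -> Examine -> (Diagnose OR Second Opinion) and
# the role assignments are assumptions drawn from the slide's diagram labels.
from dataclasses import dataclass, field
import itertools


class WorkflowError(Exception):
    """Raised by the reference monitor when an action is not permitted."""


@dataclass(frozen=True)
class Task:
    name: str
    roles: frozenset  # authorization template: roles that may perform the task


@dataclass
class Workflow:
    name: str
    purpose: str               # purpose of data processing this workflow realizes
    steps: list                # each step is a tuple of alternative Tasks ("OR")
    initiators: frozenset      # roles privileged to run (start) the workflow


_license_ids = itertools.count(1)


@dataclass
class Session:
    workflow: Workflow
    user: str                  # the logged-in user who initiated the workflow
    roles: frozenset
    license_id: str            # the license is issued for the session, not an agent
    agents: set = field(default_factory=set)
    next_step: int = 0
    log: list = field(default_factory=list)

    def join(self, agent: str, logged_in_user: str) -> None:
        # Joining is allowed only if the agent's current user is the one whose
        # privileges were checked when the session (and its license) was created.
        if logged_in_user != self.user:
            raise WorkflowError(f"{agent}: user {logged_in_user!r} may not join {self.user!r}'s session")
        self.agents.add(agent)

    def leave(self, agent: str) -> None:
        self.agents.discard(agent)

    def perform(self, agent: str, task_name: str) -> str:
        if agent not in self.agents:
            raise WorkflowError(f"{agent} has not joined the session")
        if self.next_step >= len(self.workflow.steps):
            raise WorkflowError("workflow already completed")
        # Tasks must happen in the specified order; a step may offer alternatives.
        alternatives = {t.name: t for t in self.workflow.steps[self.next_step]}
        task = alternatives.get(task_name)
        if task is None:
            raise WorkflowError(f"out of order: expected one of {sorted(alternatives)}, got {task_name!r}")
        if not (self.roles & task.roles):
            raise WorkflowError(f"{self.user!r} holds no role permitted for {task_name!r}")
        self.next_step += 1
        self.log.append((agent, task_name, self.license_id, self.workflow.purpose))
        return task_name

    def completed(self) -> bool:
        return self.next_step == len(self.workflow.steps)


def start_session(workflow: Workflow, user: str, roles) -> Session:
    roles = frozenset(roles)
    if not (roles & workflow.initiators):
        raise WorkflowError(f"{user!r} may not initiate {workflow.name!r}")
    return Session(workflow, user, roles, license_id=f"lic-{next(_license_ids)}")


def treatment_workflow() -> Workflow:
    clinical = frozenset({"nurse", "physician"})
    physician = frozenset({"physician"})
    return Workflow("Treatment Workflow", "treatment", initiators=physician, steps=[
        (Task("Check", clinical),),
        (Task("Examine", physician),),
        (Task("Diagnose", physician), Task("Second Opinion", physician)),
    ])


def demo() -> Session:
    """Dr. Bob starts on a desktop agent, then continues the same session on a phone."""
    s = start_session(treatment_workflow(), "dr_bob", {"physician"})
    s.join("desktop-agent", logged_in_user="dr_bob")
    s.perform("desktop-agent", "Check")
    s.join("mobile-agent", logged_in_user="dr_bob")   # same user, different agent
    s.leave("desktop-agent")
    s.perform("mobile-agent", "Examine")              # continues under the same license
    s.perform("mobile-agent", "Second Opinion")
    return s
```

Every entry in the session log carries the same license id, which is the point of binding the license to the session rather than to an agent: the mobile agent inherits it by joining. A nurse cannot start the treatment workflow, an agent whose logged-in user is someone else cannot join, and a task requested out of order is refused even by a user who holds the right role.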
[architecture diagram; components: Identity Mgmt. (credentials and roles), Workflow Mgmt. (authorization template), License Issuer (XACML Req./Resp., license), CDMS, Org. Policy]
Digital Rights Management for Healthcare
Approach
• Holistic approach to security and privacy
  – Access according to stated policies
• Policies
  – Privacy policies
    • Consent forms – users
  – Security policies
    • Authorization – organizational
• Policies are written in machine-readable form
  • Expressive languages to state requirements
• Enforcement
  – Reference monitors to interpret policies
  – Fine-grain access control
Advantages
• Data stored in encrypted form
  – Protection against loss of disks or laptops bypassing security
• Security for the lifetime of data
  – Data always remain encrypted, in a locked box
  – Access always through trusted agents
• Fine-grain access control
  • access of a certain type in a given context
• Security and privacy both
  – Enforcing privacy policies
    • Patients' consent directives
Fine-grained control
• Policy statements are of the form,
  "role nurse can read blood data for the purpose of surgery preparation at location terminal x12 in room #101"
• Alice, as a 'nurse' → role
  – can 'read' Bob's test results → action
  – 'purpose' surgery prep → purpose of access
  – on a 'terminal x12 in room #112' → context
• Alice cannot,
  – print the record
  – email it to anyone
  – copy it
  – ...
  – access Britney's record
Technology Demonstrator: Re-purposing patient data
Aim: Use patients' data from Foothills Hospital for research purposes
• Multiple research projects
  – Teams, members with different roles
  – New teams formed, old teams removed
  – Provide remote access
  – Link with other health data
• Identify patients as potential candidates for each research study
  – Management and tracking of their records
• First stage: HiiTeC Hepatology Knowledge base
• In future: other areas of medicine
• Security requirements
  – Patients' private data
  – Patients' consent directives
  – Controlling access based on need to know
Current System
• Patients' records are stored in a MS SQL database
• MS SharePoint portal is used to access and manage the data
• Data can be downloaded by users in the form of MS InfoPath forms
• Security: everyone can see all data!
[diagram; components: Web Browser, SharePoint Services Server, Data (raw data, health record), Identity Management Server (log-in credentials)]
The New Architecture
[diagram; components: Rights Management Server (rights metadata, license), IRM Protectors, Browser with DRM Agent (protected record, consent), SharePoint Services Web Server (protected records, metadata + raw data), Data (raw data), Identity Management Server (groups, credentials)]
Scaling up to federated systems
• Data-level Federation
  – Using a federated database: integrating the databases in two organizations
  – Secure link for data transfer
  • Complete mutual trust between organizations to enforce consent directives (and perhaps other local policies)
  • Easy to implement
    – Use existing support for database federation in database engines
  • Does not support cross-organizational research studies, as applications are not connected
[diagram; Organization A and Organization B, each with Data, Consent, Application]
Scaling up to federated systems
• Business-Level Federation
  – federation at application level
  – extending the application to enable forming cross-organizational research studies
• Requirements
  – federation of identity management
    • standard solutions (e.g. SAML, Active Directory)
  – rights management federation
• Implementation is much more difficult
• Design alternatives
  – MS IRM service federation, or a custom solution
  – DRM trusted domains: issuing a license for a main server allowing it to issue local licenses in its domain
  – Issuing a cross-organizational license directly to the user in the other organization
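The last two design alternatives, as an added example in Python (not the project's implementation): in the trusted-domain variant, Organization A's rights-management server issues a domain license to Organization B's server that delegates the right to issue local licenses for one research study, and a DRM agent accepts a local license only if it is authentic, chains to A, and stays within what was delegated; in the direct variant, A issues the cross-organizational license straight to the user at B. The license fields, server names, keys and the use of HMAC-SHA256 (standard library only) in place of public-key signatures are assumptions made for the example.

```python
# Added example (Python, stdlib only); not the project's implementation.
# Shows two of the slide's design alternatives for rights-management
# federation: (a) DRM trusted domains, where Org A's rights-management
# server issues a domain license to Org B's server delegating the right to
# issue local licenses for one study, and a DRM agent accepts a local
# license only if it chains to A and stays within the delegation; and
# (b) a cross-organizational license issued by A directly to a user at B.
# Assumption: licenses are JSON bodies authenticated with HMAC-SHA256 under
# per-server keys known to the verifier; a deployment would use public-key
# signatures so that agents need only the issuers' public keys.
import hashlib
import hmac
import json

ROOT = "rms.org-a"                                   # Org A's rights-management server
KEYS = {"rms.org-a": b"org-a-secret", "rms.org-b": b"org-b-secret"}  # constructed sample keys
T0 = 1_700_000_000                                   # fixed "now" for a reproducible run
STUDY = "hepatology-7"                               # constructed study identifier


def _mac(key: bytes, body: dict) -> str:
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def issue(issuer: str, key: bytes, body: dict) -> dict:
    """A rights-management server binds its identity into the body and authenticates it."""
    body = dict(body, issuer=issuer)
    return {"body": body, "mac": _mac(key, body)}


def _authentic(lic: dict, keys: dict) -> bool:
    key = keys.get(lic["body"]["issuer"])
    return key is not None and hmac.compare_digest(lic["mac"], _mac(key, lic["body"]))


def verify_chain(user_lic: dict, domain_lic: dict, keys: dict, now: int, study: str, user: str) -> bool:
    """Trusted-domain check: accept the local license only if both documents are
    authentic, the domain license comes from ROOT and names the local issuer as
    delegate for this study, the local license names the requesting user, and the
    local license never exceeds the delegation in actions or lifetime."""
    ub, db = user_lic["body"], domain_lic["body"]
    return all([
        _authentic(user_lic, keys),
        _authentic(domain_lic, keys),
        db["issuer"] == ROOT,
        db.get("delegate") == ub["issuer"],
        db.get("study") == study and ub.get("study") == study,
        ub.get("user") == user,
        now < ub["expires"] <= db["expires"],
        set(ub.get("actions", [])) <= set(db.get("actions", [])),
    ])


def verify_direct(lic: dict, keys: dict, now: int, study: str, user: str) -> bool:
    """Cross-organizational license issued by ROOT straight to the remote user."""
    b = lic["body"]
    return bool(_authentic(lic, keys) and b["issuer"] == ROOT and b.get("study") == study
                and b.get("user") == user and now < b["expires"])


def scenario() -> dict:
    a, b = KEYS["rms.org-a"], KEYS["rms.org-b"]
    domain = issue(ROOT, a, {"delegate": "rms.org-b", "study": STUDY,
                             "actions": ["read"], "expires": T0 + 86_400})
    carol = {"user": "carol@org-b", "study": STUDY, "actions": ["read"], "expires": T0 + 3_600}
    local_ok = issue("rms.org-b", b, carol)
    too_broad = issue("rms.org-b", b, dict(carol, actions=["read", "print"]))   # exceeds delegation
    outlives = issue("rms.org-b", b, dict(carol, expires=T0 + 200_000))        # outlives delegation
    tampered = dict(local_ok, body=dict(local_ok["body"], actions=["read", "print"]))  # body edited, MAC stale
    direct = issue(ROOT, a, {"user": "dave@org-b", "study": STUDY, "actions": ["read"], "expires": T0 + 3_600})
    now = T0 + 10
    return {
        "chained ok": verify_chain(local_ok, domain, KEYS, now, STUDY, "carol@org-b"),
        "chained exceeds delegated actions": verify_chain(too_broad, domain, KEYS, now, STUDY, "carol@org-b"),
        "chained outlives delegation": verify_chain(outlives, domain, KEYS, now, STUDY, "carol@org-b"),
        "chained tampered body": verify_chain(tampered, domain, KEYS, now, STUDY, "carol@org-b"),
        "chained wrong user": verify_chain(local_ok, domain, KEYS, now, STUDY, "mallory@org-b"),
        "chained after expiry": verify_chain(local_ok, domain, KEYS, T0 + 4_000, STUDY, "carol@org-b"),
        "direct ok": verify_direct(direct, KEYS, now, STUDY, "dave@org-b"),
        "direct wrong user": verify_direct(direct, KEYS, now, STUDY, "carol@org-b"),
    }
```

The chain check is where the trust relationship between the organizations becomes explicit: Organization B's server can mint licenses without contacting A for each user, but only within the study, actions and lifetime A delegated, and an agent that enforces the comparison refuses a local license that adds "print" or that expires after the domain license even though B signed it correctly. The direct variant needs no delegation but ties every remote user to A's server.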
[diagram; Organization A and Organization B, each with Rights Mgmt Server, Identity Mgmt Server, SharePoint Services, Data, Consent]
Future direction: Taking the project to the 'Cloud'
• Scalable design
  – Patient data stored in the 'cloud'
  – Provincial, national, ..., global access
• Access according to stated policies
  – Whose policy?
  – Trust relationships
  – Consent directives
  – Efficient enforcement?
• Data security: whose responsibility?
  – Encrypted content
• Universality of the approach
  – A similar approach can be used for other types of data
  – The technology can be used for protection of any document
Project details
Participants
• iCIS Lab: Mohammad Jafari, Nicholas Sheppard, Michal Sramka
• HiiTeC: Chad Saunders, Hytham Khalil, Simon Liu
• Cybera: Patrick Mann, Jill Kowalchuk
• Other support: MITACS, iCORE
Publications
• N. P. Sheppard, R. Safavi-Naini, M. Jafari, "A Digital Rights Management Model for Healthcare", Proceedings of IEEE POLICY'09, London, UK.
• N. P. Sheppard, R. Safavi-Naini, M. Jafari, "A Secure Electronic Healthcare Record Infrastructure in the Digital Rights Management Model", Technical Report 2009-939-18, Department of Computer Science, University of Calgary, 2009.