
    Safeguarding health data with enhanced accountability and patient awareness

    Several factors are driving the transition from paper-based health records to electronic health record systems. In the United States, the adoption rate of electronic health record systems increased significantly after the "Meaningful Use" incentive program was started in 2009. While increased use of electronic health record systems could improve the efficiency and quality of healthcare services, it can also lead to a number of security and privacy issues, such as identity theft and healthcare fraud. Such incidents could have a negative impact on the trustworthiness of electronic health record technology itself and thereby could limit its benefits. In this dissertation, we tackle three challenges that we believe are important to improve the security and privacy in electronic health record systems. Our approach is based on an analysis of real-world incidents, namely theft and misuse of patient identity, unauthorized usage and update of electronic health records, and threats from insiders in healthcare organizations. Our contributions include the design and development of a user-centric monitoring agent system that works on behalf of a patient (i.e., an end user) and securely monitors usage of the patient's identity credentials as well as access to her electronic health records. Such a monitoring agent can enhance the patient's awareness and control and improve accountability for health records even in a distributed, multi-domain environment, which is typical in an e-healthcare setting. This will reduce the risk and loss caused by misuse of stolen data. In addition to the solution from a patient's perspective, we also propose a secure system architecture that can be used in healthcare organizations to enable robust auditing and management over client devices. This helps us further enhance patients' confidence in secure use of their health data.
    PhD. Committee Chair: Mustaque Ahamad; Committee Member: Douglas M. Blough; Committee Member: Ling Liu; Committee Member: Mark Braunstein; Committee Member: Wenke Le

    Identity Management and Authorization Infrastructure in Secure Mobile Access to Electronic Health Records

    We live in an age of the mobile paradigm of anytime/anywhere access, as the mobile device is the most ubiquitous device that people now hold. Due to their portability, availability, ease of use, communication, and access to and sharing of information within various domains and areas of our daily lives, the acceptance and adoption of these devices is still growing. However, due to their potential and rising numbers, mobile devices are a growing target for attackers and, like other technologies, mobile applications are still vulnerable. Health information systems are composed of tools and software to collect, manage, analyze and process medical information (such as electronic health records and personal health records). Therefore, such systems can empower the performance and maintenance of health services, promoting availability, readability, accessibility and data sharing of vital information about a patient's overall medical history between geographically fragmented health services. Quick access to information is of great importance in the health sector, as it accelerates work processes, resulting in better time utilization. Additionally, it may increase the quality of care. However, health information systems store and manage highly sensitive data, which raises serious concerns regarding patients' privacy and safety, and may explain the still increasing number of malicious incident reports within the health domain. Data related to health information systems are highly sensitive and subject to severe legal and regulatory restrictions that aim to protect the individual rights and privacy of patients. Alongside this legislation, security requirements must be analyzed and measures implemented. Among the security requirements necessary to access health data, secure authentication, identity management and access control are essential to provide adequate means to protect data from unauthorized access. However, besides the use of simple authentication models, traditional access control models are commonly based on predefined access policies and roles, and are inflexible. This results in uniform access control decisions across people, different types of devices, environments and situational conditions, and across enterprises, locations and time. Although existing models can meet the needs of health care systems, they still lack components for dynamicity and privacy protection, which leads to security levels below those desired and to the patient not having full and easy control over his privacy. Within this master's thesis, after in-depth research and review of the state of the art, a novel dynamic access control model was published, the Socio-Technical Risk-Adaptable Access Control modEl (SoTRAACE), which can model the inherent differences and security requirements that are present in this thesis. To do this, SoTRAACE aggregates attributes from various domains to help perform a risk assessment at the moment of the request. The assessment of the risk factors identified in this work is based on a Delphi study. A set of security experts from various domains was selected to classify the impact in the risk assessment of each attribute that SoTRAACE aggregates. SoTRAACE was integrated into an architecture with well-founded requirements, based on the best recommendations and standards (OWASP, NIST 800-53, NIST 800-57) as well as on an in-depth review of the state of the art. The architecture is further subjected to the essential security analysis and threat model. As a proof of concept, the proposed access control model was implemented within the user-centric architecture, with two mobile prototypes for several types of access by patients and healthcare professionals, as well as the web servers that handle the access requests, authentication and identity management. The proof of concept shows that the model works as expected, with transparency, assuring privacy and data control to the user without impact on user experience and interaction. It is clear that the model can be extended to other industry domains, and new levels of risk or attributes can be added because it is modular. The architecture also works as expected, assuring secure multifactor authentication and secure data sharing/access based on SoTRAACE decisions. The communication channel that SoTRAACE uses was also protected with a digital certificate. Finally, the architecture was tested on different Android versions, with static and dynamic analysis and with security tools. Future work includes the integration of health data standards and evaluating the proposed system by collecting users' opinions after releasing the system to the real world.
    Nowadays we live in a mobile paradigm of anywhere/anytime access, with mobile devices being the technology most present in society's daily life. Due to their portability, availability, ease of handling, communication power, and access to and sharing of information about various areas and domains of our lives, the acceptance and integration of these devices is ever greater. However, due to their potential and the growing number of users, mobile devices are increasingly the target of attacks, and, like other technologies, mobile applications continue to be vulnerable. Health information systems are composed of tools and software that allow medical information (such as electronic health records) to be collected, administered, analysed and processed. Therefore, such systems can boost the performance and maintenance of health services, thus promoting the availability, accessibility and sharing of vital data about patients' general medical records between services and institutions that are geographically fragmented. Rapid access to medical information is of great importance to the health sector, since it speeds up work processes, resulting in more efficient use of time and resources. Consequently, there will be better quality of treatment. However, health information systems store and handle very sensitive data, which raises serious concerns about patient privacy and safety. This explains the increase in malicious incidents within the health domain. Health data are highly sensitive and subject to strict laws and regulatory restrictions that aim to ensure the protection of patients' rights and privacy, safeguarding their health data. Together with this legislation, security requirements must be analysed and measures implemented. Among the requirements necessary for accessing health data, secure authentication, identity management and access controls are essential to provide adequate means of protecting data against unauthorised access. However, beyond the use of simple authentication models, traditional access control models are normally based on predefined access policies and roles, and are inflexible. This results in uniform access control decisions across different people, device types, environments and situational conditions, enterprises, locations and moments in time. Although existing models make it possible to meet some needs of health systems, there is still a shortage of components for dynamic access and privacy protection, which results in unsatisfactory levels of security and in the patient not having direct and full control over his privacy and health records. Within this master's thesis, after intensive research and review of the state of the art, an innovative access control model called SoTRAACE was published, which models the inherent access differences and security requirements present in this thesis. To do this, SoTRAACE aggregates attributes from various environments and domains that help carry out a risk assessment at the moment the data are requested. The assessment of the risk factors identified in this work is based on a Delphi study. A set of security experts from various industrial domains was selected to classify the impact of each attribute that SoTRAACE aggregates. SoTRAACE was integrated into an architecture for accessing medical data, with well-founded requirements based on the best standards and recommendations (OWASP, NIST 800-53, NIST 800-57) and on intensive reviews of the state of the art. This architecture is then subjected to a security analysis and attack models. As a proof of concept, the proposed access control model is implemented together with a user-centred architecture, with two prototypes for mobile applications that provide various types of access for patients and healthcare professionals. The architecture also comprises web servers that handle data management, access control, authentication and identity management. The final result shows that the model works as expected, with transparency, ensuring privacy and data control for the user without impacting their interaction and experience. Consequently, this model can be extended to other industrial sectors, and new risk levels or attributes can be added to it because it is modular. The architecture also works as expected, ensuring secure multi-factor authentication and secure data access and sharing based on SoTRAACE decisions. The communication channel that SoTRAACE uses was also protected with a digital certificate. The architecture was tested on different Android versions and was subjected to static and dynamic analysis and to tests with security tools. Future work includes the integration of health data standards and the evaluation of the proposed system by collecting opinions from users in the real world.

    Insider threat detection from healthcare access logs

    Social and health care has moved to electronic patient records. To guarantee patient safety, the law requires that logs of their use be collected. Misuse of patient data by users can be detected from the access logs through auditing, but the large volume of data makes manual review difficult. Data mining and machine learning techniques can be used when trying to find relevant information, similarities and anomalies in large data sets. These techniques are an important part of the research fields known as misuse detection and insider threat detection. This thesis searched for insider threat detection methods suitable for healthcare that make use of access logs. The research method used for the search was an integrative literature review, whose material comprised 19 quality-assessed scientific publications. The included publications, from 2009–2019, were collected from computer science databases. The main result of the thesis is the literature review itself, which presents earlier research in the subject area and forms a synthesis. The synthesis contains a condensed description of the current state of insider threat detection solutions in the healthcare environment. A working system determines whether an access log record, a user or a patient indicates misuse. The system's detection strategy makes use of simple rules, alert prioritisation and reduction, recommendation, explanatory templates of normal use, or proximity measures. Data important to the system are access logs and organisational and treatment data. Finding detection methods suitable for healthcare is possible with the help of a literature review, although forming consistent search terms poses challenges. The review showed that the set of applicable methods is diverse and that they can probably make detection work more efficient. In addition, the research field of insider threat detection is active, so more new detection strategies may be found in the near future. It is likely that, because of the special characteristics of the healthcare environment, future solutions will also rely heavily on access logs. Further research should examine the practical suitability of the methods in Finnish healthcare alongside existing systems.

    Security and privacy issues in implantable medical devices: A comprehensive survey

    Bioengineering is a field in expansion. New technologies are appearing to provide more efficient treatment of diseases or human deficiencies. Implantable Medical Devices (IMDs) are one example, being devices with growing computing, decision-making and communication capabilities. Several research works in the computer security field have identified serious security and privacy risks in IMDs that could compromise the implant and even the health of the patient who carries it. This article surveys the main security goals for the next generation of IMDs and analyzes the most relevant protection mechanisms proposed so far. On the one hand, the security proposals must take into consideration the inherent constraints of these small, implanted devices: energy, storage and computing power. On the other hand, proposed solutions must achieve an adequate balance between the safety of the patient and the security level offered, with the battery lifetime being another critical parameter in the design phase.

    Securing Medical Devices and Protecting Patient Privacy in the Technological Age of Healthcare

    The healthcare industry has been adopting technology at an astonishing rate. This technology has served to increase the efficiency and decrease the cost of healthcare around the country. While technological adoption has undoubtedly improved the quality of healthcare, it has also brought new security and privacy challenges to the industry that healthcare IT manufacturers are not necessarily fully prepared to address. This dissertation explores some of these challenges in detail and proposes solutions that will make medical devices more secure and medical data more private. Compared to other industries, the medical space has some unique challenges that add significant constraints on possible solutions to problems. For example, medical devices must operate reliably even in the face of attack. Similarly, due to the need to access patient records in an emergency, strict enforcement of access controls cannot be used to prevent unauthorized access to patient data. Throughout this work we will explore particular problems in depth and introduce novel technologies to address them. Each chapter in this dissertation explores some aspect of security or privacy in the medical space. We present tools to automatically audit accesses in electronic medical record systems in order to proactively detect privacy violations; to automatically fingerprint network-facing protocols in order to non-invasively determine whether particular devices are vulnerable to known attacks; and to authenticate healthcare providers to medical devices without the need for a password, in a way that protects against all known attacks present in radio-based authentication technologies. We also present an extension to the widely-used beacon protocol in order to add security in the face of active attackers; and we demonstrate an overhead-free solution to protect embedded medical devices against previously unpreventable attacks that evade existing control-flow integrity enforcement techniques by leveraging insecure built-in features in order to maliciously exploit configuration vulnerabilities in devices.

    Context-Based Access for Infrequent Requests in Tanzania's Health Care System

    Access control is an important aspect of any information system. It is a way of ensuring that users can only access what they are authorised to and no more. This can be achieved by granting users access to resources based on pre-defined organisational and legislative rules. Although access control has been extensively studied, and as a result a wide range of access control models, mechanisms and systems have been proposed, the specific access control requirements of healthcare systems that need to support the continuity of care in an accountable manner have not been addressed. This results in a gap between what is required by the application domain and what is actually practised, and thus access control solutions implemented for the domain become too restrictive. The continuity of care is defined as the delivery of seamless health care services to patients through integration, coordination and sharing of information between providers. This thesis, therefore, designs a context-based access control model that allows healthcare professionals to bypass access rules in an accountable manner in case of an infrequent access request involving an emergency situation. This research uses Tanzania's healthcare system as a case study domain.

    Contributions to the privacy provisioning for federated identity management platforms

    Identity information, personal data and users' profiles are key assets for organizations and companies, making the use of identity management (IdM) infrastructures a prerequisite for most companies, since IdM systems allow them to perform their business transactions by sharing information and customizing services for several purposes in more efficient and effective ways. Due to the importance of the identity management paradigm, a lot of work has been done so far, resulting in a set of standards and specifications. According to them, under the umbrella of the IdM paradigm a person's digital identity can be shared, linked and reused across different domains, allowing users simple session management, etc. In this way, users' information is widely collected and distributed to offer new value-added services and to enhance availability. Whereas these new services have a positive impact on users' lives, they also bring privacy problems. To manage users' personal data while protecting their privacy, IdM systems are the ideal target for deploying privacy solutions, since they handle users' attribute exchange. Nevertheless, current IdM models and specifications do not sufficiently address comprehensive privacy mechanisms or guidelines that enable users to better control the use, disclosure and revocation of their online identities. These are essential aspects, especially in sensitive environments where incorrect and unsecured management of users' data may lead to attacks, privacy breaches, identity misuse or fraud. Nowadays there are several approaches to IdM that have benefits and shortcomings from the privacy perspective. In this thesis, the main goal is to contribute to the privacy provisioning for federated identity management platforms. For this purpose, we propose a generic architecture that extends current federated IdM systems. We have mainly focused our contributions on health care environments, given their particularly sensitive nature. The two main pillars of the proposed architecture are the introduction of a selective privacy-enhanced user profile management model and flexibility in consent revocation by incorporating an event-based hybrid IdM approach, which makes it possible to replace time constraints and explicit revocation by activating and deactivating authorization rights according to events. The combination of both models makes it possible to deal with both online and offline scenarios, as well as to empower the user role by letting her bring together identity information from different sources. Regarding revocation of the user's consent, we propose an implicit consent revocation mechanism based on events, which introduces a new concept, the sleepyhead credential, which is issued only once and can be used at any time. Moreover, we integrate this concept in IdM systems supporting a delegation protocol, and we contribute the definition of a mathematical model to determine event arrivals at the IdM system and how they are conveyed to the corresponding entities, as well as its integration with the most widely deployed specification, i.e., Security Assertion Markup Language (SAML). In regard to user profile management, we define a privacy-aware user profile management model to provide efficient selective information disclosure. With this contribution a service provider is able to access the specific personal information it needs without being able to inspect any other details, while the user keeps control of her data by controlling who can access it. The structure that we consider for the user profile storage is based on extensions of Merkle trees that allow hash combining, which minimizes the need for individual verification of elements along a path. An algorithm for sorting the tree so that frequently accessed attributes sit closer to the root (minimizing access time) is also provided. Formal validation of the above-mentioned ideas has been carried out through simulations and the development of prototypes. Besides, dissemination activities were performed in projects, journals and conferences.
    Official Doctoral Programme in Telematic Engineering. Chair: María Celeste Campo Vázquez; Secretary: María Francisca Hinarejos Campos; Member: Óscar Esparza Martí

    Facilitating patient and administrator analyses of electronic health record accesses

    The past two decades in the United States have ushered in an era of increasing ubiquity of digitized healthcare as the speed and sophistication of technology follow an ever-growing trend. Electronic health records (EHRs) are an integral part of the growing healthcare industry; they offer ease of access and new functionality while simultaneously causing worries over their privacy and security. In an effort to address these concerns, much legislation has been enacted in order to tighten the oversight and requirements for accessing protected health information (PHI). Most recently, the Department of Health and Human Services has released rulemaking which requires providers utilizing EHRs to comply with patients' requests for logs of the accesses to their records. In this work, we outline our system for complying with this regulation while easing the burden of compliance for providers and simultaneously providing patients with informative and satisfying information about why their accounts were accessed. We implement a system called the Multiview Audit Interface (MAI), which utilizes recent research in the data mining and anomaly detection communities to provide a unified interface through which patients and administrators can conveniently use these algorithms. We then test this system on a de-identified access log from Northwestern Memorial Hospital containing months of audit data. We construct a framework for implementing these algorithms as modules, thereby recycling existing code, encouraging multi-faceted comprehension of their results, and offering an easy-to-use interface that administrators and patients alike can use. We demonstrate the power of the three modules currently implemented and show how the extensibility of the framework can be harnessed to develop further modules in the future.

    A System for The Promotion of Traceability and Ownership of Health Data Using Blockchain

    With the development of more and better globally connected mobile devices, and thanks to improvements in wireless connectivity, it became possible to utilize the capabilities of mobile devices to monitor health-related events in real time, making m-health a more appealing and functional technology. m-health enables the monitoring of health data, improving user convenience and enabling faster diagnoses without the need to travel to healthcare facilities. Blockchain technology is also an exponentially growing technology used in various research areas, from finance, voting mechanisms and production chains to IoT event control. A Blockchain can be described as a group of recorded transactions organized into blocks, where each block is linked to the previous block cryptographically. Grouping these records of transactions into blocks does not allow the stored information to be modified, since each block is secured by the cryptographic hash of the previous block. This technology provides important characteristics such as immutability, non-repudiation, transparency and a reduced need for intermediaries. These features provided by Blockchain technology grant huge advantages to m-health systems. An m-health system integrated with blockchain allows each access and transaction to be stored in the blockchain, thus providing immutability and non-repudiation for these transactions and increasing trust in the m-health system. This dissertation aims to study blockchain technology in conjunction with an m-health system capable of being easily integrated with other systems or applications, allowing a patient user to access his electronic health record. The data should be traceable throughout the system while maintaining the necessary anonymity. To this end, a prototype of a blockchain-based solution using Hyperledger Fabric was developed to be applied in this case. This implementation enables the creation of a chronologically organized and immutable health data record. To create an anonymous storage system, the proposed system uses two separate database components that maintain data traceability through sets of IDs stored in the blockchain. After the development of the proposed system, it was evaluated in terms of performance and Hyperledger Fabric network configurations. This work shows how the Blockchain can be used in conjunction with health data collected by mobile devices, in an advantageous manner, in contexts where security, anonymity and immutability of data are crucial aspects.
    The development of more and better globally interconnected mobile devices, thanks to progress in wireless mobile connections, has made it possible to use the capabilities of these devices to monitor health-related events in real time, making Mobile Health (m-health), or Mobile Technologies for Health, a more appealing and functional technology. m-health allows various health data to be monitored, improving user convenience and allowing faster diagnoses without the need to travel to healthcare facilities. Blockchain technology is also an exponentially growing technological area used in various research fields, from finance, voting mechanisms and production chains to Internet of Things (IoT) event control. A Blockchain can be described as a set of records organised into blocks, where each block is linked to the previous one cryptographically. Grouping these records of transactions into blocks means that the information cannot be altered, since it is secured by the cryptographic hash of the previous block. This technology provides important characteristics such as immutability, non-repudiation and transparency, and reduces the need for intermediaries. These characteristics provided by Blockchain technology grant enormous advantages to m-health systems. An m-health system integrated with blockchain allows, for example, each access and transaction to be stored in the blockchain, thus providing immutability and non-repudiation for these transactions and increasing trust in the m-health system. This dissertation aims to study blockchain technology in conjunction with an m-health system capable of being easily integrated with other systems or applications that allow a patient user to access his electronic health record, and in which the data can be traced throughout the system while maintaining anonymity. For this purpose, a prototype of a blockchain-based solution using Hyperledger Fabric was developed to be applied in this case. This implementation allows the creation of a chronologically organised and immutable health data record. To create an anonymous storage system, the proposed system uses two separate database components that maintain data traceability through sets of IDs stored in the blockchain. After the development of the proposed system, it was evaluated in terms of performance and Hyperledger Fabric network configurations. This work showed how Blockchain technology can be used in conjunction with health data collected by mobile devices in a beneficial way in contexts where security, anonymity and data immutability are crucial aspects.