Developing an infrastructure for secure patient summary exchange in the EU context: Lessons learned from the KONFIDO project

Background: The increase of healthcare digitalization comes along with potential information security risks. Thus, the EU H2020 KONFIDO project aimed to provide a toolkit supporting secure cross-border health data exchange. Methods: KONFIDO focused on the so-called “User Goals”, while also identifying barriers and facilitators regarding eHealth acceptance. Key user scenarios were elaborated both in terms of threat analysis and legal challenges. Moreover, KONFIDO developed a toolkit aiming to enhance the security of OpenNCP, the reference implementation framework. Results: The main project outcomes are highlighted and the “Lessons Learned,” the technical challenges and the EU context are detailed. Conclusions: The main “Lessons Learned” are summarized and a set of recommendations is provided, presenting the position of the KONFIDO consortium toward a robust EU-wide health data exchange infrastructure. To this end, the lack of infrastructure and technical capacity is highlighted, legal and policy challenges are identified and the need to focus on usability and semantic interoperability is emphasized. Regarding technical issues, an emphasis on transparent and standards-based development processes is recommended, especially for landmark software projects. Finally, promoting mentality change and knowledge dissemination is also identified as key step toward the development of secure cross-border health data exchange services

Evaluating a Reference Architecture for Privacy Level Agreement\u27s Management

With the enforcement of the General Data Protection Regulation and the compliance to specific privacyand security-related principles, the adoption of Privacy by Design and Security by Design principles can be considered as a legal obligation for all organisations keeping EU citizens’ personal data. A formal way to support Data Controllers towards their compliance to the new regulation could be a Privacy Level Agreement (PLA), a mutual agreement of the privacy settings between a Data Controller and a Data Subject, that supports privacy management, by analysing privacy threats, vulnerabilities and Information Systems’ trust relationships. However, the concept of PLA has only been proposed on a theoretical level. In this paper, we propose a novel reference architecture to enable PLA management in practice, and we report on the application and evaluation of PLA management within the context of real-life case studies from two different domains, the public administration and the healthcare, where sensitive data is kept. The results are rather positive, indicating that the adoption of such an agreement promotes the transparency of an organisation while enhances data subjects’ trust

GDPR Implementation in an Airline Contact Center

Seoses GDPR kasutuselevõtmisega 2018. aasta mais, on paljudel ettevõtetel, kus kasutatakse tavapäraselt EL kodanike isikuandmeid, oht suurteks trahvideks. Lennufirmad on üks näide ärist, kus töödeldakse massiliselt isikuandmeid ja see toob teravalt esile lennuettevõtete vastavuse GDPR nõuetele. Suur osa neist andmetest töödeldakse kontaktkeskustes, mis toob vajaduse viia töötlemine vastavusse GDPR nõuetega. Lennufirmad, kus ei olda valmis kohaldama GDPR nõudeid, võivad silmitsi seista mainekahjudega, klientide usalduse kaotusega või pankrotiga suurte trahvide tõttu. Tänapäeval enamik lennufirmadest ostab kontaktkeskuse teenuseid sisse kolmandalt osapoolelt, mistõttu on keerukas andmetöötluse rolle ja vastutust jagada mõlema osapoole vahel. Pooled peavad jõudma kokkuleppele, et kanda võrdselt vastutust tänapäeva pingelises konkurentsis. Käesoleva magistritöö eesmärgiks on viia läbi Euroopa ühe suurima lennuettevõtja kontaktkeskuse juhtumianalüüs, analüüsida lendude broneerimise protsessi GDPR seisukohalt ja selgitada välja lüngad, mis võivad põhjustada nõuetele mittevastavust. Lõputöö keskendub vastavuse saavutamiseks lünkade täitmisele lennubroneerimise protsessis, tuues sisse uusi tegevusi, mida kinnitas ka lennufirma kontaktkeskuse juhtivtöötajate ekspertarvamus.With the introduction of GDPR in upcoming May 2018, many companies that used to handle personal data of EU citizens in a more casual manner, are now at risk of facing heavy fines. Airline industry is one such example of business entity that handles and processes personal data on massive scales, which puts the airline business in the spotlight of GDPR compliance. A fair amount of such data is processed in contact centers, which makes it vital to comply with GDPR. Airlines that are not ready to adapt GDPR may face loss of reputation, loss of customer’s trust and bankruptcy because of heavy fines. In today’s age, most of airlines have outsourced their contact center business to third parties, which makes it even more complicated to define the roles and responsibilities of data controller and data processor and both entities have to reach an agreement to share the burden of compliance, in order to survive in today’s competitive environment. The idea of this thesis is to study a running case scenario in one of the major European Airline’s contact center, analyze the flight booking process from GDPR’s perspective to find out the gaps that can cause non-compliance. The solution part of this thesis is focused on filling these gaps by means of activities introduced in the flight booking process to achieve compliance, validated by expert opinion from senior staff members of Airline’s contact center

A policy compliance detection architecture for data exchange infrastructures

Data sharing and federation can significantly increase efficiency and lower the cost of digital collaborations. It is important to convince the data owners that their outsourced data will be used in a secure and controlled manner. To achieve this goal, constructing a policy governing concrete data usage rule among all parties is essential. More importantly, we need to establish digital infrastructures that can enforce the policy. In this thesis, we investigate how to select optimal application-tailored infrastructures and enhance policy compliance capabilities. First, we introduce a component linking the policy to the infrastructure patterns. The mechanism selects digital infrastructure patterns that satisfy the collaboration request to a maximal degree by modelling and closeness identification. Second, we present a threat-analysis driven risk assessment framework. The framework quantitatively assesses the remaining risk of an application delegated to digital infrastructure. The optimal digital infrastructure for a specific data federation application is the one which can support the requested collaboration model and provides the best security guarantee. Finally, we present a distributed architecture that detects policy compliance when an algorithm executes on the data. A profile and an IDS model are built for each containerized algorithm and are distributed to endpoint execution platforms via a secure channel. Syscall traces are monitored and analysed in endpoint points platforms. The machine learning based IDS is retrained periodically to increase generalization. A sanitization algorithm is implemented to filter out malicious samples to further defend the architecture against adversarial machine learning attacks

Challenges and opportunities of the China – Gulf Cooperation Council Free Trade Agreement

The free trade agreement between China and the Gulf Cooperation Council (“the GCC”) currently under negotiation is due to become China’s first comprehensive trade and investment agreement with a supranational customs union. The article explores the challenges and opportunities of the proposed China-GCC Free Trade Agreement. It proposes tailor-made recommendations according to the specific interests of both parties