ABSTRACT
Modern information technology is increasingly used in healthcare with the goal to improve and enhance medical services and to reduce costs. In this context, the outsourcing of computation and storage resources to general IT providers (cloud computing) has become very appealing. E-health clouds offer new possibilities, such as easy and ubiquitous access to medical data, and opportunities for new business models. However, they also bear new risks and raise challenges with respect to security and privacy aspects.
In this paper, we point out several shortcomings of current e-health solutions and standards, particularly they do not address the client platform security, which is a crucial aspect for the overall security of e-health systems. To fill this gap, we present a security architecture for establishing privacy domains in e-health infrastructures. Our solution provides client platform security and appropriately combines this with network security concepts. Moreover, we discuss further open problems and research challenges on security, privacy and usability of e-health cloud systems.
- P. Barham, B. Dragovic, K. Fraser, S. Hand, T. L. Harris, A. Ho, R. Neugebauer, I. Pratt, and A. Warfield. Xen and the art of virtualization. In 19th ACM Symposium on Operating Systems Principles (SOSP'03), pages 164--177. ACM Press, 2003. Google ScholarDigital Library
- S. Berger, R. Cáceres, D. E. Pendarakis, R. Sailer, E. Valdez, R. Perez, W. Schildhauer, and D. Srinivasan. TVDc: Managing security in the trusted virtual datacenter. Operating Systems Review, 42(1): 40--47, 2008. Google ScholarDigital Library
- A. Bussani, J. L. Griffin, B. Jansen, K. Julisch, G. Karjoth, H. Maruyama, M. Nakamura, R. Perez, M. Schunter, A. Tanner, L. V. Doorn, E. A. V. Herreweghen, M. Waidner, and S. Yoshihama. Trusted Virtual Domains: Secure foundations for business and IT services. Technical Report RC23792, IBM Research, 2005.Google Scholar
- S. Cabuk, C. I. Dalton, K. Eriksson, D. Kuhlmann, H. V. Ramasamy, G. Ramunno, A.-R. Sadeghi, M. Schunter, and C. Stüble. Towards automatedsecurity policy enforcement in multi-tenant virtual data centers. Journal of Computer Security, 18(1): 89--121, 2010. Google ScholarDigital Library
- L. Catuogno, A. Dmitrienko, K. Eriksson, D. Kuhlmann, G. Ramunno, A.-R. Sadeghi, S. Schulz, M. Schunter, M. Winandy, and J. Zhan. Trusted Virtual Domains -- design, implementation and lessons learned. In International Conference on Trusted Systems 2009 (INTRUST'09). Springer Verlag, 2009. Google ScholarDigital Library
- L. Catuogno, H. Löhr, M. Manulis, A.-R. Sadeghi, C. Stüble, and M. Winandy. Trusted Virtual Domains: Color your network. Datenschutz und Datensicherheit (DuD), 5, 2010.Google Scholar
- L. Catuogno, H. Löhr, M. Manulis, A.-R. Sadeghi, and M. Winandy. Transparent mobile storage protection in trusted virtual domains. In 23rd Large Installation System Administration Conference (LISA'09). USENIX Association, 2009. Google ScholarDigital Library
- Common Criteria Project Sponsoring Organisations. Common Criteria for Information Technology Security Evaluation, Version 3.1, July 2009. http://www.commoncriteriaportal.org/thecc.html.Google Scholar
- Y. Gasmi, A.-R. Sadeghi, P. Stewin, M. Unger, and N. Asokan. Beyond secure channels. In 2nd ACM Workshop on Scalable Trusted Computing (STC'07), pages 30--40. ACM Press, 2007. Google ScholarDigital Library
- Gematik. Einführung der Gesundheitskarte - Gesamtarchitektur, Version 1.7.0. http://www.gematik.de/upload/GA_ZentraleDienste_5171.zip, August 2009.Google Scholar
- Gematik. Einführung der Gesundheitskarte - Netzwerkspezifikation, Version 2.0.0. http://www.gematik.de/upload/GA_ZentraleDienste_5171.zip, August 2009.Google Scholar
- Gematik - Gesellschaft für Telematikanwendungen derGesundheitskarte. http://www.gematik.de.Google Scholar
- J. L. Griffin, T. Jaeger, R. Perez, R. Sailer, L. van Doorn, and R. Cáceres. Trusted Virtual Domains: Toward secure distributed services. In Proceedings of the 1st IEEE Workshop on Hot Topics in System Dependability (HotDep'05), June 2005. Google ScholarDigital Library
- Health Level Seven International (HL7). http://www.hl7.org.Google Scholar
- C.-Y. Hsu, Y.-C. Chen, R.-C. Luo, H.-H. Rau, C.-T. Fan, B.-S. Hsiao, and H.-W. Chiu. A resource-sharing platform for trading biomedical intellectual property. IT Professional, 12: 42--49, 2010. Google ScholarDigital Library
- International Organization for Standardization (ISO). Technical Committee 215, Health Informatics. http://www.iso.org/iso/iso_technical_committee?commid=54960.Google Scholar
- Kassenärztliche Bundesvereinigung. KV-SafeNet homepage. http://www.kbv.de/12705.html.Google Scholar
- J. Liedtke. On micro-kernel construction. In Fifteenth ACM Symposium on Operating System Principles (SOSP'95), pages 237--250. ACM Press, 1995. Google ScholarDigital Library
- H. Löhr, A.-R. Sadeghi, C. Stüble, M. Weber, and M. Winandy. Modeling trusted computing support in a protection profile for high assurance security kernels. In Trusted Computing, 2nd International Conference, Trust 2009, volume 5471 of Lecture Notes in Computer Science, pages 45--62. Springer, 2009. Google ScholarDigital Library
- H. Löhr, A. R. Sadeghi, C. Vishik, and M. Winandy. Trusted privacy domains -- challenges for trusted computing in privacy-protecting information sharing. In Information Security Practice and Experience, 5th International Conference, (ISPEC'09), volume 5451 of Lecture Notes in Computer Science, pages 396--407. Springer, 2009. Google ScholarDigital Library
- H. Löhr, A.-R. Sadeghi, and M. Winandy. Patterns for secure boot and secure storage in computer systems. In 4th International Workshop of Secure System Methodologies Using Patterns (SPattern 2010), In Proc. of Fifth International Conference on Availability, Reliability and Security (ARES'10), pages 569--573. IEEE Computer Society, 2010.Google ScholarCross Ref
- H.-H. Rau, C.-Y. Hsu, Y.-L. Lee, W. Chen, and W.-S. Jian. Developing electronic health records in Taiwan. IT Professional, 12: 17--25, 2010. Google ScholarDigital Library
- T. Schabetsberger, E. Ammenwerth, S. Andreatta, G. Gratl, R. Haux, G. Lechleitner, K. Schindelwig, C. Stark, R. Vogl, I. Wilhelmy, and F. Wozak. From a paper-based transmission of discharge summaries to electronic communication in health care regions. International Journal of Medical Informatics, 75: 209--215, 2006.Google ScholarCross Ref
- D. Sofsian. An introduction to medicalbilling. http://www.e-healtharticles.com/Detailed/1449.html, April 2006.Google Scholar
- A. Sunyaev, A. Kaletsch, C. Mauro, and H. Krcmar. Security analysis of the german electronic health card's peripheral parts. In ICEIS 2009 - Proceedings of the 11th International Conference on Enterprise Information Systems, Volume ISAS, Milan, Italy, May 6-10, 2009, pages 19--26, 2009.Google ScholarCross Ref
- A. Sunyaev, J. M. Leimeister, and H. Krcmar. Open security issues in german healthcare telematics. In HEALTHINF 2010 - Proceedings of the 3rd International Conference on Health Informatics, pages 187--194. INSTICC, 2010.Google Scholar
- Trusted Computing Group. TPM Main Specification, Version 1.2 rev. 103, July 2007. https://www.trustedcomputinggroup.org.Google Scholar
Index Terms
- Securing the e-health cloud
Recommendations
Securing Electronic Health Records in the Cloud
W-P2DS'18: Proceedings of the 1st Workshop on Privacy by Design in Distributed SystemsHealth care institutions gather and store sensitive information from patients with the goal of providing the best care. The medical history of a patient is essential to guarantee that the right diagnosis is achieved and help the clinical staff act in ...
Securing the IP-based internet of things with HIP and DTLS
WiSec '13: Proceedings of the sixth ACM conference on Security and privacy in wireless and mobile networksThe IP-based Internet of Things (IoT) refers to the pervasive interaction of smart devices and people enabling new applications by means of new IP protocols such as 6LoWPAN and CoAP. Security is a must, and for that we need a secure architecture in ...
Elicitation of Security requirements for E-Health system by applying Model Oriented Security Requirements Engineering (MOSRE) Framework
CCSEIT '12: Proceedings of the Second International Conference on Computational Science, Engineering and Information TechnologyE-health is a health care system which is supported by electronic process and communication. The information that is kept in the system must be accurate. In case of false information, it may cause harm to human life. So this system needs more security ...
Comments