Rei Safavi Naini
iCore Chair for Information Security Department of Computer Science, University of Calgary
Presented at the Cybera/CANARIE National Summit 2009, as part of the session "New Frontiers in Data Integration." This session showcased a selection of leading-edge initiatives that are breaking new ground and setting new precedents around the collection and integration of data.
Secure Electronic Health Records
1. A Digital Rights Management Approach to Securing Electronic Health Records
Rei Safavi-Naini
iCORE Chair in Information Security
Department of Computer Science, U of Calgary
iCORE Information Security Lab
2. Electronic Health Record (EHR)
• A collection of electronic health data
• In digital format: easy to share across network-connected information systems
• May include,
  • Demographics (race, disabilities..)
  • medical history,
  • medication and allergies, immunization status,
  • laboratory test results, radiology images,
  • billing information…
R. Safavi-Naini-Summit ‘09- Oct 14, 2009
4. Existing access to Health Data
• Data stored in island databases
• Security:
  – Mainly communication security
  – Encrypted links
  – No, or little control on access
  – After logging in to the system all data can be accessed
  – All doctors and nurses can access all data
  – Records can be copied, printed etc
• Other issues
  – Multiple copies of data
  – Inefficiency, hard to access…
• EHR is the centerpiece of an integrated solution to effective and secure management of health information.
5. Security is an integral part of EHR
• Paper data and data stores are inherently more secure
  • Limited number
  • Hard to duplicate.. imperfect copies
  • Changes are detectable
  • Hard to access
• Electronic data,
  • Many copies instantly
  • Easy to make copies
  • Changes undetectable
  • Can be accessed from any points…
    – Intranet: private confidential data among employees
    – Extranet for outsourced resources
    – Web Portal
• Security is a major challenge
6. A new approach: Using Digital Rights Management
• Digital rights management:
  – information is distributed in a protected form
  – information can only be accessed using a license
  – License contains terms and conditions in a machine-readable form
  – usable only by trusted DRM agents
  – compliant DRM agents will refuse to perform any action unless it is permitted by the licence.
[Figure: Components of a DRM System]
7. Digital Rights Management for Healthcare
In Healthcare:
[Figure: the DRM components applied to healthcare, with Organizational Policies as an input]

8. Digital Rights Management for Healthcare
In Healthcare:
• Consent directives can be expressed in terms of attributes.
  – adapted from the eXtensible Access Control Markup Language (XACML)
[Figure: as on slide 7, with consent directives alongside Organizational Policies]

9. Digital Rights Management for Healthcare
In Healthcare:
• A license
[Figure: as on slide 7, showing the license derived from consent directives and Organizational Policies]
11. A healthcare facility
‘Interpreting’ policies
• consent directive + site authorization policies → subjects, actions, etc.
• We use workflows to describe the activity within a facility
  – workflows imply licenses to perform specific actions
12. A healthcare facility
Workflows
• A sequence of tasks to be carried out in the specified order
• Authorization templates for each task
• Each workflow realizes a specific purpose of data processing
  – “Treatment Workflow” → “Treatment Purpose”
[Figure: example treatment workflow: Start → Check → Examine → Diagnose OR Second Opinion → Check → Stop]
13. A healthcare facility
• A session starts when a workflow is initiated
• DRM agents can join and leave a session
  – Only if their currently logged-in user has the privileges to run the workflow of the session
• Licenses are issued for sessions
  – Any agent that joins the session can benefit from the license
    • A user can continue a session with a different agent if that agent joins the session
  – E.g. continue execution of the workflow on a mobile device
[Figure: facility architecture: Identity Mgmt. supplies Credentials and Roles; CDMS exchanges XACML Req./Resp. with the License Issuer; Wrkflw Mgmt. supplies the Authorization Template; Org. Policy feeds the License Issuer, which issues the License]
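An added example, not code from the presentation or the project: a toy model of the session rules on this slide and the workflow rules on the previous one. A session is opened by initiating a workflow, a license is issued for the session from the tasks' authorization templates, an agent may join only if its logged-in user may run that workflow, and a compliant agent carries out tasks only in order and only with licensed actions. The `Facility`, `Session` and privilege store are assumptions of this example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Workflow:
    name: str
    tasks: tuple      # task names in the order they must be carried out
    templates: dict   # task -> actions its authorization template allows

@dataclass
class Session:
    workflow: Workflow
    license: dict     # task -> permitted actions, issued for this session
    agents: set = field(default_factory=set)   # DRM agents that have joined
    step: int = 0     # index of the next task to be carried out

class Facility:
    def __init__(self, privileges):
        self.privileges = privileges   # user -> workflow names the user may run
        self.sessions = {}             # session id -> Session
    def start_session(self, user, agent, wf):
        """Initiating a workflow starts a session and issues it a license.
        Returns the session id, or None if the user lacks the privilege."""
        if wf.name not in self.privileges.get(user, set()):
            return None
        sid = len(self.sessions) + 1
        license = {task: set(acts) for task, acts in wf.templates.items()}
        self.sessions[sid] = Session(wf, license, {agent})
        return sid
    def join(self, sid, user, agent):
        """An agent joins only if its logged-in user may run the workflow."""
        s = self.sessions.get(sid)
        if s is None or s.workflow.name not in self.privileges.get(user, set()):
            return False
        s.agents.add(agent)
        return True
    def perform(self, sid, agent, task, action):
        """Refuse unless the agent joined, the task is next in order, and the license permits the action."""
        s = self.sessions.get(sid)
        if s is None or agent not in s.agents:
            return False
        if s.step >= len(s.workflow.tasks) or s.workflow.tasks[s.step] != task:
            return False
        if action not in s.license.get(task, set()):
            return False
        s.step += 1
        return True

# Constructed sample workflow (task names modelled on the slide's figure).
TREATMENT = Workflow("Treatment", ("Check", "Examine", "Diagnose"),
                     {"Check": {"read"}, "Examine": {"read"}, "Diagnose": {"read", "write"}})
```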
14. Digital Rights Management for Healthcare
Approach
• Wholistic approach to security and privacy
• Policies
  – Privacy policies
    • Consent forms - users
  – Security policies
    • Authorization - organizational
  – Policies are written in machine readable form.
• Enforcement
  – Reference monitors to interpret policies
  – Enforcing privacy policies
    • Patients’ consent directives
Advantages
• Data stored in encrypted form
  – Protection against loss of disks, laptops bypassing security
  – Access according to stated policies
• Security for the lifetime of data
  – Data always remain encrypted
    • in a locked box
  – Access always through trusted agents
    • certain type in a given context
• Expressive languages to state requirements
  – Fine-grain access control
  – Security and privacy both
15. Fine-grained control
• Policy statements are of the form, “role nurse can read blood data for the purpose of surgery preparation, location terminal x12 in room#101”
  – Access Britney’s record
  – Alice as a ‘nurse’ → role
  – Can ‘read’ Bob’s test results → action
  – ‘purpose’ surgery prep → purpose of access
  – On a ‘terminal x12 in room #112’ → context
• Alice cannot,
  – print the record
  – email it to anyone
  – copy it
  – ..
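An added example, not code from the presentation or the project, covering the consent-plus-site-authorization interpretation on slide 11 and the attribute-based policy statements on this slide: a request is decomposed into role, action, data, patient, purpose and context, a decision is Permit only when both the patient's consent directive and a site authorization rule match, and a compliant agent refuses everything else (so print, email and copy are refused because no rule grants them). The `Request`/`Rule` shapes, the exact-match rule semantics and the combining rule are assumptions of this example, in the spirit of XACML rather than XACML itself.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    subject: str      # who is asking (e.g. "Alice")
    role: str         # role the subject acts in (e.g. "nurse")
    action: str       # "read", "print", "email", "copy", ...
    data: str         # kind of record data (e.g. "blood data")
    patient: str      # whose record is being accessed
    purpose: str      # purpose of access (e.g. "surgery preparation")
    location: str     # context (e.g. "terminal x12 in room#101")

@dataclass(frozen=True)
class Rule:
    """One site authorization statement; every attribute must match."""
    role: str
    action: str
    data: str
    purpose: str
    location: str

def site_permits(rules, req):
    return any((r.role, r.action, r.data, r.purpose, r.location) ==
               (req.role, req.action, req.data, req.purpose, req.location)
               for r in rules)

def consent_permits(consent, req):
    # consent: patient -> purposes the patient's consent directive allows
    return req.purpose in consent.get(req.patient, set())

def decide(rules, consent, req):
    """Deny by default; Permit only if the consent directive AND the site
    policy both allow the request (the combining rule is assumed here)."""
    allowed = consent_permits(consent, req) and site_permits(rules, req)
    return "Permit" if allowed else "Deny"

class CompliantAgent:
    """A trusted DRM agent: refuses every action the decision does not permit."""
    def __init__(self, rules, consent):
        self.rules, self.consent = rules, consent
    def perform(self, req):
        return decide(self.rules, self.consent, req) == "Permit"

# Constructed sample site policy and consent directives (not from the slides).
SITE_RULES = [Rule("nurse", "read", "blood data", "surgery preparation",
                   "terminal x12 in room#101")]
CONSENT = {"Bob": {"surgery preparation"}, "Britney": set()}
AGENT = CompliantAgent(SITE_RULES, CONSENT)
```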
16. Technology Demonstrator: Re-purposing patient data
Aim: Use patients’ data from Foothills Hospital for research purposes
• Multiple research projects,
  – Teams, members with different roles
  – New teams formed, old teams removed
• Identify patients potential candidates for each research study
  – Management and tracking of their records
• First stage: HiiTech Hepatology Knowledge base
• In future: other areas of medicine
• Security requirements
  – Patients’ private data
  – Patients’ consent directives
  – Controlling access based on
    • Need to know
  – Provide remote access
  – Link with other health data
17. Current System
• Patients’ records are stored in a MS SQL database
• MS SharePoint portal is used to access and manage the data
• Data can be downloaded by users in the form of MS InfoPath forms
• Security: everyone can see all data!
[Figure: current system: Browser ↔ SharePoint Web Services ↔ Data Server (raw data, health record); Identity Management Server handles log-in credentials]
18. The New Architecture
[Figure: new architecture: Browser ↔ SharePoint Web Services with a DRM Agent; Rights Management (IRM) Server with Protectors turns metadata + raw data into protected records and issues licenses; Consent records; Data Server (raw data); Identity Management Server (groups, credentials)]
19. Scaling up to federated systems
• Data-level Federation
  – Using a federated database
    • integrating the databases in two organizations
  – Secure link for data transfer
• Complete mutual trust between organizations
  – to enforce consent directives (and perhaps other local policies)
• Easy to implement
  – Use existing support for database federation in database engines
• Does not support cross-organizational research studies as applications are not connected
[Figure: Organization A and Organization B, each with Consent, Application and Data layers, federated at the data level]
20. Scaling up to federated systems
• Business-Level Federation
  – federation at application level
  – extending the application to enable forming cross-organizational research studies
• Implementation is much more difficult
  – MS IRM service federation, or a custom solution
• Requirements
  – federation of identity management
    • standard solutions (e.g. SAML, Active Directory)
  – rights management federation
• Design alternatives
  – DRM trusted domains: issuing a license for a main server allowing it to issue local licenses in its domain
  – Issuing a cross organizational license directly to the user in the other organization
[Figure: Organization A and Organization B, each with Rights Mgmnt Server, Consent, SharePoint Services, Data and Identity Mgmnt Server]
21. Future direction: Taking the project to the ‘Cloud’
• Scalable design
• Patient data stored in ‘cloud’
• Provincial, National,.. Global Access
• Access according to stated policies
  – Whose policy?
  – Trust relationships
  – Consent directives
  – Efficient enforcement?
• Data security: Whose responsibility?
  – Encrypted content
• Universality of the approach
  – Similar approach can be used for other types of data
  – The technology can be used for protection of any document
22. Project details
Participants
• iCIS Lab
  – Mohammad Jafari, Nicholas Sheppard, Michal Sramka
• HiiTeC
  – Chad Saunders, Hytham Khalil, Simon Liu
• Cybera
  – Patrick Mann, Jill Kowalchuk
• Other supports: MITACS, iCORE
Publications
• N. P. Sheppard, R. Safavi-Naini, M. Jafari, A Digital Rights Management Model for Healthcare, Proceedings of the IEEE POLICY’09, London, UK.
• N. P. Sheppard, R. Safavi-Naini, M. Jafari, A Secure Electronic Healthcare Record Infrastructure in the Digital Rights Management Model, Technical Report 2009-939-18, Department of Computer Science, University of Calgary, 2009.