eHealth ….. How to trust a cloud?
Enabling trust in distributed eHealth applications
Dr. Mario Drobics
Thematic Coordinator
Safety & Security Department
AIT Austrian Institute of Technology GmbH
mario.drobics@ait.ac.at
+43 50 550 4810
http://www.ait.ac.at/ehealth
Overview
1. Specifics of eHealth applications in the cloud
2. Enabling trust in distributed eHealth environments
3. IHE as a framework for enabling trust
4. Open issues & outlook
Distinctive Features of Distributed/Cloud Applications
• Not all tasks can be secured using cryptography (e.g. access control, decision-making)
• Additional interfaces and areas of attack (e.g. administration interfaces, virtual networks, account management)
• Legal restrictions when hosting medical data in foreign countries
• Legal construction of subcontractors not very transparent
• Security policies hard to audit
⇒ High level of trust in the provider necessary
Distinctive Features of eHealth Applications
• Processed data is very sensitive
• Highly personal data
• Potentially large number of affected persons
• High number of active users and (geographically) distributed nodes and sub-networks
• Specific use-cases (i.e. user might need to provide approval for data access)
• Need to access data in case of (personal & technical) emergency
⇒ Standard approaches are not directly applicable
Challenges for eHealth Applications
• Local nodes have highly varying security levels (clinics, surgeries, laboratories, etc.)
• Distribution of nodes hinders physical protection
⇒ Take-over of (privileged) nodes not preventable
Legal framework for eHealth Applications
• European Level
  • ENISA (Directive 2013/40/EU)
  • Patients' Rights in Cross-border Healthcare (Directive 2011/24/EU)
  • Protection of individuals with regard to the processing of personal data and on the free movement of such data (Directive 95/46/EC)
  • Protection of individuals with regard to the processing of personal data (Regulation (EC) No. 45/200)
  • etc.
• National Level
  • E.g. data privacy laws, EHR related laws, …
Reasons for establishing eHealth Services in the Cloud
• Scalability of the service
• Providing centralized data storage in the cloud
• Geo-redundancy is easier to establish
• Easier to operate and more cost-efficient
• Provide Software as a Service
• Homogeneous level of security
• Cost reduction due to centralized maintenance
Vulnerability to Attacks
Currently, only a few attacks with severe impact on systems or user data are known to the public
• No underlying business-model
• High degree of penalty if critical infrastructures are attacked
• Low acceptance of these attacks in the community
This might change …
• Social or military conflicts, terrorism
• Unspecific attacks on cloud services might also affect eHealth applications
• Increasing use of mobile devices and wireless communication
Ensuring Security By Design
• Compromise of nodes in large-scale networks is inevitable
• System design should limit effects of compromise
  • Via cryptography: prevent forgery of data by using appropriate algorithms and transactions (e.g. "bearer" vs. "holder-of-key" model)
  • Via system policies: limit the amount of data retrievable by an attacker, e.g. by limiting the access rights or the number of requests the attacker could perform
  • Via security systems: IDS (Intrusion Detection Systems) may detect anomalies from the outside, even when the attacker uses correct authentication
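The "bearer" vs. "holder-of-key" distinction on this slide, as an added example (not from the slides): a bearer assertion is accepted from whoever presents it, while a holder-of-key assertion additionally requires proof of a key bound to it, so a copy taken from a compromised node is not enough. The HMAC-based key binding, the key `IDP_RP_KEY` and all function names are assumptions chosen so the sketch runs on the Python standard library; deployments commonly bind a public key or certificate instead.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed demo key shared by a hypothetical identity provider and the
# relying party (e.g. a document registry). Never hard-code keys in real systems.
IDP_RP_KEY = b"constructed-demo-key-shared-by-idp-and-registry"


def _mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts (avoids ambiguous concatenation)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()


def issue_assertion(subject: str, role: str, confirmation: str):
    """Identity provider: return (assertion, holder_key).

    holder_key is None for a bearer assertion. For holder-of-key it is given to
    the legitimate client over a protected channel and never travels with the
    assertion itself.
    """
    body = json.dumps(
        {"id": secrets.token_hex(8), "sub": subject, "role": role, "cnf": confirmation},
        sort_keys=True,
    ).encode()
    assertion = {"body": body, "sig": _mac(IDP_RP_KEY, b"sig", body)}
    holder_key = _mac(IDP_RP_KEY, b"hok", body) if confirmation == "holder-of-key" else None
    return assertion, holder_key


def sign_request(holder_key: bytes, request: bytes, nonce: bytes) -> bytes:
    """Client: prove possession of the holder key for this request and nonce."""
    return _mac(holder_key, nonce, request)


def verify_request(assertion: dict, request: bytes, nonce: bytes,
                   proof: Optional[bytes]) -> bool:
    """Relying party: accept only a genuine assertion and, for holder-of-key,
    a proof made with the bound key over the nonce it issued for this request."""
    body = assertion["body"]
    if not hmac.compare_digest(assertion["sig"], _mac(IDP_RP_KEY, b"sig", body)):
        return False  # forged or modified assertion
    cnf = json.loads(body)["cnf"]
    if cnf == "bearer":
        return True  # possession of the assertion is all that is checked
    if cnf == "holder-of-key":
        if proof is None:
            return False
        expected = _mac(_mac(IDP_RP_KEY, b"hok", body), nonce, request)
        return hmac.compare_digest(proof, expected)
    return False  # unknown confirmation method: fail closed


def demo() -> dict:
    request = b"GET /documents?patient=constructed-0001"  # constructed sample
    results = {}

    bearer, _ = issue_assertion("dr.a", "physician", "bearer")
    results["bearer_legitimate"] = verify_request(bearer, request, secrets.token_bytes(16), None)
    # A copy of a bearer assertion is indistinguishable from the original.
    results["bearer_copied"] = verify_request(dict(bearer), request, secrets.token_bytes(16), None)

    hok, key = issue_assertion("dr.a", "physician", "holder-of-key")
    nonce = secrets.token_bytes(16)
    proof = sign_request(key, request, nonce)
    results["hok_legitimate"] = verify_request(hok, request, nonce, proof)
    # Copied assertion without the key: no valid proof can be produced.
    results["hok_copied_no_key"] = verify_request(hok, request, secrets.token_bytes(16), None)
    # A recorded proof does not match a fresh nonce from the relying party.
    results["hok_replayed_proof"] = verify_request(hok, request, secrets.token_bytes(16), proof)
    # Editing the role breaks the issuer's MAC in either model.
    forged = {"body": hok["body"].replace(b"physician", b"admin"), "sig": hok["sig"]}
    results["forged_role"] = verify_request(forged, request, nonce, proof)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```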
Enabling trust in (healthcare) networks
• Authentication of users (role-based access)
• Authentication of nodes
• Authentication of transactions
[Figure: authentication methods by costs and security demand. Levels: Low, Medium, High, Very High. Use cases: Access to summary of clinical research; Access to Local EHR; Verification of Data Transcription; Remote Clinical Entry. Methods: PIN/User-ID; Username - Password; Kerberos; Knowledge-Based; PKI/Digital Signature; Multi-Factor Token.]
Security Concepts for Cloud Services
• Encrypted data transfer
  + Easy to set up
  + High transaction security
  - Intrusion into data storage critical
• Separate (virtual) networks
  + Fraud detection on network level easy to set up
  + Requires similar level of trust throughout the network
• Encrypted data transfer & storage
  + High security
  + Full access control to data
  + Supports distributed storage
  - Access to emergency data difficult
Security Concepts for Cloud Services
Encrypted data transfer & storage
• Data is de- / encrypted at the client
• High level of control can be established (e.g. access only with personal eCard)
• Homomorphic encryption supports limited computations on encrypted data
• Enables "need-to-know" principle
IHE – Integrating the Healthcare Enterprise
• Non-profit organization aiming to improve interoperability
• Provides interoperability profiles based on use-cases
• Defines how established standards (e.g. HL7, DICOM) should be applied to these use-cases
• IHE specifies
  • How to enable interoperability
  • How to protect that interoperability mechanism from security risks
  • NO security policies
IHE Profiles mapped to Security & Privacy Controls
Columns: IHE Profile | Profile Issued | Security & Privacy Controls: Audit Log | Identification and Authentication | Data Access Control | Secrecy | Data Integrity | Non-Repudiation | Patient Privacy
Audit Trails and Node Authentication 2004 √ √ √ √ √ √ √
Consistent Time 2003 √ ∙ √
Enterprise User Authentication 2003 √ ∙ ∙ ∙
Cross-Enterprise User Assertion 2006 √ ∙ ∙ ∙
Basic Patient Privacy Consents 2006 ∙ √
Personnel White Pages 2004 √ √ ∙
Healthcare Provider Directory 2010 √ ∙ ∙
Document Digital Signature 2005 √ √ √
Document Encryption 2011 √ √ ∙
IHE Summary
• IHE does not support "encryption on storage", i.e. encrypted cloud storage has to be set up "outside" of IHE
• IHE design not optimized for cloud infrastructures (e.g. need-to-know principle not considered)
• Limitations in trans-organizational / -national infrastructures
⇒ Separate solutions necessary to guarantee security if not all nodes are perfectly trustworthy
Outlook
• Cloud services need to adapt to eHealth requirements
• Establish relationship of trust between health care and cloud service provider
  • Ensure privacy and confidentiality of hosted data
  • Transparent handling of data and policies
  • Ensure long-term availability & security of the data
• Support eHealth standards
• Conform to (inter-)national laws

More Related Content

What's hot

In data security
In data securityIn data security
In data security
adithdev
 
HIPAA
HIPAAHIPAA
Security services
Security servicesSecurity services
Security services
Gayan Geethanjana
 
Cyber physical system for healthcare
Cyber physical system for healthcareCyber physical system for healthcare
Cyber physical system for healthcare
JUGAL GANDHI
 
Aspects of data security
Aspects of data securityAspects of data security
Aspects of data security
SaranSwathi1
 
Hipaa auditing in cloud computing enviroment
Hipaa auditing in cloud computing enviromentHipaa auditing in cloud computing enviroment
Hipaa auditing in cloud computing enviroment
Parshant Tyagi
 
Edge pereira oss304 tech ed australia regulatory compliance and microsoft off...
Edge pereira oss304 tech ed australia regulatory compliance and microsoft off...Edge pereira oss304 tech ed australia regulatory compliance and microsoft off...
Edge pereira oss304 tech ed australia regulatory compliance and microsoft off...
Edge Pereira
 
Web Werks Data Center Achieves HIPAA Compliance Certification
Web Werks Data Center Achieves HIPAA Compliance CertificationWeb Werks Data Center Achieves HIPAA Compliance Certification
Web Werks Data Center Achieves HIPAA Compliance Certification
Web Werks Data Centers
 
Security Architecture
Security ArchitectureSecurity Architecture
Security Architecture
Joben Domingo
 
Encryption Solutions for Healthcare
Encryption Solutions for HealthcareEncryption Solutions for Healthcare
Encryption Solutions for Healthcare
Steve Dunn
 
Our Software
Our SoftwareOur Software
Our Software
Assurance Screening
 
Best Practices for implementing Database Security Comprehensive Database Secu...
Best Practices for implementing Database Security Comprehensive Database Secu...Best Practices for implementing Database Security Comprehensive Database Secu...
Best Practices for implementing Database Security Comprehensive Database Secu...
Kal BO
 
Carestream white paper_cloud-security 2016
Carestream white paper_cloud-security 2016Carestream white paper_cloud-security 2016
Carestream white paper_cloud-security 2016
Carestream
 
Database Security Management
Database Security Management Database Security Management
Database Security Management
Ahsin Yousaf
 
Information security
Information security Information security
Information security
razendar79
 
Compliance regulations with Data Centric Security | Seclore
Compliance regulations with Data Centric Security | SecloreCompliance regulations with Data Centric Security | Seclore
Compliance regulations with Data Centric Security | Seclore
Seclore
 
Cloud computing 10 cloud security advantages and challenges
Cloud computing 10 cloud security advantages and challengesCloud computing 10 cloud security advantages and challenges
Cloud computing 10 cloud security advantages and challenges
Vaibhav Khanna
 

What's hot (17)

In data security
In data securityIn data security
In data security
 
HIPAA
HIPAAHIPAA
HIPAA
 
Security services
Security servicesSecurity services
Security services
 
Cyber physical system for healthcare
Cyber physical system for healthcareCyber physical system for healthcare
Cyber physical system for healthcare
 
Aspects of data security
Aspects of data securityAspects of data security
Aspects of data security
 
Hipaa auditing in cloud computing enviroment
Hipaa auditing in cloud computing enviromentHipaa auditing in cloud computing enviroment
Hipaa auditing in cloud computing enviroment
 
Edge pereira oss304 tech ed australia regulatory compliance and microsoft off...
Edge pereira oss304 tech ed australia regulatory compliance and microsoft off...Edge pereira oss304 tech ed australia regulatory compliance and microsoft off...
Edge pereira oss304 tech ed australia regulatory compliance and microsoft off...
 
Web Werks Data Center Achieves HIPAA Compliance Certification
Web Werks Data Center Achieves HIPAA Compliance CertificationWeb Werks Data Center Achieves HIPAA Compliance Certification
Web Werks Data Center Achieves HIPAA Compliance Certification
 
Security Architecture
Security ArchitectureSecurity Architecture
Security Architecture
 
Encryption Solutions for Healthcare
Encryption Solutions for HealthcareEncryption Solutions for Healthcare
Encryption Solutions for Healthcare
 
Our Software
Our SoftwareOur Software
Our Software
 
Best Practices for implementing Database Security Comprehensive Database Secu...
Best Practices for implementing Database Security Comprehensive Database Secu...Best Practices for implementing Database Security Comprehensive Database Secu...
Best Practices for implementing Database Security Comprehensive Database Secu...
 
Carestream white paper_cloud-security 2016
Carestream white paper_cloud-security 2016Carestream white paper_cloud-security 2016
Carestream white paper_cloud-security 2016
 
Database Security Management
Database Security Management Database Security Management
Database Security Management
 
Information security
Information security Information security
Information security
 
Compliance regulations with Data Centric Security | Seclore
Compliance regulations with Data Centric Security | SecloreCompliance regulations with Data Centric Security | Seclore
Compliance regulations with Data Centric Security | Seclore
 
Cloud computing 10 cloud security advantages and challenges
Cloud computing 10 cloud security advantages and challengesCloud computing 10 cloud security advantages and challenges
Cloud computing 10 cloud security advantages and challenges
 

Viewers also liked

Literate environment analysis ppt
Literate environment analysis pptLiterate environment analysis ppt
Literate environment analysis ppt
lanier2014
 
WHY COMPANIES INVEST IN GRIEVANCE MECHANISMS AND MANAGING COMPLAINTS?
WHY COMPANIES INVEST IN GRIEVANCE MECHANISMS AND MANAGING COMPLAINTS?WHY COMPANIES INVEST IN GRIEVANCE MECHANISMS AND MANAGING COMPLAINTS?
WHY COMPANIES INVEST IN GRIEVANCE MECHANISMS AND MANAGING COMPLAINTS?
Ethical Sector
 
âN tình sâu nặng đỗ quyên
âN tình sâu nặng   đỗ quyênâN tình sâu nặng   đỗ quyên
âN tình sâu nặng đỗ quyênstruyen68
 
Qr codes for real estate
Qr codes for real estateQr codes for real estate
Qr codes for real estate
Qrdigitalsolutions
 
Pre-production paperwork
Pre-production paperworkPre-production paperwork
Pre-production paperwork
CWalker95
 
Creative Toolbox Portfolio 2014
Creative Toolbox Portfolio 2014Creative Toolbox Portfolio 2014
Creative Toolbox Portfolio 2014
CreativeToolbox
 
The Myanmar Experience Presentation
The Myanmar Experience PresentationThe Myanmar Experience Presentation
The Myanmar Experience Presentation
Ethical Sector
 
Promoción 2013 ara !
Promoción 2013 ara !Promoción 2013 ara !
Promoción 2013 ara !
AraBedano
 
Evaluation- Question 3
Evaluation- Question 3Evaluation- Question 3
Evaluation- Question 3
Tillypeasnell
 
Nour tlijani
Nour tlijaniNour tlijani
Nour tlijani
nourtlijani
 
EvoMouse
EvoMouseEvoMouse
EvoMouse
krunal5400
 
L chatmon a2keynote
L chatmon a2keynoteL chatmon a2keynote
L chatmon a2keynote
LoLa FavDrinks
 
Pearson Acclaim Assembled Ed Presentation
Pearson Acclaim Assembled Ed PresentationPearson Acclaim Assembled Ed Presentation
Pearson Acclaim Assembled Ed Presentation
GeneralAssembly_DC
 
Fashion and self perception
Fashion and self perceptionFashion and self perception
Fashion and self perception
Nikki Vergakes
 
Sample Slideshare
Sample SlideshareSample Slideshare
Sample Slideshare
Ms. Mara
 
Okino.ua 2016
Okino.ua 2016Okino.ua 2016
Okino.ua 2016
MAGNET Media Holding
 

Viewers also liked (17)

Literate environment analysis ppt
Literate environment analysis pptLiterate environment analysis ppt
Literate environment analysis ppt
 
WHY COMPANIES INVEST IN GRIEVANCE MECHANISMS AND MANAGING COMPLAINTS?
WHY COMPANIES INVEST IN GRIEVANCE MECHANISMS AND MANAGING COMPLAINTS?WHY COMPANIES INVEST IN GRIEVANCE MECHANISMS AND MANAGING COMPLAINTS?
WHY COMPANIES INVEST IN GRIEVANCE MECHANISMS AND MANAGING COMPLAINTS?
 
âN tình sâu nặng đỗ quyên
âN tình sâu nặng   đỗ quyênâN tình sâu nặng   đỗ quyên
âN tình sâu nặng đỗ quyên
 
Qr codes for real estate
Qr codes for real estateQr codes for real estate
Qr codes for real estate
 
Pre-production paperwork
Pre-production paperworkPre-production paperwork
Pre-production paperwork
 
Creative Toolbox Portfolio 2014
Creative Toolbox Portfolio 2014Creative Toolbox Portfolio 2014
Creative Toolbox Portfolio 2014
 
The Myanmar Experience Presentation
The Myanmar Experience PresentationThe Myanmar Experience Presentation
The Myanmar Experience Presentation
 
Promoción 2013 ara !
Promoción 2013 ara !Promoción 2013 ara !
Promoción 2013 ara !
 
Evaluation- Question 3
Evaluation- Question 3Evaluation- Question 3
Evaluation- Question 3
 
Nour tlijani
Nour tlijaniNour tlijani
Nour tlijani
 
EvoMouse
EvoMouseEvoMouse
EvoMouse
 
L chatmon a2keynote
L chatmon a2keynoteL chatmon a2keynote
L chatmon a2keynote
 
Pearson Acclaim Assembled Ed Presentation
Pearson Acclaim Assembled Ed PresentationPearson Acclaim Assembled Ed Presentation
Pearson Acclaim Assembled Ed Presentation
 
Cct gev
Cct gevCct gev
Cct gev
 
Fashion and self perception
Fashion and self perceptionFashion and self perception
Fashion and self perception
 
Sample Slideshare
Sample SlideshareSample Slideshare
Sample Slideshare
 
Okino.ua 2016
Okino.ua 2016Okino.ua 2016
Okino.ua 2016
 

Similar to eHealth ….. How to trust a cloud?

Target Unncryption Case Study
Target Unncryption Case StudyTarget Unncryption Case Study
Target Unncryption Case Study
Evelyn Donaldson
 
Cloud computing security issues and challenges
Cloud computing security issues and challengesCloud computing security issues and challenges
Cloud computing security issues and challenges
Kresimir Popovic
 
Network security
Network securityNetwork security
Network security
Ravikumar Natarajan
 
Security policy case study
Security policy case studySecurity policy case study
Security policy case study
ashu6
 
Discuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docxDiscuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docx
cuddietheresa
 
Discuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docxDiscuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docx
salmonpybus
 
Apani Ov V9
Apani Ov V9Apani Ov V9
Apani Ov V9
ScottBreadmore
 
Information Technology Security Is Vital For The Success...
Information Technology Security Is Vital For The Success...Information Technology Security Is Vital For The Success...
Information Technology Security Is Vital For The Success...
Brianna Johnson
 
Information security: importance of having defined policy & process
Information security: importance of having defined policy & processInformation security: importance of having defined policy & process
Information security: importance of having defined policy & process
Information Technology Society Nepal
 
Information Systems.pptx
Information Systems.pptxInformation Systems.pptx
Information Systems.pptx
KnownId
 
Cross border - off-shoring and outsourcing privacy sensitive data
Cross border - off-shoring and outsourcing privacy sensitive dataCross border - off-shoring and outsourcing privacy sensitive data
Cross border - off-shoring and outsourcing privacy sensitive data
Ulf Mattsson
 
Network security by sandhya
Network security by sandhyaNetwork security by sandhya
Network security by sandhya
sandeepsandy75
 
Cloud Security
Cloud Security Cloud Security
Cloud Security
Carestream
 
Data security
Data securityData security
Data security
AbdulBasit938
 
CYBER SECURITY WHAT IS IT AND WHAT YOU NEED TO KNOW.pdf
CYBER SECURITY WHAT IS IT AND WHAT YOU NEED TO KNOW.pdfCYBER SECURITY WHAT IS IT AND WHAT YOU NEED TO KNOW.pdf
CYBER SECURITY WHAT IS IT AND WHAT YOU NEED TO KNOW.pdf
Jenna Murray
 
Access Control For Local Area Network Performance Essay
Access Control For Local Area Network Performance EssayAccess Control For Local Area Network Performance Essay
Access Control For Local Area Network Performance Essay
Dotha Keller
 
connected Medical devices IoT Cybersecurity reference architecture Telemedicine
connected Medical devices IoT Cybersecurity reference architecture Telemedicineconnected Medical devices IoT Cybersecurity reference architecture Telemedicine
connected Medical devices IoT Cybersecurity reference architecture Telemedicine
Alessandro Sappia
 
Seguridad web -articulo completo- ingles
Seguridad web -articulo completo- inglesSeguridad web -articulo completo- ingles
Seguridad web -articulo completo- ingles
isidro luna beltran
 
security of information systems
 security of information systems security of information systems
security of information systems
♥♛❁Sukla♥❀njoyng Breath♥
 
I want you to Read intensively papers and give me a summary for ever.pdf
I want you to Read intensively papers and give me a summary for ever.pdfI want you to Read intensively papers and give me a summary for ever.pdf
I want you to Read intensively papers and give me a summary for ever.pdf
amitkhanna2070
 

Similar to eHealth ….. How to trust a cloud? (20)

Target Unncryption Case Study
Target Unncryption Case StudyTarget Unncryption Case Study
Target Unncryption Case Study
 
Cloud computing security issues and challenges
Cloud computing security issues and challengesCloud computing security issues and challenges
Cloud computing security issues and challenges
 
Network security
Network securityNetwork security
Network security
 
Security policy case study
Security policy case studySecurity policy case study
Security policy case study
 
Discuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docxDiscuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docx
 
Discuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docxDiscuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docx
 
Apani Ov V9
Apani Ov V9Apani Ov V9
Apani Ov V9
 
Information Technology Security Is Vital For The Success...
Information Technology Security Is Vital For The Success...Information Technology Security Is Vital For The Success...
Information Technology Security Is Vital For The Success...
 
Information security: importance of having defined policy & process
Information security: importance of having defined policy & processInformation security: importance of having defined policy & process
Information security: importance of having defined policy & process
 
Information Systems.pptx
Information Systems.pptxInformation Systems.pptx
Information Systems.pptx
 
Cross border - off-shoring and outsourcing privacy sensitive data
Cross border - off-shoring and outsourcing privacy sensitive dataCross border - off-shoring and outsourcing privacy sensitive data
Cross border - off-shoring and outsourcing privacy sensitive data
 
Network security by sandhya
Network security by sandhyaNetwork security by sandhya
Network security by sandhya
 
Cloud Security
Cloud Security Cloud Security
Cloud Security
 
Data security
Data securityData security
Data security
 
CYBER SECURITY WHAT IS IT AND WHAT YOU NEED TO KNOW.pdf
CYBER SECURITY WHAT IS IT AND WHAT YOU NEED TO KNOW.pdfCYBER SECURITY WHAT IS IT AND WHAT YOU NEED TO KNOW.pdf
CYBER SECURITY WHAT IS IT AND WHAT YOU NEED TO KNOW.pdf
 
Access Control For Local Area Network Performance Essay
Access Control For Local Area Network Performance EssayAccess Control For Local Area Network Performance Essay
Access Control For Local Area Network Performance Essay
 
connected Medical devices IoT Cybersecurity reference architecture Telemedicine
connected Medical devices IoT Cybersecurity reference architecture Telemedicineconnected Medical devices IoT Cybersecurity reference architecture Telemedicine
connected Medical devices IoT Cybersecurity reference architecture Telemedicine
 
Seguridad web -articulo completo- ingles
Seguridad web -articulo completo- inglesSeguridad web -articulo completo- ingles
Seguridad web -articulo completo- ingles
 
security of information systems
 security of information systems security of information systems
security of information systems
 
I want you to Read intensively papers and give me a summary for ever.pdf
I want you to Read intensively papers and give me a summary for ever.pdfI want you to Read intensively papers and give me a summary for ever.pdf
I want you to Read intensively papers and give me a summary for ever.pdf
 

Recently uploaded

About CentiUP - Introduction and Products.pdf
About CentiUP - Introduction and Products.pdfAbout CentiUP - Introduction and Products.pdf
About CentiUP - Introduction and Products.pdf
CentiUP
 
HEALTH ASSESSMENT IN NURSING USING THE NURSING PROCESSpptx
HEALTH ASSESSMENT IN NURSING USING THE NURSING PROCESSpptxHEALTH ASSESSMENT IN NURSING USING THE NURSING PROCESSpptx
HEALTH ASSESSMENT IN NURSING USING THE NURSING PROCESSpptx
Rommel Luis III Israel
 
PPT on Embryological and fetal development
PPT on Embryological and fetal developmentPPT on Embryological and fetal development
PPT on Embryological and fetal development
smileysharma63
 
CSE presentation 050804-nikhil tandon.ppt
CSE presentation 050804-nikhil tandon.pptCSE presentation 050804-nikhil tandon.ppt
CSE presentation 050804-nikhil tandon.ppt
vattakandyrahoof8
 
Columbia毕业证书退学办理
Columbia毕业证书退学办理Columbia毕业证书退学办理
Columbia毕业证书退学办理
ozcot
 
Nursing management of the patient with Tonsillitis PPT
Nursing management of the patient with Tonsillitis PPTNursing management of the patient with Tonsillitis PPT
Nursing management of the patient with Tonsillitis PPT
blessyjannu21
 
05 CLINICAL AUDIT-ORTHO done at a peripheral.pptx
05 CLINICAL AUDIT-ORTHO done at a peripheral.pptx05 CLINICAL AUDIT-ORTHO done at a peripheral.pptx
05 CLINICAL AUDIT-ORTHO done at a peripheral.pptx
Santhosh Raj
 
Faridkot ℂ𝕒𝕝𝕝 𝔾𝕚𝕣𝕝𝕤 7742996321 ℂ𝕒𝕝𝕝 𝔾𝕚𝕣𝕝𝕤 Faridkot
Faridkot ℂ𝕒𝕝𝕝 𝔾𝕚𝕣𝕝𝕤 7742996321 ℂ𝕒𝕝𝕝 𝔾𝕚𝕣𝕝𝕤 FaridkotFaridkot ℂ𝕒𝕝𝕝 𝔾𝕚𝕣𝕝𝕤 7742996321 ℂ𝕒𝕝𝕝 𝔾𝕚𝕣𝕝𝕤 Faridkot
Faridkot ℂ𝕒𝕝𝕝 𝔾𝕚𝕣𝕝𝕤 7742996321 ℂ𝕒𝕝𝕝 𝔾𝕚𝕣𝕝𝕤 Faridkot
varun0kumar00
 
Cyclothymia Test: Diagnosing, Symptoms, Treatment, and Impact | The Lifescien...
Cyclothymia Test: Diagnosing, Symptoms, Treatment, and Impact | The Lifescien...Cyclothymia Test: Diagnosing, Symptoms, Treatment, and Impact | The Lifescien...
Cyclothymia Test: Diagnosing, Symptoms, Treatment, and Impact | The Lifescien...
The Lifesciences Magazine
 
ASSESSMENT OF THE SKIN, HAIR, AND NAILS.pptx
ASSESSMENT OF THE SKIN, HAIR, AND NAILS.pptxASSESSMENT OF THE SKIN, HAIR, AND NAILS.pptx
ASSESSMENT OF THE SKIN, HAIR, AND NAILS.pptx
Rommel Luis III Israel
 
Types of Cancer Treatments | Forms of cancer treatment
Types of Cancer Treatments | Forms of cancer treatmentTypes of Cancer Treatments | Forms of cancer treatment
Types of Cancer Treatments | Forms of cancer treatment
RioGrandeCancerSpeci
 
The Ultimate Guide in Setting Up Market Research System in Health-Tech
The Ultimate Guide in Setting Up Market Research System in Health-TechThe Ultimate Guide in Setting Up Market Research System in Health-Tech
The Ultimate Guide in Setting Up Market Research System in Health-Tech
Gokul Rangarajan
 
2024 Media Preferences of Older Adults: Consumer Survey and Marketing Implica...
2024 Media Preferences of Older Adults: Consumer Survey and Marketing Implica...2024 Media Preferences of Older Adults: Consumer Survey and Marketing Implica...
2024 Media Preferences of Older Adults: Consumer Survey and Marketing Implica...
Media Logic
 
Mohali Call Girls 7742996321 Call Girls Mohali
Mohali Call Girls  7742996321 Call Girls  MohaliMohali Call Girls  7742996321 Call Girls  Mohali
Mohali Call Girls 7742996321 Call Girls Mohali
Digital Marketing
 
Call Girls Kolkata 8824825030 Top Class Kolkata Escorts Available
Call Girls Kolkata 8824825030 Top Class Kolkata Escorts AvailableCall Girls Kolkata 8824825030 Top Class Kolkata Escorts Available
Call Girls Kolkata 8824825030 Top Class Kolkata Escorts Available
kmiss 1062#v08
 
EXAMINATION OF HUMAN URINE AND FAECES.pdf
EXAMINATION OF HUMAN URINE AND FAECES.pdfEXAMINATION OF HUMAN URINE AND FAECES.pdf
EXAMINATION OF HUMAN URINE AND FAECES.pdf
Madhusmita Sahoo
 
Digital Health in India_Health Informatics Trained Manpower _DrDevTaneja_15.0...
Digital Health in India_Health Informatics Trained Manpower _DrDevTaneja_15.0...Digital Health in India_Health Informatics Trained Manpower _DrDevTaneja_15.0...
Digital Health in India_Health Informatics Trained Manpower _DrDevTaneja_15.0...
DrDevTaneja1
 
Health Tech Market Intelligence Prelim Questions -
Health Tech Market Intelligence Prelim Questions -Health Tech Market Intelligence Prelim Questions -
Health Tech Market Intelligence Prelim Questions -
Gokul Rangarajan
 
Luxury Massage Experience at Affordable Rate - Malayali Kerala Spa Ajman
Luxury Massage Experience at Affordable Rate - Malayali Kerala Spa AjmanLuxury Massage Experience at Affordable Rate - Malayali Kerala Spa Ajman
Luxury Massage Experience at Affordable Rate - Malayali Kerala Spa Ajman
Malayali Kerala Spa Ajman
 
Hyderabad Call Girls 7023059433 High Profile Escorts Service Hyderabad
Hyderabad Call Girls 7023059433 High Profile Escorts Service HyderabadHyderabad Call Girls 7023059433 High Profile Escorts Service Hyderabad
Hyderabad Call Girls 7023059433 High Profile Escorts Service Hyderabad
garge6804
 

Recently uploaded (20)

About CentiUP - Introduction and Products.pdf
About CentiUP - Introduction and Products.pdfAbout CentiUP - Introduction and Products.pdf
About CentiUP - Introduction and Products.pdf
 
HEALTH ASSESSMENT IN NURSING USING THE NURSING PROCESSpptx
HEALTH ASSESSMENT IN NURSING USING THE NURSING PROCESSpptxHEALTH ASSESSMENT IN NURSING USING THE NURSING PROCESSpptx
HEALTH ASSESSMENT IN NURSING USING THE NURSING PROCESSpptx
 
PPT on Embryological and fetal development
PPT on Embryological and fetal developmentPPT on Embryological and fetal development
PPT on Embryological and fetal development
 
CSE presentation 050804-nikhil tandon.ppt
CSE presentation 050804-nikhil tandon.pptCSE presentation 050804-nikhil tandon.ppt
CSE presentation 050804-nikhil tandon.ppt
 
Columbia毕业证书退学办理
Columbia毕业证书退学办理Columbia毕业证书退学办理
Columbia毕业证书退学办理
 
Nursing management of the patient with Tonsillitis PPT
Nursing management of the patient with Tonsillitis PPTNursing management of the patient with Tonsillitis PPT
Nursing management of the patient with Tonsillitis PPT
 
05 CLINICAL AUDIT-ORTHO done at a peripheral.pptx
05 CLINICAL AUDIT-ORTHO done at a peripheral.pptx05 CLINICAL AUDIT-ORTHO done at a peripheral.pptx
05 CLINICAL AUDIT-ORTHO done at a peripheral.pptx
 
Faridkot ℂ𝕒𝕝𝕝 𝔾𝕚𝕣𝕝𝕤 7742996321 ℂ𝕒𝕝𝕝 𝔾𝕚𝕣𝕝𝕤 Faridkot
Faridkot ℂ𝕒𝕝𝕝 𝔾𝕚𝕣𝕝𝕤 7742996321 ℂ𝕒𝕝𝕝 𝔾𝕚𝕣𝕝𝕤 FaridkotFaridkot ℂ𝕒𝕝𝕝 𝔾𝕚𝕣𝕝𝕤 7742996321 ℂ𝕒𝕝𝕝 𝔾𝕚𝕣𝕝𝕤 Faridkot
Faridkot ℂ𝕒𝕝𝕝 𝔾𝕚𝕣𝕝𝕤 7742996321 ℂ𝕒𝕝𝕝 𝔾𝕚𝕣𝕝𝕤 Faridkot
 
Cyclothymia Test: Diagnosing, Symptoms, Treatment, and Impact | The Lifescien...
Cyclothymia Test: Diagnosing, Symptoms, Treatment, and Impact | The Lifescien...Cyclothymia Test: Diagnosing, Symptoms, Treatment, and Impact | The Lifescien...
eHealth ….. How to trust a cloud?

  • 1. eHealth ….. How to trust a cloud? Enabling trust in distributed eHealth applications Dr. Mario Drobics Thematic Coordinator Safety & Security Department AIT Austrian Institute of Technology GmbH mario.drobics@ait.ac.at +43 50 550 4810 http://www.ait.ac.at/ehealth
  • 2. Overview
      1. Specifics of eHealth applications in the cloud
      2. Enabling trust in distributed eHealth environments
      3. IHE as a framework for enabling trust
      4. Open issues & outlook
  • 3. Distinctive Feature of Distributed/Cloud Applications
      • Not all tasks can be secured using cryptography (e.g. access control, decision-making)
      • Additional interfaces and areas of attack (e.g. administration interfaces, virtual networks, account management)
      • Legal restrictions when hosting medical data in foreign countries
      • Legal construction of subcontractors not very transparent
      • Security policies hard to audit
      ⇒ High level of trust in the provider necessary
  • 4. Distinctive Features of eHealth Application
      • Processed data is very sensitive
      • Highly personal data
      • Potentially large number of affected persons
      • High number of active users and (geographically) distributed nodes and sub-networks
      • Specific use-cases (i.e. user might need to provide approval for data access)
      • Need to access data in case of (personal & technical) emergency
      ⇒ Standard approaches are not directly applicable
  • 5. Challenges for eHealth Applications
      • Local nodes have highly varying security levels (clinics, surgeries, laboratories, etc.)
      • Distribution of nodes hinders physical protection
      ⇒ Take-over of (privileged) nodes not preventable
  • 6. Legal framework for eHealth Applications
      • European Level
          • ENISA (Directive 2013/40/EU)
          • Patients' Rights in Cross-border Healthcare (Directive 2011/24/EU)
          • Protection of individuals with regard to the processing of personal data and on the free movement of such data (Directive 95/46/EC)
          • Protection of individuals with regard to the processing of personal data (Regulation (EC) No. 45/200)
          • etc.
      • National Level
          • E.g. data privacy laws, EHR related laws, …
  • 7. Reasons for establishing eHealth Services in the Cloud
      • Scalability of the service
      • Providing centralized data storage in the cloud
      • Geo-redundancy is easier to establish
      • Easier to operate and more cost-efficient
      • Provide Software as a Service
      • Homogeneous level of security
      • Cost reduction due to centralized maintenance
  • 8. Vulnerability to Attacks
      Currently, only a few attacks with severe impact on system or user data are known to the public
      • No underlying business model
      • High degree of penalty if critical infrastructures are attacked
      • Low acceptance of these attacks in the community
      This might change …
      • Social or military conflicts, terrorism
      • Unspecific attacks on cloud services might also affect eHealth applications
      • Increasing use of mobile devices and wireless communication
  • 9. Ensuring Security By Design
      • Compromise of nodes in large-scale networks is inevitable
      • System design should limit effects of compromise
          • Via cryptography: prevent forgery of data by using appropriate algorithms and transactions (e.g. "bearer" vs "holder-of-key" model)
          • Via system policies: limit the amount of data retrievable by an attacker, e.g. by limiting the access rights or the number of requests the attacker could perform
          • Via security systems: IDS (Intrusion Detection Systems) may detect anomalies from the outside, even when the attacker uses correct authentication
  • 10. Enabling trust in (healthcare) networks
      • Authentication of users (role-based access)
      • Authentication of nodes
      • Authentication of transactions
      [Figure: authentication mechanisms plotted by "Costs" against "Security Demand" (Low, Medium, High, Very High). Use cases shown: Access to summary of clinical research; Access to Local EHR; Verification of Data Transcription; Remote Clinical Entry. Mechanisms shown: PIN/User-ID; Username - Password; Kerberos; Knowledge-Based; PKI/Digital Signature; Multi-Factor Token.]
  • 11. Security Concepts for Cloud Services
      • Encrypted data transfer
          + Easy to set up
          + High transaction security
          - Intrusion into data storage critical
      • Separate (virtual) networks
          + Fraud detection on network level easy to set up
          + Requires similar level of trust throughout the network
      • Encrypted data transfer & storage
          + High security
          + Full access control to data
          + Supports distributed storage
          - Access to emergency data difficult
  • 12. Security Concepts for Cloud Services: Encrypted data transfer & storage
      • Data is de-/encrypted at the client
      • High level of control can be established (e.g. access only with personal eCard)
      • Homomorphic encryption supports limited computations on encrypted data
      • Enables "need-to-know" principle
  • 13. IHE – Integrating the Healthcare Enterprise
      • Non-profit organization aiming to improve interoperability
      • Provides interoperability profiles based on use cases
      • Defines how established standards (e.g. HL7, DICOM) should be applied to these use cases
      • IHE specifies
          • How to enable interoperability
          • How to protect that interoperability mechanism from security risks
          • NO security policies
  • 14. IHE Profiles mapped to Security & Privacy Controls
      Security & Privacy Controls (table columns): Audit Log; Identification and Authentication; Data Access Control; Secrecy; Data Integrity; Non-Repudiation; Patient Privacy
      IHE Profile (Profile Issued): marks
      • Audit Trails and Node Authentication (2004): √ √ √ √ √ √ √
      • Consistent Time (2003): √ ∙ √
      • Enterprise User Authentication (2003): √ ∙ ∙ ∙
      • Cross-Enterprise User Assertion (2006): √ ∙ ∙ ∙
      • Basic Patient Privacy Consents (2006): ∙ √
      • Personnel White Pages (2004): √ √ ∙
      • Healthcare Provider Directory (2010): √ ∙ ∙
      • Document Digital Signature (2005): √ √ √
      • Document Encryption (2011): √ √ ∙
  • 15. IHE Summary
      • IHE does not support "encryption on storage", i.e. encrypted cloud storage has to be set up "outside" of IHE
      • IHE design not optimized for cloud infrastructures (e.g. need-to-know principle not considered)
      • Limitations in trans-organizational / -national infrastructures
      ⇒ Separate solutions necessary to guarantee security if not all nodes are perfectly trustworthy
  • 16. Outlook
      • Cloud services need to adapt to eHealth requirements
      • Establish relationship of trust between health care and cloud service provider
          • Ensure privacy and confidentiality of hosted data
          • Transparent handling of data and policies
          • Ensure long-term availability & security of the data
      • Support eHealth standards
      • Conform to (inter-)national laws
  • 17. Your Ingenious Partner! Dr. Mario Drobics Thematic Coordinator Safety & Security Department AIT Austrian Institute of Technology GmbH mario.drobics@ait.ac.at +43 50 550 4810 http://www.ait.ac.at/ehealth
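
The "bearer" vs "holder-of-key" distinction from slide 9, as an added example that is not part of the original slides: an assertion copied from a compromised node is accepted when it is a bearer assertion, but not when the relying party also requires proof of a key bound to it. The symmetric HMAC-derived proof key, ISSUER_KEY, the function names and the sample request are assumptions made for illustration; deployed holder-of-key assertions normally bind the client's public key instead.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key shared by the assertion issuer and the relying party.
ISSUER_KEY = secrets.token_bytes(32)


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def issue_assertion(user: str, role: str, holder_of_key: bool):
    """Issuer: return (assertion, proof_key); proof_key is None for bearer."""
    claims = {"id": secrets.token_hex(8), "user": user, "role": role,
              "confirmation": "holder-of-key" if holder_of_key else "bearer"}
    body = json.dumps(claims, sort_keys=True).encode()
    assertion = {"body": body, "sig": _mac(ISSUER_KEY, b"assert|" + body)}
    # Per-assertion proof key, handed only to the legitimate client.
    proof_key = _mac(ISSUER_KEY, b"proof|" + body) if holder_of_key else None
    return assertion, proof_key


def sign_request(proof_key: bytes, request: bytes) -> bytes:
    """Client: prove possession of the key bound to the assertion."""
    return _mac(proof_key, request)


def accept(assertion: dict, request: bytes, proof=None) -> bool:
    """Relying party: check the issuer MAC, then the confirmation method."""
    body = assertion["body"]
    if not hmac.compare_digest(assertion["sig"], _mac(ISSUER_KEY, b"assert|" + body)):
        return False  # forged or modified assertion
    if json.loads(body)["confirmation"] == "bearer":
        return True  # whoever presents the assertion is accepted
    if proof is None:
        return False  # holder-of-key assertion presented without proof
    expected = _mac(_mac(ISSUER_KEY, b"proof|" + body), request)
    return hmac.compare_digest(proof, expected)


if __name__ == "__main__":
    req = b"GET /ehr/patient/123"  # constructed sample request
    copied, _ = issue_assertion("dr.a", "physician", holder_of_key=False)
    print("bearer, copied assertion:", accept(copied, req))
    hok, key = issue_assertion("dr.a", "physician", holder_of_key=True)
    print("holder-of-key with proof:", accept(hok, req, sign_request(key, req)))
    print("holder-of-key, copied, no key:", accept(hok, req))
```

Because the proof covers the request bytes, a captured proof cannot be reused for a different request either.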