CoreGRID: European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies.


1 CoreGRID: European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies
Privacy and Security aspects of medical data storage on Grids
University of Cyprus and FORTH ICS (Greece)
Jesus Luna, Feb-2008

2 Outline
Motivation: eHealth
Security risks
What's the matter with privacy?
Legal approach
Technological approach
Conclusions

3 Motivation: eHealth
eHealth describes the application of IT and communications technologies across the whole range of functions that affect the health sector, from the doctor to the hospital manager, via nurses, data processing specialists, social security administrators and, of course, the patients.
eHealth (like eGovernment and eBanking) promises substantial productivity gains and restructured, citizen-centered health systems.
Examples:
–Electronic Health Records.
–Intensive Care Medicine.
–ePharmacies.

4 Security Risks

5 With reward comes risk
The Reward
–Quality of care
–Fewer errors
–Communication
–Operational efficiency
–Savings
The Risk
–More vulnerable to an attack: network-connected devices, systems & applications

6 eHealth is a delicious target for hackers
"Health industry payers and providers make attractive targets for identity theft and certain other cybercriminals because they collect and maintain large volumes of protected health information as well as other sensitive personal and financial data and conduct many transactions electronically..." (American Bar Association, May-05)

7 eHealth Vulnerability Reporting Program (EHVRP/May 2006)
According to the Open Web Application Security Project (OWASP). Table columns: OWASP Top 10 Vulnerabilities | Problems Found (the markings in the second column did not survive the transcript).
1. Unvalidated input
2. Broken access control
3. Broken authentication and session management
4. Cross site scripting (XSS) flaws
5. Buffer overflows
6. Injection flaws
7. Improper error handling
8. Insecure storage
9. Denial of service
10. Insecure configuration management

8 What's the matter with Privacy?

9 Let us present an example…
Dr. Jordi Girona, in Barcelona, wishes to digitize the current paper-based medical records of his patients. SoftMicro, a multi-national company, proposes to scan the records in a local mobile unit and send them to Pakistan for data entry, to populate a database hosted by a UK-based website.
Is this something that he has a right to do? If so, under what conditions, and what might be his duties towards his patients? What are the duties of the company, both in the UK and in Pakistan?

10 Privacy is the name of the game
Privacy is the right of an individual or group to withhold information about themselves, disclosing it only to authorized entities. It is central to the doctor-patient relationship (ever since the ancient Hippocratic Oath!).
But there are issues that may arise:
–Security trade-offs (e.g. user authentication).
–Legal issues, because eHealth privacy laws are quite new (e.g. EU) or provide only partial solutions (e.g. US).

11 Privacy means Trust!
If patients do not trust eHealth systems, they may:
–Give inaccurate or incomplete information.
–Ask the doctor not to write down certain health information, or to record a less serious or less embarrassing condition.
–Avoid care altogether.
Therefore:
–Patients with undetected and untreated conditions.
–Life-threatening situations!
–Future treatment may be compromised if the doctor misrepresents patient information.
Comprehensive solution: eHealth Privacy = Legal + Technological

12 Legal approach

13 Legally eHealth
The heart of the European eHealth world is the Electronic Health Record (EHR). Under current Data Protection legislation, the patient's consent legitimizes the processing of the EHR.
But what if the patient is unable to give consent due to a critical situation?
The European Health Management Association (EHMA), together with the Commission, called for the Legally eHealth project to study these kinds of issues.

14 EHMA's legal recommendations on eHealth Data Protection
Problem: Legal uncertainties and ambiguities in Data Protection, Consent and Other Purposes.
Issues:
–Patients' consent must be explicit. Medical data may be processed without consent if there is a vital interest for the user, or the subject is incapable (physically or legally) of giving it.
–Data must be collected for specific purposes and not be used afterwards for incompatible purposes (not even historical, statistical or scientific!).
Recommendations:
–EC to co-ordinate adoption of specific rules for the processing of health information to balance patients' and public health interests, without recourse to the concept of consent.
–EC efforts toward harmonizing current guidelines on re-using eHealth data.

15 EHMA's legal recommendations on eHealth Data Protection
Problem: Legal uncertainties and ambiguities in Data Protection, Consent and Other Purposes.
Issue: Patients' consent must be explicit. Medical data may be processed without consent if there is a vital interest for the user, or the subject is incapable (physically or legally) of giving it.
Recommendation: EC to co-ordinate adoption of specific rules for the processing of health information to balance patients' and public health interests, without recourse to the concept of consent.
Issue: Data must be collected for specific purposes and not be used afterwards for incompatible purposes (not even historical, statistical or scientific!).
Recommendation: EC efforts toward harmonizing current guidelines on re-using eHealth data.

16 EHMA's recommendations on eHealth Data Protection (2)
Problem: Legal uncertainties in Data Protection and Specified Purpose.
Issue: Data must be collected for specified (clearly defined) and explicit (transparent) purposes. Collected data must not be used afterwards for incompatible purposes (not even historical, statistical or scientific!).
Recommendation: EC to provide guidelines on finality of purpose to allow public health management and disease prevention. Other uses must clearly specify public health interests. Efforts toward harmonizing current guidelines on re-using eHealth data.

17 Technological approach

18 EHMA's technical recommendation on eHealth Data Protection
Problem: Technical and organizational security measures.
Issue: The data controller must take technical and organizational measures to protect the security and confidentiality of personal data.
Recommendation: Member States must implement and harmonize Data Protection mechanisms.
Let's introduce our low-level approach for securing personal data in an eHealth storage system…

19 ICGrid: data architecture
(Architecture diagram; only its labels survive in the transcript: data flows in from sensors; patients' personal data.)

20 Step 1.- security analysis
(Annotated architecture diagram; its labels:)
–Inter-site communication is encrypted.
–Attacker may damage the link; compromise of the link is not feasible.
–Internal attacks (revoked users) are feasible.
–Ultimate compromise of storage devices.
–AuthN & AuthZ enforcement.

21 Step 2.- proposed mechanisms
(Annotated architecture diagram; its labels:)
–Integrity mechanisms.
–Real-time user validation.
–Store per-file crypto-key.
–Fragment at Storage Elements.
–Encrypt at disk level.
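The Step 1 analysis and Step 2 mechanisms above, as an added example that is not part of the ICGrid slides: a per-file key, an integrity tag, fragmentation of the ciphertext across Storage Elements, and a revocation check before the key is released. Stdlib only, so HMAC-SHA256 in counter mode stands in for the disk-level cipher a real deployment would use (such as AES); the storage element names, record ids and revocation set are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256: a stand-in PRF for a real cipher.
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32))]
    return b"".join(blocks)[:length]

def _subkeys(file_key: bytes) -> tuple:
    # Separate encryption and MAC keys derived from the stored per-file key.
    return (hmac.new(file_key, b"enc", hashlib.sha256).digest(),
            hmac.new(file_key, b"mac", hashlib.sha256).digest())

def seal_record(record: bytes, file_key: bytes, n_fragments: int) -> dict:
    """Encrypt-then-MAC under the per-file key, then split the ciphertext across SEs."""
    enc_key, mac_key = _subkeys(file_key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(record, _keystream(enc_key, nonce, len(record))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # integrity mechanism
    size = -(-len(ct) // n_fragments)  # ceiling division
    # Each storage element holds only one slice of ciphertext (assumes fewer than 100 SEs).
    fragments = {f"SE{i:02d}": ct[i * size:(i + 1) * size] for i in range(n_fragments)}
    return {"nonce": nonce, "tag": tag, "fragments": fragments}

def open_record(sealed: dict, file_key: bytes) -> bytes:
    """Reassemble, verify the tag, then decrypt; any damaged fragment is rejected."""
    enc_key, mac_key = _subkeys(file_key)
    ct = b"".join(sealed["fragments"][se] for se in sorted(sealed["fragments"]))
    expected = hmac.new(mac_key, sealed["nonce"] + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        raise ValueError("integrity check failed: fragment damaged, tampered or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, sealed["nonce"], len(ct))))

def release_key(user: str, revoked: set, key_store: dict, record_id: str) -> bytes:
    """Real-time user validation: the per-file key is never handed to a revoked user."""
    if user in revoked:
        raise PermissionError(f"user {user} is revoked")
    return key_store[record_id]

if __name__ == "__main__":
    # Constructed sample data: one ICU record, three storage elements, one revoked user.
    key_store = {"icu-0042": secrets.token_bytes(32)}
    sealed = seal_record(b"patient 0042: heart rate 72, SpO2 97", key_store["icu-0042"], 3)
    print({se: frag.hex() for se, frag in sealed["fragments"].items()})  # ciphertext only
    k = release_key("dr_girona", {"revoked_admin"}, key_store, "icu-0042")
    print(open_record(sealed, k))
```

A single compromised Storage Element yields one slice of ciphertext with no key, and a flipped byte in any fragment fails the tag check before decryption.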

22 Conclusions (1)
eHealth systems are bringing a citizen-centered Health System.
Using public networks for eHealth introduces new vulnerabilities, and attackers are resourceful.
Keeping patients' privacy and overall security is a must.
Total Solution:
–Legal: Data Protection laws and harmonization.
–Technological: R+D already taking place.

23 Conclusions (2)
And the road ahead:
–Storage Elements are the last line of defense if authorization and authentication fail.
–Performance and usability should be balanced with security.
–Keep harmonizing legal and technical solutions!

24 Thank you for your attention! Questions?
Jesus Luna, jluna@cs.ucy.ac.cy
