Presentation is loading. Please wait.

Presentation is loading. Please wait.

CoreGRID: European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies.

Similar presentations


Presentation on theme: "CoreGRID: European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies."— Presentation transcript:

1 CoreGRID: European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies Data Safety in the Grid Environment University of Cyprus and FORTH ICS (Greece) Jesus Luna Feb-2008

2 European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies 2 Outline Motivation: eHealth Security risks Why privacy? Legal approach: an overview Technological approach Conclusions

3 European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies 3 Motivation: eHealth eHealth describes the application of IT and communications technologies across the whole range of functions that affect the health sector, from the doctor to the hospital manager, via nurses, data processing specialists, social security administrators and - of course - the patients. eHealth (like eGoverment and eBanking) promises substantial productivity gains and restructured, citizen- centered health systems. Examples: –Intensive Care Medicine. –ePharmacies. –Telemedicine.

4 Security Risks

5 European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies 5 With reward comes risk The Reward –Quality of care –Fewer errors –Communication –Operational efficiency –Savings The Risk –More vulnerable to an attack Network-connected devices, systems & applications

6 European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies 6 eHealth is a delicious target for hackers Health industry payers and providers make attractive targets for identity theft and certain other cybercriminals because they collect and maintain large volumes of protected health information as well as other sensitive personal and financial data and conduct many transactions electronically... (May-05) (American Bar Association)

7 European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies 7 A few examples… A computer intruder broke into a Seattle area hospital and downloaded thousands of private medical records earlier this year. (Dec-2000) A former branch manager with the San Jose Medical Group (California) has been accused of stealing computers and the disk that contained 185,000 patients records. (May-2005) Duke University Health System instructed 14,500 users of its Web sites to create new passwords after the system's operators discovered a security breach. (June-2005)

8 European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies 8 eHealth Vulnerability Reporting Program (EHVRP/May 2006) According to the Open Web Application Security Project (OWASP): OWASP Top 10 VulnerabilitiesProblems Found 1. Unvalidated input 2. Broken access control 3. Broken authentication and session mgt. 4. Cross site scripting (XSS) flaws 5. Buffer overflows 6. Injection flaws 7. Improper error handling 8. Insecure storage 9. Denial of service 10. Insecure configuration management

9 Why Privacy?

10 European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies 10 Privacy is the name of the –eHealth- game Privacy is the right of an individual or group to hide information about themselves, disclosing it to Authorized entities. It is central to the doctor-patient relationship (even since the ancient Hippocratic Oath!). But there are issues that may arise: –Security trade-offs (i.e. User authentication). –Legal issues, because eHealth privacy laws are quite new (i.e. EU) or provide only partial solutions (i.e. US).

11 European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies 11 Privacy means Trust! If Patients do not trust eHealth systems: –Give inaccurate or incomplete information. –Ask the doctor not to write down certain health information or to record a less serious or embarrassing conditions. –Avoid care altogether. Therefore: –Patient with undetected and untreated conditions. –Future treatment may be compromised if the doctor misrepresents patient information. –Life-threatening situations! Comprehensive solution: eHealth Privacy = Legal + Technological

12 Legal approach: an overview

13 European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies 13 Legally eHealth The heart of the European eHealth world is the Electronic Health Record (EHR). Based on current Data Protection legislations, patients consent legitimates the EHR processing. But, what if the patient is unable to give his consent due to a critical situation? The European Health Management Association (EHMA) along with the Commission called for the Legally eHealth project to study these kind of issues.

14 European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies 14 Example: EHMAs legal recommendations on eHealth Data Protection IssuesRecommendation Patients consent must be explicit. Medical data may be processed without consent if vital interest for the user or subject incapable (physically or legally) of giving it. EC to co-ordinate adoption of specific rules for the processing of health information to balance patients and public health interests, without recourse to the concept of consent.

15 Technological approach

16 European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies 16 Use Case 1:Electronic Health Card (Germany) To replace European Health Insurance Card. Patient decides IF and WHICH information can be recorded or deleted and WHO has access to it. Two-keys principle: –The card itself. –PIN as sign of consent. In emergencies, data can be accessed with a Health Professional Card (i.e. ICU, paramedics). 50 most recent accesses are logged. Administrative Data Cryptoprocessor

17 European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies 17 Use Case 2: Protecting ICGrid From sensors Patients personal data

18 European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies 18 Step 1.- security analysis Inter-site comm. encrypted Attacker may Damage link Compromise not feasible Internal attacks (revoked users) are feasible Ultimate compromise of storage devices AuthN&AuthZ enforcement

19 European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies 19 Step 2.- proposed mechanisms Integrity mechanisms Real-time User validation Store per-file Crypto-key Fragment at Storage Elements Fragment at Storage Elements Encrypt at Disk-Level Encrypt at Disk-Level

20 European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies 20 Conclusions (1) eHealth systems are bringing a citizen-centered Health System. Using public networks for eHealth introduces new vulnerabilities and attackers are resourceful. Keeping patients privacy and overall security is a must. Total Solution: –Legal: Data Protection laws and harmonization. –Technological: R+D already taking place.

21 European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies 21 Conclusions (2) And the road ahead: –Storage Elements are the last line of defense, if authorization and authentication fail. –Performance and usability should be balanced with security. –Interoperability is a MUST!

22 European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies 22 Thank you for your attention! Questions? Jesus Luna


Download ppt "CoreGRID: European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies."

Similar presentations


Ads by Google