eHIP: Health Information Platform
Security & Privacy
Riccardo Scandariato
IBBT-DistriNet
Caring through Sharing
K.U.Leuven
Problem
Architectural solution based on XDS reference model
No out-of-the-box security&privacy solution
Patient data is the asset to protect
Sensitivity of information
Laws and regulations
Security analysis: business level
Analyzing the functionality and how it can be misused
Search, View, Upload, Notify
Abusing the functionality (out-of-the-box thinking)
Adding fake data or removing correct data
Exploiting unplanned information paths
Abusing privileges
EXAMPLE: Hiding errors by overwriting documents
Security analysis: technical level
Identify assets in the eHIP architecture
Data flow diagram (DFD)
Determine threats
Spoofing identity
Tampering with data
Repudiation
Information disclosure
Denial of service
Elevation of privilege
EXAMPLE: Tampering with communication
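The DFD plus STRIDE step above, run as code: an added example (not code from the eHIP project) that applies the usual STRIDE-per-element mapping to a small hypothetical DFD of the slide's components, subtracts the controls declared on each element or flow, and ranks flows that cross a trust boundary first. Element names, trust zones and the control vocabulary are assumptions; the document flow returned to the workstation is deliberately left without an integrity control so that the "tampering with communication" example surfaces.

```python
"""Added example, not code from the eHIP project: a STRIDE-per-element pass
over a small data flow diagram (DFD) of the platform's components. Element
names, trust zones and the controls declared on them are hypothetical."""
from dataclasses import dataclass, field

# Standard STRIDE-per-element mapping: which threat classes apply to which DFD element type.
STRIDE_PER_ELEMENT = {"external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}
THREAT = {"S": "Spoofing identity", "T": "Tampering with data", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service", "E": "Elevation of privilege"}
# Hypothetical control vocabulary: each declared control is taken to cover one threat class.
COVERS = {"authn": "S", "integrity": "T", "audit": "R", "confidentiality": "I",
          "availability": "D", "authz": "E"}


@dataclass
class Element:
    name: str
    kind: str                 # "external", "process" or "store"
    zone: str                 # trust zone the element runs in
    controls: set = field(default_factory=set)


@dataclass
class Flow:
    src: Element
    dst: Element
    data: str
    controls: set = field(default_factory=set)

    @property
    def name(self) -> str:
        return f"{self.src.name} -> {self.dst.name} [{self.data}]"


def open_threats(kind: str, controls: set) -> list:
    """Threat classes for this element type that no declared control covers."""
    return sorted(set(STRIDE_PER_ELEMENT[kind]) - {COVERS[c] for c in controls})


def analyze(elements: list, flows: list) -> list:
    """Return (element, threat, crosses_boundary) triples; boundary-crossing flows first."""
    findings = []
    for e in elements:
        findings += [(e.name, THREAT[t], False) for t in open_threats(e.kind, e.controls)]
    for f in flows:
        crosses = f.src.zone != f.dst.zone
        findings += [(f.name, THREAT[t], crosses) for t in open_threats("flow", f.controls)]
    return sorted(findings, key=lambda x: (not x[2], x[0], x[1]))


def build_model() -> tuple:
    """Hypothetical DFD of the slide's components: user, ID provider, security service, repository."""
    user = Element("Clinician workstation", "external", "hospital-lan")
    idp = Element("ID provider", "process", "dmz", {"authn", "audit"})
    sec = Element("Security service", "process", "core",
                  {"authn", "authz", "audit", "integrity", "confidentiality", "availability"})
    repo = Element("Repository", "store", "core", {"audit", "confidentiality", "availability"})
    flows = [
        Flow(user, idp, "usr/pwd", {"confidentiality", "integrity", "availability"}),
        Flow(user, repo, "view doc request", {"confidentiality", "integrity", "availability"}),
        Flow(repo, sec, "ok? (authorization query)", {"integrity", "availability"}),
        # Document returned over a channel with no integrity control declared.
        Flow(repo, user, "document", {"confidentiality", "availability"}),
    ]
    return [user, idp, sec, repo], flows


if __name__ == "__main__":
    for name, threat, crosses in analyze(*build_model()):
        print(("!! " if crosses else "   ") + f"{name}: {threat}")
```

The mapping is only a starting list; the output is the set of threats still to be argued away or mitigated, and a control named on an element is taken at face value, so the model is only as honest as the declared controls.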
Security solution: in a nutshell
Enforce rules to limit who can access what
Centralized for ease of management
Per-resource rules
Establish identities
Decentralized due to scale and admin constraints
Security solution: what rules?
Analyzed the types of rules:
Identity
Roles and affiliation
Data sensitivity
Location
Data origin
Patient history
Treatment or long-lasting relationship
Rule structure (figure): a rule has a Target (Subject, Resource, Action, Environment), a Condition and an Effect
XACML: eXtensible Access Control Markup Language
Security solution: establishing identities
Federation of ID providers
A provider generates a token that proves the identity and carries attributes of the subject
Security service trusts the providers
SAML attribute assertion (figure): id, version, issuer, subject, timestamp, signature; attribute statements such as role, ...
SAML: Security Assertion Markup Language
Security: implementation
Components (figure): ID provider (SAML), Security service (XACML), Repository
Flow labels (figure): usr/pwd (user authenticates to the ID provider), view doc (user request to the Repository), ok? (Repository asks the Security service), permit (Security service decision)
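The three slides above (rules, identities, implementation flow) in miniature, as an added example that is not eHIP code: a federated ID provider issues a signed attribute assertion, the security service checks issuer, signature and validity window, and then evaluates XACML-style rules (target, condition, effect with deny-overrides combining) for the "ok?" step. Issuer names, keys, attributes and the rule set are hypothetical, and an HMAC over a key shared between provider and security service stands in for the XML-DSig signature of a real SAML assertion.

```python
"""Added example, not eHIP code: the slide's flow in miniature. A federated ID
provider issues a signed SAML-style attribute assertion; the security service
checks issuer, signature and validity window, then evaluates XACML-style rules
(target + condition + effect, deny-overrides) against the request. Issuers,
keys, attributes and rules are hypothetical; HMAC with a key shared between
provider and security service stands in for the XML-DSig signature of a real
SAML assertion."""
import hashlib
import hmac
import json
import uuid
from dataclasses import dataclass
from typing import Callable, Optional

# Hypothetical federation: the security service trusts exactly these providers.
TRUSTED_ISSUERS = {
    "idp.hospital-a.example": b"hospital-a-demo-key",
    "idp.gp-network.example": b"gp-network-demo-key",
}


def issue_assertion(issuer: str, subject: str, attributes: dict, now: int,
                    validity: int = 300) -> dict:
    """ID provider side: sign a statement about the subject and its attributes."""
    body = {"id": str(uuid.uuid4()), "version": "2.0", "issuer": issuer,
            "subject": subject, "issued_at": now,
            "not_on_or_after": now + validity, "attributes": attributes}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(TRUSTED_ISSUERS[issuer], payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": sig}


def verify_assertion(token: dict, now: int) -> dict:
    """Security service side: accept only fresh, correctly signed tokens from trusted issuers."""
    body = json.loads(token["payload"])
    key = TRUSTED_ISSUERS.get(body.get("issuer"))
    if key is None:
        raise ValueError("untrusted issuer")
    expected = hmac.new(key, token["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["signature"]):
        raise ValueError("bad signature")
    if not body["issued_at"] <= now < body["not_on_or_after"]:
        raise ValueError("token expired or not yet valid")
    return body


@dataclass
class Rule:
    rule_id: str
    effect: str                                   # "Permit" or "Deny"
    target: dict                                  # category -> {attribute: accepted values}
    condition: Optional[Callable[[dict], bool]] = None


def target_matches(target: dict, request: dict) -> bool:
    return all(request[cat].get(attr) in accepted
               for cat, attrs in target.items() for attr, accepted in attrs.items())


def evaluate(policy: list, request: dict) -> str:
    """Deny-overrides combining: any applicable Deny wins, then Permit, else NotApplicable."""
    effects = {r.effect for r in policy
               if target_matches(r.target, request)
               and (r.condition is None or r.condition(request))}
    return "Deny" if "Deny" in effects else "Permit" if "Permit" in effects else "NotApplicable"


# Hypothetical rules using rule types from the slide: role, treatment relationship,
# data sensitivity and location.
POLICY = [
    Rule("treating-physician", "Permit",
         {"subject": {"role": {"physician"}}, "action": {"id": {"view"}}},
         lambda req: req["resource"]["patient"] in req["subject"].get("patients", [])),
    Rule("own-record", "Permit",
         {"subject": {"role": {"patient"}}, "action": {"id": {"view"}}},
         lambda req: req["resource"]["patient"] == req["subject"]["id"]),
    Rule("sensitive-offsite", "Deny",
         {"resource": {"sensitivity": {"high"}}, "environment": {"location": {"external"}}}),
]


def authorize(token: dict, resource: dict, action: str, environment: dict, now: int) -> str:
    """The 'ok?' step: verify the token, build the XACML-style request, return the decision."""
    assertion = verify_assertion(token, now)
    subject = dict(assertion["attributes"], id=assertion["subject"])
    request = {"subject": subject, "resource": resource,
               "action": {"id": action}, "environment": environment}
    return evaluate(POLICY, request)


if __name__ == "__main__":
    now = 1_700_000_000
    tok = issue_assertion("idp.hospital-a.example", "dr-jansen",
                          {"role": "physician", "patients": ["pt-0042"]}, now)
    print(authorize(tok, {"patient": "pt-0042", "sensitivity": "normal"},
                    "view", {"location": "internal"}, now))
```

Two points the slides leave implicit are visible here: the security service never evaluates a rule before the token's issuer, signature and validity window have been checked, and a missing rule yields NotApplicable rather than a permit, so the repository must treat anything other than Permit as a refusal.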
Privacy: in a nutshell
Avoid linkability of data when communicated across contexts
Identifiers must be pseudonymized in cross-context communication
In some applications the process must be reversible
Example (figure): linking "Ric's blood count is low" with "Ric is buying vitamins" across contexts lets an observer infer "Ric is working too hard"
Privacy: reversible IDs
Context-specific references (figure): Prefix + Reversible ID
The global ID (e.g. 820908 324 56) is transformed into an unreadable but reversible ID and prefixed with a context label, e.g. study_83547
Privacy: implementation
Components (figure): ID provider, Security service, Repository, Anonymizer
Flow labels (figure): usr/pwd, view doc, ok?, permit; the Anonymizer pseudonymizes identifiers in cross-context communication
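The reversible-ID scheme of the previous two slides, as an added example that is not eHIP code: the anonymizer holds a master key, derives one key per context, and turns the digits of the global ID into a reversible ID with a keyed Feistel permutation, prefixed with the context label. The same global ID therefore gets unrelated references in the study and pharmacy contexts, which breaks linkability for anyone holding only the pseudonyms, while the anonymizer can reverse either one. A one-way variant is included for contexts that never need reversal. The master key, context labels, the 11-digit ID format and the Feistel construction are assumptions, not the project's design.

```python
"""Added example, not eHIP code: context-specific references for cross-context
communication. The anonymizer holds a master key, derives one key per context,
and turns the global ID's digits into a reversible ID with a keyed Feistel
permutation; the result is prefixed with the context label. Holders of the
pseudonyms alone cannot link contexts, while the anonymizer can reverse them.
Master key, context labels and the sample global ID are hypothetical."""
import hashlib
import hmac

GLOBAL_ID_DIGITS = 11      # global IDs are taken to be 11-digit numbers (as on the slide)
HALF = 10 ** 6             # Feistel halves are 6-digit numbers, so the domain is 12 digits
ROUNDS = 6


def _context_key(master_key: bytes, context: str) -> bytes:
    """One key per context, so the same global ID maps to unrelated IDs per context."""
    return hmac.new(master_key, b"ctx:" + context.encode(), hashlib.sha256).digest()


def _round_fn(ctx_key: bytes, i: int, half: int) -> int:
    mac = hmac.new(ctx_key, f"{i}:{half:06d}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big") % HALF


def _feistel(ctx_key: bytes, n: int, decrypt: bool = False) -> int:
    """Keyed permutation of [0, 10**12): balanced Feistel over two 6-digit halves."""
    left, right = divmod(n, HALF)
    if not decrypt:
        for i in range(ROUNDS):
            left, right = right, (left + _round_fn(ctx_key, i, right)) % HALF
    else:
        for i in reversed(range(ROUNDS)):
            left, right = (right - _round_fn(ctx_key, i, left)) % HALF, left
    return left * HALF + right


def pseudonymize(master_key: bytes, context: str, global_id: str) -> str:
    """Reversible context-specific reference: <context prefix>_<reversible ID>."""
    digits = global_id.replace(" ", "")
    if not (digits.isdigit() and len(digits) == GLOBAL_ID_DIGITS):
        raise ValueError(f"global ID must be {GLOBAL_ID_DIGITS} digits")
    code = _feistel(_context_key(master_key, context), int(digits))
    return f"{context}_{code:012d}"


def depseudonymize(master_key: bytes, pseudonym: str) -> str:
    """Anonymizer side: recover the global ID from a context-specific reference."""
    context, _, code = pseudonym.rpartition("_")
    n = _feistel(_context_key(master_key, context), int(code), decrypt=True)
    return f"{n:0{GLOBAL_ID_DIGITS}d}"


def one_way_pseudonym(master_key: bytes, context: str, global_id: str) -> str:
    """For contexts that never need reversal: a keyed one-way reference instead."""
    digits = global_id.replace(" ", "").encode()
    tag = hmac.new(_context_key(master_key, context), digits, hashlib.sha256).hexdigest()
    return f"{context}_{tag[:16]}"


if __name__ == "__main__":
    key = b"anonymizer-master-key-demo"
    gid = "820908 324 56"
    for ctx in ("study", "pharmacy"):
        p = pseudonymize(key, ctx, gid)
        print(p, "->", depseudonymize(key, p))
```

The mapping is deterministic within a context, so a study can correlate its own records for one patient, but the context key is what keeps the study and pharmacy references unlinkable; the master key must therefore never leave the anonymizer, and contexts that only ever need a stable handle should get the one-way reference rather than a reversible one.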
Credits: successful results come from good teamwork
IBBT-DistriNet team
Kim Wuyts, Eryk Kulikowski, Kris Verlaenen, Ric
IBBT-COSIC team
Mina Deng, Claudia Diaz, Danny De Cock