Secure and Trusted Paradigm for Interoperable eHealth Services. John Avramidis, EULAMBIA Advanced Technologies Ltd. H2020 PROJECT CLUSTERING WORKSHOP, 31st January 2018, Athens, Greece
KONFIDO means “Trust” in Esperanto
KONFIDO Consortium: 15 partners, 7 countries, 2 pilots
KONFIDO Vision: Provide a holistic approach to address the challenge of secure cross-border exchange of eHealth data
Our Goal: Interoperable and secure European eHealth services (storage, dissemination, processing, presentation)
Cross-Border eHealth Data Retrieval (diagram: a data request and patient data exchanged between Country B and Country A). Country B should be aware of: the data formats and protocols of every country A; the national infrastructure of every country A; the regulations of every country A.
Previous work in the field – Our guide: The epSOS Project (I & II), 2008-2013, Smart Open Services for European Patient. Goal: To develop a practical eHealth framework and ICT infrastructure, based on existing national infrastructures, that enables secure access to patient health information, particularly with respect to a basic Patient Summary and ePrescription, between European healthcare systems.
eHDSI and OpenNCP: OpenNCP is the technical outcome of the epSOS project. OpenNCP is a part of the eHealth Digital Service Infrastructure (eHDSI) and allows for the exchange of eHealth data in Europe.
The epSOS Mediated Approach: The National Contact Point (NCP) is in charge of: interacting with the other NCPs; pivoting documents; encoding the pivoted document in the national structure; interacting with the National Infrastructure (NI).
Security Assessment of epSOS: Security of communications is ensured by the use of cryptography and secure protocols. Security of the communicating parties is not enforced by technical means; it is instead assumed by legally binding agreement. No protection is offered against the propagation of cyberattacks; instead, attacks that succeed in compromising an NI can exploit the NCP to propagate to other countries. These security aspects were out of scope of epSOS.
Here comes…
KONFIDO innovation pillars: 1st Pillar: Enhancement of the trust and security of interoperable eHealth services. 2nd Pillar: Continuous validation and proof of concept demonstrations. 3rd Pillar: Focus on stakeholders, improving user acceptance, adhering to standards and legal and ethical directives.
KONFIDO Challenges: Develop a holistic secure solution for interoperable eHealth services; consider storage, dissemination, processing and presentation; successfully develop system components; system integration; ensure interoperability and scalability; handle legal, privacy and ethical issues.
1st Pillar: Enhancement of the trust and security of interoperable eHealth services
Six state-of-the-art Technologies: Exploit the new security extensions of COTS CPUs for creating protected execution environments for eHealth applications; develop novel photonic encryption key generation technologies; build an efficient homomorphic encryption mechanism supporting secured health data storage, processing and exchange; develop customized SIEM (security information & event management) solutions for real-time monitoring of the security of eHealth applications; implement disruptive logging and auditing mechanisms; design and implement an eIDAS compliant eID infrastructure.
Trusted Execution Environment (Intel SGX): The application is split into trusted and untrusted parts. The app runs and creates an enclave, which is placed in trusted memory. Only code running inside the enclave sees data in clear. Intel Software Guard eXtensions (SGX) is an extension of the x86 ISA designed to support trusted computing. SGX-based software is built around the concept of the enclave: hardware-supported containers capable of guaranteeing the code executed therein. The TCB is limited to the enclave. Separation between the trusted and untrusted parts of an application. Remote (and local) attestation between enclaves.
Photonic Unclonable Function (PUF): Deterministic operation: the same PUF challenge yields the same response! Diagram labels: electronic circuit, photonic token; challenge, physical object, response; bit string (seed), optical stimulus, image (speckle), bit string (key). PUF characteristics: Robustness: repeatability and immunity to noise; the same object and challenge generate the same response. Unclonability: practically impossible to replicate; immunity to replication even by a malicious manufacturer. Unpredictability: computationally unrealistic to simulate; immunity to machine learning, brute force, or simulation.
Homomorphic Cryptography: Parties: User (private data owner) and Server (owner of the algorithm). Goal: the server executes the algorithm on HE data; the user obtains the algorithm's result on private data. Can perform analysis on medical data without violating the patients’ privacy.
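The user/server split described on this slide, as an added example that is not KONFIDO code. It uses a toy Paillier cryptosystem (additively homomorphic, chosen here for illustration; the slides do not name a scheme) with demo-sized primes and constructed sample readings; all function names are assumptions.

```python
import math
import secrets

# Demo-sized primes (two Mersenne primes) so the example runs instantly;
# real keys use primes of at least 1024 bits each.
P, Q = 2**31 - 1, 2**61 - 1


def keygen(p=P, q=Q):
    """User side: return (public n, private (n, phi, mu))."""
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(n, phi) != 1:
        raise ValueError("unsuitable primes")
    return n, (n, phi, pow(phi, -1, n))


def encrypt(n, m):
    """User side: c = (1+n)^m * r^n mod n^2 with a fresh random r."""
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    n2 = n * n
    r = secrets.randbelow(n - 1) + 1
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return (1 + m * n) % n2 * pow(r, n, n2) % n2


def decrypt(private, c):
    """User side: m = L(c^phi mod n^2) * mu mod n, where L(x) = (x-1)//n."""
    n, phi, mu = private
    return (pow(c, phi, n * n) - 1) // n * mu % n


def server_weighted_sum(n, ciphertexts, weights):
    """Server side: Enc(sum(w_i * m_i)) from ciphertexts and the public key only."""
    n2 = n * n
    acc = 1  # 1 is an encryption of 0
    for c, w in zip(ciphertexts, weights):
        acc = acc * pow(c, w, n2) % n2  # Enc(a)^w * Enc(b) = Enc(w*a + b)
    return acc


def demo():
    # Constructed sample values: three readings owned by the user.
    n, private = keygen()
    cts = [encrypt(n, m) for m in (120, 80, 98)]
    return decrypt(private, server_weighted_sum(n, cts, (2, 3, 1)))
```

The server never holds the private tuple, and because encryption is randomized, equal readings produce different ciphertexts.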
KONFIDO SIEM: A Security Information & Event Monitoring (SIEM) component is needed in order to: support a distributed analysis of high volumes of data; discover anomalies in the normal operation of the healthcare security system; protect the OpenNCP infrastructure from distributed attacks (e.g. DDoS).
Disruptive Logging and Auditing: Provides traceability and liability support. Based on the blockchain design pattern. Logs all privacy-critical operations. A legally binding system based on blockchain auditing that makes it possible to prove that specific eHealth data: have been requested by a legitimate entity; have been provided (or not).
eIDAS Authentication: OpenNCP deals with physicians, pharmacists and patients. eIDAS authentication refers to how these different users authenticate with OpenNCP using eIDAS compliant identities.
OpenNCP Reference Architecture (diagram). Labels: Country 1, …, Country 3; NCP 1, NCP 2, NCP 3; OpenNCP; National Infrastructure; EHR; Hospital; Health Center; Mobile Devices; General Practitioner; Triage; Home Care; Level 1, Level 2, Level 3.
Conceptual view of KONFIDO architecture
Information flow (topmost level)
Before KONFIDO Deployment (diagram). Labels: Country 1, Country 2, Country 3, …; NCP 1, NCP 2, NCP 3; National Infrastructure; OpenNCP.
KONFIDO Services Deployment (diagram). Labels: Country 1, Country 2, Country 3, …; NCP 1, NCP 3; National Infrastructure; KONFIDO; TEE; KONFIDO SERVICES/APIs; PUF; eIDAS; Auditing Services; HE.
2nd Pillar: Continuous validation and proof of concept demonstrations
Objectives: Perform preliminary module and system assessments and validation campaigns well before the pilot demonstrations; perform two (2) iterations on the specification and development of the proposed solutions; organize two (2) diverse and iterative demonstration campaigns in three (3) different member states.
Validation Pilots: Pilot sites in Italy, Denmark and Spain
Validation Pilots: Scenario 1: Cross-border health data exchange across EU. Scenario 2: Secure cross-region and cross-border mobility for emergency management and patient empowerment.
3rd Pillar: Focus on stakeholders, improving user acceptance, adhering to standards and legal and ethical directives
Objectives: Adhere to existing National and European legal directives and ethical norms; achieve wide acceptance of KONFIDO’s solutions; achieve wide user engagement steering KONFIDO’s solutions; define appropriate business models and a go-to-market strategy.
KONFIDO outcome: Smartly integrate the different components/tools into a ‘universal’ security toolbox to provide a complete packaged security solution to eHealth/mHealth. Uniform, seamless and interoperable interface, operating under a common security and privacy framework. Consideration of legal, operational/policy and ethical aspects.
www.konfido-project.eu; @konfidoproject; twitter.com/konfidoproject; www.facebook.com/konfidoproject/; www.linkedin.com/in/konfido-project-860427134/; john.avramidis@eulambia.com