Using Public Key Infrastructure to Secure Online Medical Records Presented by PRAVIN SHETTY.

Slides:

Advertisements

Similar presentations

Public Key Infrastructure and Applications

Advertisements

International Telecommunication Union Workshop on Standardization in E-health Geneva, May 2003 The Use of X.509 in E-Healthcare Professor David W.

A Plan for a Sustainable Community Behavioral Health Information Network Western States Health-e Connection Summit & Trade Show September 10, 2013.

Bakheet Aldosari, Ph.D. Health 305 Health Information Management Bakheet Aldosari, Ph.D.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.

SSL : An Overview Bruhadeshwar Bezawada International Institute of Information Technology, Hyderabad.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

Chief Information Officer Branch Gestion du dirigeant principal de l’information “We will have a world class public key infrastructure in place” Prime.

Page 1 Issues in and perspectives on electronic authentication of health professionals Pascal POITEVIN Marketing and Communication manager GIP-CPS e-Health.

DESIGNING A PUBLIC KEY INFRASTRUCTURE

Exchange Network Key Management Services A Security Component February 28, 2005 The Exchange Network Node Mentoring Workshop.

EUropean Best Information through Regional Outcomes in Diabetes Privacy and Disease Registries Technical Aspects Peter Beck JOANNEUM RESEARCH, Austria.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.

Lecture III : Communication Security, Services & Mechanisms Internet Security: Principles & Practices John K. Zao, PhD SMIEEE National Chiao-Tung University.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E 36th RIPE Meeting Budapest 2000 APNIC Certificate Authority Status Report.

Cryptographic Technologies

TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.

Summary For Chapter 8 Student: Zhibo Wang Professor: Yanqing Zhang.

Computer Science Public Key Management Lecture 5.

Digital Signature Xiaoyan Guo/ Xiaohang Luo/

INTRODUCTION Why Signatures? A uthenticates who created a document Adds formality and finality In many cases, required by law or rule Digital Signatures.

Deploying a Certification Authority for Networks Security Prof. Dr. VICTOR-VALERIU PATRICIU Cdor.Prof. Dr. AUREL SERB Computer Engineering Department Military.

Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.

Chapter 10: Authentication Guide to Computer Network Security.

Chapter 14 Encryption: A Matter Of Trust. Awad –Electronic Commerce 2/e © 2004 Pearson Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic.

©Copyrights 2011 Eom, Hyeonsang All Rights Reserved Distributed Information Processing 20 th Lecture Eom, Hyeonsang ( 엄현상 ) Department of Computer Science.

Research Paper Presentation Software Engineering in agent systems.

1 Chapter 9 E- Security. Main security risks 2 (a) Transaction or credit card details stolen in transit. (b) Customer’s credit card details stolen from.

Internet Security for Small & Medium Business Week 6

E-Commerce Security Technologies : Theft of credit card numbers Denial of service attacks (System not availability ) Consumer privacy (Confidentiality.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.

E-commerce What are the relationships among: – Client (i.e. you) – Server – Bank – Certification authority Other things to consider: – How to set up your.

E-Commerce Security Professor: Morteza Anvari Student: Xiaoli Li Student ID: March 10, 2001.

Virtual Private Network (VPN) Topics Discussion What is a VPN? What is a VPN?  Types of VPN  Why we use VPN?  Disadvantage of VPN  Types of.

Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.

© Oxford University Press 2011 DISTRIBUTED COMPUTING Sunita Mahajan Sunita Mahajan, Principal, Institute of Computer Science, MET League of Colleges, Mumbai.

Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.

METU-SRDCEUROREC Meeting, Geneva, October 10, 2006 RIDE Overview Asuman Dogac Middle East Technical University Ankara, Turkey.

Key Management. Session and Interchange Keys  Key management – distribution of cryptographic keys, mechanisms used to bind an identity to a key, and.

Chapter 16 Security Introduction to CS 1 st Semester, 2012 Sanghyun Park.

This material was developed by Oregon Health & Science University, funded by the Department of Health and Human Services, Office of the National Coordinator.

Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED.

Security, Accounting, and Assurance Mahdi N. Bojnordi 2004

Security Many secure IT systems are like a house with a locked front door but with a side window open -somebody.

Database Security Tampere University of Technology, Introduction to Databases. Oleg Esin.

Integrating a Federated Healthcare Data Query Platform With Electronic IRB Information Systems Shan He IPHIE 2010.

CS453: Introduction to Information Security for E-Commerce Prof. Tom Horton.

DIGITAL SIGNATURE.

Traditional Security Issues Confidentiality –Prevent unauthorized access or reading of information Integrity –Insure that writing or operations are allowed.

Security fundamentals Topic 5 Using a Public Key Infrastructure.

Digital Signatures and Digital Certificates Monil Adhikari.

Management Information System In Healthcare

1 Copyright © 2009, 2006, 2003, 2000, 1997, 1994 by Saunders, an imprint of Elsevier Inc. Chapter 23 Nursing Informatics.

Key management issues in PGP

Trust Profiling for Adaptive Trust Negotiation

Security Outline Encryption Algorithms Authentication Protocols

PAYMENT GATEWAY Presented by SHUJA ASHRAF SHAH ENROLL: 4471

Ministry of Health Montenegro ERASMUS+ KA2 PROJECT:

Lesson 1- Introduction to Health Information Technology

Instructor Materials Chapter 5: Ensuring Integrity

Presentation transcript:

Using Public Key Infrastructure to Secure Online Medical Records Presented by PRAVIN SHETTY

INTRODUCTION Why did I choose this topic? I am interested in Public Key Cryptography. I have a background in Health. I believe online medical records will deliver major improvements to the healthcare industry.

OVERVIEW OF PRESENTATION 1.Introduction to the problem 2.Nature of Medical Records 3.What are the advantages and disadvantages of online medical records? 4.Features of Public Key Infrastructure that make it applicable to use for online medical records.

5.Applications of Public Key Infrastructure for Online Medical Records. 6.Public Key Infrastructure and Security Policy. 7.Conclusion. 8.References

1. THE PROBLEM Through online medical records the aim is to achieve a system where healthcare providers have: Through online medical records the aim is to achieve a system where healthcare providers have: accurate and up-to-data clinical information irrespective of the point of care for patients. Why? Why?

2. WHAT IS A MEDICAL RECORD? A medical record is a collection of information about an individual that is used for their treatment by a health care provider. A medical record is a collection of information about an individual that is used for their treatment by a health care provider. The record contains both sensitive medical information about the patient along with demographic data and personal information.

Health care worker notes (e.g. notes about a common viral illness or a report about major psychiatric illness). Pathology test results (e.g. HIV or hepatitis serology). Radiological results (e.g. x rays and scans).

Specialized tests such as angiograms (e.g. coronary angiogram). Operation reports (e.g. report of surgery performed). Drug allergies and sensitivities. Details of next of kin or guardian.

Who uses a medical record? Tertiary and Quaternary referral centres - large specialized referral hospitals (e.g. Royal Melbourne Hospital). Small to medium community hospitals (e.g. Williamstown Hospital). General Practices - low acuity or ongoing community care of patients (e.g. a suburban general practice).

USERPURPOSE General PractitionerMedical notes Specialist Medical notes NurseNursing notes Allied Health (e.g. physiotherapist)Allied health notes Medical AdministratorsPlanning, Auditing Medical TypistsClerical Reception StaffClerical PharmacistPrescriptions RadiographerPerforming radiological tests Hospital ChaplainAt request of relatives or patient Medical InsurersService payment Government Agencies (e.g. Medicare)Service payment Law Agencies Law enforcement I.T. Staff (e.g. Database Administrator)I.T. technology and support ResearchersMedical research

3. Advantages/Disadvantages of online medical records? Advantages: Improving the treatment of patients. Use of patient information for research purposes and public health monitoring. Improved efficiency of the health system.

Disadvantages: Loss of confidentiality Loss of data integrity Loss of control over personal information

4. Public Key Infrastructure and Online Medical Records Features of Public Key Infrastructure Maintaining Confidentiality of Medical Records Ensuring Authentication of User Maintaining the Integrity of Medical Records Non-repudiation of Information Exchange Weaknesses of Public Key Infrastructure

5. Applications of Public Key Infrastructure

Applications using Public-Key Certificates and Attribute Certificates [6] looked at distributed healthcare databases in Germany and other European Countries. Aimed to create a system where healthcare workers who where appropriately registered could access health care records. Attribute Certificates were user for authorization and authentication of users.

Attribute certificate for qualifications: profession (e.g. doctor, dentist, midwife etc.), specialty type and dedicated specialty. Attribute certificate for authorizations: general authorization, authorization type, and dedicated authorization. The attribute certificate cannot exist on its own but is rather bound to the public key certificate.

The link occurs by using the serial number of the public key certificate or by other means. Together they constitute an entity which is then able to interact with a health care information system. This permits a doctor to view patient files, prescribe medication and perform other necessary duties as specified by the certificates.

Access Confidential Patient Data Over the Internet [7] conducted a study at the Salford hospital, in the Greater Manchester District. Examined secure online patient records. Aimed to improve the flow of information between secondary care hospitals providing specialist treatment and the primary care physicians in the community.

Researchers use the triple DES algorithm. Public key cryptography is used in this case to distribute the session key. Entrust formatted X.509 certificates and their proprietary protocols were used. The Entrust Direct client works as a proxy on both the web clients (general practitioner) and server (hospital).

The following procedure occurs with each request for information: 1. Requests by client browser for information are intercepted by the Entrust Direct proxy on the client computer. 2. The request is encrypted and digitally signed before being sent to the web server of the hospital. 3. The Entrust Direct proxy on the web server intercepts and decrypts the message, verifies the signature and decides whether it is from a trusted source. 4. The Entrust Direct proxy/web server retrieves a certificate revocation list (CRL) and checks the message against this.

5. The web server then queries the diabetic register database and retrieves the relevant information. 6. The outgoing message is intercepted by the Entrust Direct proxy. 7. The message is encrypted and digitally signed using the private key of the Diabetic Information System. 8. The client browser Entrust Direct proxy intercepts and decrypts the message, verifies the signature and decides whether it is from a trusted source. 9. The Entrust Direct proxy/client server retrieves a CRL and check the message against this. 10. The requested information appears on the client browser.

6. Public Key Infrastructure and Security Policy No security system should be reliant on a single technology. Security of online medical records requires an organization-wide approach: Development of a security policy Having clear security goals and objectives

Creating a culture of security awareness Making employees explicitly aware of the security policy Public key infrastructure can provide enormous security benefits when correctly and appropriately integrated into the security system of a health care organization. Its implementation must be considered in terms of the objectives and goals of the security policy.

7. Conclusion Increasing momentum towards online medical records. Security of such a system is a major obstacle. Community fears regarding confidentiality. Public Key Infrastructure can provide a key component of a security system that provides enough security to make online medical records viable.

It offers a system whereby medical records can not only be powerfully encrypted, but the transmission between health care providers can be controlled with a level of certainty that virtually eliminates the possibility of the records being intercepted or ending up in the wrong hands. This technology goes further by assuring the integrity of a message through the use of digital signatures and message digests and creating a communication which is non reputable.

Studies into the use of online medical records have shown promising results.

8.0References [1]Rindfleisch, T., (1997) Privacy, information technology, and health. Communications of the ACM August 1997, Volume 40, Issue 8. [2] Anderson, R., (2001) Security Engineering: A Guide to Building Dependable Distributed System, John Wiley. [3]Marshall, W., Haley, R., (2000) Use of Secure Internet Web Site for Collaborative Medical Research. Journal of the American Medical Association. Volume 284(14), pp 1843 – [4]Burnett, S. & Paine, S., (2000) RSA Security's Official Guide to Cryptography. RSA Press. [5]Clarke, R., (2001) Can Digital Signatures and Public Key Infrastructure Be of Any Use in the Care Sector??? [online] Available from: [Accessed 3/05/03]. [6]Wohlmacher, P. & Pharow, P (2000) Applications in health care using public-key certificates and attribute certificates Computer Security Applications, ACSAC '00. 16th Annual Conference, Dec 2000 Page(s): 128 –137.

[7]Chadwick, D. et al (2002) Experiences of Using Public Key Infrastructure to Access Patient Confidential Data Over the Internet. Proceeding of the 35th International Conference on Systems Sciences IEEE. [8] Verisign Course in PKI by Verisign Australia. [9]Moreno, A & Isern D. (2002) Session 6A: applications: A first step towards providing health-care agent-based services to mobile users Proceedings of the first international joint conference on Autonomous agents and multiagent systems: part 2 July [10]Ateniese, G. & de Medeiros B. (2002) Anonymous E-prescriptions Proceeding of the ACM workshop on Privacy in the Electronic Society November [11]Jurecic, M. & Bunz, H. (1994) Exchange of patient records-prototype implementation of a security attributes service in X.500 Proceedings of the 2nd ACM Conference on Computer and communications security November [12]Zhang, L. Ahn, G. & Chu B. (2002) Applications: A role-based delegation framework for healthcare information systems Seventh ACM Symposium on Access Control Models and Technologies June 2002.