CoreGRID: European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies.

Slides:



Advertisements
Similar presentations
Chapter ADCS CS262/0898/V1 Chapter 1 An Introduction To Computer Security TOPICS Introduction Threats to Computer Systems –Threats, Vulnerabilities.
Advertisements

ASYCUDA Overview … a summary of the objectives of ASYCUDA implementation projects and features of the software for the Customs computer system.
HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
CoreGRID: European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies.
CoreGRID: European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies.
CoreGRID: European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies.
CoreGRID: European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies.
Re-use of PSI Data Protection Issues Cécile de Terwangne Professor at the Law Faculty, Research Director at CRIDS University of Namur (Belgium) 2 nd LAPSI.
1 FPEG Identity theft & payment fraud point December 2007.
Conclusions from e-Health
Reducing administrative burden in Bulgaria: Single Entry Point for Reporting Fiscal and Statistical Information Dr.Mariana Kotzeva President of National.
Scoping the Framework Guidelines on Interoperability Rules for European Gas Transmission Geert Van Hauwermeiren Workshop, Ljubljana, 13 Sept 2011.
WHO Good Distribution Practices for Pharmaceutical Products
Public B2B Exchanges and Support Services
HIPAA AWARENESS TRAINING
Secure Virtual Machine Execution Under an Untrusted Management OS Chunxiao Li Anand Raghunathan Niraj K. Jha.
Software change management
Database Security Policies and Procedures and Implementation for the Disaster Management Communication System Presented By: Radostina Georgieva Master.
Information Systems Today: Managing in the Digital World
AUDIT IN PUBLIC ADMINISTRATION Assoc. Prof. Dr. Recai AKYEL President of the TCA 04 JUNE 2013 TIRANA/ALBANIA.
2008 Johns Hopkins Bloomberg School of Public Health Setting Up a Smoking Cessation Clinic Sophia Chan PhD, MPH, RN, RSCN Department of Nursing Studies.
Location Based Services and Privacy Issues
Supporting National e-Health Roadmaps WHO-ITU-WB joint effort WSIS C7 e-Health Facilitation Meeting 13 th May 2010 Hani Eskandar ICT Applications, ITU.
Primary and secondary use of EHR: Enhancing clinical research Pharmaceutical Industry Perspectives Dr. Karin Heidenreich Senior Public Affairs Manager/Novartis.
©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering 2.
Registry system data exchange General design requirements Pre-sessional Consultations on Registries 19 October 2002 New Delhi, India UNFCCC secretariat.
CHAPTER © 2011 The McGraw-Hill Companies, Inc. All rights reserved. 2 The Use of Health Information Technology in Physician Practices.
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
The European Union legal framework for clinical data access: The European Union legal framework for clinical data access: potential challenges and opportunities.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
ELECTRONIC MEDICAL RECORDS By Group 5 members: Kinal Patel David A. Ronca Tolulope Oke.
Pay As You Go – Associating Costs with Jini Leases By: Peer Hasselmeyer and Markus Schumacher Presented By: Nathan Balon.
OWASP Mobile Top 10 Why They Matter and What We Can Do
The Use of Health Information Technology in Physician Practices
A Framework for Automated Web Application Security Evaluation
Security Awareness: Applying Practical Security in Your World Chapter 1: Introduction to Security.
How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.
State Alliance for e-Health Conference Meeting January 26, 2007.
ISO17799 Maturity. Confidentiality Confidentiality relates to the protection of sensitive data from unauthorized use and distribution. Examples include:
From Privacy to Information Governance Dr Petra Wilson Internet Business Solutions Group - Cisco.
Electronic Health Records: Healthcare System’s Common Trends Based on Cloud Computing Group 2: OU Jin FANG Ting
IBT - Electronic Commerce Privacy Concerns Victor H. Bouganim WCL, American University.
Europe's work in progress: quality of mHealth Pēteris Zilgalvis, J.D., Head of Unit, Health and Well-Being, DG CONNECT Voka Health Community 29 September.
Copyright © 2009 by The McGraw-Hill Companies, Inc. All Rights Reserved. McGraw-Hill Chapter 6 The Privacy and Security of Electronic Health Information.
Consent Directive Management Adding patient privacy support to OpenHIE Derek Ritz, P.Eng., CPHIMS-CA Architecture Virtual Meeting, August 2015.
Patient Confidentiality and Electronic Medical Records Ann J. Olsen, MBA, MA Information Security Officer and Director, Information Management Planning.
Kia Manoochehri.  Background  Threat Classification ◦ Traditional Threats ◦ Availability of cloud services ◦ Third-Party Control  The “Notorious Nine”
Data Governance 101. Agenda  Purpose  Presentation (Elijah J. Bell) Data Governance Data Policy Security Privacy Contracts  FERPA—The Law  Q & A.
Features Governmental organization Critically important ICT objects Distributed infrastructure Three levels of confidentiality Dozens of subsidiary organizations.
Lesson 19-E-Commerce Security Needs. Overview Understand e-commerce services. Understand the importance of availability. Implement client-side security.
Data protection as an integral part of OOP implementations: The Austrian approach Peter Kustor.
Unit 7 Seminar.  According to Sanderson (2009), the problems with the current paper-based health record system have been well documented. The author.
OWASP Building Secure Web Applications And the OWASP top 10 vulnerabilities.
Staying ahead of the storm: know your role in information security before a crisis hits Jason Testart, IST Karen Jack, Secretariat.
Copyright © 2015 by Saunders, an imprint of Elsevier Inc. All rights reserved. Chapter 3 Privacy, Confidentiality, and Security.
Joint UNECE/Eurostat work session on statistical data confidentiality October 2015 Helsinki, Finland Circle of trust Maurice Brandt DESTATIS.
1 Administrative Simplification: The Last Word National HIPAA Summit 8 Baltimore, MD March 9, 2004 William R. Braithwaite, MD, PhD “Doctor HIPAA”
ASHRAY PATEL Securing Public Web Servers. Roadmap Web server security problems Steps to secure public web servers Securing web servers and contents Implementing.
Copyright © 2009 by The McGraw-Hill Companies, Inc. All Rights Reserved. McGraw-Hill/Irwin Chapter 6 The Privacy and Security of Electronic Health Information.
Component 4: Introduction to Information and Computer Science Unit 8: Security Lecture 3 This material was developed by Oregon Health & Science University,
Information Security and Privacy in HRIS
Chapter 17 Risks, Security and Disaster Recovery
American Health Information Management Association
Introduction to Health Privacy
Module 4 System and Application Security
eHealth/mHealth Gisele Roesems
Presentation transcript:

CoreGRID: European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies Privacy and Security aspects of medical data storage on Grids University of Cyprus and FORTH ICS (Greece) Jesus Luna Feb-2008

European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies 2 Outline Motivation: eHealth Security risks Whats the matter with privacy? Legal approach Technological approach Conclusions

European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies 3 Motivation: eHealth eHealth describes the application of IT and communications technologies across the whole range of functions that affect the health sector, from the doctor to the hospital manager, via nurses, data processing specialists, social security administrators and - of course - the patients. eHealth (like eGoverment and eBanking) promises substantial productivity gains and restructured, citizen- centered health systems. Examples: –Electronic Health Records. –Intensive Care Medicine. –ePharmacies.

Security Risks

European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies 5 With reward comes risk The Reward –Quality of care –Fewer errors –Communication –Operational efficiency –Savings The Risk –More vulnerable to an attack Network-connected devices, systems & applications

European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies 6 eHealth is a delicious target for hackers Health industry payers and providers make attractive targets for identity theft and certain other cybercriminals because they collect and maintain large volumes of protected health information as well as other sensitive personal and financial data and conduct many transactions electronically... (May-05) (American Bar Association)

European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies 7 eHealth Vulnerability Reporting Program (EHVRP/May 2006) According to the Open Web Application Security Project (OWASP): OWASP Top 10 VulnerabilitiesProblems Found 1. Unvalidated input 2. Broken access control 3. Broken authentication and session mgt. 4. Cross site scripting (XSS) flaws 5. Buffer overflows 6. Injection flaws 7. Improper error handling 8. Insecure storage 9. Denial of service 10. Insecure configuration management

Whats the matter with Privacy?

European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies 9 Let us present an example… Dr. Jordi Girona, in Barcelona, wishes to digitize the current paper-based medical records of his patients. SoftMicro, a multi-national company, proposes to scan records in a local mobile unit and send the records to Pakistan for data entry and to populate a database hosted by a UK-based website. Is this something that he has a right to do? If so, under what conditions and what might be his duties towards his patients? What are the duties of the company, both in the UK and in Pakistan?

European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies 10 Privacy is the name of the game Privacy is the right of an individual or group to hide information about themselves, disclosing it to Authorized entities. It is central to the doctor-patient relationship (even since the ancient Hippocratic Oath!). But there are issues that may arise: –Security trade-offs (i.e. User authentication). –Legal issues because eHealth privacy laws are quite new (i.e. EU) or provide only partial solutions (i.e. US).

European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies 11 Privacy means Trust! If Patients do not trust eHealth systems: –Give inaccurate or incomplete information. –Ask the doctor not to write down certain health information or to record a less serious or embarrassing conditions. –Avoid care altogether. Therefore: –Patient with undetected and untreated conditions. –Life-threatening situations! –Future treatment may be compromised if the doctor misrepresents patient information. Comprehensive solution: eHealth Privacy = Legal + Technological

Legal approach

European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies 13 Legally eHealth The heart of the European eHealth world is the Electronic Health Record (EHR). Based on current Data Protection legislations, patients consent legitimates the EHR processing. But, what if the patient is unable to give his consent due to a critical situation? The European Health Management Association (EHMA) along with the Commission called for the Legally eHealth project to study these kind of issues.

European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies 14 EHMAs legal recommendations on eHealth Data Protection Problem: Legal Uncertainties and ambiguities in Data Protection, Consent and Other Purposes. Issues: Patients consent must be explicit. Medical data may be processed without consent if vital interest for the user or subject incapable (physically or legally) of giving it. Data must be collected for specific purposes and not to be used afterwards for incompatible purposes (not even historical, statistical or scientific!). Recommendations: EC to co-ordinate adoption of specific rules for the processing of health information to balance patients and public health interests, without recourse to the concept of consent. EC efforts toward harmonizing current guidelines on re- using eHealth data.

European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies 15 EHMAs legal recommendations on eHealth Data Protection Problem: Legal Uncertainties and ambiguities in Data Protection, Consent and Other Purposes. IssueRecommendation Patients consent must be explicit. Medical data may be processed without consent if vital interest for the user or subject incapable (physically or legally) of giving it. EC to co-ordinate adoption of specific rules for the processing of health information to balance patients and public health interests, without recourse to the concept of consent. Data must be collected for specific purposes and not to be used afterwards for incompatible purposes (not even historical, statistical or scientific!). EC efforts toward harmonizing current guidelines on re-using eHealth data.

European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies 16 EHMAs recommendations on eHealth Data Protection (2) Problem: Legal Uncertainties in Data Protection and Specified Purpose. Issue: Data must be collected for specified (clearly defined) and explicit (transparent) purposes. Collected data must not be used afterwards for incompatible purposes (not even historical, statistical or scientific!). Recommendation: EC to provide guidelines on finality of purpose to allow public health management and disease prevention. Other uses must clearly specify public health interests. Efforts toward harmonizing current guidelines on re-using eHealth data.

Technological approach

European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies 18 EHMAs technical recommendation on eHealth Data Protection Problem: Problem: Technical and organizational security measures. Issue: Data controller must take technical and organizational measures to protect security and confidentiality of personal data. Recommendation: Member States must implement and harmonize Data Protection mechanisms. Lets introduce our low-level approach for securing personal data in an eHealth storage system…

European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies 19 ICGrid: data architecture From sensors Patients personal data

European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies 20 Step 1.- security analysis Inter-site comm. encrypted Attacker may Damage link Compromise not feasible Internal attacks (revoked users) are feasible Ultimate compromise of storage devices AuthN&AuthZ enforcement

European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies 21 Step 2.- proposed mechanisms Integrity mechanisms Real-time User validation Store per-file Crypto-key Fragment at Storage Elements Fragment at Storage Elements Encrypt at Disk-Level Encrypt at Disk-Level

European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies 22 Conclusions (1) eHealth systems are bringing a citizen-centered Health System. Using public networks for eHealth introduces new vulnerabilities and attackers are resourceful. Keeping patients privacy and overall security is a must. Total Solution: –Legal: Data Protection laws and harmonization. –Technological: R+D already taking place.

European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies 23 Conclusions (2) And the road ahead: –Storage Elements are the last line of defense, if authorization and authentication fail. –Performance and usability should be balanced with security. –Keep harmonizing legal and technical solutions!

European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies 24 Thank you for your attention! Questions? Jesus Luna

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.