1. A Cryptographic Key Management Solution for HIPAA Privacy/Security Regulations 針對 HIPAA 隱私 / 安全規則的一種密碼金鑰管理方法 IEEE Transactions on Information Technology in Biomedicine, VOL. 12, NO. 1,January 2008 Author: Wei-Bin Lee, Chien-Ding Lee Adviser ： 鄭錦楸 教授 Reporter ：林彥宏 1

2. Outline Introduction Proposed Scheme Registration Phases Encryption Phases Decryption Phases Dissussion conclusions 2

3. Introduction Health Insurance Portability and Accountability Act(HIPAA) enacted by the United States Congress in 1996 improving healthcare quality indicate that patients’ privacy should be emphasized summarizes the status quo of developing the HIPAA in Taiwan HIPAA is a centralized framework of health information, it can facilitate people to understand about health information issues increases popular confidence in the confidentiality of health information internationalization is a tendency because of difference in history and condition, it is difficult for the HIPAA to directly satisfy different environments 3

4. Introduction crucial part of the HIPAA : Privacy Regulations address the patients’ rights to understand and control the use and disclosure of their protected health information (PHI) consent exceptions Security Regulations be distinguished by requirement standards and specifications on what to do and how to do it from different viewpoints to guard integrity, confidentiality, and availability of the health data 4

5. Introduction Key management solution is the key to accomplish events: Patient’s Understanding: Digital Signature Confidentiality: Encryption Patient’s Control: Knowledge of the Corresponding Key Data Integrity Consent Exception a patient must carry many keys while visiting different hospitals 5

6. Proposed Scheme server of the governmental healthcare office (SG) server of a healthcare provider (SH) the patient 6

7. 7 Proposed Scheme Registration Phases: SG creates contract which consists of signed consent and patient data Step1: choose a random number Step2: compute as the patient’s master key Step3: sign the contract as and Step4: deliver a health data card with to the patient

8. 8 Proposed Scheme confirm steps: Step1: verify whether Step2: computer Step3: computer Step4: check whether to ensure the content of the contract

9. 9 Proposed Scheme Encryption Phases: Step1: computer the session key of the patient’s medical record with SH as Step2: encrypt PHI as

10. 10 Proposed Scheme Decryption Phases: Consent Case: patient enter the PIN or biometric information to enable the card Step1: compute the session key for the and as Step2: decrypt the encrypted PHI as Step3: examine the integrity of the whole record by checking whether

11. Decryption Phases: Consent Exception Case: Step1: derive the random seed from as Step2: compute the master key as Step3: recover the healthcare provider’s session key as 11 Proposed Scheme

12. 12 Dissussion key generation: key diversification provides a unique cryptographic key for each smart card efficient, secure, and flexible way to generate and manage keys key distribution: corresponding can be instantly obtained unnecessary complicated operations to generation key key storage: it’s infeasible to derive from without correct is infeasible =256bits, =320 bits, total is 72 bytes smart card is 8192 byte, is restricted 8192-72=8120 bytes

13. 13 Dissussion Computational Performance: only hash function employ, its computational load is low and need exponential computations and lead to time consuming precomputed technology encryption phase, and in consent exception, is time consuming

14. 14 Dissussion Improved digital signature algorithm(DSA)

15. 15 conclusions they proposed a cryptographic key management solution and complying with the HIPAA privacy/security regulations in their scheme, the privacy and data integrity of the patient are guaranteed the rights of the patient are controlled by the key usage they hope that the scheme can be modified to accommodate further changes in regulations