Yahya Y. Al-Salqan
Sun Microsystems
Palo Alto, CA 94303
alsalqan@Eng.Sun.Com
ABSTRACT
In order to provide secure healthcare informatics systems, three different security levels need to be considered: 1) secure healthcare applications, which provide user authentication and access control mechanisms for healthcare applications, components, and objects; 2) a secure database, which protects the database against unauthorized disclosure, alteration, or destruction of healthcare information by legitimate personnel; and 3) a secure communication infrastructure, which protects healthcare informatics systems from unauthorized attempts to access information or interfere with their operation. In this paper, we put the emphasis on database and communication security. Several issues in this document are learned from our experience in our project, the Advanced Research TEstbed on Medical Information System (ARTEMIS).
INTRODUCTION
The evolution from paper-based to computer-based patient records changes the way in which we have to perceive and deal with privacy and security issues. The ability to automatically manipulate data, the increased ease of access to vast amounts of data, and their availability regardless of time and place all create a completely different and increasingly complex environment that challenges traditional approaches to confidentiality and security [1]. In this age of universal electronic connectivity, viruses and hackers, electronic eavesdropping, and electronic fraud, there is indeed no time at which security and confidentiality do not matter.
Knowledge of some data elements can endanger one's employment, insurability, and even acceptance in society. Indications of illicit drug use, sexual promiscuity and sexually transmitted diseases, infection with human immunodeficiency virus (HIV), and psychiatric admissions are harmful for obvious reasons.
Database Security
Protection of patients' confidentiality is a basic requirement for the ethical and legal use of information technology in healthcare informatics systems. As information systems for inter-connected hospitals or rural health clinics become widespread, measures are needed to guard against the intentional or unintentional modification, destruction, loss, use, or disclosure of patients' computer-based data.
Data Integrity
The term integrity in this section is used to mean accuracy, correctness, or validity. The problem of healthcare informatics system integrity is the problem of ensuring that the data is accurate, that is, of guarding the database against invalid updates. Invalid updates may be caused by errors in data entry, by mistakes on the part of the operator, or by deliberate falsification [7]. In this section, we assume that the user is authorized to attempt the update or insert at hand. The healthcare integrity system needs to check that every update and insert operation is valid, and to prevent the operation if it turns out to be invalid.
Database Schema
A database schema is a collection of objects, such as tables, views, clusters, procedures, and packages. Each database has a list of valid users. To access a database, a user must run a database application (such as an SQL*Forms form, SQL*Plus, or a precompiled program in Oracle [8]) and connect using a user name defined in the database. When a user connects to a database, the user has access to all objects contained in the corresponding schema.
User Authentication
The database management system can require rigorous user authentication. For example, a database management system might require a user to pass both specific password and time-of-day checks. This authentication process takes place in addition to the authentication performed by the operating system.
A user's password is used while establishing a connection to prevent unauthorized use of the database. A user's password is stored in the database's data dictionary, where all passwords must be stored in an encrypted format to maintain security for the users. A
User Profiles
As part of a user's security domain, limits can be set on the amount of various system resources available to the user. This allows security administrators to prevent the uncontrolled consumption of valuable system resources, such as CPU time. This becomes important in a multi-user environment, especially when the healthcare information is stored in a multimedia database.
In some databases, such as Oracle [8], resource limits are managed with user profiles. A profile is a named set of resource limits that can be assigned to a user.
Views
Views are very useful for adding another level of security to tables: a view can give access to selected columns of the base table(s) that define the view. For example, a view can be defined on the PATIENT table to show only the patient's ID, name, and date of birth columns. Consequently, if a clerk A is granted access to the view, he/she will not be able to see any other information from the patient record.
Roles
Roles are used in databases to facilitate privilege management. Roles are named groups of related privileges that are granted to users and applications. For example, if the healthcare provider decides to grant all nurses the same privileges, such privileges can be formalized by a role that materializes them. In general, we recommend this approach for the following advantages:
Auditing
Database auditing deals with monitoring and recording selected user actions. Auditing is normally used to investigate suspicious activities and to monitor and gather information about specific database activities.
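As an added example (not from the paper or the ARTEMIS project), the following SQLite model shows three of the database controls described above working together: integrity checks that reject invalid updates even from an authorized user (Data Integrity), a view that exposes only the patient's ID, name and date of birth (Views), and a trigger that records accepted updates (Auditing). The table, column names and the sample row are constructed; SQLite has no profiles or roles, so those are not modelled.

```python
import sqlite3

SCHEMA = """
CREATE TABLE patient (
    patient_id INTEGER PRIMARY KEY,
    name       TEXT NOT NULL,
    dob        TEXT NOT NULL CHECK (dob GLOB '[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]'),
    hiv_status TEXT CHECK (hiv_status IN ('negative', 'positive', 'unknown')),
    diagnosis  TEXT
);
-- Integrity: even an authorized updater may not change a patient's identity.
CREATE TRIGGER patient_identity_fixed BEFORE UPDATE ON patient
WHEN NEW.patient_id <> OLD.patient_id
BEGIN SELECT RAISE(ABORT, 'patient_id is immutable'); END;
-- View: a clerk granted only this view sees ID, name and date of birth.
CREATE VIEW patient_basic AS SELECT patient_id, name, dob FROM patient;
-- Auditing: every accepted update is recorded with a timestamp.
CREATE TABLE audit_log (logged_at TEXT DEFAULT CURRENT_TIMESTAMP, patient_id INTEGER, action TEXT);
CREATE TRIGGER patient_audit AFTER UPDATE ON patient
BEGIN INSERT INTO audit_log (patient_id, action) VALUES (NEW.patient_id, 'update'); END;
"""

def open_db():
    """Create an in-memory database holding one constructed patient row."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO patient VALUES (1, 'A. Example', '1970-05-17', 'positive', 'pneumonia')")
    return db

def try_update(db, sql, params=()):
    """Run an update; True if accepted, False if an integrity rule rejected it."""
    try:
        with db:                      # commit on success, roll back on error
            db.execute(sql, params)
        return True
    except sqlite3.IntegrityError:    # CHECK failure or RAISE(ABORT) in the trigger
        return False

def clerk_columns(db):
    """Column names visible through the restricted view."""
    return [col[0] for col in db.execute("SELECT * FROM patient_basic").description]

def audit_entries(db):
    """Number of updates the audit trigger has recorded."""
    return db.execute("SELECT COUNT(*) FROM audit_log").fetchone()[0]
```

Only the accepted update reaches the audit log; the rejected ones are rolled back before the AFTER UPDATE trigger can fire.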
Inter-Organizational Security
All of the above requirements address intra-organizational security concerns. The need for inter-organizational access control arises once data need to be shared among two or more institutions, such as a hospital and a clinic or laboratory. This is more complex, since several security issues need to be considered. Encryption, secure data communication, interoperability, inter-organizational security policy and arrangements, and the integration of heterogeneous databases are examples of issues that need to be addressed. Meta roles (roles managing roles) can be used in some cases to guarantee inter-organizational security.
Cryptography as a Solution
Cryptography takes a plain text and encodes it into a ciphertext. Communications that use cryptography should be usable only by the sender and the intended recipient. All cryptography schemes rely on key(s).
In conventional cryptographic systems, the sender and the receiver know a single secret key. Such a mechanism is known as a shared-key cryptosystem. The best known of these in current commercial use is the U.S. Data Encryption Standard (DES). The problem with using a shared key is transferring the secret key between the sender and the receiver.
A contemporary approach to this problem is public key cryptography, wherein a message can be encrypted using one key and decrypted using another. The two keys are mathematically related in such a way that knowledge of one key does not make it possible to find the other. Therefore, one key, the public key, can be made widely known, while the corresponding key is kept private to a single user. Messages encrypted using the private key can be decrypted using the public key and vice versa.
Public key cryptography is used for both privacy and authentication. One major problem with public key cryptosystems is that they are slow. The best known example of a public key cryptosystem is RSA.
Cryptography is a very important part of achieving secure communication. It can help prevent penetration from the outside. It can protect the privacy of users of the systems so that only authorized participants can com-
Cryptographic API
New system developers need not tightly couple their applications to the cryptographic model. Instead, they can use a much more powerful and flexible alternative: a standardized Cryptographic Application Program Interface (CAPI) [15].
New healthcare application developers can add hooks to access cryptographic functionality developed by other programmers. These hooks are known as CAPIs [15]. Such an approach has the advantage that applications can access several cryptographic implementations and are flexible enough to add new ones in the future.
Currently, there are several CAPI proposals. The most widely accepted proposals are the Generic Security Services API (GSS-API, Internet Engineering Task Force) [16], the Generic Crypto Services API (GCS-API, X/Open) [17], and Cryptoki (RSA) [18]. Each of these CAPIs was designed to support significantly different
Authentication
There are two distinct aspects to communication authentication: ensuring the integrity of the message and ensuring the identity of the sender.
Message authentication can be assured by a digital signature, which is produced by encrypting the message with a private key and verified by decrypting it with the public key.
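An added illustration (not from the paper) of the key relationship described in the public key section and used by the digital signature above: with textbook RSA, a value transformed with one key of the pair is recovered only with the other, so encrypting with the recipient's public key gives privacy, and "encrypting" a message digest with the signer's private key gives a signature anyone holding the public key can verify. The primes, exponent and sample record are constructed for the illustration.

```python
import hashlib

# Constructed textbook-size RSA parameters (Mersenne primes 2^31-1 and 2^61-1),
# chosen only to make the key relationship visible; not a production key size.
P = 2**31 - 1
Q = 2**61 - 1
E = 65537  # public exponent; gcd(E, (P-1)*(Q-1)) == 1 for these primes

def keypair():
    """Return (public, private) as (E, n) and (d, n), d being E's inverse mod phi(n)."""
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))
    return (E, n), (d, n)

def apply_key(value, key):
    """Raise value to the key's exponent mod n; each key of the pair undoes the other."""
    exponent, n = key
    return pow(value, exponent, n)

def encrypt(plaintext_int, public):
    """Privacy: encrypt with the recipient's public key (plaintext_int must be < n)."""
    return apply_key(plaintext_int, public)

def decrypt(ciphertext_int, private):
    """Only the holder of the matching private key can reverse encrypt()."""
    return apply_key(ciphertext_int, private)

def digest(message, n):
    """SHA-256 of the message as an integer below n, so it fits the modular arithmetic."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private):
    """Authentication: 'encrypt' the message digest with the signer's private key."""
    return apply_key(digest(message, private[1]), private)

def verify(message, signature, public):
    """'Decrypt' the signature with the public key; it must equal a fresh digest."""
    return apply_key(signature, public) == digest(message, public[1])

if __name__ == "__main__":
    pub, priv = keypair()
    sig = sign(b"patient 42: lab result 7.1", priv)
    print(verify(b"patient 42: lab result 7.1", sig, pub))  # True
    print(verify(b"patient 42: lab result 9.9", sig, pub))  # False: altered message
```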
It is important to note that the communication facility that utilizes the security model must be capable of supporting a variety of authentication algorithms and pluggable authentication modules (PAM) [19], and be capable of extending the set of supported protocols as new protocols are developed. The usage of smart cards for authentication will play a major role in healthcare informatics.
Conclusion
In this paper, we discussed general security issues in healthcare informatics. Distributed database and communication network security were discussed in detail.
References
[1] Safran, C., Rind, D., et al., Protection of Confidentiality in the Computer-Based Patient Record, M.D. Computing, Vol. 12, No. 3, May/June 1995, pp. 187-192.
[2] Al-Salqan, Y., Jagannathan, J., et al., Security and Confidentiality in Healthcare, submitted to the 1st ACM/NIST Workshop on RBAC.
[3] Pangalos, G., Security of Medical Database Systems, Part 1, SEISMED (A2033) Project, AIM/SEISMED/SP-07/10-10-94/2, October 1994.
[4] Pangalos, G., Security of Medical Database Systems, Part 2, SEISMED (A2033) Project, AIM/SEISMED/SP-07/20-2-95/3, February 1995.
[5] Robinson, E. N. Jr., Editorial, M.D. Computing, Vol. 11, No. 2, 1994, pp. 69-73.
[6] Code of Ethics, The American Medical Association.
[7] Date, C. J., An Introduction to Database Systems, fifth edition, Addison Wesley.