SlideShare una empresa de Scribd logo

Secure Electronic Health Records

Cybera Inc.
Cybera Inc.

Rei Safavi Naini iCore Chair for Information Security Department of Computer Science, University of Calgary Presented at the Cybera/CANARIE National Summit 2009, as part of the session "New Frontiers in Data Integration." This session showcased a selection of leading-edge initiatives that are breaking new ground and setting new precedents around the collection and integration of data.

TecnologíaEmpresariales
1 de 23
Descargar para leer sin conexión
A!Digital!Rights!Management!Approach! to!Securing El t i Health Records t S i Electronic H lth R d Rei!Safavi"Naini iCORE Chair!in!Information!Security Department!of!Computer!Science,!U!of!Calgary iCORE Information Security Lab
Electronic!Health!Record!(EHR) Electronic Health Record (EHR) • A!collection!of!electronic!health! data! • In!digital!format!! easy!to!share! across!!network"connected! information!systems! • May!include,! • Demographics!(race,!disabilities..)! • medical history medical!history,! • medication!and!allergies,! immunization!status, • laboratory!test!results,!radiology! images, • billing!information… R. Safavi-Naini-Summit ‘09- Oct 14, 2009
Moving!towards!EHR
Existing!access!to!Health!Data Existing access to Health Data " Data!stored!in!island!databases " Security:! " Mainly!communication!security " Encrypted links Encrypted!links • EHR!is!the!centerpiece!of!an! " No,!or!little!control!on!access integrated!solution!to!effective! and!secure!management!of! " After!logging!to!the!system!all!data! can!be!accessed health!information. " All!doctors!and!nurses!can!access!all! data " Records!can!be!copied,!printed!etc " Other issues Other!issues " Multiple!copies!of!data " Inefficiency,!hard!to!access… R. Safavi-Naini-Summit ‘09- Oct 14, 2009
Security!is!an!integral!part!of!EHR Security is an integral part of EHR • Paper!data!and!data!stores!are! inherently!more!secure inherently more secure • Limited!number • Hard!to!!duplicate..!imperfect!copies • Changes!are!detectable • Hard!to!access • Electronic!data, • Many!copies!instantly • Easy!to!make!copies • Changes!undetectable • Can!be!accessed!from!any!points… – Intranet • private!confidential!data!among! employee – Extranet for outsourced resources Extranet!for!outsourced!resources – Web!Portal • Security!is!a!major!challenge!
A!new!approach:! Using!Digital Rights Management l h " Digital!rights!management: " information!is!distributed!in!a! protected!form " information!can!only!be! accessed!using!a!license " License!contains!terms!and! conditions!in!a!machine" readable!form readable form " usable!only!by!trusted!DRM! agents " compliant!DRM!agents will! refuse!to!perform!any!action! unless!it!is!permitted!by!the! Components!of!a!DRM!System licence. R. Safavi-Naini-Summit ‘09- Oct 14, 2009
Digital!Rights!Management!for! Healthcare lh In!Healthcare: In Healthcare: Organizational! Organizational Policies R. Safavi-Naini-Summit ‘09- Oct 14, 2009
Digital!Rights!Management!for! Healthcare lh In!Healthcare: In Healthcare: • Consent directives can be Consent!directives!can!be! expressed!in!terms!of! attributes. – adapted from the eXtensible adapted!from!the!eXtensible! Access!Control!Markup! Language!(XACML) Organizational! Organizational Policies
Digital!Rights!Management!for! Healthcare lh In!Healthcare: In Healthcare: A!license A license Organizational! Organizational Policies R. Safavi-Naini-Summit ‘09- Oct 14, 2009
A!healthcare!facility A healthcare facility R. Safavi-Naini-Summit ‘09- Oct 14, 2009
A!healthcare!facility A healthcare facility ‘Interpreting’!policies Interpreting policies • consent!directive!+!site! authorization!policies!! subjects,!actions,!etc.! subjects actions etc • We!use!workflows!to!describe! the!activity!within!a!facility – workflows!imply!licenses!to! perform!specific!actions R. Safavi-Naini-Summit ‘09- Oct 14, 2009
A!healthcare!facility A healthcare facility Workflows • A!sequence!of!tasks!to!be! carried!out!in!the!specified!order • Authorization!templates!for! each!task • Each!workflow!realizes!a!specific! Each workflow realizes a specific purpose of data processing – “Treatment!Workflow”! “Treatment!Purpose” Stop Check Diagnose Check Examine OR Second Opinion Start
A!healthcare!facility A healthcare facility • A!session!starts!when!a!workflow!is!initiated • DRM!agents!can!join and!leave a!session! – Only!if!their!currently!logged"in!user!has! l f h l l d h the!privileges!to!run!the!workflow!of!the! session • Licenses are!issued!for!sessions – Any!agent!that!joins!the!session!can!benefit! from!the!license # A!user!can!continue!a!session!with!a! different!agent!if!that!agent!joins!the!session – E.g.!continue!execution!of!the!workflow!on! a!mobile!device Credentials XACML and Roles Req./Resp. Req /Resp Idtity M Id i Mgmt. CDMS License Issuer Wrkflw Mgmt. Mgmt Authorization Org. Polcy O P l Template R. Safavi-Naini-Summit ‘09- Oct 14, 2009 License
Digital!Rights!Management!for! Healthcare lh Approach Advantages • Data!stored!in!encrypted!form • Wholistic approach!to!security!and! – Protection!against!loss!of!disks,!laptops! privacy bypassing!security – Access according to stated policies • Security!for!the!lifetime!of!data • Policies – Data!always!remain!encrypted! – Privacy!policies • in!a!locked!box • Consent!forms!"users – Access!always!through!trusted!agents – S Security!policies it li i • certain!type!in!a!given!context! • Authorization!" organizational • Expressive!languages!to!state! • Policies!are!written!in!machine! requirements readable!form. – Fine"grain!access!control Fine"grain access control • Enforcement! • Security!and!privacy!both – Reference!monitors!to!interpret!policies – Enforcing!privacy!policies • Patients’!consent!directives R. Safavi-Naini-Summit ‘09- Oct 14, 2009
Fine grained!control Fine"grained control • Policy!statements!are!of!the! Policy statements are of the • Alice cannot Alice!cannot, form, – print!!the!record – email!it!to!anyone “role nurse!can read blood!data!for – copy!it! copy it the th purpose of surgery!preparation!! f ti location terminal!x12!!in!room#101” – .. – Access!Britney’s!record – !"#$% as!a!‘nurse’ ! role – Can!!‘read’ Bob’s!test!results!! action ‘purpose’!surgery!prep! purpose! of!access – On!a!‘terminal!x12!in!room!#112’ ! context R. Safavi-Naini-Summit ‘09- Oct 14, 2009
Technology!Demonstrator:! Re-purposing patient data Aim: Use!patients’!data!from!Foothills U ti t ’ d t f F thill • Security!requirements Security requirements Hospital!for!research!purposes – Patients’!private!data – Patients’!consent!directives – Controlling!access!based!on • Multiple!research!projects,!! • Need!to!know Need to know – Teams,!members!with!different!roles – Provide!remote!access! • New!teams!formed,!old!teams! – Link!with!other!health!data! removed • Identify!patients!potential!candidates! for!each!research!study – Management!and!tracking!of!their! records • First!stage!:!HiiTech Hepatology Knowledge!base • In!future:!!other!areas!of!medicine R. Safavi-Naini-Summit ‘09- Oct 14, 2009
Current!System C S • Patients’!records!are!stored!in!a!MS!SQL!database Q • MS!SharePoint!portal!is!used!to!access!and!manage!the!data • Data!can!be!downloaded!by!users!in!the!form!of!MS!InfoPath! forms • S Security: everyone can see all data! it ll d t ! Web S raw data SharePoint health health Data Browser Server Services record d record Identity Id i Management log-in Server credentials
The!New!Architecture! metadata Rights license IRM Management Protectors Server metadata protected + data raw data consent Browser protected Consent protected record records SharePoint DRM Web Server Services Agent Data raw data groups Identity Id tit credentials Management Server
Scaling!up!to!federated!systems Scaling up to federated systems • Data"level!Federation Organization B – Using!a!federated!database! • integrating!the!databases!in!two! Consent organizations Application – Secure!link!for!data!transfer Data • Complete!mutual!trust!between! organization! – to!enforce!consent!directives!(and! ( perhaps!other!local!policies) Organization A • Easy!to!implement! – Use existing support for database Use!existing!support!for!database! Consent federation!in!database!engines Application • Does!not!support!cross" organizational!research!studies!as! Data applications!are!not!connected applications are not connected R. Safavi-Naini-Summit ‘09- Oct 14, 2009
Scaling!up!to!federated!systems Scaling up to federated systems • Business"Level!Federation • Requirements – federation at application level federation!at!application"level – federation!of!identity!management federation of identity management – extending!the!application!to!enable! • standard!solutions!(e.g.!SAML,!Active! forming!cross"organizational!research! Directory) studies – rights!management!federation • Design!alternatives! • Implementation!is!much!more!difficult! Implementation is much more difficult – DRM!trusted!domains:!issuing!a!license!for!a! DRM trusted domains: issuing a license for a main!server!allowing!it!to!issue!local!licenses! – MS!IRM!service!federation,!or!a!custom! in!its!domain – Issuing!a!cross!organizational!license!directly! solution to!the!user!in!the!other!organization Organization A Organization B Rights Mgmnt Rights Mgmnt Server Server Consent Consent SharePoint SharePoint Services Services Data Data Identity Mgmnt Identity Mgmnt Server Server R. Safavi-Naini-Summit ‘09- Oct 14, 2009
Future!direction: Taking!the!project!to!the!`Cloud’ k h h ` l d’ " Scalable!design " Patient!data!stored!in!`cloud’ " Provincial,!National,..!Global!Access " Access according to stated policies Access!according!to!stated!policies " Whose!policy? " Trust!relationships • Universality!of!the!approach " Consent!directives S a app oac ca be used o Similar!approach!can!be!used!for! other!types!of!data " Efficient!enforcement? – The!technology!can!be!used!for! protection!of!any!document " Data!security:!Whose!responsibility? " Encrypted!content R. Safavi-Naini-Summit ‘09- Oct 14, 2009
Project!details Project details Participants Publications • iCIS!Lab • N.!P.!Sheppard,!R.!Safavi"Naini,!M.! Jafari,! – Mohammad!Jafari,!Nicholas! A!Digital!Rights!Management! g g g Sheppard,!Michal!Sramka Sh d Mi h l S k Model!for!Healthcare,!Proceedings! • HiiTeC of!the!IEEE!POLICY’09,!London,!UK. – Chad!Saunders,!Hytham! • N.!P.!Sheppard,!R.!Safavi Naini,!M.! N P Sheppard R Safavi"Naini M Khalil,!Simon!Liu Jafari, • Cybera A!Secure!Electronic!Healthcare! Record!Infrastructure!in!the!Digital! – Patrick!Mann,!Jill!Kowalchuk Rights!Management!Model,! Rights Management Model Technical!Report!2009"939"18,! Department!of!Computer!Science,! • Other!supports:!MITACS,! University!of!Calgary,!2009.! iCORE R. Safavi-Naini-Summit ‘09- Oct 14, 2009
R. Safavi-Naini-Summit ‘09- Oct 14, 2009

Recomendados

Cyberinfrastructure Technologies and Applications
Cyberinfrastructure Technologies and ApplicationsCyberinfrastructure Technologies and Applications
Cyberinfrastructure Technologies and ApplicationsCybera Inc.
 
Getting IT right: Implementing a maternity EHR
Getting IT right: Implementing a maternity EHRGetting IT right: Implementing a maternity EHR
Getting IT right: Implementing a maternity EHRHealth Informatics New Zealand
 
Improving CPR success rate Improvement Project (FOCUS-PDCA)
Improving CPR success rate Improvement Project (FOCUS-PDCA)Improving CPR success rate Improvement Project (FOCUS-PDCA)
Improving CPR success rate Improvement Project (FOCUS-PDCA)Mohamed Nassif, MD, MSc, CPHQ, CPPS, LSSGB.
 
Hw1 project charter electronic health record for university health care_sunil...
Hw1 project charter electronic health record for university health care_sunil...Hw1 project charter electronic health record for university health care_sunil...
Hw1 project charter electronic health record for university health care_sunil...Sunil Kumar Gunasekaran
 
EHR Implementation Plan Presentation
EHR Implementation Plan PresentationEHR Implementation Plan Presentation
EHR Implementation Plan PresentationDavid Montanez, PMP
 
Data Insights - sentiXchange
Data Insights - sentiXchangeData Insights - sentiXchange
Data Insights - sentiXchangeAkshay Wattal
 
7 Signs Your Help Desk Needs Help
7 Signs Your Help Desk Needs Help7 Signs Your Help Desk Needs Help
7 Signs Your Help Desk Needs HelpBonitasoft
 
Mid tech presentation copy (satish)
Mid tech presentation copy (satish)Mid tech presentation copy (satish)
Mid tech presentation copy (satish)Satish Dave
 

Recomendados

Cyberinfrastructure Technologies and Applications
Cyberinfrastructure Technologies and ApplicationsCyberinfrastructure Technologies and Applications
Cyberinfrastructure Technologies and ApplicationsCybera Inc.
 
Getting IT right: Implementing a maternity EHR
Getting IT right: Implementing a maternity EHRGetting IT right: Implementing a maternity EHR
Getting IT right: Implementing a maternity EHRHealth Informatics New Zealand
 
Improving CPR success rate Improvement Project (FOCUS-PDCA)
Improving CPR success rate Improvement Project (FOCUS-PDCA)Improving CPR success rate Improvement Project (FOCUS-PDCA)
Improving CPR success rate Improvement Project (FOCUS-PDCA)Mohamed Nassif, MD, MSc, CPHQ, CPPS, LSSGB.
 
Hw1 project charter electronic health record for university health care_sunil...
Hw1 project charter electronic health record for university health care_sunil...Hw1 project charter electronic health record for university health care_sunil...
Hw1 project charter electronic health record for university health care_sunil...Sunil Kumar Gunasekaran
 
EHR Implementation Plan Presentation
EHR Implementation Plan PresentationEHR Implementation Plan Presentation
EHR Implementation Plan PresentationDavid Montanez, PMP
 
Data Insights - sentiXchange
Data Insights - sentiXchangeData Insights - sentiXchange
Data Insights - sentiXchangeAkshay Wattal
 
7 Signs Your Help Desk Needs Help
7 Signs Your Help Desk Needs Help7 Signs Your Help Desk Needs Help
7 Signs Your Help Desk Needs HelpBonitasoft
 
Mid tech presentation copy (satish)
Mid tech presentation copy (satish)Mid tech presentation copy (satish)
Mid tech presentation copy (satish)Satish Dave
 
The future of scientific information & communication
The future of scientific information & communicationThe future of scientific information & communication
The future of scientific information & communicationUS Environmental Protection Agency (EPA), Center for Computational Toxicology and Exposure
 
Workflow Preservation
Workflow PreservationWorkflow Preservation
Workflow PreservationJose Enrique Ruiz
 
Evolution of The Application
Evolution of The ApplicationEvolution of The Application
Evolution of The ApplicationDaniel Miessler
 
Bright talk if they cant use it, it doesnt work - final
Bright talk if they cant use it, it doesnt work - finalBright talk if they cant use it, it doesnt work - final
Bright talk if they cant use it, it doesnt work - finalAndrew White
 
From Crowdsourcing to Big Data: how ePatients (and their machines) are evolvi...
From Crowdsourcing to Big Data: how ePatients (and their machines) are evolvi...From Crowdsourcing to Big Data: how ePatients (and their machines) are evolvi...
From Crowdsourcing to Big Data: how ePatients (and their machines) are evolvi...Ferdinando Scala
 
RIPE 69 & IETF 91 Webinar - DNS-Privacy, IPv6, DANE and DHCP(v6)
RIPE 69 & IETF 91 Webinar - DNS-Privacy, IPv6, DANE and DHCP(v6)RIPE 69 & IETF 91 Webinar - DNS-Privacy, IPv6, DANE and DHCP(v6)
RIPE 69 & IETF 91 Webinar - DNS-Privacy, IPv6, DANE and DHCP(v6)Men and Mice
 
Workflows in the Virtual Observatory
Workflows in the Virtual ObservatoryWorkflows in the Virtual Observatory
Workflows in the Virtual ObservatoryJose Enrique Ruiz
 
Aerogear Java User Group Presentation
Aerogear Java User Group PresentationAerogear Java User Group Presentation
Aerogear Java User Group Presentationhwilming
 
Hybert 1 Web Collab
Hybert 1 Web CollabHybert 1 Web Collab
Hybert 1 Web CollabCISPI, STC Chicago, CCASTD, Roosevelt University
 
CSM Business Process Presentation
CSM Business Process Presentation CSM Business Process Presentation
CSM Business Process Presentation cdadian
 
Squirro - Service Management
Squirro - Service ManagementSquirro - Service Management
Squirro - Service ManagementSquirro
 
Chemical Database Projects Delivered by RSC eScience
Chemical Database Projects Delivered by RSC eScienceChemical Database Projects Delivered by RSC eScience
Chemical Database Projects Delivered by RSC eScienceUS Environmental Protection Agency (EPA), Center for Computational Toxicology and Exposure
 
Just enough may_29_2012
Just enough may_29_2012Just enough may_29_2012
Just enough may_29_2012Peter Lijnse
 
2015 AADSM Presentation
2015 AADSM Presentation2015 AADSM Presentation
2015 AADSM PresentationTrish Braga, DDS, Diplomate ABDSM
 
Patricia braga 2015 AADSM Presentation-Building A Physician Referral Dental S...
Patricia braga 2015 AADSM Presentation-Building A Physician Referral Dental S...Patricia braga 2015 AADSM Presentation-Building A Physician Referral Dental S...
Patricia braga 2015 AADSM Presentation-Building A Physician Referral Dental S...Trish Braga, DDS, Diplomate ABDSM
 
CASE-3 Assisting Special Needs Children with the Power of Open Source!
CASE-3 Assisting Special Needs Children with the Power of Open Source!CASE-3 Assisting Special Needs Children with the Power of Open Source!
CASE-3 Assisting Special Needs Children with the Power of Open Source!Alfresco Software
 
The Future of Employee Research Report
The Future of Employee Research ReportThe Future of Employee Research Report
The Future of Employee Research ReportSilverman_Research
 
Metrics & more
Metrics & more Metrics & more
Metrics & more Stefan Thies
 
Reducing paper liabilities creating lean health care opportunities
Reducing paper liabilities creating lean health care opportunitiesReducing paper liabilities creating lean health care opportunities
Reducing paper liabilities creating lean health care opportunitiesCompliancy Group
 
Changing the context
Changing the contextChanging the context
Changing the contextHuib Schoots
 
Cyber Summit 2016: Technology, Education, and Democracy
Cyber Summit 2016: Technology, Education, and DemocracyCyber Summit 2016: Technology, Education, and Democracy
Cyber Summit 2016: Technology, Education, and DemocracyCybera Inc.
 
Cyber Summit 2016: Understanding Users' (In)Secure Behaviour
Cyber Summit 2016: Understanding Users' (In)Secure BehaviourCyber Summit 2016: Understanding Users' (In)Secure Behaviour
Cyber Summit 2016: Understanding Users' (In)Secure BehaviourCybera Inc.
 

Más contenido relacionado

Similar a Secure Electronic Health Records

Evolution of The Application
Evolution of The ApplicationEvolution of The Application
Evolution of The ApplicationDaniel Miessler
 
Bright talk if they cant use it, it doesnt work - final
Bright talk if they cant use it, it doesnt work - finalBright talk if they cant use it, it doesnt work - final
Bright talk if they cant use it, it doesnt work - finalAndrew White
 
From Crowdsourcing to Big Data: how ePatients (and their machines) are evolvi...
From Crowdsourcing to Big Data: how ePatients (and their machines) are evolvi...From Crowdsourcing to Big Data: how ePatients (and their machines) are evolvi...
From Crowdsourcing to Big Data: how ePatients (and their machines) are evolvi...Ferdinando Scala
 
RIPE 69 & IETF 91 Webinar - DNS-Privacy, IPv6, DANE and DHCP(v6)
RIPE 69 & IETF 91 Webinar - DNS-Privacy, IPv6, DANE and DHCP(v6)RIPE 69 & IETF 91 Webinar - DNS-Privacy, IPv6, DANE and DHCP(v6)
RIPE 69 & IETF 91 Webinar - DNS-Privacy, IPv6, DANE and DHCP(v6)Men and Mice
 
Workflows in the Virtual Observatory
Workflows in the Virtual ObservatoryWorkflows in the Virtual Observatory
Workflows in the Virtual ObservatoryJose Enrique Ruiz
 
Aerogear Java User Group Presentation
Aerogear Java User Group PresentationAerogear Java User Group Presentation
Aerogear Java User Group Presentationhwilming
 
CSM Business Process Presentation
CSM Business Process Presentation CSM Business Process Presentation
CSM Business Process Presentation cdadian
 
Squirro - Service Management
Squirro - Service ManagementSquirro - Service Management
Squirro - Service ManagementSquirro
 
Just enough may_29_2012
Just enough may_29_2012Just enough may_29_2012
Just enough may_29_2012Peter Lijnse
 
Patricia braga 2015 AADSM Presentation-Building A Physician Referral Dental S...
Patricia braga 2015 AADSM Presentation-Building A Physician Referral Dental S...Patricia braga 2015 AADSM Presentation-Building A Physician Referral Dental S...
Patricia braga 2015 AADSM Presentation-Building A Physician Referral Dental S...Trish Braga, DDS, Diplomate ABDSM
 
CASE-3 Assisting Special Needs Children with the Power of Open Source!
CASE-3 Assisting Special Needs Children with the Power of Open Source!CASE-3 Assisting Special Needs Children with the Power of Open Source!
CASE-3 Assisting Special Needs Children with the Power of Open Source!Alfresco Software
 
The Future of Employee Research Report
The Future of Employee Research ReportThe Future of Employee Research Report
The Future of Employee Research ReportSilverman_Research
 
Reducing paper liabilities creating lean health care opportunities
Reducing paper liabilities creating lean health care opportunitiesReducing paper liabilities creating lean health care opportunities
Reducing paper liabilities creating lean health care opportunitiesCompliancy Group
 
Changing the context
Changing the contextChanging the context
Changing the contextHuib Schoots
 

Similar a Secure Electronic Health Records (20)

The future of scientific information & communication
The future of scientific information & communicationThe future of scientific information & communication
The future of scientific information & communication
 
Workflow Preservation
Workflow PreservationWorkflow Preservation
Workflow Preservation
 
Evolution of The Application
Evolution of The ApplicationEvolution of The Application
Evolution of The Application
 
Bright talk if they cant use it, it doesnt work - final
Bright talk if they cant use it, it doesnt work - finalBright talk if they cant use it, it doesnt work - final
Bright talk if they cant use it, it doesnt work - final
 
From Crowdsourcing to Big Data: how ePatients (and their machines) are evolvi...
From Crowdsourcing to Big Data: how ePatients (and their machines) are evolvi...From Crowdsourcing to Big Data: how ePatients (and their machines) are evolvi...
From Crowdsourcing to Big Data: how ePatients (and their machines) are evolvi...
 
RIPE 69 & IETF 91 Webinar - DNS-Privacy, IPv6, DANE and DHCP(v6)
RIPE 69 & IETF 91 Webinar - DNS-Privacy, IPv6, DANE and DHCP(v6)RIPE 69 & IETF 91 Webinar - DNS-Privacy, IPv6, DANE and DHCP(v6)
RIPE 69 & IETF 91 Webinar - DNS-Privacy, IPv6, DANE and DHCP(v6)
 
Workflows in the Virtual Observatory
Workflows in the Virtual ObservatoryWorkflows in the Virtual Observatory
Workflows in the Virtual Observatory
 
Aerogear Java User Group Presentation
Aerogear Java User Group PresentationAerogear Java User Group Presentation
Aerogear Java User Group Presentation
 
Hybert 1 Web Collab
Hybert 1 Web CollabHybert 1 Web Collab
Hybert 1 Web Collab
 
CSM Business Process Presentation
CSM Business Process Presentation CSM Business Process Presentation
CSM Business Process Presentation
 
Squirro - Service Management
Squirro - Service ManagementSquirro - Service Management
Squirro - Service Management
 
Chemical Database Projects Delivered by RSC eScience
Chemical Database Projects Delivered by RSC eScienceChemical Database Projects Delivered by RSC eScience
Chemical Database Projects Delivered by RSC eScience
 
Just enough may_29_2012
Just enough may_29_2012Just enough may_29_2012
Just enough may_29_2012
 
2015 AADSM Presentation
2015 AADSM Presentation2015 AADSM Presentation
2015 AADSM Presentation
 
Patricia braga 2015 AADSM Presentation-Building A Physician Referral Dental S...
Patricia braga 2015 AADSM Presentation-Building A Physician Referral Dental S...Patricia braga 2015 AADSM Presentation-Building A Physician Referral Dental S...
Patricia braga 2015 AADSM Presentation-Building A Physician Referral Dental S...
 
CASE-3 Assisting Special Needs Children with the Power of Open Source!
CASE-3 Assisting Special Needs Children with the Power of Open Source!CASE-3 Assisting Special Needs Children with the Power of Open Source!
CASE-3 Assisting Special Needs Children with the Power of Open Source!
 
The Future of Employee Research Report
The Future of Employee Research ReportThe Future of Employee Research Report
The Future of Employee Research Report
 
Metrics & more
Metrics & more Metrics & more
Metrics & more
 
Reducing paper liabilities creating lean health care opportunities
Reducing paper liabilities creating lean health care opportunitiesReducing paper liabilities creating lean health care opportunities
Reducing paper liabilities creating lean health care opportunities
 
Changing the context
Changing the contextChanging the context
Changing the context
 

Más de Cybera Inc.

Cyber Summit 2016: Technology, Education, and Democracy
Cyber Summit 2016: Technology, Education, and DemocracyCyber Summit 2016: Technology, Education, and Democracy
Cyber Summit 2016: Technology, Education, and DemocracyCybera Inc.
 
Cyber Summit 2016: Understanding Users' (In)Secure Behaviour
Cyber Summit 2016: Understanding Users' (In)Secure BehaviourCyber Summit 2016: Understanding Users' (In)Secure Behaviour
Cyber Summit 2016: Understanding Users' (In)Secure BehaviourCybera Inc.
 
Cyber Summit 2016: Insider Threat Indicators: Human Behaviour
Cyber Summit 2016: Insider Threat Indicators: Human BehaviourCyber Summit 2016: Insider Threat Indicators: Human Behaviour
Cyber Summit 2016: Insider Threat Indicators: Human BehaviourCybera Inc.
 
Cyber Summit 2016: Research Data and the Canadian Innovation Challenge
Cyber Summit 2016: Research Data and the Canadian Innovation ChallengeCyber Summit 2016: Research Data and the Canadian Innovation Challenge
Cyber Summit 2016: Research Data and the Canadian Innovation ChallengeCybera Inc.
 
Cyber Summit 2016: Knowing More and Understanding Less in the Age of Big Data
Cyber Summit 2016: Knowing More and Understanding Less in the Age of Big DataCyber Summit 2016: Knowing More and Understanding Less in the Age of Big Data
Cyber Summit 2016: Knowing More and Understanding Less in the Age of Big DataCybera Inc.
 
Cyber Summit 2016: Privacy Issues in Big Data Sharing and Reuse
Cyber Summit 2016: Privacy Issues in Big Data Sharing and ReuseCyber Summit 2016: Privacy Issues in Big Data Sharing and Reuse
Cyber Summit 2016: Privacy Issues in Big Data Sharing and ReuseCybera Inc.
 
Cyber Summit 2016: Establishing an Ethics Framework for Predictive Analytics ...
Cyber Summit 2016: Establishing an Ethics Framework for Predictive Analytics ...Cyber Summit 2016: Establishing an Ethics Framework for Predictive Analytics ...
Cyber Summit 2016: Establishing an Ethics Framework for Predictive Analytics ...Cybera Inc.
 
Cyber Summit 2016: The Data Tsunami vs The Network: How More Data Changes Eve...
Cyber Summit 2016: The Data Tsunami vs The Network: How More Data Changes Eve...Cyber Summit 2016: The Data Tsunami vs The Network: How More Data Changes Eve...
Cyber Summit 2016: The Data Tsunami vs The Network: How More Data Changes Eve...Cybera Inc.
 
Cyber Summit 2016: Issues and Challenges Facing Municipalities In Securing Data
Cyber Summit 2016: Issues and Challenges Facing Municipalities In Securing DataCyber Summit 2016: Issues and Challenges Facing Municipalities In Securing Data
Cyber Summit 2016: Issues and Challenges Facing Municipalities In Securing DataCybera Inc.
 
Cyber Summit 2016: Using Law Responsibly: What Happens When Law Meets Technol...
Cyber Summit 2016: Using Law Responsibly: What Happens When Law Meets Technol...Cyber Summit 2016: Using Law Responsibly: What Happens When Law Meets Technol...
Cyber Summit 2016: Using Law Responsibly: What Happens When Law Meets Technol...Cybera Inc.
 
Privacy, Security & Access to Data
Privacy, Security & Access to DataPrivacy, Security & Access to Data
Privacy, Security & Access to DataCybera Inc.
 
Do Universities Dream of Big Data
Do Universities Dream of Big DataDo Universities Dream of Big Data
Do Universities Dream of Big DataCybera Inc.
 
Predicting the Future With Microsoft Bing
Predicting the Future With Microsoft BingPredicting the Future With Microsoft Bing
Predicting the Future With Microsoft BingCybera Inc.
 
Analytics 101: How to not fail at analytics
Analytics 101: How to not fail at analyticsAnalytics 101: How to not fail at analytics
Analytics 101: How to not fail at analyticsCybera Inc.
 
Are MOOC's past their peak?
Are MOOC's past their peak?Are MOOC's past their peak?
Are MOOC's past their peak?Cybera Inc.
 
Opening the doors of the laboratory
Opening the doors of the laboratoryOpening the doors of the laboratory
Opening the doors of the laboratoryCybera Inc.
 
Open City - Edmonton
Open City - EdmontonOpen City - Edmonton
Open City - EdmontonCybera Inc.
 
Unlocking the power of healthcare data
Unlocking the power of healthcare dataUnlocking the power of healthcare data
Unlocking the power of healthcare dataCybera Inc.
 
Checking in on Healthcare Data Analytics
Checking in on Healthcare Data AnalyticsChecking in on Healthcare Data Analytics
Checking in on Healthcare Data AnalyticsCybera Inc.
 
Open access and open data: international trends and strategic context
Open access and open data: international trends and strategic contextOpen access and open data: international trends and strategic context
Open access and open data: international trends and strategic contextCybera Inc.
 

Más de Cybera Inc. (20)

Cyber Summit 2016: Technology, Education, and Democracy
Cyber Summit 2016: Technology, Education, and DemocracyCyber Summit 2016: Technology, Education, and Democracy
Cyber Summit 2016: Technology, Education, and Democracy
 
Cyber Summit 2016: Understanding Users' (In)Secure Behaviour
Cyber Summit 2016: Understanding Users' (In)Secure BehaviourCyber Summit 2016: Understanding Users' (In)Secure Behaviour
Cyber Summit 2016: Understanding Users' (In)Secure Behaviour
 
Cyber Summit 2016: Insider Threat Indicators: Human Behaviour
Cyber Summit 2016: Insider Threat Indicators: Human BehaviourCyber Summit 2016: Insider Threat Indicators: Human Behaviour
Cyber Summit 2016: Insider Threat Indicators: Human Behaviour
 
Cyber Summit 2016: Research Data and the Canadian Innovation Challenge
Cyber Summit 2016: Research Data and the Canadian Innovation ChallengeCyber Summit 2016: Research Data and the Canadian Innovation Challenge
Cyber Summit 2016: Research Data and the Canadian Innovation Challenge
 
Cyber Summit 2016: Knowing More and Understanding Less in the Age of Big Data
Cyber Summit 2016: Knowing More and Understanding Less in the Age of Big DataCyber Summit 2016: Knowing More and Understanding Less in the Age of Big Data
Cyber Summit 2016: Knowing More and Understanding Less in the Age of Big Data
 
Cyber Summit 2016: Privacy Issues in Big Data Sharing and Reuse
Cyber Summit 2016: Privacy Issues in Big Data Sharing and ReuseCyber Summit 2016: Privacy Issues in Big Data Sharing and Reuse
Cyber Summit 2016: Privacy Issues in Big Data Sharing and Reuse
 
Cyber Summit 2016: Establishing an Ethics Framework for Predictive Analytics ...
Cyber Summit 2016: Establishing an Ethics Framework for Predictive Analytics ...Cyber Summit 2016: Establishing an Ethics Framework for Predictive Analytics ...
Cyber Summit 2016: Establishing an Ethics Framework for Predictive Analytics ...
 
Cyber Summit 2016: The Data Tsunami vs The Network: How More Data Changes Eve...
Cyber Summit 2016: The Data Tsunami vs The Network: How More Data Changes Eve...Cyber Summit 2016: The Data Tsunami vs The Network: How More Data Changes Eve...
Cyber Summit 2016: The Data Tsunami vs The Network: How More Data Changes Eve...
 
Cyber Summit 2016: Issues and Challenges Facing Municipalities In Securing Data
Cyber Summit 2016: Issues and Challenges Facing Municipalities In Securing DataCyber Summit 2016: Issues and Challenges Facing Municipalities In Securing Data
Cyber Summit 2016: Issues and Challenges Facing Municipalities In Securing Data
 
Cyber Summit 2016: Using Law Responsibly: What Happens When Law Meets Technol...
Cyber Summit 2016: Using Law Responsibly: What Happens When Law Meets Technol...Cyber Summit 2016: Using Law Responsibly: What Happens When Law Meets Technol...
Cyber Summit 2016: Using Law Responsibly: What Happens When Law Meets Technol...
 
Privacy, Security & Access to Data
Privacy, Security & Access to DataPrivacy, Security & Access to Data
Privacy, Security & Access to Data
 
Do Universities Dream of Big Data
Do Universities Dream of Big DataDo Universities Dream of Big Data
Do Universities Dream of Big Data
 
Predicting the Future With Microsoft Bing
Predicting the Future With Microsoft BingPredicting the Future With Microsoft Bing
Predicting the Future With Microsoft Bing
 
Analytics 101: How to not fail at analytics
Analytics 101: How to not fail at analyticsAnalytics 101: How to not fail at analytics
Analytics 101: How to not fail at analytics
 
Are MOOC's past their peak?
Are MOOC's past their peak?Are MOOC's past their peak?
Are MOOC's past their peak?
 
Opening the doors of the laboratory
Opening the doors of the laboratoryOpening the doors of the laboratory
Opening the doors of the laboratory
 
Open City - Edmonton
Open City - EdmontonOpen City - Edmonton
Open City - Edmonton
 
Unlocking the power of healthcare data
Unlocking the power of healthcare dataUnlocking the power of healthcare data
Unlocking the power of healthcare data
 
Checking in on Healthcare Data Analytics
Checking in on Healthcare Data AnalyticsChecking in on Healthcare Data Analytics
Checking in on Healthcare Data Analytics
 
Open access and open data: international trends and strategic context
Open access and open data: international trends and strategic contextOpen access and open data: international trends and strategic context
Open access and open data: international trends and strategic context
 

Último

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 

Último (20)

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 

Secure Electronic Health Records

  • 1. A!Digital!Rights!Management!Approach! to!Securing El t i Health Records t S i Electronic H lth R d Rei!Safavi"Naini iCORE Chair!in!Information!Security Department!of!Computer!Science,!U!of!Calgary iCORE Information Security Lab
  • 2. Electronic!Health!Record!(EHR) Electronic Health Record (EHR) • A!collection!of!electronic!health! data! • In!digital!format!! easy!to!share! across!!network"connected! information!systems! • May!include,! • Demographics!(race,!disabilities..)! • medical history medical!history,! • medication!and!allergies,! immunization!status, • laboratory!test!results,!radiology! images, • billing!information… R. Safavi-Naini-Summit ‘09- Oct 14, 2009
  • 4. Existing!access!to!Health!Data Existing access to Health Data " Data!stored!in!island!databases " Security:! " Mainly!communication!security " Encrypted links Encrypted!links • EHR!is!the!centerpiece!of!an! " No,!or!little!control!on!access integrated!solution!to!effective! and!secure!management!of! " After!logging!to!the!system!all!data! can!be!accessed health!information. " All!doctors!and!nurses!can!access!all! data " Records!can!be!copied,!printed!etc " Other issues Other!issues " Multiple!copies!of!data " Inefficiency,!hard!to!access… R. Safavi-Naini-Summit ‘09- Oct 14, 2009
  • 5. Security!is!an!integral!part!of!EHR Security is an integral part of EHR • Paper!data!and!data!stores!are! inherently!more!secure inherently more secure • Limited!number • Hard!to!!duplicate..!imperfect!copies • Changes!are!detectable • Hard!to!access • Electronic!data, • Many!copies!instantly • Easy!to!make!copies • Changes!undetectable • Can!be!accessed!from!any!points… – Intranet • private!confidential!data!among! employee – Extranet for outsourced resources Extranet!for!outsourced!resources – Web!Portal • Security!is!a!major!challenge!
  • 6. A!new!approach:! Using!Digital Rights Management l h " Digital!rights!management: " information!is!distributed!in!a! protected!form " information!can!only!be! accessed!using!a!license " License!contains!terms!and! conditions!in!a!machine" readable!form readable form " usable!only!by!trusted!DRM! agents " compliant!DRM!agents will! refuse!to!perform!any!action! unless!it!is!permitted!by!the! Components!of!a!DRM!System licence. R. Safavi-Naini-Summit ‘09- Oct 14, 2009
  • 7. Digital!Rights!Management!for! Healthcare lh In!Healthcare: In Healthcare: Organizational! Organizational Policies R. Safavi-Naini-Summit ‘09- Oct 14, 2009
  • 8. Digital!Rights!Management!for! Healthcare lh In!Healthcare: In Healthcare: • Consent directives can be Consent!directives!can!be! expressed!in!terms!of! attributes. – adapted from the eXtensible adapted!from!the!eXtensible! Access!Control!Markup! Language!(XACML) Organizational! Organizational Policies
  • 9. Digital!Rights!Management!for! Healthcare lh In!Healthcare: In Healthcare: A!license A license Organizational! Organizational Policies R. Safavi-Naini-Summit ‘09- Oct 14, 2009
  • 10. A!healthcare!facility A healthcare facility R. Safavi-Naini-Summit ‘09- Oct 14, 2009
  • 11. A!healthcare!facility A healthcare facility ‘Interpreting’!policies Interpreting policies • consent!directive!+!site! authorization!policies!! subjects,!actions,!etc.! subjects actions etc • We!use!workflows!to!describe! the!activity!within!a!facility – workflows!imply!licenses!to! perform!specific!actions R. Safavi-Naini-Summit ‘09- Oct 14, 2009
  • 12. A!healthcare!facility A healthcare facility Workflows • A!sequence!of!tasks!to!be! carried!out!in!the!specified!order • Authorization!templates!for! each!task • Each!workflow!realizes!a!specific! Each workflow realizes a specific purpose of data processing – “Treatment!Workflow”! “Treatment!Purpose” Stop Check Diagnose Check Examine OR Second Opinion Start
  • 13. A!healthcare!facility A healthcare facility • A!session!starts!when!a!workflow!is!initiated • DRM!agents!can!join and!leave a!session! – Only!if!their!currently!logged"in!user!has! l f h l l d h the!privileges!to!run!the!workflow!of!the! session • Licenses are!issued!for!sessions – Any!agent!that!joins!the!session!can!benefit! from!the!license # A!user!can!continue!a!session!with!a! different!agent!if!that!agent!joins!the!session – E.g.!continue!execution!of!the!workflow!on! a!mobile!device Credentials XACML and Roles Req./Resp. Req /Resp Idtity M Id i Mgmt. CDMS License Issuer Wrkflw Mgmt. Mgmt Authorization Org. Polcy O P l Template R. Safavi-Naini-Summit ‘09- Oct 14, 2009 License
  • 14. Digital!Rights!Management!for! Healthcare lh Approach Advantages • Data!stored!in!encrypted!form • Wholistic approach!to!security!and! – Protection!against!loss!of!disks,!laptops! privacy bypassing!security – Access according to stated policies • Security!for!the!lifetime!of!data • Policies – Data!always!remain!encrypted! – Privacy!policies • in!a!locked!box • Consent!forms!"users – Access!always!through!trusted!agents – S Security!policies it li i • certain!type!in!a!given!context! • Authorization!" organizational • Expressive!languages!to!state! • Policies!are!written!in!machine! requirements readable!form. – Fine"grain!access!control Fine"grain access control • Enforcement! • Security!and!privacy!both – Reference!monitors!to!interpret!policies – Enforcing!privacy!policies • Patients’!consent!directives R. Safavi-Naini-Summit ‘09- Oct 14, 2009
  • 15. Fine grained!control Fine"grained control • Policy!statements!are!of!the! Policy statements are of the • Alice cannot Alice!cannot, form, – print!!the!record – email!it!to!anyone “role nurse!can read blood!data!for – copy!it! copy it the th purpose of surgery!preparation!! f ti location terminal!x12!!in!room#101” – .. – Access!Britney’s!record – !"#$% as!a!‘nurse’ ! role – Can!!‘read’ Bob’s!test!results!! action ‘purpose’!surgery!prep! purpose! of!access – On!a!‘terminal!x12!in!room!#112’ ! context R. Safavi-Naini-Summit ‘09- Oct 14, 2009
  • 16. Technology!Demonstrator:! Re-purposing patient data Aim: Use!patients’!data!from!Foothills U ti t ’ d t f F thill • Security!requirements Security requirements Hospital!for!research!purposes – Patients’!private!data – Patients’!consent!directives – Controlling!access!based!on • Multiple!research!projects,!! • Need!to!know Need to know – Teams,!members!with!different!roles – Provide!remote!access! • New!teams!formed,!old!teams! – Link!with!other!health!data! removed • Identify!patients!potential!candidates! for!each!research!study – Management!and!tracking!of!their! records • First!stage!:!HiiTech Hepatology Knowledge!base • In!future:!!other!areas!of!medicine R. Safavi-Naini-Summit ‘09- Oct 14, 2009
  • 17. Current!System C S • Patients’!records!are!stored!in!a!MS!SQL!database Q • MS!SharePoint!portal!is!used!to!access!and!manage!the!data • Data!can!be!downloaded!by!users!in!the!form!of!MS!InfoPath! forms • S Security: everyone can see all data! it ll d t ! Web S raw data SharePoint health health Data Browser Server Services record d record Identity Id i Management log-in Server credentials
  • 18. The!New!Architecture! metadata Rights license IRM Management Protectors Server metadata protected + data raw data consent Browser protected Consent protected record records SharePoint DRM Web Server Services Agent Data raw data groups Identity Id tit credentials Management Server
  • 19. Scaling!up!to!federated!systems Scaling up to federated systems • Data"level!Federation Organization B – Using!a!federated!database! • integrating!the!databases!in!two! Consent organizations Application – Secure!link!for!data!transfer Data • Complete!mutual!trust!between! organization! – to!enforce!consent!directives!(and! ( perhaps!other!local!policies) Organization A • Easy!to!implement! – Use existing support for database Use!existing!support!for!database! Consent federation!in!database!engines Application • Does!not!support!cross" organizational!research!studies!as! Data applications!are!not!connected applications are not connected R. Safavi-Naini-Summit ‘09- Oct 14, 2009
  • 20. Scaling!up!to!federated!systems Scaling up to federated systems • Business"Level!Federation • Requirements – federation at application level federation!at!application"level – federation!of!identity!management federation of identity management – extending!the!application!to!enable! • standard!solutions!(e.g.!SAML,!Active! forming!cross"organizational!research! Directory) studies – rights!management!federation • Design!alternatives! • Implementation!is!much!more!difficult! Implementation is much more difficult – DRM!trusted!domains:!issuing!a!license!for!a! DRM trusted domains: issuing a license for a main!server!allowing!it!to!issue!local!licenses! – MS!IRM!service!federation,!or!a!custom! in!its!domain – Issuing!a!cross!organizational!license!directly! solution to!the!user!in!the!other!organization Organization A Organization B Rights Mgmnt Rights Mgmnt Server Server Consent Consent SharePoint SharePoint Services Services Data Data Identity Mgmnt Identity Mgmnt Server Server R. Safavi-Naini-Summit ‘09- Oct 14, 2009
  • 21. Future!direction: Taking!the!project!to!the!`Cloud’ k h h ` l d’ " Scalable!design " Patient!data!stored!in!`cloud’ " Provincial,!National,..!Global!Access " Access according to stated policies Access!according!to!stated!policies " Whose!policy? " Trust!relationships • Universality!of!the!approach " Consent!directives S a app oac ca be used o Similar!approach!can!be!used!for! other!types!of!data " Efficient!enforcement? – The!technology!can!be!used!for! protection!of!any!document " Data!security:!Whose!responsibility? " Encrypted!content R. Safavi-Naini-Summit ‘09- Oct 14, 2009
  • 22. Project!details Project details Participants Publications • iCIS!Lab • N.!P.!Sheppard,!R.!Safavi"Naini,!M.! Jafari,! – Mohammad!Jafari,!Nicholas! A!Digital!Rights!Management! g g g Sheppard,!Michal!Sramka Sh d Mi h l S k Model!for!Healthcare,!Proceedings! • HiiTeC of!the!IEEE!POLICY’09,!London,!UK. – Chad!Saunders,!Hytham! • N.!P.!Sheppard,!R.!Safavi Naini,!M.! N P Sheppard R Safavi"Naini M Khalil,!Simon!Liu Jafari, • Cybera A!Secure!Electronic!Healthcare! Record!Infrastructure!in!the!Digital! – Patrick!Mann,!Jill!Kowalchuk Rights!Management!Model,! Rights Management Model Technical!Report!2009"939"18,! Department!of!Computer!Science,! • Other!supports:!MITACS,! University!of!Calgary,!2009.! iCORE R. Safavi-Naini-Summit ‘09- Oct 14, 2009