4 Security and Safety of Telemedical Systems

4 Security and Safety of Telemedical Systems

Paweâ Sâowikowski

, Krzysztof Zieliľski

1

Department of Computer Science, AGH University of Science and Technology, Krakow, Poland

Agencies and standards bodies within governments of several nations have developed evaluation criteria for computing technology security. In the United States, the relevant document has the designation “Trusted Computer System Security Evaluation Criteria,” or TCSEC. The European Commission has published the Information Technology Security Evaluation Criteria, also known as ITSEC, and the Canadian government has published the Canadian Trusted Computer Product Evaluation Criteria, or CTCPEC. In 1996, these initiatives were officially combined into a document known as the Common Criteria [8].

In 1999 this document was approved as a standard [28], [27], [1] by the International Organization for Standardization. This initiative paves the way to worldwide mutual recognition of product evaluation results.

The need of the healthcare industry to reliably and confidentially exchange patient healthcare information in support of the portability of healthcare insurance and patients between employees, insurance companies and healthcare providers has resulted in creating a document called “The Health Insurance Portability and Accountability Act of 1996“ (HIPAA)[17]. To support the confidential maintenance and exchange of electronic healthcare information, the Department of Health and Human Services in the US has developed regulations that support and enforce HIPAA privacy and security. These regulations prescribe care in handling paper records, as well as care in handling electronic records for protected health information. Protected information that is stored in distributed e-medical information systems is potentially subject to inappropriate access or modification, also known as an attack.

A similar security architecture, but with a wider scope, has been developed as

part of the government’s commitment to developing a corporate IT strategy. It

has been prepared, for instance, by the UK Government [24]. This security architecture specifies framework policy, guidelines and implementation experience for UKonline services and market developments. This document is aimed at bodies engaged in procuring and providing e-Government services, including central government departments, non-departmental public sector bodies, local authorities and other local government bodies charged with the provision of e-Government services. It also encompasses regulatory bodies responsible for proper auditing and control of public assets and information.

Other security architectures can be found, for example, in [3], [25].

This chapter shows how to secure an e-medical system using widely-available digital security technology and mechanisms.

1 E-medical Secure Environment Requirements

HIPPA security mandates the following security rule: “Ensure the confidentiality, integrity, and availability of all electronic protected health information (PHI) the covered entity creates, receives, maintains or transmits.”

The security system assumes reasonably anticipated threats or hazards and reasonably anticipated (unauthorized) uses or disclosures. Its general objectives are to:

x guarantee health insurance coverage of employees, x reduce healthcare fraud and abuse,

x introduce/implement administrative simplifications in order to augment effectiveness and efficiency of the healthcare system in the United States,

x protect the health information of individuals against access without consent or authorization.

HIPAA presents a threefold challenge to device and software vendors:

1. incorporating necessary security technology into products to protect the privacy of the protected health information generated, managed and exchanged by the products at customer sites,

2. reevaluating and enhancing their own internal policies and training to ensure secure and confidential handling of protected health information exposed during testing, field services, product evaluation and research, 3. supporting their customers in the creation of HIPAA-compliant

workflows that incorporate their products, while at the same time

ensuring that those resulting product-enabled workflows do not impede

clinical communications or negatively affect patient care.

Device and software vendors are typically not directly responsible for the organizational policies and procedures of their customers. However, their own policies and procedures must protect the confidentiality of information and their products can be developed to make it easier to comply with HIPAA.

Specifically, HIPAA precisely specifies certain critical security policies and technologies, including:

x unique IDs for authorized users, x automatic logoff,

x audit trails for access to specific types of protected information, x encryption (optional),

x digital signatures (optional), x virus checking procedures, x backup/restore plans, x disaster recovery plans, x compliance auditing, x testing programs,

x training programs.

It is necessary to note that security solutions require more than just a few pieces of technology. To be effective, technical security solutions must be complemented by training, physical security, appropriate best practices-derived security policies and proper configuration of operating systems and applications.

Physical security can range from simple locks on doors to high-tech biometric authentication scanners, to trusted human guards. The challenge is determining what level of physical security is necessary given the sensitivity of the information, the robustness of technical security, the accessibility of the computing environment and the trustworthiness of human staff.

Networks: Information being exchanged between distributed healthcare systems is exposed to potential discovery through various types of eavesdropping. Physical security of the networking components and communications media may be sufficient in small environments. In larger environments and whenever protected health information is to be exchanged across a public network, the privacy of that information must be maintained through cryptographic and security technology.

Computer Operating Systems: Most modern computer operating systems

provide sufficient security for protecting medical records. However, that

security needs to be properly configured based on best-practices security

policies. Configuration must include deleting unused and unnecessary user

accounts, as well as ensuring that all passwords meet modern security

requirements. A properly secure operating system must include both proper configuration to remove security holes and proper policies to ensure the users themselves don’t open new security holes.

Application Software: As with operating systems, most modern applications have the potential to be configured for secure use. However, as with operating systems, most applications are configured by default to have very weak or nonexistent security (e.g. DBMS systems with well-known default username/password pairs). Each application must be configured for secure use.

Data: Many types of information can be read by multiple applications (e.g.

image files). Relying solely on application-based security to protect the privacy of information will fail if unauthorized users can simply turn to a different less- protective application to read the information. Access control must be applied at the most fundamental level (files, database, etc.) in which the information is stored. In addition, in the case of information stored in databases, security must be applied at a minimum at the level of individual records. In some cases, database information may also need to be protected through some form of access control on the individual fields within records.

2 System Architecture Modeling for Security

Common Criteria [8], [9], [10] provide a taxonomy for evaluating security functionality through a set of functional and assurance requirements. The Criteria include 11 functional classes of requirements: security audit, communication, cryptographic support, user data protection, identification and authentication, management of security functions, privacy, protection of security functions, resource utilization, component access, and trusted path or channel [14], [20], [25]. These 11 functional classes are further divided into 66 families, each containing a number of component criteria. There are approximately 130 component criteria currently documented, with the recognition that designers may add additional component criteria to a specific design. There is a formal process for adopting component criteria through the Common Criteria administrative body.

Governments and industry groups develop functional descriptions for security

hardware and software using the Common Criteria. These documents [29],

known as protection profiles, describe groupings of security functions that are

appropriate for a given security component or technology. The underlying

motivations for developing protection profiles include incentives for vendors to

deliver standard functionality within security products and reduce risk in

information technology procurement.

The classes and families within the Common Criteria represent an aggregation of requirements [7]. The aggregation is more reflective of abstract security themes, such as cryptographic operations and data protection, rather than security in the context of IT operational function. A summary mapping of CC classes to functional categories is provided in Table 4-1.

Table 4-1 Relations between Common Criteria classes and functional categories [8]

Functional Category

Common Criteria Functional Class

Audit Audit, component protection, resource utilization

Access control Data protection, component protection, security management, component access, cryptographic support, identification and authentication, communication, trusted path/channel

Flow control Communication, cryptographic support, data protection, component protection, trusted path/channel, privacy Identity/credentials Communication, cryptographic support, data protection,

component protection, trusted path/channel, privacy Identity/credentials Cryptographic support, data protection, component

protection, identification and authentication, component access, security management, trusted path/channel

Solution integrity Cryptographic support, data protection, component protection, resource utilization, security management

This structure supports the assertion that the five categories described in Table 4-1 represent a set of interrelated processes, or subsystems.

Security audit subsystem: A security audit subsystem is responsible for capturing, analyzing, reporting, archiving and retrieving records of events and conditions within a computing solution. From Common Criteria, security requirements for an audit subsystem would include:

x collection of security audit data, including capture of the appropriate data, trusted transfer of audit data, and synchronization of chronologies, x protection of security audit data, including use of time stamps, signing

events, and storage integrity to prevent loss of data,

x analysis of security audit data, including review, anomaly detection,

violation analysis, and attack analysis using simple heuristics or complex

heuristics,

x alarms for loss thresholds, warning conditions, and critical events.

Solution integrity subsystem: The purpose of the solution integrity subsystem in an IT solution is to address the requirement for reliable and correct operation of a computing solution in support of meeting the legal [6] and technical standard for its processes. From Common Criteria, the focus of a solution integrity subsystem could include:

x integrity and reliability of resources,

x physical protections for data objects, such as cryptographic keys, and physical components, such as cabling, hardware, etc.,

x continued operations including fault tolerance, failure recovery, and self- testing,

x storage mechanisms; cryptography and hardware security modules, x accurate time source for time measurement and time stamps, x prioritization of service via resource allocation or quotas,

x functional isolation using domain separation or a reference monitor, x alarms and actions when a physical or passive attack is detected.

Access control subsystem: The purpose of an access control subsystem in an IT solution is to enforce security policies by gating access to, and execution of, processes and services within a computing solution via identification, authentication, and authorization processes, along with security mechanisms that use credentials and attributes. From Common Criteria, the functional requirements for an access control subsystem should include:

x access control enablement,

x access control monitoring and enforcement,

x identification and authentication mechanisms, including verification of secrets, cryptography (encryption and signing), and single- vs. multiple- use authentication mechanisms,

x authorization mechanisms, to include attributes, privileges, and permissions,

x access control mechanisms, to include attribute-based access control on subjects and objects and user-subject binding,

x enforcement mechanisms, including failure handling, bypass prevention, banners, timing and timeout, event capture, and decision and logging components.

Information flow control subsystem: The purpose of an information flow

control subsystem in an IT solution is to enforce security policies [23] by gating

the flow of information within a computing solution, affecting the visibility of

information within a computing solution, and ensuring the integrity of

information flowing within a computing solution. From Common Criteria, an information flow control subsystem may include the following functional requirements:

x flow permission or prevention, x flow monitoring and enforcement,

x transfer services and environments: open or trusted channel, open or trusted path, media conversions, manual transfer, import to or export between domains,

x mechanisms observability: to block cryptography (encryption), x storage mechanisms: cryptography and hardware security modules, x enforcement mechanisms: asset and attribute binding, event capture,

decision and logging components, stored data monitoring, rollback, residual information protection and destruction.

Identity or credential subsystem: The purpose of a credential subsystem in an IT solution is to generate, distribute, and manage the data objects that convey identity [6] and permissions across networks and among the platforms, the processes, and the security subsystems within a computing solution. From Common Criteria, a credential subsystem may include the following functional requirements:

x single-use vs. multiple-use mechanisms, either cryptographic or noncryptographic,

x generation and verification of secrets,

x identities and credentials to be used to protect security flows or business process flows,

x identities and credentials to be used in protection of assets: integrity or nonobservability,

x identities and credentials to be used in access control: identification, authentication, and access control for the purpose of user-subject binding,

x credentials to be used for purposes of identity in legally binding transactions,

x timing and duration of identification and authentication, x life cycle of credentials,

x anonymity and pseudonymity mechanisms.

The security design objectives and the solution environment have a central role

in the selection and enumeration of subsystems. Table 4-2 shows a possible

mapping of the sample design objectives to security subsystems. It indicates

where a subsystem may be required (R) or supplementary (S) in satisfying an

individual security requirement. Actual subsystem selection requires documented rationale.

Table 4-2 Mapping design objectives to security subsystems [8]

Security Design Objectives Audit Integrity Access Control

Flow Control

Credential Identity Control access to

systems/processes

S S R S S

Control access to information S S S R R

Control the flow of information

S S S R S Correct and reliable

component operation

S R S S S

Prevent/mitigate attacks R R R R S

Accountability through trusted identity

R R S S R

Prevent/mitigate fraud R R R R R

3 Techniques for Making E-medical Systems Secure

The techniques for making e-medical systems secure [15], [22], [21], [2], [19],

particularly as relates to subsystems, are depicted in Figure 4-1 and will be

elaborated in more detail below. They address three major areas: Application

and Data, System Infrastructure, and Networks.

Application and Data Security

Cryptographics Services Network

System security

Operating systems Biometric

Hardware Perimeter

Security protocols Anti-virus Applications

Data

Business-driven Integrated Solutions

Services Performance Availability Configuration Operations Authentication

Authorization Access Control Callable Security

Firewalls Encryption Virtual Private Networks

Figure 4-1 Range of various security-related technology applications.

Basic cryptography: The computer security services that are required to protect electronic information are based on technology called cryptography. Most of the security techniques are built upon either “secret key encryption” or

“public key encryption” cryptography. Encryption can be implemented using either a single key to scramble and unscramble the text (symmetric or secret key encryption) or a pair of keys; one to scramble and a different key to unscramble the text (public key encryption) [11]. Each underlying technology requires a different set of supporting concepts and mechanisms.

Many security mechanisms are based on the consequences of digitally “signing”

protected information using either secret key encryption or public key encryption. When a piece of information is “signed” using public key encryption, the signer uses their private half of the public/private key pair to encrypt the information. If anyone wishes to test that signed information (e.g. to validate the source of the information or integrity of the information), they use the public half of the key pair to decrypt the message. Digital Certificates are encrypted documents generated by a Certificate Authority, which confirms the identity of the owner of a public/private key pair.

Authentication of users: Authentication is the process of verifying the identity

of a potential user of a system. Most authentication mechanisms are based on

some combination of one or more “shared secrets” (e.g. password), security

devices (e.g. access card) and/or physical characteristic (e.g. fingerprint). A

common combination (sometimes called “two-factor authentication”) is

authentication based on something you have (e.g. your ATM card) and

something you know (e.g. the ATM account PIN). At its simplest, authentication

is performed through the verification of an access code or a

username/password pair entered by the user at the time they wish access to the system. More sophisticated authentication mechanisms include the use of

“smart cards” to store encrypted credentials and even biometric analysis of fingerprints, face scans or retina scans. Authentication on its own does not mean access to any information or services specific to the system; it only verifies, with some level of certainty, that you are who you claim to be.

Authorized access to protected information: Access control is sometimes also called authorization, particularly when referring to the process of determining whether a user is authorized to have access to a system or application. Access to a specific piece of information can only be granted to a properly authenticated, authorized user with appropriate levels of access (e.g. a physician may have complete access to their own patient’s information, yet only have access to de- identified or statistical information about another physician’s patients).

Accountability of changes to protected information: Users of protected health information are accountable for all access, modifications and distribution of that information. Any unauthorized access to protected health information should be reported. Audit logs are tools for logging the authorized and unauthorized use of the applications and/or services of a system, as well as access and/or changes to protected health information. Regular inspection of audit logs is critical to protecting the security of the system, the integrity of the protected information and the legal standing of the organization.

Integrity of protected information: Protected health information must be represented, stored and distributed in such a way that any attempt to alter the information (whether authorized or not) can be identified and tracked. Typically a system-independent mechanism bound tightly to the information (e.g.

checksum, CRC, or digital signature) provides corroboration of the integrity of the information.

Non-repudiation of changes to protected information: Non-repudiation mechanisms provide non-refutable evidence of creation, deletion, modification or distribution of information. This ensures that not even an authorized user can access, change or share the information and then deny having accessed it.

Confidentiality of protected information: Data in a secure system, or data

being exchanged across secure distributed systems must not be viewable by

unauthorized users or systems. Privacy often must extend to any requests made

with regard to the secure system. Unauthorized users can potentially obtain

important information about data on the system simply by “overhearing” a

request regarding such data.

Confidential information should never be stored in plain text on a non-secure system. If the physical or electronic security of a system is suspect, confidential information should be encrypted using keys that are not stored on the non-secure system. Depending on the nature of the information, it may be stored in an encrypted file, stored as a set of message digest records or stored as encrypted fields within a database.

Protecting the privacy of data that is being exchanged across a network requires encryption of that data. This encryption can happen at a number of different layers in the communications process:

1. network layer encryption, 2. session layer encryption, 3. application layer encryption.

Network layer encryption is usually implemented between secure network routers based on the IETF IP sec standard. These routers encrypt all (IP payload) traffic sent between themselves and other mutually authenticated routers. If the sending and receiving local-area networks (LANs) and associated systems are secure, and the path between them is secure (e.g. configured as a virtual private network using network-level encryption), then session-level and application-level encryption is not necessary.

The challenge with network-layer encryption is that information is only encrypted between the edges of the LANs of each organization. The information will be in plain text within each LAN and on the end-systems of each organization. When you are unsure if the network between end-systems is secure, session-layer encryption can be used to secure the information being exchanged between end-systems independent of whether the network layer itself is encrypted. Session-layer encryption is often implemented using the secure socket layer (SSL) industry standard. SSL is used for secure transactions by Web, e-mail, and file transfer applications.

Monitoring access and modification of protected information: Each of the

security mechanisms used to protect sensitive systems and information has the

potential of being breached by an attacker. To maintain security and integrity of

the protected information, discretion is required, not only in the selection of

technology and implementation of policies, but also in monitoring the systems

to identify attempted breaches as well as suspicious access trends, and track

compliance with specified policies and procedures. Monitoring covers audit

logs, trend analysis, alarms and event reporting.

4 Access Control Models

Access control is a very important instrument for implementing security policy in e-medical systems. It can be implemented with at least three levels of sophistication:

x user-based access control,

x role-based access control [4], [5], [12], [16], x context-based or rules-based access control.

USERS

SESSIONS

PERMISSIONS

OBJECTS OPERATIONS

* 0..1 has >>

*

* has assigned >>

* *

has user’s >>

Case:

User John Smith has assigned permissions to prescribe medication and confirm ECG.

User John Smith has one session with assigned all his permissions.

In this case John Smith is able to prescribe medication and confirm ECG.

Figure 4-2 User-based access control (UBAC)

User-based access control is depicted in Figure 4-2. Implementing authorization

policies can be as simple as maintaining and referring to a list that matches

individual user identity and a specific access right for a given resource. These are

usually implemented by a specific application on a specific system (e.g. a file

system access control list (ACL)). The challenge with user-based access control

is that it requires considerable system administration effort to maintain the

access control lists for all users on all systems for each piece of protected

information.

USERS

SESSIONS

ROLES

PERMISSIONS

OBJECTS OPERATIONS

can play >>

*

*

* 0..1 has >>

*

*

has assigned >>

* *

has assigned >>

Case:

User John Smith can play roles: physician, cardiologist.

User John Smith has one session with assigned a physician role.

The physician role allows to prescribe medication.

In this case John Smith is only able to prescribe medication.

is parent >>

* 0..1

Figure 4-3 Role-based access Control (RBAC).

Role-based access control is presented in Figure 4-3. Since users often play

specific roles (e.g. administrator, physician, covering physician, etc.), the

administrative overhead of managing a protected system can be reduced by

matching a user’s role to a specific access right for a resource. However, this too

becomes problematic when managing access rights across many different

systems. In addition, individual user rights must still be granted for information

owned by individuals and not accessible by other members of the user’s groups.

USERS

SESSIONS

ROLES

PERMISSIONS

OBJECTS OPERATIONS

can play >>

*

*

* 0..1 has >>

*

*

has assigned >>

* *

has assigned >>

Case:

Context-based rules: only a patient’s primary physician can confirm ECG.

John Smith can play roles: physician, cardiologist.

John Smith has one session with assigned physician and cardiologist roles.

An example of User context: IP address of John Smith’s computer (no significance in this case)

The cardiologist role allows to confirm ECG.

Resource context: John Smith is not Mary Bush’s primary physician.

In this case John Smith is not able to confirm Mary Bush’s ECG.

USER CONTEXT

is related to <<

*

*

RESOURCE CONTEXT

*

* is related to >>

CONTEXT-BASED RULES is parent >>

* 0..1

Figure 4-4 Context-based access aontrol (CBAC).

Context-based access vontrol is illustrated in Figure 4-4. Under normal circumstances, a user in a healthcare facility has limited access to patient information. Only those with a direct need-to-know are allowed access to detailed protected information. However, there are a number of situations in which healthcare professionals require access to information based on the current context:

x a covering physician must have access to patient information in a unit, x a physician receiving a referral must access some subset of a patient’s

protected information,

x an emergency room nurse must access historical information while performing triage in a busy ER.

More sophisticated approaches to implementing context-based access control

policy involve the use of policy and rules services for all of the resources within

a system or a site. These access control services may support both static policy

(e.g. applications that can be used, files that can be accessed, directories that can

be viewed, access hours, storage quota, etc.) and dynamic rules based on real-

time context (e.g. whether currently covering for another healthcare provider).

5 Service-Oriented Security Architecture

Service-oriented architecture (SOA) is a set of principles for designing extensible, federated, interoperable services [12]. SOA principles can (and should) be applied not only to the services that compose a service-oriented business architecture, but also to the services that compose a service-oriented security architecture (SOSA). SOSA, based on the set of Web Services Security (WS Security)-related standards recently proposed by IBM and Microsoft, is currently under development at the Organization for the Advancement of Structured Information Standards (OASIS). The fundamental goal of the emerging XML and WS Security standard is not to replace the diverse security infrastructures already deployed, but to enable them to interoperate in an end- to-end fashion.

For a service consumer to delegate responsibility for executing a process to a service provider, a policy of trust must underlie that delegation. For example, a consumer, before delegating responsibility for holding her savings to a medical database, must first trust the medical service. Thus, the ultimate goal of SOSA is to enable such trust by establishing and enforcing security policies defined by a trust model, without regard to specific enforcement mechanisms. Accordingly, SOSA is not based on any specific enforcement mechanism, but rather on a generic model of policy-based trust:

x identifiers: for consumers and services, x formats: for tokens and policies,

x protocols: for exchanging tokens and policies.

In other words, SOSA should be defined in terms of generic protocols for exchanging generic (token) claims offered by service consumers and generic policy rules regarding such claims enforced by service providers. The interoperable formats of SOSA define a generic policy model, modularized into the following conceptual building blocks:

x policy: a set of policy assertions.

x policy assertion: a specific preference, requirement, capability, or other property. A more general and perhaps clearer definition of policy assertion is “rule that governs a choice in the behavior of a system”.

x security token: a set of security claims. Security tokens can be either binary (e.g., X.509, Kerberos ticket) or XML (e.g., SAML, XrML). A certificate (e.g., X.509) or a ticket (e.g., Kerberos) is simply a signed security token. XML tokens can be signed as well; thus, certificates are also either binary or XML.

x claim: a policy-relevant statement made by or about a subject accessing

a service.

The interoperable protocols of SOSA define a generic process model, modularized into the following subprocesses:

x generating and distributing service security policies via service definitions (e.g., WSDL) and service directories (e.g., UDDI),

x generating and distributing security tokens,

x presenting tokens in messages and service requests,

x evaluating whether presented tokens meet required policies.

Several standards embodying various aspects of this type of SOSA have been designed over the past several years. They are described in Table 4-3.

Table 4-3 Standards Embodying SOSA Principles

Acronym /Doc. No. Full name of document

AAA Authorization, Authentication, Accounting

XNS Extensible Name System

XACML Extensible Access Control Markup Language

PCIM Policy Core Information Model

SAML Security Assertion Markup Language

WSSM Web Services Security Model

RFC 2753 A Framework for Policy-Based Admission Control

6 RAD Case Study

RAD (Resource Access Decision) is a mechanism of access control, i.e. limiting resource access to a group of authorized users. It has been implemented with the idea of protecting medical resources provided by a portal application and accessed via a Web browser. RAD is based on the Resource Access Decision Facility developed by the Object Management Group [18]. The goal of the Resource Access Decision Facility is to separate authorization logic from application-specific business logic and make the authorization service independent of the specific security models and policies. RAD is able to support, among other models, user-based access control, role-based access control, context-based access control and rules-based access control. The architecture and features of RAD make it a valuable addition to our Medical Portal.

The following case study illustrates how RAD is used to authorize access to

patient examination results and how it can be used to authorize access to other

medical resources. It refers to the scenario in which a patient comes to a

hospital for an examination. Following examination, the results are stored in the hospital’s IT system. Only the patient and authorized personnel are allowed to access these results. The case study focuses on providing examination results through the portal. We describe the authorization mechanism that was used in our solution. The authentication process is omitted, because RAD only addresses authorization.

RAD architecture: RAD architecture is derived from the Resource Access Decision Facility. The main difference between the original specification and our implementation is that the middleware which constitutes the basis of the solution is Java RMI, EJB and Web Services, whereas in the original specification it was CORBA. We have also made some additional minor changes in order to improve service performance. Nevertheless, the general architecture, presented in Figure 4-5, remained unchanged.

RAD

Secured, security- aware application

Authorization database

RDBS

LDAP

..

Combinator

Evaluator

Evaluator

..

access_allowed(

Resource name, Operation, Caller’s credentials

Combinator Evaluator ACL-s

Figure 4-5 RAD architecture.

The main steps of the authorization process are [26]:

1. Whenever required, the secured, security-aware application checks if the user has been granted access to the requested resource. The application invokes the access_allowed method of the RAD interface, passing three arguments: resource name, operation to be executed on the resource and user’s credentials.

2. RAD selects evaluators and a combinator based on the resource name.

Evaluators are responsible for interpreting authorization policies that

control access to the requested resource. In order to evaluate an access

request, the evaluators refer to the authorization database. The

combinator is responsible for combining results from evaluators

according to the authorization policy. The result of the combinator, a

Boolean value granting or denying access to the resource, is returned to

the application.

3. The application grants or denies access to the resource on the basis of the result received from RAD.

RAD makes an access decision based on the user’s credentials (user name, certificate, etc.), the operation to be performed on the resource and the resource name. User credentials, which are coeval with patient identity, are one of the results of the authentication process. The resource name identifies the patient’s examination result. The operation is understood as the action associated with the resource (e.g. READ, WRITE).

RAD consists of two parts: an access control service and an access control administration module. The access control service provides its interface to secure-aware applications that require authorization. The interfaces are low-level and require adaptation of secured applications. In the case of the Medical Portal, such adaptation took place during the design phase of the application. The administration module is intended to be a tool for managing Medical Portal security.

RAD in Medical Portal: One of the essential security mechanisms for enforcing security policies is access control to resources. In our system, RAD was used to provide an authorization service. The Medical Portal was implemented as a J2EE (JSP/Servlets/EJB) application running on the JBoss application server. Communication between the Medical Portal and RAD was through Java RMI. Patient information, as well as the authorization database, were stored in a relational database management system (Oracle).

In order to combine RAD and the Medical Portal, some steps had to be taken:

an authorization database had to be created (with defined users, groups, resources and permissions), a specific evaluator had to be implemented and calls to RAD had to be added in the code of the Medical Portal.

Figure 4-6 shows how RAD is used to authorize access to patient examination

results provided by the Medical Portal.

Resource Access Decision

(RAD) Client Application/

Web Browser

Authorization Database

RDBS 2. access_allowed(

Resource name, Operation, Caller’s credentials)

Medical Portal

1. request:

access to an examination’s result

3. authorization evaluation 4. result:

the examination’s result

Figure 4-6 RAD in Medical Portal.

Access to examination result consists of the following steps:

1. Following authentication in the Medical Portal, the user requests an examination result.

2. The Medical Portal intercepts the request and extracts the user identifier (caller’s credentials), the identifier of the examination result (resource name) and the operation to be performed on the examination result (READ). Next, the information is sent to RAD as parameters of the authorization method.

3. RAD chooses appropriate evaluators and combinators basing on the resource name. For the examination result, only one evaluator is required. RAD delegates the authorization request to the evaluator and after having received the result, makes an authorization decision using the combinator. In this step RAD accesses the authorization database which stores authorization information. The model of authorization is user-based access control extended with context-based rules.

4. If the authorization decision is positive, the examination result is provided to the user; otherwise an “unauthorized request” page is displayed.

Usage of RAD in the described manner ensures authorization of access to

Medical Portal resources. In our case, access control is based on a very simple

security policy; however, RAD can support much more sophisticated security

policies without changes to the architecture of the whole system. It is only

necessary to implement specific plug-ins called evaluators and to reconfigure

RAD. In this way, we can include support for time-dependent permissions, as well as context-based or role-based access control.

A comfortable GUI interface for RAD administration and management of the authorization database makes Medical Portal administration an easy task.

7 Summary

Telemedical systems contain and provide information that is extremely sensitive.

Disclosing or damaging that information in an unauthorized way may be catastrophic both for organizations and patients. In order to assure the security of telemedical systems, suitable security policies, security architectures and security mechanisms must be applied. Additionally, a secure and safe working environment must be guaranteed. The rules for setting up such an environment are described (for example) in HIPPA.

Best-practice telemedical systems should satisfy such evaluation criteria as TCSEC or ITSEC. Conformity with these standards helps achieve a well- protected and secure system.

8 Bibliography

[1] P. B. Checkland, Systems Thinking, Systems Practice, John Wiley & Sons, Inc., New York (1981).

[2] W. R. Cheswick and S. M. Bellovin, Firewalls and Internet Security: Repelling the Wily Hacker, Addison-Wesley Publishing Co., Reading, MA (1994).

[3] Committee on Information Systems Trustworthiness, National Research Council, Trust in Cyberspace, National Academy Press, Washington, DC (1999).

[4] D. Ferraiolo, Proposed NIST Standard for Role-Based Access Control, ACM Transactions on Information and System Security, Vol. 4, No. 3 (August 2001), pp. 224–274.

[5] D. Ferraiolo, D. Kuhn, and R. Chandramouli, Role-Based Access Control, Artech House, Norwood, MA (2003).

[6] Digital Signature Guidelines, American Bar Association (1996), Section 1.35, available at http://www.abanet.org/scitech/ec/isc/dsgfree.html.

[7] Guide for Development of Protection Profiles and Security Targets, ISO/IEC PDTR 15446, available at http://csrc.nist.gov/cc/t4/wg3/27n2449.pdf, pp. 69–74.

[8] Information Technology—Security Techniques—Evaluation Criteria for IT Security—Part 1: Introduction and General Model, ISO/IEC 15408-1 (1999);

available at

http://isotc.iso.ch/livelink/livelink/fetch/2000/2489/lttf_Home/

PubliclyAvailableStandards.htm.

[9] Information Technology—Security Techniques—Evaluation Criteria for IT Security—Part 2: Security Functional Requirements, ISO/IEC 15408-2 (1999).

[10]Information Technology—Security Techniques—Evaluation Criteria for IT Security—Part 3: Security Assurance Requirements, ISO/IEC 15408-3 (1999).

[11] H. Johner, S. Fujiwara, A. S. Yeung, A. Stephanou, and J. Whitmore, Deploying a Public Key Infrastructure, Redbook SG24-5512-00, IBM Corporation, http://www.redbooks.ibm.co.

[12] N. Kall, Service-Oriented Security Architecture: Part 1, Metagroup, ZDNet (2003).

[13] A. Kumar, N. Karnik, and G. Chafle, Context Sensitivity in Role Based Access Control, ACM SIGOPS Operating Systems Review (July 2002), pp.

53-66.

[14] P. T. L. Lloyd and G. M. Galambos, Technical Reference Architectures, IBM Systems Journal 38, No. 1, 51–75 (1999); available at

http://researchweb.watson.ibm.com/journal/sj/381/lloyd.html.

[15] S. McClure, J. Scambray, and G. Kurtz, Hacking Exposed: Network Security Secrets & Solutions, McGraw-Hill Publishing Company, Maidenhead, Berkshire (1999).

[16] M. Moyer and M. Ahamad, Generalized Role-Based Access Control, International Conference on Distributed Computing Systems (April 2001), pp. 391-398.

[17] NEMA -Privacy and Security Committee, Security and Privacy: An Introduction to HIPAA (April 10, 2001).

[18] OMG, Resource Access Decision, Version 1.0. (2001); available at

http://www.omg.org/technology/documents/formal/resource_access_

decision.htm.

[19] A. Patel and S. O. Ciardhuain, The Impact of Forensic Computing on Telecommunications, IEEE Communications Magazine 38, No. 11, 64–67 (November 2000).

[20] E. Rechtin, Systems Architecting: Creating and Building Complex Systems, Prentice Hall, New York (1991).

[21] RFC 1825, Security Architecture for the Internet Protocol (August 1995);

available at http://www.ietf.org/rfc.html.

[22] RFC 2316, Report of the IAB Security Architecture Workshop (April 1998);

available at http://www.ietf.org/rfc.html.

[23] F. B. Schneider, Enforceable Security Policies, ACM Transactions on Information and System Security 3, No. 1, 30–50 (February 2000).

[24]Security Architecture, e-Government Strategy, Version 2.0 (September 2002).

[25]Security Architecture for Open Systems Interconnection for CCITT Applications,

ITU-T Recommendation X.800/ISO 7498-2 (1991); available at

http://www.itu.int/itudoc/itu-t/rec/x/x500up/x800.html.

[26] P. Slowikowski and M. Jarzab, Security aspect of medical portals, Proceedings, the International Conference on E-he@lth in Common Europe,

Krakow, Poland (2003).

[27] D. Verton, Common Ground Sought for IT Security Requirements, Computerworld 35, No. 11, 8 (March 12, 2001).

[28] J. J. Whitmore, Security and e-business: Is There a Prescription? Proceedings, 21st National Information Systems Security Conference, Arlington, VA (October 6–9, 1998); available at

http://csrc.nist.gov/nissc/1998/proceedings/paperD13.pdf.

[29] http://www.commoncriteria.org/protection_profiles/pp.html.