Security requirements and solutions in distributed Electronic Health Records [chapter]

B. Blobel
1997 Information Security in Research and Business  
The healthcare systems in all developed countries are changing to labour-shared structures such as Shared Care. Such structures require extended communication and co-operation. Medical information systems integrated into the care processes must be able to support that communication and co-operation adequately, representing an active and distributed Electronic Health Record (EHR) system. Distributed health record systems must meet high demands for data protection and data security, which concern integrity, availability, confidentiality including access management, and accountability. Communication and co-operation in information systems can be provided by middleware architectures. For the different middleware architectures used in healthcare, such as EDI (HL7, EDIFACT), CORBA or DHE, the architectural principles and security solutions are described briefly in the paper. Supporting open information systems, these security solutions are independent of applications and transparent to the user. For trusted communication and co-operation, application-related and user-related security mechanisms are required. Such mechanisms have to fulfil the security policy of the application domain. They use the basic security mechanisms of the underlying communication- and co-operation-supporting systems. The discussed policy, threats, and countermeasures refer to the first German regional distributed medical record, which is being developed and refined step by step in the Clinical Cancer Registry Magdeburg/Saxony-Anhalt.

Part Twelve: Security in Healthcare Systems

INTRODUCTION

Due to the changed basic conditions of healthcare systems in all developed countries, which are characterised by a demographic development with an increasing number of elderly and multiply diseased patients, rapidly growing and expensive medical and technical progress, and a generally increasing demand for health services, there is a substantial requirement for efficient and still high-quality healthcare. The response of choice is the structural change of healthcare systems towards Shared Care, i.e. a continuous and co-ordinated activity of different care providers, including the patients themselves, to give optimal medical, psychological and social help to the patient (Blobel, 1996b; Blobel, 1996c).
Such a distributed, decentralised, labour-shared healthcare structure must be supported by an adequate information system structure, consisting of highly specialised and highly effective components capable of optimal communication and co-operation. These processes are therefore accompanied by improving and extending electronic communication. The content and extent of communication, as well as the services and communication infrastructure used, determine new threats, define the need for protection, and call for new measures for data security. The consideration here is restricted to issues related to middleware concepts as well as to services and threats within our distributed EHR (DEHR) solution. Communication in healthcare can be characterised by communication content, communication partners, communication infrastructure, and communication services. In combination, different communication contents, partners, infrastructures, and services present different communication conditions and also lead to different security threats and demands for adequate countermeasures. A general approach to system security and a categorisation of architectures with respect to their threat models and trust models, including an extended discussion of common communication services, is given in . This paper concerns especially the advanced communication services provided, e.g., by middleware systems. Comprehensive guidelines on the security of healthcare systems have been published in (The SEISMED Consortium, 1996).

SECURITY SPECIFICATION AND DOMAINS

Personal medical data are highly sensitive information. In this context, legal, medical, social, and technical aspects must be considered. For extended communication of such information in Shared Care systems and for trustworthy and non-repudiable co-operation, the basic security dimensions of data integrity, availability, confidentiality, and accountability of information and processes have to be ensured.
The latter also concerns the non-repudiation of origin and receipt of data as a basic foundation of interoperability (Blobel, 1996b; Blobel, 1996c). We distinguish the globally manageable communication security from the locally managed application security, the former dealing with data transfer between two or more authenticated principals (users, processes, devices, etc.), the latter dealing with access of

The purpose of security domains is to form groups of mutual trust, each defining a particular level of risk and therefore demanding a particular set of countermeasures. Assuming adequate characteristics, departments, enterprises, institutions and even organisations can be considered as domains. These domains are assumed to be trusted environments, which need protection only against external threats. Special security measures are therefore required only for communication between different domains and are implemented at the domain boundaries. Nevertheless, the challenges and conditions of Shared Care, the use of widely spread and distributed middleware architectures, and the integration of many care and system providers require that current and future health information systems be treated as open and distributed systems, accepting the untrustworthiness of the communication environment as well as the involvement of several domains. The communication partners, and also the middleware system, could therefore belong to different technology domains, environment domains, or even policy domains.
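The non-repudiation of origin and receipt described above, as a worked example added here (not code from the paper or the Magdeburg registry): the originating domain signs the record it sends across the domain boundary, and the receiving domain, after verifying that signature, signs a digest of what it accepted as its receipt. Ed25519 keys, the record layout and the tamper-in-transit case are constructed assumptions for the demonstration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)
// SignedRecord: record plus the origin domain's signature (non-repudiation of origin).
type SignedRecord struct{ Record, Sig []byte }
// Receipt: receiver's signature over the record digest (non-repudiation of receipt).
type Receipt struct{ Digest [32]byte; Sig []byte }
// Origin side: sign the outgoing record with the origin domain's private key.
func SignRecord(priv ed25519.PrivateKey, record []byte) SignedRecord {
	return SignedRecord{Record: record, Sig: ed25519.Sign(priv, record)}
}
// Receiver side: verify the origin signature before acknowledging; no receipt is issued for bad data.
func AcceptAndAcknowledge(originPub ed25519.PublicKey, recvPriv ed25519.PrivateKey, sr SignedRecord) (Receipt, bool) {
	if !ed25519.Verify(originPub, sr.Record, sr.Sig) {
		return Receipt{}, false
	}
	d := sha256.Sum256(sr.Record)
	return Receipt{Digest: d, Sig: ed25519.Sign(recvPriv, d[:])}, true
}
// Origin side: the receipt must cover the record actually sent and carry the receiver's signature.
func VerifyReceipt(recvPub ed25519.PublicKey, record []byte, r Receipt) bool {
	return sha256.Sum256(record) == r.Digest && ed25519.Verify(recvPub, r.Digest[:], r.Sig)
}
// RunExchange creates fresh keys for both domains (assumed, for the demo) and plays one exchange;
// with tamper=true the record is altered in transit and the receiver must reject it.
func RunExchange(record []byte, tamper bool) (accepted, receiptOK bool) {
	originPub, originPriv, _ := ed25519.GenerateKey(rand.Reader)
	recvPub, recvPriv, _ := ed25519.GenerateKey(rand.Reader)
	sr := SignRecord(originPriv, record)
	if tamper {
		sr.Record = append([]byte{}, sr.Record...) // copy, then flip one bit
		sr.Record[0] ^= 1
	}
	rc, ok := AcceptAndAcknowledge(originPub, recvPriv, sr)
	if !ok {
		return false, false
	}
	return true, VerifyReceipt(recvPub, record, rc)
}
func main() {
	rec := []byte("constructed sample: patient=ID-0001;finding=...")
	fmt.Println(RunExchange(rec, false)) // true true
	fmt.Println(RunExchange(rec, true))  // false false
}
```

Holding the origin signature and the signed receipt gives each domain evidence the other cannot later deny; in a real deployment the keys would be bound to the principals by the domain's certificate management, which this example does not model.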
doi:10.1007/978-0-387-35259-6_31 fatcat:mtp35hm44bhbzjihle25przoje