A Note on the Security in the Card Management System of the German E-Health Card


1 A Note on the Security in the Card Management System of the German E-Health Card
Marcel Winandy (Ruhr-University Bochum)
3rd International ICST Conference on Electronic Healthcare for the 21st Century (eHealth 2010), Casablanca, Morocco, December 2010
Wednesday, 15 December 2010

2 Introduction
The German electronic Health Card (eHC)
- Core component of the Healthcare Telematics
- Each insured person will have such a card
- Supposed to enable new applications
- Smartcard with small storage + cryptographic functions
German Healthcare Telematics
- Under development, going to be rolled out "soon" (originally 2006)
- Specifications by Gematik (company organization of health institutions)
Health Professional Card (HPC)
- Similar card for all health professionals
- For identification, authentication, digital signatures

3 Introduction: Use Cases of eHC
Obligatory:
Identification, Authentication
- personalized cards
- individual cryptographic keys
European Health Insurance Card (EHIC)
- printed on the backside
Electronic Prescription
- issuing and filling
- directly stored on eHC
Optional:
Medical Emergency Data
- directly stored on eHC
Medication History
Electronic Health Records
- centrally stored on servers (in encrypted format)
- eHC used to encrypt/decrypt and authorize access (via PIN)
Other applications

4 Introduction: Security & Privacy
German law requires strong privacy: "Data Sovereignty" (§ 291a.5 SGB V)
- Only the patient can define who may access the data associated with the eHC.
German Ministry of Health*: eHC basic security requirements
- Authentication, authorization, and audit mechanisms have to be chosen so that the data sovereignty of the insured party can be taken for granted.
* German Federal Ministry of Health: Entscheidungsvorlage - Festlegung der Authentisierungs-, Autorisierungs- und Auditmechanismen der Telematikinfrastruktur für die Fachanwendungen, Version 0.9.0, March

5-19 German Healthcare Telematics
[Figure: architecture diagram of the German Healthcare Telematics, built up step by step over these slides. Surviving labels: Healthcare Telematics Boundary, HPC, eHC.]

20-24 Existing Security Analyses
[Figure: first pages of four papers, added one per slide, each annotated with the area it covers. Recoverable content follows.]

SECURITY ANALYSIS OF THE HEALTH CARE TELEMATICS INFRASTRUCTURE IN GERMANY
Michael Huber, Ali Sunyaev and Helmut Krcmar, Chair for Information Systems, Technische Universität München, Germany
Slide annotation: Network security, Access control policies
Keywords: Security analysis, Health Care Telematics, Electronic Health Card, Information Security Management Systems.
Abstract: Based on ISO for Information Security Management Systems, this paper introduces a newly developed security analysis approach, suitable for technical security analyses in general. This approach is used for a security analysis of several components and processes of the Health Care Telematics in Germany. Besides the results of the analysis, basics for further analysis and verification activities is given.

SECURITY ANALYSIS OF THE GERMAN ELECTRONIC HEALTH CARD'S PERIPHERAL PARTS
Ali Sunyaev, Alexander Kaletsch, Christian Mauro and Helmut Krcmar, Chair for Information Systems, Technische Universität München, Boltzmannstraße 3, Garching, Germany
Slide annotation: Peripheral parts (end-user systems)
Keywords: Security Analysis, Electronic Health Card, Health Care Telematics.
Abstract: This paper describes a technical security analysis which is based on experiments done in a laboratory and verified in a physician's practice. The health care telematics infrastructure in Germany stipulates every physician and every patient to automatically be given an electronic health smart card (for patients) and a corresponding health professional card (for health care providers). We analyzed these cards and the peripheral parts of the telematics infrastructure according to the ISO security standard. The introduced attack scenarios show that there are several security issues in the peripheral parts of the German health care telematics. Based on discovered vulnerabilities we provide corresponding security measures to overcome these open issues and derive conceivable consequences for the nation-wide introduction of electronic health card in Germany.

Securing the E-Health Cloud
Hans Löhr, Ahmad-Reza Sadeghi, Marcel Winandy, Horst Görtz Institute for IT Security, Ruhr-University Bochum, Germany
Slide annotation: Platform security
Abstract: Modern information technology is increasingly used in healthcare with the goal to improve and enhance medical services and to reduce costs. In this context, the outsourcing of computation and storage resources to general IT providers (cloud computing) has become very appealing. E-health clouds offer new possibilities, such as easy and ubiquitous access to medical data, and opportunities for new business models. However, they also bear new risks and raise challenges with respect to security and privacy aspects. In this paper, we point out several shortcomings of current e-health solutions and standards, particularly they do not address the client platform security, which is a crucial aspect for the overall security of e-health systems. To fill this gap, we present a security architecture for establishing privacy domains in e-health infrastructures. Our solution ad-

OPEN SECURITY ISSUES IN GERMAN HEALTHCARE TELEMATICS
Ali Sunyaev, Jan Marco Leimeister, Helmut Krcmar
Slide annotation: Other open security issues

25-27 Open Problem: Card Management System!!!
[Figure: title pages of two gematik specification documents from the series "Einführung der Gesundheitskarte" (Introduction of the Health Card):]
- Kartenmanagement eGK, Facharchitektur (Card Management eHC, Domain Architecture). Revision: main/rel_main/8. Status: released. File: gematik_cms_facharchitektur_kartenmanagement_egk.doc, 81 pages.
- Kartenmanagement eGK, Fachkonzept (Card Management eHC, Domain Concept). Revision: main/rel_main/5. Status: released. File: gematik_cms_fachkonzept_kartenmanagement_egk_v1.3.0.doc, 62 pages.

28-41 Card Management System
[Figure: diagram of the Card Management System, built up step by step over these slides. No labels survive.]

42-43 (1) Conflicting Requirements
Security Requirement:
At any time, the card management is not allowed to obtain information about application contents [...] for which it is not authorized.
The card issuer MUST NOT get possession of unencrypted medical application data.
Availability Requirement:
When a replacement or renewal card is created, it MUST be assured that application data stored on a server (e.g., EHR) can be accessed using the new eHC.
Specification requires particular technical solution:
The following secret keys MUST be presently managed in the context of the card management: [a list of keys follows].
Copies of the keys are stored!!!

44-46 Card Management System
[Figure: Card Management System diagram, continued. No labels survive.]

46 Card Management System

47 (2) Creating Replacement Cards
Lost/stolen eHC or switching health insurance implies creating a replacement card
Copies of the keys from the old card are used:
All data required for the production of the card are available.
The card issuer may assign the creation of the card to one or more service providers.

48-49 Card Management System
[Figure: Card Management System diagram, continued. No labels survive.]

50-53 (3) Re-Encrypting Data
Issuing replacement or renewal card implies re-encryption of data
Input needed for Card Issuer: ICCSN (eHC ID)
Input for the Application Operator:
[Card Issuer] transmits the ICCSN of the insured party and other data to the application operator.
Application Operator processes the application data.

54-56 Card Management System
[Figure: Card Management System diagram, continued.]
Violation of Data Sovereignty of the Patient!!!!

57 Conclusion
German E-Health Card: complex security architecture
Card Management System has serious flaws:
- Copies of the secret keys of the patients are stored and could spread to other (unauthorized) parties
- Data Sovereignty of the patient is violated!
Possible solution: remove technical requirement (instead: designs could use, e.g., secret key sharing)
MediTrust (Platform security for end-users)
ebpg ebusiness Plattform Gesundheit (Alternative security solution for accessing electronic health records)
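
The conclusion names secret key sharing as a possible design direction. The following is an added example, not taken from the slides or from the gematik specifications: it splits a record key with 2-of-3 Shamir secret sharing so that no single party, the card issuer included, holds a usable copy, and shows that one share alone is consistent with every possible key. The holder names, the threshold and the field prime are assumptions.

```python
"""Added example: 2-of-3 Shamir secret sharing of a patient's record key.

Holder names, threshold and prime are assumptions for illustration only.
"""
import secrets

# Prime field large enough for a 256-bit key (2**521 - 1 is a Mersenne prime).
P = 2**521 - 1


def split_secret(secret, threshold, holders):
    """Split `secret` so that any `threshold` holders can rebuild it."""
    if not 0 <= secret < P:
        raise ValueError("secret out of range")
    if not 1 < threshold <= len(holders):
        raise ValueError("need 1 < threshold <= number of holders")
    # Random polynomial f of degree threshold-1 with f(0) = secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    shares = {}
    for x, name in enumerate(holders, start=1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of f(x) mod P
            y = (y * x + c) % P
        shares[name] = (x, y)
    return shares


def recover_secret(shares):
    """Rebuild f(0) from a list of (x, y) shares by Lagrange interpolation."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % P
                den = (den * (xi - xj)) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def share_consistent_with(share, candidate, x_other):
    """Threshold 2 only: the partner share at x_other that would make
    `candidate` the reconstructed secret. Such a share exists for every
    candidate, so a single share carries no information about the key."""
    x, y = share
    slope = ((y - candidate) * pow(x, -1, P)) % P
    return (x_other, (candidate + slope * x_other) % P)


def demo():
    record_key = secrets.randbits(256)  # constructed sample key
    holders = ["patient_backup", "card_issuer", "application_operator"]
    shares = split_secret(record_key, 2, holders)
    issuer = shares["card_issuer"]
    # Replacement card: the patient's backup share plus one other share
    # rebuilds the key without any party having stored a full copy.
    rebuilt = recover_secret([shares["patient_backup"], issuer])
    # The issuer's share alone fits any guess, here the guess 0.
    forged = share_consistent_with(issuer, 0, 99)
    return {
        "any_two_recover": rebuilt == record_key,
        "issuer_share_fits_other_key": recover_secret([issuer, forged]) == 0,
    }


if __name__ == "__main__":
    print(demo())
```

With a 2-of-3 split any two holders can rebuild the key, so the choice of holders and threshold decides whose cooperation is required.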

58 Questions?
Contact: Marcel Winandy, Ruhr-University Bochum


More information

Common Criteria Protection Profile. electronic Health Card (ehc) elektronische Gesundheitskarte (egk)

Common Criteria Protection Profile. electronic Health Card (ehc) elektronische Gesundheitskarte (egk) electronic Health Card (ehc) elektronische Gesundheitskarte (egk) BSI-CC-PP-0020-V3-2010-MA-01 Approved by the Federal Ministry of Health Version 2.9, 19th April 2011 electronic Health Card Version 2.9,

More information

AN ENHANCED ATTRIBUTE BASED ENCRYPTION WITH MULTI PARTIES ACCESS IN CLOUD AREA

AN ENHANCED ATTRIBUTE BASED ENCRYPTION WITH MULTI PARTIES ACCESS IN CLOUD AREA Available Online at www.ijcsmc.com International Journal of Computer Science and Mobile Computing A Monthly Journal of Computer Science and Information Technology IJCSMC, Vol. 3, Issue. 1, January 2014,

More information

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi Purpose This paper is intended to describe the benefits of smart card implementation and it combination with Public

More information

Common Criteria Protection Profile. electronic Health Card (ehc) elektronische Gesundheitskarte (egk) BSI-PP-0020-V2-2007

Common Criteria Protection Profile. electronic Health Card (ehc) elektronische Gesundheitskarte (egk) BSI-PP-0020-V2-2007 VERSION 2.00 (ehc) elektronische Gesundheitskarte (egk) BSI-PP-0020-V2-2007 Approved by the Federal Ministry of Health Version 2.00, 29 th January 2007 Version 2.00, 29 th January 2007 this page was intentionally

More information

Common Criteria Protection Profile. electronic Health Card (ehc) elektronische Gesundheitskarte (egk) BSI-PP-0020-V2-2007-MA01

Common Criteria Protection Profile. electronic Health Card (ehc) elektronische Gesundheitskarte (egk) BSI-PP-0020-V2-2007-MA01 VERSION 2.50 (ehc) elektronische Gesundheitskarte (egk) BSI-PP-0020-V2-2007-MA01 Approved by the Federal Ministry of Health Version 2.50, 2 nd January 2008 Version 2.50, 2nd January 2008 this page was

More information

Security und Compliance in Clouds

Security und Compliance in Clouds Security und Compliance in Clouds Prof. Dr. Jan Jürjens, Kristian Beckers Fraunhofer Institut für Software- und Systemtechnologie ISST, Dortmund http://jan.jurjens.de The NIST Cloud Definition Framework

More information

Keywords: German electronic ID card, e-government and e-business applications, identity management

Keywords: German electronic ID card, e-government and e-business applications, identity management From Student Smartcard Applications to the German Electronic Identity Card Lucie Langer, Axel Schmidt, Alex Wiesmaier Technische Universität Darmstadt, Department of Computer Science, Darmstadt, Germany

More information

Property Based TPM Virtualization

Property Based TPM Virtualization Property Based Virtualization Marcel Winandy Joint work with: Ahmad Reza Sadeghi, Christian Stüble Horst Görtz Institute for IT Security Chair for System Security Ruhr University Bochum, Germany Sirrix

More information

Journal of Electronic Banking Systems

Journal of Electronic Banking Systems Journal of Electronic Banking Systems Vol. 2015 (2015), Article ID 614386, 44 minipages. DOI:10.5171/2015.614386 www.ibimapublishing.com Copyright 2015. Khaled Ahmed Nagaty. Distributed under Creative

More information

For a health-care system with a future. The electronic health insurance card.

For a health-care system with a future. The electronic health insurance card. For a health-care system with a future. The electronic health insurance card. Find out more What will change with the electronic health insurance card? Opportunities The electronic health insurance card

More information

SOLUTIONS FOR HEALTHCARE PROFESSIONALS AND GOVERNMENTS

SOLUTIONS FOR HEALTHCARE PROFESSIONALS AND GOVERNMENTS SOLUTIONS FOR HEALTHCARE PROFESSIONALS AND GOVERNMENTS The number of people in need of medical care in the world is continuously increasing, as evidenced by the evolving demographic outlook in both developed

More information

D.I.M. allows different authentication procedures, from simple e-mail confirmation to electronic ID.

D.I.M. allows different authentication procedures, from simple e-mail confirmation to electronic ID. Seite 1 von 11 Distributed Identity Management The intention of Distributed Identity Management is the advancement of the electronic communication infrastructure in justice with the goal of defining open,

More information

Please quote as: Sunyaev, A.; Atherton, M.; Mauro, C.; Leimeister, J. M. & Krcmar, H. (2009): Characteristics of IS security approaches with respect

Please quote as: Sunyaev, A.; Atherton, M.; Mauro, C.; Leimeister, J. M. & Krcmar, H. (2009): Characteristics of IS security approaches with respect Please quote as: Sunyaev, A.; Atherton, M.; Mauro, C.; Leimeister, J. M. & Krcmar, H. (2009): Characteristics of IS security approaches with respect to healthcare. In: Proceedings of the Fifteenth Americas

More information

Uni-directional Trusted Path: Transaction Confirmation on Just One Device

Uni-directional Trusted Path: Transaction Confirmation on Just One Device Uni-directional Trusted Path: Transaction Confirmation on Just One Device Atanas Filyanov 1, Jonathan M. McCune 2, Ahmad-Reza Sadeghi 3, Marcel Winandy 1 1 Ruhr-University Bochum, Germany 2 Carnegie Mellon

More information

Security and Compliance in Clouds: Challenges and Solutions

Security and Compliance in Clouds: Challenges and Solutions Security and Compliance in Clouds: Challenges and Solutions Prof. Dr. Jan Jürjens Fraunhofer Institut für Software- und Systemtechnologie ISST, Dortmund http://jan.jurjens.de This Talk What are the challenges?

More information

Siemens Roadmap to ehealth

Siemens Roadmap to ehealth Siemens Roadmap to ehealth 4. th. ehealth national conference, Sofia Michael Gorgi June 26 th., 2007 Siemens Bulgaria Agenda ehealth? Evolution of ehealth Systems Siemens & ehealth Page 2 June 2007 Siemens

More information

Secondary Use of the EHR via Pseudonymisation

Secondary Use of the EHR via Pseudonymisation Secondary Use of the EHR via Klaus POMMERENING Institut für Medizinische Biometrie, Epidemiologie und Informatik Johannes-Gutenberg-Universität D-55101 Mainz, Germany Michael RENG Klinik und Poliklinik

More information

ECCA 2014 Conference Santander 26.05.2014

ECCA 2014 Conference Santander 26.05.2014 ECCA 2014 Conference Santander 26.05.2014 Introducing -Technology For Strong Authentication Section 3- IT-Systems, Softwareintegration Department 6 Information And Communication Services Dezernat6 - Informations-

More information

Card enabled e-health network How to improve healthcare

Card enabled e-health network How to improve healthcare Card enabled e-health network How to improve healthcare Dr. Elmar Fassbinder Patrick Melioris Bratislava, 25. Sept. 2008 Page 1 Agenda 1) The Vicious Circle in health care 2) Card enabled e-health Network

More information

Computer and Network Security Policy

Computer and Network Security Policy Coffeyville Community College Computer and Network Security Policy Created By: Jeremy Robertson Network Administrator Created on: 6/15/2012 Computer and Network Security Page 1 Introduction: The Coffeyville

More information

Response of the German Medical Association

Response of the German Medical Association Response of the German Medical Association To the Green Paper on mobile Health ( mhealth ) of the European Commission Berlin, 3 July 2014 Bundesärztekammer Herbert-Lewin-Platz 1 10623 Berlin We are grateful

More information

The ELGA initiative: A plan for implementing a nationwide electronic health records system in Austria

The ELGA initiative: A plan for implementing a nationwide electronic health records system in Austria The ELGA initiative: A plan for implementing a nationwide electronic health records system in Austria Georg Duftschmid, Wolfgang Dorda, Walter Gall Core Unit of Medical Statistics and Informatics Section

More information

EHR IN THE CLOUD - FINDING A BALANCE

EHR IN THE CLOUD - FINDING A BALANCE 1 05/12/2013 EHR IN THE CLOUD - FINDING A BALANCE Michael De Geest Central information security consultant vzw Provincialaat der Broeders van Liefde 2 EHR in the Cloud - introduction Find a clever way

More information

Guide for Securing E-mail With WISeKey CertifyID Personal Digital Certificate (Personal eid)

Guide for Securing E-mail With WISeKey CertifyID Personal Digital Certificate (Personal eid) The World Internet Security Company Solutions for Security Guide for Securing E-mail With WISeKey CertifyID Personal Digital Certificate (Personal eid) Wherever Security relies on Identity, WISeKey has

More information

PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker

PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker www.quotium.com 1/14 Summary Abstract 3 PCI DSS Statistics 4 PCI DSS Application Security 5 How Seeker Helps You Achieve PCI DSS

More information

Threat Model for Software Reconfigurable Communications Systems

Threat Model for Software Reconfigurable Communications Systems Threat Model for Software Reconfigurable Communications Systems Presented to the Management Group 6 March 007 Bernard Eydt Booz Allen Hamilton Chair, SDR Security Working Group Overview Overview of the

More information

Federation Proxy for Cross Domain Identity Federation

Federation Proxy for Cross Domain Identity Federation Proxy for Cross Domain Identity Makoto Hatakeyama NEC Corporation, Common Platform Software Res. Lab. 1753, Shimonumabe, Nakahara-Ku, Kawasaki, Kanagawa 211-8666, Japan +81-44-431-7663 m-hatake@ax.jp.nec.com

More information

Canada Health Infoway

Canada Health Infoway Canada Health Infoway EHR s in the Canadian Context June 7, 2005 Mike Sheridan, COO Canada Health Infoway Healthcare Renewal In Canada National Healthcare Priorities A 10-year Plan to Strengthen Healthcare

More information

CHAPTER 1 INTRODUCTION

CHAPTER 1 INTRODUCTION 1 CHAPTER 1 INTRODUCTION 1.1 Introduction Cloud computing as a new paradigm of information technology that offers tremendous advantages in economic aspects such as reduced time to market, flexible computing

More information

Alternative authentication what does it really provide?

Alternative authentication what does it really provide? Alternative authentication what does it really provide? Steve Pannifer Consult Hyperion Tweed House 12 The Mount Guildford GU2 4HN UK steve.pannifer@chyp.com Abstract In recent years many new technologies

More information

Inadequacies of Current Risk Controls for the Cloud

Inadequacies of Current Risk Controls for the Cloud Inadequacies of Current Risk Controls for the Cloud Name: Michael Goldsmith Michael Auty, Sadie Creese and Paul Hopkins Venue: CPSRT@CloudCom2010, Indianapolis Date: 2 December 2010 Research supported

More information

Secure Information Systems Engineering: Experiences and Lessons Learned from two Health Care Projects

Secure Information Systems Engineering: Experiences and Lessons Learned from two Health Care Projects Secure Information Systems Engineering: Experiences and Lessons Learned from two Health Care Projects H. Mouratidis 1, A. Sunyaev 2, J. Jurjens 3 1 School of Computing and Technology, University of East

More information

Compliance in Clouds A cloud computing security perspective

Compliance in Clouds A cloud computing security perspective Compliance in Clouds A cloud computing security perspective Kristian Beckers, Martin Hirsch, Jan Jürjens GI Workshop: Governance, Risk & Compliance on the 19th of March 2010 What is Cloud Computing? Today:

More information

exceet Secure Solutions Smart & Secure Network From Vision to Reality

exceet Secure Solutions Smart & Secure Network From Vision to Reality exceet Secure Solutions Smart & Secure Network From Vision to Reality Agenda 1. About exceet 2. Entering the World of Smart Connected Products 3. exceet s Transformation Developing New Competencies 4.

More information

Continuity of Care Record (CCR) in Germany? PROREC activities on the way to EHR interoperability

Continuity of Care Record (CCR) in Germany? PROREC activities on the way to EHR interoperability Herzlich Willkommen! EHTEL Telemed ehealth IOP Satellite Heidelberg, 12 June 2008 Continuity of Care Record (CCR) in Germany? PROREC activities on the way to EHR interoperability Sebastian Claudius Semler

More information

ehealth EHR Viewer & Integration Joint Service/Access Policy Executive Summary for Authorized Provider Organizations ("APOs")

ehealth EHR Viewer & Integration Joint Service/Access Policy Executive Summary for Authorized Provider Organizations (APOs) ehealth EHR Viewer & Integration Joint Service/Access Policy July 31, 2013 Version 1.0 1. BACKGROUND: Executive Summary for Authorized Provider Organizations ("APOs") ehealth Saskatchewan ("ehealth") is

More information

Model-based Security Analysis of the German Health Card Architecture

Model-based Security Analysis of the German Health Card Architecture Model-based Security Analysis of the German Health Card Architecture J. Jürjens Computing Department, The Open University, UK R. Rumm Munich, Germany Summary Objectives: Health-care information systems

More information

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011 Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8

More information

SECURITY ANALYSIS OF PASSWORD BASED MUTUAL AUTHENTICATION METHOD FOR REMOTE USER

SECURITY ANALYSIS OF PASSWORD BASED MUTUAL AUTHENTICATION METHOD FOR REMOTE USER SECURITY ANALYSIS OF PASSWORD BASED MUTUAL AUTHENTICATION METHOD FOR REMOTE USER Mrs. P.Venkateswari Assistant Professor / CSE Erode Sengunthar Engineering College, Thudupathi ABSTRACT Nowadays Communication

More information

Protected Patients Data Centre in Cloud Computing

Protected Patients Data Centre in Cloud Computing Protected Patients Data Centre in Cloud Computing Ms.M.Shanthi 1, Mr. P. Ranjithkumar 2 M.E II year, Department of Computer Science and Engineering, Sri Subramanya College Of Engineering and Technology,

More information

Appendix B: Existing Guidance to Support HIE Implementation Opportunities

Appendix B: Existing Guidance to Support HIE Implementation Opportunities Appendix B: Existing Guidance to Support HIE Implementation Opportunities APPENDIX B: EXISTING GUIDANCE TO SUPPORT HIE IMPLEMENTATION OPPORTUNITIES There is an important opportunity for the states and

More information

SERIES Y: GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS Next Generation Networks Security

SERIES Y: GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS Next Generation Networks Security International Telecommunication Union ITU-T Y.2740 TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (01/2011) SERIES Y: GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS

More information

Cloud security architecture

Cloud security architecture ericsson White paper Uen 284 23-3244 January 2015 Cloud security architecture from process to deployment The Trust Engine concept and logical cloud security architecture presented in this paper provide

More information

Optimizing the User Experience of a Social Content Management Software for Casual Users

Optimizing the User Experience of a Social Content Management Software for Casual Users Optimizing the User Experience of a Social Content Management Software for Casual Users 10.08.2015, TU München Florian Katenbrink, Thomas Reschenhofer, Prof. Dr. Florian Matthes Software Engineering for

More information

The silver lining: Getting value and mitigating risk in cloud computing

The silver lining: Getting value and mitigating risk in cloud computing The silver lining: Getting value and mitigating risk in cloud computing Frequently asked questions The cloud is here to stay. And given its decreased costs and increased business agility, organizations

More information

What You Need to Know About Securing Healthcare Information Exchanges

What You Need to Know About Securing Healthcare Information Exchanges What You Need to Know About Securing Healthcare Information Exchanges SECURITY GUIDE Table of Contents Introduction... 2 Security Considerations for HIE... 2 Data Protection Solution Offerings for HIE

More information

WHITEPAPER. Data Security for Office 365 Balancing control & usability

WHITEPAPER. Data Security for Office 365 Balancing control & usability WHITEPAPER Data Security for Office 365 Balancing control & usability Contents Executive Summary... 2 Top Security Issues for Office 365... 4 Compelled Disclosures... 4 Unauthorized Sharing... 4 External

More information

Introducing the Electronic Health Record in Austria

Introducing the Electronic Health Record in Austria Introducing the Electronic Health Record in Austria Wolfgang Dorda a, Georg Duftschmid a, Lukas Gerhold a, Walter Gall a, Jürgen Gambal b a Core Unit for Medical Statistics and Informatics, Medical University

More information

secure user IDs and business processes Identity and Access Management solutions Your business technologists. Powering progress

secure user IDs and business processes Identity and Access Management solutions Your business technologists. Powering progress secure Identity and Access Management solutions user IDs and business processes Your business technologists. Powering progress 2 Protected identity through access management Cutting costs, increasing security

More information

Please quote as: Dünnebeil, S.; Mauro, C.; Sunyaev, A.; Leimeister, J. M. & Krcmar, H. (2009): Integration of patient health portals into the German

Please quote as: Dünnebeil, S.; Mauro, C.; Sunyaev, A.; Leimeister, J. M. & Krcmar, H. (2009): Integration of patient health portals into the German Please quote as: Dünnebeil, S.; Mauro, C.; Sunyaev, A.; Leimeister, J. M. & Krcmar, H. (2009): Integration of patient health portals into the German healthcare telematics infrastructure. In: 15. Americas

More information

Matthias Hauss- SRC Security Research & Consulting GmbH October 2011. PCI DSS Requirements in the Context of European Data Protection Law

Matthias Hauss- SRC Security Research & Consulting GmbH October 2011. PCI DSS Requirements in the Context of European Data Protection Law Matthias Hauss- SRC Security Research & Consulting GmbH October 2011 PCI DSS Requirements in the Context of European Data Protection Law About SRC Two pillars: Card-based Payment Systems and IT security

More information

GENERIC SECURITY FRAMEWORK FOR CLOUD COMPUTING USING CRYPTONET

GENERIC SECURITY FRAMEWORK FOR CLOUD COMPUTING USING CRYPTONET http:// GENERIC SECURITY FRAMEWORK FOR CLOUD COMPUTING USING CRYPTONET Manisha Dawra 1, Ramdev Singh 2 1 Al-Falah School of Engg. & Tech., Vill-Dhauj, Ballabgarh-Sohna Road, Faridabad, Haryana (INDIA)-121004

More information

Technical Security in Smart Metering Devices: A German Perspective S4 SCADA Security Scientific Symposium 2012-01-18, Miami Beach FL / USA

Technical Security in Smart Metering Devices: A German Perspective S4 SCADA Security Scientific Symposium 2012-01-18, Miami Beach FL / USA Technical Security in Smart Metering Devices: A German Perspective S4 SCADA Security Scientific Symposium 2012-01-18, Miami Beach FL / USA Dr. Stephan Beirer s.beirer@gai-netconsult.de Sichere ebusiness

More information

Web Werks Data Center Achieves HIPAA Compliance Certification

Web Werks Data Center Achieves HIPAA Compliance Certification Web Werks Data Center Achieves HIPAA Compliance Certification Web Werks has Achieved HIPAA Compliance Certification Meeting the Security Standards Required to Maintain Healthcare Information. Web Werks

More information

Qualified mobile electronic signatures: Possible, but worth a try?

Qualified mobile electronic signatures: Possible, but worth a try? Qualified mobile electronic signatures: Possible, but worth a try? Lothar Fritsch 1, Johannes Ranke 2, Heiko Rossnagel 1 Interest level of audience: 3 - for application developers (interested in IT security)

More information

Managing for the Long Term: Keys to Securing, Troubleshooting and Monitoring a Private Cloud

Managing for the Long Term: Keys to Securing, Troubleshooting and Monitoring a Private Cloud Deploying and Managing Private Clouds The Essentials Series Managing for the Long Term: Keys to Securing, Troubleshooting and Monitoring a Private Cloud sponsored by Managing for the Long Term: Keys to

More information

2.2 The Security of Electronic Medical Records (EMR) DOH, the Executive Yuan August 19, 2009

2.2 The Security of Electronic Medical Records (EMR) DOH, the Executive Yuan August 19, 2009 Topic 2: Privacy Protection and Ensuring Security of Network Applications or Services 2.2 The Security of Electronic Medical Records (EMR) DOH, the Executive Yuan August 19, 2009 1 Agenda 1. The Vision

More information

e-health in Europe Georges Liberman, Ingenico

e-health in Europe Georges Liberman, Ingenico e-health in Europe At Ingenico, we bring the security layer between the patient, the doctor, and the health management system. This way healthcare systems become safer, more efficient, and provide a better

More information

RSA SECURE WEB ACCESS FOR HEALTHCARE ENVIRONMENTS

RSA SECURE WEB ACCESS FOR HEALTHCARE ENVIRONMENTS RSA SECURE WEB ACCESS FOR HEALTHCARE ENVIRONMENTS Security solutions for patient and provider access AT A GLANCE Healthcare organizations of all sizes are responding to the demands of patients, physicians,

More information

Data Leakage Detection in Cloud Computing using Identity Services

Data Leakage Detection in Cloud Computing using Identity Services International Journal of Computer Sciences and Engineering Open Access Research Paper Volume-4, Issue-04 E-ISSN: 2347-2693 Data Leakage Detection in Cloud Computing using Identity Services K. Mythili 1*,

More information

ICT TECHNOLOGY, PATIENTS AND CLOUD COMPUTING

ICT TECHNOLOGY, PATIENTS AND CLOUD COMPUTING ICT TECHNOLOGY, PATIENTS AND CLOUD COMPUTING Mario Po Venezia, 8 June 2012 1/14 ehealth AVAILABLE TO ALL NOT SOME Technology is an important tool for helping to address the core challenges of any health

More information

CONTROLLING DATA IN THE CLOUD: OUTSOURCING COMPUTATION WITHOUT OUTSOURCING CONTROL

CONTROLLING DATA IN THE CLOUD: OUTSOURCING COMPUTATION WITHOUT OUTSOURCING CONTROL CONTROLLING DATA IN THE CLOUD: OUTSOURCING COMPUTATION WITHOUT OUTSOURCING CONTROL Paper By: Chow, R; Golle, P; Jakobsson, M; Shai, E; Staddon, J From PARC & Masuoka, R And Mollina From Fujitsu Laboratories

More information

Applying Standards in Cross-sector Communication for an Integrated Health Environment

Applying Standards in Cross-sector Communication for an Integrated Health Environment Applying Standards in Cross-sector Communication for an Integrated Health Environment Hans Demski Helmholtz Zentrum München - German Research Center for Environmental Health Working Group MEDIS Institute

More information

Mobile App Testing. Mobile App Testing. Seite 1 von 10

Mobile App Testing. Mobile App Testing. Seite 1 von 10 Mobile App Testing Seite 1 von 10 1 Security and Insecurity of mobile Applications... 3 1.1 App-Security in official App Stores... 3 1.2 mediatest digital App Security Audits... 3 1.2.1 Testing Approach...

More information

Secure Cloud Architecture for Preserving Privacy in Cloud Computing using OTPWTP

Secure Cloud Architecture for Preserving Privacy in Cloud Computing using OTPWTP Global Journal of Computer Science and Technology Cloud and Distributed Volume 13 Issue 3 Version 1.0 Year 2013 Type: Double Blind Peer Reviewed International Research Journal Publisher: Global Journals

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,

More information

have adequate policies and practices for secure data disposal have not established a formal 22% risk management program

have adequate policies and practices for secure data disposal have not established a formal 22% risk management program do not have budgeted disaster 38% recovery plans do not use standardized data 37% classification do not have a plan for responding to 29% security breaches 23% have adequate policies and practices for

More information

How to Use ISO/IEC 24727-3 with Arbitrary Smart Cards

How to Use ISO/IEC 24727-3 with Arbitrary Smart Cards How to Use ISO/IEC 24727-3 with Arbitrary Smart Cards Detlef Hühnlein 1 and Manuel Bach 2 1 secunet Security Networks AG, Sudetenstraße 16, 96247 Michelau, Germany detlef.huehnlein@secunet.com 2 Federal

More information

An Open ecard Plug-in for accessing the German national Personal Health Record

An Open ecard Plug-in for accessing the German national Personal Health Record An Open ecard Plug-in for accessing the German national Personal Health Record Raik Kuhlisch 1 Dirk Petrautzki 2 Johannes Schmölz 3 Ben Kraufmann 1 Florian Thiemer 1 Tobias Wich 3 Detlef Hühnlein 3 Thomas

More information

HIPAA Email Compliance & Privacy. What You Need to Know Now

HIPAA Email Compliance & Privacy. What You Need to Know Now HIPAA Email Compliance & Privacy What You Need to Know Now Introduction The Health Insurance Portability and Accountability Act of 1996 (HIPAA) places a number of requirements on the healthcare industry

More information

Identity and Access Management

Identity and Access Management Cut costs. Increase security. Support compliance. www.siemens.com/iam Scenarios for greater efficiency and enhanced security Cost pressure is combining with increased security needs compliance requirements

More information

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and procedures to govern who has access to electronic protected

More information

A KIND OF IMPLEMENT ABOUT MOBILE SIGNATURE SERVICE BASED ON MOBILE TELEPHONE TERMINAL

A KIND OF IMPLEMENT ABOUT MOBILE SIGNATURE SERVICE BASED ON MOBILE TELEPHONE TERMINAL A KIND OF IMPLEMENT ABOUT MOBILE SIGNATURE SERVICE BASED ON MOBILE TELEPHONE TERMINAL Wangjian, Xu Guoai, Zhangmiao National Engineering Laboratory for Disaster Backup and Recovery, Beijing University

More information

Engage Mobile Security Whitepaper

Engage Mobile Security Whitepaper Engage Mobile Security Whitepaper NavisHealth Platform Products NavisHealth September 2014 About NavisHealth NavisHealth is a Silicon Valley, Digital Health IT Solutions Company that provides a cloud-based

More information

White Paper Preventing Man in the Middle Phishing Attacks with Multi-Factor Authentication

White Paper Preventing Man in the Middle Phishing Attacks with Multi-Factor Authentication White Paper Preventing Man in the Middle Phishing Attacks with Multi-Factor Authentication Page 1 of 8 Introduction As businesses and consumers grow increasingly reliant on the Internet for conducting

More information
