A Note on the Security in the Card Management System of the German E-Health Card

Size: px
Start display at page:

Download "A Note on the Security in the Card Management System of the German E-Health Card"

Transcription

1 A Note on the Security in the Card Management System of the German E-Health Card Marcel Winandy (Ruhr-University Bochum) 3rd International ICST Conference on Electronic Healthcare for the 21st Century (ehealth 2010) Casablanca, Morocco, December 2010 Mittwoch, 15. Dezember 2010

2 Introduction The German electronic Health Card (ehc) Core component of the Healthcare Telematics Each insured person will have such a card Supposed to enable new applications Smartcard with small storage + cryptographic functions German Healthcare Telematics Under development, going to be rolled out "soon" (originally 2006) Specifications by Gematik (company organization of health institutions) Health Professional Card (HPC) Similar card for all health professionals For identification, authentication, digital signatures Mittwoch, 15. Dezember 2010

3 Introduction: Use Cases of ehc Obligatory: Identification, Authentication - personalized cards - individual cryptographic keys European Health Insurance Card (EHIC) - printed on the backside Electronic Prescription - issuing and filling - directly stored on ehc Optional: Medical Emergency Data - directly stored on ehc Medication History Electronic Health Records - centrally stored on servers (in encrypted format) - ehc used to encrypt/decrypt and authorize access (via PIN) Other applications Mittwoch, 15. Dezember 2010

4 Introduction: Security & Privacy German law requires strong privacy: "Data Sovereignty" ( 291a.5 SGB V) Only the patient can define who may access the data associated with the ehc. German Ministry of Health*: ehc basic security requirements Authentication, authorization, and audit mechanisms have to be chosen so that the data sovereignty of the insured party can be taken for granted. * German Federal Ministry of Health: Entscheidungsvorlage - Festlegung der Authentisierungs-, Autorisierungs- und Auditmechanismen der Telematikinfrastruktur für die Fachanwendungen, Version 0.9.0, March Mittwoch, 15. Dezember 2010

5 German Healthcare Telematics

6 German Healthcare Telematics

7 German Healthcare Telematics

8 German Healthcare Telematics

9 German Healthcare Telematics

10 German Healthcare Telematics

11 German Healthcare Telematics

12 German Healthcare Telematics

13 German Healthcare Telematics Healthcare Telematics Boundary Mittwoch, 15. Dezember 2010

14 German Healthcare Telematics Healthcare Telematics Boundary Mittwoch, 15. Dezember 2010

15 German Healthcare Telematics Healthcare Telematics Boundary Mittwoch, 15. Dezember 2010

16 German Healthcare Telematics Healthcare Telematics Boundary ehc Mittwoch, 15. Dezember 2010

17 German Healthcare Telematics Healthcare Telematics Boundary HPC ehc Mittwoch, 15. Dezember 2010

18 German Healthcare Telematics Healthcare Telematics Boundary HPC ehc Mittwoch, 15. Dezember 2010

19 German Healthcare Telematics Healthcare Telematics Boundary HPC ehc Mittwoch, 15. Dezember 2010

20 Existing Security Analyses

21 Existing Security Analyses SECURITY ANALYSIS OF THE HEALTH CARE TELEMATICS INFRASTRUCTURE IN GERMANY Network security Access control policies Michael Huber, Ali Sunyaev and Helmut Krcmar Chair for Information Systems, Technische Universität München, Germany {hubermic, sunyaev, Keywords: Abstract: Security analysis, Health Care Telematics, Electronic Health Card, Information Security Management Systems. Based on ISO for Information Security Management Systems, this paper introduces a newly developed security analysis approach, suitable for technical security analyses in general. This approach is used for a security analysis of several components and processes of the Health Care Telematics in Germany. Besides the results of the analysis, basics for further analysis and verification activities is given. 1 INTRODUCTION In Germany, the Electronic Health Card (ehc) will replace the present health card as requested by law. By establishing the ehc, several improvements, such as cost savings, better ways of communication in the health care sector or the self-determination of the insured person concerning medical data, are supposed to be achieved (Schabetsberger et al., 2006). The use of IT to administrate medical data of the insured, implicates the question, whether these systems are safe enough to satisfy requirements like privacy, safety, security and availability (Heeks, 2006). The data administrated by the ehc and its infrastructure is mosltly strictly confidential as it contains personal information about peoples state of health, course of disease and hereditary diseases (Lorence and Churchill, 2005). As for example insurance companies Dezember or employers 2010would be highly interested Mittwoch, 15. in outlook. The current security status of health care in Germany was evaluated and valuable hints for future developments in the health care sector could be derived. The paper is based on a literature review (e.g. Computers & Security, Information Management & Computer Security, Information Systems Security, International Journal of Medical Informatics, Information Systems Journal, European Journal of Information Systems, International Journal of Information Security, security & privacy, Journal of computer security, ACM Transaction on Information and Systems Security und ACM Computing Surveys). The security analysis approach presented in this paper differs from other approaches due to the following aspects: Focus (health care sector; technical evaluation of security measures), being up-to-date (appliance of upto-date techniques and standards) and regional distinctions (located in germany, regional and political

22 Existing Security Analyses SECURITY ANALYSIS OF THE HEALTH CARE TELEMATICS INFRASTRUCTURE IN GERMANY Network security Access control policies Keywords: Michael Huber, Ali Sunyaev and Helmut Krcmar Chair for Information Systems, Technische Universität München, Germany {hubermic, sunyaev, SECURITY ANALYSIS OF THE GERMAN ELECTRONIC HEALTH CARD S PERIPHERAL PARTS Security analysis, Health Care Telematics, Electronic Health Card, Information Security Management Systems. Ali Sunyaev, Alexander Kaletsch, Christian Mauro and Helmut Krcmar Chair for Information Systems, Technische Universität München, Boltzmannstraße 3, Garching, Germany Abstract: Based on ISO for Information Security Management Systems, this paper introduces a newly developed {sunyaev, kaletsch, mauro, security analysis approach, suitable for technical security analyses in general. This approach is used for a security analysis of several components and processes of the Health Care Telematics in Germany. Besides the results of the analysis, basics for further analysis and verification activities is given. Peripheral parts (end-user systems) Keywords: Security Analysis, Electronic Health Card, Health Care Telematics. 1 INTRODUCTION outlook. The current security status of health care in Abstract: This paper describes a technical security analysis which Germany is based was on evaluated experiments and valuable done in a hints laboratory for future and verified in a physician s practice. The health care In Germany, the Electronic Health Card (ehc) will developments telematics infrastructure in the health in Germany care sector stipulates could be every derived. physician and every patient to automatically be given an electronic health smart card (for patients) and a replace the present health card as requested by law. corresponding health professional card (for health care providers). We analyzed these cards and the By establishing the ehc, several improvements, such The paper is based on a literature review (e.g. peripheral parts of the telematics infrastructure according to the ISO security standard. The as cost savings, better ways of communication in the Computers & Security, Information Management & introduced attack scenarios show that there are several security issues in the peripheral parts of the German health care sector or the self-determination of the insured person concerning medical data, are supposed ternational Journal of Medical Informatics, Informa- Computer Security, Information Systems Security, In- health care telematics. Based on discovered vulnerabilities we provide corresponding security measures to overcome these open issues and derive conceivable consequences for the nation-wide introduction of to be achieved (Schabetsberger et al., 2006). tion Systems Journal, European Journal of Information Systems, International Journal of Information Se- electronic health card in Germany. The use of IT to administrate medical data of the insured, implicates the question, whether these systems are safe enough to satisfy requirements like pririty, ACM Transaction on Information and Systems curity, security & privacy, Journal of computer secu- 1 vacy, INTRODUCTION safety, security and availability (Heeks, 2006). taking Security out unda ACM loan Computing or trying Surveys). to find insurance The security analysis2001). approach Furthermore, presented inone s this paper reputation differs The data administrated by the ehc and its infrastructure is mosltly strictly confidential as it contains from other approaches due to the following aspects: (Anderson, During the next years in Germany the present health could get tarnished when the wrong pieces of own personal information about peoples state of health, Focus (health care sector; technical evaluation of security measures), being up-to-date (appliance of up- insurance card will be replaced by the new sensitive medical information becomes publicly course of disease and hereditary diseases (Lorence electronic health card (ehc) (Sunyaev et al., 2009). accessible (Schneider, 2004). and Churchill, 2005). As for example insurance companies Dezember or employers 2010would be highly interested in tinctions (located in germany, regional and political to-date techniques and standards) and regional dis- The introduction tends to improve the efficiency of This paper is based on extensive laboratory Mittwoch, 15. the health system and the patients rights (Bales, experiments and on a detailed review of gematik s

23 Existing Security Analyses SECURITY ANALYSIS OF THE HEALTH CARE TELEMATICS INFRASTRUCTURE IN GERMANY Network security Access control policies Keywords: Michael Huber, Ali Sunyaev and Helmut Krcmar Chair for Information Systems, Technische Universität München, Germany {hubermic, sunyaev, SECURITY ANALYSIS OF THE GERMAN ELECTRONIC HEALTH CARD S PERIPHERAL PARTS Security analysis, Health Care Telematics, Electronic Health Card, Information Security Management Systems. Ali Sunyaev, Alexander Kaletsch, Christian Mauro and Helmut Krcmar Securing the E-Health Cloud Chair for Information Systems, Technische Universität München, Boltzmannstraße 3, Garching, Germany Abstract: Based on ISO for Information Security Management Systems, this paper introduces a newly developed {sunyaev, kaletsch, mauro, security analysis approach, suitable for technical security analyses in general. This approach is used for a security analysis of several components and processes of the Health Care Telematics in Germany. Besides the results of the analysis, basics for further analysis and verification activities is given. Hans Löhr Ahmad-Reza Sadeghi Marcel Winandy Horst Görtz Institute for IT Security Horst Görtz Institute Horst Görtz Institute Keywords: Security for IT Security Analysis, Electronic Health Card, for IT Health Security Care Telematics. 1 INTRODUCTION Ruhr-University Bochum Ruhr-Universityoutlook. BochumThe current Ruhr-University security status of Bochum health care in Abstract: This Germany paper describes a technical security Germany analysis which Germany is based was on evaluated experiments and Germany valuable done in a hints laboratory for future and verified in a physician s practice. The health care In Germany, the Electronic Health Card (ehc) will developments telematics infrastructure in the health Germany care sector stipulates could be every derived. physician and every patient to automatically be given an electronic health smart card (for patients) and a replace the present health card as requested by law. corresponding health professional card (for health care providers). We analyzed these cards and the By establishing the ehc, several improvements, such The paper is based on a literature review (e.g. ABSTRACT peripheral parts of the telematics infrastructure countries according as cost savings, better ways of communication in the Computers in to the the & Security, recent ISO years Information There security are Management continuing standard. The efforts & on introduced attack scenarios show that there are several security issues the peripheral parts of the German Modernhealth information care sector technology or theis self-determination increasingly used in ofhealth- care with sured theperson goal national and international standardization for interoperability and data we provide exchange. corresponding Many different security application measures scenarios to the in- Computer Security, Information Systems Security, International Journal of Medical Informatics, Informa- health toconcerning improve care telematics. andmedical enhance Based data, medical on discovered are supposed services vulnerabilities and to reduce costs. overcome In this these context, open issues the outsourcing and derive of conceivable are envisaged consequences in electronic for the nation-wide healthcare (e-health), introduction e.g., of electronic health records [12, 23, 22], accounting and billing [17, to be achieved (Schabetsberger et al., 2006). tion Systems Journal, European Journal of Information Systems, International Journal of Information Se- computation and storage electronic resources health card to in general Germany. IT providers The use of IT to administrate medical data of the (cloud computing) has become very appealing. E-health 24], medical research, and trading intellectual property [15]. insured, implicates the question, whether these systems medical are safe data, enough and opportunities to satisfy requirements for new business like pri- (EHRs) rity, ACM aretransaction believed to on decrease Information costs inand healthcare Systems (e.g., curity, security & privacy, Journal of computer secu- clouds offer new possibilities, such as easy and ubiquitous In particular e-health systems like electronic health records access to models. 1 vacy, INTRODUCTION However, safety, they security also bear and availability new risks and (Heeks, raise2006). challenges with The respect data administrated to security and by privacy the ehcaspects. and its infras- (Anderson, ministration) rity analysis2001). approach and tofurthermore, improve presented personal inone s thishealth paper reputation management differs taking avoiding Security out expensive unda ACM loan double Computing or trying diagnoses, Surveys). to find or repetitive insurance The secu- drug ad- In this tructure paper, iswe mosltly point strictly out several confidential shortcomings as it contains of current e-health personal solutions information and standards, about peoples particularly state of they health, do infrom general. other approaches due to the following aspects: During the next years in Germany the present health could get tarnished when the wrong pieces of own Examples of national activities are the e-health approach Focus (health care sector; technical evaluation of security measures), being up-to-date (appliance of up- insurance card will be replaced by the new sensitive medical information becomes publicly not address coursetheofclient disease platform and hereditary security, which diseases a(lorence crucial in Austria [23], the German electronic Health Card (ehc) electronic health card (ehc) (Sunyaev et al., 2009). accessible (Schneider, 2004). aspect for the overall security of e-health systems. To fill system [12] under development, or the Taiwan Electronic and Churchill, 2005). As for example insurance companies Dezember or employers 2010would be highly interested in tinctions (located in germany, regional and political to-date techniques and standards) and regional dis- The introduction tends to improve the efficiency of This paper is based on extensive laboratory this gap, we present a security architecture for establishing Medical Record Template (TMT) [22]. In Germany each insured personand will on get a smartcard detailed review that not of only gematik s contains Mittwoch, 15. privacy the domains health system in e-health and the infrastructures. patients rights Our (Bales, solution experiments ad- Peripheral parts (end-user systems) Platform security

24 Existing Security Analyses SECURITY ANALYSIS OF THE HEALTH CARE TELEMATICS INFRASTRUCTURE IN GERMANY Network security Access control policies Keywords: Michael Huber, Ali Sunyaev and Helmut Krcmar Chair for Information Systems, Technische Universität München, Germany {hubermic, sunyaev, SECURITY ANALYSIS OF THE GERMAN ELECTRONIC HEALTH CARD S PERIPHERAL PARTS Security analysis, Health Care Telematics, Electronic Health Card, Information Security Management Systems. Ali Sunyaev, Alexander Kaletsch, Christian Mauro and Helmut Krcmar Securing the E-Health Cloud Chair for Information Systems, Technische Universität München, Boltzmannstraße 3, Garching, Germany Abstract: Based on ISO for Information Security Management Systems, this paper introduces a newly developed {sunyaev, kaletsch, mauro, security analysis approach, suitable for technical security analyses in general. This approach is used for a security analysis of several components and processes of the Health Care Telematics in Germany. Besides the results of the analysis, basics for further analysis and verification activities is given. Hans Löhr Ahmad-Reza Sadeghi Marcel Winandy Horst Görtz Institute Horst Görtz Institute Horst Görtz Institute Keywords: Security for IT Security Analysis, Electronic Health Card, for IT Health Security Care Telematics. for IT Security!"#$%&#'()*+,%*&&(#&%*$%-#)./$%0#/1+0'/)#% 1 INTRODUCTION Ruhr-University Bochum Ruhr-Universityoutlook. BochumThe current Ruhr-University security status of Bochum health care in Abstract: This Germany paper describes a technical security Germany analysis which Germany is based was on evaluated experiments and Germany valuable done in a hints laboratory for future and verified in a physician s practice. +#1#./+*'&% The health care In Germany, the Electronic Health Card (ehc) will developments telematics infrastructure in the health Germany care sector stipulates could be every derived. physician and every patient to automatically be given an electronic health smart card (for patients) and a replace the present health card as requested by law. corresponding health professional card (for health care providers). We analyzed these cards and the By establishing the ehc, several improvements, such The paper is based on a literature review (e.g. ABSTRACT peripheral parts of the telematics infrastructure according to the ISO security standard. The as cost savings, better ways of communication!"#$%&'()*+$ countries in the Computers in the & Security, recent years. Information There are Management continuing efforts & on introduced attack scenarios show that there are several security issues the peripheral parts of the German Modernhealth information care sector technology or theis self-determination increasingly used in ofhealth- care with sured theperson goal toconcerning improve national and international standardization for interoperability and data we provide exchange. corresponding Many different security application measures scenarios to the in- Computer Security, Information Systems Security, International Journal of Medical Informatics, Informa- health!"#$%&'"(&)*+),(+*%'$&-./0)1".2(-/.2")3(-4"%/-&5&)67(.2"(0)68(-.20)9"%'$(:) care telematics. andmedical enhance Based data, medical on discovered are supposed services vulnerabilities overcome these open issues and /8(:$"4;-(<&8'<=") and to reduce costs. In this context, the outsourcing derive of conceivable are envisaged consequences in electronic for the nation-wide healthcare (e-health), introduction e.g., of electronic health records [12, 23, 22], accounting and billing [17, to be achieved (Schabetsberger et al., 2006). tion Systems Journal, European Journal of Information Systems, International Journal of Information Se- computation and storage electronic resources health card to in general Germany. IT providers The use of IT to administrate medical data of the (cloud computing) has become very appealing.,)'$-)./0$1*#2*#34*.$ E-health 24], medical research, and trading intellectual property [15]. insured, implicates the question, whether these systems medical are safe data, enough and opportunities to satisfy requirements for new business like pri- (EHRs) rity, ACM aretransaction believed to on decrease Information costs inand healthcare Systems (e.g., curity, security & privacy, Journal of computer secu- clouds offer new possibilities, such as easy and ubiquitous In particular e-health systems like electronic health access to models. 1 vacy, INTRODUCTION However, safety, they security also bear and availability new risks and (Heeks, raise2006). challenges with The respect data administrated to security and by privacy the ehcaspects. and its infras- (Anderson, ministration) rity analysis2001). approach and tofurthermore, improve presented personal inone s thishealth paper reputation management differs taking avoiding Security out expensive unda ACM loan double Computing or trying diagnoses, Surveys). to find or repetitive insurance The secu- drug ad- In this tructure paper, iswe mosltly point strictly out several confidential shortcomings as it 5*"2&4$6./2).$ contains of current e-health personal solutions information and standards, about peoples particularly state of they health, do infrom general. other approaches due to the following aspects: During the next years in Germany the present health could get tarnished when the wrong pieces of own Examples of national activities are the e-health approach Focus (health care sector; technical evaluation of security measures), being up-to-date (appliance of up- insurance card!"#$%&'"(&)*+),(+*%'$&-./0)1".2(-/.2")3(-4"%/-&5&)67(.2"(0)68(-.20)9"%'$(:) will be replaced by the new sensitive medical information becomes publicly not address coursetheofclient disease platform and hereditary security, which diseases a(lorence crucial in Austria [23], the German electronic Health Card (ehc) electronic health card (ehc) (Sunyaev et al., B%.'$%;-(<&8'<=") 2009). accessible (Schneider, 2004). aspect for the overall security of e-health systems. To fill system [12] under development, or the Taiwan Electronic and Churchill, 2005). As for example insurance companies Dezember or employers 2010would be highly interested in tinctions (located in germany, regional and political to-date techniques and standards) and regional dis- The introduction tends to improve the efficiency of This paper is based on extensive laboratory this gap, we present a security architecture for establishing Medical Record Template (TMT) [22]. In Germany each insured personand will on get a smartcard detailed review that not of only gematik s contains Mittwoch, 15. privacy the domains health system in e-health and the infrastructures. patients rights Our (Bales, solution experiments ad- Peripheral parts (end-user systems) Platform security Other open security issues

25 Open Problem: Card Management System!!! Mittwoch, 15. Dezember 2010

26 Open Problem: Card Management System!!! Einführung der Gesundheitskarte Einführung der Gesundheitskarte Kartenmanagement egk Facharchitektur Kartenmanagement egk Fachkonzept Version: Revision: main/rel_main/8 Stand: Status: freigegeben gematik_cms_facharchitektur_kartenmanagement_egk.doc Seite 1 von 81 Version: gematik Stand: Version: Revision: main/rel_main/5 Stand: Status: freigegeben gematik_cms_fachkonzept_kartenmanagement_egk_v1.3.0.doc Seite 1 von 62 Version: gematik Stand: Mittwoch, 15. Dezember 2010

27 Open Problem: Card Management System!!! Einführung der Gesundheitskarte Einführung der Gesundheitskarte Kartenmanagement egk Facharchitektur Kartenmanagement egk Fachkonzept Version: Revision: main/rel_main/8 Stand: Status: freigegeben gematik_cms_facharchitektur_kartenmanagement_egk.doc Seite 1 von 81 Version: gematik Stand: Version: Revision: main/rel_main/5 Stand: Status: freigegeben gematik_cms_fachkonzept_kartenmanagement_egk_v1.3.0.doc Seite 1 von 62 Version: gematik Stand: Mittwoch, 15. Dezember 2010

28 Card Management System

29 Card Management System

30 Card Management System

31 Card Management System

32 Card Management System

33 Card Management System

34 Card Management System

35 Card Management System

36 Card Management System

37 Card Management System

38 Card Management System

39 Card Management System

40 Card Management System

41 Card Management System

42 (1) Conflicting Requirements Security Requirement: At any time, the card management is not allowed to obtain information about application contents [...] for which it is not authorized. The card issuer MUST NOT get possession of unencrypted medical application data. Availability Requirement: When a replacement or renewal card is created, it MUST be assured that application data stored on a server (e.g., EHR) can be accessed using the new ehc. Mittwoch, 15. Dezember 2010

43 (1) Conflicting Requirements Security Requirement: Specification requires particular technical solution: At any time, the card management is not allowed to obtain information about application contents [...] for which it is not authorized. The following secret keys MUST be presently managed in The card issuer MUST NOT get possession of unencrypted medical application the context data. of the card management: [a list of keys follows]. Availability Requirement: Copies of the keys are stored!!! When a replacement or renewal card is created, it MUST be assured that application data stored on a server (e.g., EHR) can be accessed using the new ehc. Mittwoch, 15. Dezember 2010

44 Card Management System

45 Card Management System

46 Card Management System

47 (2) Creating Replacement Cards Lost/stolen ehc or switching health insurance implies creating a replacement card Copies of the keys from the old card are used: All data required for the production of the card are available. The card issuer may assign the creation of the card to one or more service providers. Mittwoch, 15. Dezember 2010

48 Card Management System

49 Card Management System

50 (3) Re-Encrypting Data Issuing replacement or renewal card implies re-encryption of data Input needed for Card Issuer: ICCSN (ehc ID) Input for the Application Operator: [Card Issuer] transmits the ICCSN of the insured party and other data to the application operator. Application Operator processes the application data. Mittwoch, 15. Dezember 2010

51 (3) Re-Encrypting Data Issuing replacement or renewal card implies re-encryption of data Input needed for Card Issuer: ICCSN (ehc ID) Input for the Application Operator: [Card Issuer] transmits the ICCSN of the insured party and other data to the application operator. Application Operator processes the application data. Mittwoch, 15. Dezember 2010

52 (3) Re-Encrypting Data Issuing replacement or renewal card implies re-encryption of data Input needed for Card Issuer: ICCSN (ehc ID) Input for the Application Operator: [Card Issuer] transmits the ICCSN of the insured party and other data to the application operator. Application Operator processes the application data. Mittwoch, 15. Dezember 2010

53 (3) Re-Encrypting Data Issuing replacement or renewal card implies re-encryption of data Input needed for Card Issuer: ICCSN (ehc ID) Input for the Application Operator: [Card Issuer] transmits the ICCSN of the insured party and other data to the application operator. Application Operator processes the application data. Mittwoch, 15. Dezember 2010

54 Card Management System

55 Card Management System

56 Card Management System Violation of Data Sovereignty of the Patient!!!! Mittwoch, 15. Dezember 2010

57 Conclusion German E-Health Card: complex security architecture Card Management System has serious flaws: Copies of the secret keys of the patients are stored and could spread to other (unauthorized) parties Data Sovereignty of the patient is violated! Possible solution: remove technical requirement (instead: designs could use, e.g., secret key sharing) MediTrust (Platform security for end-users) ebpg ebusiness Plattform Gesundheit (Alternative security solution for accessing electronic health records) Mittwoch, 15. Dezember 2010

58 Questions? Contact: Marcel Winandy Ruhr-University Bochum Mittwoch, 15. Dezember 2010

Securing the E-Health Cloud

Securing the E-Health Cloud Securing the E-Health Cloud Hans Löhr, Ahmad-Reza Sadeghi, Marcel Winandy 1st ACM International Health Informatics Symposium (IHI 2010) Arlington, Virginia, USA, 11-12 November 2010 Introduction Buzzwords

More information

SECURITY ANALYSIS OF THE GERMAN ELECTRONIC HEALTH CARD S PERIPHERAL PARTS

SECURITY ANALYSIS OF THE GERMAN ELECTRONIC HEALTH CARD S PERIPHERAL PARTS SECURITY ANALYSIS OF THE GERMAN ELECTRONIC HEALTH CARD S PERIPHERAL PARTS Ali Sunyaev, Alexander Kaletsch, Christian Mauro and Helmut Krcmar Chair for Information Systems, Technische Universität München,

More information

Please quote as: Sunyaev, A.; Leimeister, J.M.; Krcmar, H. (2010): Open Security Issues in German Healthcare Telematics. In: Proceedings of the Third

Please quote as: Sunyaev, A.; Leimeister, J.M.; Krcmar, H. (2010): Open Security Issues in German Healthcare Telematics. In: Proceedings of the Third Please quote as: Sunyaev, A.; Leimeister, J.M.; Krcmar, H. (2010): Open Security Issues in German Healthcare Telematics. In: Proceedings of the Third International Conference on Health Informatics (HealthInf

More information

Securing the E-Health Cloud

Securing the E-Health Cloud Securing the E-Health Cloud Hans Löhr Horst Görtz Institute for IT Security Ruhr-University Bochum Germany hans.loehr@trust.rub.de Ahmad-Reza Sadeghi Horst Görtz Institute for IT Security Ruhr-University

More information

Connected health-it - Germany s Telematics Infrastructure

Connected health-it - Germany s Telematics Infrastructure Connected health-it - Germany s Telematics Infrastructure Dr. Christof Gessner gematik Gesellschaft für Telematikanwendungen der Gesundheitskarte mbh Friedrichstraße 136 10117 Berlin 20.04.2016 1 Shareholders

More information

Please quote as: Duennebeil, S.; Sunyaev, A.; Blohm, I.; Leimeister, J. M. & Krcmar, H. (2010): Do German physicians want electronic health services?

Please quote as: Duennebeil, S.; Sunyaev, A.; Blohm, I.; Leimeister, J. M. & Krcmar, H. (2010): Do German physicians want electronic health services? Please quote as: Duennebeil, S.; Sunyaev, A.; Blohm, I.; Leimeister, J. M. & Krcmar, H. (2010): Do German physicians want electronic health services? A characterization of potential adopters and rejectors

More information

Patterns for Secure Boot and Secure Storage in Computer Systems

Patterns for Secure Boot and Secure Storage in Computer Systems Patterns for Secure Boot and Secure Storage in Computer Systems Hans Löhr, Ahmad-Reza Sadeghi, Marcel Winandy Horst Görtz Institute for IT Security, Ruhr-University Bochum, Germany {hans.loehr,ahmad.sadeghi,marcel.winandy}@trust.rub.de

More information

Strategies for Development and Adoption of EHR in German Ambulatory Care

Strategies for Development and Adoption of EHR in German Ambulatory Care Strategies for Development and Adoption of EHR in German Ambulatory Care Sebastian Duennebeil 1, Ali Sunyaev 1, Jan Marco Leimeister 2, Helmut Krcmar 1 1 Department of Informatics 1 Technische Universität

More information

Please quote as: Mauro, C.; Sunyaev, A.; Leimeister, J. M.; Schweiger, A. & Krcmar, H. (2008): A proposed solution for managing doctor's smart cards

Please quote as: Mauro, C.; Sunyaev, A.; Leimeister, J. M.; Schweiger, A. & Krcmar, H. (2008): A proposed solution for managing doctor's smart cards Please quote as: Mauro, C.; Sunyaev, A.; Leimeister, J. M.; Schweiger, A. & Krcmar, H. (2008): A proposed solution for managing doctor's smart cards in hospitals using a single sign-on central architecture.

More information

A Proposed Solution for Managing Doctor s Smart Cards in Hospitals Using a Single Sign-On Central Architecture

A Proposed Solution for Managing Doctor s Smart Cards in Hospitals Using a Single Sign-On Central Architecture A Proposed Solution for Managing Doctor s Smart Cards in Hospitals Using a Single Sign-On Central Architecture Christian Mauro Ali Sunyaev Jan Marco Leimeister Andreas Schweiger Helmut Krcmar Technische

More information

Smart Cards for Future Healthcare Systems. Secure, efficient, reliable

Smart Cards for Future Healthcare Systems. Secure, efficient, reliable Smart Cards for Future Healthcare Systems Secure, efficient, reliable Card-based e-health networks: cutting costs and improving care All around the world, newspaper headlines warn about the exploding costs

More information

Universität München Fakultät für Informatik Lehrstuhl für Wirtschaftsinformatik (i17) Sebastian Dünnebeil Helmut Krcmar

Universität München Fakultät für Informatik Lehrstuhl für Wirtschaftsinformatik (i17) Sebastian Dünnebeil Helmut Krcmar Universität München Fakultät für Informatik Lehrstuhl für Wirtschaftsinformatik (i17) Sebastian Dünnebeil Helmut Krcmar Market Engineering for Electronic Health Services Technische Universität München

More information

Common Criteria Protection Profile. electronic Health Card (ehc) elektronische Gesundheitskarte (egk)

Common Criteria Protection Profile. electronic Health Card (ehc) elektronische Gesundheitskarte (egk) electronic Health Card (ehc) elektronische Gesundheitskarte (egk) BSI-CC-PP-0020-V3-2010-MA-01 Approved by the Federal Ministry of Health Version 2.9, 19th April 2011 electronic Health Card Version 2.9,

More information

AN ENHANCED ATTRIBUTE BASED ENCRYPTION WITH MULTI PARTIES ACCESS IN CLOUD AREA

AN ENHANCED ATTRIBUTE BASED ENCRYPTION WITH MULTI PARTIES ACCESS IN CLOUD AREA Available Online at www.ijcsmc.com International Journal of Computer Science and Mobile Computing A Monthly Journal of Computer Science and Information Technology IJCSMC, Vol. 3, Issue. 1, January 2014,

More information

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi Purpose This paper is intended to describe the benefits of smart card implementation and it combination with Public

More information

Written Contribution of the National Association of Statutory Health Insurance Funds of 16.11.2015

Written Contribution of the National Association of Statutory Health Insurance Funds of 16.11.2015 Written Contribution of the National Association of Statutory Health Insurance Funds of 16.11.2015 to the Public Consultation of the European Commission on Standards in the Digital : setting priorities

More information

Keywords: German electronic ID card, e-government and e-business applications, identity management

Keywords: German electronic ID card, e-government and e-business applications, identity management From Student Smartcard Applications to the German Electronic Identity Card Lucie Langer, Axel Schmidt, Alex Wiesmaier Technische Universität Darmstadt, Department of Computer Science, Darmstadt, Germany

More information

Common Criteria Protection Profile. electronic Health Card (ehc) elektronische Gesundheitskarte (egk) BSI-PP-0020-V2-2007

Common Criteria Protection Profile. electronic Health Card (ehc) elektronische Gesundheitskarte (egk) BSI-PP-0020-V2-2007 VERSION 2.00 (ehc) elektronische Gesundheitskarte (egk) BSI-PP-0020-V2-2007 Approved by the Federal Ministry of Health Version 2.00, 29 th January 2007 Version 2.00, 29 th January 2007 this page was intentionally

More information

Common Criteria Protection Profile. electronic Health Card (ehc) elektronische Gesundheitskarte (egk) BSI-PP-0020-V2-2007-MA01

Common Criteria Protection Profile. electronic Health Card (ehc) elektronische Gesundheitskarte (egk) BSI-PP-0020-V2-2007-MA01 VERSION 2.50 (ehc) elektronische Gesundheitskarte (egk) BSI-PP-0020-V2-2007-MA01 Approved by the Federal Ministry of Health Version 2.50, 2 nd January 2008 Version 2.50, 2nd January 2008 this page was

More information

Property Based TPM Virtualization

Property Based TPM Virtualization Property Based Virtualization Marcel Winandy Joint work with: Ahmad Reza Sadeghi, Christian Stüble Horst Görtz Institute for IT Security Chair for System Security Ruhr University Bochum, Germany Sirrix

More information

Security und Compliance in Clouds

Security und Compliance in Clouds Security und Compliance in Clouds Prof. Dr. Jan Jürjens, Kristian Beckers Fraunhofer Institut für Software- und Systemtechnologie ISST, Dortmund http://jan.jurjens.de The NIST Cloud Definition Framework

More information

Journal of Electronic Banking Systems

Journal of Electronic Banking Systems Journal of Electronic Banking Systems Vol. 2015 (2015), Article ID 614386, 44 minipages. DOI:10.5171/2015.614386 www.ibimapublishing.com Copyright 2015. Khaled Ahmed Nagaty. Distributed under Creative

More information

Computer and Network Security Policy

Computer and Network Security Policy Coffeyville Community College Computer and Network Security Policy Created By: Jeremy Robertson Network Administrator Created on: 6/15/2012 Computer and Network Security Page 1 Introduction: The Coffeyville

More information

Please quote as: Sunyaev, A.; Atherton, M.; Mauro, C.; Leimeister, J. M. & Krcmar, H. (2009): Characteristics of IS security approaches with respect

Please quote as: Sunyaev, A.; Atherton, M.; Mauro, C.; Leimeister, J. M. & Krcmar, H. (2009): Characteristics of IS security approaches with respect Please quote as: Sunyaev, A.; Atherton, M.; Mauro, C.; Leimeister, J. M. & Krcmar, H. (2009): Characteristics of IS security approaches with respect to healthcare. In: Proceedings of the Fifteenth Americas

More information

ECCA 2014 Conference Santander 26.05.2014

ECCA 2014 Conference Santander 26.05.2014 ECCA 2014 Conference Santander 26.05.2014 Introducing -Technology For Strong Authentication Section 3- IT-Systems, Softwareintegration Department 6 Information And Communication Services Dezernat6 - Informations-

More information

EHR IN THE CLOUD - FINDING A BALANCE

EHR IN THE CLOUD - FINDING A BALANCE 1 05/12/2013 EHR IN THE CLOUD - FINDING A BALANCE Michael De Geest Central information security consultant vzw Provincialaat der Broeders van Liefde 2 EHR in the Cloud - introduction Find a clever way

More information

For a health-care system with a future. The electronic health insurance card.

For a health-care system with a future. The electronic health insurance card. For a health-care system with a future. The electronic health insurance card. Find out more What will change with the electronic health insurance card? Opportunities The electronic health insurance card

More information

Secondary Use of the EHR via Pseudonymisation

Secondary Use of the EHR via Pseudonymisation Secondary Use of the EHR via Klaus POMMERENING Institut für Medizinische Biometrie, Epidemiologie und Informatik Johannes-Gutenberg-Universität D-55101 Mainz, Germany Michael RENG Klinik und Poliklinik

More information

Security and Compliance in Clouds: Challenges and Solutions

Security and Compliance in Clouds: Challenges and Solutions Security and Compliance in Clouds: Challenges and Solutions Prof. Dr. Jan Jürjens Fraunhofer Institut für Software- und Systemtechnologie ISST, Dortmund http://jan.jurjens.de This Talk What are the challenges?

More information

Optimizing the User Experience of a Social Content Management Software for Casual Users

Optimizing the User Experience of a Social Content Management Software for Casual Users Optimizing the User Experience of a Social Content Management Software for Casual Users 10.08.2015, TU München Florian Katenbrink, Thomas Reschenhofer, Prof. Dr. Florian Matthes Software Engineering for

More information

SOLUTIONS FOR HEALTHCARE PROFESSIONALS AND GOVERNMENTS

SOLUTIONS FOR HEALTHCARE PROFESSIONALS AND GOVERNMENTS SOLUTIONS FOR HEALTHCARE PROFESSIONALS AND GOVERNMENTS The number of people in need of medical care in the world is continuously increasing, as evidenced by the evolving demographic outlook in both developed

More information

D.I.M. allows different authentication procedures, from simple e-mail confirmation to electronic ID.

D.I.M. allows different authentication procedures, from simple e-mail confirmation to electronic ID. Seite 1 von 11 Distributed Identity Management The intention of Distributed Identity Management is the advancement of the electronic communication infrastructure in justice with the goal of defining open,

More information

PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker

PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker www.quotium.com 1/14 Summary Abstract 3 PCI DSS Statistics 4 PCI DSS Application Security 5 How Seeker Helps You Achieve PCI DSS

More information

The ELGA initiative: A plan for implementing a nationwide electronic health records system in Austria

The ELGA initiative: A plan for implementing a nationwide electronic health records system in Austria The ELGA initiative: A plan for implementing a nationwide electronic health records system in Austria Georg Duftschmid, Wolfgang Dorda, Walter Gall Core Unit of Medical Statistics and Informatics Section

More information

Siemens Roadmap to ehealth

Siemens Roadmap to ehealth Siemens Roadmap to ehealth 4. th. ehealth national conference, Sofia Michael Gorgi June 26 th., 2007 Siemens Bulgaria Agenda ehealth? Evolution of ehealth Systems Siemens & ehealth Page 2 June 2007 Siemens

More information

Please quote as: Dünnebeil, S.; Mauro, C.; Sunyaev, A.; Leimeister, J. M. & Krcmar, H. (2009): Integration of patient health portals into the German

Please quote as: Dünnebeil, S.; Mauro, C.; Sunyaev, A.; Leimeister, J. M. & Krcmar, H. (2009): Integration of patient health portals into the German Please quote as: Dünnebeil, S.; Mauro, C.; Sunyaev, A.; Leimeister, J. M. & Krcmar, H. (2009): Integration of patient health portals into the German healthcare telematics infrastructure. In: 15. Americas

More information

Matthias Hauss- SRC Security Research & Consulting GmbH October 2011. PCI DSS Requirements in the Context of European Data Protection Law

Matthias Hauss- SRC Security Research & Consulting GmbH October 2011. PCI DSS Requirements in the Context of European Data Protection Law Matthias Hauss- SRC Security Research & Consulting GmbH October 2011 PCI DSS Requirements in the Context of European Data Protection Law About SRC Two pillars: Card-based Payment Systems and IT security

More information

Canada Health Infoway

Canada Health Infoway Canada Health Infoway EHR s in the Canadian Context June 7, 2005 Mike Sheridan, COO Canada Health Infoway Healthcare Renewal In Canada National Healthcare Priorities A 10-year Plan to Strengthen Healthcare

More information

Continuity of Care Record (CCR) in Germany? PROREC activities on the way to EHR interoperability

Continuity of Care Record (CCR) in Germany? PROREC activities on the way to EHR interoperability Herzlich Willkommen! EHTEL Telemed ehealth IOP Satellite Heidelberg, 12 June 2008 Continuity of Care Record (CCR) in Germany? PROREC activities on the way to EHR interoperability Sebastian Claudius Semler

More information

Uni-directional Trusted Path: Transaction Confirmation on Just One Device

Uni-directional Trusted Path: Transaction Confirmation on Just One Device Uni-directional Trusted Path: Transaction Confirmation on Just One Device Atanas Filyanov 1, Jonathan M. McCune 2, Ahmad-Reza Sadeghi 3, Marcel Winandy 1 1 Ruhr-University Bochum, Germany 2 Carnegie Mellon

More information

Mobile App Testing. Mobile App Testing. Seite 1 von 10

Mobile App Testing. Mobile App Testing. Seite 1 von 10 Mobile App Testing Seite 1 von 10 1 Security and Insecurity of mobile Applications... 3 1.1 App-Security in official App Stores... 3 1.2 mediatest digital App Security Audits... 3 1.2.1 Testing Approach...

More information

Card enabled e-health network How to improve healthcare

Card enabled e-health network How to improve healthcare Card enabled e-health network How to improve healthcare Dr. Elmar Fassbinder Patrick Melioris Bratislava, 25. Sept. 2008 Page 1 Agenda 1) The Vicious Circle in health care 2) Card enabled e-health Network

More information

How to Use ISO/IEC 24727-3 with Arbitrary Smart Cards

How to Use ISO/IEC 24727-3 with Arbitrary Smart Cards How to Use ISO/IEC 24727-3 with Arbitrary Smart Cards Detlef Hühnlein 1 and Manuel Bach 2 1 secunet Security Networks AG, Sudetenstraße 16, 96247 Michelau, Germany detlef.huehnlein@secunet.com 2 Federal

More information

Please quote as: Dünnebeil, S.; Köbler, F.; Koene, P.; Leimeister, J. M. & Krcmar, H. (2011): Encrypted NFC emergency tags based on the German

Please quote as: Dünnebeil, S.; Köbler, F.; Koene, P.; Leimeister, J. M. & Krcmar, H. (2011): Encrypted NFC emergency tags based on the German Please quote as: Dünnebeil, S.; Köbler, F.; Koene, P.; Leimeister, J. M. & Krcmar, H. (2011): Encrypted NFC emergency tags based on the German Telematics Infrastructure. In: Third International Workshop

More information

Response of the German Medical Association

Response of the German Medical Association Response of the German Medical Association To the Green Paper on mobile Health ( mhealth ) of the European Commission Berlin, 3 July 2014 Bundesärztekammer Herbert-Lewin-Platz 1 10623 Berlin We are grateful

More information

ehealth EHR Viewer & Integration Joint Service/Access Policy Executive Summary for Authorized Provider Organizations ("APOs")

ehealth EHR Viewer & Integration Joint Service/Access Policy Executive Summary for Authorized Provider Organizations (APOs) ehealth EHR Viewer & Integration Joint Service/Access Policy July 31, 2013 Version 1.0 1. BACKGROUND: Executive Summary for Authorized Provider Organizations ("APOs") ehealth Saskatchewan ("ehealth") is

More information

Alternative authentication what does it really provide?

Alternative authentication what does it really provide? Alternative authentication what does it really provide? Steve Pannifer Consult Hyperion Tweed House 12 The Mount Guildford GU2 4HN UK steve.pannifer@chyp.com Abstract In recent years many new technologies

More information

Model-based Security Analysis of the German Health Card Architecture

Model-based Security Analysis of the German Health Card Architecture Model-based Security Analysis of the German Health Card Architecture J. Jürjens Computing Department, The Open University, UK R. Rumm Munich, Germany Summary Objectives: Health-care information systems

More information

Guide for Securing E-mail With WISeKey CertifyID Personal Digital Certificate (Personal eid)

Guide for Securing E-mail With WISeKey CertifyID Personal Digital Certificate (Personal eid) The World Internet Security Company Solutions for Security Guide for Securing E-mail With WISeKey CertifyID Personal Digital Certificate (Personal eid) Wherever Security relies on Identity, WISeKey has

More information

Qualified mobile electronic signatures: Possible, but worth a try?

Qualified mobile electronic signatures: Possible, but worth a try? Qualified mobile electronic signatures: Possible, but worth a try? Lothar Fritsch 1, Johannes Ranke 2, Heiko Rossnagel 1 Interest level of audience: 3 - for application developers (interested in IT security)

More information

Inadequacies of Current Risk Controls for the Cloud

Inadequacies of Current Risk Controls for the Cloud Inadequacies of Current Risk Controls for the Cloud Name: Michael Goldsmith Michael Auty, Sadie Creese and Paul Hopkins Venue: CPSRT@CloudCom2010, Indianapolis Date: 2 December 2010 Research supported

More information

Protected Patients Data Centre in Cloud Computing

Protected Patients Data Centre in Cloud Computing Protected Patients Data Centre in Cloud Computing Ms.M.Shanthi 1, Mr. P. Ranjithkumar 2 M.E II year, Department of Computer Science and Engineering, Sri Subramanya College Of Engineering and Technology,

More information

Introducing the Electronic Health Record in Austria

Introducing the Electronic Health Record in Austria Introducing the Electronic Health Record in Austria Wolfgang Dorda a, Georg Duftschmid a, Lukas Gerhold a, Walter Gall a, Jürgen Gambal b a Core Unit for Medical Statistics and Informatics, Medical University

More information

Technical Security in Smart Metering Devices: A German Perspective S4 SCADA Security Scientific Symposium 2012-01-18, Miami Beach FL / USA

Technical Security in Smart Metering Devices: A German Perspective S4 SCADA Security Scientific Symposium 2012-01-18, Miami Beach FL / USA Technical Security in Smart Metering Devices: A German Perspective S4 SCADA Security Scientific Symposium 2012-01-18, Miami Beach FL / USA Dr. Stephan Beirer s.beirer@gai-netconsult.de Sichere ebusiness

More information

CHAPTER 1 INTRODUCTION

CHAPTER 1 INTRODUCTION 1 CHAPTER 1 INTRODUCTION 1.1 Introduction Cloud computing as a new paradigm of information technology that offers tremendous advantages in economic aspects such as reduced time to market, flexible computing

More information

Vs Encryption Suites

Vs Encryption Suites Vs Encryption Suites Introduction Data at Rest The phrase "Data at Rest" refers to any type of data, stored in the form of electronic documents (spreadsheets, text documents, etc.) and located on laptops,

More information

Certification Practice Statement

Certification Practice Statement Certification Practice Statement Revision R1 2013-01-09 1 Copyright Printed: January 9, 2013 This work is the intellectual property of Salzburger Banken Software. Reproduction and distribution require

More information

Managing for the Long Term: Keys to Securing, Troubleshooting and Monitoring a Private Cloud

Managing for the Long Term: Keys to Securing, Troubleshooting and Monitoring a Private Cloud Deploying and Managing Private Clouds The Essentials Series Managing for the Long Term: Keys to Securing, Troubleshooting and Monitoring a Private Cloud sponsored by Managing for the Long Term: Keys to

More information

2.2 The Security of Electronic Medical Records (EMR) DOH, the Executive Yuan August 19, 2009

2.2 The Security of Electronic Medical Records (EMR) DOH, the Executive Yuan August 19, 2009 Topic 2: Privacy Protection and Ensuring Security of Network Applications or Services 2.2 The Security of Electronic Medical Records (EMR) DOH, the Executive Yuan August 19, 2009 1 Agenda 1. The Vision

More information

Threat Model for Software Reconfigurable Communications Systems

Threat Model for Software Reconfigurable Communications Systems Threat Model for Software Reconfigurable Communications Systems Presented to the Management Group 6 March 007 Bernard Eydt Booz Allen Hamilton Chair, SDR Security Working Group Overview Overview of the

More information

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0 Entrust Managed Services PKI Getting started with digital certificates and Entrust Managed Services PKI Document issue: 1.0 Date of issue: May 2009 Copyright 2009 Entrust. All rights reserved. Entrust

More information

exceet Secure Solutions Smart & Secure Network From Vision to Reality

exceet Secure Solutions Smart & Secure Network From Vision to Reality exceet Secure Solutions Smart & Secure Network From Vision to Reality Agenda 1. About exceet 2. Entering the World of Smart Connected Products 3. exceet s Transformation Developing New Competencies 4.

More information

White Paper. From Policy to Practice: A Practical Guide to Implementing HIPAA Security Safeguards

White Paper. From Policy to Practice: A Practical Guide to Implementing HIPAA Security Safeguards From Policy to Practice: A Practical Guide to Implementing HIPAA Security Safeguards Abstract HIPAA requires a number of administrative, technical, and physical safeguards to protect patient information

More information

SERIES Y: GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS Next Generation Networks Security

SERIES Y: GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS Next Generation Networks Security International Telecommunication Union ITU-T Y.2740 TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (01/2011) SERIES Y: GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS

More information

Secure Information Systems Engineering: Experiences and Lessons Learned from two Health Care Projects

Secure Information Systems Engineering: Experiences and Lessons Learned from two Health Care Projects Secure Information Systems Engineering: Experiences and Lessons Learned from two Health Care Projects H. Mouratidis 1, A. Sunyaev 2, J. Jurjens 3 1 School of Computing and Technology, University of East

More information

e-health in Europe Georges Liberman, Ingenico

e-health in Europe Georges Liberman, Ingenico e-health in Europe At Ingenico, we bring the security layer between the patient, the doctor, and the health management system. This way healthcare systems become safer, more efficient, and provide a better

More information

Security and privacy rights management for mobile and ubiquitous computing

Security and privacy rights management for mobile and ubiquitous computing Security and privacy rights management for mobile and ubiquitous computing Michael Fahrmair, Wassiou Sitou, and Bernd Spanfelner Technische Universität München, Department of Informatics, Boltzmannstr.3,

More information

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011 Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8

More information

SECURITY ANALYSIS OF PASSWORD BASED MUTUAL AUTHENTICATION METHOD FOR REMOTE USER

SECURITY ANALYSIS OF PASSWORD BASED MUTUAL AUTHENTICATION METHOD FOR REMOTE USER SECURITY ANALYSIS OF PASSWORD BASED MUTUAL AUTHENTICATION METHOD FOR REMOTE USER Mrs. P.Venkateswari Assistant Professor / CSE Erode Sengunthar Engineering College, Thudupathi ABSTRACT Nowadays Communication

More information

Cloud security architecture

Cloud security architecture ericsson White paper Uen 284 23-3244 January 2015 Cloud security architecture from process to deployment The Trust Engine concept and logical cloud security architecture presented in this paper provide

More information

Federation Proxy for Cross Domain Identity Federation

Federation Proxy for Cross Domain Identity Federation Proxy for Cross Domain Identity Makoto Hatakeyama NEC Corporation, Common Platform Software Res. Lab. 1753, Shimonumabe, Nakahara-Ku, Kawasaki, Kanagawa 211-8666, Japan +81-44-431-7663 m-hatake@ax.jp.nec.com

More information

GENERIC SECURITY FRAMEWORK FOR CLOUD COMPUTING USING CRYPTONET

GENERIC SECURITY FRAMEWORK FOR CLOUD COMPUTING USING CRYPTONET http:// GENERIC SECURITY FRAMEWORK FOR CLOUD COMPUTING USING CRYPTONET Manisha Dawra 1, Ramdev Singh 2 1 Al-Falah School of Engg. & Tech., Vill-Dhauj, Ballabgarh-Sohna Road, Faridabad, Haryana (INDIA)-121004

More information

Secure procedure for the German CCIs certificates of origin

Secure procedure for the German CCIs certificates of origin Secure procedure for the German CCIs certificates of origin In Germany, Chambers of Commerce and Industry issue certificates of origin. They apply two different procedures, which are equally correct and

More information

Compliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations

Compliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations Enabling a HITECH & HIPAA Compliant Organization: Addressing Meaningful Use Mandates & Ensuring Audit Readiness Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard Compliance Mandates Increased

More information

Purpose. Service Model SaaS (Applications) PaaS (APIs) IaaS (Virtualization) Use Case 1: Public Use Case 2: Use Case 3: Public.

Purpose. Service Model SaaS (Applications) PaaS (APIs) IaaS (Virtualization) Use Case 1: Public Use Case 2: Use Case 3: Public. Federal CIO Council Information Security and Identity Management Committee (ISIMC) Guidelines for the Secure Use of Cloud Computing by Federal Departments and Agencies DRAFT V0.41 Earl Crane, CISSP, CISM

More information

Compliance in Clouds A cloud computing security perspective

Compliance in Clouds A cloud computing security perspective Compliance in Clouds A cloud computing security perspective Kristian Beckers, Martin Hirsch, Jan Jürjens GI Workshop: Governance, Risk & Compliance on the 19th of March 2010 What is Cloud Computing? Today:

More information

Technische Herausforderungen der Cloud-Forensik

Technische Herausforderungen der Cloud-Forensik Technische Herausforderungen der Cloud-Forensik Dominik Birk Horst Görtz Institute for IT Security Bochum (Germany) Anwendertag IT-Forensik 2011 April 12 th, 2011, Darmstadt The Speaker Dominik Birk Ph.D.

More information

Pervasive Computing und. Informationssicherheit

Pervasive Computing und. Informationssicherheit Pervasive Computing und 11. Symposium on Privacy and Security Rüschlikon, 13. September 2006 Prof. Christof Paar European Competence Center for IT Security www.crypto.rub.de Contents 1. Pervasive Computing

More information

WHITEPAPER. Data Security for Office 365 Balancing control & usability

WHITEPAPER. Data Security for Office 365 Balancing control & usability WHITEPAPER Data Security for Office 365 Balancing control & usability Contents Executive Summary... 2 Top Security Issues for Office 365... 4 Compelled Disclosures... 4 Unauthorized Sharing... 4 External

More information

Heuristic Walkthrough Usability Evaluation of Electronic Health Record with a Proposed Security Architecture

Heuristic Walkthrough Usability Evaluation of Electronic Health Record with a Proposed Security Architecture Heuristic Walkthrough Usability Evaluation of Electronic Health Record with a Proposed Prajakta Pawar, Sushopti Gawade Abstract: There currently appears to be concerted efforts at national (HSE) Regional

More information

Securing VoIP Networks using graded Protection Levels

Securing VoIP Networks using graded Protection Levels Securing VoIP Networks using graded Protection Levels Andreas C. Schmidt Bundesamt für Sicherheit in der Informationstechnik, Godesberger Allee 185-189, D-53175 Bonn Andreas.Schmidt@bsi.bund.de Abstract

More information

Implementation of Role Based Access Control on Encrypted Data in Hybrid Cloud

Implementation of Role Based Access Control on Encrypted Data in Hybrid Cloud Implementation of Role Based Access Control on Encrypted Data in Hybrid Cloud Gajanan Ganorkar, Prof. A.B. Deshmukh, Prof M.D.Tambhakhe Information Technology Email:g.ganorkar7691@gmail.com Contact: 8600200142

More information

A Structured Comparison of Security Standards

A Structured Comparison of Security Standards A Structured Comparison of Security Standards Kristian Beckers 1, Isabelle Côté 3, Stefan Fenz 2, Denis Hatebur 1,3, and Maritta Heisel 1 1 paluno - The Ruhr Institute for Software Technology - University

More information

DIGITAL RIGHTS MANAGEMENT SYSTEM FOR MULTIMEDIA FILES

DIGITAL RIGHTS MANAGEMENT SYSTEM FOR MULTIMEDIA FILES DIGITAL RIGHTS MANAGEMENT SYSTEM FOR MULTIMEDIA FILES Saiprasad Dhumal * Prof. K.K. Joshi Prof Sowmiya Raksha VJTI, Mumbai. VJTI, Mumbai VJTI, Mumbai. Abstract piracy of digital content is a one of the

More information

Chapter 1: Introduction

Chapter 1: Introduction Chapter 1 Introduction 1 Chapter 1: Introduction 1.1 Inspiration Cloud Computing Inspired by the cloud computing characteristics like pay per use, rapid elasticity, scalable, on demand self service, secure

More information

InfoGard Healthcare Services. 2015 InfoGard Laboratories Inc.

InfoGard Healthcare Services. 2015 InfoGard Laboratories Inc. InfoGard Healthcare Services 10 Steps To Protect My Covered Entity From Breach Your Presenters Alan Martin Account Manger Marvin Byrd Security Engineer Test and Certification Laboratory Healthcare Payment

More information

Research Information Security Guideline

Research Information Security Guideline Research Information Security Guideline Introduction This document provides general information security guidelines when working with research data. The items in this guideline are divided into two different

More information

White Paper Preventing Man in the Middle Phishing Attacks with Multi-Factor Authentication

White Paper Preventing Man in the Middle Phishing Attacks with Multi-Factor Authentication White Paper Preventing Man in the Middle Phishing Attacks with Multi-Factor Authentication Page 1 of 8 Introduction As businesses and consumers grow increasingly reliant on the Internet for conducting

More information

NATIONAL CYBER SECURITY AWARENESS MONTH

NATIONAL CYBER SECURITY AWARENESS MONTH NATIONAL CYBER SECURITY AWARENESS MONTH Tip 1: Security is everyone s responsibility. Develop an awareness framework that challenges, educates and empowers your customers and employees to be part of the

More information

National Deployment Committee Activity Report

National Deployment Committee Activity Report National Deployment Committee Activity Report Nation / Region Name: IHE Austria Deployment Committee Report Date Activity Report Issued: April 26 th, 2012 Mission of the National / Regional IHE initiative

More information

Building A Secure Microsoft Exchange Continuity Appliance

Building A Secure Microsoft Exchange Continuity Appliance Building A Secure Microsoft Exchange Continuity Appliance Teneros, Inc. 215 Castro Street, 3rd Floor Mountain View, California 94041-1203 USA p 650.641.7400 f 650.641.7401 ON AVAILABLE ACCESSIBLE Building

More information

Efficient Integrity Checking Technique for Securing Client Data in Cloud Computing

Efficient Integrity Checking Technique for Securing Client Data in Cloud Computing International Journal of Electrical & Computer Sciences IJECS-IJENS Vol: 11 No: 05 41 Efficient Integrity Checking Technique for Securing Client Data in Cloud Computing Abstract-- It has been widely observed

More information

preliminary experiment conducted on Amazon EC2 instance further demonstrates the fast performance of the design.

preliminary experiment conducted on Amazon EC2 instance further demonstrates the fast performance of the design. Privacy-Preserving Public Auditing For Secure Cloud Storage ABSTRACT: Using cloud storage, users can remotely store their data and enjoy the on-demand high-quality applications and services from a shared

More information

Security and Privacy Issues and Requirements for Healthcare Cloud Computing

Security and Privacy Issues and Requirements for Healthcare Cloud Computing ICT Innovations 2012 Web Proceedings ISSN 1857-7288 143 Security and Privacy Issues and Requirements for Healthcare Cloud Computing Goce Gavrilov 1, Vladimir Trajkovik 2 1 Health Insurance Fund of Macedonia,

More information

EHR STRATEGY FINLAND. Kari Harno Helsinki University Central Hospital

EHR STRATEGY FINLAND. Kari Harno Helsinki University Central Hospital EHR STRATEGY FINLAND Kari Harno Helsinki University Central Hospital The Nordic Welfare Model In Finland this model includes: universal coverage of services universal social security scheme health insurance

More information

Information Security Basic Concepts

Information Security Basic Concepts Information Security Basic Concepts 1 What is security in general Security is about protecting assets from damage or harm Focuses on all types of assets Example: your body, possessions, the environment,

More information

Secure Card based Voice over Internet Protocol Authentication

Secure Card based Voice over Internet Protocol Authentication Secure Card based Voice over Internet Protocol Authentication By GOWSALYA.S HARINI.R CSE-B II YEAR (IFET COLLEGE OF ENGG.) Approach to Identity Card-based Voiceover-IP Authentication Abstract Voice-over-IP

More information

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University

More information

CRYPTOGRAPHY AS A SERVICE

CRYPTOGRAPHY AS A SERVICE CRYPTOGRAPHY AS A SERVICE Peter Robinson RSA, The Security Division of EMC Session ID: ADS R01 Session Classification: Advanced Introduction Deploying cryptographic keys to end points such as smart phones,

More information