Mobile Healthcare Security Whitepaper



Similar documents
Teleradiology Security Whitepaper

Ensuring the security of your mobile business intelligence

Sophos Mobile Control User guide for Apple ios. Product version: 2 Document date: December 2011

Sophos Mobile Control User guide for Apple ios. Product version: 4

Mobile Device Management Version 8. Last updated:

Copyright 2013, 3CX Ltd.

When enterprise mobility strategies are discussed, security is usually one of the first topics

Sophos Mobile Control User guide for Apple ios

The fi rst fully network-based integrated OR

SysAid MDM User Guide for ios

RAYSAFE S1 SECURITY WHITEPAPER VERSION B. RaySafe S1 SECURITY WHITEPAPER

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

1. What are the System Requirements for using the MaaS360 for Exchange ActiveSync solution?

WHITEPAPER. SECUREAUTH 2-FACTOR AS A SERVICE 2FaaS

Type of Personal Data We Collect and How We Use It

Research Information Security Guideline

Sophos Mobile Control Startup guide. Product version: 3.5

EMR Link Server Interface Installation

Mobile Iron User Guide

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

Remote Desktop Gateway. Accessing a Campus Managed Device (Windows Only) from home.

MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE

Setting up SJUMobile (Wireless Internet Access for personal devices)

ViewPoint Mobile Quick Start Guide

Deploying iphone and ipad Security Overview

Privacy Policy Version 1.0, 1 st of May 2016

FileCloud Security FAQ

Sophos Mobile Control Startup guide. Product version: 3

How to configure Mac OS X Server

USC Marshall School of Business ShareFile_With_Outlook_Client_v2.docx 6/12/13 1 of 9

Note. Server Name. User Name. Password

WISE-4000 Series. WISE IoT Wireless I/O Modules

Feature and Technical

/ 1. Online Banking User Guide SouthStateBank.com / (800)

SecureSend File Transfer Portal Usage Guide

Ensuring the security of your mobile business intelligence

The CIO s Guide to HIPAA Compliant Text Messaging

Novell Filr 1.0.x Mobile App Quick Start

A Nemaris Company. Formal Privacy & Security Assessment For Surgimap version and higher

Server Installation ZENworks Mobile Management 2.7.x August 2013

Two-Factor Authentication over Mobile: Simplifying Security and Authentication

Secure Data Transfer

Cloud Services MDM. ios User Guide

/ 1. Online Banking User Guide SouthStateBank.com / (800)

Is there a fee to use U-Deposit? No, U-Deposit is a free*, convenient service provided to UNITED SA Federal Credit Union members.

How to configure your mobile devices post migrating to Microsoft Office 365

Instructions Android Smartphone & Tablet Page 1

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and

Setting Up and Accessing VPN

Android App User Guide

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE

A new innovation to protect, share, and distribute healthcare data

Sophos Mobile Control User guide for Windows Phone 8. Product version: 3.5

GV-iView HD V1 for ipad

Pogo> User Guide. for iphone, ipad and ipod touch

WatchDox Administrator's Guide. Application Version 3.7.5

Cloud Managed Printing

Enterprise Analytics. (Also known as Pyramid Analytics or BI Office) Mobile Device Support

Initial DUO 2 Factor Setup, Install, Login and Verification

Advanced Configuration Steps

Advanced Administration

Supplier Information Security Addendum for GE Restricted Data

Sophos Mobile Control User guide for Windows Mobile

User Guide Supplement. S/MIME Support Package for BlackBerry Smartphones BlackBerry Pearl 8100 Series

Android Developer Applications

Zipit Chat. Functional Specification / User Manual

User manual Remote access VNC V 0.2

BlackBerry Enterprise Service 10. Universal Device Service Version: Administration Guide

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING

Brainloop Cloud Security

ipad in Business Security

Information Security Policy

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery

Secure Mail Message Retrieval Instructions

Bell Mobile Device Management (MDM)

GO!Enterprise MDM Device Application User Guide Installation and Configuration for ios with TouchDown

Install and Configure Cyberoam iaccess for ios

PA-DSS Implementation Guide for. Sage MAS 90 and 200 ERP. Credit Card Processing

GO!Enterprise MDM Device Application User Guide Installation and Configuration for Android

Securing Corporate on Personal Mobile Devices

Send and receive encrypted s

Using etoken for Securing s Using Outlook and Outlook Express

The All-in-One Support Solution. Easy & Secure. Secure Advisor

BlackVue Cloud App Overview...3. Getting Started...6. Basic Menu Screens BlackVue Cloud BlackVue Wi-Fi Internal Memory...

Sophos Mobile Control Technical guide

Security Architecture Whitepaper

GadgetTrak Mobile Security Android & BlackBerry Installation & Operation Manual

Wakefield Council Secure and file transfer User guide for customers, partners and agencies

Sophos Mobile Control as a Service Startup guide. Product version: 3.5

Transcription:

Mobile Healthcare Security Whitepaper aycan OsiriX PRO, aycan mobile and Apple's ipad as DICOM image distribution enhancement for PACS environments. Copyright aycan Digitalsysteme GmbH 2013 ayc_mobile_healthcare_security_whitepaper_130529_sp_ds. ID54676 Mobile Healthcare - Security Whitepaper Page 1 of 10

Table of Content 1. Executive Summary 2. aycan mobile 3. Use cases 4. Security 5. Other aspects 6. References Mobile Healthcare - Security Whitepaper Page 2 of 10

1. Executive Summary Medical professionals want to use state-of-the-art mobile technology for their needs. Tablets and smartphones provide mobile access to medical information. Mobile devices offer advantages of viewing medical images on the fly. Their functionality is still limited by hard- and software. This new technology also introduces new questions about security and effectiveness. Due to the characteristics of tablet technology, the diagnostic use should be limited to high contrast, low resolution medical studies like MRI, CT, US, NM and PET. Local regulations about display technology should be followed also. aycan mobile, an ipad App for transferring and displaying DICOM images, is used in many medical facilities for different use cases. Information security regarding confidentiality, integrity, availability and accountability is ensured on a solid level and complies the current state of the technology. It even follows German data protection law (which might be the toughest law about this topic worldwide). Mobile Healthcare - Security Whitepaper Page 3 of 10

2. aycan mobile aycan mobile provides a transparent way to share DICOM images in local and also to distant networks. The DICOM images are stacked into cases (at the aycan OsiriX PRO software inside the hospital/imaging center) and sent to ipads. Users have to setup a login at the mobile.aycan.com server. This server will never store any patient data and is only used for establishing the proper connection between sender and receiver. The existence of a new case is signalized to the ipad user through the Apple Push Notification service. After login to the aycan mobile App some meta data and thumbnails of the case are retrieved by the ipad. If both devices (aycan mobile and aycan OsiriX PRO) are logged in at the same network, they will establish a secure, encrypted channel and send the images directly to the ipad. If they are in different networks without routing, they will establish a secure, encrypted ad-hoc SSL tunnel between the devices and send the images to the ipad. Fig. 1 aycan mobile Workflow aycan mobile provides several features for displaying and basic image processing, including the comparison of two series. Mobile Healthcare - Security Whitepaper Page 4 of 10

3. Use cases There are at least four use cases for the aycan mobile system: 1. Reviewing images with patients at their bedside. 2. On-call and other remote review, interpretation, and diagnosis of radiological images. 3. Teleconsulting with colleagues. 4. Distribution of images to colleagues on-site. Fig. 2 aycan mobile use cases Mobile Healthcare - Security Whitepaper Page 5 of 10

4. Security The overall security of the ipad is documented at the Apple website, section "ipad in Business". Topics are: Device Control and Protection Data Protection Secure Network Communication Secure Platform Foundation It is recommended to setup the Apple remote wipe feature, in case the ipad gets lost. Apps for ios are reviewed by Apple before they are released for customers. This is a benefit for the integrity and security of the software and the ipad. Currently there are no known viruses and other compromising software published for ios. 4.1 Confidentiality Confidentiality assures that no unauthorized users have access to the information. There are two possible sources identified which might cause a risk regarding confidentiality: 1. Access to the information during the information is transmitted to the device. 2. Access to the information while the information is on the device. This is addressed by the following topics: Use of encrypted transmission channel, data is encrypted during transmission. Data is stored encrypted on the device. Application and data access secured by password. It is recommended to send only anonymized data to the device. Anonymization of the 'patient name' can be used by default or switched on/off for each individual transfer. It is recommended to make use of remote deletion services for the device from the manufacturer of the device. (See also attached ipad Security Overview: 'remote wipe'.) It is recommended to secure access to the device by password. If a user logs into the application which keeps data for another target user at this time, the data for the other user is deleted during the login process. The encryption is implemented in a way which doesn't even allow the device respectively the operating system manufacturer to get access to the data. Mobile Healthcare - Security Whitepaper Page 6 of 10

4.2 Integrity Integrity assures that the information is correct that is, it has not been improperly modified. The data is encrypted during transmission (over an encrypted channel) and during storage on the device (see 4.1 Confidentiality). From that point where the data left the source node until the data is displayed on the screen there is no possibility to alter the information at the data sets because modification would imply correct decryption and correct encryption after modification, which is not possible with reasonable effort. The data transfer mechanism assures that incomplete or modified transmissions can be detected and that the user is notified. Regarding the software distribution process defined by Apple it can be assumed that only aycan is able to replace the application itself by another version. Software modifications on the device are not envisioned. Therefore unwanted software changes can be seen as precluded. 4.3 Availability Availability suggests that the information will be available when needed. It is in the nature of a mobile device that it has to handle the uncertainty of the transmission channel especially if the area of mobility is not limited to a certain area where somehow controlled transmission channel conditions can be expected like at a hospital building or campus. Usage at time critical scenarios is not included at the Intended Use of aycan mobile. To ensure to have a reliable transmission channel when needed, the user should read up on the reception conditions of a certain area before he is going to use the solution there (access to WiFi hotspots or 3G/EDGE/... network access depending on the technique he would like and he is able to use). Before data deletion is executed a prompt for confirmation must be done. Correct operation of the update/upgrade functionality from any previous version will be checked during the verification process. ios the operating system of the ipad is a closed system. Users don't have access to the system. Installation of applications can be restricted by the administration capabilities of ios. Mobile Healthcare - Security Whitepaper Page 7 of 10

4.4 Accountability Accountability is the application of identification and authentication to assure that the prescribed access process is being done by an authorized user. Every person who wants to use the system has to have a valid user account. For each user account a unique user name has to be selected. It is recommended not to share user accounts but to have a dedicated account for each person that would like to use the system. People who would like to exchange messages respectively images have to authorize each other before one is able to send data to the other. Each message either only text messages or messages where image data is attached has an unambiguous user as the sender of this message. Each message has one (in later versions possibly more) unambiguous user as the addressee(s) of the message. Access to data of a certain user is only possible after successful login. Mobile Healthcare - Security Whitepaper Page 8 of 10

5. Other aspects 5.1 Diagnostic use In some countries are regulations about medical displays for diagnostic use. Users have to check local regulations whether the display of the ipad is sufficient for diagnostic purposes. The display of the ipad is a 9.7" touchscreen with Retina resolution (2.048 x 1.536 pixels at 264 pixels per inch (ppi)) or the older ipad 2 with 1.024 x 768 pixels resolution. An external (medical) display can be connected to the ipad 2 by an adapter and the ipad can display 1.920 x 1.280 pixels on this external device. Fig. 3: ipad for Diagnostic Purposes The aycan mobile App is labeled with a CE-Mark as a Medical Device Class I in Europe and with FDA 510(k) clearance in the USA. It provides a visualization correction Function (VCF) according to the DICOM GSDF curve, which is similar to a DICOM Preset medical grade display. The ipad touchscreen reaches regulations of DIN V 6868-57:2001-02 (Consistency and uniformity testing for medical displays). A touchscreen is always affected by fingerprints while usage. Users should always check the display before and while usage and clean the display when necessary. 5.2. Hygiene There are third-party manufacturers who offer covers, cases and shields for the ipad which can be sanitized. 5.3. Software distribution process According to the limited influence on the software distribution process of the device manufacturer, there is a mechanism implemented to ensure that a recall of the product in case of serious risk can be done in an effective way independently from the software distribution process. Mobile Healthcare - Security Whitepaper Page 9 of 10

6. References ipad in Business Security resources http://www.apple.com/ipad/business/it-center/security.html ipad Initiative, University of Chicago http://medchiefs.bsd.uchicago.edu/ipad.html aycan mobile user manual, section Safety Instructions Mobile Healthcare - Security Whitepaper Page 10 of 10