Privacy and Security Policies for Healthcare Solutions on the Cloud
Karuna P Joshi, PhD, University of Maryland, Baltimore County
karuna.joshi@umbc.edu

Introduction
- Increasing adoption of technologies such as Electronic Health Records (EHR) to capture clinical data
- Mandated by the Health Information Technology for Economic and Clinical Health (HITECH 2009) Act
- A variety of medical records data can be aggregated and analyzed to personalize the delivery of healthcare
- Huge growth in medical/healthcare data expected in the coming decade
- Cloud-based solutions are being adopted
- Focus of this talk: cloud security and privacy policies for healthcare/personalized medicine

Medical Records Data
- Providers maintain Electronic Medical Records (EMRs)
- Electronic records shared between different EMR systems are called Electronic Health Records (EHRs)
- Interoperation and sharing among different EMRs is poor
- Cost and poor usability are obstacles to the adoption of EHR
- Personal Health Record (PHR): a health record that is initiated and maintained by an individual; includes a summary of the EMR and EHR

Current Medical Technology
- Picture archiving and communication system (PACS)
- The universal format for PACS image storage and transfer is DICOM (Digital Imaging and Communications in Medicine)
- PACS consists of:
  - Imaging modalities such as X-ray, CT, MRI
  - Secured network for the transmission of patient information
  - Workstations for interpreting and reviewing images
  - Archives for the storage and retrieval of images and reports
- PACS should interface with the Hospital Information System (HIS) and Radiology Information System (RIS)

Health Care IT Services
Per the Certification Commission for Healthcare Information Technology (CCHIT), the following electronic medical IT systems are being offered in the market:
- Electronic Health Records (EHRs)
- Electronic Medical Records (EMRs)
- Personal Health Records (PHRs)
- Payer-based Health Records (PBHRs)
- Electronic Prescribing (E-prescribing)
- Medical Financial Billing/Administrative Systems
- Computerized Practitioner Order Entry (CPOE) Systems

Some Cloud Solutions
- EHR, EMR
- Sequencing and Genotyping
- The majority of them run on cloud providers such as Amazon, Rackspace and Microsoft

Challenges with Large Medical Data
- Medical data at present is very large in volume, running to the order of terabytes (10^12 bytes)
- With the increasing adoption of digitized patient records and physicians' notes, it has the potential of reaching peta (10^15) or even exa (10^18) bytes of data, which in itself will be difficult to manage and analyze
- Data currently resides in separate silos, which prevents it from being correlated and analyzed
- Few providers can afford the infrastructure, both hardware and software, needed to collect, clean, curate, and analyze this data

Technical Solution: Cloud Computing
- Latest paradigm for delivering IT resources or applications
- Services/applications are stored and run on the cloud and accessed by consumers via the Internet using computers or mobile devices
- Cloud-based services can provide analytics-driven personalized medicine services, available to practitioners at the point of care
- "X as a Service": data storage, computing power, platform
- E.g. cloud-based PACS, CareCloud cloud-based EHR, cloud-based medical billing services

Advantages of Using Cloud
- Cloud services make data and computing capabilities portable, sharable, and accessible from any online device (the objective of the HITECH Act)
- Significant cost savings and the option of avoiding capital investment for organizations
- Elasticity: organizations can easily scale their resources up or down instantly and on demand
- Cloud services are OS-neutral and usually easy to use; e.g. Click Care HIPAA-compliant SaaS and iPhone application

Challenges in Using Cloud
- Data security / patient privacy (attacks by hackers)
- Data ownership
- Auditing the cloud provider
- Compliance and legal issues; issues of regulatory compliance
- Provider reliability: what happens if the provider goes out of business? E.g. in 2001, GE Healthcare bought health records provider Encounter EHR and eventually ended up shutting it down, giving record holders 30 days notice to reclaim their data or lose it
- Not mature; standards still developing

Healthcare Services on the Cloud
(Diagram) A healthcare cloud hosting the EHR/EMR service, PACS services, a medical billing service and a public data service. Consumers (HIS/RIS, medical imaging, real-time sensors, collaborating medical teams, genome data, online communities) reach the services through a Service Access Policy, and the services reach the cloud data through a Cloud Data Access Policy.
Policy-Driven Cloud Services
- A semantically rich, policy-based framework can be used to automate the lifecycle of virtualized services (lifecycle proposed by us at UMBC)
- Identify the key policies that the cloud service should comply with:
  - Hard constraints that have to be met, e.g. HIPAA compliance
  - Soft constraints that can be negotiated, e.g. cost, support
- Policies defined in the Requirements phase:
  - Technical policies: OS, hardware, applications, database
  - Data / security policies
  - Privacy policies
  - Compliance policies

Healthcare Cloud Security Policy
- Level of control over the operating systems, hardware, and software
- User, resource, and data request threshold policies
- Whether the cloud provider is internal, within an organization-controlled data center, or hosted externally
- Compliance requirements: the Health Insurance Portability and Accountability Act (HIPAA), 1996; FISMA

Healthcare Services Cloud
- Service model: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
- Cloud deployment: public, hybrid, community, private

Cloud Data Security Policy Checklist
1. Cloud data location policy
2. Data deletion policy
3. Data encryption strategy
4. Identity management policy
5. Service Level Agreement (SLA) monitoring
6. Incident response
7. Cloud forensics
8. Cloud data audit

Cloud Security/Privacy Policies
- Data/cloud location: US jurisdiction, Europe jurisdiction, globally located
- Data deletion: archived, secure wipe
- Data encryption: encryption, key management
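The following is an added example, not code from the talk or from the UMBC framework, showing how the hard/soft constraint split of the policy lifecycle can be applied to the location, deletion, encryption and key-management policies above: offers failing any hard constraint are rejected with the reason, and only the survivors are ranked on negotiable soft constraints. All offer attributes, constraint names and sample values are constructed.

```python
from dataclasses import dataclass

@dataclass
class Offer:
    """One candidate cloud service offering (all values constructed)."""
    name: str
    hipaa_compliant: bool        # compliance policy
    data_location: str           # "US", "EU" or "global" (data location policy)
    secure_wipe: bool            # data deletion policy
    encrypted_at_rest: bool      # data encryption policy
    customer_managed_keys: bool  # key management policy
    monthly_cost: float          # negotiable
    support_hours: int           # negotiable, hours of support per day

# Hard constraints: every check must hold or the offer is rejected outright.
HARD = {
    "hipaa_compliant": lambda o: o.hipaa_compliant,
    "data_in_us_jurisdiction": lambda o: o.data_location == "US",
    "secure_wipe_on_deletion": lambda o: o.secure_wipe,
    "encrypted_at_rest": lambda o: o.encrypted_at_rest,
    "customer_managed_keys": lambda o: o.customer_managed_keys,
}

def soft_score(o: Offer, budget: float = 5000.0) -> float:
    """Soft constraints are scored 0..1 and only rank offers that passed HARD."""
    cost = max(0.0, 1.0 - o.monthly_cost / budget)  # cheaper is better
    support = min(1.0, o.support_hours / 24.0)       # 24x7 support scores 1.0
    return round((cost + support) / 2, 3)

def evaluate(offers):
    """Return (compliant offer names ranked best first, {rejected: failed checks})."""
    ranked, rejected = [], {}
    for o in offers:
        failed = [name for name, check in HARD.items() if not check(o)]
        if failed:
            rejected[o.name] = failed
        else:
            ranked.append((soft_score(o), o.name))
    ranked.sort(reverse=True)
    return [name for _, name in ranked], rejected

OFFERS = [  # constructed sample offers for the demonstration
    Offer("cheap-global", True, "global", True, True, False, 900.0, 8),
    Offer("us-ehr-a", True, "US", True, True, True, 3000.0, 24),
    Offer("us-ehr-b", True, "US", True, True, True, 2000.0, 12),
    Offer("no-hipaa", False, "US", True, True, True, 1500.0, 24),
]

if __name__ == "__main__":
    print(evaluate(OFFERS))
```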
Cloud Identity Management
- Identity management is critical
- Authentication mechanisms: ID/password, smart card (CatCard), PIN, one-time PIN/password
- Data accessed via a mobile device / tablet requires stronger authentication
- Authorization methods:
  - Limited administrator access
  - Group-level access: physicians, residents, nurses
  - Need-to-know access: individual based
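As an added example (not from the talk), the access decision below combines the three controls on this slide: a device-dependent minimum authentication strength, group-level access by role, and an individual need-to-know check against the patient's care team. The roles, record sections, users and care-team assignments are constructed.

```python
from dataclasses import dataclass
from typing import Tuple

# Authentication strength levels; mobile/tablet access requires the higher one.
PASSWORD_ONLY, TWO_FACTOR = 1, 2
MIN_STRENGTH = {"workstation": PASSWORD_ONLY, "mobile": TWO_FACTOR}

# Group-level access: which record sections each role may read (constructed).
ROLE_SECTIONS = {
    "physician": {"notes", "orders", "labs", "billing"},
    "resident": {"notes", "orders", "labs"},
    "nurse": {"notes", "labs"},
    "admin": {"billing"},          # limited administrator access
}

# Need-to-know: a user may only read patients on their own care list (constructed).
CARE_TEAM = {"pat-001": {"dr.lee", "rn.kim"}, "pat-002": {"dr.lee", "res.ali"}}

@dataclass
class Request:
    user: str
    role: str
    device: str           # "workstation" or "mobile"
    auth_strength: int    # PASSWORD_ONLY or TWO_FACTOR
    patient: str
    section: str

def decide(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Every policy must pass; the first failure is reported."""
    # Unknown device types default to the stricter requirement.
    if req.auth_strength < MIN_STRENGTH.get(req.device, TWO_FACTOR):
        return False, "authentication too weak for device"
    if req.section not in ROLE_SECTIONS.get(req.role, set()):
        return False, "role not permitted for section"
    if req.user not in CARE_TEAM.get(req.patient, set()):
        return False, "not on patient's care team (need-to-know)"
    return True, "allowed"

if __name__ == "__main__":
    print(decide(Request("dr.lee", "physician", "mobile", TWO_FACTOR, "pat-001", "orders")))
    print(decide(Request("rn.kim", "nurse", "workstation", PASSWORD_ONLY, "pat-001", "orders")))
```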
Continuous SLA Monitoring
- Monitoring of the SLA is critical to ensure performance and ROI
- Companies want to be able to translate existing outsourcing policies into the cloud
- We have developed an ontology for machine-readable cloud SLAs, publicly available at http://ebiq.org/r/344

Incident Response for Cloud Services*
Cloud support SLAs should include:
- Availability timeframe of services
- Contingency (business continuity) plans
- Timeframes for notification and recovery following an unplanned service disruption or a security incident
- Problem resolution and escalation procedures
- Scheduled maintenance times
* Source: some policies of a major financial organization, industry best practices

Cloud Data Privacy Policies
- Patient data access across services, across consumers
- Virtual machine separation
- Controlled multi-tenancy
- Disclosure risk assessment: existing data, inferred data

Healthcare Ontologies
- Develop a standard ontology to describe/define EHR, PACS, DICOM standards
- Efforts being led by the US National Library of Medicine: Unified Medical Language System (UMLS)
- OpenClinical: cancer research, UK
- GALEN and GALEN-open project
- Gene Ontology Consortium: molecular function, biological process, cellular component

Summary
- Increasing adoption of cloud-based IT services for personalized medicine (mandated by HITECH 2009)
- A policy-based integrated framework to control the execution of cloud-based healthcare services
- Declarative, semantically rich approach that helps specify policies to control the service
- Automate the execution and consumption of such services at the point of care, protect patient privacy, and ensure compliance with appropriate policies
- An automated cloud-based service will ensure that the physician can focus on the patient's health and not be concerned with the IT requirements

Papers available at http://ebiquity.umbc.edu
Contact: karuna.joshi@umbc.edu