End-to-End Security for Personal Telehealth

Similar documents
develop privacy policies, and implement them with role-based or other access control mechanisms supported by EHR systems.

Practical Guidance to Implement Meaningful Use Stage 2. Secure Health Transport for Certification and Meaningful Use

IHE IT Infrastructure Technical Framework Supplement. Document Encryption (DEN) Trial Implementation

HIMSS Interoperability Showcase 2011

HIMSS Interoperability Showcase 2011

DELIVERABLE. ANTILOPE - Adoption and take up of standards and profiles for ehealth Interoperability" D3.2: Request for proposal. Version: 1.

Mobile Health. Architecture, Applications, Security. Capt Farell FOLLY, Ir. June 20th, Lusaka - ZAMBIA. Africa Internet Summit 2013

Milan Zoric ETSI

EHR Interoperability Framework Overview

Patient Empowerment Framework for Cardiac Patients

Continua and IHE Joint Recommendation on Remote Monitoring

ConCert by HIMSS Certification: An Overview

Practical Guidance to Implement Meaningful Use Stage 2 Secure Health Transport for Certification and Meaningful Use

Enabling Integrated Care

SINTERO SERVER. Simplifying interoperability for distributed collaborative health care

Continua Design Guidelines

Interoperability 101. Bridget A. Moorman, CCE Technical Manager Industry Advisory Board Renewing Health The Continua Alliance

The Direct Project Overview

Interoperability testing in Finland. Konstantin Hyppönen Summit on Interoperability (DK)

An open source software tool for creating and managing patient consents electronically in IHE XDS.b environments

SCHIEx: The South Carolina Health Information Exchange Update

IMAGE SHARING. Review and Update - A Fond Farewell to CDs 2012

Health Record Banking Alliance White Paper

Life Sciences. White Paper. Real-time Patient Health Monitoring with Connected Health Solutions

TABLE OF CONTENTS INTRODUCTION USE CASES FOR CONVERSION BETWEEN DIRECT AND XDR DATAMOTION XDR IMPLEMENTATION GLOSSARY OF TERMS

IHE IT Infrastructure White Paper. Health Information Exchange: Enabling Document Sharing Using IHE Profiles

Clinical Exchange Platform for procurement through the G-Cloud

Contextual cloud-based service oriented architecture for clinical workflow

INTEGRATING THE ESANTÉ DSP INTO GECAMED

EHR Standards Landscape

Electronic Health Records and XDS the IHE approach

IHE-XDS und Co. Erfahrungen im Projekt

Patient Controlled Health Records Standards and Technical Track

ABU DHABI DEMO. Continua PnP Worldwide

IBM Interoperable Healthcare Information Infrastructure (IHII) Overview. China October 2006 IBM

Privacy Issues in the Austrian EHR Project ELGA

Consent Management Ad-Hoc Workgroup Deliverable

Clinical Document Exchange Integration Guide - Outbound

Building Regional and National Health Information Systems. Mike LaRocca

Request for Proposal (RFP) Supporting Efficient Care Coordination for New Yorkers: Bulk Purchase of EHR Interfaces for Health Information

Relationship of HL7 EHR System Draft Standard to X12N

Illinois Health Information Exchange Client Readiness Technical Assessment Checklist

External Telehealth Videoconferencing

A Standards-Based Model for the Sharing of Patient-Generated Health Information With Electronic Health Records

ConnectVirginia EXCHANGE Onboarding and Certification Guide. Version 1.4

Electronic Health Record. Standards, Coding Systems, Frameworks, and Infrastructures

Creating a national electronic health record: The Canada Health Infoway experience

The ERS IC-EHR as Local, Regional and National ehealth Infrastructure July 2010

Service Definition. Contents

Personal Health Data: Patient Consent in Information Age

A Framework for Testing Distributed Healthcare Applications

Consumer Engagement with Health Information Technology Summary of NeHC Survey Results

NATIONAL EHEALTH ARCHITECTURE - FROM STRATEGY TO PRACTICE. Ministry of Social Affairs and Health, Finland

ehealth Information Exchange

Presented by: IHE USA in collaboration with Greenway Medical Technologies and Epic March, 2013

IHE Patient Care Coordination Technical Framework Supplement. Trial Implementation

There has to be more: iconnect Blends XDS and Image Exchange. A Merge White Paper

AT&T Healthcare Community Online - Enabling Greater Access with Stronger Security

Telehealth: Communication in Health Care

Canada Health Infoway

Electronic Health Network - Case Study Consent2Share Share with Confidence

Empowering Patients and Enabling Providers

An Oracle Technical White Paper September Health Information Exchange: From Meaningful Use to Personalized Health

Six Challenges for the Privacy and Security of Health Information. Carl A. Gunter University of Illinois

Health Information Technology OIT Architecture Strategy

XDS-I - CROSS-ENTERPRISE DOCUMENT SHARING FOR IMAGING

Continua: An Interoperable Personal Healthcare Ecosystem

Achieving meaningful use of healthcare information technology

In a previous article on medical device interoperability

To: From: Date: Subject: Proposed Rule on Meaningful Use Requirements Stage 2 Measures, Payment Penalties, Hardship Exceptions and Appeals

The EHR Agenda in Canada

Use Cases for Argonaut Project. Version 1.1

Cloud Innovation Program for Canadian Healthcare

LANES. A key component of the LANES Initiative is to develop a Health Information Exchange.

Regionale uitwisseling van medische gegevens (IHE)

Implementing a PHR System for Knowledge Sharing based on IHE Cross-Enterprise

Structured Data Capture (SDC) The Use of Structured Data Capture for Clinical Research

Health Informatics Standardization: Relevance and Indian Initiatives

Health Record Banking Alliance

IHE IT Infrastructure Technical Framework Supplement

IHE Implementation Case Study: French Electronic Health Record Program

Opportunities and challenges for public health surveillance: a new world of interoperability with electronic health records

Electronic Medical Records and Public Health

Presenter. Deborah Kohn, MPH, RHIA, CHE, CPHIMS Principal Dak Systems Consulting San Mateo, CA

Expanded Support for Medicaid Health Information Exchanges

Overview of an Enterprise HIE at Virtua Health

HL7 and Meaningful Use

Integrating EHR and EDC systems

OpenHRE Security Architecture. (DRAFT v0.5)

Eligible Professionals please see the document: MEDITECH Prepares You for Stage 2 of Meaningful Use: Eligible Professionals.

South Carolina Health Information Exchange (SCHIEx)

Overview of global ehealth initiatives

IHE IT Infrastructure Technical Framework Supplement. On-Demand Documents. Trial Implementation

Interoperability solution for medical devices

New York ehealth Collaborative. Health Information Exchange and Interoperability April 2012

Charting the Future of Healthcare Interoperability. Presenters. Michael Stearns, MD, CPC, CFCP

Security Considerations

IHE Korea. Daegu 2010 Connectathon eworkshop Todd Cooper, Breakthrough Solutions Foundry, Inc.

The Total Telehealth Solution

Information Auditing and Governance of Cloud Computing IT Capstone Spring 2013 Sona Aryal Laura Webb Cameron University.

Transcription:

End-to-End Security for Personal Telehealth Paul KOSTER a,1, Muhammad ASIM a, Milan PETKOVIC a, b a Philips Research, b TU/e, Eindhoven, The Netherlands Abstract. Personal telehealth is in rapid development with innovative emerging applications like disease management. With personal telehealth people participate in their own care supported by an open distributed system with health services. This poses new end-to-end security and privacy challenges. In this paper we introduce new end-to-end security requirements and present a design for consent management in the context of the Continua Health Alliance architecture. Thus, we empower patients to control how their health information is shared and used in a personal telehealth eco-system. Keywords. security, privacy, consent, telehealth Introduction Healthcare around the world is facing important challenges through a substantial increase of the average age of the population and an increase of chronic diseases. Personal telehealth systems are expected to take an important role in addressing these issues. They extend healthcare from acute institutional care to outpatient care and home healthcare. Technological developments in this area are followed by standardization, policy and marketing activities of more than 230 companies that joined their efforts within the Continua Health Alliance [1] to ensure interoperability and further develop the personal telehealth market. Although personal telehealth technologies bring a lot of benefits, they also create new security and privacy challenges. With personal telehealth services, it becomes simpler to collect, store, and search electronic health data, which in turn endangers people's privacy. Furthermore, mistakes that are made because patient measurements are not available, associated to a wrong patient or modified in an unauthorized way can endanger patient safety. Therefore, technological means that empower patients with control over their health information while preventing security breaches and ensuring information correctness are of utmost importance. Traditionally, security in healthcare treats protection of sensitive data by considering individual systems and communication. For personal telehealth applications like remote patient monitoring common security means are (role-based) access control and secure communication protocols [2]. However, emerging trends to open, distributed and user-centric telehealth architectures call for a more end-to-end 1 Corresponding Author: Paul Koster, Philips Research, Koninklijke Philips Electronics N.V., High Tech Campus 34, 5656AE, Eindhoven, The Netherlands; E-mail: r.p.koster@philips.com

approach to security. Only an end-to-end approach can provide a consistent level of security and meet patient empowerment expectations. In this paper, we present new requirements for an end-to-end approach to security for personal telehealth. Moreover, we describe a digital consent management solution. This work represents ideas that have been contributed to and further elaborated in the Continua Health Alliance. This paper is organized as follows. In section 1, we introduce the Continua Health Alliance. Security and privacy requirements are described in section 2. Section 3 focuses on consent management to empower patients and presents a design addressing Continua requirements. Section 4 concludes the paper. 1. Continua Health Alliance The Continua Health Alliance is an industry alliance formed with the intention to foster the growth of personal telehealth. Its 230+ members recognize the need for alignment and interoperability for applications such as disease management, fitness and aging independently. Continua provides a reference architecture for personal telehealth systems and the Continua guidelines [3], which select and profile standards to realize the interoperability objectives. Architecture. The Continua architecture is characterized by its interfaces and device classes as illustrated in Figure 1. Medical observation devices measure people s vital signs such as weight and blood pressure. These devices can be stationary, portable or body-worn, and use USB, Bluetooth or Zigbee to transmit the measurements to an application hosting device (AHD). Measurement communication follows the IEEE 11073 standard. The AHD acts as an intermediary between observation devices and remote services. The AHD can be a gateway device, PC or smartphone. It uses the WAN interface to forward observations to the remote services such as a disease management organization (DMO). WAN communication makes use of the IHE Patient Care Device transaction standard, which is based on web-services and HL7 2.6 message standards. PAN Device Application Hosting WAN Device Health Record (HRN) Device PAN-IF Device (AHD) WAN-IF HRN-IF LAN Device LAN-IF Disease Management Organization (DMO) PHRs/EHRs care profs Physician EMRs Figure 1. Continua end-to-end reference architecture A WAN service collects the observation data to provide care, e.g. a DMO employing nurses supported by IT systems to coordinate a patient s care. If measurements fall outside the expected range then a nurse may prepare a Personal Health Monitoring Report (PHMR) and forward this to care providers e.g. a patient s family physician. The HRN interface facilitates the exchange of the PHMR documents. HRN services interact with WAN services using IHE XDR (Cross-Enterprise Document Reliable Interchange) and IHE XDM (Cross-Enterprise Document Media

Interchange) standards. HRN services include electronic health record (EHR) systems belonging to care providers or personal health record (PHR) systems. Security. As mentioned in the introduction, for adoption of personal telehealth systems, trust, security and privacy are very important. The same holds for compliance to legislation like EU Directive 95/46 and HIPAA. Continua acknowledges the importance of these issues amongst others through its E2E Security Task Force. The authors actively participate in this task force. Initial security and privacy issues have been addressed in Continua version 1 guidelines for the PAN and HRN interfaces. Continua version 1.5 guidelines added security features for the WAN and LAN interfaces with e.g. TLS for secure communication and SAML 2.0 tokens for authentication of AHD users, see table 1. Table 1. Security standards in Continua version 1.5 Security standard Security objective Interface TLS 1.0 confidentiality + integrity + authentication HRN IHE XDM (S/MIME) confidentiality + integrity + authentication IHE ATNA auditing WS-I BSP (TLS 1.0) confidentiality + integrity + authentication WAN IHE ATNA auditing WS-I BSP (WS-Security + SAML 2.0) entity authentication Zigbee security confidentiality + integrity + authentication LAN Bluetooth security confidentiality + integrity + authentication PAN 2. End-to-end security and privacy requirements Continua version 1.5 addresses basic security requirements for personal telehealth with a strong focus on point-to-point transport security. However, a telehealth system with such open and distributed nature calls for an end-to-end approach, which follows from the risk analysis for remote patient monitoring performed by ENISA [4]. An end-to-end approach helps service providers to ensure compliance with legislation, empowers patients and eases seamless integration by defining a homogeneous security framework. The next paragraphs sketch end-to-end requirements as identified in Continua. Identity management. A correct association of health information to patient identities is essential to provide high quality and safe personal telehealth services. However, a person typically has different identifiers at the various systems in a distributed architecture like Continua. These multiple identifiers imply linking and cross-referencing of identities at the AHD, WAN and HRN systems and services. Up to now, service providers often provide a vertically integrated solution and deal with identity management out-of-band. However, larger number of patients, operational cost pressure, less vertical integration, and vendor interoperability ask for standardized inband identity solutions. This leads to the following requirements: i) measurement uploads should be unambiguously linked to a particular patient, and ii) identity linking should be in-band using interoperable protocols and preferably user-initiated. Integrity and data origin authentication. Health measurements performed by patients require healthcare professionals to place trust in information that patients report. For example, for a blood pressure measurement it is crucial to know that blood pressure of a registered patient is actually measured on his body, that the measurement is taken with a certified device and that it is not modified on the way to healthcare providers. However, end-to-end integrity is not trivial to guarantee as in the Continua architecture health measurements pass through multiple parties and undergo

transformations before a health provider obtains them. Therefore, it is required to i) authenticate data sources including users and devices, and ii) prevent or detect unauthorized data modifications while allowing legitimate transformations. A more detailed description of related requirements and security mechanisms is presented in [5]. Consent management. Traditionally, consent has been an important concept in healthcare. Signed paper consent forms are used to grant (opt-in) or withhold (opt-out) consent and enable patients to regulate which care providers have access to their health information. In perspective of user centered care and patient empowerment trends, patients should be in more direct control for distributed applications like personal telehealth. Digital consent addresses this requirement and increases consistency, compliance and efficiency for both patients and care providers. Consequently, highlevel end-to-end requirements include that i) patients should be able to define and manage their digital consent and privacy policies in a user-friendly manner, e.g. on a device at home or online, ii) digital consent should propagate together with the patient data, and iii) systems of care providers and services must enforce digital consent. 3. Design for consent management in the Continua architecture Consent management entails the specification, exchange and update of patient s digital consent preferences. For maximum effect, a patient should indicate his consent and privacy policies as early as possible such that they can travel together with the patient data through the ecosystem. In Continua, the AHD device would be a practical location for a patient to specify his consent. Alternatively, it could be specified at a WAN service by the patient online or taken care of by a nurse on behalf of the patient. Propagation of consent policies over the WAN and HRN interfaces must be enabled to ensure that disease management organizations and care providers use and share patient data in accordance with the patient s digital consent policy. The Implementation Guide for HL7 CDA R2 Consent Directive [6] forms the basis for our approach to consent management in Continua. This recently approved draft standard for trial use defines a document format for digital consent and enables the expression of structured patient consent policies. The advantage of this standard lies in the fact that it is based on the CDA R2 standard, which is already used at the Continua HRN interface for the health PMHR document. Similarly, well-defined protocols exist for the exchange of this type of documents through the IHE XD* family of profiles. Figure 2 provides an overview of how these document and document exchange standards realize the consent management interactions at the HRN interface. The WAN interface solution is a subset of the solution for the HRN interface. Consent at the HRN interface is supported through a basic and a more advanced interaction. In the basic interaction the patient consent document is included in the same transaction as the health PHMR document as shown in Figure 2a. This makes use of the IHE XDR transaction in Continua, which allows inclusion of both documents in the existing submission set. In the more advanced interaction the patient consent document is retrieved online on demand as depicted in Figure 2b. Such interaction allows for more flexibility as a receiver may obtain consent documents e.g. when it does not have the required consent to perform its intended task. Technically, this variant involves the IHE XDS standard, which provides a superset of the functionality provided by XDR. To enable online retrieval of consent documents, a sender at the HRN interface implements the

Document Repository and Registry actors to host the consent documents. The receiver implements the IHE XDS Document Consumer actor. Optionally, the receiver may query and lookup the appropriate consent document identifiers and their location URLs. Subsequently, the HRN receiver requests the consent document through an XDS retrieve transaction. The receiver may include a token in the request to authenticate to the sender and enable personalization of the consent document. Finally, the sender responds with the requested patient consent document personalized for the recipient. HRN Sender HRN Receiver (a) Provide(Health Document, Patient Consent Document (optional) ) Query(Patient Consent Document) Query Response (b) Retrieve(Patient Consent Document, Requestor Token) Response(Patient Consent Document ) Figure 2. Consent management at the HRN interface 4. Conclusions Novel use cases in personal telehealth cannot be addressed with point-to-point or transport security alone anymore and a more end-to-end approach to security and privacy is required. The user-centered and open architecture of personal telehealth systems introduce challenging end-to-end security needs in the areas of identity management, integrity, data origin authentication and consent management. This paper presents a design to extend personal telehealth with digital consent. This design is applied to and presented in context of the Continua Health Alliance interoperability architecture. It demonstrates how the application and combination of novel standards from the healthcare domain realizes consent management and thereby empowers users. References [1] Wartena F, Muskens L, Schmitt L, Petkovic M. Continua: The reference architecture of a personal telehealth ecosystem. Proceedings of the 12th IEEE International Conference on e-health Networking, Application and Services (Healthcom); 2010 July 1-3; Lyon, France; 2010. [2] Raman A. Enforcing Privacy through Security in Remote Patient Monitoring Ecosystems. Information Technology Applications in Biomedicine; ITAB 2007; Tokyo; 2007. [3] Continua Health Alliance. Continua Design Guidelines version 1.5. 2010. [4] Chronaki C, et al. Being diabetic in 2011: Identifying emerging and future risks in remote health monitoring and treatment. EFR Pilot; ENISA; 2009. p29 [5] Petkovic M. Remote Patient Monitoring: Information Reliability Challenges. TELSIKS 2009. IEEE Press; 2009. p295-301 [6] HL7 Implementation Guide for Clinical Document Architecture, Release 2: Consent Directives, Release 1. Draft Standard for Trial Use. January 2011; HL7; 2011.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information