Securing The E-Health Cloud
Securing The E-Health Cloud
Securing The E-Health Cloud
net/publication/221629904
CITATIONS READS
184 3,701
3 authors, including:
Marcel Winandy
innogy
53 PUBLICATIONS 1,793 CITATIONS
SEE PROFILE
Some of the authors of this publication are also working on these related projects:
All content following this page was uploaded by Marcel Winandy on 17 May 2014.
3. PROBLEMS OF E-HEALTH CLOUDS curity mechanisms nor are they implemented in a robust
In this section, we give a systematic overview of the threats way as high-assurance systems. Due to architectural lim-
in the privacy-sensitive context of e-health clouds. The pro- itations they do not offer sufficient runtime protection of
cessing of healthcare data of patients has technical, but also applications and operating system software, they lack infor-
legal problems that one has to deal with. In this paper, we mation flow control mechanisms and secure user interfaces.
focus on the technical aspects. We therefore analyze three All this makes these systems vulnerable to malware attacks
different problem areas. that could steal passwords and secret data, or leak privacy-
sensitive data to illegitimate destinations on the Internet.
3.1 Data Storage and Processing
Security and privacy issues exist where the medical data Mobile Storage Devices.
of the health records are stored and processed, i.e., at the Moreover, those computer systems are usually used by
PHR or EHR server and, of course, at the local computer several persons, e.g., medical assistants, and they may con-
infrastructure of health care providers. Access control mech- nect them with mobile storage devices, such as USB memory
anisms and data encryption can ensure confidentiality of the sticks, for transferring data to other platforms. Data that
medical data, and great efforts are done in this direction in is transferred in this way usually leaves the control of any
many specifications, such as the German eHC [12], and stan- security mechanisms of the e-health infrastructure.
dardizations, such as HL7 and ISO/TC 215 [16].
3.2 Management of E-Health Infrastructure
Data Centers. On a larger scale, the whole infrastructure of an e-health
Storing privacy-sensitive data in central data centers bears cloud has several risks that threaten the privacy of health
the risk of information leakage to unauthorized entities. Sen- data. Both medical and administrative data of patients are
sitive data must be sufficiently protected, e.g., by means of processed at several places in the e-health cloud, and the
strong cryptographic encryption. Moreover, it must be pos- usage of smartcards and access control mechanisms alone
sible to administer and maintain the data center without does not provide the necessary protection.
letting administrators gain access to patient data.
Cryptographic Key Management.
Client Platforms. Complex infrastructures must be managed and this com-
The security of end-user systems is another problem that prises additional security and privacy issues. The usage
is rarely dealt with. Most specifications that we are aware of encryption requires management of cryptographic keys,
of define this as “out of scope”. End-user systems are the smartcards must be personalized and issued to their users.
PCs and network infrastructure at the doctor’s practice or One question that is often insufficiently answered in this con-
the computing platforms of information systems in hospitals. text concerns who is in control of the cryptographic keys. A
Especially, medical doctors who run their own small practice naive approach would say the patient of course. But how
do usually not have the competence and time to profession- to handle lost or stolen cards when the encryption keys are
ally manage their IT systems to be sufficiently protected lost as well? Do the card issuer or the EHR server have
against malware threats. On the other hand, they use their backup copies of the keys? But backup strategies must also
computer systems not only for accessing health records of take into account the privacy requirements of health data.
their patients, but also for other applications, such as billing For example, in many European countries, and especially in
systems, or Internet browser. But today’s commodity oper- Germany, it is required by law that the patients themselves
ating systems that are used do not offer sophisticated se- have the full data sovereignty over their health data. This
means no other party is allowed to circumvent privacy de- security and privacy properties. In this section, we first
cisions and access rights definitions of the patient regarding introduce privacy domains for healthcare systems. Then we
EHR data. But if the card issuer or even the EHR server discuss our realization based on a security kernel and TVDs.
providers maintain backup copies of the cryptographic keys
for reasons of issuing backup smartcards in case of theft or 4.1 Privacy Domains for E-Health
loss, they could in principle decrypt and access the EHR
data directly. In the context of e-health, privacy protection of the pa-
tients’ data is a primary concern. Technological solutions
should be employed to support legal and contractual regu-
Management of Certificates. lations.
As in any public key infrastructure, certificates must be
We propose to construct privacy domains for the patients’
managed to ensure authenticity of key holders (smartcards,
medical data as a technical measure to support the enforce-
connectors, server, etc.). This includes issuing and distribut-
ment of privacy and data protection policies: Systems (e.g.,
ing certificates as well as updating revocation lists.
a client PC) must be able to partition execution environ-
ments for applications into separate domains that are iso-
Management of Hardware/Software Components. lated from each other. Data is kept within a privacy domain,
Besides the cryptographic infrastructure, other compo- and the domain infrastructure ensures that only authorized
nents must be managed and maintained as well. This in- entities can join this domain. Moreover, data leakage from
cludes the hardware and software components that are used the domain is prevented by the security architecture and the
at EHR servers, billing servers, and computing devices of domain infrastructure. Therefore, the same system can be
health care providers. Security-critical components, such used for different work flows that are strictly isolated. Fig-
as smartcard readers or connectors to protected networks, ure 3 illustrates the privacy domains applied to our e-health
should be certified and tested properly. The installation cloud model.
and update of software components requires a secure distri-
bution mechanism. On the one hand, it must be possible
to allow changes in software configuration due to legitimate
updates. On the other hand, unauthorized and malicious
changes (e.g., due to malware attacks), must be detectable
to stop further usage or to exclude the infected components
from the e-health infrastructure.
E-Mail Server
User TVD-Master for
Accounting-TVD E-Health
Server
Secure GUI
Webserver
Application Webbrowser, Accounting Accounting
for processing E-Mail-Client and billing Server
EHRs software
(e.g., KV-
TVDProxy for Safenet TVDProxy for
application) Accounting-
E-Health-TVD
TVD
Trusted
Hardware Hardware
We implemented Trusted Computing support based on ing external cloud services that provide the user with poten-
the TPM, due to its widespread availability. We use the tially unlimited storage capacity. Only the actual amount
authenticated boot process and attestation functionality of of storage that is currently used has to be payed, and the
the TPM for the TVD master to verify the client platform available storage increases as needed. Similarly, file servers
integrity, and for the protection of cryptographic keys. that are not part of a TVD can be used as external storage
We developed (from previous project results) two inter- within a TVD.
operable implementations based on the XEN hypervisor [1] Storage devices and services should be considered as “pas-
and the L4 microkernel [18], with various Linux and Win- sive” components that do not provide security properties.
dows versions as guest operating systems. Currently, we Thus the enforcement of security policies relies entirely on
are working on a TVD implementation using OpenSolaris, the computer to which the storage is connected. We may
where Solaris zones can be used as guest systems9 . Sirrix assume the policy is correctly enforced as long as storage
security technologies10 is offering a commercial product line is used within the TVD boundaries. This assumption is in
called Turaya, which supports TVDs [6]. general no longer true if external storage is used outside its
In summary, TVDs have been shown to be practical in a domain, e.g., when it is connected to an outsider computer.
number of different contexts. Although some implementa- We extended the TVD model with the benefits of using
tions are research prototypes rather than production-ready mobile storage devices, allowing the transparent binding of
systems, various implementations based on different security devices to a certain TVD so that only platforms of the same
kernels exist, supporting all kinds of operating systems. TVD can access the stored data. In the same way, other
external storage – such as storage provided by Cloud Com-
Protection of External Storage. puting – can be incorporated into TVDs. From the point of
The secure incorporation and usage of external storage in view of the TVD architecture, the storage service provides
TVDs, e.g., USB disks, pen drives or cloud storage such as a container for data, just like a mobile storage device.
Amazon S3, increases the flexibility of users in their work Deploying external storage within the TVD requires some
flows, but requires a careful design of the overall security refinement to the model due to the following concerns:
architecture. Mobile storage devices are regularly employed
to store copies of documents that the user (e.g., a doctor) • Storage container identification. External storage can
may take home or to another office, or data to be processed be moved to one workstation or to another, without
on other systems. In particular, USB disks are frequently any control by the TVD infrastructure. Hence, when-
used offline, i.e., plugged to any platform while it is not con- ever external storage is connected to a platform, the
nected to the domain network (e.g., a laptop in the train or system should be able to distinguish the device and
on an airplane). Cloud storage may provide a very conve- the domain this device belongs to.
nient and relatively inexpensive way to store backups: While
local storage devices or file servers provide quick access to • Dynamic storage management. Unlike hard disks that
data and are available independently of a working Internet are built into a computer, external storage may un-
connection, regular backups can be stored conveniently us- predictably appear and disappear within the domain,
because users may plug in or unplug devices arbitrar-
9
See http://www.trust.rub.de/projects/tvd-solaris ily, and network connections to an external server or
10
See http://www.sirrix.com storage provider may be established or interrupted at
any time. This requires the introduction of a stor- the doctor at the patient’s home. Furthermore, a pa-
age management infrastructure in order to handle, e.g., tient might not be present in person, but is represented
creation and distribution of encryption keys. by a relative or friend, or a patient consults a doctor
remotely, e.g., by phone.
To extend TVDs with such a solution for external storage,
we enhanced the TVD master with the necessary key man- • Inability of the patient to authenticate: The patient
agement. Moreover, we added a storage device manager to might be unable (physically or mentally) to remember
the client’s security kernel that identifies the appropriate and enter a PIN.
TVD for storage devices and retrieves keys from the TVD Examples scenarios include elderly patients and hand-
master (if they are not already available in a local cache). icapped people who cannot authenticate by entering
The device manager also creates a virtual storage device for a PIN. In emergencies, e.g., in case the patient is un-
the VM of the correct TVD (for details, see [7]). conscious, the patient must be represented by someone
else. Moreover, in particular people who only need to
Security Considerations Concerning External Storage. authenticate infrequently, tend to forget their PINs.
Introducing external storage into a system can lead to new • Confidentiality of existence: The mere existence of an
security risks. It might be easier for attackers to gain physi- EHR for a given person could already imply that this
cal possession of external devices than to obtain an internal person received medical treatment, and thus must be
hard disk. However, due to the transparent encryption of all kept confidential to avoid violating privacy laws.
external storage by the TVD infrastructure, outside attack- • Client anonymity: Client anonymity is often not con-
ers who are not part of the TVD cannot access the data. sidered at all, but in the context of healthcare, a pa-
Moreover, viruses or Trojan horse programs could be stored tient’s privacy might be violated by tracking of users
on USB sticks that are plugged into a system. On commod- or client systems in some scenarios. For instance, if
ity operating systems such as Windows, this is a serious a patient buys medicine in a pharmacy using an elec-
threat because programs from USB storage will be auto- tronic prescription, the pharmacist should not be able
matically executed when the device is attached, and even to trace or identify the patient.
when the automatic execution of programs from USB stor-
age is disabled, users could manually start malware-infected • Non-repudiation of emergency access: In case of emer-
programs from USB sticks. gency, health professionals might need to access data
With the TVD architecture, we can prevent malware from urgently in situations, where the patient is unable to
entering the TVD via USB sticks, because only data from authorize this. In such cases, access should be possi-
a storage container belonging to the same TVD as a given ble, but is important for legal reasons that the person
compartment will be connected to that compartment by the accessing the data can be identified and held responsi-
security kernel. Encryption and decryption happens trans- ble. Moreover, this person should not be able to deny
parently for the compartment of the TVD, and the data the fact that he/she accessed the data.
cannot be accessed from outside the TVD. For the security
kernel, external storage such as a USB disk is just a passive These issues are not adequately addressed by most current
storage device. No programs will be executed from it auto- e-health systems, and hence are important research chal-
matically, neither in the security kernel, nor in any TVD. lenges to address. Note that solutions to these problems
Malware that is stored on USB sticks from within the are orthogonal to the network and platform security issues
TVD cannot be prevented from being read or executed in addressed by our work on privacy domains for e-health sys-
another compartment of the same TVD (which might be tems. We anticipate that future solutions can readily be
on an different computer system). The TVD infrastructure integrated into TVD-based privacy domains.
itself only isolates and protects the TVD from adversaries
from the outside, not from malicious software that is already 6. CONCLUSION
part of the TVD. However, the TVD infrastructure should
In this paper, we considered security and privacy issues
help to ensure that only secure systems can become members
in modern distributed e-health systems, as well as existing
of the TVD by mechanisms such as the integrity verification
proposals and solutions. We addressed an often neglected
of all platforms before joining.
problem: the security of client platforms. We showed how
privacy domains can be used to extend the protection of e-
5. OPEN RESEARCH CHALLENGES health systems from (existing) network security solutions to
There are a number of issues with electronic health data a more comprehensive infrastructure, including the client.
that need to be taken into account by systems for EHRs, As future work, we will address some remaining open
which are not completely solved by current proposals: research challenges, outlined in Section 5, in our ongoing
projects. In particular, we aim to integrate e-health card
systems or alternatives into privacy domains and address
• Absence of the patient: The patient is not necessarily
usability problems in this area.
present when the EHR needs to be accessed. In this
case, using an eHC with a PIN does not work.
7. ACKNOWLEDGMENTS
For this, various example scenarios exist: Often, the
This work was partially funded by the federal state North
data is entered into the system only after the patient
Rhine-Westphalia under the project RUBTrust/MediTrust.
left the doctor. Moreover, the patient is not present
at the doctor’s office during preparation of a visit by
8. REFERENCES [14] Health Level Seven International (HL7).
[1] P. Barham, B. Dragovic, K. Fraser, S. Hand, T. L. http://www.hl7.org.
Harris, A. Ho, R. Neugebauer, I. Pratt, and [15] C.-Y. Hsu, Y.-C. Chen, R.-C. Luo, H.-H. Rau, C.-T.
A. Warfield. Xen and the art of virtualization. In 19th Fan, B.-S. Hsiao, and H.-W. Chiu. A resource-sharing
ACM Symposium on Operating Systems Principles platform for trading biomedical intellectual property.
(SOSP’03), pages 164–177. ACM Press, 2003. IT Professional, 12:42–49, 2010.
[2] S. Berger, R. Cáceres, D. E. Pendarakis, R. Sailer, [16] International Organization for Standardization (ISO).
E. Valdez, R. Perez, W. Schildhauer, and Technical Committee 215, Health Informatics.
D. Srinivasan. TVDc: Managing security in the http://www.iso.org/iso/iso_technical_
trusted virtual datacenter. Operating Systems Review, committee?commid=54960.
42(1):40–47, 2008. [17] Kassenärztliche Bundesvereinigung. KV-SafeNet
[3] A. Bussani, J. L. Griffin, B. Jansen, K. Julisch, homepage. http://www.kbv.de/12705.html.
G. Karjoth, H. Maruyama, M. Nakamura, R. Perez, [18] J. Liedtke. On micro-kernel construction. In Fifteenth
M. Schunter, A. Tanner, L. V. Doorn, E. A. V. ACM Symposium on Operating System Principles
Herreweghen, M. Waidner, and S. Yoshihama. Trusted (SOSP’95), pages 237–250. ACM Press, 1995.
Virtual Domains: Secure foundations for business and [19] H. Löhr, A.-R. Sadeghi, C. Stüble, M. Weber, and
IT services. Technical Report RC23792, IBM M. Winandy. Modeling trusted computing support in
Research, 2005. a protection profile for high assurance security kernels.
[4] S. Cabuk, C. I. Dalton, K. Eriksson, D. Kuhlmann, In Trusted Computing, 2nd International Conference,
H. V. Ramasamy, G. Ramunno, A.-R. Sadeghi, Trust 2009, volume 5471 of Lecture Notes in
M. Schunter, and C. Stüble. Towards automated Computer Science, pages 45–62. Springer, 2009.
security policy enforcement in multi-tenant virtual [20] H. Löhr, A. R. Sadeghi, C. Vishik, and M. Winandy.
data centers. Journal of Computer Security, Trusted privacy domains – challenges for trusted
18(1):89–121, 2010. computing in privacy-protecting information sharing.
[5] L. Catuogno, A. Dmitrienko, K. Eriksson, In Information Security Practice and Experience, 5th
D. Kuhlmann, G. Ramunno, A.-R. Sadeghi, S. Schulz, International Conference, (ISPEC’09), volume 5451 of
M. Schunter, M. Winandy, and J. Zhan. Trusted Lecture Notes in Computer Science, pages 396–407.
Virtual Domains – design, implementation and lessons Springer, 2009.
learned. In International Conference on Trusted [21] H. Löhr, A.-R. Sadeghi, and M. Winandy. Patterns for
Systems 2009 (INTRUST’09). Springer Verlag, 2009. secure boot and secure storage in computer systems.
[6] L. Catuogno, H. Löhr, M. Manulis, A.-R. Sadeghi, In 4th International Workshop of Secure System
C. Stüble, and M. Winandy. Trusted Virtual Methodologies Using Patterns (SPattern 2010), In
Domains: Color your network. Datenschutz und Proc. of Fifth International Conference on
Datensicherheit (DuD), 5, 2010. Availability, Reliability and Security (ARES’10), pages
[7] L. Catuogno, H. Löhr, M. Manulis, A.-R. Sadeghi, and 569–573. IEEE Computer Society, 2010.
M. Winandy. Transparent mobile storage protection in [22] H.-H. Rau, C.-Y. Hsu, Y.-L. Lee, W. Chen, and W.-S.
trusted virtual domains. In 23rd Large Installation Jian. Developing electronic health records in Taiwan.
System Administration Conference (LISA’09). IT Professional, 12:17–25, 2010.
USENIX Association, 2009. [23] T. Schabetsberger, E. Ammenwerth, S. Andreatta,
[8] Common Criteria Project Sponsoring Organisations. G. Gratl, R. Haux, G. Lechleitner, K. Schindelwig,
Common Criteria for Information Technology Security C. Stark, R. Vogl, I. Wilhelmy, and F. Wozak. From a
Evaluation, Version 3.1, July 2009. paper-based transmission of discharge summaries to
http://www.commoncriteriaportal.org/thecc.html. electronic communication in health care regions.
[9] Y. Gasmi, A.-R. Sadeghi, P. Stewin, M. Unger, and International Journal of Medical Informatics,
N. Asokan. Beyond secure channels. In 2nd ACM 75:209–215, 2006.
Workshop on Scalable Trusted Computing (STC’07), [24] D. Sofsian. An introduction to medical billing. http:
pages 30–40. ACM Press, 2007. //www.e-healtharticles.com/Detailed/1449.html,
[10] Gematik. Einführung der Gesundheitskarte - April 2006.
Gesamtarchitektur, Version 1.7.0. http://www. [25] A. Sunyaev, A. Kaletsch, C. Mauro, and H. Krcmar.
gematik.de/upload/GA_ZentraleDienste_5171.zip, Security analysis of the german electronic health
August 2009. card’s peripheral parts. In ICEIS 2009 - Proceedings
[11] Gematik. Einführung der Gesundheitskarte - of the 11th International Conference on Enterprise
Netzwerkspezifikation, Version 2.0.0. http://www. Information Systems, Volume ISAS, Milan, Italy, May
gematik.de/upload/GA_ZentraleDienste_5171.zip, 6-10, 2009, pages 19–26, 2009.
August 2009. [26] A. Sunyaev, J. M. Leimeister, and H. Krcmar. Open
[12] Gematik - Gesellschaft für Telematikanwendungen der security issues in german healthcare telematics. In
Gesundheitskarte. http://www.gematik.de. HEALTHINF 2010 - Proceedings of the 3rd
[13] J. L. Griffin, T. Jaeger, R. Perez, R. Sailer, L. van International Conference on Health Informatics, pages
Doorn, and R. Cáceres. Trusted Virtual Domains: 187–194. INSTICC, 2010.
Toward secure distributed services. In Proceedings of [27] Trusted Computing Group. TPM Main Specification,
the 1st IEEE Workshop on Hot Topics in System Version 1.2 rev. 103, July 2007.
Dependability (HotDep’05), June 2005. https://www.trustedcomputinggroup.org.