Infrastructure for Secure Sharing Between Picture Archiving and Communication System and Image enabled Electronic Health Records

Krupa Anna Kuriakose, MASc Candidate
Dept. Electrical, Computer and Software Engineering, UOIT
Supervisor: Dr. Kamran Sartipi
February 22, 2013

Overview
- Drawbacks of the existing PACS
- Proposed solution
- Introduction to OpenID and OAuth
- Case Study: E-health Services with Secure Mobile Agent

Current security issues in PACS
Lack the following features:
- Infrastructure for Federated Identity Management (FIM)
- Common set of access control policies
- Integration of patient consent directives with the security policies
User authentication and auditing of data access are local to each system and not federated
“PACS have no means to integrate and interoperate with common infrastructure”

Solution to address the issue
- A token based User Registry to initially authenticate users
- A Consent Registry that holds the consent directives defined by patients
- A Health Information Access Layer with a standard messaging and communication protocol

Research Area

Proposed Solution
- Stage 1: Token based authentication of the user prior to sending access request to EHR
- Stage 2: Agent managed behaviour based access control infrastructure

Stage 1: PACS authenticating with the user registry to use the designed infrastructure
Diagram components: User (PACS), User Registry, Registration Service (RS), Token Providing Service (TPS)
(1) User requests registration
(2) RS returns RT
(3) User sends RT to TPS
(4) TPS issues AGT to user
RT: Registration Ticket
AGT: Access Grant Token
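
The four-step exchange above, sketched as an added example (not code from the presentation): the RS issues a signed, short-lived RT, and the TPS verifies it and allows it to be exchanged only once before issuing an AGT. The HMAC-based token format, the key shared between RS and TPS, the lifetimes and all function names are assumptions; the slides do not specify them.

```python
import base64, hashlib, hmac, json, secrets, time

# Assumption: RS and TPS share a secret key; the slides do not say how RTs are protected.
RS_TPS_KEY = secrets.token_bytes(32)
TPS_KEY = secrets.token_bytes(32)    # assumed key the TPS uses to sign AGTs
RT_TTL, AGT_TTL = 120, 900           # lifetimes in seconds (assumed values)
_redeemed_rts = set()                # TPS-side record of ticket ids already exchanged

def _sign(key, claims):
    """Serialize the claims and append an HMAC-SHA256 tag: b64(payload).b64(tag)."""
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(tag).decode()

def _verify(key, token, now):
    """Return the claims if the tag is valid and the token is unexpired, else None."""
    try:
        p64, t64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
    except ValueError:               # wrong shape or bad base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    claims = json.loads(payload)     # parsed only after the tag has been checked
    return claims if claims.get("exp", 0) > now else None

def rs_register(pacs_id, now=None):
    """Steps (1)-(2): RS registers the PACS and returns a Registration Ticket."""
    now = time.time() if now is None else now
    claims = {"typ": "RT", "sub": pacs_id, "jti": secrets.token_hex(8), "exp": now + RT_TTL}
    return _sign(RS_TPS_KEY, claims)

def tps_issue_agt(rt, now=None):
    """Steps (3)-(4): TPS checks the RT and issues an Access Grant Token, or None."""
    now = time.time() if now is None else now
    claims = _verify(RS_TPS_KEY, rt, now)
    if claims is None or claims.get("typ") != "RT" or claims["jti"] in _redeemed_rts:
        return None
    _redeemed_rts.add(claims["jti"])  # an RT can be exchanged only once
    return _sign(TPS_KEY, {"typ": "AGT", "sub": claims["sub"], "exp": now + AGT_TTL})

def check_agt(agt, now=None):
    """Check a service could run before accepting an access request carrying an AGT."""
    now = time.time() if now is None else now
    claims = _verify(TPS_KEY, agt, now)
    return claims["sub"] if claims and claims.get("typ") == "AGT" else None
```
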

Stage 2: Agent managed behaviour based access control infrastructure
[Figure. Labels: PACS, Agent, HIAL, Authentication, Access Request, Access Response, Behavior Check, User Behavior, Behavior Constructor, Decision Making Engine, Repository, Representation (Role, Context, Resources, policy, etc.), Policy, Guideline, Primitive Sets, Regulations]

Complete Architecture
[Figure. Same labels as the Stage 2 figure, with the User Registry added]

Introduction to OpenID

Need for OpenID
Lots of websites, lots of accounts…
Facebook, Twitter, Email, Message Boards, Blogs, MyUCSC, Bank Accounts, Calendar, Gaming, E-Commerce, Social Bookmarking, Photo Sharing

OpenID Solution
- Use one identity for all the internet services (OpenID enabled)

An OpenID is a URL
- URLs are globally unique.
- OpenID allows proving ownership of a URL
- People already have identity at URLs via blogs, photos, Myspace, Facebook, etc.

Main Components
- End-user
  ◦ The person who asserts his or her identity to a site.
- Identifier
  ◦ The URL chosen by the end-user as their OpenID identifier
- Identity provider or OpenID provider
  ◦ A service provider offering the service of registering OpenID URLs
  ◦ E.g. Yahoo, Blogger, etc.
- Relying party
  ◦ Site that wants to verify the end-user's identifier: "service provider".

Website Benefits
- Increased conversion rates from “site visitors” to “registered users”
- Reduced customer care cost and frustration with forgotten passwords
- Accelerated adoption of “community” features
- Limited password sharing issues
- Facilitated single sign-on across multiple company and partner websites

User Benefits
- Faster & easier registration and login
- Reduced frustration from forgotten user name/password
- Maintain personal data current at preferred sites
- Minimize password security risks

Challenges
- Though you have one, there are not many places to use it (yet)
- None of the big players — AOL, MS, Google, Yahoo!, MySpace — accept OpenID
- The sign-in process can be very confusing and jarring to users
- Security concerns have not been fully resolved: subject to phishing attacks
- Unrealized loss of anonymity

Introduction to OAuth

Function of OAuth
“OAuth provides a way to grant access to your data on some website to a third website, without needing to provide this third website with your authentication information for the original website.”

OAuth Overview
- Security protocol that allows users to grant third-party access to their web resources without sharing their passwords.
- The heart of OAuth is an authorization token.
- OAuth is an open protocol
- Manages handshake between applications
- Used when an API publisher wants to know who is communicating with the system.

OAuth terminology
- The resource owner (original OAuth name: user) – that’s you, me, or anyone with something private they want to share
- The server (original OAuth name: service provider) – that’s the service where the private resources reside
- The client (original OAuth name: consumer) – that’s the service we’d like to use. It needs access to the resources

Example Scenario
- User has a Twitter account and wants to use a service such as TwitPic or yfrog to upload a photo and tweet it.
- The Twitter account (or specific actions on the Twitter account like reading, posting, etc.) is the private resource and it should be protected
- Resource owner has to authorise the client (TwitPic or yfrog) to access protected resources (Twitter API actions) on the server.
- Client asks the server to authenticate
- User grants or denies access to specific resources on the server
- Client is issued with a token that can be presented to the server to access those resources in future.

Case Study
E-health Services with Secure Mobile Agent
Rossilawati Sulaiman, Xu Huang, Dharmendra Sharma
Department of Information Science & Engineering
University of Canberra
Australia

Main Focus
“How Sender can securely transfer sensitive information to Recipient while still maintaining control over it”
- Introduces mobile agents to Multilayer Communication (MLC) layer in the model
- Sender keeps the key for decryption at his/her side until the agent needs it
- A token is carried by the agent to obtain the key for decryption processes

Main Components
- Agent
- Key
- Token

Security Token
- It is an encrypted random number carried by the mobile agent to the Recipient’s host
- Agent sends back the token to the Sender to retrieve the information for data decryption

Security mechanisms
- Data security: Protect the database from unauthorized access
- Channel security: Ensures security of a given communication channel, regardless of the information that is transferred over that channel

Classification and Security Mechanisms in the MLC Approach

| Layer of communication | Security Mechanism |
| --- | --- |
| Layer 1: Extremely sensitive data (Doctor-Doctor, Doctor-Patient, Doctor-Nurse, Nurse-Patient) | Data and Channel security |
| Layer 2: Highly sensitive data (Paramedic-Sys Coordinator) | Data security (using wireless network) |
| Layer 3: Medium sensitive data | Channel security or Data security |
| Layer 4: Low sensitive data | Channel security or Data security |
| Layer 5: Non sensitive data or public data (The public) | Secure open channel, ID and password |

Example Scenario: Communication between Doctor and Patient
[Figure. Labels: Doctor, Patient]

Steps involved
- Step 1: Layer of communication (com_layer) is identified
- Step 2: Choosing the appropriate security mechanism

Lo Value to choose the MLC layer

| Role | Lo Value |
| --- | --- |
| Doctor, Patient, Nurse | Layer 1 |
| Paramedic Coordinator, System Coordinator | Layer 2 |
| Social Worker | Layer 3 |
| System Administrator | Layer 4 |

Finding com_layer value

| Lo Value | Com_layer Value |
| --- | --- |
| Sender = Recipient | Sender’s L0 / Recipient’s L0 |
| Sender > Recipient | Sender’s L0 |
| Sender < Recipient | Recipient’s L0 |

Appropriate Layer and Corresponding Security mechanism

Security Architecture
[Figure. Labels: Doctors Host, Patient Host, Plain Text, Additional Information, Data File, MA, PA, DA, Send additional information, Dispatches mobile agent; steps numbered (1) to (3)]

Process flow

Conclusion
- Research implements a common infrastructure for secure sharing between PACS and the diagnostic image repository of EHR
- Agent based methodology can be used to implement this solution in the HIAL layer of EHR

Thank You & Questions?