Guidelines for the technological development in the e-health application domain

Guidelines for the technological development in the e-health application domain Ivano Malavolta Università degli Studi dell’Aquila


Slides of the talk I gave on the 18th of July 2014 about the activities I coordinate at the University of L'Aquila (Italy) in the context of the E-Health Technology industrial project.

Transcript of Guidelines for the technological development in the e-health application domain

Page 1: Guidelines for the technological development in the e-health application domain

Guidelines for the technological development in the e-health application domain

Ivano Malavolta Università degli Studi dell’Aquila

Page 2: Guidelines for the technological development in the e-health application domain

Introduction

Great progress in the health sector applied to image acquisition, image elaboration, robotics, etc.

However, the health sector currently lags behind other sectors in the use of advanced data management software → there is great potential for rapid, sustained growth

Page 3: Guidelines for the technological development in the e-health application domain

Introduction

The E-Health Technology project focusses on

Remote assistance via mobile devices

Modernization of business processes

Design of new services in the cloud

Page 4: Guidelines for the technological development in the e-health application domain

Introduction

The role of University of L’Aquila in the project

Research

Prototypes development

Research actions

State of the art

Architectural solutions

Page 5: Guidelines for the technological development in the e-health application domain

Introduction

In this talk we will present the main solutions for architecting an e-health software system in terms of its

Security engineering

Reliability assurance

Data management infrastructure

etc.

Page 6: Guidelines for the technological development in the e-health application domain

   

Remainder of the talk

•  Introduction

•  Cloud computing

•  User authentication

•  User authorization

•  Data encryption

•  Sensitive data separation

•  Conclusions

Page 7: Guidelines for the technological development in the e-health application domain

Cloud computing

The use of computing power that is located “elsewhere” → in the cloud

Advantages: no infrastructure, elasticity, low risk

Page 8: Guidelines for the technological development in the e-health application domain

Cloud computing

Challenges in the e-health application domain:

Who can enter the system?

Who can do what in the system?

Who can read my data?

Where is my data?

Page 9: Guidelines for the technological development in the e-health application domain

User authentication

Strong authentication is mandatory

•  one possible implementation: two-factor + challenge-response

Something you know (ex. username and password) + Something you have (ex. card or security token)

Page 10: Guidelines for the technological development in the e-health application domain

OATH

Open standard for the interoperability of authentication methods

•  Supports both hardware and software implementations

http://www.openauthentication.org/

Advantages:

•  always with the user

•  low investment risk

•  scalable

•  customizable

•  no waiting time for issuing a new token

Page 11: Guidelines for the technological development in the e-health application domain

User authorization

Access control is the basis of Information Security

Confidentiality: prevent disclosure to unauthorized users

Integrity: prevent modification by unauthorized users

Page 12: Guidelines for the technological development in the e-health application domain

XACML

Open standard proposing

•  a declarative language for defining access control policies

•  a run-time architecture for enforcing the policies

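The split between defining and enforcing policies can be illustrated with the added example below, which is a simplified Python model and not XACML syntax or code from the project. It keeps the rules as data, evaluates them in a decision point (PDP) with a deny-overrides combination, and lets the enforcement point (PEP) grant access only on an explicit Permit. The attribute names (`role`, `agency`, `record_agency`, `consent_revoked`) and the policy itself are constructed for illustration.

```python
PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"

# Constructed policy: rules are data, so they can change without touching code.
# "target" lists attributes that must match; "same" names two request
# attributes that must be equal for the rule to fire.
POLICY = [
    {"effect": PERMIT,
     "target": {"role": "physician", "action": "read", "resource": "record"},
     "same": ("agency", "record_agency")},
    {"effect": DENY,
     "target": {"action": "read", "resource": "record", "consent_revoked": True},
     "same": None},
]


def evaluate_rule(rule, request):
    if any(request.get(k) != v for k, v in rule["target"].items()):
        return NOT_APPLICABLE
    if rule["same"] is not None:
        left, right = rule["same"]
        if left not in request or right not in request:
            return INDETERMINATE        # a required attribute is missing
        if request[left] != request[right]:
            return NOT_APPLICABLE
    return rule["effect"]


def pdp(policy, request):
    """Decision point. Simplified deny-overrides: Deny wins, then Indeterminate,
    then Permit (stricter than the standard's full combining algorithm)."""
    results = [evaluate_rule(rule, request) for rule in policy]
    for decision in (DENY, INDETERMINATE, PERMIT):
        if decision in results:
            return decision
    return NOT_APPLICABLE


def pep(policy, request):
    """Enforcement point: deny-biased, only an explicit Permit grants access."""
    return pdp(policy, request) == PERMIT
```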

Page 13: Guidelines for the technological development in the e-health application domain

Data encryption

Data encryption is the process of encoding messages or information in such a way that only authorized parties can read it

In our project we encrypt data at two levels:

Communication: prevent information disclosure while sending data

Database: prevent reading saved data in the database

Page 14: Guidelines for the technological development in the e-health application domain

Sensitive data separation

Multi-tenant architecture with a dedicated database for each agency

Advantages:

•  data isolation (required by law)

•  customized services

•  easy disaster recovery

Page 15: Guidelines for the technological development in the e-health application domain

Conclusions (i)

Page 16: Guidelines for the technological development in the e-health application domain

Conclusions (ii)

What is not covered in this talk:

•  digital documents with legal validity

•  Analog copies of digital documents

•  Graphometric signatures with legal validity

These aspects are covered in our research article*

* available also in English

Page 17: Guidelines for the technological development in the e-health application domain

   

Contact

Ivano Malavolta

Università degli Studi dell’Aquila

http://www.di.univaq.it/malavolta
