eHealth Beyond the Horizon – Get IT There S.K. Andersen et al. (Eds.) IOS Press, 2008 © 2008 Organizing Committee of MIE 2008. All rights reserved.


Secure dissemination of electronic healthcare records in distributed wireless environments

Petros BELSIS, Dimitris VASSIS, Christos SKOURLAS, Grammati PANTZIOU, Technological Education Institute of Athens

Abstract. A new networking paradigm has emerged with the appearance of wireless computing. Ad-hoc networks, mobile and ubiquitous environments, among others, can boost the performance of the systems in which they are applied, and medical environments are a convenient example of their applicability. With the use of wireless infrastructures, medical data may be accessible to healthcare practitioners at any time. Due to the critical nature of medical information, the design and implementation of these infrastructures demands special treatment in order to meet specific requirements; in particular, special care should be taken to manage interoperability and security, and to deal with the bandwidth and hardware resource constraints that characterize the wireless topology. In this paper we present an architecture that attempts to deal with these issues; moreover, in order to prove the validity of our approach, we have also evaluated the performance of our platform through simulation in different operating scenarios.

Keywords. Telematics, Distributed systems, Networks, Security.

Introduction

Wireless technologies have gained wide acceptance as they have been integrated into many environments of our everyday life. As mobile devices become more powerful, they are integrated as a low-cost solution in many environments. Among the reasons for their wide acceptance we can distinguish their relatively easy integration into many types of environments as well as the continuous rise in the computational power of handheld devices. The medical domain can benefit greatly from their deployment, since the use of handheld devices may provide doctors with accurate information from every place within a wireless environment, which usually covers the clinic to which they belong. Therefore, in contrast to past practice, doctors do not need to go to a fixed point (for example their office) and access medical data concerning their patients from their PC through a specific application or by logging in to a portal; instead, while carrying their wireless device they can use it to obtain access to medical information on site and in a timely, accurate manner, thus realizing the anytime-anywhere access to medical information paradigm.

Among the main design and implementation challenges we can distinguish:
• The capability to provide information to doctors independently of their exact location;
• Achievement of information integration using interoperable standards for medical information storage and exchange;
• The ability to ensure that no sensitive medical information will be disclosed to unauthorized parties.

In this paper we present an architecture that allows authorized medical personnel to access medical information while moving within their clinic; they can thus gain access to their patients' medical records using an architecture that employs standardized technologies for the processing, storage and exchange of information. Lightweight yet robust encryption and authentication techniques ensure that no breach of confidentiality occurs. For our specific design choices, we measure the information payload of HL7 messages and perform simulation tests that show the validity of our approach. We also describe the benchmark methodology through which we have determined the effect of performance issues such as the maximum number of concurrently sent HL7 messages, taking the encryption overhead into account at the same time. The rest of the paper is organized as follows: Section 1 presents related work in context. Section 2 briefly describes the main design principles that govern our approach. Section 3 presents our architecture and an overall usage example scenario. In Section 4 the simulation results by which our approach is evaluated and validated are outlined. Finally, Section 5 concludes the paper and gives the directions of our future work.

Corresponding author: Petros Belsis, Dept. of Informatics, Technological Educational Institute of Athens, Ag. Spyridonos Street, 12210, Aigaleo, Athens, Greece, Email: [email protected]

1. Related Work

Electronic health records management attracts increasing interest and sets the scene for the establishment of ubiquitous acquisition of medical information, thereby achieving the provision of improved health services. Lately several projects have focused on providing efficient solutions to various aspects of medical records management, leading also to the development of improved e-health services [7][9][10]. Wireless mediCenter [3] is a system for the management of electronic medical records and their delivery through secure LANs or high-speed wireless connections. It provides different portals for doctors and patients in order to separate access permissions. The restriction of having to connect through the portal, though, is a serious burden to the user. The m-Care project [4] aims at providing secure access through a WAP-based architecture. Information on users and their access rights is kept in an MS-SQL Server database. In our approach we have adopted a policy-based approach, which facilitates interoperation with other systems while also giving our system a highly distributed nature. PatientService [8] is a trust-based security architecture that enables medical records management in pervasive environments. In that approach access to medical information is provided to a set of users who hold a PDA that keeps the policy in a smart card. In our approach we issue the request from the PDA while the policy evaluation is not performed by the PDA itself. Moreover, we attempt to evaluate our approach by performing simulation experiments.


2. Design requirements for wireless medical infrastructures

Pervasive infrastructures are characterized by rapid changes in their topology. Devices, on the other hand, are characterized by low computing resources and power. Medical information, moreover, is highly sensitive; thus, we have to design our system so as to demand as little processing and network bandwidth as possible, without relaxing our strict privacy requirements. Among the main requirements for our architecture we can distinguish:
• Privacy preservation. Unauthorized disclosure of medical information may lead to disastrous results. EU and US legislation mandates the privacy preservation of medical data. Besides protecting medical databases appropriately, the transmission of medical information should also be performed in a reliable and secure manner. We have thus employed efficient encryption techniques based on both symmetric and public key cryptography, so as to achieve data protection without demanding excessive processing power. In order to transmit data wirelessly we first exchange a shared key using strong encryption, based on signing the messages with the private keys of the two parties, and then continue using shared key encryption so as to achieve a lightweight implementation.
• Network topology instability. Pervasive infrastructures are characterized by node mobility as well as node failure. In order to maintain connectivity for as long as possible, we have decentralized many of our processing and communication tasks, thus avoiding single points of failure. In this direction we have adopted the DLS (distributed lookup server) approach [5], according to which a number of nodes act collectively as a centralized node. When a node is about to stop transmitting, it passes all of its information to its neighbors.
• Access control management. In order to apply access control, we have adopted the Role Based Access Control model (RBAC), due to its simplicity and wide acceptance as a security standard. Access control is performed at the medical database using a policy-based approach [6]. A policy approach allows privileges to be determined according to business roles; these privileges may be encoded in a suitable policy language and each request is directed to special-purpose modules, which reason over the specific request and either authorize or reject it.
• Interoperability. In order to enable interoperation of our system with other medical systems and architectures we have adopted the HL7 standard for information encoding and exchange. For secure transmission, and in compliance with the HL7 guidelines that instruct the use of secure protocols, one of the IP Security protocol (IPSec), the Secure File Transfer Protocol (SFTP) or the Secure Socket Layer protocol (SSL) can be used for encrypting medical records.

3. System Utility Scenarios

We can consider the following scenario. A doctor within the ward he/she belongs to approaches a patient's bed and wants to access some basic information regarding the patient's medical history. The doctor sends a request from his/her PDA to retrieve the data from the medical database. The medical database is kept on a device with more processing power, which acts as a medical server. In order to avoid a single point of failure we have adopted a distributed approach with caches per sub-domain. Moreover, in order to lower network resource consumption, we have adopted the use of ontologies, one per sub-domain (fig. 1). Thus, when a device from one domain wants to query for specific information, it first examines the ontology of the domain under consideration. For example, if we are interested in medical records concerning hematological data and the ontology of the domain does not specify such terms, then it is useless to query the medical servers for information of that kind regarding a specific patient. When a request is sent to the server, in order to decide whether to authorize it, the server needs to establish the doctor's identity as well as to evaluate the permissions that have been granted to the doctor. First it requests a validation of the doctor's id. This can be done using public key encryption techniques. The doctor's private key is stored in a smart card inserted in the PDA. Using the doctor's public key and the server's private key, the two parties can authenticate each other and exchange a (shared) session key, which is then used to encrypt all further communication. This is done because using asymmetric (public key) encryption for the transmission of all messages would demand far more computational resources. The doctor's device is also able to determine whether it resides within the clinic or in an unknown environment, with the aid of a beacon that sends signed messages; the doctor's device recognizes them by comparing them against a number of signed messages stored within the smart card. Thus, we prevent unauthorized transmission or reception by the device when it resides outside the pre-set spatial boundaries.

After authentication has been performed and the session key has been exchanged, all communication can be encrypted end to end from the medical database to the doctor's device using SSL. When a new request is sent to the medical database, the policy module is invoked; it examines the request, the requester's role and the privileges that have been recorded in the policy. This procedure is supported by most modern devices, which handle at least 128-bit encryption effectively.
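The mutual authentication and session-key exchange described above (and in the privacy requirement of Section 2), as an added example that is not code from the paper: each side signs an ephemeral key-agreement value with its long-term identity key, verifies the peer's signature against the peer's known identity public key, and only then switches to symmetric encryption for the HL7 traffic. Ed25519, X25519 and AES-128-GCM stand in for the algorithms the paper leaves unspecified, the SHA-256 step is a simplified key derivation, and the hello and session structures are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Party is the doctor's PDA or the medical server: an Ed25519 identity key (the doctor's lives on the smart card) plus a per-session X25519 key.
type Party struct {
	ID   string
	Pub  ed25519.PublicKey // identity public key, assumed known to the peer in advance
	sign ed25519.PrivateKey
	eph  *ecdh.PrivateKey
}
// Hello is the handshake message: the ephemeral public key signed with the identity key.
type Hello struct{ ID string; EphPub, Sig []byte }
// Session holds the AES-128-GCM cipher built from the negotiated key.
type Session struct{ aead cipher.AEAD }

func NewParty(id string) (*Party, error) {
	pub, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	return &Party{ID: id, Pub: pub, sign: sk, eph: eph}, err
}
func (p *Party) Hello() Hello {
	ephPub := p.eph.PublicKey().Bytes()
	return Hello{ID: p.ID, EphPub: ephPub, Sig: ed25519.Sign(p.sign, append([]byte(p.ID), ephPub...))}
}
// Establish verifies the peer's Hello with the peer's known identity key, derives the shared session key and sets up symmetric encryption; a forged Hello aborts it.
func (p *Party) Establish(peer Hello, peerPub ed25519.PublicKey) (*Session, error) {
	if !ed25519.Verify(peerPub, append([]byte(peer.ID), peer.EphPub...), peer.Sig) {
		return nil, errors.New("peer hello signature invalid")
	}
	remote, err := ecdh.X25519().NewPublicKey(peer.EphPub)
	if err != nil { return nil, err }
	shared, err := p.eph.ECDH(remote)
	if err != nil { return nil, err }
	k := sha256.Sum256(append([]byte("hl7-session-v1"), shared...)) // simplified KDF
	block, err := aes.NewCipher(k[:16])
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	return &Session{aead}, err
}
// Seal encrypts one HL7 message under the session key with a fresh random nonce prepended; Open reverses it and rejects any ciphertext modified in transit.
func (s *Session) Seal(msg []byte) ([]byte, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return s.aead.Seal(nonce, nonce, msg, nil), nil
}
func (s *Session) Open(ct []byte) ([]byte, error) {
	n := s.aead.NonceSize()
	if len(ct) < n { return nil, errors.New("ciphertext too short") }
	return s.aead.Open(nil, ct[:n], ct[n:], nil)
}
```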

Figure 1. Pervasive medical domain overall architecture. The presence of a beacon in each domain can notify the device about the local policy enforced and simplify user authentication. Devices of higher processing power may work as a medical server. The figure also shows the PDAs of doctors participating in the wireless framework.

4. Performance Evaluation

In order to test the validity of our approach we have evaluated its performance through simulation in the Pamvotis WLAN simulator [1]. We assume an IEEE 802.11 wireless channel of 1Mb/s, which is capable of covering a range of up to 300m in indoor environments. The IEEE 802.11 protocol is suitable for HL7-based applications, as it supports high data rates and combines the advantages of mobility and packet switching, making it suitable for IP-based mobile devices such as PDAs and 3G/4G mobile phones. Considering an average HL7 message, we assume that the application packet payload size obeys a uniform distribution with a mean value of 280Bytes. The packet overhead added by the SSL protocol is about 16% of the packet payload [2], meaning 48Bytes. Adding the TCP overhead (32Bytes with timestamps included) and the IP overhead (20Bytes), we have an IEEE 802.11 MAC datagram of 380Bytes. Finally, we assume that the number of messages each doctor sends obeys a Poisson distribution with a mean of one message every two minutes. The simulation results for the above configuration are outlined in the rest of this section. Figure 2 depicts the aggregate traffic (system throughput) generated by HL7 messages for a network consisting of 600 users.

[Figure 2 plot: Aggregate Traffic (Kb/s), y-axis 0 to 80, against Time (sec), x-axis 0 to 3600.]

Figure 2. Aggregation traffic versus simulation time.

As we can see, the traffic is minimal compared to the wireless channel capacity. Hence, if other applications run on the same network (e.g. medical image downloading or interactive applications such as VoIP), our proposed architecture does not affect their performance. Figure 3 depicts the service delay for a network consisting of 600 users. By service delay we mean the delay from the moment a user sends an HL7 message until the moment he receives another HL7 message from the database server containing the requested information. Note that the processing delay (e.g. the delay on the database server for performing the database transaction) is not taken into account.
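The load model behind Figure 2, as an added example that is not code from the paper: it layers the byte counts quoted above into the 380-byte datagram, computes the analytic offered load of the request direction for 600 users sending Poisson-distributed messages with a mean gap of two minutes, and cross-checks it against a seeded Monte Carlo draw of the arrivals over the 3600-second horizon. Only the request direction is modelled, and the uniform payload spread is replaced by its mean, which leaves the expected load unchanged.

```go
package main

import (
	"fmt"
	"math/rand"
)

// Per-layer sizes quoted in the paper, in bytes, plus the channel rate.
const (
	MeanPayload = 280  // mean HL7 application payload
	SSLOverhead = 48   // SSL/TLS record overhead as stated in the paper
	TCPOverhead = 32   // TCP header with timestamps
	IPOverhead  = 20   // IP header
	ChannelKbps = 1000 // 1 Mb/s IEEE 802.11 channel
)

// DatagramBytes is the size of the IEEE 802.11 MAC datagram carrying one HL7 payload.
func DatagramBytes(payload int) int {
	return payload + SSLOverhead + TCPOverhead + IPOverhead
}

// ExpectedLoadKbps is the analytic offered load of the request direction: each of
// users sends one datagram of size bytes every meanGapSec seconds on average.
func ExpectedLoadKbps(users int, meanGapSec float64, bytes int) float64 {
	return float64(users) / meanGapSec * float64(bytes) * 8 / 1000
}

// SimulateLoadKbps draws Poisson arrivals (exponential gaps with mean meanGapSec)
// for every user over horizonSec seconds and returns the measured average load.
func SimulateLoadKbps(users int, meanGapSec, horizonSec float64, bytes int, seed int64) float64 {
	r := rand.New(rand.NewSource(seed))
	bits := 0.0
	for u := 0; u < users; u++ {
		for t := r.ExpFloat64() * meanGapSec; t < horizonSec; t += r.ExpFloat64() * meanGapSec {
			bits += float64(bytes) * 8
		}
	}
	return bits / horizonSec / 1000
}

func main() {
	size := DatagramBytes(MeanPayload)
	analytic := ExpectedLoadKbps(600, 120, size)
	sim := SimulateLoadKbps(600, 120, 3600, size, 1)
	fmt.Printf("datagram %d B; expected %.1f kb/s; simulated %.1f kb/s; %.1f%% of a %d kb/s channel\n",
		size, analytic, sim, 100*analytic/ChannelKbps, ChannelKbps)
}
```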

[Figure 3 plot: Service Delay (msec), y-axis 0 to 12, against Time (sec), x-axis 0 to 3600.]

Figure 3. Service delay versus simulation time.

We observe that the service delay is less than a second, even for the best effort class considered in our case. Finally, Figure 4 depicts the service delay versus the HL7 message size in ASCII characters.

[Figure 4 plot: Service Delay (msec), y-axis 0 to 8000, against HL7 Message Size (ASCII chars), x-axis 0 to 18000.]

Figure 4. Service delay versus message size.

As we can see, the delay is low for messages up to 1500 characters, allowing a large amount of information to be contained in the messages. For messages beyond 1500 characters the system gets saturated and the delay increases significantly. For example, the service delay for a message consisting of 17196 characters is about 7.5sec.

5. Conclusions

Pervasive environments offer new possibilities for efficient and better e-health services. Still, the nature of medical environments imposes many restrictions and demands consideration of several factors, such as the limited computational, power and network bandwidth resources and, of course, security. In this paper we have presented an architecture that allows authorized medical personnel to access information from anywhere within a wirelessly covered area using portable wireless-enabled devices. We have presented our design choices for dealing with the hardware-specific problems and described our policy-based approach to access control enforcement. For interoperability we have selected the HL7 standard for message encoding; in order to ensure the confidentiality of messages we have used a combination of public key and shared key encryption techniques. We have also tested the validity of our approach by performing simulations in which we have estimated the number of queries and the resource consumption, measuring the ability of our platform to respond. We intend to apply our scenario on a wider scale and to measure our platform's performance through extensive testing and recording of efficiency parameters.

References

[1] The Pamvotis WLAN Simulator. Information available online at www.pamvotis.org.
[2] The Transport Layer Security Protocol Version 1.1, IETF, RFC 4346.
[3] Wireless Medicenter. http://www.wirelessmedicenter.com/mc/glance.cfm
[4] D. Brazier, Alpha Bravo Charlie Ltd. The m-care project. http://www.m-care.co.uk/tech.html
[5] A. Malatras, G. Pavlou, P. Belsis, S. Gritzalis, C. Skourlas, I. Chalaris, "Deploying Pervasive Secure Knowledge Management Infrastructures", International Journal of Pervasive Computing and Communications, Vol. 1, No. 4, pp. 265-276, 2005, Troubador Publishing.
[6] S. Gritzalis, P. Belsis, S. Katsikas, "Interconnecting autonomous medical domains: a security perspective", IEEE EMB Magazine, vol. 26, no. 5, pp. 23-28, Sept.-Oct. 2007, IEEE Press.
[7] S. Gatzoulis, I. Iakovidis, "Wearable and Portable e-health systems", IEEE EMB Magazine, vol. 26, no. 5, pp. 51-55, Sept.-Oct. 2007, IEEE Press.
[8] A. Choudhri, L. Kagal, A. Joshi, T. Finin, Y. Yesha, "PatientService: Electronic Patient Record Redaction and Delivery in Pervasive Environments", Fifth International Workshop on Enterprise Networking and Computing in Healthcare Industry (Healthcom 2003), Santa Monica, June 2003.
[9] http://www.pervasivehealthcare.dk/projects/index.html
[10] http://www.eecs.harvard.edu/~mdw/proj/codeblue/
