
UICC's Consultation Center

12 Security and Safety

12.1 Security of System and Data Access

Experience has shown that the main breaches of data security are not caused by outsiders, but often by insiders. The transmission of sensitive data by insiders to outsiders cannot be prevented by technical means alone [Runkel, 1997, pp. 127 ff.]. Nevertheless, technical as well as organizational measures have to be taken to protect sensitive patient data as well as possible. In general, these security measures have to be managed and controlled locally.

Security of Location

First of all, security depends on the location and accessibility of computers and telepathology systems. The question is whether only the staff of the organization is able to access the computer room, or whether rooms are also frequented by patients or other people. The problem of physical computer access is not just a problem of telepathology, but of the whole health care delivery system, since computers holding sensitive patient data are available on almost every physician's desk. Unfortunately, measures like special access controls on doors, identification of staff, continuous control by security personnel or room surveillance techniques are often not practicable in the health care environment [Ulsenheimer, 1999, p. 201]. Telepathology, however, mostly has the advantage that contact with patients is low and that the surgeon's and the pathologist's offices are at separate locations. Therefore the problem of accessibility can be solved more easily.

Computer equipment has to be protected not just from unauthorized access and vandalism, but also from natural catastrophes like fire or water. In any case, data backups have to be made frequently and stored safely.

Data and System Access Security

Different physicians may have different access rights to patient and image data. Therefore, at institutions where online databases of pathological cases are maintained, the control of data views has to be taken seriously [O'Brien, 1998, p. 152]. Access to systems and data can be regulated by authorization concepts (exact definition of responsibilities, task protocol), user identification and password control [Ulsenheimer, 1999, p. 200; Marquart, 1997, pp. 78 ff.; Thiel, 1997, p. 135; Wyman, 1994]. Access to the telepathology network is currently often controlled by a secure chip card, the Health Professional Identification Card [Allaert, 1999].
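The following Go program is an added example of such a data-view control; it is not code from the thesis or from any of the cited institutions. It assumes three roles (treating physician, remote consultant, registrar), a constructed patient record, and a keyed-hash pseudonym so that the consulting site receives the case and the image but never the patient's identity. Every decision, granted or denied, is written to an audit trail.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Role of the requesting user. The role names are assumptions for this example.
type Role int

const (
	RoleTreatingPhysician Role = iota // attending physician at the sending site
	RoleConsultant                    // pathologist at the remote consultation site
	RoleRegistrar                     // administrative staff at the sending site
	RoleOther                         // anyone else
)

// PatientRecord is a constructed case record: identity data plus case data.
type PatientRecord struct {
	PatientID   string // local hospital identifier
	Name        string
	DateOfBirth string
	ImageRef    string // reference to the slide image
	Question    string // clinical question for the consultant
	Diagnosis   string
}

// CaseView is the subset of a record a user is allowed to see.
type CaseView struct {
	CaseRef     string // real patient ID or a pseudonym, depending on the role
	Name        string
	DateOfBirth string
	ImageRef    string
	Question    string
	Diagnosis   string
}

// AuditEntry records every access decision, granted or not.
type AuditEntry struct {
	User      string
	Role      Role
	PatientID string
	Granted   bool
}

var ErrDenied = errors.New("access denied")

// Gateway holds the pseudonymization key (kept at the sending site only)
// and the audit trail.
type Gateway struct {
	key   []byte
	Audit []AuditEntry
}

// Pseudonym derives a case reference from the patient ID with a keyed hash:
// the consultant can refer to the case, the sending site can re-link the reply,
// and nobody without the key can recover the patient ID from the reference.
func (g *Gateway) Pseudonym(patientID string) string {
	m := hmac.New(sha256.New, g.key)
	m.Write([]byte(patientID))
	return "CASE-" + hex.EncodeToString(m.Sum(nil))[:16]
}

// View applies the policy: deny by default, each role gets only the fields it needs.
func (g *Gateway) View(role Role, r PatientRecord) (CaseView, error) {
	switch role {
	case RoleTreatingPhysician: // full record, including identity and findings
		return CaseView{r.PatientID, r.Name, r.DateOfBirth, r.ImageRef, r.Question, r.Diagnosis}, nil
	case RoleConsultant: // case data under a pseudonym; identity never leaves the site
		return CaseView{CaseRef: g.Pseudonym(r.PatientID), ImageRef: r.ImageRef,
			Question: r.Question, Diagnosis: r.Diagnosis}, nil
	case RoleRegistrar: // identity for scheduling, but no image or findings
		return CaseView{CaseRef: r.PatientID, Name: r.Name, DateOfBirth: r.DateOfBirth}, nil
	default:
		return CaseView{}, ErrDenied
	}
}

// Access is the single entry point: every decision is written to the audit trail.
func (g *Gateway) Access(user string, role Role, r PatientRecord) (CaseView, error) {
	v, err := g.View(role, r)
	g.Audit = append(g.Audit, AuditEntry{user, role, r.PatientID, err == nil})
	return v, err
}

func main() {
	g := &Gateway{key: []byte("site-secret-pseudonymization-key")} // constructed key
	rec := PatientRecord{"P-4711", "Erika Mustermann", "1950-03-14",
		"slide://lab/2001/0815", "Suspected adenocarcinoma?", ""} // constructed record
	users := []struct {
		name string
		role Role
	}{{"dr.schmidt", RoleTreatingPhysician}, {"prof.consult", RoleConsultant},
		{"registry", RoleRegistrar}, {"guest", RoleOther}}
	for _, u := range users {
		v, err := g.Access(u.name, u.role, rec)
		fmt.Printf("%-13s %+v err=%v\n", u.name, v, err)
	}
}
```

The pseudonym is an HMAC rather than a plain hash so that a consultant who knows the hospital's ID format cannot simply hash candidate IDs and re-identify the case; the key therefore has to stay at the sending site.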

12.2 Stability of Telepathology Systems

When relying on telepathology, the pathologist has to be certain that the system is usable and that system errors (technical errors as well as errors due to improper human operation) will not occur. User studies have already shown that the availability of the system, for both the consultant and the remote client, is judged essential for increasing future usage [Ricci, 1997, p. 203]. Nevertheless, it can never be guaranteed that there will be no system errors or even system breakdowns. The question is how to keep system interruptions to a minimum.

Security and Safety Page: 148

First of all, telepathology systems should only be allowed on the market if, analogous to the MOT vehicle inspection, an independent technical control organization (e.g. the BSI67, the German Federal Office for Information Security) certifies their quality. In addition, systems should be checked at regular intervals to guarantee system functionality [Berger, 1997].

Pathologists, clinical technicians and other health care support staff may often be befuddled by the technical or logistical complexities of using scanners, networks and telecommunication links. Again, systems need to be kept simple and robust in usage, so that errors due to operating mistakes are few. Help menus and well-written system descriptions may give the physician first advice in case of system errors. Besides adequate training of telepathology participants, qualified services should be available: a 24-hour staffed help desk is needed with certified telepathology technicians who not only understand how to operate scanners and run computers, but also know about pathological processes. Since such technicians are quite expensive, the realization of such a service remains a subject for future consideration.

In Vermont such a help desk is already available. The focus of the technicians is to fix the problem as soon as possible so that the conference or consultation can proceed. Inevitably, they troubleshoot by repeating a number of steps that worked in the past, such as rebooting the computer. In such situations they concluded that the problem was software related.

An unusually high number of errors also occurred due to hardware failures. Problems with the ISDN lines were a further source of system interruption. On occasion, ISDN-related problems were the result of user errors, but they were also due to network problems [Ricci, 1997, p. 202].

Difficulties with ISDN were also reported from Basel (Switzerland) and Heidelberg (Germany). In Heidelberg unexpected breakdowns of the ISDN connection occurred in 4 of 25 transmissions68 [Kayser, 1995/(1), pp. 58, 59]. In a trial of static systems using ISDN in Sweden, no connection could be established in 45 % of the cases due to malfunctions in the network or terminal [Olsson, 1995, p. 240]. To solve problems as fast as possible, assessment tools for the investigation of errors were employed in Vermont. It is also of great value that errors of the past are analyzed and documented so that they can be avoided in the future. If it is not possible to get the system running or to establish a communication link, an emergency concept has to be available. In general, if a total system breakdown occurs, processes will be executed in the conventional manner.

12.3 Data Transmission Security

"Cracking the code protecting medical data transmissions might be a game to a student or electronic media aficionado, but not to those whose private parts end up on some strange person’s computer screen ... more-secure methods of data transmission and encryption need to be established." [Karinch in Blanton, 1995].

Firewalls and Private Networks

Using telemedicine systems, data are transmitted over local and public networks, which mostly can easily be eavesdropped on. Careless data transfer opens the door for malicious programs and viruses. By using standard software packages with macro features, e-mail, or downloads of WWW information, even the careful user is not safe, and so-called 'firewalls' are easily bypassed. Firewalls are security shields around an organization that control safe data input from external parties. In general, with a firewall it is not possible to build up a direct connection from outside to the internal computers behind the wall, but data exchange initiated by internal users towards external parties is possible [Thiel, 1997, pp. 132 ff.; Allaert, 1999].

67 Bundesamt für Sicherheit in der Informationstechnik (Federal Office for Information Security), Germany

68 ISDN test between Heidelberg and Stuttgart. ISDN line breakdowns could only be detected by separate conventional telephone calls. Failures of the modems could be excluded because no acoustic information transfer by ISDN telephones was possible for hours. The technical reasons for the acute breakdowns were not known. Fortunately, complete breakdowns of connections over telephone lines at 2400 baud were observed very rarely, in less than 1 % of cases.

'Screening routers' are, for example, firewalls at the network layer (ISO/OSI layer 3), which filter the communication between computers by address and port. Another possibility are 'application gateways', which first simulate the application on the firewall. In this way no direct connection with external computers is established, and the application gateway checks the input data. However, even where firewalls are employed, the use of the Internet and the TCP/IP protocol still carries the risk that IP packets or sender addresses are manipulated (IP spoofing) in order to gain access to sensitive information or even to add, for example, 'electronic bombs' to transmitted data. That is why some organizations have started to place sensitive data on a highly secure internal network, which only grants restricted access to the Internet [Runkel, 1997, p. 127].
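As an added illustration of a screening router (not code from the thesis or from any cited product), the Go program below filters constructed packets according to the three rules the paragraph describes: outsiders may not claim an internal sender address, connections may only be opened from inside, and inbound packets are accepted only as replies to a connection opened from inside. The hospital address range 10.1.0.0/16, the interface names and the packet fields are assumptions of this example.

```go
package main

import (
	"fmt"
	"net"
)

// Packet is the subset of IP/TCP header fields the screening router looks at.
type Packet struct {
	Iface   string // "ext" (public network side) or "int" (hospital LAN side)
	Src     string
	Dst     string
	SrcPort int
	DstPort int
	Syn     bool // TCP SYN without ACK: a new connection attempt
}

type Verdict string

const (
	Accept Verdict = "ACCEPT"
	Drop   Verdict = "DROP"
)

// Router is a screening router between the hospital LAN and the public network.
type Router struct {
	Internal    *net.IPNet
	established map[string]bool // flows opened from inside, keyed by 4-tuple
}

func NewRouter(cidr string) *Router {
	_, n, err := net.ParseCIDR(cidr)
	if err != nil {
		panic(err)
	}
	return &Router{Internal: n, established: map[string]bool{}}
}

func flowKey(a string, ap int, b string, bp int) string {
	return fmt.Sprintf("%s:%d>%s:%d", a, ap, b, bp)
}

// Filter returns the verdict and the rule that produced it.
func (r *Router) Filter(p Packet) (Verdict, string) {
	src, dst := net.ParseIP(p.Src), net.ParseIP(p.Dst)
	if src == nil || dst == nil {
		return Drop, "unparseable address"
	}
	srcInternal := r.Internal.Contains(src)
	switch p.Iface {
	case "ext":
		if srcInternal { // anti-spoofing: our own addresses never arrive from outside
			return Drop, "spoofed internal source on external interface"
		}
		if !r.Internal.Contains(dst) {
			return Drop, "not addressed to the internal network"
		}
		if p.Syn { // nobody outside may open a connection to us
			return Drop, "inbound connection attempt"
		}
		if r.established[flowKey(p.Dst, p.DstPort, p.Src, p.SrcPort)] {
			return Accept, "reply to a connection opened from inside"
		}
		return Drop, "no matching internal connection"
	case "int":
		if !srcInternal { // the mirror rule: internal hosts must use internal addresses
			return Drop, "non-internal source on internal interface"
		}
		if p.Syn {
			r.established[flowKey(p.Src, p.SrcPort, p.Dst, p.DstPort)] = true
		}
		return Accept, "outbound traffic"
	}
	return Drop, "unknown interface"
}

func main() {
	r := NewRouter("10.1.0.0/16") // constructed hospital LAN
	packets := []Packet{ // constructed traffic
		{"ext", "10.1.2.3", "10.1.0.10", 40000, 80, false},      // spoofed internal sender
		{"ext", "198.51.100.7", "10.1.0.10", 40000, 22, true},   // outsider opens SSH
		{"int", "10.1.0.10", "198.51.100.7", 40001, 443, true},  // pathologist opens HTTPS
		{"ext", "198.51.100.7", "10.1.0.10", 443, 40001, false}, // the server's reply
		{"ext", "198.51.100.7", "10.1.0.10", 443, 40002, false}, // unsolicited "reply"
	}
	for _, p := range packets {
		v, why := r.Filter(p)
		fmt.Printf("%-6s %-16s -> %-16s %s\n", v, p.Src, p.Dst, why)
	}
}
```

The filter only checks addresses and ports, which is exactly why the paragraph's caveat stands: a forged packet with a plausible external sender address and guessed port numbers is still accepted as a "reply", so data that must not be exposed belongs on the separate internal network rather than behind the router alone.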

To minimize infection by computer viruses, it is important to use up-to-date anti-virus software as a second line of defence for access to workstations and medical databases.

Security of Public Networks

In general the question arises whether medical information systems should be linked at all to public networks in order to exchange their sensitive data via open networks like the Internet, especially since the security concerns of Internet technology and applications are not regarded as resolved [Hatcher, 1998/(1), p. 376; Pommerening, 1996, p. 7]. Systematic analyses of threats and security risks are necessary to develop adequate specifications, concepts and mechanisms to ensure safe communication between partners. These concepts have to take all layers of the ISO/OSI model for open systems interconnection into consideration. A conceptual overview of these layers and their requirements for communication security was designed by Blobel, who distinguishes between communication security and application security and regards both in the context of data, algorithm, mechanism, service and concept relations. Within this distinction, several sets of security services have to be ensured, for example the authentication, integrity and confidentiality of the transferred information, which is mostly realized by standard formats at the application layer like HL7, EDIFACT, XML or MIME. Furthermore, the integrity of the transmission has to be guaranteed, i.e. that the original message and the received message are identical; on the transport level this is achieved by SSL (Secure Sockets Layer) [Blobel, 1998, pp. 72 ff.].

    Client                                      Server

    ClientHello                   -------->
                                  <--------    ServerHello
                                               [Certificate]
                                               [ServerKeyExchange]
                                               [CertificateRequest]
                                               ServerHelloDone
    [Certificate]
    ClientKeyExchange
    [CertificateVerify]
    ChangeCipherSpec
    Finished                      -------->
                                  <--------    ChangeCipherSpec
                                               Finished
    Application data              <------->    Application data

Figure 15: SSL connection between client and server; messages in brackets are optional [Matthies, 1998, p. 100].
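The exchange of Figure 15, run end to end as an added example (this is not code from the thesis or from Matthies; it is written for this page): a Go TLS server on the loopback interface answers a consultation report, and a client sends the report twice, once without trusting the server's certificate issuer and once with it. The self-signed certificate, the loopback address 127.0.0.1 and the "ACK:" reply format are assumptions of this example; in practice the certificate would come from a certification authority.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// SelfSignedCert generates an ECDSA key and a self-signed certificate valid for
// 127.0.0.1. Self-signing only keeps the example offline; it stands in for the
// certificate the "[certificate]" message of Figure 15 carries.
func SelfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "telepathology-server"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// StartServer listens with TLS on a loopback port and acknowledges each report.
// It returns the address to dial and a function that stops the server.
func StartServer(cert tls.Certificate) (string, func(), error) {
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				buf := make([]byte, 4096)
				n, err := c.Read(buf) // the first Read runs the handshake of Figure 15
				if err != nil {
					return // e.g. the client aborted because it could not verify us
				}
				c.Write(append([]byte("ACK: "), buf[:n]...))
			}(c)
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

// SendReport dials the server, verifies its certificate against roots, sends the
// report over the encrypted channel and returns the acknowledgement. If roots
// does not contain the server's issuer, the handshake fails before any report
// data leaves the client.
func SendReport(addr string, roots *x509.CertPool, report string) (string, error) {
	cfg := &tls.Config{RootCAs: roots, ServerName: "127.0.0.1", MinVersion: tls.VersionTLS12}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	if _, err := conn.Write([]byte(report)); err != nil {
		return "", err
	}
	buf := make([]byte, 4096)
	n, err := conn.Read(buf)
	if err != nil && !errors.Is(err, io.EOF) {
		return "", err
	}
	return string(buf[:n]), nil
}

func main() {
	cert, leaf, err := SelfSignedCert()
	if err != nil {
		panic(err)
	}
	addr, stop, err := StartServer(cert)
	if err != nil {
		panic(err)
	}
	defer stop()
	_, err = SendReport(addr, x509.NewCertPool(), "case 0815: benign") // trusts nobody
	fmt.Println("untrusted issuer:", err)
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // trusts the server's certificate
	reply, err := SendReport(addr, pool, "case 0815: benign")
	fmt.Println("trusted issuer:", reply, err)
}
```

The point of the failed first attempt is that confidentiality without authentication is worthless here: a client that skips certificate verification would happily encrypt the report for whoever answers on the line.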


Other approaches for secure medical data exchange are investigated in Berlin, Germany, within the MedSeC project. The University of Berlin, the Benjamin Franklin Medical Center and the Technical University of Berlin are testing a combination of TCP/IP with online encryption features and FTP transport protocols in combination with DICOM standards [Bernarding, 1998, pp. 91 ff.]. Investigations showed that encrypting the data at the TCP/IP level with SSL, which can be implemented on every computer, reduces the data transfer rate. Encrypting all data between routers depends on hardware components and is therefore quite inflexible. High transmission speed is needed for the transfer of images.

This makes full online encryption almost unacceptable. That is why it is being tested to encrypt only parts of the data, e.g. the patient-related sensitive ASCII data. Special dynamic features will later recombine the encrypted sensitive data with the unencrypted data at the receiving end [Thiel, 1997, pp. 132 ff.].
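The Go program below is an added example of this partial encryption; it is not the MedSeC implementation and makes no claim about how that project realized it. It encrypts only the small identity block with AES-GCM and sends the image in clear, and it goes one step beyond the paragraph: the hash of the clear image is fed into the authentication tag as associated data, so the receiver can only reassemble the record if neither part was altered in transit. The record layout, the JSON encoding of the identity block and the 32-byte key are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Identity is the small, sensitive ASCII part of a case record.
type Identity struct {
	PatientID   string `json:"patient_id"`
	Name        string `json:"name"`
	DateOfBirth string `json:"dob"`
}

// Record is a case as held on the sending workstation.
type Record struct {
	Identity Identity
	Image    []byte // bulk image data, sent in clear to keep the transfer fast
}

// Envelope is what travels over the network.
type Envelope struct {
	Nonce    []byte // AES-GCM nonce, unique per envelope
	SealedID []byte // encrypted identity block plus authentication tag
	Image    []byte // unencrypted image
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts only the identity block. The hash of the image is passed
// as associated data, so the tag covers the image although it is not encrypted.
func SealRecord(key []byte, r Record) (Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	plain, err := json.Marshal(r.Identity)
	if err != nil {
		return Envelope{}, err
	}
	imgHash := sha256.Sum256(r.Image)
	sealed := gcm.Seal(nil, nonce, plain, imgHash[:])
	return Envelope{Nonce: nonce, SealedID: sealed, Image: r.Image}, nil
}

// OpenRecord reverses SealRecord at the receiving end. Any change to the sealed
// identity or to the clear image makes authentication fail, so the record is
// either reassembled exactly as sent or rejected as a whole.
func OpenRecord(key []byte, e Envelope) (Record, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Record{}, err
	}
	imgHash := sha256.Sum256(e.Image)
	plain, err := gcm.Open(nil, e.Nonce, e.SealedID, imgHash[:])
	if err != nil {
		return Record{}, errors.New("envelope rejected: identity block or image was modified")
	}
	var id Identity
	if err := json.Unmarshal(plain, &id); err != nil {
		return Record{}, err
	}
	return Record{Identity: id, Image: e.Image}, nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed key; derive or exchange a random one in practice
	rec := Record{
		Identity: Identity{"P-4711", "Erika Mustermann", "1950-03-14"},
		Image:    bytes.Repeat([]byte{0xAB, 0xCD}, 1<<16), // constructed stand-in for a slide image
	}
	env, err := SealRecord(key, rec)
	if err != nil {
		panic(err)
	}
	fmt.Println("name visible on the wire:", bytes.Contains(env.SealedID, []byte("Mustermann")))
	back, err := OpenRecord(key, env)
	fmt.Printf("received: %+v err=%v\n", back.Identity, err)
	env.Image[100] ^= 0xFF // tamper with the clear image in transit
	_, err = OpenRecord(key, env)
	fmt.Println("after tampering with the image:", err)
}
```

Whether leaving the image in clear is acceptable depends on whether the image itself can identify the patient; the scheme only removes the identifying text from the exposed part of the transfer.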

Other research projects which are currently investigating security requirements and systematically developing protocols for security mechanisms and services are ISHTAR (Implementing Secure Health Telematics Applications in Europe), TrustHealth-1 and TrustHealth-2, MEDSEC, EUROMED-ETS, HANSA and DIABCARD. An organization which is also engaged in the development of security standards is the ITU (International Telecommunication Union) in Geneva, Switzerland.

Electronic Signature - Health Care Professional Card

With the increasing penetration of computers into the physician's work environment, simple but secure authentication solutions for users, applications, systems and machines have to be introduced. Thus the idea of a 'health professional card' was born. This chip card basically contains public key algorithms together with a secret key, as well as qualification and authority statements of the legitimate user. Through the combination of possessing such a card and knowing the secret PIN code for it, a high security level can be reached. As soon as the user has activated the card with the PIN code, the cryptographic processes are used automatically by the system [Debold, 1998, pp. 84 ff.; Kayser, 2000]. Further approaches to identification are, for example, biometric methods like fingerprints in combination with card terminals.

Cryptographic Coding

Cryptography is the science of encryption. A distinction is made between symmetric and asymmetric procedures. In symmetric encryption, sender and receiver use the same key, whereas in asymmetric encryption two matching keys are used: encryption is done with the generally known 'public key' of the addressee, taken from a central key server and certified and controlled by a certification authority, whereas decryption is done with a 'private key' known only to the receiver [Hufnagl, 1999, p. 95; Thiel, 1997, p. 134]. This encryption is done at the application level. In general, encryption software has to be installed either on the workstation or at the telecommunications router level [Allaert, 1999]. Programs for encrypting and digitally signing are available on the Internet69 [Agbamu, 1997, p. 1440].

69 PGP (Pretty Good Privacy) program, available free of charge on the Internet: http://web.mit.edu/network/pgp-form.html (for citizens of North America); http://www.ifi.uio.no/~staalesc/PGP/ (for the rest of the world)


Cryptography not only guarantees that data cannot be read by unauthorized persons, but also provides features to identify communication partners unambiguously. In addition, cryptography supports tamper-proof data handling and thereby guarantees the binding character (non-repudiation) of documents and communication contents. The means for that is the electronic signature. One example of handling the encryption keys is the use of chip cards as described before. In any case, if patient data are exchanged between telepathology partners, their safety has to be guaranteed by the employed security features.
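The Go program below is an added example that combines the two preceding paragraphs (asymmetric encryption with the addressee's public key, and the electronic signature produced by a PIN-activated card); it is not code from the thesis, from the HPC specification or from PGP. It models the health professional card as an Ed25519 signing key that only works after the PIN has been entered, signs a short report with it, and encrypts report plus signature with the recipient's RSA public key (RSA-OAEP with SHA-256). The PIN "1234", the report text and the fact that the card key lives in memory rather than on a chip are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Card models the health professional card: a signing key pair that is only
// usable after the holder has entered the PIN. On a real card the private key
// never leaves the chip; here it is held in memory (assumption of this example).
type Card struct {
	Pub      ed25519.PublicKey
	priv     ed25519.PrivateKey
	pinHash  [32]byte
	unlocked bool
}

func NewCard(pin string) (*Card, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{Pub: pub, priv: priv, pinHash: sha256.Sum256([]byte(pin))}, nil
}

// Unlock activates the card; the PIN is compared in constant time.
func (c *Card) Unlock(pin string) bool {
	h := sha256.Sum256([]byte(pin))
	c.unlocked = subtle.ConstantTimeCompare(h[:], c.pinHash[:]) == 1
	return c.unlocked
}

// Lock deactivates the card, e.g. when it is removed from the terminal.
func (c *Card) Lock() { c.unlocked = false }

var (
	ErrLocked  = errors.New("card not activated")
	ErrTooLong = errors.New("message too long for one RSA-OAEP block")
	ErrBadSig  = errors.New("signature does not verify against the expected signer")
)

const sigLen = ed25519.SignatureSize // 64 bytes

// SignAndEncrypt signs the message with the card and encrypts message plus
// signature with the recipient's public key. Only the holder of the matching
// private key can read it, and only the card holder could have signed it.
func (c *Card) SignAndEncrypt(recipient *rsa.PublicKey, msg []byte) ([]byte, error) {
	if !c.unlocked {
		return nil, ErrLocked
	}
	sig := ed25519.Sign(c.priv, msg)
	payload := append(append([]byte{}, msg...), sig...)
	// OAEP with SHA-256 and a 2048-bit key carries at most 190 bytes; longer
	// documents would need a hybrid scheme (symmetric key wrapped by RSA).
	if len(payload) > recipient.Size()-2*sha256.Size-2 {
		return nil, ErrTooLong
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, payload, nil)
}

// DecryptAndVerify is run by the recipient with their private key and the
// sender's public key, which would be taken from the card's certificate.
func DecryptAndVerify(recipient *rsa.PrivateKey, signer ed25519.PublicKey, ct []byte) ([]byte, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, ct, nil)
	if err != nil {
		return nil, err
	}
	if len(plain) < sigLen {
		return nil, ErrBadSig
	}
	msg, sig := plain[:len(plain)-sigLen], plain[len(plain)-sigLen:]
	if !ed25519.Verify(signer, msg, sig) {
		return nil, ErrBadSig
	}
	return msg, nil
}

func main() {
	recipient, err := rsa.GenerateKey(rand.Reader, 2048) // the consultant's key pair
	if err != nil {
		panic(err)
	}
	card, err := NewCard("1234") // constructed PIN
	if err != nil {
		panic(err)
	}
	report := []byte("P-4711: invasive ductal carcinoma, grade 2")
	if _, err := card.SignAndEncrypt(&recipient.PublicKey, report); err != nil {
		fmt.Println("before PIN entry:", err)
	}
	card.Unlock("1234")
	ct, err := card.SignAndEncrypt(&recipient.PublicKey, report)
	if err != nil {
		panic(err)
	}
	msg, err := DecryptAndVerify(recipient, card.Pub, ct)
	fmt.Printf("recipient reads: %q err=%v\n", msg, err)
	ct[0] ^= 1 // any modification in transit
	_, err = DecryptAndVerify(recipient, card.Pub, ct)
	fmt.Println("after tampering:", err)
}
```

The signature is placed inside the encrypted block rather than over the ciphertext, so a third party who intercepts the message cannot strip the signature and re-sign the same ciphertext as their own; the recipient learns who signed only after decrypting, which is the order the electronic-signature requirement in the text calls for.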

12.4 Conclusion

Utilizing telepathology applications, sensitive patient data are processed. That is why, first of all, data and systems have to be located in rooms where access security is guaranteed. Since telepathology demands data exchange over open networks, the security of external data transfer is often named as a problem. Data security and protection in open information and communication systems need mature security methods like cryptography or the splitting of patient data and case data. Only if the safety of data communication is ensured is the exchange of sensitive data acceptable. If telepathology systems are used for telediagnosis and teleconsultation, system stability and system reliability are further important issues which have to be regarded carefully, since unreliable systems may lead to reduced acceptance by the users (for the judgements of this study about security factors see chapters 18.3.8, 19.1.2.2 and 19.1.2.5).
