Security in e-Health: Information classification mapping into security technologies

Abstract

This research work addresses security-related issues in the electronic and mobile healthcare environments and proposes an appropriate security framework. The proposed framework will identify the necessary security technologies and measures needed to achieve and maintain the security of people, data and infrastructure of the healthcare environment. The study is made in the context of DITIS, a homecare telemedicine application. The framework uses the OCTAVE risk evaluation methodology to identify the risks and areas of concern that address security challenges that should be taken into consideration when implementing security. The security technologies and procedures proposed in the framework are categorized based on the security objective they serve i.e. confidentiality, integrity, availability, legal conformance. By categorizing technologies based on security objectives we aim in helping people identify the technology they need to implement, based on what they want to protect. The framework is extended to define a security-level information classification scheme that categorizes information based on its sensitivity (public, internal-use only, confidential, highly confidential). The classification is then associated with the appropriate security technologies that should be considered under each classification level. By associating security technologies with the information classification, the framework aims in balancing the trade-off between security complexity and performance of the system; it will provide guidelines for implementing the necessary measures and technologies, without complicating the operation of the system or saturating its performance with unnecessary functionality. Finally, an appropriate evaluation is applied on the proposed framework, as well as on DITIS which currently implements some aspects of the framework. Evaluation is essential to assess if the system’s security capabilities and procedures represent the security needs and requirements of the users that rely on the system to perform their job well. However, since it is not feasible to conduct a complete system-technical evaluation as DITIS has not reached its final operational state and security is still an ongoing activity, ISO/ IEC 17799 standard entitled Information technology - Security techniques - Code of practice for information security management has been selected to evaluate the proposed security framework. The standard provides best practice recommendations on information security management for use by those who are responsible for initiating, implementing or maintaining information security management systems; in general, it deals with the examination of non-technical issues related to personnel, procedural, physical security and security management. Therefore, it could be useful as a high-level evaluation of the proposed security framework, assessing the completeness of the framework against well-known practices. The result of the evaluation is expected to show if the proposed security framework implements adequate techniques and procedures providing the needed protection in the healthcare environment and identify the areas that need to address additional security measures.