Masi, Massimiliano and Pugliese, Rosario and Tiezzi, Francesco Security Analysis of Standards-Driven Communication Protocols for Healthcare Scenarios. Journal of Medical Systems, 36 (6). pp. 3695-3711. ISSN 0148-5598 (2012)
Restricted to Registered users only until December 2013.
The importance of the ElectronicHealth Record (EHR), that stores all healthcare-related data belonging to a patient, has been recognised in recent years by governments, institutions and industry. Initiatives like the Integrating the Healthcare Enterprise (IHE) have been developed for the definition of standard methodologies for secure and interoperable EHR exchanges among clinics and hospitals. Using the requisites specified by these initiatives, many large scale projects have been set up for enabling healthcare professionals to handle patients’ EHRs. The success of applications developed in these contexts crucially depends on ensuring such security properties as confidentiality, authentication, and authorization. In this paper, we first propose a communication protocol, based on the IHE specifications, for authenticating healthcare professionals and assuring patients’ safety. By means of a formal analysis carried out by using the specification language COWS and the model checker CMC, we reveal a security flaw in the protocol thus demonstrating that to simply adopt the international standards does not guarantee the absence of such type of flaws. We then propose how to emend the IHE specifications and modify the protocol accordingly. Finally, we show how to tailor our protocol for application to more critical scenarios with no assumptions on the communication channels. To demonstrate feasibility and effectiveness of our protocols we have fully implemented them.
|Uncontrolled Keywords:||Healthcare Applications, Electronic Health Records, Medical Records Storage and Retrieval, Data Security, Authentication, Model Checking|
|Subjects:||Q Science > QA Mathematics > QA75 Electronic computers. Computer science|
|Research Area:||Computer Science and Applications|
|Depositing User:||Users 31 not found.|
|Date Deposited:||02 May 2013 13:50|
|Last Modified:||02 May 2013 13:51|
Actions (login required)