
Ebook: Security Standards for Healthcare Information Systems

Within the European Union's "Information Society Initiative in Standardisation", several partners from industry and universities worked on important aspects of standards for security and privacy in the Information Society. The book deals with the taxonomy of relevant standards and the identification of gaps in standards, and proposes requirements and specifications for emerging standards. It is completed by reports on the application, demonstration and validation of selected standards. It promotes awareness of the existence and usefulness of standards for privacy and security in Healthcare. The book addresses information scientists, healthcare professionals, administrators and managers, but also politicians.
The European Union's “Information Society Initiative in Standardisation” [ISIS] programme addressed the standardisation issues associated with the developing Information Society in various sectors. There were two projects dealing with various aspects of information security in Healthcare. They were:
• MEDSEC Healthcare Security and Privacy in the Information Society
• SEMRIC Secure Medical Record Information Communication
The outlines of both projects are available on the ISIS web site at the URL http://europa.eu.int/ISPO/isis/isishome.htm. As can be seen, SEMRIC was concerned with developing standards for Healthcare communications, while the MEDSEC project was mainly, but not exclusively, concerned with the more general issues of existing standards in Healthcare security and their validation. The MEDSEC project explored the security standards available for Medical Information Systems and was funded for the two years 1997-98. The EU Project Officers were, successively, Simon Smith and Erkki Laakso. However, Dr Petra Wilson, project officer for the Health Telematics ISHTAR project, kept in close contact as the MEDSEC project developed.
Many of the participants in the project had been involved in the earlier AIM project SEISMED [Secure Environment for Information Systems in MEDicine], which published Healthcare Security Guidelines as volumes 27 and 31-33 of the IOS series “Studies in Health Technology and Informatics”, and in the HT project ISHTAR [Implementing Secure Health Telematics Applications in Europe], which published in volume 66 of that series and is outlined on the web at http://www.ishtar.org.uk. The objective of participating in the MEDSEC project was to move on from the general investigation and development of security activities to establishing what support these activities could get from the standards community. The detailed list of the actual participants is given at the back of the book, but the participant organisations were:
• Expertnet, the project co-ordinator from Greece,
• the Universities of the Aegean and of Thessaloniki from Greece
• the University of Magdeburg from Germany
• the University Hospital of Leiden [now the Leiden University Medical Centre] from The Netherlands
• HISCOM from The Netherlands
• Research in Advanced Medical Informatics and Telematics vzw [RAMIT] from Belgium
• IGNIS Technologies Ltd from Ireland
• CENBIOTECH, Dijon from France [taking over the contract of the NHS Executive in England and sub-contracting Health Data Protection Ltd to carry out the work]
The work of the project focused on important aspects related to standards for security and privacy in the Information Society and was deployed along four main axes:
• Taxonomy of relevant standards
• Identification of gaps in standards
• Proposal of requirements and specifications for emerging standards
• Application, demonstration and validation of selected standards
• Awareness and promotion on the existence and usefulness of standards for privacy and security in Healthcare.
Most user organisations are unaware of on-going or existing standardisation work, a fact that justifies the need for both the first and the last directions of the proposed work. On the other hand, existing standards specific to Healthcare security and privacy are still quite young (hence untried) and require validation through actual trials in user organisations. Moreover, even though some technical standards exist, there is a definite need for developing standards for the management of security (i.e. standard security policies) within user organisations. It is believed that the results of the project will be very useful to user organisations, Healthcare Information System (HIS) developers and standardisation bodies such as CEN TC251 WG III and ISO 215 WG 4 as well as to “de facto” standardisation bodies such as HL7.
The work started with an examination of the available standards in Healthcare Security, and a Handbook of Standards for Security and Privacy in Healthcare was developed. It is intended to make this document available either on the IOS or the ASSIS web sites. ASSIS, Association pour la Sécurité des Systèmes d'Information de Santé, is the association that has been founded to provide continuing support for this work following the end of the SEISMED, ISHTAR and MEDSEC projects. It is hoped that the ASSIS web site, which will take over from the ISHTAR web site noted above, will continue to provide a valuable resource for Healthcare Security matters and activities.
The project itself continued with a review of the SEISMED High Level Security Policy, an extensive piece of work on Secure Medical Databases with a draft standard and some validation of the CEN TC 251 WG III pre-standard ENV 12924. A considerable amount of work was done on communications security which was absorbed into the international thinking and into HL7 standards in particular. Finally, a training package was developed on the basis of the standards listed in the Handbook. There were many other issues that were addressed by the project, and which can be found in the project deliverables, but the key matters have been included in the following chapters. Throughout, the emphasis has been on the draft standards that were developed rather than on the processes of developing them. It is hoped that the text will be of value to all those involved in developing security standards in Health Informatics, whether in the formal standards bodies or in the other networks of informal standards development.
This chapter presents the benefits resulting from standardisation in the field of Security in Healthcare Information Systems (HIS). Especially in the EU, standardisation appears as a key element for the effectiveness of the Single Market and the competitiveness of European industry.
The intense need for Healthcare information exchange has revealed a lack of interoperability of systems and applications. Security controls, usually based on proprietary methods and techniques, aggravate the current situation. However, timely development of HIS security standards may improve the interoperability and enable the integration of systems. This chapter provides an overview of the standardisation work that is being done by official standardisation organisations in Europe and world-wide.
Within the working programme of CEN/TC251 (Health Informatics), a standard for Security Categorisation and Protection for Healthcare Information Systems has been developed. This document was formally adopted in 1997 by CEN as pre-standard CEN ENV 12924 [1]. A demonstration and implementation effort, which was to be effected in principle at one location, was planned and executed as part of the MEDSEC project.
The standard CEN ENV 12924 contains a security categorisation model for information systems in Healthcare, distinguishing six categories, plus some refinements. For each category it specifies the required protection measures. The project task consisted of demonstrating and implementing the standard (as far as possible within a limited period) in a real life situation, and providing feedback on these results to the CEN organisation.
To this end, the categorisation scheme, as specified in the standard, was applied to a large part of the information (sub)-systems in the Leiden University Medical Centre. A set of ten sub-systems was then selected for a more detailed investigation. The actual protection status for each sub-system was evaluated on the basis of the recommended protection profiles specified in the standard. For each of the relevant recommendations in the standard, its status was recorded, and remarks were added on its relevance, feasibility, etc. These detailed data have been gathered in separate reports for each sub-system. These reports evidently are confidential, in view of protection of the hospital's information security.
A similar, though more limited exercise has been done at Magdeburg University Hospital (UHM), in order to be able to allow for possible differences in local situations. A thorough comparison of results for different hospitals was beyond the scope of the project, however.
From the overall picture we have tried to draw conclusions on the quality, completeness and applicability of the standard, as well as on the actual level of protection of the systems. As a by-product of the investigation, implementation plans have been specified for all systems in the small group to bring the protection in the various (sub)-systems to a higher level, where necessary. Subsequently, these plans have been realised to a large extent.
To facilitate the bookkeeping of the results, we have used the SIDERO model [2], resulting from the SEISMED project [3]. This model has been enhanced, for this purpose, with the recommendations from this standard. A brief description of this database model has been included in Appendix B.
As an overall conclusion, we may state that the standard has proven to be a very useful instrument, providing a good basis for a security review of the types of Healthcare information systems which are encountered in a hospital environment. Some suggestions have been presented for amending recommendations that were found too impractical or too heavy in the circumstances considered. Also, we suggest adding one category to the set of six which is being used now. Furthermore, the use of a ‘bookkeeping tool’ (such as SIDERO) is strongly recommended.
The document describes the applicability of the Internet standardisation efforts on secure electronic data interchange (EDI) transactions to Health Level-7 (HL7), an EDI standard for Healthcare used world-wide [1].
The document relies heavily on the work in progress by the IETF EDIINT working group. It is in most parts a restatement of EDIINT's requirements document and application statement 1 (AS#1), tailored to the needs of the HL7 audience. The authors tried to make the document as self-consistent as possible. The goal is to give a reader who is not a security or Internet standards expert enough foundational and detailed information to enable them to build communication software that complies with the Internet standards.
Even though the authors rely on and promote the respective Internet standards and drafts, they did not refrain from commenting on and criticising the work where they see upcoming problems in its use with HL7 or other EDI protocols that were not in the initial focus of the EDIINT working group. The authors make suggestions to add parameters to the specification of the MIME type for EDI messages in RFC 1767 in order to enhance functionality. The authors give use cases for a larger subset of disposition types and modifiers of message disposition notifications.
One key issue where the document goes beyond the current EDIINT drafts is the concept of non-repudiation of commitment to an EDI transaction. Secure EDI transactions should be regarded as “distributed contracts,” i.e. not only the sending and receiving of single messages should be non-repudiable, but also the connection between the messages of an interchange.
In anticipation of this requirement, HL7 usually requires a response message to be sent to acknowledge every transaction. The authors therefore require that an EDI response message be securely coupled to its request message. Given the current shape of RFC 1767, this is generally possible only if a response message is coupled with an MDN receipt and the combination of both is signed by the responder. The document describes a protocol to bundle the MDN and the response that uses the MIME multipart/related content type of RFC 2112.
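The coupling described in the last two paragraphs, worked through as an added example that is not part of the book nor of the HL7 or EDIINT specifications: the responder builds a multipart/related body carrying an MDN for the request next to the HL7 response and signs that body once; the requester verifies the signature and then checks that the MDN names the Message-ID and the digest of the request it actually sent before accepting the response. The sample HL7 messages, all host and message identifiers, the application/EDI-consent label for the HL7 parts and the Ed25519 key (standing in for the responder's S/MIME signing key) are assumptions made for this example; the MDN fields follow the message/disposition-notification layout in outline only.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"mime"
	"mime/multipart"
	"net/textproto"
)

// Constructed sample data (not from the book). The EDI parts use application/EDI-consent,
// the RFC 1767 type for EDI syntaxes other than X12 and EDIFACT; no HL7 subtype is assumed.
const (
	requestMessageID = "<req-0001@sender.example>"
	requestBody      = "MSH|^~\\&|HIS|SENDER|LAB|RECEIVER|199801011200||ADT^A01|req-0001|P|2.3\rPID|||12345^^^HIS||DOE^JOHN\r"
	responseBody     = "MSH|^~\\&|LAB|RECEIVER|HIS|SENDER|199801011201||ACK^A01|rsp-0001|P|2.3\rMSA|AA|req-0001\r"
	ediContentType   = "application/EDI-consent"
	mdnContentType   = "message/disposition-notification"
)

// Throwaway responder key from a fixed seed (demo only); Ed25519 stands in for an S/MIME key.
var responderPriv = ed25519.NewKeyFromSeed([]byte("constructed-demo-seed-32-bytes!!"))
var responderPub = responderPriv.Public().(ed25519.PublicKey)

// contentMIC is the Received-Content-MIC field of the MDN: a digest of the request as received.
func contentMIC(request []byte) string {
	sum := sha256.Sum256(request)
	return base64.StdEncoding.EncodeToString(sum[:]) + ", sha256"
}

// buildBundle is the responder's side: one multipart/related body whose first part is the
// MDN for the request and whose second part is the response. Returns body and Content-Type.
func buildBundle(request []byte, reqMsgID string, response []byte) ([]byte, string) {
	var buf bytes.Buffer
	w := multipart.NewWriter(&buf)
	addPart := func(ctype, body string) {
		p, _ := w.CreatePart(textproto.MIMEHeader{"Content-Type": {ctype}}) // fails only after Close
		io.WriteString(p, body)
	}
	// MDN fields; the empty line terminates the field block.
	addPart(mdnContentType, fmt.Sprintf("Original-Message-ID: %s\r\n"+
		"Disposition: automatic-action/MDN-sent-automatically; processed\r\n"+
		"Received-Content-MIC: %s\r\n\r\n", reqMsgID, contentMIC(request)))
	addPart(ediContentType, string(response))
	w.Close()
	ctype := mime.FormatMediaType("multipart/related",
		map[string]string{"boundary": w.Boundary(), "type": mdnContentType})
	return buf.Bytes(), ctype
}

// signBundle signs the whole bundle, so MDN and response are bound under one signature.
func signBundle(bundle []byte) []byte {
	return ed25519.Sign(responderPriv, bundle)
}

// verifyBundle is the requester's side: verify the signature over the bundle, confirm the
// MDN refers to the request actually sent, and only then accept the coupled response.
func verifyBundle(pub ed25519.PublicKey, bundle, sig []byte, contentType string, request []byte, reqMsgID string) ([]byte, error) {
	if !ed25519.Verify(pub, bundle, sig) {
		return nil, errors.New("signature over bundle does not verify")
	}
	mediaType, params, err := mime.ParseMediaType(contentType)
	if err != nil || mediaType != "multipart/related" {
		return nil, errors.New("not a multipart/related bundle")
	}
	// Collect parts by lower-cased media type; a read error ends the loop and the checks below reject the bundle.
	parts := map[string][]byte{}
	mr := multipart.NewReader(bytes.NewReader(bundle), params["boundary"])
	for p, err := mr.NextPart(); err == nil; p, err = mr.NextPart() {
		ct, _, _ := mime.ParseMediaType(p.Header.Get("Content-Type"))
		parts[ct], _ = io.ReadAll(p)
	}
	mdnBody, response := parts[mdnContentType], parts["application/edi-consent"]
	if mdnBody == nil || response == nil {
		return nil, errors.New("bundle must carry both an MDN and a response")
	}
	fields, err := textproto.NewReader(bufio.NewReader(bytes.NewReader(mdnBody))).ReadMIMEHeader()
	if err != nil && err != io.EOF {
		return nil, err
	}
	if fields.Get("Original-Message-ID") != reqMsgID {
		return nil, errors.New("MDN does not refer to the request we sent")
	}
	if fields.Get("Received-Content-MIC") != contentMIC(request) {
		return nil, errors.New("MDN digest does not match the request we sent")
	}
	return response, nil
}

func main() {
	bundle, ctype := buildBundle([]byte(requestBody), requestMessageID, []byte(responseBody))
	rsp, err := verifyBundle(responderPub, bundle, signBundle(bundle), ctype, []byte(requestBody), requestMessageID)
	fmt.Printf("Content-Type: %s\n%s\naccepted: %v err: %v\n", ctype, bundle, rsp != nil, err)
}
```

Because the signature covers the bundle as a whole, neither part can be swapped without invalidating it, and because the requester compares the MDN's Original-Message-ID and Received-Content-MIC with the request it sent, a validly signed MDN for some other message does not let a response be attached to this one.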