686 CHAPTER 27 Security and Privacy for Mobile Health-Care (m-Health) Systems

except the family and P-device can link the stored PHI files to a particular patient.

2. Fail-Open: We say that the HIPS system is fail-open if the system provides backup mechanisms to successfully retrieve patients' PHI in case of emergency while preserving the above privacy requirement.

3. Access Control (Authorization): HIPS realizes access control if no physicians other than the authorized ones can gain access to the patient's PHI or the SHI.

4. Accountability: HIPS meets the accountability goal if a physician who discloses the patient's PHI or the SHI for other than legitimate reasons is traceable and held responsible, in the case of emergency and of information sharing, respectively. We implicitly assume that when the patient is physically competent to retrieve the PHI (i.e., not in an emergency), he/she will know the source of the PHI leakage by recalling which physician(s) recently treated him/her.

5. Minimum-Privilege Delegation: Our system achieves minimum-privilege delegation if the delegator is able to specify which data portions of the SHI can be accessed by the delegatee, even if these data portions belong to the same document as portions that cannot be accessed by the delegatee.

6. Adaptability: Our system meets the adaptability goal if a change in the status or availability of a delegatee does not require the intervention of the delegator to restart the information sharing procedure, nor cause the interruption of the procedure in any way. In other words, such changes should be transparent to the delegator.

7. Dynamic Revocation: We say that our system guarantees dynamic revocation if the system provides a mechanism for the delegator to revoke delegated rights at any time.

8. Availability: The availability requirement states that the authorized physician must be able to obtain PHI and SHI stored anywhere in the health-care architecture.

9. Authenticity: Authenticity indicates that any entities involved in HIPS communications must be able to successfully authenticate or verify the identity of each other, even if such authentication is cross-domain.

10. Confidentiality: Confidentiality requires that the contents of PHI and SHI are not learned by any passive eavesdroppers or active attackers, which fundamentally guarantees the patient privacy specified in the privacy requirement. Furthermore, message exchanges involving secret information are subject to the confidentiality requirement as well.

11. Data Integrity: HIPS guarantees that the stored PHI or SHI is not modified except by authorized physicians upon patients' consent or requests. Additionally, protocol messages exchanged between communicating parties are not to be modified by any malicious parties.

27.4.3. System Architecture

Consider the application scenario in our HIPS system shown in Figure 27-1, where all links are bidirectional and the bracketed numbers indicate major events or exchanged messages. In general, the physician has only physical contact with the entities in a patient local area network (LAN), denoted by a double solid line from the physician, Dr. White in Figure 27-1, to a patient LAN. Specifically, the physician orally communicates with the patient and the family, in common-case treatment and in emergencies, respectively. Contact with P-device, on the other hand, is through the physician physically operating P-device, in emergencies only. Similarly, S-server interacts with all entities in the patient LAN mainly via wireless links for PHI storage and retrieval. Note that PHI storage is carried out only between S-server and the patient using the patient's home PC. PHI retrieval can be performed by the family and P-device in emergencies and by the patient in common-case treatment using a cell phone. The internal links of the hospital/clinic network and the patient LAN are often high-speed wired links.
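To make the minimum-privilege delegation, dynamic revocation and accountability requirements above concrete, here is an added example (not code from the chapter or the HIPS authors) of a small S-server-side policy model in Python; the `ShiStore` and `Delegation` classes and their method names are assumptions made for this illustration. A delegation names exactly which portions of one SHI document the delegatee may read, a revocation takes effect on the next read attempt, and every read attempt is logged so a disclosure is traceable.

```python
from dataclasses import dataclass

@dataclass
class Delegation:
    delegator: str
    delegatee: str
    doc_id: str
    portions: frozenset
    revoked: bool = False

class ShiStore:
    """Assumed S-server-side store: SHI documents, delegations, audit log."""
    def __init__(self):
        self.docs = {}          # doc_id -> {portion_name: content}
        self.owner = {}         # doc_id -> patient who owns it (the delegator)
        self.delegations = []   # all grants; revoked ones kept for the audit trail
        self.audit = []         # (who, doc_id, portion, outcome): accountability

    def store(self, patient, doc_id, portions):
        self.docs[doc_id] = dict(portions)
        self.owner[doc_id] = patient

    def delegate(self, delegator, delegatee, doc_id, portions):
        # Minimum privilege: the owner names the exact portions, nothing more.
        if self.owner.get(doc_id) != delegator:
            raise PermissionError("only the document owner may delegate")
        unknown = set(portions) - set(self.docs[doc_id])
        if unknown:
            raise ValueError("unknown portions: %s" % sorted(unknown))
        d = Delegation(delegator, delegatee, doc_id, frozenset(portions))
        self.delegations.append(d)
        return d

    def revoke(self, delegator, delegatee, doc_id):
        # Dynamic revocation: takes effect on the very next read attempt.
        for d in self.delegations:
            if (d.delegator, d.delegatee, d.doc_id) == (delegator, delegatee, doc_id):
                d.revoked = True

    def _allowed(self, who, doc_id, portion):
        if self.owner.get(doc_id) == who:
            return True
        return any(d.delegatee == who and d.doc_id == doc_id and not d.revoked
                   and portion in d.portions for d in self.delegations)

    def read(self, who, doc_id, portion):
        # Every attempt, granted or denied, is recorded so disclosure is traceable.
        ok = self._allowed(who, doc_id, portion)
        self.audit.append((who, doc_id, portion, "granted" if ok else "denied"))
        return self.docs[doc_id][portion] if ok else None
```

The portion names and contents in any call are constructed sample data; a real deployment would back the same policy with per-portion keys rather than a plaintext dictionary.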
The patient interacts with the family and P-device to assign privilege (i.e., secret keys)