About the Authors

Dalimar Velez is at the Department of Electrical and Computer Engineering, Michigan State University, East Lansing, MI. E-mail: velezdal@msu.edu

Michael Shanblatt is at the Department of Electrical and Computer Engineering, Michigan State University, East Lansing, MI. E-mail: mas@msu.edu

Recent developments in the field of telemedicine have created new capabilities in emerging mHealth technologies. These advances can be seen in telecommunications technologies, point of care testing (POCT) devices, and the implementation of electronic health records (eHR). The security and privacy of the patient could, however, be compromised if these technologies do not work in harmony at all the stages of the system. It is therefore crucial for new mHealth designs to include appropriate security mechanisms to secure patient electronic protected health information (ePHI) and, at the same time, comply with governmental regulations and guidelines such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the National Institute of Standards and Technology (NIST).

The work described in this paper focuses on protecting all ePHI stored in and transmitted via smartphones. This includes a cryptographic scheme required to address the problem. A smartphone with an Android operating system (OS) is assumed as the POCT platform to implement and test the system. The work takes into account cryptographic attacks such as eavesdropping, interception, data loss, or alteration. The core of the cryptographic scheme implements password-based encryption (PBE)¹ that uses the symmetric advanced encryption standard (AES)² with a cipher block chaining (CBC)³ mode. This is similar to the cryptographic configuration used on sensitive data transactions and data storage in banking and government operations. The salient difference is that the encryption/decryption blocks presented in this work use a key management design that isolates different parts of ePHI with separate derived key material. The main contributions of this design include a framework for protecting ePHI in the context of mHealth technologies that communicate with a remote health provider and the algorithms for security key generation and management.
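An added example of the password-based AES-CBC encryption with per-section key isolation described above; it is not the authors' application code. The PBKDF2-HMAC-SHA256 derivation, the 16-byte salt, the record layout and the class name SectionPbe are assumptions, while the 256-bit key and the iteration count of 500 are the values given in the page's timing table.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class SectionPbe {
    static final int ITERATIONS = 500; // iteration count from the page's timing table
    static final int KEY_BITS = 256;   // key strength from the page's timing table
    static final SecureRandom RNG = new SecureRandom();
    // Assumption: PBKDF2-HMAC-SHA256. A fresh salt per record gives each ePHI section its own key.
    static SecretKeySpec deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(raw, "AES");
    }

    // Assumed record layout: salt (16 bytes) || IV (16 bytes) || AES-CBC ciphertext.
    static byte[] encrypt(char[] password, byte[] plain) throws Exception {
        byte[] salt = new byte[16], iv = new byte[16];
        RNG.nextBytes(salt);
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(password, salt), new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plain);
        byte[] rec = Arrays.copyOf(salt, 32 + ct.length);
        System.arraycopy(iv, 0, rec, 16, 16);
        System.arraycopy(ct, 0, rec, 32, ct.length);
        return rec;
    }

    static byte[] decrypt(char[] password, byte[] rec) throws Exception {
        byte[] salt = Arrays.copyOfRange(rec, 0, 16);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(password, salt), new IvParameterSpec(rec, 16, 16));
        return c.doFinal(rec, 32, rec.length - 32);
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "constructed-passphrase".toCharArray(); // constructed sample input
        for (String section : new String[] {"patient-id: 0001", "glucose: 98 mg/dL"}) {
            byte[] rec = encrypt(pw, section.getBytes(StandardCharsets.UTF_8));
            System.out.println(new String(decrypt(pw, rec), StandardCharsets.UTF_8));
        }
    }
}
```

CBC provides confidentiality only, so a stored record that must also resist alteration needs an HMAC over the whole record or an AEAD mode in addition. The derivation cost grows linearly with ITERATIONS, which is the setting that slows password guessing.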
Cryptosystem
A typical event in a mobile healthcare scenario (Figure 1⁴) requires the patient to use a smartphone to connect to one or more sensors, take a measurement, and then transfer the data to a remote server. In this

Figure 1. Mobile Healthcare Scenario Overview⁴
Information access management, 164.308(a)(4): Access is granted depending on the user policy such as a registered patient or healthcare provider.
Access Authorization (A): AC-3, AC-4
Access Establishment and Modification (A): AC-3
D. Secure Transmission to Health Provider
The data exchanged between the smartphone and the remote health provider must remain private and confidential. Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocols were used to protect against eavesdropping, interception, and alteration. In this protocol, the client (smartphone) and the server (health provider) agree on the most secure cipher suite supported on both ends during the initial handshake stage. Special attention should be given to enforce the use of a strong cipher such as AES128/192/256, as a weaker cipher could compromise ePHI. In this particular case the encryption algorithm enforced is AES256. As a result, all ePHI data sent to a remote health provider is doubly encrypted because the locally stored ePHI is first encrypted on the smartphone and then encrypted a second time when transmitted over the SSL channel.

Compliance with Standards And Regulations
An Android application was developed to implement the cryptographic scheme presented in this work along with other policies and strategies.⁹ This implementation is the result of a risk analysis for the access, storage, and transmission of ePHI from the smartphone application. The risk analysis includes the evaluation of threats and vulnerabilities. The regulations reviewed include the HIPAA law, the Recommended Security Controls for Federal Information Systems and Organization (NIST SP800-53),¹⁰ and the Guidelines for Managing and Securing Mobile Devices in the Enterprise (NIST
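For the cipher-suite enforcement described under "D. Secure Transmission to Health Provider", an added example (not the authors' application code) of a JSSE client that offers only AES-256 suites and rejects any other negotiated suite. The class name Aes256OnlyClient and the choice to filter suites by name are assumptions; host and port come from the command line.

```java
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

public class Aes256OnlyClient {
    // Keep only suites whose JSSE name carries AES_256, for instance
    // TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 or TLS_AES_256_GCM_SHA384.
    static String[] aes256Only(String[] suites) {
        List<String> keep = new ArrayList<>();
        for (String s : suites) {
            if (s.contains("_AES_256_") && !s.contains("_anon_")) {
                keep.add(s);
            }
        }
        return keep.toArray(new String[0]);
    }

    static SSLSocket connect(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket sock = (SSLSocket) factory.createSocket(host, port);
        try {
            String[] allowed = aes256Only(sock.getEnabledCipherSuites());
            if (allowed.length == 0) throw new IOException("no AES-256 suite available");
            SSLParameters p = sock.getSSLParameters();
            p.setCipherSuites(allowed);                    // offer nothing weaker in the handshake
            p.setEndpointIdentificationAlgorithm("HTTPS"); // check host name against the certificate
            sock.setSSLParameters(p);
            sock.startHandshake();
            String negotiated = sock.getSession().getCipherSuite();
            if (!negotiated.contains("_AES_256_")) throw new IOException("unexpected suite " + negotiated);
            return sock;
        } catch (IOException e) {
            sock.close(); // fail closed: no ePHI is sent on a rejected channel
            throw e;
        }
    }

    public static void main(String[] args) throws IOException {
        try (SSLSocket s = connect(args[0], Integer.parseInt(args[1]))) {
            System.out.println(s.getSession().getCipherSuite());
        }
    }
}
```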
the size of the data encrypted. The key length of 256 bit was preselected to apply the highest security strength possible. The test application measures the average time taken by the key generation and the encryption/decryption processes. In addition, this application takes into account the different

Phone | Key generation + Encryption (ms) | Key generation + Decryption (ms)
Motorola Photon 4G | 143.69 | 148.87
Motorola Atrix | 142.66 | 154.30
HTC EVO 4G LTE | 92.36 | 111.50
Table 4. Cryptosystem Time Response (256 Bits Strength and Iteration Count of 500)
Figure 7. Decryption Time for Different APDU With Iteration Count of 500 for Tested Smartphones

Conclusion
The cryptographic scheme presented in this work protects all ePHI in the mHealth scenario, both stored and transmitted. The ePHI data is secured at several levels with different keys, making it as difficult as possible for an attacker to gain access to any usable data. In addition, given that the data is transmitted to a remote health center over a secure channel, the data is doubly encrypted
8. Chen L. Recommendation for Key Derivation Using Pseudorandom Functions. National Institute of Standards and Technology (NIST), 2009; SP 800-108.
9. Velez D, Shanblatt M. A Risk Analysis Approach for HIPAA Compliance in Mobile Healthcare Systems [ePoster Abstract]. 17th Annual International Meeting and Exposition of the American Telemedicine Association, Telemedicine and e-Health. 2012; 18: A134; San Jose, CA: American Telemedicine Association; 2012.
12. Bogia DP. Supporting Personal Health Devices through Standardization and Collaboration. e-Health Networking Applications and Services (Healthcom), 13th IEEE International Conference. June 13-15, 2011; Columbia, MO: IEEE; 2011.
2013