DOI: 10.1055/s-0038-1634371
Developing a Public Key Infrastructure for a Secure Regional e-Health Environment
Publication History
Publication Date: 07 February 2018 (online)
Summary
Objectives: Internet technologies provide an attractive infrastructure for efficient and low-cost communications in regional health information networks. The advantages provided by the Internet come, however, with a significantly greater element of risk to the confidentiality and integrity of information. This is because the Internet has been designed primarily to optimize information sharing and interoperability, not security. The main objective of this paper is to propose the use of public-key cryptography techniques to provide adequate security for healthcare Internet applications.
Methods: Public-key cryptography techniques can provide the needed security infrastructure in regional health networks. In the regional healthcare security framework presented in this paper, we propose the use of state-of-the-art Public Key Infrastructure (PKI) technology. Such an e-Health PKI consists of regional certification authorities that are implemented within the central hospitals of each region and provide their services to the rest of the healthcare establishments of the same region.
Results: Significant experience in this area has been gained from the implementation of the PKI@AUTH project.
Conclusions: The developed PKI infrastructure already successfully provides its security services to the AHEPA university hospital. The same infrastructure is designed to easily support a number of hospitals participating in a regional health information network.