TTPs and biometrics for securing the payment of telemedical services

TTPs and biometrics for securing the payment of telemedical services

Future Generation Computer Systems 15 (1999) 265–276 TTPs and biometrics for securing the payment of telemedical services Despina Polemi ∗ Institute ...

70KB Sizes 0 Downloads 57 Views

Future Generation Computer Systems 15 (1999) 265–276

TTPs and biometrics for securing the payment of telemedical services Despina Polemi ∗ Institute of Communications and Computer Systems, National Technical University of Athens, Heroon Polytechniou 9, Zografou, Athens, Greece

Abstract The use of biometric smart cards may provide strong coordinated authentication across multi-vendor telemedical applications, health care enterprises and payers. The establishment of trusted third party services (TTPs) for securing the commerce component of health care in a web-based telemedical information society is necessary for the operation of certificate-based c 1999 Elsevier Science B.V. All rights reserved. payment systems such as SET. Keywords: TTPs; Telemedicine; EUROMED

1. Introduction As the internet grows and the development of telemedical applications accelerates so rapidly the lack of coordinated authentication mechanisms across health care enterprises and operating platforms as well as the lack of payment for telemedical services are considered to be the major barriers in telemedicine’s rapid deployment. Within the health care enterprise, there is a need for a user to be identified and authenticated to multiple health care applications. For example a physician must be authenticated to the laboratory, pharmacy and radiology information systems from various hospitals, since information from these systems is required to accomplish the business process of delivering care to the patient (obtain patient’s medical history, order a laboratory test, get results of ESGs, order medication from pharmacy, etc.). The involved health care operating systems do not use strong enough authentication and access con∗

Tel.: +30-1-772-2466; [email protected]

Fax:

+30-1-772-3577;

e-mail:

trol mechanisms to safeguard sensitive information; they rely on insecure tokens such as passwords and PINS making the systems vulnerable to penetration. Stronger security techniques must be employed for identification and authentication. 1 The current state of reality finds the identification and authentication of health care participants not to be coordinated across health care enterprises. A wide identification/authentication service is required that provides authentication across multi-vendor health care applications, health care enterprises and operating platforms based on secure tokens. Biometric smart cards as identification and authentication means to health care participants provides an answer to this need. Another barrier to telemedicine’s deployment is the lack of innovative billing procedures for telemedical services. A hospital (or health care provider) daily sends claims to payers (insurance providers/patients) which must return payment after receipt and process1 Identification is the process whereby an identity is assigned to a specific individual, e.g. a name; and authentication is the process designed to verify a user’s identity.

c 0167-739X/99/$ – see front matter 1999 Elsevier Science B.V. All rights reserved. PII: S 0 1 6 7 - 7 3 9 X ( 9 8 ) 0 0 0 6 9 - 7

266

D. Polemi / Future Generation Computer Systems 15 (1999) 265–276

ing of the claim transactions. Information systems must support securely this commerce component of health care. If a claim is modified during transmission, the hospital (or provider) may loose a lot of money and especially if such activities occur in large institutions that send many claims. The payment of the claims should be secured employing efficient electronic payment procedures. Certificate-based payment systems (e.g. secure electronic transaction–SET) have been tested successfully in various electronic commerce EC projects and are proven suitable for web applications. For the successful operation of such systems a public key infrastructure (PKI) based on the establishment of trusted third party services (TTPs) is necessary. TTPs guarantee all four components of security (confidentiality, authenticity, integrity, and availability) and provide appropriate countermeasures for the secure billing and payment processes. In this paper the above mentioned issues are explored as follows: In Section 2, a review on existing projects on telemedicine, TTPs and biometric technologies is presented. In Sections 3 and 4, technical and organizational aspects regarding the establishment of TTPs are described. Sections 5–7 deal with various issues on biometric smart cards such as technical, legal and standards. In Sections 8 and 9 the billing process of telemedical services is presented. Finally, in Section 10 conclusions are drawn.

2. State of the art European projects provide standards, define objectives and measures, and develop utilities, facilities and services in modern health care system architectures. They develop new solutions such as TTPs for trusted communications and secure authentication services in the medical sector. They evaluate defined features in the context of specific applications in realistic health care environments. 2.1. Projects in telemedicine EUROMED is a three year European Commission DGIII/B project [29,36,58] which began in January 1996. EUROMED aims to create the foundation of a telemedical information society. Patient’s health

record will be distributed in medical cyberspace where doctors can click on patient’s home pages. EUROMED is based on WWW to establish communication between the participating sites. Its network consists of a number of internet sites that stores medical data about a number of patients as well as image processing and archive applications. EUROMED so far has standardized the use of the WWW for telemedical applications. It has introduced HTML, VRML, Javascript and Java as the standard on which different sites can communicate and interact in order to materialize the concept of telemedicine, remote diagnosis and the building of a virtual environment in which physicians interact with each other and with the patient’s data. EUROMED-ETS was a one year INFOSEC project [27,35,52] ended in 1998 which compliments EUROMED by concentrating on, and tackling, several issues of security in a telemedical information society supporting regional development. In EUROMEDETS we concentrated on the establishment of TTPs for ensuring that all health actors in EUROMED can communicate in a secure way over the WWW. TTPs secure the highly sensitive medical information exchange. In this project all aspects (operational, technical, functional, organizational, regulatory, and legal) of TTPs have been exploited for telemedical applications over the WWW. SSL was adopted as the security solution after considering EUROMED’s needs. The project THIS [56] offers technical security solutions for telematics systems and identifies the following important applications: – Secure user identification with authentication based on cryptographic smart cards. – Digital signatures to communicate legally binding electronic documents. – Establish confidentiality of the transferred information. – Establish TTPs. The projects Trust Health, Trust Health II use modern security techniques for establishing trustworthy telematics systems. Development, realization, evaluation of trusted communication by secure authentication and TTPs and the establishment of a network of TTPs were the important aspects of this project. SEISMED assesses the risks and formulates general guidelines for security of medical systems. The project ISHTAR provides guidelines for defining general objectives and conditions as well as the manage-

D. Polemi / Future Generation Computer Systems 15 (1999) 265–276

ment of processes and measures. HANSA provides security utilities, facilities and services in modern healthcare information system architectures. The project DIABCARD deals with specific applications in realistic healthcare environments. SIREN focuses on the security services for health care in Europe especially concentrating on digital signatures. EUROCARDS studies how to use patients data cards and health care professional cards. MEDSEC considers the standardization aspects of securing telemedicine.

2.2. Biometric projects – TASS [59,30,67] is a project from the Spanish National Social Security Identification Card using fingerprint technology installed in a smart card in order to verify social benefits recipients. – Caller verification in banking and telecommunications (CAVE) is an on-going project partially funded by the European Commission which will be completed in June 1997. Its goal is to use speaker verification techniques in telephone banking, home shopping and information services. – BIOTEST project is an important 27-month ongoing ESPRIT project started in 1996 which is very promising since its primary objective is to form independent testing methods so that manufacturers will be able to evaluate their products by the project’s developed standards, measures, and criteria. Customers will be able to compare the various biometric techniques and products for their specific applications. One of the most important objectives of this product is the establishment of independent testing centers. – CASCADE (chip architecture for smart cards) is an ESPRIT project funded through OMI (open microsystems initiative). Its main objective is to build a new generation of chips for portable electronic devices. CASCADE has produced a forecast of the potential market for smart cards holding biometric templates. In particular a smart card with a 32 bit microcomputer system was built which is suitable for voice, signature or fingerprint biometrics. – US biometric projects (e.g. PALMPRINT, FAST, INSPASS, CANPASS) search for experience in applying biometric technologies in real environments [11].

267

3. Payment systems Most existing work on electronic commerce concentrates on developing on-line payment systems (e.g. NetCash, Digicash, SEPP, TeleSec, STT, Millicent, PayWorld, MicroMint). There are four streams of payment systems–third party systems, certificate-based systems, net money systems and smart cards. Third party payment systems (e.g. VPS, First Virtual, Open Market, Netbanx, Virtula Payment Systems, Paylink) operate as agents between the merchant and consumer. They check the consumer’s credit card, approve (or reject) a transaction and then release the funds to the merchant. Certificate-based payment systems (e.g. Trintec, Cybertrust, Terisa, VeriFone) involve the consumer downloading a digital certificate, which then represents his/her credit card. These certificates (issued by trusted certificate bodies) are stored in a form of cyber wallet to be activated when the consumer wishes to make a purchase. SETs (secure electronic transactions) is the most prominent example of these systems [8]. The third stream is net money systems (e.g. Emoney, DigiCash, Data cash, Cybercash) which require the consumer to change his money into some form of cyber currency. Smart card-based payment systems (e.g. Mondex) are based on loading a smart card with funds from a specially adapted ATM machine. A smart card reader attached to a computer is used to debit cash from the card when on-line purchase is made. Other standardization initiatives for supporting electronic commerce where different consortia of companies and organizations agree on a common technology are [7,9]: OBI–open buying on the internet–is a specification initiative of American Express and Microsoft emerging from the Internet Purchasing Roundtable. It contains a role-based architecture. It refers to established standard technology like X.509, SSL, HTTP, and EDI. OTP–open trading protocol–is a specification of AT&T, Hewlett-Packard, Mondex, and other partners in order to unify all forms of trade independent of different payment methods (like Mondex or SET) under a standardized application user interface. It contains a role-based architecture and standardizes functions and data formats for the negotiation of a payment method.

268

D. Polemi / Future Generation Computer Systems 15 (1999) 265–276

JEPI–joint electronic payment initiative–has been announced by the World Wide Web Consortium (W3C) and CommerceNet. JEPI provides a universal payment platform to allow merchants and consumers to transact business over the internet using different forms of payment. The roster of companies involved in its development includes Microsoft, IBM, Open Market, GC Tech, CyberCash, Xerox, British Telecom and Digital Equipment. JEPI allows clients and servers to negotiate payment instruments, protocol and transport between one another. JEPI consists of two parts: an extension layer that rides on HTTP, submitted to the Internet Engineering Task Force standards body earlier this summer; and a negotiations protocol that identifies appropriate payment methodology. The protocols make payment negotiations automatic for end users, happening at the moment of purchase based on configurations within the browser. IBM CommercePoint is an initiative of IBM in order to “give the complete end-to-end solution” including the latest technology and open standards such as JavaTM, advanced catalog tools, dynamic pages and more”.

4. Trusted third party services Trusted third party services (TTPs) can play a fundamental role in the security, exploitation and promotion of telemedicine. By a TTP we mean an independent trusted body which does not have interests in the information content. The objective of a TTP is to achieve the necessary level of assurance that the applied security functions meet the security objectives of the system. Access control, security logging, integrity, confidentiality, non-repudiation, identification and authentication are the security principles, which are offered by the TTPs [1,4,10]. Most TTP services are based on well-established, standard cryptographic protocols (e.g., SSL, which is based on cryptographic protocols for key exchange, session key sharing and signature verification). There is still a multitude of subordinate algorithms used for bulk data encryption (e.g. DES, 3DES, RC4, etc.) and secure hashing/message authentication (e.g. MD5, SHA-1), which should be supported by all tools in order to establish secure connections [15,16]. More-

over, the exact implementation of each supported algorithm may allow only subsets of the applicable key domains (e.g. limited key lengths) to be used. The equipment and software tools that are currently used in the PKI are of major importance. They influence factors such as compatibility, scalability, interoperability, user-friendliness and compliance of the overall infrastructure to legal directives. Fortunately, recent development of standards and tools, as well as extensive interoperability verification has made possible the use of a variety of hardware environments and software tools. Several design decisions on the capabilities of the tools as well as several policy decisions concerning the content of the data within the PKI are influenced by legislation, such as the Privacy Act and the Database directive. Typical components of a PKI infrastrucure based on TTPs may be. Browser software from Netscape, Microsoft and Opera, server software which supports standard SSL, and S/MIME compatible e-mail software, like Baltimore Mail Secure, Microsoft Outlook and Outlook Express, Netscape Communicator, Opensoft Express Mail, SSE Trusted MIME, World Talk (latest versions). The directory service may be based on LDAP; however, the displaying of the certificate may be optional. Registration services can be offered using an infrastructure based on Windows 95, Windows NT, and different server products. S/MIME-based applications may be implemented locally. TTP technology is a mature security solution, emerging biometrics in this solution will enhance its security and it will enable it to be adopted in telemedicine. The impact of TTPs in biometrics has been noticed in [28]. These two technologies can collaborate in different ways: – Existing certification authority software may be combined with biometric hardware and software technologies in order to be used by a TTP to authenticate internet authentication, financial transactions or any other transaction requiring high security provisions. This will bring confidence to the users for doing their business transactions over the internet. – When the templates are stored in smart cards then a TTP can be responsible for issuing such cards ensuring that the biometric template remains secret inside the card.

D. Polemi / Future Generation Computer Systems 15 (1999) 265–276

4.1. Protocols WWW transactions can be secured at three different levels: above HTTP, at the HTTP level, or below HTTP. Securing transactions above HTTP (CCI-PGP) involves the usage of HTTP as a transport mechanism for transferring data that will be decoded by external applications. At the HTTP level, the protocol can be enhanced to deal with encryption and authentication either in an ad hoc way (SHTTP), or by adding security (SEA) to the protocol using an extension protocol (PEP). Below HTTP a number of protocols (SSL, TLS, PCT, GSS-API, DCE Web, IPSEC) can be used to establish a secure and authenticated session on top of which the transactions can take place [17]. The secure session layer (SSL) is the protocol that enables the proper operation of TTPs, it supports major TTP functions (e.g. certificate validation) and services (e.g. authentication). SSL is embedded in the web tools used and it operates upon the TCP layer of the TCP/IP protocol suite. 4.2. Services and functions The services provided by TTPs can be categorized as follows: (a) basic services which are directly related to the secure communication between two users and these include: confidentiality, integrity, access control, security logging, identification and authentication; (b) infrastructural services which are offered in large scale communication and they include: registration, certificate handling, directory and key management, naming a few; (c) value added services which are provided with appropriate agreements, policies and regulations and they include: professional registration and time stamping [19,34]. The TTP functions for supporting the certification process include: key generation initialization and distribution; electronic registration; uniqueness, namely, certificate generation distribution storage validation retrieval. Secure medium for personal certificates and private keys should be used by the web applications. The user’s private key should be protected by a biometric smart card. When designing the access rights to data, much attention should be given to special laws governing the privacy of sensitive personal information. The scheme adopted by any web application should be adaptable to a wide range of access policies.

269

Access to personal data in any web application is limited to certain users at the client site who is equipped with a secure token (e.g. biometric smart card) holding his/her private key and personal certificate(s). An appropriate Certificate Authority (CA) must have issued these certificates. Secret keys of the users as well as the secret key of a CA have to be stored in a very secure manner. A biometric smart card for storing secret keys as well as other user-related secret information is an ideal storage place. Common TTP functions that can be applied in telemedicine applications are: – Key generation and initialization. Keys are generated by the users or by the TTPs. A cryptographically secure random algorithm is used in all cases to seed the key generation procedure. – Electronic registration. All data that are needed for certification and registration can be sent electronically. Given that the real identity of a requester is proven correct, the following procedure is followed: The user sends his/her public key component, along with naming and contact information to the TTP, using e-mail. The TTP receives the PKCS request and validates it. The TTP generates the certificate and makes it publicly available through a Certificate Management server. The user retrieves and verifies the signed certificate through an encrypted SSL communication. Once the user has verified the certificate, it is uploaded on the directory for public access and distribution. If the verification has failed, the procedure is started over. – Authentication. Authentication is a function implemented by the end-entities, based on publicly available certification information. – Key distribution. If the keys are generated by the end-user then they do not have to be distributed, if the keys are generated by the TTP, the procedures and protection measures mentioned in the previous paragraph are followed. – Key uniqueness and personalization. RSA keys are guaranteed by construction to be unique pairs (i.e., no two private keys may correspond to the same public key). – Key repository. The private component of every key pair is stored with the responsibility of the user or

270

– – –

– – –





D. Polemi / Future Generation Computer Systems 15 (1999) 265–276

operator who generated that key. Thus, most users are responsible for their own private key. For public keys, there are two types of repositories: a per-TTP local repository and the global directory. Each TTP stores the certificates (containing public keys) in a local database, appropriately protected. The certificates can be uploaded to the directory on TTP operator action. Uploading a certificate to the directory makes this certificate public. Naming The X.500 directory scheme is followed for naming purposes. Certificate structures. The X.509v3 structure is used. Certificate generation. Certificates are generated by TTPs with the help of a Certificate Management software system (CMS). Certificates are generated according to the procedures mentioned in electronic registration above. Certificates are signed using the private CA key (1024 bits see below). Certificate distribution, storage and retrieval. These functions are accomplished via the directory. Auditing. All TTP operations are audible. Certificate directory management. Directory services are offered by TTPs according to the CCITT X500-X521 recommendations. The overall directory set-up for telemedicine applications depends heavily on organizational and privacy factors specified by the involved participants. CRL structures, CRL generation and maintenance, CRL distribution storage and retrieval. Each CA maintains a list of certificates that have been revoked. This revocation list is publicly available through the directory. An entity that needs to verify a certificate, must also obtain the current version of the CRL and test whether the certificate exists in the list. Integrity of the root public and private keys. SSL is used to guarantee the integrity of communication when entities look up the root public key. The root private key is stored in a human-unreadable file and cannot be exported or duplicated by non-trusted users.

4.3. Organizing CAs A major step towards organizing a TTP infrastructure is the organization of certification authorities (CAs). This aims at providing interoperability, as well

as establishing chains of trust between communicating parties in different domains. There are two generic architectures to deal with this issue; the decentralized (flat scheme) and the centralized (hierarchical certification scheme) one [70,71]. The decentralized organization is the one where CA infrastructures in different domains are not in a common hierarchical tree structure. Such a decentralized infrastructure is characterized by independent hierarchies of CAs with no common top level CA. The various structures in each domain can vary from a single CA to a multi-level hierarchy of CAs. Regarded as a national CA infrastructure any CA may in principle have trust relationships with CAs in other national contexts, either by direct subordination or by crosscertification. The advantage of a decentralized CA structure is that it gives flexibility in relation to various user needs and policies in various domains. This scheme is obviously difficult to manage, unless only few CAs are authorized. Huge human resources are then needed, and the probability of a mistake rises accordingly. Imagine the case one urgently needs information from a server “forgotten” to be configured to a CA. The centralized structure is characterized by a single hierarchy of CAs in a multi-level tree structure with one single national CA on the top. A centralized tree structure may consist of at least one CA, hence a CA monopoly. Typically, the users will have their public keys certified at a low level by a local CA. The basic advantage of such an infrastructure is that it is open and all users may directly verify all other users’ public keys. The main disadvantage is that the structure is presumably hard to establish. This scheme is more manageable. Management though is not the only relevant issue. Trusting a CA implies trusting numerous unknown CAs of superior level in the tree. Moreover a “root” CA can be held responsible for all the actions of its subordinate CA. Some countries prohibit by law hierarchical certification therefore such a regulation needs to be considered before a final implementation.

5. Biometric smart cards The use of biometric smart cards for securing telemedical applications where the uniqueness of the

D. Polemi / Future Generation Computer Systems 15 (1999) 265–276

health care participant arises from his personal characteristics and not on passwords, which can be stolen or numbers which can be forgotten, allow privacy and freedom while bringing confidence and trust [2,26]. Smart cards are plastic cards with embedded computer chips (memory only chips, logic-memory chips, microprocessors). These cards have their own operating system, programs and data. A traditional way to improve the smart card security consists of embedding more and more memory inside the component (to handle long size secrets) or adding to the 8 bit microprocessor of the card some powerful devices dedicated to cryptography. But is cryptography the only way to make a card inviolable? What happens if its genuine owner does not use the card? Today a simple PIN code verification is required to access the mine of secrets guarded inside the small piece of silicon [37]. This weakness in the security scheme of the application cannot be solved with cryptography. New verification techniques, such as biometric techniques, must be envisaged. These techniques require hard computation. The type of recognition algorithms is quite complex and completely different from those used for cryptography. So, on the one hand, an 8 bit microprocessor is not powerful enough to carry out the verification within reasonable time. On the other hand, cryptographic co-processors are unable to make it faster [18]. The silicon market for smart card is evolving in such a way that many promising applications will come up against impassable barriers. Microprocessors for Personal Computers started with 8 bit CISC architectures about 15 years ago. They have since progressed to 16 bit and to 32 bit engines and are now moving towards 64 bit architectures. In spite of the huge market, there has been no comparable evolution of the microprocessors used in smart cards. Existing smart cards use the same 8 bit (8051 or 6805 type) micro-controller cores as in the early beginnings, i.e. 15-year old chip designs. Most of today’s security mechanisms in smart card applications are based on symmetric functions using shared secrets. This makes trans-national applications and multi-application systems very difficult to implement, because of the reluctance of application providers to share secrets with potential competitors. Switching to asymmetric functions not requiring the sharing of secrets is therefore essential to be able to

271

implement “open” cryptographic applications. Being able to do this, while matching the speed requirements of acceptable man machine interfaces (MMIs) requires better software implementations of these functions to be carried out on faster processors. Adding security in the form of co-processing units that can be attached as peripherals or mounted inside the kernel of the portable computers is the common solution to reach that goal. But this solution is far from satisfactory because of its strong dependence on the hardware which make it too rigid. A 32 bit RISC smart card processor will be able to handle such calculations much more efficiently while retaining the flexibility of a general-purpose engine. For privacy and security reasons, the biometric recognition must be handled locally by the smart card. The template (recorded biometric measurement of a user) is one of the secrets to be held permanently in the memory of the card [13,21]. Implementing biometric verification inside a smart card is notoriously difficult since templates tend to use a large part of the card memory while biometric verification algorithms are beyond the processing capabilities of standard processors. Generic smart cards are smart cards that look like PCs. They do not have any application-oriented functions in their basic functionality. Consequently, the smart card program is a real operating system the role of which is to manage the smart card hardware resources for smart card applications. Applications are not pre-defined; they can be dynamically downloaded. The smart card operating system allocates memory for storing application data and activates application functions on reception of commands. For security reasons inherent to smart card micro-controllers (embedded chip containing a microprocessor and memories), application functions are run on top of a virtual machine by a secure interpreter rather than directly in native language [39]. An important drawback of virtual machines is of course the reduced execution speed. This is easily overcome by a powerful processor such as the ARM, since code interpreted by this engine will be faster than native code executed by today’s 8 bit processors. A 32 bit RISC smart card processor will allow smaller, more secure and more portable application code to be written.

272

D. Polemi / Future Generation Computer Systems 15 (1999) 265–276

The most advantageous cards are the ones, which are equipped with a microprocessor since they can store the biometric template and perform the verification process. In the CASCADE [41] project a smart card with a 32 bit microcomputer system was built which is suitable for voice, signature or fingerprint biometrics. Biometric methods used in the proof by property approach are the most advantageous means of authentication since it cannot be stolen or transferred to other people. One disadvantage is that a biometric PIN cannot be changed. CASCADE (chip architecture for smart cards) [41,24] is an ESPRIT project funded through OMI (open microsystems initiative). Its main objective is to build a new generation of chips for portable electronic devices. Applications are: GSM phone systems, multi-service cards, electronic purse, personal digital assistants PCMCIA cards, health care, pay TV and video information services, multi-media information services, intelligent agent services, transport control systems, secure access systems, passport cards. CASCADE has produced a forecast of the potential market for smart cards holding biometric templates. In the EC project Trust Health II biometric smart cards will be used in a pilot operation for securing telemedical applications.

6. Legal issues The European Union seeks clarification of various issues arising in biometrics requesting legislation considerations [3]. These issues include: ownership of template, security in data template, privacy, certification of safe verification products, certification and standards appropriate for each application. Definition of rights and responsibilities. The legality of European arrangements for biometric technologies should be in accordance with the Convention on Human Rights in which balance is achieved between the privacy of the individual citizen and the national security needs. The operation and licensing of biometric technologies will depend on how they meet the requirements of the convention. Council of Europe Convention 108 defines personal data as “any information relating to an identified or identifiable individual”. According to this definition then the templates are personal data. Convention 108

establishes quality requirements for automating processing of personal data (Art 15) and requirements for handling trans border data flows (Art 12). The impact of these issues on biometrics should be examined considering the EU Data Protection Directive. The Directive sets out several rules governing the lawfulness of processing personal data, e.g., there is an obligation to collect data only for specified, explicit and legitimate purposes, the data must be used for the purpose it was given and it cannot be passed on to third parties without the consent of the data subject. This is most important for the biometrics industries in the process used to collect the templates, and in the role that TTPs can play. The Directive also states that measures must be taken to secure access to the data. This directly affects crossover biometric applications where a template is collected and used to secure other purposes. As EU member states are required to conform to privacy protection, the issue of securing computer systems becomes more important than ever. Biometric technologically provides the answers for securing the identification and validation process and they are in perfect position to act as the custodian of privacy rights. Biometric templates are also regarded as medical data falling into Recommendation R (97) on the Protection of Medical Data saying that: “An individual shall not be regarded as identifiable if identification requires an unreasonable amount of time”. According to this recommendation the identification and verification time a biometric device is required should be tested. If the TTP is responsible for identifying and verifying the biometric PIN then similar tests should occur. This convention may be held to include time needed to decrypt an encrypted biometric template. The European Union Directive 95/46/EC aims to “protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data” (Art 1.1). The EU Directive (Art 17) requires “appropriate technical and organizational measures to protect personal data in particular where the processing involves the transmission of data over a network”. The organizational measures taken in the biometric technologies in function with the TTPs should be carefully examined. People using information systems are subject to other specific laws as well (e.g. Access to

D. Polemi / Future Generation Computer Systems 15 (1999) 265–276

Health Records Act, Data Protection Act, Copyright, Designs and Patent Act, Computer Misuse Act, Access to Health Records Act, Health and Safety at Work Act).

7. Standardization efforts European bodies (European Commission, Council of Europe, SOGIS, OECD, IMIA, EFMI, etc.) as well as standardization bodies (CEN/TC251, ETSI, EWOS, ECMA, ITW, etc.) act in the field of security of medical data [5]. Standard development organizations such as European Health Telematics Observatory (EMTO), CEN ISSS, American Society for Testing and Materials (ASTM), Health Level Seven (HL7), the Object Management Group (OMG), the Computer-based Patient Records Institute (CPRI) currently address security aspects of health care with special programs and subcommittees [71–75]. Security bodies such as ETSI SAGE (Security Algorithms Group of Experts) and ETSI RES 6 Working Group 6 (the TETRA Security Group) and the GSM MOU Security Group are involved in the security issues [76–80]. Standardization groups, such as Javacard forum or PS/SC workgroup stimulate smart card-based secure architectures. The National Physical Laboratory, the UK’s national standards laboratory, acts as a custodian of primary standards of biometric units. The Association for Biometrics (AFB), and the USbased bodies: the Biometry Industry Standards Association and The Biometric Consortium have achieved great progress in the standardization of biometric technologies. The Council of Europe is working towards developing a recommendation on the protection of medical data as well as on a recommendation on ethical and legal issues relevant to the communication of health information in hospitals. The Organization for Economic Co-operation and Development (OECD) has dealt with the issue since 1971. OECD published a set of guidelines for the security of information systems. The US authorities have also dealt with the subject. An automated information systems security handbook has been published by NIST in 1991.

273

The computer control guidelines (Canadian Institute of Chartered Accountants), the data protection handbook (NHS Information Management Center), the SEISMED high level policy for health care provide guidance for secure telemedicine.

8. Payments of telemedical services Another barrier to telemedicine’s deployment is the lack of innovative billing procedures for telemedical services. The first problem is that specific feature, type, scope, duration and cost of the offered telemedical services are not well defined and harmonized across various telemedicine networks and providers. This problem should be resolved before the billing process may start. In the current state of reality, a hospital (or health care provider) daily sends claims to payers (insurance providers/patients) which must return payment after receipt and processing of the claim transactions. Information systems must support securely this commerce component of health care. If a claim is modified during transmission, the hospital (or provider) may loose a lot of money and especially if such activities occur in large institutions that send hundred of thousands of ECUs in claims [32]. Data transmissions should be securely routed. A patient should also have the right to receive anonymous health care services from a provider. Claims might reveal the treatment that a patient has received or the drugs that are prescribed [4,6]. The use of TTPs can provide the secure transmission of medical claims. Having established a Certificate Authority (CA) infrastructure, certificatebased payment systems can be chosen for the payment of telemedical services. The most prominent example of such systems is SETs (secure electronic transactions).

9. TTPs and SET Having established a TTP infrastructure, it is only natural to adopt certificate-based payment systems for the billing process of telemedical services. The most commonly applied system is the SET, which is rather a protocol than a payment system [81]. It stands for secure electronic transactions. It is a specification of a

274

D. Polemi / Future Generation Computer Systems 15 (1999) 265–276

credit card-based internet payment mechanism which was jointly developed by VISA International and Mastercard/Europay. The SET consortium is now joined by American Express, Netscape, IBM, Microsoft and other partners. The projects ACTS-SEMPER and ESPRIT-E2S are two major EC projects, which used SET within their trials. Other implementations are tested in field trials (e.g. Bank of America, Bank of Ireland, Luottokunta, Commerzbank, Optimus Bank). The SET protocol specifies a method of entity authentication referred as trust chaining. This method entails the exchange of certificates (issued by a TTP) and verification of the public keys by validating the digital signatures of the issuing CA. This trust chain method continues all the way up to the CA at the top of the hierarachy (SET Root CA). The SET Root CA is a highly secure off-line CA which: (i) Generates and securely stores the SET Root CA public and private keys. (ii) Generates and “self-signs” the SET Root CA certificates. (iii) Processes brand certificate requests and generates SET Brand CA certificates. (iv) Generates and distributes certificate revocation lists (CRLs). The SET Root CA issues SET certificates to payment card brands [12]. Payments for telemedical services will consist of: – insurance to hospital or patient (electronic check); – doctor [at an access node] to hospital (credit card); – patient [at an access node] to hospital or doctor (credit card). Electronic payments is a market sector dominated by banks. However, the major participants in the telemedical applications (e.g. hospitals) could get involved in the authentication procedures inherent in many electronic payment systems, such as SET without, of course, dealing with the payment systems themselves. In particular, the hospitals which act as TTPs provide certificates to their participants (e.g. other clinics, doctors, patients, insurance companies) and validate/authenticate their participants upon request of a payment transaction. This request may occur by the banks, payers, and insurance companies.

10. Conclusions In this paper various issues are discussed regarding TTP, biometric technologies and payment systems in order to be used as a guard for the electronic commerce component of a telemedical society.

Acknowledgements Since some results of this paper come from EUROMED-ETS, the author would like to thank the consortium of this project. However this paper represents only the views of the author. Special thanks to Mr. Biget (from GEMPLUS) for his contribution on the smart card section. References [1] V. Ahuja, Network and Internet Security, Academic Press, New York 1996. [2] Biometric Technology Today SJB Services, Soberest, UK (ht.//www.sjb.co.uk). [3] A. Branscomb, Common Law for the Electronic Frontier, Scientific American, September 1991, pp. 112–115. [4] L.J. Camp, M. Sirbu, Critical issues in internet commerce, IEEE Commun. Mag. (1997) 58–62. [5] A. Colleran, Standardization Issues for the European Trusted Services–ETS, Quercus Information, May 1997. [6] Communications of the ACM, Special issue: Electronic Commerce, 39(6) (1996). [7] COMPUTER Network Security, Special issue 31(9) (1998). [8] S. Denny, Is SET really the answer to e-commerce?, J. Internet Banking and Commerce (1998). [9] E. Foo, B. Colin, W. Caelli, E. Dawson, A Taxonomy of Electronic Cash Schemes IFIP 97, Chapman & Hall, London, 1997, pp. 337-348. [10] A. Froomkin, The Essential Role of Trusted Third Parties in Electronic Commerce, October 1996. [11] General Accounting Office Electronic Benefits Transfer, Use of Biometrics to Deter Fraud in the Nationwide EBT program, USA, 1995. [12] IEEE Spectrum, Special issue: Electronic Money, The Institute of Electrical and Electronics Engineers, February, 1997. [13] A. Jain, R. Bolle, S. Pankanti, Personal Identification in Networked Society, Kluwer Academic Publishers, Dordrecht, 1998. [14] Menezes, van Oorschot, Vanstone, Handbook of Applied Cryptography, CRC Press, Boca Raton, 1996. [15] B. Schneier, Applied Cryptography, Protocols, Algorithms and Source Code in C, 2nd ed., Wiley, New York, 1996. [16] W. Stallings, Network and Internet Security: Principles and Practice, Prentice-Hall, Princeton, NJ, 1995.

D. Polemi / Future Generation Computer Systems 15 (1999) 265–276 [17] G.J. Simmons, Contemporary Cryptography: The Science of Information Integrity, IEEE Press, New York, 1992. [18] L.J. Camp, M. Sirbu, Critical issues in internet commerce, IEEE Commun. Mag. (1997) 58–62. [19] Digital Signatures, Timestamping of the Digital Signature in Health Care, Meinhold, September 1996. [20] M. Hamilton, Java and the Shift to Net-Centric Computing, 1996, pp. 31–39. [21] P. Marsh, Biometric Behavior is Smart and Secure, New Electronics, 9 July 1996, pp. 25–26. [22] J. Moffett, M. Sloman, The Source of Authority for Commercial Access Control, Computer, February 1988, pp. 59–69. [23] National Research Council, Computers at Risk, National Academy Press, Washington, DC, 1990. [24] E. Newman, The Biometric Report SJB Services, UK, 1995. [25] S.L. Pfleeger, A Framework for Security Requirements, Comput. Security 10(6) (1991) 515–523. [26] D. Polemi, Biometric Technologies and Their Applications, Proceedings of the SAFE COMP’97, 1997, pp. 158–170. [27] D. Polemi, Trusted third party services for health care in Europe, Future Generation Computer Systems 14 (1998) 51– 59. [28] D. Polemi, Review and Evaluation of Biometric Techniques for Identification and Authentication Including an Appraisal of the Areas where they are most Applicable http://www. cordis.lu/infosec/home.html, 1996. [29] D. Polemi, A. Marsh, Secure Telemedicine Applications High Performance Computing and Networking, Proceedings of the HPCNE’98, Amsterdam, Netherlands, 1998. [30] Spanish Government Agency Wins Outstanding Smart card Application Award at CTST’96 Awards Banquet. May 1996. CardFlash, RAM Research Group. [31] D. Sterne, On the Buzzword’ Security Policy’, in: Proceedings of the 1991 IEEE Symposium on Research in Computer Security and Privacy, USA, 1991, pp. 219–230. [32] A. Stockel, Securing data and financial transactions, IEEE Annual International Carnahan Conference on Security Technology Proceedings, 1995, pp. 397–401. [33] G. Torbet, I. Marshall, S. Jones, Vital signs for identification, Computer Bull. 7(6) (1995) 14–15. [34] A. Varvitsiotis, D. Polemi, A. Marsh, EUROMED–Java: trusted third party services for securing medical Java applets, Proceedings of the Fifth European Symposium on Research in Computer Security, ESORICS 98, Lecture Notes in Computer Science, vol. 1485, Springer Berlin, 1998, pp. 209-220. [35] A. Varvitsiotis, D. Polemi, A. Marsh, Securing Webbased medical applications using trusted third party services, International Conference on Parallel and Distributed Processing Techniques and Applications (PDPTA’98), 1998. [36] A. Varvitsiotis, D. Polemi, A. Marsh, Using Trusted Third Party Services to provide a secure framework for telemedical interaction, International Conference of the IEEE Engineering in Medicine and Biology Society (EMBS’98), 1998. [37] H.M. Wood, The use of passwords for controlled access to computer resources, National Bureau of Standards, Special Publication 500-9, US Dept. of Commerce/NBS.

275

[38] E. Yourdon, Java, the Web and Software Development, COMPUTER, 1996, pp. 25–30. [39] R. Zunkel, Biometrics and Border Control Security Technology & Design, May 1996, pp. 22-27. [40] ACTS/SEMPER Project, Secure Electronic Market Place for Europe, 1995. [41] ESPRIT/Chip Architecture for Smart Cards and Secure Portable Devices (CASCADE), Esprit Project EP8670, Data Sheet 1995. [42] ESPRIT/CRISP Project EP 20 837. [43] ESPRIT/E2S Project EP 20 563. [44] ESPRIT/FACTMERCHANT Project EP 24 103. [45] ESPRIT/SOSCARD Project ESPRIT EP 9259. [46] ESPRIT/WIRE Project EP 22 005. [47] INFOSEC/BOLERO Project, The Bolero Rule Book, Denton Hall, UK, July 1995. [48] INFOSEC/EAGLE Project, Telia Promotor, Sweden, 1997. [49] INFOSEC/ETS I/KRISIS Project 1997. [50] INFOSEC/ETS II/BESTS project, Business Environment Study of Trusted Services, 1998. [51] INFOSEC/ETS’96: Legal, Ethical & Regulatory Issues concerning the TTPs and Digital Signatures. [52] INFOSEC/EUROMED-ETS Trusted Third Party Services for Health Care in Europe, 1996–1997, http://narcisus. esd.ece.ntua.gr/ETS/index.html. [53] INFOSEC/EURO-TRUST Project, Baltimore Technologies, Ireland, 1997. [54] INFOSEC/MANDATE II Project, Cryptomathic, Denmark, 1997. [55] INFOSEC/TESTFIT Project, 1994. [56] INFOSEC/THIS Project, Trusted Third Party Services, Ver. 2.0, Spri, Sweden, December 1995. [57] INFOSEC/TTP Project, in: P. Muller (Ed.), Trusted Third Party Services: Functional Model, Ver. 1.1, Bull Ingenierie, France, December 1993. [58] ISIS/EUROMED Project, http://[email protected], 1995– 1998. [59] TASS project Unisys Personal Identification Technology will be used to give Spaniers Access to Personal Information in Spain’s Health care Databases, UNISYS WORLD Editorial Index, Publications & communications Inc, March 1996 [60] TEDIS I/EDIPAY Project, 1994. [61] TEDIS II/First Attempt to Secure Trade (FAST), 1994–1996. [62] TEDIS/TEDIC Project, Trade EDI Certification. [63] Telematics Applications/TAPPE Project, Telematics for Administrations: Public Procurement in Europe, 1996. [64] Telematics Engineering/DEDICA Project, Directory based EDI Certificate Access and Management. [65] Telematics Engineering/ICE-TEL Project, Architecture and General Specifications of the Public Key Infrastructure, COST, September 1996. [66] TELEMATICS for Administrators/COSACC Project, Coordination of Security Activities between Chambers of Commerce, 1998. [67] Unisys Personal Identification Technology will be used to give Spaniers Access to Personal Information in Spain’s Health care Databases, UNISYS WORLD Editorial Index, Publications & communications, March 1996, .

276

D. Polemi / Future Generation Computer Systems 15 (1999) 265–276

[68] ANSI X3.92 Data Encryption Standard. [69] ANSI X9.31-Key Management for the Financial Services Industry (draft standard). [70] Architecture for Public Key Infrastructure (APKI), Draft 1, The Open Group, May 1997. [71] CEN/CENELEC/ETSI ITAEGV/N231, M-IT-06, Taxonomy and Directory of European Standardization Requirements for Information Systems Security, Issue 2.1, October 1994. [72] ISO 7816 Part 4 Smart Card Operating System. [73] ISO/IEC 10118-2:92, Hash Function for Digital Signatures, Part 2: Hash Functions using a Symmetric Block-cipher Algorithm. [74] ISO/IEC 9796:91, Information Technology–Security Techniques–Digital Signature Scheme giving Message Recovery.

[75] ISO/IEC DIS 11577 Network Layer Security Protocol. [76] ISO/IEC DIS 9594-8 X.509 The Directory Authentication Framework. [77] ISO/IEC JTC 1/SC27 N691, Guidelines on the Use and Management of Trusted Third Party Services, August 1993. [78] ISO/IEC JTC1/SC27/WG2 Security Techniques, Security Mechanisms DIS 9796. [79] ISO/IEC X.509 RSA Public Key Certificates. [80] ISO10202 Security Architecture of Financial Transaction Systems using IC Cards. [81] Mastercard, VISA: Secure Electronic Transactions, Draft, 26 June 1996.