ELSEVIER
Computer Methods and Programs in Biomedicine 53 (1997) 1-8

How to deal with security issues in teleradiology

H.J. Baur a, U. Engelmann b,*, F. Saurbier a, A. Schröter b, U. Baur b, H.P. Meinzer b

a Steinbeis Transferzentrum Medizinische Informatik, Im Neuenheimer Feld 517, 69120 Heidelberg, Germany
b Deutsches Krebsforschungszentrum, Division of Medical and Biological Informatics, Im Neuenheimer Feld 280, 69120 Heidelberg, Germany

Received 11 September 1996; accepted 11 October 1996
Abstract

The use of teleradiological systems for medical image communication is increasing significantly. Digital images can be transferred over public telephone (e.g. ISDN) lines to colleagues for interpretation and/or consultation. Thus, a new quality is being introduced into the process of radiological diagnostics. However, technical implementation of such systems is accompanied by little consideration of legal, i.e. data protection and security, issues. In this paper we describe a concept for data protection in teleradiology which unites aspects of privacy and security as well as user aspects. After highlighting the legal situation in Germany we describe the methodology used for deriving the security profile for teleradiology in Germany. As a result, the set of security measures which have to be employed with a teleradiology system is listed. A detailed description follows of how the software requirements are implemented in the teleradiology software MEDICUS. © 1997 Elsevier Science Ireland Ltd.

Keywords: Teleradiology; Data protection; Privacy; Software; Security

* Corresponding author. Tel.: +49 6221 422382; fax: +49 6221 422.145; e-mail: U.Engelmann@DKFZ-Heidelberg.de

1. Introduction

Teleradiology is the electronic transmission of radiological images from one location to another [1]. Image data are sent to external radiological facilities for interpretation and/or consultation, and interpreted images are sent back to the referring provider. Thus, teleradiology may
• provide access to expert radiological services for interpretation and/or teleconsultation, also in emergency situations,
• provide access to radiological services in facilities where no radiological support is available,
• support cooperative interpretation of images among radiologists (e.g. subspecialties), thus also enhancing education,
• enable on-call image interpretation at the radiologist's home,
0169-2607/97/$17.00 © 1997 Elsevier Science Ireland Ltd. All rights reserved. PII S0169-2607(96)01798-1
• provide timely availability of radiological images and interpretations in clinical care units,
• facilitate explanation of images to the referring physician in on-call situations,
• facilitate cooperation among researchers,
and thus contribute to a higher efficiency or quality in the process of patient care through better information and work flow.

The use of such telecommunication in health care must be accompanied by appropriate security measures. Here, data confidentiality, integrity and availability have to be ensured in compliance with the given legal framework. The legal framework regulates the patient's privacy as well as security in the information technology (IT) systems and the accountability of the health care professionals involved. Therefore, a variety of different measures have to be considered, targeted at the typical requirements of the application area, mainly the nature of the data communicated and the type of communication employed [2].

This paper describes a security concept for teleradiology which complies with the legal situation in Germany. After highlighting the legal aspects, a methodology for establishing a security concept is described, followed by the description of the security measures which were found to be mandatory for the regular use of a teleradiology system. Finally, the implementation of these services in the teleradiology software MEDICUS is described.
2. Legal framework in German law

In Germany, an explicit law, the Bundesdatenschutzgesetz (BDSG, Federal Data Protection Act), was passed on January 27, 1977, which is intended to prevent the misuse of personal data in general. In May 1991 the last revision went into effect, which explicitly protects the citizen's basic right of privacy against the potential risks which arise from computerized data processing [3]. It is the intention of the law to protect the individual against the consequences of unauthorized access to, or insight into, personal data by a third party.
Processing of data (consisting of entry, correction, storage, transmission, deletion or analysis of data) is allowed in the medical field if the BDSG or any other law explicitly demands it, or if the patient gives his/her consent. Section 28 of the BDSG states that the processing of data without the patient's explicit consent is allowed within the usual activities necessary for patient treatment and cure [6]. This agreement is understood as a part of the contract between patient and health care institution. However, the necessity and specific purpose of data processing have to be traceable.

In the context of teleradiology, personal data are transmitted across organisational boundaries. Several ordinances, summarized by the term 'Ärztliche Schweigepflicht' (medical confidentiality), generally prohibit the transmission of patient information. No medical or paramedical staff may pass patient data to non-authorized persons. The civil and criminal codes inflict considerable penalties upon unauthorized disclosure of patient data. However, data transmission among medical staff can be expected to have the patient's silent consent due to his/her wish for optimal cure and treatment [4]. Thus, data transmission across organisational boundaries among medical staff is legal if the data protection regulations of the BDSG are adhered to by both sides.

Section 9 of the BDSG describes the technical and organisational security measures which have to be employed in order to perform BDSG-compliant data processing. The ten requirements it postulates are listed in Table 1. These measures have to be operable for the typical requirements of the application area of teleradiology.
3. Method

Standards are emerging which will provide a sound basis for the development and implementation of security concepts. The European Committee for Standardization (CEN) is preparing a framework for security protection of health care communication (TC 251, WG 6). The European Union is also supporting an initiative for evaluating the security aspects of systems. In ITSEC, security criteria are described [8]. An associated evaluation manual, ITSEM, is also available [9]. Both these EU publications are compatible with and extend the concepts suggested by the US Department of Defense in the TCSEC 'Orange Book' [10]. In Germany, the 'Bundesamt für Sicherheit in der Informationstechnik' in Bonn (BSI, German Information Security Agency) publishes an IT Security Manual [11] which adopts the concepts described in the EU publications mentioned above. A directory of recommended IT security measures [12] is also available.

The IT Security Manual [11] describes in detail how to establish a security concept. The process is divided into four major stages which are further divided into substeps (see steps 1-12 in Fig. 1).

Stage 1: Determination of the appropriate level of security
Step 1: Determination of the objects (IT applications and information sets) which are relevant for further security analysis.
Table 1
The 'Ten Commandments' of data privacy

Security measure       Requirement
Admission control      Do not admit unauthorized persons to the data processing device
Media control          Control reading, manipulation, copying or removal of storage media
Storage control        Control entry, reading, manipulation or deletion of data
User control           Control who uses the data processing system
Access control         Make sure that data are accessible only according to authorization
Transmission control   Record to whom data were transmitted
Input control          Record who entered or manipulated which data
Directive control      Make sure that data are only processed according to given directives
Transport control      No unauthorized reading, manipulation, copying or deletion during transmission of data
Organisation control   Organisational structure must comply with BDSG requirements
Fig. 1. The 12 steps to establishing a security concept (according to [11]).
All entities touched by the teleradiology system have to be considered.
Step 2: Assessment of the value of these objects. The damages induced by loss of confidentiality, integrity and availability of any of these objects have to be classified into one of six categories of damage severity given in the manual [11]. In teleradiology, the damage induced by loss of data origin authentication also has to be examined. As a result of this stage, those applications and information sets are identified which need to be further considered in the security analysis.

Stage 2: Threat analysis
Step 3: Development of a list of all objects which are involved in the operation of the teleradiology system. The object classes under consideration are infrastructure, hardware and software, paperware, storage media, data, communication and personnel.
Step 4: Determination of the relevant threats for each object.
Step 5: Determination of possible weaknesses in the operation of the teleradiology system, i.e. how the threats identified in step 4 come into effect. For this step, the manual gives a detailed list of possible weaknesses in the operation of IT systems.
Stage 3: Risk analysis
Step 6: Quantification of the damage induced if one of the threats determined in the previous step comes true. This analysis is done separately for each object. Here, the damage corresponds to the value of the object determined in step 2.
Step 7: Estimation of the frequency of occurrence of damages. The categories of frequencies are given in the manual [11].
Step 8: Identification of intolerable risks. A decision table is established which classifies each (object value, damage frequency) pair as 'tolerable' or 'intolerable'. Thus, those threats are identified which induce intolerable damage to the teleradiological setting. These are the threats which have to be dealt with in the following stage.

Stage 4: Establishment of the security concept
Step 9: Selection of appropriate security measures. The security manual [11] and a directory of recommended IT security measures [12] suggest appropriate action for reducing the risks to tolerable levels. These measures either reduce the probability of occurrence or they reduce the damage if an adverse event is unavoidable.
Step 10: Evaluation of the selected security measures. Their consequences with regard to risk reduction, costs and operational feasibility have to be examined.
Step 11: Examination of the cost/effect relationship. An analysis has to be made as to whether there is an appropriate relationship between the severity of possible damages, the costs of the measures and their effect. This analysis is done from the user's perspective (or the perspective of the data protection commissioner and the administrative body of the medical facility).
Step 12: Residual risk analysis. Assuming that the postulated security measures are implemented, the remaining risk must be on a tolerable level. It is also conceivable that intolerable risks may be accepted if their frequency is minimal or if the threat is unavoidable. This is again a matter of subjective judgement from the users' point of view.

4. Results

4.1. Security and privacy requirements for teleradiology

The process described above results in a set of security measures which are mandatory requirements for the regular operation of a teleradiology system. This can also be seen as a protection profile for teleradiology. The security measures can be divided into four categories: (1) some measures concern the work organisation in the medical facility where the teleradiology system is located; (2) others refer to the technical and hardware standards of security; (3) further measures include education and training of the users; and finally, (4) there are security measures which have to be provided by the application. For each of these four categories, a checklist can be established which lists the security mechanisms which have to be employed during system operation.

Work organisation, technical security precautions and education of the users result in the establishment of a general security policy in the medical facility. Such a security 'culture' is not specific to the application of a teleradiology system, although the users have to be especially sensitized to the security issue since data leave the boundaries of the organisation in which they work. With the checklist, the data protection commissioner is able to check whether the security policy at his/her institution is sufficient or whether additional mechanisms have to be employed.

4.1.1. General security policy

Organisational measures include:
• restricted access to the system, for example through a locking system, or placement of the system in a non-patient area,
• protection of the system (hardware, storage media) against removal,
• provision of enough copies of the user manual,
• a description of the procedure to be followed in case of a system failure,
• appointment of a responsible system administrator,
• prohibition of the installation of untested or public domain software.

Technical measures include all technical aspects for the safe operation of the system.

Educational activities are important in order to make the users sensitive to the problems of data security and privacy. They include:
• lessons about privacy issues at the time of system introduction (during user training),
• information about the possible damage if rules are not obeyed,
• information about legal/criminal issues,
• appropriate training courses (operation of hardware, media, software).
4.1.2. Security provisions of the teleradiology software

The most important part of the data security and privacy concept are the measures implemented in the software. The software has to provide security services for the data and for the communication process. These services are supposed to protect against the main threats in teleradiology, namely impersonation, modification of information, repudiation and leakage of information [3]. The following security services have to be provided by the teleradiology software:

(a) Data-related services. The application has to prepare the data so that security is supported before and after communication, i.e. the local security on the teleradiology workstation:
• encryption of data on the sender's workstation,
• encryption of data on the receiver's workstation,
• data integrity and authenticity,
• control of data origin and receiver's rights,
• limited lifetime of data.

(b) Communication-related services. Communication security has to be applied on all levels of the ISO/OSI reference model, but is most important at the application level. Here, communication-session-oriented services have to be implemented which envelope data objects before sending and remove the envelope as they are presented to the application [2]:
• encryption of data for transmission over ISDN,
• certification of communication partners,
• recording of data transmission,
• protection against unauthorized log-in,
• firewall,
• emergency concept.

4.2. Security services of the teleradiology software MEDICUS
In the teleradiology project MEDICUS [5], which was run by the Deutsches Krebsforschungszentrum (German Cancer Research Centre) with funding from DeTeBerkom, Berlin, the above requirements were implemented in a specific teleradiology software. One design criterion was that the data protection mechanisms should interfere as little as possible with the ergonomics and user friendliness of the system. Data protection should not be an obstacle for teleradiology which would make the communication between radiologists clumsy and annoying. Therefore, as many services as possible run automatically in the MEDICUS system.

• Encryption of data on the sender's workstation. When image data are sent from the digital modality (or from the archive) to the MEDICUS workstation, the data are automatically encrypted. The encryption uses unique machine features and encrypts both images and database entries with a symmetrical algorithm. No activities by the user are required. Thus, only encrypted data are stored on the teleradiology workstation.

• Encryption of data on the receiver's workstation. Data stored on the receiver's workstation can only be read with the receiver's private key, using the MEDICUS program. Thus, these data are only readable by the person who knows the private key. Theft or viewing of these data cannot cause damage, at least as long as the receiver's private key is kept secret.

• Data authenticity and integrity. Data are transmitted in so-called packets. At the time of sending, they are signed with an electronic signature. This is done with the sender's private key. The electronic signature is applied before the data packet is encrypted. The digital signature is necessary for enabling the receiver to check the authenticity of the data. If data are transmitted informally, the electronic signature can be omitted. A checksum procedure makes sure that the data were not manipulated during transmission or temporary storage on the hard disk. This protects the integrity of the data.

• Control over the data and receiver's rights. After the images have been transferred to the receiver, the sender (= author) loses control of what is further done with his images. In order to avoid this, the sender can define the receiver's rights, i.e. what the receiver is allowed to do with the images (e.g. export images into other formats, print images, etc.). According to these rights, the MEDICUS program enables/disables the corresponding functionalities.

• Limited lifetime of data. MEDICUS is a communication, not an archive system. Since only copies of original images are stored on a MEDICUS workstation, data are deleted after a maximum of 90 days. Deletion is carried out automatically by the software. At program start, the system checks for data which have exceeded the limit and deletes them. It is possible for the sender to give the data an explicit lifetime of less than 90 days.

• Encryption of data for transmission over ISDN. Data are encrypted specifically for the receiver and transmitted in encrypted form. Here, an asymmetrical procedure is applied: data are encrypted using the receiver's public key. Data can only be decrypted with the receiver's private key. Thus, only public keys are passed to other persons. The private keys are never transmitted over the ISDN line.

• Certification of communication partners by a trust center. Communication partners are certified at one central institution, the Steinbeis Transferzentrum Medizinische Informatik. There, the public keys are administered, certified and distributed to all registered communication partners. Communication with a non-certified partner is also possible. The MEDICUS system then gives an appropriate warning.
• Recording of data transmission. Data transmission is automatically recorded in so-called files of 'incoming and outgoing mail'. These cannot be manipulated manually. These files enable the user to prove that data were sent or received.

• Protection against unauthorized log-in. The MEDICUS software runs under UNIX or Linux and uses the TCP/IP and PPP communication protocols. Seven steps are necessary to successfully log in to a MEDICUS workstation over ISDN, e.g. entering the PPP and login accounts and passwords. A further protection is that the ISDN telephone number is not accessible in the telephone directory or through the telephone information service. Additionally, the address and the telephone number of the caller must be registered with login permission by the trust center.

• Firewall. MEDICUS workstations are connected to the ISDN. Mostly, they are also connected to a digital imaging device or to a whole departmental network. Thus, a MEDICUS workstation might be a security leak if it is possible to enter the network through the ISDN entrance. In order to avoid this, firewall software can be installed on the MEDICUS workstation where necessary. A cheap solution is offered by the TCP wrapper software [13], which is able to explicitly allow and prohibit particular network services for individual hosts or networks.

• Emergencies and availability of keys. Backups of the private keys of users have to be stored in a clinic safe. In the case of the loss of a key, it can be accessed and reconstructed through authorized persons. It is also possible to distribute parts of private keys to several locations. In order to reconstruct it, all parts would have to be put together.

The cryptographic services on the data and the digital electronic signatures are implemented using the public key package 'Pretty Good Privacy' (PGP) by Phil's Pretty Good Software [7]. The protection against intrusion into the MEDICUS workstation and into the local network is implemented according to the Internet firewall recommendations by Chapman and Zwicky [14].
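The packet flow described in the items above (signature with the sender's private key applied before encryption, content encryption keyed to the receiver so that only the receiver's private key opens it, an integrity check on what arrives, and a sender-chosen lifetime capped at 90 days) as a worked example in Go. This is an added illustration, not MEDICUS code: MEDICUS used PGP, whereas this block uses Go's standard library (RSA-PSS signatures, RSA-OAEP key wrapping, AES-256-GCM), and the Packet and Envelope field names are assumptions. One caveat the text glosses over: a plain checksum only catches accidental corruption; here the GCM authentication tag and the signature are what detect deliberate modification, and the receiver rejects a wrong-length nonce explicitly because the Go GCM implementation panics on one.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

const MaxLifetime = 90 * 24 * time.Hour // the paper's cap for image copies held on a workstation

// Packet is the unit that is signed and sent (field names are this example's assumption).
type Packet struct {
	Expires time.Time `json:"expires"` // explicit lifetime chosen by the sender
	Payload []byte    `json:"payload"` // image bytes
}

// Envelope is what crosses the ISDN line; see Seal for how each part is produced.
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }

func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // fails if a forged WrappedKey unwraps to a bad length
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal signs with the sender's private key first, then encrypts for the receiver (the paper's
// order): a fresh AES-256-GCM key is wrapped with RSA-OAEP, (RSA-PSS signature || JSON) is encrypted under it.
func Seal(p Packet, senderPriv *rsa.PrivateKey, receiverPub *rsa.PublicKey, now time.Time) (*Envelope, error) {
	if p.Expires.After(now.Add(MaxLifetime)) {
		return nil, fmt.Errorf("explicit lifetime exceeds the 90-day maximum")
	}
	raw, _ := json.Marshal(p) // plain fields only: cannot fail
	digest := sha256.Sum256(raw)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	key := make([]byte, 32)
	rand.Read(key) // crypto/rand.Read never returns an error (Go >= 1.24)
	aead, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, key, nil)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	return &Envelope{wrapped, nonce, aead.Seal(nil, nonce, append(sig, raw...), nil)}, nil
}

// Open reverses Seal: unwrap the key, authenticate-decrypt, verify the signature over the exact bytes received.
func Open(e *Envelope, receiverPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) (*Packet, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, receiverPriv, e.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap key: %w", err)
	}
	aead, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	if len(e.Nonce) != aead.NonceSize() { // GCM Open panics on a wrong-length nonce
		return nil, fmt.Errorf("bad nonce length")
	}
	body, err := aead.Open(nil, e.Nonce, e.Ciphertext, nil) // any bit changed in transit fails here
	if err != nil || len(body) < senderPub.Size() {
		return nil, fmt.Errorf("integrity check failed: %v", err)
	}
	sig, raw := body[:senderPub.Size()], body[senderPub.Size():] // PSS signature is exactly Size() bytes
	digest := sha256.Sum256(raw)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, fmt.Errorf("data origin authentication: %w", err)
	}
	var p Packet
	if err := json.Unmarshal(raw, &p); err != nil {
		return nil, err
	}
	return &p, nil
}

func main() {
	sender, _ := rsa.GenerateKey(rand.Reader, 2048)
	receiver, _ := rsa.GenerateKey(rand.Reader, 2048)
	env, err := Seal(Packet{Expires: time.Now().Add(24 * time.Hour), Payload: []byte("constructed sample")}, sender, &receiver.PublicKey, time.Now())
	if err != nil {
		panic(err)
	}
	got, err := Open(env, receiver, &sender.PublicKey)
	fmt.Println(err, got != nil && string(got.Payload) == "constructed sample")
}
```

Open does not itself enforce Expires: in the paper's model deletion is a housekeeping job run at program start, so the caller purges stored packets whose Expires has passed. Signing before encrypting, as the paper does, means the signature is only visible to the legitimate receiver, which also keeps the sender's identity out of reach of anyone tapping the line.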
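The "distribute parts of private keys to several locations, all parts needed to reconstruct" arrangement from the emergency item above, as an added Go example; it is not MEDICUS or PGP code, and the share holders named in the comments are assumptions. What the paper describes is an n-of-n split, which an XOR split gives exactly: n-1 shares are random and the last one is the secret XORed with all of them, so any n-1 shares together are uniformly random and reveal nothing. The block adds a fingerprint check, since XOR recombination cannot tell a wrong or missing share from a right one.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// SplitKey splits a secret (e.g. the material of a private key) into n shares
// such that every share is needed to rebuild it: n-1 shares are random and the
// last is the XOR of the secret with all of them.
func SplitKey(secret []byte, n int) ([][]byte, error) {
	if n < 2 {
		return nil, fmt.Errorf("need at least 2 shares, got %d", n)
	}
	if len(secret) == 0 {
		return nil, fmt.Errorf("empty secret")
	}
	shares := make([][]byte, n)
	last := append([]byte(nil), secret...) // work on a copy, not the caller's key
	for i := 0; i < n-1; i++ {
		share := make([]byte, len(secret))
		rand.Read(share) // crypto/rand.Read never returns an error (Go >= 1.24)
		for j := range share {
			last[j] ^= share[j]
		}
		shares[i] = share
	}
	shares[n-1] = last
	return shares, nil
}

// Fingerprint is stored next to the shares (it is not secret) so that a rebuilt
// key can be checked before use.
func Fingerprint(key []byte) []byte {
	h := sha256.Sum256(key)
	return h[:]
}

// CombineKey XORs the shares back together and checks the result against the
// stored fingerprint. XOR alone cannot detect a missing or wrong share: the
// output is simply a different byte string.
func CombineKey(shares [][]byte, fingerprint []byte) ([]byte, error) {
	if len(shares) == 0 {
		return nil, fmt.Errorf("no shares")
	}
	out := make([]byte, len(shares[0]))
	for _, s := range shares {
		if len(s) != len(out) {
			return nil, fmt.Errorf("shares have different lengths")
		}
		for j := range s {
			out[j] ^= s[j]
		}
	}
	if subtle.ConstantTimeCompare(Fingerprint(out), fingerprint) != 1 {
		return nil, fmt.Errorf("reconstructed key does not match fingerprint (missing or wrong share)")
	}
	return out, nil
}

func main() {
	key := make([]byte, 32) // stands in for a private key's secret material (constructed)
	rand.Read(key)
	fp := Fingerprint(key)
	// Assumed holders: clinic safe, administration, data protection commissioner.
	shares, _ := SplitKey(key, 3)
	_, errAll := CombineKey(shares, fp)
	_, errTwo := CombineKey(shares[:2], fp)
	fmt.Println("all three shares:", errAll, "| two shares:", errTwo)
}
```

The price of the n-of-n property is that losing any single share loses the key, so this complements the clinic-safe backup the paper also requires rather than replacing it; where tolerance for a lost share is wanted, a threshold scheme (Shamir secret sharing) gives k-of-n at the cost of more code than shown here.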
5. Discussion and conclusions

According to the methodology suggested by European and German authorities, an analysis was performed which resulted in a thorough list of security requirements for teleradiology. Implementation of this protection profile makes sure that the 'Ten Commandments' of the German law (BDSG) are obeyed. However, there are no explicit criteria given in the BDSG which determine when the requirements are sufficiently fulfilled. Thus, the appropriateness of the data protection implemented in a software system is a matter for the subjective judgement of the data protection commissioner of each individual hospital.

The development process of the security concept consists of very detailed examinations which make the whole procedure as transparent as possible. This makes the security analysis reproducible and also makes it possible to react to changes in legislation or the technical state of the art. The procedure is usually applied retrospectively, i.e., in a given setting, the systematic analysis is applied in order to detect existing risks and to establish a concept to reduce their probabilities or the damage caused by them. In the MEDICUS-2 project, a prospective approach was pursued. It was necessary to have the security concept completed and implemented at the time of introducing the system into clinical practice.

The security concept described here follows the recommendations of the European Committee for Standardization CEN (TC 251) for a reference model for security protection of health care communication. In addition to a general security policy, there are measures provided for data security, session security, local network security and intermediary network security. These are derived from the German legislation, and the implementation of these measures was done using international standards and products. However, there is different legislation concerning governmental control of encryption products all over Europe. In some countries, the use of certain products like PGP is prohibited; other countries may only allow the use of specific versions.
The effect is that trans-national data transmission is far from being operational. European standards will have to be introduced soon in order to overcome the barriers between the EU member states which still exist in health care communication.
Acknowledgements

The study reported was conducted within the MEDICUS project run by Deutsches Krebsforschungszentrum (German Cancer Research Centre) from August 1994 to July 1996. The project was funded by DeTeBerkom GmbH, Berlin under grant number 2097. The authors wish to thank the participating radiologists and data protection commissioners of the medical facilities who played an active role during the construction of the security concept proposed here.
References

[1] American College of Radiology, ACR Standard for Teleradiology, Teleradiol. Res. 21 (1994) (http://www.acr.org/standards.new/teleradiology_standard.html).
[2] G. De Moor and G. van Maele, Standards in healthcare informatics and telematics, European Committee for Standardisation, Technical Committee 251 Medical Informatics, Brussels, 1996.
[3] E. Dörr, Neues Bundesdatenschutzgesetz: Handkommentar und Arbeitshilfe für Wirtschaft und Verwaltung (Datakontext Verlag, 1991).
[4] C. Dierks, Schweigepflicht und Datenschutz in Gesundheitswesen und medizinischer Forschung, in: Reihe Rechtswissenschaftliche Forschung und Entwicklung, ed. E. Lehmann (Lorentz Verlag, 1993).
[5] U. Engelmann, A. Schröter, U. Baur et al., Teleradiology System MEDICUS, in: CAR '96: Computer Assisted Radiology, 10th Int. Symp. and Exhibition, eds. H.U. Lemke, M.W. Vannier, K. Inamura and A.G. Farman, pp. 537-542 (Elsevier, Amsterdam, 1996).
[6] H. Fangmann, Rechtliche Konsequenzen des Einsatzes von ISDN (Westdeutscher Verlag, Köln, 1993).
[7] S. Garfinkel, PGP: Pretty Good Privacy (O'Reilly and Associates, Sebastopol, CA, 1995).
[8] Commission of the European Communities, DG XIII/F, Information Technology Security Evaluation Criteria (ITSEC), Brussels and Luxembourg, ISBN 92-826-3004-8, 1994.
[9] Commission of the European Communities, DG XIII/F, Information Technology Security Evaluation Manual (ITSEM), Brussels and Luxembourg, ISBN 92-826-7087-2, 1993.
[10] Department of Defense, Trusted Computer System Evaluation Criteria, DOD 5200.28-STD, 1985.
[11] Bundesamt für Sicherheit in der Informationstechnik, IT-Sicherheitshandbuch (Bundesdruckerei, Bonn, 1995).
[12] Bundesamt für Sicherheit in der Informationstechnik, IT-Grundschutzhandbuch: Maßnahmen für den mittleren Schutzbedarf (Bundesanzeiger Verlagsges. mbH, Köln, 1995).
[13] W.Z. Venema, TCP WRAPPER: network monitoring, access control and booby traps, Proc. UNIX Security Symposium III (Baltimore), September 1992.
[14] D.B. Chapman and E.D. Zwicky, Building Internet Firewalls (O'Reilly and Associates, Sebastopol, CA, 1995).