Title: XML Security based Access Control for Healthcare Information in Mobile Environment
Slide 1: XML Security based Access Control for Healthcare Information in Mobile Environment
- Dasun Weerasinghe, Kalid Elmufti, M Rajarajan, Veselin Rakocevic
- Mobile Networks Research Group
- School of Engineering and Mathematical Sciences
- City University
- London
Slide 2: Outline of the Presentation
- Motivation
- Security Issues
- Technologies used
- Proposed Mobile Healthcare Architecture
- Advantages
Slide 3: Motivation
Slide 4: Security Issues
- Authenticate mobile devices to the healthcare service operator
- Confidentiality of the patient's health information
- Protect the integrity of health information
- Stakeholders in the healthcare service operator should be responsible for the information they send
- Different access levels to health information at the healthcare service operator
Slide 5: Technologies Used
- XML - eXtensible Markup Language
- XML Encryption
- XML Signature
- XML Key Management Specification
Slide 6: XML Encryption
- Provides end-to-end confidentiality
- Encryption is based on XML formats
- Solution to Confidentiality and Authentication
- Advanced features
  - Partial Encryption
  - Multiple Encryption
Slide 7: XML Encryption (Contd.)
- Patient's blood pressure count in an XML message
- The blood pressure count has to be encrypted
Slide 8: XML Encryption (Contd.)
Slide 9: XML Signature
- Technology for data integrity
- The XML Signature specification defines electronic signature formats using XML
- Solution to Authentication, Integrity and Non-repudiation
- Advanced features
  - Partial Signature
  - Multiple Signature
Slide 10: XML Signature (Contd.)
- Patient's blood pressure count with an XML signature
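The signed blood-pressure element of this slide, worked through as an added example (it is not code from the slides or from the authors). The block builds the XML Signature structure in Go: a Reference carrying the element's SHA-256 digest inside SignedInfo, and an rsa-sha256 SignatureValue over SignedInfo, so that only the BloodPressure element is covered (the partial signature of slide 9). Assumptions of the example: the message and element names (HealthMessage, PatientID, BloodPressure with Id="bp-1"), the constructed readings, and the use of Go's own XML marshalling as a stand-in for canonicalization; a real implementation must apply the C14N algorithm named in the signature.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
)

// Algorithm is the <SignatureMethod Algorithm="..."/> element shape used by XML Signature.
type Algorithm struct {
	Algorithm string `xml:"Algorithm,attr"`
}

// Reference names the signed element by URI and carries its digest: only that element is
// covered (partial signature), so the rest of the document may change without breaking it.
type Reference struct {
	URI         string `xml:"URI,attr"`
	DigestValue string `xml:"DigestValue"`
}

type SignedInfo struct {
	SignatureMethod Algorithm `xml:"SignatureMethod"`
	Reference       Reference `xml:"Reference"`
}

// Signature is the <ds:Signature> element; SignatureValue is rsa-sha256 over SignedInfo,
// which in turn carries the element digest.
type Signature struct {
	XMLName        xml.Name   `xml:"http://www.w3.org/2000/09/xmldsig# Signature"`
	SignedInfo     SignedInfo `xml:"SignedInfo"`
	SignatureValue string     `xml:"SignatureValue"`
}

// BloodPressure is the constructed element from the slide; Id is what the Reference points at.
type BloodPressure struct {
	ID        string `xml:"Id,attr"`
	Systolic  int    `xml:"Systolic"`
	Diastolic int    `xml:"Diastolic"`
}

type HealthMessage struct {
	XMLName       xml.Name      `xml:"HealthMessage"`
	PatientID     string        `xml:"PatientID"`
	BloodPressure BloodPressure `xml:"BloodPressure"`
	Signature     Signature     `xml:"Signature"`
}

// canonical stands in for XML canonicalization (C14N), a simplification of this example:
// re-marshalling the struct gives signer and verifier identical bytes for identical content.
func canonical(v any) []byte {
	b, _ := xml.Marshal(v) // these fixed structs always marshal
	return b
}

func b64(b []byte) string { return base64.StdEncoding.EncodeToString(b) }

// BuildSignedMessage assembles the sample message (constructed values) and signs only the
// BloodPressure element: its digest goes into SignedInfo, and rsa-sha256 signs SignedInfo.
func BuildSignedMessage(priv *rsa.PrivateKey, patientID string, sys, dia int) ([]byte, error) {
	msg := HealthMessage{PatientID: patientID, BloodPressure: BloodPressure{ID: "bp-1", Systolic: sys, Diastolic: dia}}
	digest := sha256.Sum256(canonical(msg.BloodPressure))
	si := SignedInfo{
		SignatureMethod: Algorithm{"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"},
		Reference:       Reference{URI: "#" + msg.BloodPressure.ID, DigestValue: b64(digest[:])},
	}
	h := sha256.Sum256(canonical(si))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return nil, err
	}
	msg.Signature = Signature{SignedInfo: si, SignatureValue: b64(sig)}
	return xml.MarshalIndent(msg, "", "  ")
}

// VerifyMessage checks the signature over SignedInfo first, so nothing unsigned is trusted,
// then the element digest; the error says which of the two failed.
func VerifyMessage(pub *rsa.PublicKey, doc []byte) error {
	var msg HealthMessage
	if err := xml.Unmarshal(doc, &msg); err != nil {
		return err
	}
	sig, err := base64.StdEncoding.DecodeString(msg.Signature.SignatureValue)
	if err != nil {
		return err
	}
	si := msg.Signature.SignedInfo
	h := sha256.Sum256(canonical(si))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return fmt.Errorf("SignedInfo signature invalid or missing: %w", err)
	}
	if si.Reference.URI != "#"+msg.BloodPressure.ID {
		return errors.New("reference does not point at the BloodPressure element")
	}
	digest := sha256.Sum256(canonical(msg.BloodPressure))
	if b64(digest[:]) != si.Reference.DigestValue {
		return errors.New("BloodPressure element was modified after signing")
	}
	return nil
}
```

Because only the BloodPressure element is referenced, a message whose PatientID was edited still verifies while one whose Systolic value was changed does not; the verifier checks the signature over SignedInfo before it evaluates any Reference, so an attacker cannot make it process digests they chose.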
Slide 11: Mobile Healthcare Architecture
Architecture diagram (image not reproduced); labels shown: Service Providers, Stakeholders, Insurance Service, Doctor, Private Medical Centre, Nurse, Administrator, Healthcare Service, Pharmacy, Lab, Patient, Healthcare Operator / IdP, Existing Relation, Mobile Operator.
Slide 12: Protocol for Mobile Health
- The protocol addresses:
  - Authentication
  - Data Integrity
  - Confidentiality
  - Non-repudiation
  - Data access level control
- Messages are in XML format
- Communication is based on Web Services
Slide 13: Protocol Authentication Phase
Sequence diagram (image not reproduced). Parties: Service Providers, Mobile Operator, Patient, Healthcare Operator / IdP. Messages, in the order shown: Request Access; Request for BSP; Initiate BSP; B-TID (relayed between the parties); Ks; RAND Challenge; Challenge Response; UT.
- B-TID: string of base64 random data
- Ks: key material to secure the communication
Slide 14: Protocol Authentication to SP
Sequence diagram (image not reproduced). Parties: Service Providers, Mobile Operator, Patient, Healthcare Operator / IdP. Messages, in the order shown: Request Access to SP, SPID, UT; SPUT, tsK; SPUT; Login confirmation msg; Service Request.
- SPUT: SPID, tsK, TS, PID encrypted by the SP's public key and signed by the HO/IdP's private key
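The SPUT token of this slide, as an added example that is not the authors' code: the HO/IdP encrypts SPID, tsK, TS and PID for the service provider and signs the result, and the SP verifies and unpacks it. The slide fixes the token's contents and the encrypt-then-sign order; everything else is this example's assumption: the XML element names (SPUT, SPID, tsK, TS, PID, SPUTToken), RSA-OAEP for "encrypted by SP's public key", RSA-PSS for "signed by HO/IdP's private key", TS as Unix seconds, and a 5-minute acceptance window. The SP-side checks (signature before decryption, SPID matches this SP, timestamp fresh) are the ones a verifier of such a token needs.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// SPUT is the payload the slide lists: SPID, tsK, TS and PID. Element names are this example's.
type SPUT struct {
	XMLName xml.Name `xml:"SPUT"`
	SPID    string   `xml:"SPID"`
	TsK     string   `xml:"tsK"` // session key for the patient-SP leg, base64
	TS      int64    `xml:"TS"`  // issue time, Unix seconds
	PID     string   `xml:"PID"`
}

// SPUTToken carries the SPUT encrypted with the SP's public key plus the HO/IdP's signature
// over that ciphertext (encrypt, then sign, as the slide states). The envelope name is constructed.
type SPUTToken struct {
	XMLName    xml.Name `xml:"SPUTToken"`
	Ciphertext string   `xml:"Ciphertext"`
	Signature  string   `xml:"Signature"`
}

func b64(b []byte) string { return base64.StdEncoding.EncodeToString(b) }

// IssueSPUT is the HO/IdP side: mint tsK, encrypt the SPUT for the SP, sign the ciphertext.
// It returns the token and the raw tsK, which the IdP hands to the patient over the secured leg.
func IssueSPUT(idpIK *rsa.PrivateKey, spCK *rsa.PublicKey, spid, pid string, now time.Time) ([]byte, []byte, error) {
	tsK := make([]byte, 32)
	if _, err := rand.Read(tsK); err != nil {
		return nil, nil, err
	}
	payload, err := xml.Marshal(SPUT{SPID: spid, TsK: b64(tsK), TS: now.Unix(), PID: pid})
	if err != nil {
		return nil, nil, err
	}
	// RSA-OAEP directly on the payload: it is short. A larger payload needs a wrapped content key.
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, spCK, payload, []byte("SPUT"))
	if err != nil {
		return nil, nil, err
	}
	h := sha256.Sum256(ct)
	sig, err := rsa.SignPSS(rand.Reader, idpIK, crypto.SHA256, h[:], nil)
	if err != nil {
		return nil, nil, err
	}
	tok, err := xml.Marshal(SPUTToken{Ciphertext: b64(ct), Signature: b64(sig)})
	return tok, tsK, err
}

// AcceptSPUT is the SP side, in the order a verifier wants: check the IdP signature before
// touching the ciphertext, decrypt, then confirm the token is for this SP and still fresh.
func AcceptSPUT(spIK *rsa.PrivateKey, idpCK *rsa.PublicKey, mySPID string, tok []byte, now time.Time, maxAge time.Duration) (*SPUT, error) {
	var t SPUTToken
	if err := xml.Unmarshal(tok, &t); err != nil {
		return nil, err
	}
	ct, err := base64.StdEncoding.DecodeString(t.Ciphertext)
	if err != nil {
		return nil, err
	}
	sig, err := base64.StdEncoding.DecodeString(t.Signature)
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(ct)
	if err := rsa.VerifyPSS(idpCK, crypto.SHA256, h[:], sig, nil); err != nil {
		return nil, fmt.Errorf("SPUT not signed by the HO/IdP: %w", err)
	}
	payload, err := rsa.DecryptOAEP(sha256.New(), nil, spIK, ct, []byte("SPUT"))
	if err != nil {
		return nil, fmt.Errorf("SPUT not encrypted for this SP: %w", err)
	}
	var s SPUT
	if err := xml.Unmarshal(payload, &s); err != nil {
		return nil, err
	}
	if s.SPID != mySPID {
		return nil, errors.New("SPUT issued for " + s.SPID + ", not for " + mySPID)
	}
	age := now.Sub(time.Unix(s.TS, 0))
	if age < 0 || age > maxAge {
		return nil, fmt.Errorf("SPUT timestamp outside the accepted window (age %s)", age)
	}
	return &s, nil
}
```

The SPID check stops a token minted for one service provider from being presented to another, and the TS window bounds how long a captured token stays usable; a deployment would also allow a small negative age for clock skew and keep a short-lived list of seen tokens if one-time use is required.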
Slide 15: Protocol - Data Access Level
Sequence diagram (image not reproduced). Parties: Service Providers; Healthcare Service, comprising Patient, Doctor, Lab, Nurse, Admin and Pharmacy. Message labels, in the order shown:
- Service Req
- XML Msg: append message to Patient, signed by Nurse's IK, encrypted by HS's CK
- XML Msg: append message to Admin about billing, signed by Pharmacy's IK, encrypted by Admin's CK
- Decrypt all the messages which are encrypted in HS's CK and append those to the XML; encrypt the full message in tsK
- XML Msg (three messages)
- Request Msg encrypted in tsK
- XML Msg (two messages)
- Append Lab Results, signed by Lab's IK, encrypted by Doctor's CK
- Append XML message to Nurse (health information), signed by Doctor's IK and encrypted by Nurse's CK; append XML message to Pharmacy (about drugs), signed by Doctor's IK and encrypted by Pharmacy's CK; append XML message to Patient (doctor's comments), signed by Doctor's IK and encrypted by HS's CK
- Append data reading for Lab, signed by Doctor's IK, encrypted by Lab's CK
- Append Health information encrypted by Doctor's CK; append Patient information encrypted by Admin's CK; message signed by HS's IK
- XML Msg
- Append invoice, signed by Admin's IK, encrypted by HS's CK
Legend: IK = private key, CK = public key
Slide 16: Protocol - Data Access Level (Contd.)
- The same XML document is manipulated over different user levels.
- Data access is restricted using XML elements.
- The same XML message can be sent to external service providers.
- HS appends the information required for external parties, signed by HS's private key and encrypted by the receiver's public key.
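The partial and multiple encryption of slides 6 to 8 and the per-role sections of slides 15 and 16, worked through in one added example (not code from the slides or from the authors): a single HealthRecord keeps the patient ID in clear and carries two EncryptedData sections, one that only the Doctor's private key (IK) opens and one that only the Admin's IK opens, each wrapped with that role's public key (CK). Assumptions of the example: the document and element names (HealthRecord, PatientID, the Recipient attribute), the constructed readings and invoice, AES-256-GCM as the content cipher with RSA-OAEP wrapping the content key, and the omission of the EncryptionMethod and KeyName children a complete xenc:EncryptedData would carry.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"errors"
)

// EncryptedData follows XML Encryption's <xenc:EncryptedData>: the RSA-wrapped content key goes
// under KeyInfo/EncryptedKey, the AES-GCM output (nonce || ciphertext || tag) under
// CipherData/CipherValue. Recipient is this example's own attribute: the role whose CK wrapped the key.
type EncryptedData struct {
	XMLName      xml.Name `xml:"http://www.w3.org/2001/04/xmlenc# EncryptedData"`
	Recipient    string   `xml:"Recipient,attr"`
	EncryptedKey string   `xml:"KeyInfo>EncryptedKey>CipherData>CipherValue"`
	CipherValue  string   `xml:"CipherData>CipherValue"`
}

// HealthRecord is the constructed sample document: patient ID in clear, each section for one role.
type HealthRecord struct {
	XMLName   xml.Name        `xml:"HealthRecord"`
	PatientID string          `xml:"PatientID"`
	Sections  []EncryptedData `xml:"EncryptedData"`
}

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func b64(b []byte) string { return base64.StdEncoding.EncodeToString(b) }

// EncryptFor seals one section for a role: a fresh AES-256-GCM content key encrypts the text and
// RSA-OAEP wraps that key with the role's public key (CK), the hybrid form XML Encryption uses.
// The role name is GCM associated data, so relabelling Recipient makes the section fail to open.
func EncryptFor(ck *rsa.PublicKey, role string, plaintext []byte) (EncryptedData, error) {
	cek := mustRandom(32)
	block, _ := aes.NewCipher(cek) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)
	nonce := mustRandom(gcm.NonceSize())
	sealed := gcm.Seal(nonce, nonce, plaintext, []byte(role))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, ck, cek, nil)
	if err != nil {
		return EncryptedData{}, err
	}
	return EncryptedData{Recipient: role, EncryptedKey: b64(wrapped), CipherValue: b64(sealed)}, nil
}

// BuildRecord assembles the single document of the data-access-level slide (constructed values):
// health information only the doctor's IK opens, billing only the admin's IK opens.
func BuildRecord(patientID string, doctorCK, adminCK *rsa.PublicKey) ([]byte, error) {
	health, err := EncryptFor(doctorCK, "Doctor", []byte("<BloodPressure>120/80</BloodPressure>"))
	if err != nil {
		return nil, err
	}
	billing, err := EncryptFor(adminCK, "Admin", []byte("<Invoice>Consultation 45.00</Invoice>"))
	if err != nil {
		return nil, err
	}
	rec := HealthRecord{PatientID: patientID, Sections: []EncryptedData{health, billing}}
	return xml.MarshalIndent(rec, "", "  ")
}

// ReadSection opens the section addressed to role with the private key ik: unwrap the content
// key, then open the GCM payload. The wrong IK fails at the OAEP step and learns nothing.
func ReadSection(ik *rsa.PrivateKey, doc []byte, role string) (string, error) {
	var rec HealthRecord
	if err := xml.Unmarshal(doc, &rec); err != nil {
		return "", err
	}
	for _, s := range rec.Sections {
		if s.Recipient != role {
			continue
		}
		wrapped, _ := base64.StdEncoding.DecodeString(s.EncryptedKey)
		sealed, _ := base64.StdEncoding.DecodeString(s.CipherValue)
		cek, err := rsa.DecryptOAEP(sha256.New(), nil, ik, wrapped, nil)
		if err != nil {
			return "", errors.New("this key cannot open the section for " + role + ": " + err.Error())
		}
		block, err := aes.NewCipher(cek) // rejects a wrapped key of the wrong length
		if err != nil {
			return "", err
		}
		gcm, _ := cipher.NewGCM(block)
		n := gcm.NonceSize()
		if len(sealed) < n {
			return "", errors.New("ciphertext too short")
		}
		pt, err := gcm.Open(nil, sealed[:n], sealed[n:], []byte(s.Recipient))
		return string(pt), err
	}
	return "", errors.New("no section addressed to " + role)
}
```

Everyone who holds the document sees the PatientID and the structure, but each EncryptedData opens only under the IK of the role it was wrapped for, which is how one document serves several user levels; adding a third role is one more EncryptFor call with that role's CK.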
Slide 17: Advantages
- Healthcare information is protected in the mobile environment
- Stakeholders in the healthcare service operator are responsible for the information they send
- Different access levels are defined in a single healthcare information document for different user levels
Slide 18: Thank You!