Background
Methods
Pillar 1: Gap analysis study
- End-user perspectives across diverse settings in KONFIDO pilot countries: Santobono Pausilipon Hospital (Italy), Odense University Hospital & Svendborg Hospital (Denmark), and Hospital Clínic Barcelona (Spain).
- National cybersecurity strategies and reference reports: documents describing the cybersecurity strategies currently applied in the pilot countries, and relevant reports (e.g. on guidelines or best practices), primarily provided by the European Union Agency for Network and Information Security (ENISA) [17, 18].
Pillar 2: User scenarios definition
Phase 1: Milan
Anna is a 45-year-old university professor living in Milan (Lombardy Region), Italy. For the summer holidays, Anna and her daughter are planning a cruise to Barcelona, Spain. Anna suffers from type 2 diabetes, while her 6-year-old daughter Cristina has had a heart disease since birth. Being a chronic patient, Anna has learnt how to live with her disease and to manage her daughter's health too, undertaking routine tasks such as periodically measuring Cristina's vital signs (e.g., blood pressure), taking medicines, or performing glucose measurements and insulin injections. Cristina was enrolled in the Regional Program called CReG (Chronic Related Groups), and together with her mother she uses a tele-monitoring service. CReG is a program that delegates the care management of chronic patients to General Practitioners, supporting them in the prescription, monitoring and renewal of care plans. The hospital in Milan has equipped both Anna and Cristina with a tele-monitoring kit for remote monitoring of their health condition. The kit includes medical devices and a gateway that sends the measured vital signs to the respective Service Center in Milan.

Phase 2: Naples
Travelling by car to a conference in Naples (Campania Region) with her husband and their daughter, Anna is involved in a quite serious car accident, and Cristina sustains serious wounds. The healthcare authorities in Naples, where the accident takes place, offer an innovative telemedicine application empowered by KONFIDO. In particular, using the national eID technology that KONFIDO recognizes and handles properly, all the information needed to intervene while in the ambulance (patient identification, clinical details, immunization details and usual therapy) can be retrieved. Specifically, Cristina's data are retrieved from the EHR system of the healthcare authorities in the Lombardy Region. Using the telemedicine application and a tablet, the paramedics transmit Cristina's personal data (including pictures of her wounds) through the mobile network to the emergency department. Using KONFIDO technologies, the paramedics can safely authenticate her, and her medical data are transmitted encrypted. The application monitors the child, suggests actions, possibly re-routes the ambulance, and makes sure that everything is ready upon arrival at the hospital, with the aim of speeding up the triage process and reinforcing the preparedness level.

Phase 3: Barcelona
After a few weeks, Cristina is discharged from the hospital in Naples and, given her risky heart condition, the doctor in Milan is immediately informed by the hospital in Naples that the anti-coagulant therapy had to be interrupted. Consequently, the doctor decides to adjust the therapy and review the monitoring plan. Cristina and Anna can realize their vacation plans in Spain using the tele-monitoring service. Anna and Cristina know that, in case of problems, any hospital they might have to visit in Barcelona will have access to their patient summaries in Italy. During the journey, Anna faints and is transferred to the nearest hospital in Barcelona to check her health condition. While the Spanish doctor is accessing Anna's patient summary, a cyberattack tries to compromise the data exchange. Specifically, an international hacker group, exploiting a system vulnerability, attacks and takes control of the NCP in the Spanish OpenNCP deployment. Thanks to the KONFIDO security mechanisms, the integrity and confidentiality of Anna's data are protected against the cyberattack, and the doctor can make a diagnosis and provide the medical treatment.
Pillar 3: User requirements elicitation
Pillar 4: Feedback from key stakeholders
Results
Outcome 1: Comprehensive user requirements definition
ID | Business process | Description |
---|---|---|
BP1 | Grant access to own Medical Record | A patient in the visiting country grants the foreign HCP access to his/her medical record to facilitate treatment. |
BP2 | Access the medical record of a foreign patient | The HCP accesses a foreign patient’s medical record, e.g. his/her medical history summary, medication treatment plan, diagnosis and relevant lab examination results. |
BP3 | User authentication using the national eID infrastructure | The user is being authenticated via his/her nationally-issued eID. |
BP4 | Transmitting data for remote monitoring | The user transmits data using a telemonitoring service. |
BP5 | Accessing the patient’s medical record while transferred via an ambulance | Paramedics retrieve data from the patient’s medical record. |
BP6 | Exchanging triage information, while the patient is transferred to the hospital via an ambulance | Paramedics transmit triage data to the respective hospital, e.g. wound pictures. The application transmits patient data in the ambulance and may provide guidance to the paramedics. |
BP7 | Exchange of medical information between HCPs | HCPs exchange medical information directly, e.g. in the case of a medication safety issue, and notify the treating physician accordingly. This BP refers to an active way of communication and not to keeping notes in the patient’s medical record. |
ID | Description | Category | Comments |
---|---|---|---|
A1 | Medical record information | Information | The main asset to be protected. |
A2 | HCP credentials | Information | e.g. usernames, passwords etc. |
A3 | HCP authentication means | Infrastructure | e.g. eID card |
A4 | Intention of accessing medical record | Information | The intention of accessing a patient’s medical record is crucial. On the one hand, it could imply an attack attempt and, in this case, the medical record owner should be notified. On the other hand, it should be protected as it clearly implies that the doctor intends to conduct a medical transaction, and this could contain sensitive information. |
ID | Type | Assets | Malicious actors | Description/Example scenario |
---|---|---|---|---|
T1 | Spoofing | All information assets | Other actors without a clear role in the BP | An external actor could pretend to be legitimate, in order to get the HCP credentials and use them to access information (e.g. patient’s medical record), on behalf of the HCP. |
T2 | Tampering | All information assets | Other actors without a clear role in the BP | A malicious user could (perhaps combined with a spoofing attack) modify the information assets (e.g. the patient’s medical record or the HCP’s credentials) in a malicious way for social, financial or for personal reasons. |
T3 | Repudiation | All information assets | HCPs | An HCP denies having accessed medical information, in order to avoid legal consequences (e.g. in the case of a medical error). |
T4 | Information disclosure | All information assets | HCPs and other actors without a clear role in the BP | An HCP could provide access to a patient’s medical record, aiming at the patient’s financial or personal harm, or at personal financial benefit. |
T5 | Denial of Service | Medical record information | Other actors without a clear role in the BP | Hindering access to the respective services, aiming to cause damage to the patient or to the healthcare organization providing the medical services. |
T6 | Privilege Elevation | Medical record information | Other actors without a clear role in the BP | Obtaining elevated privileges over one or multiple medical records, aiming at exploiting or damaging data, or alternatively at patients’ financial or personal harm. |
T7 | Physical stealing | Physical authentication means | Other actors without a clear role in the BP | Stealing the eID card of the HCP could facilitate spoofing, information disclosure and privilege elevation. |
G11 | Prevent tampering attacks |
---|---|
Goal Type | Non-functional |
Actor(s) | Other actors without a clear role in the BP |
Reference(s) | BP2 |
Description | As someone could (perhaps combined with a spoofing attack) modify the information assets (e.g. the patient’s medical record or the HCP’s credentials) in a malicious way for social, financial or personal reasons, KONFIDO should be able to prevent such malicious actions. |
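As an added illustration of how the tampering (T2) and repudiation (T3) threats above can be made detectable in line with goal G11 and the provenance/auditing focus of barrier B18, the following Python builds a tamper-evident access audit log for cross-border record accesses (BP2). It is example code written for this page, not code from the KONFIDO project or the paper; the key, HCP and patient identifiers and the events are constructed placeholders.

```python
import hashlib
import hmac
import json

# Assumed key for this demo (constructed); a real NCP would hold it in a key store or HSM.
AUDIT_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # chain anchor for the first entry


def _tag(body):
    """HMAC-SHA256 over the canonical JSON form of an entry (without its tag)."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, canonical, hashlib.sha256).hexdigest()


def append_entry(log, event):
    """Append an access event, chained to the previous entry's tag."""
    prev = log[-1]["tag"] if log else GENESIS
    body = {"seq": len(log), "prev": prev, "event": dict(event)}
    log.append({**body, "tag": _tag(body)})
    return log


def verify_log(log):
    """Recompute every tag and chain link; return (ok, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "tag"}
        if body.get("seq") != i or body.get("prev") != prev:
            return False, i  # entry removed, reordered or re-chained
        if not hmac.compare_digest(_tag(body), entry["tag"]):
            return False, i  # entry contents modified (T2)
        prev = entry["tag"]
    return True, None


# Constructed sample: a Spanish HCP reads an Italian patient's summary (BP2).
SAMPLE_EVENTS = [
    {"hcp": "hcp-es-0042", "patient": "pat-it-1234", "action": "read_summary"},
    {"hcp": "hcp-es-0042", "patient": "pat-it-1234", "action": "read_medication"},
]


def build_sample_log():
    log = []
    for event in SAMPLE_EVENTS:
        append_entry(log, event)
    return log


def tampered_sample_log():
    """An insider edits the second entry to hide an access (T3); verification flags seq 1."""
    log = build_sample_log()
    log[1]["event"]["action"] = "none"
    return log
```

Because each tag covers the previous tag, deleting or reordering entries is detected as well as editing them, so the log gives a verifiable record of who accessed which record and when.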
G12 | Prevent ambiguity issues |
---|---|
Goal Type | Functional |
Actor(s) | HCP, Patient |
Reference(s) | BP1, BP2, JASeHN deliverable D5.3 (section IV) |
Description | Semantic ambiguity can be a burden in cross-border health data exchange. References to diseases and medications might be confusing in clinical practice due to different drug brand names, clinical protocols/procedures, etc. KONFIDO should promote semantic interoperability in order to minimize these risks. |
Original source category | Percentage of goals referring to the category |
---|---|
Standards | 29% |
Business Processes | 24% |
Threats | 13% |
Outcome 2: Barriers and facilitators for HIT acceptance
Gap analysis template clause | Gap analysis objective | Question/security control | Current status and gap mitigation |
---|---|---|---|
Security Policy | Information security policy | Does the analysis subject facilitate or promote the idea of an information security policy document? | A formal information security policy document does not yet exist; however, PAUSIL is planning to introduce operational procedures and policies regarding security. |
Physical and environmental security | Secure areas | Does the analysis subject facilitate or promote protecting against external and environmental threats? | Protection against external and environmental threats is not centrally documented/planned. |
Usability | Effectiveness | Does the analysis subject facilitate or promote the operability regarding the respective security aspects? | The process of changing user passwords could be improved in terms of usability. |
Communications and operations management | Media handling | Does the analysis subject facilitate or promote the management of removable media? | No formal procedures are enforced for the management of removable media. |
ID | Description | Expected impact on technical design and/or the overall KONFIDO project activities | Category |
---|---|---|---|
B1 | Lack of awareness regarding information technology risks | Need to reinforce awareness on cybersecurity risks associated with healthcare delivery. | Awareness |
B2 | Lack of end-user confidence in their overall electronic health data handling | The technical design shall account for a comprehensive and transparent data handling scheme. | Trust |
B3 | Lack of trust in private companies providing HIT services | The solution should focus on using infrastructure in the most transparent way possible. | Trust |
B4 | Lack of interest regarding the “Terms and Conditions” for using HIT services | Need to make “Terms and Conditions” more comprehensible for all users; need to support the implementation of a comprehensive and transparent data handling scheme. | Trust |
B5 | Inadequate level of legislation awareness | Need to promote awareness on legislation aspects. | Awareness |
B6 | Lack of perceived effectiveness of legislation by end-users | Need to explain and illustrate the effectiveness of legislation to end-users. | Trust |
B7 | Lack of clear and transparent consent processes currently applied | Need to design a comprehensive consent mechanism. | Trust |
B8 | Legislation not aligned among EU Member States | Need to track ongoing legislation initiatives and adapt the technical design accordingly. | Legislation |
B9 | Immaturity of existing frameworks | Need to reduce strong dependencies on such frameworks to the extent possible. | Usability |
B10 | Partial lack of management commitment | Need to raise awareness on cybersecurity risks associated with healthcare delivery. | Awareness |
B11 | Lack of a cybersecurity-oriented culture in everyday operations | Need to raise awareness on the cybersecurity risks associated with healthcare delivery. | Awareness |
B12 | Lack of budget | Need to raise awareness on the impact of cybersecurity incidents and the economic burden that these may entail. | Awareness |
B13 | Usability reduced due to IT security measures | Need to prioritize usability in the technical design process. | Usability |
B14 | Inadequate use of established cybersecurity mechanisms (e.g. active directory, intrusion detection systems, etc.) | Need to promote the use and added value of novel/standard cybersecurity mechanisms. | Awareness |
B15 | Diversity of information workflows among organizations | Need to contextualize the technical design, in order to accommodate the requirements of local healthcare delivery processes and therefore increase end-user acceptance through enhanced usability. | Usability |
B16 | Free-text content in different languages | Need to employ reference medical terminologies/encodings to address interoperability. | Interoperability |
B17 | Legislation not aligned among EU Member States | Need to follow ongoing legislation initiatives and adapt the design according to EU directives. | Legislation |
B18 | Legal issues not clarified (e.g. data ownership, liability etc.) | Focus on provenance and auditing mechanisms, in order to clarify details if/when needed and, therefore, increase trust in the overall data exchange process. | Legislation |
B19 | Lack of inter-organizational trust | Need to promote robust and transparent cybersecurity measures while illustrating the added value of health data sharing (e.g. considering patient safety, quality of care, etc.). | Trust |
B20 | Complexity of consent process | Need to design a comprehensive consent mechanism for patients. | Usability |
B21 | Lack of available IT expertise in organizations | Need to raise awareness about the required personnel to address cybersecurity risks in organizations delivering healthcare services. | Awareness |
B22 | Data exchange agreement’s complexity | Need to establish data exchange agreements compliant with legal norms. | Usability |
ID | Description | Expected impact on technical design and/or the overall KONFIDO project activities |
---|---|---|
F1 | The need for HIT services and applications tends to overcome the insecurity regarding personal data misuse | It confirms the need for solutions that provide added value in real-world healthcare settings, while still promoting a holistic security approach. |
F2 | End-users support cross-border data exchange (even for research) | It confirms the value of the KONFIDO key concepts. Does not affect design decisions. |
F3 | Common legislation activities between EU Member States | GDPR and other initiatives will form the legal base for the solution and guide the respective design decisions (e.g. on the consent process). |
F4 | Technical EU initiatives are currently ongoing | The design will create a liaison with and build upon existing/evolving frameworks in Europe (epSOS, OpenNCP, eIDAS). |
F5 | Standards already established and widely accepted | The design and implementation will follow security standards, such as those from ISO/IEC 27k. |
F6 | Wide recognition of the need for a security policy based on standards | The technical solution should be based on widely accepted standards, thereby implicitly increasing compatibility with standards-based security policies. |
F7 | Exchange of data between organizations is based on agreements following GDPR | The design shall take GDPR into account wherever applicable (e.g. in the design of the consent process). |
F8 | Common mechanism of eID currently built (eIDAS) | The design of the solution shall be based on eIDAS, which is expected to be the de-facto standard among EU Member States. |
F9 | Cloud services compatible with medical data exchange legislation | KONFIDO will be able to use cloud infrastructure that is compatible with the respective legislation. |
F10 | Credible network services available | They facilitate engagement in high-mobility scenarios. |