Securing the Access to Electronic Health Records on Mobile Phones

  • Alexandra Dmitrienko
  • Zecir Hadzic
  • Hans Löhr
  • Ahmad-Reza Sadeghi
  • Marcel Winandy
Part of the Communications in Computer and Information Science book series (CCIS, volume 273)

Abstract

Mobile phones are increasingly used in the e-health domain. In this context, enabling secure access to health records from mobile devices is of particular importance because of the high security and privacy requirements for sensitive medical data. Standard operating systems and software, as they are deployed on current smartphones, cannot protect sensitive data appropriately, even though modern mobile hardware platforms often provide dedicated security features. Current mobile phones are prone to attacks by malicious software, which might gain unauthorized access to sensitive medical data.

In this paper, we present a security architecture for the protection of electronic health records and authentication credentials that are used to access e-health services. Our architecture is derived from a generic solution and tailored specifically to current mobile platforms with hardware security extensions. Authentication data are protected by a trusted wallet (TruWallet), which leverages trusted hardware features of the phone and isolated application environments provided by a secure operating system. A separate application environment is used to provide runtime protection of medical data. Furthermore, we present a prototype implementation of TruWallet on the Nokia N900 mobile phone. In contrast to commodity systems, our architecture enables healthcare professionals to securely access medical data on their mobile devices without the risk of disclosing sensitive information.

Keywords

Mobile Phone Electronic Health Record Personal Health Record Trusted Platform Module Virtual Private Network 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Aggarwal, M., Vennon, T.: Study of BlackBerry proof-of-concept malicious applications. Technical Report White paper, SMobile Global Threat Center (January 2010)Google Scholar
  2. 2.
    Agreiter, B., Alam, M., Hafner, M., Seifert, J.P., Zhang, X.: Model driven configuration of secure operating systems for mobile applications in healthcare. In: Proceedings of the 1st International Workshop on Mode-Based Trustworthy Health Information Systems (2007)Google Scholar
  3. 3.
    Akinyele, J.A., Lehmann, C.U., Green, M.D., Pagano, M.W., Peterson, Z.N.J., Rubin, A.D.: Self-protecting electronic medical records using attribute-based encryption. Cryptology ePrint Archive, Report 2010/565 (2010), http://eprint.iacr.org/2010/565
  4. 4.
    Alves, T., Felton, D.: TrustZone: Integrated hardware and software security. Technical report, ARM (July 2004)Google Scholar
  5. 5.
    Anderson, J.P.: Computer security technology planning study. Technical Report ESD-TR-73-51, AFSC, Hanscom AFB, Bedford, MA, AD-758 206, ESD/AFSC (October 1972)Google Scholar
  6. 6.
    Android Open Source Project. Project website (2010), http://www.android.com
  7. 7.
    Apple Inc. iOS website (2010), http://www.apple.com/iphone/ios4
  8. 8.
    Azema, J., Fayad, G.: M-ShieldTMmobile security technology: making wireless secure. Texas Instruments White Paper (February 2008), http://focus.ti.com/pdfs/wtbu/ti_mshield_whitepaper.pdf
  9. 9.
    Benelli, G., Pozzebon, A.: Near Field Communication and Health: Turning a Mobile Phone into an Interactive Multipurpose Assistant in Healthcare Scenarios. In: Fred, A., Filipe, J., Gamboa, H. (eds.) BIOSTEC 2009. CCIS, vol. 52, pp. 356–368. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  10. 10.
    Brygier, J., Fuchsen, R., Blasum, H.: PikeOS: Safe and secure virtualization in a separation microkernel. Technical report, Sysgo (September 2009)Google Scholar
  11. 11.
    Dmitrienko, A., Hadzic, Z., Löhr, H., Sadeghi, A.-R., Winandy, M.: A security architecture for accessing health records on mobile phones. In: Proceedings of the 4th International Conference on Health Informatics (HEALTHINF 2011), pp. 87–96. SciTePress (2011)Google Scholar
  12. 12.
    EMSCB Project Consortium. The European Multilaterally Secure Computing Base (EMSCB) project (2005-2008), http://www.emscb.org
  13. 13.
    Fraim, L.: SCOMP: A solution to the multilevel security problem. IEEE Computer, 26–34 (July 1983)Google Scholar
  14. 14.
    Gajek, S., Löhr, H., Sadeghi, A.-R., Winandy, M.: TruWallet: Trustworthy and migratable wallet-based web authentication. In: The 2009 ACM Workshop on Scalable Trusted Computing (STC 2009), pp. 19–28. ACM (2009)Google Scholar
  15. 15.
    Gardner, R.W., Garera, S., Pagano, M.W., Green, M., Rubin, A.D.: Securing medical records on smart phones. In: Proceedings of the 1st ACM Workshop on Security and Privacy in Medical and Home-Care Systems, SPIMACS 2009, pp. 31–40. ACM (2009)Google Scholar
  16. 16.
    Google Android. Security and permissions (2010), http://developer.android.com/intl/de/guide/topics/security/security.html
  17. 17.
    Han, D., Park, S., Lee, M.: THE-MUSS: Mobile U-Health Service System. In: Fred, A., Filipe, J., Gamboa, H. (eds.) BIOSTEC 2008. CCIS, vol. 25, pp. 377–389. Springer, Heidelberg (2008)Google Scholar
  18. 18.
    Hildon Application Framework. Project website (2010), http://live.gnome.org/Hildon
  19. 19.
    Iozzo, V., Weinmann, R.-P.: Ralf-Philipp Weinmann & Vincenzo Iozzo own the iPhone at PWN2OWN (March 2010), http://blog.zynamics.com/2010/03/24/ralf-philipp-weinmann-vincenzo-iozzo-own-the-iphone-at-pwn2own/
  20. 20.
    Karger, P.A., Zurko, M.E., Bonin, D.W., Mason, A.H., Kahn, C.E.: A VMM security kernel for the VAX architecture. In: Proceedings of the IEEE Symposium on Research in Security and Privacy, Oakland, CA, pp. 2–19. IEEE Computer Society, Technical Committee on Security and Privacy (May 1990)Google Scholar
  21. 21.
    Klein, G., Elphinstone, K., Heiser, G., Andronick, J., Cock, D., Derrin, P., Elkaduwe, D., Engelhardt, K., Kolanski, R., Norrish, M., Sewell, T., Tuch, H., Winwood, S.: seL4: Formal verification of an OS kernel. In: Proceedings of the 22nd ACM Symposium on Operating Systems Principles, Big Sky, MT, USA. ACM Press (October 2009)Google Scholar
  22. 22.
    Kostiainen, K., Dmitrienko, A., Ekberg, J.-E., Sadeghi, A.-R., Asokan, N.: Key Attestation from Trusted Execution Environments. In: Acquisti, A., Smith, S.W., Sadeghi, A.-R. (eds.) TRUST 2010. LNCS, vol. 6101, pp. 30–46. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  23. 23.
    Kostiainen, K., Ekberg, J.-E., Asokan, N., Rantala, A.: On-board credentials with open provisioning. In: ASIACCS 2009: Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, pp. 104–115. ACM (2009)Google Scholar
  24. 24.
    Liedtke, J.: On microkernel construction. In: Proceedings of the 15th ACM Symposium on Operating Systems Principles (SOSP 1995), Copper Mountain Resort, Colorado (December 1995); Appeared as ACM Operating Systems Review 29.5Google Scholar
  25. 25.
    Loscocco, P., Smalley, S.: Integrating flexible support for security policies into the Linux operating system. In: Proceedings of the FREENIX Track: 2001 USENIX Annual Technical Conference, pp. 29–42. USENIX Association (2001)Google Scholar
  26. 26.
    Lua. Project website (2010), http://www.lua.org
  27. 27.
    Maemo. Project website (2010), http://maemo.org
  28. 28.
    Microsoft. Windows mobile website (2010), http://www.microsoft.com/windowsmobile
  29. 29.
    Open Kernel Labs. OKL4 project website (2010), http://okl4.org
  30. 30.
    Paros. Project website (2010), http://www.parosproxy.org
  31. 31.
    Picciotto, J., Epstein, J.: Trusting X: Issues in building Trusted X window systems –or– what’s not trusted about X? In: 14th National Computer Security Conference (1991)Google Scholar
  32. 32.
    Selhorst, M., Stüble, C., Feldmann, F., Gnaida, U.: Towards a Trusted Mobile Desktop. In: Acquisti, A., Smith, S.W., Sadeghi, A.-R. (eds.) TRUST 2010. LNCS, vol. 6101, pp. 78–94. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  33. 33.
    Shapiro, J.S., Smith, J.M., Farber, D.J.: EROS: a fast capability system. In: Proceedings of the 17th ACM Symposium on Operating Systems Principles (SOSP 1999), Kiawah Island Resort, near Charleston, Sout Carolina, pp. 170–185 (December 1999); Appeared as ACM Operating Systems Review 33.5Google Scholar
  34. 34.
    Sunyaev, A., Leimeister, J.M., Krcmar, H.: Open security issues in german healthcare telematics. In: Proceedings of the 3rd International Conference on Health Informatics, HEALTHINF 2010, pp. 187–194. INSTICC (2010)Google Scholar
  35. 35.
    Symbian Foundation Community. Project website (2010), http://www.symbian.org
  36. 36.
    The OpenTC Project Consortium. The Open Trusted Computing (OpenTC) project (2005-2009), http://www.opentc.net
  37. 37.
    Felton, D., Alves, T.: TrustZone: Integrated Hardware and Software Security (July 2004), http://www.arm.com/pdfs/TZ%20Whitepaper.pdf
  38. 38.
    Trusted Computing Group. TPM Main Specification, Version 1.2 rev. 103 (July 2007), http://www.trustedcomputinggroup.org
  39. 39.
    Vennon, T.: Android malware. A study of known and potential malware threats. Technical Report White paper, SMobile Global Threat Center (February 2010)Google Scholar
  40. 40.
    Vouyioukas, D., Kambourakis, G., Maglogiannis, I., Rouskas, A., Kolias, C., Gritzalis, S.: Enabling the provision of secure web based m-health services utilizing xml based security models. Security and Communication Networks 1(5), 375–388 (2008)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Alexandra Dmitrienko
    • 1
  • Zecir Hadzic
    • 1
  • Hans Löhr
    • 1
  • Ahmad-Reza Sadeghi
    • 2
  • Marcel Winandy
    • 1
  1. 1.Horst Görtz Institute for IT-Security (HGI)Ruhr-University BochumBochumGermany
  2. 2.Center for Advanced Security Research Darmstadt (CASED)Technische Universität DarmstadtDarmstadtGermany

Personalised recommendations