Intel healthcare: SOA Expressway for Health Care
http://www.intel.com/healthcare/ps/soa/index.htm?iid=health+lhn_soa
Intel has created a scalable, easy to deploy health care network with the hopes of enabling sharing and collaboration of health care information. Intel Health Care network is build upon common components such as J2EE and the .Net framework, relying upon a High-performance XML Engine for data transmission. It is a “codeless” system, which means the network can be deployed and managed without the need for software development assistance. Once fully deployed this network promises great cost and efficiency gains, as healthcare and patient information can be shard much more easily. However the creation of a new system which will handle large amounts of sensitive patient and drug information brings about many interesting security questions.
Assets:
· Patient Information – it is of utmost importance to protect all sensitive patient information, including condition and treatment as well as address and billing information.
· Drug information – Many hospitals have strict regulatory policies on the management of drugs, outlining proper administration and inventory practices. The integrity (and sometimes secrecy) of information regarding the status of the pharmaceuticals in the organization must be maintained.
Adversaries:
· Doctors and hospital workers – The primary users of the system will be the various hospital staff. They will have the most interaction with the system as they will use it on a daily basis. Hospital staff utilizing the network will require a certain amount of authority (within the system) in order to properly operate it. This presents a potential threat, as they will have direct access to patient and drug information, as well as the authority to modify this information.
· Network maintenance technicians – The system is designed to be stand-alone on a day-to-day basis. There will be instances when the system will require a certain amount of routine technical maintenance. The people performing this maintenance will be very familiar with the internal workings of the system and will have full access to the system. This poses a threat, as it could potentially compromise patient information.
· Patients – If patients are given a chance to interact with the system, it may be possible that they can in some way compromise the system to extract confidential information, or falsify information.
Potential Weaknesses:
· Information Storage – If sensitive information is stored on accessible and/or unencrypted hard drives, it becomes increasingly easy to tamper with those components (the disks) in the interest of obtaining or modifying confidential information.
· Information Interception over Transmission – When sensitive information is shared between multiple nodes (a network), there must some kind of transmission mechanism. Such a mechanism could be a weakness if it does not properly protect the integrity and confidentiality of the data being transmitted. Also if the mechanism is not robust or reliable, this could result in the loss of important patient information, vital to patient care.
Defenses:
· Required authentication – all persons who will have any interaction with the system should have a strong means of identifying and authenticating themselves as valid users. All users should be limited in their actions and given just enough authority to perform the needed task.
· All information (both patient and otherwise) should be stored on encrypted hard drives which are protected physically.
· Any transmission of information should be done through an encrypted channel.
Risks:
The risks associated with this system are of grave consequences, as they involve sensitive and personal information for many patients. The risk of information leakage/compromise is present not only when the system is accessed/operated by hospital staff, but is also inherent in the fact that much sensitive information is stored and transmitted over potentially unsafe mediums.
Conclusion:
The Intel SOA Expressway for Health Care is a very promising technology which unites health care services and provides access to a great breadth of information. It is important to handle this information with great care and a sense of responsibility, as the information is oftentimes sensitive private. Intel is doing this by utilizing industry standard security practices, such as XML and web Security.