
DEGREE PROJECT IN COMPUTER SCIENCE AND ENGINEERING, SECOND CYCLE, 30 CREDITS
STOCKHOLM, SWEDEN 2018

Secure Handling of Electronic Health Records for Telemedicine Applications

FREDRIK LJUNG

KTH ROYAL INSTITUTE OF TECHNOLOGY
SCHOOL OF ELECTRICAL ENGINEERING AND COMPUTER SCIENCE

Master in Computer Science
Date: June 29, 2018
Supervisor: Sonja Buchegger
Examiner: Mads Dam
Swedish title: Säker hantering av elektroniska patientjournaler
School of Computer Science and Communication

Abstract

Medical record systems are used wherever care is given, and the medical records play an important role in establishing patient safety. It is not possible to prevent honest-but-curious doctors from accessing records, since the law requires that doctors be allowed to access health records in emergency cases. However, it is possible to log accesses to records and to mitigate malicious behaviour through rate limiting. Nevertheless, many of today's record systems lack good authentication, logging and auditing, and existing proposals for securing medical record systems focus on the context of multiple different healthcare providers. In this thesis, an architecture for an electronic health record system for a telemedicine provider is designed. The architecture is based on several requirements drawn from the legal perspective and from general security conventions, but also from a doctor's perspective. Unlike the legal and general security requirements, the doctor requirements are mostly functionality and usability concerns rather than security concerns. The architecture is evaluated against two main threat models and one secondary threat model, i.e. insider adversaries. Almost all requirements are satisfied by the solution design, but the two main threat models cannot be entirely mitigated. It is found that confidentiality can be violated under the two main threat models, but the impact is heavily limited through audit logging and rate limiting.

Summary

Medical record systems are a central part of healthcare, and patient records play a large role in achieving good patient safety. It is not possible to prevent doctors from reading particular records, since doctors need access to records in emergency situations. However, it is possible to log the doctors' actions and to limit malicious behaviour. Despite this, many of today's record systems lack good methods for authentication, logging and auditing. Existing proposals for securing record systems focus on contexts where several different caregivers are involved. This report presents an architecture for a patient record system for a telemedicine provider. The architecture is based on a number of requirements drawn from both a legal perspective and general security conventions, but also from the doctors' perspective. The architecture is evaluated against two main threat models and one secondary threat model. The architecture satisfies nearly all requirements, but the two main threat models cannot be fully mitigated. The two main threat models can break confidentiality, but through rate limiting and review of the logs the impact is limited.

Acknowledgements

I would like to thank Kry for giving me the opportunity to do my thesis project with them, and especially my supervisor at Kry, Calle Svensson, for his continuous great feedback and suggestions throughout the whole project. I would also like to thank my supervisor at KTH, Sonja Buchegger, for her help and advice from start to finish. Finally, I would like to thank my family and friends for their great support.
Contents

1 Introduction
  1.1 Research Question
  1.2 Objective
  1.3 Related Work
2 Background
  2.1 Electronic Health Record
  2.2 EHR System
  2.3 EHR Users
  2.4 Laws & Regulations
    2.4.1 Sammanhållen journalföring & NPÖ
    2.4.2 Patientdatalagen
    2.4.3 General Data Protection Regulation
  2.5 Access control
    2.5.1 Identification and Authentication
    2.5.2 Authorization
  2.6 Encryption
    2.6.1 AES
    2.6.2 RSA
  2.7 End-to-End Encryption
    2.7.1 Hyker
    2.7.2 Signal
  2.8 Cryptographic Anchor
    2.8.1 Hardware Security Module
  2.9 Audit Logging
    2.9.1 Emergency Situations
  2.10 Formal Specification
3 Requirements
  3.1 Law Requirements
    3.1.1 Literature
    3.1.2 Interview
  3.2 Security Requirements
    3.2.1 The Parkerian Hexad
    3.2.2 ISO/IEC 27001
  3.3 Doctor Requirements
  3.4 Summary of Requirements
  3.5 Adversarial Models
  3.6 Scenarios
4 Architecture Proposals
  4.1 Architecture 1
  4.2 Architecture 2
  4.3 Architecture 3
  4.4 Architecture 4
5 Solution Design
  5.1 High-level Design
    5.1.1 Cryptographic Functions
  5.2 Workflows/Operations
    5.2.1 Read Record
    5.2.2 Write Record
    5.2.3 Add New Patient
    5.2.4 Direct Access to Database or Log
  5.3 Logs
  5.4 Specification
    5.4.1 Event-B
    5.4.2 Formal Modelling with Event-B: Read Record
6 Security Analysis
  6.1 Must-have Requirements
    6.1.1 Fully achievable requirements
    6.1.2 Partially Achievable Requirements
  6.2 Nice-to-have Requirements
    6.2.1 Classification and Policy
    6.2.2 Secure Key Management and Log Tamper Resistance
7 Conclusion
  7.1 Evaluation
    7.1.1 Ethics and sustainability
  7.2 Conclusion
  7.3 Future Work
Bibliography
A Interview questions

Acronyms

EHR    Electronic Health Record
EMR    Electronic Medical Record
PHR    Personal Health Record
RBAC   Role Based Access Control
PDL    Patientdatalagen
GDPR   General Data Protection Regulation
NPÖ    Nationell Patientöversikt
CWE    Common Weakness Enumeration
AES    Advanced Encryption Standard
RSA    Rivest Shamir Adleman
2FA    Two Factor Authentication
CRUD   Create, Read, Update, Delete
ACL    Access Control List
NIST   National Institute of Standards and Technology
PKCS   Public Key Cryptographic Standards
E2EE   End-to-End Encryption
HSM    Hardware Security Module
BTG    Break The Glass
PdS    Patient-data-Service
AWS    Amazon Web Services
ECDHE  Elliptic-curve Diffie-Hellman Ephemeral
GCM    Galois/Counter Mode
PSS    Probabilistic Signature Scheme
OCSP   Online Certificate Status Protocol
PKI    Public Key Infrastructure
KDS    Key Distribution System
RNG    Random Number Generator

Chapter 1

Introduction

Within healthcare, doctors need to keep records of their patients. Originally this was done on paper; today it is done electronically, and most medical record systems are adapted to fit the operations of traditional physical medical centres. Lately, however, we have seen an upsurge in the digitalization of healthcare. For example, Apple announced that it wants to increase the accessibility of medical information by introducing new functionality that makes it possible to store your personal records on your iPhone [43]. In Sweden, primary healthcare applications like Kry and Min Doktor are growing in popularity [9]. Letting people interact with doctors and psychologists, or access their health records, via their smartphones opens up great possibilities with regard to accessibility. Healthcare applications like these have the potential of reaching hundreds of thousands of patients. On the other hand, this has brought security and privacy issues. The nonprofit organisation Privacy Rights Clearinghouse reports that in January 2018 there were 15 security breaches disclosing over 390,000 medical records in the US alone. Since 2005, the number of disclosed records in the US is over 228 million [13]. Since patient data is so sensitive, there are several laws and regulations caregivers need to abide by. In Sweden there is the Patient Data Act (Patientdatalagen, PDL) and the regulations set up by the National Board of Health and Welfare (Socialstyrelsen). For countries in the European Union, the General Data Protection Regulation (GDPR) will come into effect in May 2018. Having such a large number of patients and thousands of doctors involved, with tight regulations and possibly devastating consequences, requires a more modern way of handling medical records. This thesis will investigate whether a secure medical records system can be built for a telemedicine-based healthcare provider. Relevant laws, regulations and security conventions will be identified and from them requirements