GEMSS: Privacy and Security for a Medical Grid

S. E. Middleton; J. A. M. Herveg; F. Crazzolara; D. Marvin; Y. Poullet

doi:10.1055/s-0038-1633942

Methods of Information in Medicine, Inhaltsverzeichnis

Methods Inf Med 2005; 44(02): 182-185
DOI: 10.1055/s-0038-1633942

Original Article

Schattauer GmbH

GEMSS: Privacy and Security for a Medical Grid

S. E. Middleton

¹IT Innovation Centre, University of Southampton, Southampton, UK

,

J. A. M. Herveg

²Centre de Recherches Informatique & Droit, FUNDP, Belgium

,

F. Crazzolara

³C&C Research Laboratories, NEC Europe Ltd., St. Augustin, Germany

,

D. Marvin

¹IT Innovation Centre, University of Southampton, Southampton, UK

,

Y. Poullet

²Centre de Recherches Informatique & Droit, FUNDP, Belgium

› Institutsangaben

Abstract

Summary

Objectives: The GEMSS project is developing a secure Grid infrastructure through which six medical simulations services can be invoked. We examine the legal and security framework within which GEMSS operates.

Methods: We provide a legal qualification to the operations performed upon patient data, in view of EU directive 95/46, when using medical applications on the GEMSS Grid. We identify appropriate measures to ensure security and describe the legal rationale behind our choice of security technology.

Results: Our legal analysis demonstrates there must be an identified controller (typically a hospital) of patient data. The controller must then choose a processor (in this context a Grid service provider) that provides sufficient guarantees with respect to the security of their technical and organizational data processing procedures. These guarantees must ensure a level of security appropriate to the risks, with due regard to the state of the art and the cost of their implementation.

Our security solutions are based on a public key infrastructure (PKI), transport level security and end-to-end security mechanisms in line with the web service (WS Security, WS Trust and SecureConversation) security specifications.

Conclusion: The GEMSS infrastructure ensures a degree of protection of patient data that is appropriate for the health care sector, and is in line with the European directives. We hope that GEMSS will become synonymous with high security data processing, providing a framework by which GEMSS service providers can provide the security guarantees required by hospitals with regard to the processing of patient data.

Keywords

Grid - legal - medical - personal data - security

Volltext

Referenzen

References
1 D. 95/46 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. O.J. 23/11/1995:L 281,00310050..
2 Herveg J, Poullet Y. Directive 95/46 and the use of GRID technologies in the healthcare sector: selected legal issues. Proceedings of the 1st European Health GRID Conference, Lyon, January. 2003: 229-36.
3 Article 17, § 1, of Directive 95/46.
4 Cf. also. http://europa.eu.int/comm/internal_market/privacy/workingroup_en.htm.
5 Information technology – Open Systems Interconnection – The Directory: Authentication Framework. ITU-T Recommendation X.509, ISO/IEC 95948.March. 2000
6 Arsenault A, Turner S. Internet X.509 Public Key Infrastructure: Roadmap. Internet Draft, PKIX Working Group, July. 2002
7 Chokhani S, Ford W, Sabett R, Merrill C, Wu S. Internet X.509 Public Key Infrastructure – Certificate Policy and Certification Practices Framework. Internet Draft, PKIX Working Group, April. 2003
8 Crazzolara F. GEMSS Certificate Policy, v 1.0, September. 2003
9 Information technology – Open Systems Interconnection – The Directory: Authentication Framework. ITU-T Recommendation X.509, ISO/IEC 95948.March. 2000
10 D. 1999/93 on a Community Framework for Electronic Signatures. O.J. 19/01/2000: L013,00120020..
11 Security in a Web Services World: A Proposed Architecture and Roadmap. IBM Corporation and Microsoft Corporation – joint security whitepaper, Version 1.0, April. 2002
12 GEMSS public home page. http://www.ccrl-nece.de/gems.