GEMSS: Privacy and Security for a Medical Grid

 

 Buy Article Permissions and Reprints

Summary

Objectives: The GEMSS project is developing a secure Grid infrastructure through which six medical simulations services can be invoked. We examine the legal and security framework within which GEMSS operates.

Methods: We provide a legal qualification to the operations performed upon patient data, in view of EU directive 95/46, when using medical applications on the GEMSS Grid. We identify appropriate measures to ensure security and describe the legal rationale behind our choice of security technology.

Results: Our legal analysis demonstrates there must be an identified controller (typically a hospital) of patient data. The controller must then choose a processor (in this context a Grid service provider) that provides sufficient guarantees with respect to the security of their technical and organizational data processing procedures. These guarantees must ensure a level of security appropriate to the risks, with due regard to the state of the art and the cost of their implementation.

Our security solutions are based on a public key infrastructure (PKI), transport level security and end-to-end security mechanisms in line with the web service (WS Security, WS Trust and SecureConversation) security specifications.

Conclusion: The GEMSS infrastructure ensures a degree of protection of patient data that is appropriate for the health care sector, and is in line with the European directives. We hope that GEMSS will become synonymous with high security data processing, providing a framework by which GEMSS service providers can provide the security guarantees required by hospitals with regard to the processing of patient data.

• References

• 1 D. 95/46 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. O.J. 23/11/1995:L 281,00310050..
  PubMedGoogle Scholar
• 2 Herveg J, Poullet Y. Directive 95/46 and the use of GRID technologies in the healthcare sector: selected legal issues. Proceedings of the 1st European Health GRID Conference, Lyon, January. 2003: 229-36.
  Google Scholar
• 3 Article 17, § 1, of Directive 95/46.
  PubMedGoogle Scholar
• 4 Cf. also. http://europa.eu.int/comm/internal_market/privacy/workingroup_en.htm.
  PubMedGoogle Scholar
• 5 Information technology – Open Systems Interconnection – The Directory: Authentication Framework. ITU-T Recommendation X.509, ISO/IEC 95948.March. 2000
  Google Scholar
• 6 Arsenault A, Turner S. Internet X.509 Public Key Infrastructure: Roadmap. Internet Draft, PKIX Working Group, July. 2002
  Google Scholar
• 7 Chokhani S, Ford W, Sabett R, Merrill C, Wu S. Internet X.509 Public Key Infrastructure – Certificate Policy and Certification Practices Framework. Internet Draft, PKIX Working Group, April. 2003
  Google Scholar
• 8 Crazzolara F. GEMSS Certificate Policy, v 1.0, September. 2003
  Google Scholar
• 9 Information technology – Open Systems Interconnection – The Directory: Authentication Framework. ITU-T Recommendation X.509, ISO/IEC 95948.March. 2000
  PubMedGoogle Scholar
• 10 D. 1999/93 on a Community Framework for Electronic Signatures. O.J. 19/01/2000: L013,00120020..
  PubMedGoogle Scholar
• 11 Security in a Web Services World: A Proposed Architecture and Roadmap. IBM Corporation and Microsoft Corporation – joint security whitepaper, Version 1.0, April. 2002
  PubMedGoogle Scholar
• 12 GEMSS public home page. http://www.ccrl-nece.de/gems.
  PubMedGoogle Scholar