Periodic Reporting for period 2 - ProTego (Data-protection toolkit reducing risks in hospitals and care centers)
Reporting period: 2020-07-01 to 2021-12-31
The main objectives are:
- Holistic approach to protect EHR data against cyber risks generated by remote device access, agnostic to health care IT infrastructure
- Improve situational awareness during an attack
- Protect sensitive data inside the hospital infrastructure and at the boundary between hospitals and BYOD/IoT domains
- Cybersecurity solutions for ePHI protection released as integrated toolkit
- Provision of an Educational framework: Methodologies and protocols for the correct usage of cyber-security tools, for attack prevention and reaction, to be used by health sector staff (IT and physicians) and patients
- Validate in scenarios involving emerging technologies in health care informatics: IoT and BYOD
Support of connected IoT devices. Different types of connected IoT and medical devices were analyzed, and a procedure to integrate them with ProTego was designed.
Educational Framework designed and developed, identifying stakeholders, and providing specific content for each of them based on their educational needs.
Risk assessment tools:
- Complete risk models built and updated for both Pocket EHR and FoodCoach. Demonstrated how ProTego components reduce risks in both scenarios.
- Investigated collaborative, cross-organisation risk modelling via information hiding approach where different stakeholders can focus on their parts of the system.
- Extended dynamic risk assessment, risk recalculation to determine resulting risk level due to vulnerabilities, and recommendations to reduce risk level.
- Additional support for web applications.
- Extended domain model knowledge base to support relevant aspects of mobile devices.
- Extended vulnerability detection capabilities of SIEM to include web applications (besides infrastructure vulnerability detection).
- Improved detection capabilities of the SIEM by using Deep Learning techniques, implementing a new neural network architecture based on a combination of multilayer perceptron (MLP) with attention mechanisms.
Risk mitigation tools:
- Developed Parquet Modular Encryption. Data Gateway can be run inside a Trusted Execution Environment utilizing hardware to provide cryptographic protection for data-in-processing. Extended Open Source Fybrik framework supplying role-based, fine-grained access to the underlying FHIR database, providing policy-driven access control and redaction to data down to the FHIR resource.attribute level.
- Modular Access Control and Key Management Framework designed and implemented. Research focused on improving flexibility and functionality, or on providing additional security protection.
- Smartphone continuous authentication architecture designed and implemented, collecting and analysing behavioural user events.
- Network slicing solutions for a hospital environment were studied, and a solution for network isolation in terms of performance and security provided.
Platform architecture devised, integration work undertaken and final version of toolkit delivered. Updatable continuous integration platform deployed.
Ospedale San Raffaele deployed the ProTego toolkit on premise. OSR integrated the ProTego toolkit and FoodCoach, a web application that was used as the demonstrator of the Nutritional Case Study, which makes use of a non-connected device to collect the physical activity of the patient.
Marina Salud implemented Pocket EHR in a cloud-based architecture to show how the ProTego toolkit can be used in a novel, trending and challenging scenario. MS integrated the cloud-based deployment of ProTego with its EMR (Cerner Millennium) through a commercial and widely used integration engine (Orion Rhapsody). Pocket EHR was developed in a serverless cloud infrastructure. “Connected IoT” functionality was developed, emulating an IoT device through a Raspberry Pi 4, demonstrating how medical vendors can integrate the ProTego toolkit.
Intensive testing of the toolkit was performed in both hospitals with very satisfactory results:
- Acceptance tests
- Non-functional metrics
- Usability evaluation
Research outcomes disseminated and communicated to relevant stakeholders. Dissemination activities performed range from scientific publications and whitepapers to social media and blog posts to press releases and videos. All dissemination and communication targets set at the beginning of the project have been reached.
First-known SIEM integrated with a risk assessment tool created for dynamic risk recalculation in an automated way for both infrastructures and web applications.
The development of Parquet Modular Encryption and its rapid implementation and adoption by the Apache community is a major achievement for ProTego. PME is now part of the standard Apache Spark distribution.
The D-ABAC scheme provides fine-grained and flexible access control and allows more complex access control policies to be enforced. The CP-ABAC and C-ABAC schemes improve the state-of-the-art in terms of security. Both schemes protect against attacks where both the access control and key management component and the database containing the sensitive medical data have been compromised.
Developing a mobile continuous authentication solution improves on current market solutions, since they are computer-based. This way a new field of applicability, focused on mobile phones and BYOD policies, was explored.
The Network Slicing Isolation solution progressed together with the state-of-the-art open-source network slicing solutions. Its advancements have been aligned and focused on integrating different network virtualization techniques, which can be used by future research and for possible integration with a 5G core.