Isolated and Trusted Execution Environments in Healthcare

An Isolated and Trusted Execution Environment (ITEE) is a security component present in many modern computer systems. It provides a higher level of security where sensitive operations can be executed securely and separated from other software. In e-Health systems the use of ITEE can provide an additional layer of protection and improve the overall security significantly. But first let us discuss why e-Health systems require this level of security…

Healthcare is different

A common approach to practical IT security in companies and organisations is to estimate the damage caused by various threats and use that to justify certain countermeasures. For example, if computers at an art gallery are infected with malware all operations may stop for a day or two, which is probably costly enough to justify purchasing some antivirus software. A similar disruption in a power-plant is much more costly and would probably also justify extensive training of personnel. Healthcare is different from other sectors in that disruptions can be life-threatening. Furthermore, the information handled by healthcare systems can be highly sensitive and a leakage may cause great personal pain to the involved persons. To make matters more complicated, healthcare systems have stringent availability requirements to allow doctors and nurses at all time access information vital to their work. At the same time all information should not be available to everyone, requiring rigorous access-control mechanisms. Lastly, another factor that should be taken into account, is that the people using these systems often have minimal knowledge about computers and computer security and may operate under time pressure. In summary, security in healthcare is a surprisingly hard problem. To achieve an acceptable level of security, special measures may be required.

ITEE in healthcare

Consider a handheld medical device used by a security professional. This device may be network connected and retrieve information about the patient and/or transmit measured data. This requires a secure communication link, which in turns requires the device to securely identify itself (otherwise anyone could retrieve the data from the server) and cryptographic keys to ensure data integrity and confidentiality. If the handheld device is lost or infected by malware, both could end up in the hands of malicious individuals. To minimize the risk of this, sensitive data and operations can be moved to a specially designed secure part of the device – this could be an ITEE. Now consider the server communicating with the device. This server may communicate with thousands of other handheld devices, each connected to a specific operator and a patient. What if a malicious handheld device retrieves data for another patient? Or what if a malicious entity breaks into the server, either remotely or physically, and retrieves data for all patients? To minimize such risk, sensitive operations are moved into isolated compartments together with the corresponding cryptographic keys for encryption and more. ITEE server technologies provide mechanisms for exactly this kind of security. Finally, consider the use of aggregated data in a research project. How can the contributing hospitals ensure their data is not used for other purposes? This may be achieved by constructing an application everyone agrees on and cryptographically locking the data to that application. At runtime, an ITEE attests the validity of the application (and itself) and unlocks the data.

ASCLEPIOS use of ITEE

In ASCLEPIOS we aim to improve security of medical devices and medical systems by employing the features of ITEEs. In particular, the project plans to provide the following:
  •  Protocols for key, firmware, patch and workload management in ITEE
  •  Protocols for remote attestation of components, systems and services
  •  Improved interoperability for secure architecture-independent operation
The presented protocols and solutions will be subject to security evaluations to ensure correctness. Stay tuned for more information about the ITEE-enabled security protocols of ASCLEPIOS, in our next blogposts.