The ASCLEPIOS vision – Making the cloud a secure place for eHealth services

The potential of eHealth

The healthcare sector is undergoing a massive digital transformation and eHealth stands in the spotlight. Although the core idea in the early stages of eHealth was mainly to digitalise handwritten patient records, scientists have gone a long way beyond that: they envisioned a world where patients could access their digital medical record and share it with healthcare professionals regardless of their location.

Another breakthrough in health and wellness has been the emergence of mobile devices and wearables. Smartphones, fitness trackers and other devices and gadgets have spread far and wide, creating massive volumes of data, which await to be collected, analysed and transformed into behavioural and health insights. These data of enormous volume, velocity, veracity and variety -Big Data-, spanning from patient lifestyles and dietary preferences to disease incidence and treatment effects, call for scalable and powerful processing solutions.

And here came the cloud and high-performance computing technologies, bringing new potential for the healthcare sector. Cloud computing will enable organisations to provide improved and reliable services to patients and reduce eHealth expenses [1], while powerful health data analytics will accelerate research on major healthcare issues and lead to enhancing drug administration protocols and treatments or even to discovering new drugs. All with the help of distributed data processing, ever improving machine learning algorithms and artificial intelligence.

The glitches

With this great potential lying before the health sector, one could expect rapid adoption of these promising technologies. The reality however is far from that, and the lack of effective security mechanisms is to blame. This lack is reflected in the mistrust of healthcare professionals towards storing sensitive data online, resulting in a gradual but overall slow adoption of eHealth.

The main challenge for cybersecurity, irrespectively of context and risk level, remains the same: How do we prevent unauthorized access to data? Unfortunately, storing data on the cloud remains a security challenge, and as it seems, encryption is the way to go. However, with the existing protocols, Cloud Service Providers (CSPs) are responsible for both encrypting and storing the data, which makes them a high-value target for hackers. Another issue with current practices, is that only a limited set of cryptographic primitives is used, although research has new and refined techniques to propose!

In the era of Internet of Things, where connectivity with the outer world is both desired and inevitable, security can’t just be a matter of internal fortification. The external, internet-connected devices pose another threat: they can be hijacked by attackers, who take control of the device, extract information or even change its functionalities, eventually penetrating our safeguards. How can this be prevented? By ensuring the device’s integrity before using it, a procedure that is called attestation.

And last but not least: the human factor. With 95% of all security incidents involving some kind of human error, and 60% of these attacks being carried out by insiders, it would be naive to assume that by applying a robust security framework, the system is 100% safe. On the contrary, incidents like the WannaCry ransomware attack in the U.K.’s National Health System (NSH) [2] revealed that inadequate security awareness among non-technical healthcare professionals is one of the greatest threats for the healthcare sector.

The concept of ACLEPIOS

Figure 1 General Overview of ASCLEPIOS Framework

Driven by the vision to bridge new technologies and health data security, the ASCLEPIOS project will address these challenges and build a cloud-based eHealth framework that protects users’ privacy. The contribution of ASCLEPIOS revolves mainly around three axes:

1/ A combination of modern cryptographic schemes, will bring new possibilities in medical data encryption and sharing. Symmetric Searchable Encryption, which allows searching over encrypted data, together with Attribute Based Encryption, making user access revocation more efficient, will be combined in a trusted execution hardware environment (like Intel SGX). The possibilities of Functional Encryption in performing analysis on medical data will also be explored under the scope of ASCLEPIOS. Practitioners and researchers will be able to perform statistical analysis in a privacy-preserving way, without any identifiable data of patients being unnecessarily revealed.

2/ The second axis of ASCLEPIOS will be the remote attestation of devices. All of the existing attestation protocols rely on the use of trusted hardware. This however cannot always apply, as a lot of medical devices are not equipped with such. ASCLEPIOS will design a complementary software-based protocol which will not require any special hardware.

3/ The last focus point of ASCLEPIOS will be raising security awareness of non-technical employees. Activities such as seminars and workshops will be executed, with the participation of healthcare staff, and their progress will be assessed afterwards.

The efficiency and applicability of the developed solutions will be tested and showcased on three real-life demonstrators provided by three leading European hospitals.

ASCLEPIOS is a project funded by the EU and will end at November 2021.

[1] J. Kabachinski, “What’s the forecast for cloud computing in healthcare?,” Biomed Instrum Technol, vol. 45, pp. 146–50, 2011.