This section describes some specific security issues involved in telemedicine deployment.
8.1 Synthesis of the answers to the questionnaire
This sub-‐section describes the methods of authentication used to obtain access to the telemedicine service by healthcare professionals or other health service employees; whether the user is logged out after a certain idle time; whether data transfer is encrypted; whether communication is performed via a VPN connection; and whether all access to the system or service is logged and whether anyone inspects the logs. All these aspects of security are important in order to ensure an adequate level of information security for the telemedicine service.
Q29.1 Does the telemedicine service give a healthcare professional or other health service employees access to patients’ health information?
Figure 21: Responses to Q29.1: Can health service employees access patient information? More than half of the respondents (15 out of 26) answered yes to this question. However, more than one-‐third (9 out of 26) of the respondents, stated that their service does not give access to patients’ health information.
To this SIG, this indicates that the term “access to patient’s health information” is not interpreted in the same way by all respondents. Health information does not have to be written or readable electronic information. Listening to and viewing patients via video conference systems also implies having access to patients’ health information. It seems, from the answers to these questions, that several of those who answered no to this question, are dealing with services that are based on video conferencing.
When looking at the 26 telemedicine services dealt with by the Momentum survey, we would assume that nearly all of them would imply that there is access to patients’ health information.
Q29.1(1) If Yes, which methods of authentication are used to obtain access to the telemedicine service, including the patients’ health information?
Figure 22: Responses to Q29.1(1): What method of authentication do they use?
This additional question was answered only by those 15 respondents who answered yes to the first question (Q29.1).
Username and password is by far the most widespread authentication method, as this answer was given by 13 of the 15 respondents. Nearly half of those who gave this response (6 of the 13) said that the method combined a username and password with an additional authentication method, like a one-‐time password or URL (3), PIN (3) or Smartcard/PKI (1). Only one of the 15 respondents has answered that a smartcard/PKI is used, i.e. not together with username and password.
One respondent answered that no authentication is performed. The telemedicine service in this case is a video conference service. Video conference services have no direct authentication method. First, authentication of the caller is achieved by recognising the number/address of the caller. Second, recognising the person that appears in the video image is also an implicit authentication method. Authorisation for access can be achieved by answering known calls and avoiding answering unknown calls.
Q29.2 Is the user automatically logged out from the system/service after a certain idle time (i.e., does the application time out)?
Figure 23: Responses to Q29.2: Does the application time out?
Timeout is one of several precautions to prevent access from unauthorised persons. It is used in the services described by three-‐quarters of the respondents (20 out of 26). However, this is not suitable for all types of services. For infrastructure services like a health network or a call centre, it is not obvious that one should close down the service in periods of no traffic.
Q29.3 Is the data transfer (i.e. communication) encrypted?
Figure 24: Responses to Q29.3: Is the data transfer (i.e. communication) encrypted?
Encrypted communication seems to be the usual way to transfer data, as indicated by more than three-‐quarters of the respondents (20 out of 26). The response to this question may be related to the next question (the use of VPN).
It should be noted that one of those who responded no to this question said in the response to question 6.3 (Description of the telemedicine service) that “secure http” is used, which in fact means SSL or TLS, i.e. encryption at the transport level.
It is unclear whether encryption is a requirement in all countries. In Norway, encryption is required when communicating sensitive information outside local/internal network. It is not, however, mentioned as a requirement in the personal data protection directive (Directive 95/46/EC).
Q29.4 Is the communication performed via a VPN connection?
Figure 25: Responses to Q29.4: Is the communication performed via a VPN connection?
Half of the respondents (13 out of 26) have answered yes to the use of a Virtual Private Network (VPN).
VPN is most often an encrypted connection. Two respondents have answered no to the previous question about encrypted communication (Q29.3) and don’t know to this question about the use of VPN (Q29.4), and one respondent has answered don’t know to both questions. This means that most of the respondents, 23 out of 26, have answered yes to either “encrypted communication” or “use of VPN” or both13. This indicates that most of the telemedicine services use encrypted connections.
Q29.5 Is all access to the system/service logged?
Figure 26: Responses to Q29.5: Is all access to the system/service logged?
Q29.5(1) If Yes, does anyone inspect the logs?
Figure 27: Responses to Q29.5(1): If Yes, does anyone inspect the logs?
13 It is probably 24 of 26, since one of those who responded no to encryption in question 29.3, says in the response to question 6.3 (Description of the telemedicine service) that “secure http” is used.
Most of the respondents (21 out of 26) reported that all access to the service is logged, but it is not obvious to everyone who responded that the logs are investigated, as can be seen from the responses to the follow-‐up question. The usefulness of having logs can be questioned, if they are not inspected.
Logging is important for discovering unauthorised access – in retrospect. Inspection of logs is important in order to reveal misuse, and punitive measures can be taken. However, when data is disclosed, it is too late to reverse the act: as it were, “the cat is out of the bag.” Logging helps indirectly, as a warning or a kind of “scarecrow”, but it does not prevent unauthorised access.
8.2 Synthesis of the stakeholder feedback process
Work on this topic is on-‐going during the course of the project. Comments made by stakeholders at the Momentum Workshop in Berlin on 8 April 2013 included:
• Slowly and incrementally solutions and “get-‐rounds” are found to be issues that were critical in telemedicine some five to seven years ago, such as legal matters. Now, perhaps, issues relating to privacy and information security are higher on the list of potential barriers.
• Security could be described as “today’s issue”: it is now at the core of many policy issues related to information technology in general as well as eHealth and/or telemedicine specifically.
8.3 Synthesis of the literature review
The European eHealth benchmarking III study (SMART 2009/0022) provides an overview of
how Europe’s acute hospitals use eHealth. Its results regarding data protection and security (section 3.4 of the report) are similar to the findings from the Momentum questionnaire. The following points are extracted from the summary of the appropriate section of the benchmarking study:
• Among the different security measures that are taken to protect the patient data stored and transmitted by the hospitals’ [information technology] IT systems, the most commonly used measure is the use of passwords to access workstations. Passwords are used across all the types of hospitals considered.
• The more sophisticated systems, such as encryption of transmitted data and data entry certified by a digital signature, are more likely to be found in large hospitals or those which belong to groups of hospitals or care institutions.
• In more than eight out of ten hospitals, the access to electronic patient records is logged.
In a briefing paper from EHTEL in 2008, “Sustainable Telemedicine: paradigms for future-‐ proof healthcare” (EHTEL, 2008), footnote 2 on page 12 says: “Medical Associations in Germany refuse medical treatment over the Internet without cryptographic security measures.”
A systematic review of information security in telemedicine has been conducted by Vaibhav and Brewer (2011).