Information Assurance and Security Issues in Telemedicine – Future Directions

By Ankur Chattopadhyay and Robert Ruska Jr., University of Wisconsin, Green Bay

May 2019

I. Introduction

One of the challenges in healthcare is to provide equitable access to services, given that the provider and the patient are traditionally expected to be physically present in the same place [1, 2, 3]. Technological advancements have been made to overcome obstacles to equitable healthcare services and enable convenient access to quality healthcare for consumers throughout the world. The field of digital healthcare known as telemedicine [2, 3, 4, 5] is rapidly making its way globally across the healthcare services domain. It allows the transfer of images and video through telecommunication technology, giving physicians the ability to evaluate, diagnose, and in certain cases, treat patients remotely [6]. Patients can visit providers over live video without travelling, both for immediate care and for follow-up treatment. Not only does it give patients the ability to schedule appointments with local physicians via live video communication without having to leave home, but it also allows them to consult with distant healthcare professionals and use their services remotely.

Telemedicine has evolved significantly over the past decade and is still taking shape [2]. However, even though telemedicine has successfully provided easy remote access to quality, equitable healthcare services, it relies on advanced telecommunication technology, which comes with its own information assurance and security (IAS) risks [1, 5, 7, 8, 9]. Having a telemedicine system in place that protects patient information, without intruding on individual privacy, and wins patient trust is important for the future. There are multiple IAS issues in telemedicine applications, and as telemedicine progresses, these need to be addressed.

II. IAS Issues in Telemedicine

Telemedicine suffers from technological barriers, which arise in situations where the technical infrastructure being used is perceived as insufficient to perform the telemedicine tasks or accomplish the intended healthcare service objectives [5]. Such technological issues are just one challenge faced by today’s healthcare systems and are not specific to telemedicine applications. In addition to technological barriers, some significant IAS issues pose challenges for telemedicine applications.

An offensive attack on the information that a telemedicine system transfers could potentially be lethal. Telemedicine-related live video communication can be represented as a flow of information from a source to a destination [1]. If an unauthorized third party somehow acquired information about a patient or a physician during this information flow, that would be a security threat for the telemedicine system, resulting in loss of patient privacy and harm to the corresponding healthcare provider’s reputation. There are four categories of such attacks on information flow within telemedicine applications [1].

The first category of this attack is known as interruption, which disrupts the availability of information by making the information unavailable or by destroying the information in transit. For instance, if a third party was able to successfully obstruct the information flow between the patient and the physician in a telemedicine system by blocking or jamming the telemedicine communication, then that would interrupt the telemedicine healthcare services and constitute the first kind of cyber-attack.

Interception is the second form of attack. It enables an unauthorized third party to gain access to the information passing between the patient and the physician in a telemedicine system and potentially to use it to cause harm. An example of interception would be when a third party intercepts the telemedicine information flow, containing medical data or communication messages in transit, and misuses the intercepted data, for example, to orchestrate another cyber-attack or hostile operation. When an unauthorized third party intercepts data or a message in a telemedicine information flow, the communication channel loses confidentiality and is subjected to privacy invasion, which poses a new threat as well as a potential information leak.

Modification of communication data in the telemedicine information flow is the third type of cyber-attack. It undermines the healthcare service and, in turn, jeopardizes the users (both the patient and the physician), who assume the integrity of an information flow that has in fact been tampered with. Such a data-tampering scenario compromises the telemedicine system and degrades the quality of healthcare services.

Fabrication is the fourth and last kind of cyber-attack, which alters the communication data in the telemedicine information flow by inserting false objects and fake data into the communication channel that appear genuine to the system users. Such instances of fabrication are meant to manipulate a telemedicine system in order to cause disruption to the healthcare services. This type of cyber-attack compromises user data by manufacturing information leak points, deceiving users into revealing private data. Figure 1 depicts all these categories of attacks.

Figure 1. Four Categories of Potential Cyber Attacks in Telemedicine (Photo Credit – Security in Telemedicine: Issues in Watermarking Medical Images, by Jasni Zain and Malcolm Clarke [1]).

III. Addressing IAS Issues in Telemedicine

There are multiple ways to address these IAS issues in telemedicine. Some of the techniques for overcoming IAS-related challenges, especially in the context of confidentiality and integrity, are already in place and in use. Existing literature shows a threat-table-based approach to assessing and managing IAS threats in telemedicine applications [8, 9]. However, when it comes to the domain of trust and visual authentication, there is still work that needs to be done in telemedicine communications. We next discuss the different kinds of methods used to address these IAS issues in telemedicine.

A. Awareness and Training

An important and useful method for keeping telemedicine-related information safe is creating awareness and training the stakeholders [10]. Not everyone in a telemedicine system or in healthcare services is aware of the IAS risks and educated in this regard. Training these individuals to identify attacks and potential IAS risks would prove vital to keeping a telemedicine system secure, and can be considered both a preventive measure and a remedial learning exercise. An example of an awareness session topic (or awareness material to be distributed) in this regard is virus protection. This educational subject can simply and briefly be addressed by describing what a virus is, what can happen if a virus infects a telemedicine user’s system, what the user should do to protect the system, and what the user should do if a virus is discovered [7, 10]. Awareness is just a stepping stone towards recognizing IAS threats. Raising awareness is a valuable way to counter data attacks and prevent information leaks. Additionally, having proper training implemented and delivered in this regard is also essential.

B. Watermarking and Anti-Virus Technologies

IAS is technically an extension of traditional information technology (IT) security, which is aimed at protecting systems, applications and data that are exposed to a variety of cyber-attacks via the internet, ranging from data theft and espionage to corruption of data and denial-of-service attacks [7, 11]. There are several defensive solutions to these cyber-attacks, such as having digital watermarking and anti-virus technology on systems [1, 6, 12, 13, 14]. Digital watermarking is the practice of adding an “invisible” watermark not only to pictures, but to important healthcare documents as well [1, 12, 14]. This defensive technique of placing and transmitting a small amount of data imperceptibly in a host medium has many applications, including broadcast monitoring, owner identification, proof of ownership and content authentication. Figure 2 illustrates a watermarking algorithm that has been proposed for protection against identity theft and can be used for telemedicine applications. It is notable that a biometric feature like a fingerprint has been utilized in digital watermarking.
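As an added illustration of the content-authentication use of watermarking mentioned above (this is not part of the original article, and it is not the algorithm of Figure 2 or of any cited paper), the following Python example hides a keyed integrity tag in the least-significant bits of an 8-bit grayscale image and detects later tampering. The pre-shared key, the 32x32 test pattern and all function names are assumptions constructed for the example.

```python
import hashlib
import hmac

TAG_BITS = 256  # HMAC-SHA256 tag length; one bit is hidden per carrier pixel
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"  # assumption: pre-shared key


def _tag(pixels: bytes, width: int, height: int, key: bytes) -> bytes:
    """HMAC over the dimensions, the carrier pixels with their LSB cleared,
    and every remaining pixel in full, so each bit of the image is covered."""
    header = width.to_bytes(4, "big") + height.to_bytes(4, "big")
    carriers = bytes(p & 0xFE for p in pixels[:TAG_BITS])
    return hmac.new(key, header + carriers + pixels[TAG_BITS:], hashlib.sha256).digest()


def _well_formed(pixels: bytes, width: int, height: int) -> bool:
    return width > 0 and height > 0 and len(pixels) == width * height >= TAG_BITS


def embed(pixels: bytes, width: int, height: int, key: bytes) -> bytes:
    """Return a watermarked copy; only the LSBs of the first 256 pixels change."""
    if not _well_formed(pixels, width, height):
        raise ValueError("need width*height bytes and at least 256 pixels")
    tag = _tag(pixels, width, height, key)
    out = bytearray(pixels)
    for i in range(TAG_BITS):
        bit = (tag[i // 8] >> (7 - i % 8)) & 1
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def verify(pixels: bytes, width: int, height: int, key: bytes) -> bool:
    """True only if the hidden tag matches the image content under this key."""
    if not _well_formed(pixels, width, height):
        return False
    hidden = bytearray(TAG_BITS // 8)
    for i in range(TAG_BITS):
        hidden[i // 8] |= (pixels[i] & 1) << (7 - i % 8)
    return hmac.compare_digest(bytes(hidden), _tag(pixels, width, height, key))


def sample_image(width: int = 32, height: int = 32) -> bytes:
    """Constructed test pattern standing in for a medical image."""
    return bytes((x * 5 + y * 3) % 256 for y in range(height) for x in range(width))


def demo() -> dict:
    original = sample_image()
    marked = embed(original, 32, 32, DEMO_KEY)
    tampered = bytearray(marked)
    tampered[700] ^= 0x10  # modification of one pixel after watermarking
    return {
        "max_pixel_change": max(abs(a - b) for a, b in zip(original, marked)),
        "intact_verifies": verify(marked, 32, 32, DEMO_KEY),
        "tampered_verifies": verify(bytes(tampered), 32, 32, DEMO_KEY),
        "wrong_key_verifies": verify(marked, 32, 32, b"some-other-key"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the mark lives in least-significant bits, any lossy re-encoding of the image destroys it; that is the intended behaviour of a fragile integrity mark, but it means the approach only suits images that are stored and transmitted losslessly.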

Hostile attacks on a patient or the healthcare system within telemedicine applications are relatively easy to execute but, at the same time, more complicated to decipher. This means that as telemedicine technology and healthcare systems advance, the hackers also get smarter. These perpetrators are always trying to come up with sophisticated offensive techniques to attack healthcare systems. Security of medical images, derived from strict ethics and legislative rules, is meant to safeguard patient rights and offer protection for healthcare professionals [1, 12, 14]. These defensive measures cover three mandatory characteristics: confidentiality, reliability and availability, which all orbit around the same principle of protecting patients and healthcare providers while making a telemedicine system reliable. Another security practice is having a concrete anti-virus system in place [7]. This helps prevent cyber-attacks on telemedicine systems and aids in identifying attacks when they occur. It is crucial to implement these defensive mechanisms within future telemedicine systems.

Figure 2. A Proposed Watermarking Algorithm against Identity Theft (Photo Credit – Applications of Digital Watermarking to Cyber Security, by Agbaje, M.O, Awodele O., and Ogbonna A.C [11]).

C. Federal Legislation and HIPAA Guidelines

In addition to defending against data hacks and cyber-attacks, IAS issues related to privacy and confidentiality need to be handled as well for real-time use of telemedicine applications. Telemedicine systems must follow the Health Insurance Portability and Accountability Act, also known as the HIPAA guidelines [15, 16, 17]. In addition to federal law, each state has its own legislation regarding telemedicine. As advancements are being made in telemedicine applications, the HIPAA guidelines take these advancements into account when creating the legislative rules. For a telemedicine company to be compliant with these HIPAA guidelines, there are several considerations that need to be made first. For example, one of the guidelines states that only authorized users should have access to electronic protected health information (ePHI) [15, 16, 17]. The more personnel involved in handling healthcare data, the higher the chance that the data is put at risk. Successfully addressing IAS issues within telemedicine systems depends on compliance with several criteria or factors, among which are a recognized value proposition to the physician, robust device performance validation, ease of use for the patient, reliability of connectivity, safe and secure data transmission, and economic feasibility [4, 7].

D. Future Steps towards Trustworthy Telemedicine

Some areas of future work within telemedicine-related IAS issues that remain relatively unexplored are the trust and visual authentication aspects of multimedia-based telemedicine services. There are very few prior instances of work on computer-vision-based authentication models for video calls in telemedicine communications. Standard applied cryptographic techniques have been used for user access control and for secure caller identification within telemedicine communications [18]. Computer vision techniques, like gesture recognition and user tracking, have been applied in interactive telemedicine services in order to enhance user trust [19]. However, face-recognition-based user authentication has not actually been experimented with in video telemedicine services. Facial biometrics, when applied to telemedicine services, can potentially aid in addressing user authentication and reliability issues within live video streams, thereby making the healthcare system more trustworthy [19, 20]. A potential future research question is: can facial biometrics also be applied in telemedicine applications to validate and protect video communications? This open research question could contribute to a future direction of work aimed at enhancing user trust and visual authentication in telemedicine.

Malicious attacks have already been orchestrated that replicate individual faces in an attempt to fool communication systems, and facial recognition is just as difficult to crack as fingerprint recognition, if not more so [7, 20]. Facial recognition technology (FRT), which authenticates a user identity by using the face as a biometric feature, has emerged as a strong solution for addressing many contemporary needs of identification and verification of identity claims [20]. Visual recognition of users is extensively used today to unlock smartphones. Therefore, the application of biometrics could be useful in securing telemedicine-based healthcare systems in order to identify user credentials and safeguard against identity theft. However, there are certain inherent challenges in applying FRT-based biometrics, given that the performance of FRT is contingent on multiple factors, the most significant of which are light conditions, image age, consistency in camera usage and gallery size [20]. These are crucial for having a high-performance FRT system.

Facial features are known to change as we age. Therefore, having the most recent images of a face lets the system perform to its full potential. Not only does the age of the image come into play, but the background can also be a significant factor in facial recognition. These factors have something in common: the images should be the most recent available and should look as similar as possible to the original image captured. The equipment used to take the image also plays a role in quickly identifying faces, as not all cameras are equal in quality. Controlling these factors would allow for the most efficient use of facial recognition technology.

IV. Concluding Summary

There have been advancements in telemedicine applications over the past decade, and telemedicine will keep evolving, given the healthcare benefits associated with it. Existing IAS issues in telemedicine, as discussed, pose challenges to today’s healthcare services. In order to address these IAS concerns, defensive techniques involving digital watermarking and intelligent anti-virus tools have been proposed for securing telemedicine applications. The HIPAA regulations have also helped in handling privacy issues in telemedicine-based electronic healthcare. However, existing literature shows that there is hardly any notable research and development work in applying FRT to achieve visually authenticated and more trustworthy telemedicine communication. As IAS experts work with healthcare professionals to further secure future telemedicine systems, application of FRT can form a future direction of work in this area.

References 

    1. Zain, Jasni, and Malcolm Clarke. “Security in telemedicine: issues in watermarking medical images.” Sciences of Electronic, Technologies of Information and Telecommunications, 2005. [Online]. Available: https://www.researchgate.net/profile/Jasni_Mohamad_Zain/publication/228576599_Security_in_Telemedicine_Issues_in_Watermarking_Medical_Images/links/00b7d53ab9171dca2e000000.pdf.
    2. Mahar, Jamal H., J. G. Rosencrance, and Peter A. Rasmussen. “Telemedicine: Past, present, and future.” Cleveland Clinic Journal of Medicine, vol. 85, pp. 938-942, 2018. [Online]. Available: https://mdedge-files-live.s3.us-east-2.amazonaws.com/files/s3fs-public/issues/articles/mahar_telemedicine.pdf.
    3. Mechanic, Oren. “Telemedicine and Digital Health to Improve the Value of Health Care.” Telehealth and Medicine Today, 2018. [Online]. Available: https://telehealthandmedicinetoday.com/index.php/journal/article/view/123.
    4. Holekamp, Nancy M. “Moving from Clinic to Home: What the Future Holds for Ophthalmic Telemedicine” American Journal of Ophthalmology, 187, pp. xxviii-xxxv, 2018. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S0002939417304786.
    5. Paul, David L., Keri E. Pearlson, and Reuben R. McDaniel. “Assessing technological barriers to telemedicine: technology-management implications.” IEEE Transactions on engineering management 46.3, pp. 279-288, 1999. [Online]. Available: http://www2.ic.uff.br/~celio/classes/mmnets/slides/Paul99.pdf.
    6. Asadullah, S., M. Muhammad, and S. M. Muniba. “A system design for a telemedicine health care system.” International Multi Topic Conference. 2008. [Online]. Available: https://pdfs.semanticscholar.org/4084/910dd7ec04b8ae1a3061888cb3fd0a2b6dd6.pdf.
    7. Guillen, Edward, et al. “Analysis of security requirements in telemedicine networks.” Proceedings of the International Conference on Security and Management (SAM). The Steering Committee of The World Congress in Computer Science, Computer Engineering and Applied Computing (WorldComp), 2011. [Online]. Available: https://pdfs.semanticscholar.org/4b10/0518ac2a0ca1beba1c7f9b4c5acb1ec7f9aa.pdf.
    8. Pendergrass, John C., Karen Heart, C. Ranganathan, and V. N. Venkatakrishnan. “A Threat Table Based Approach to Telemedicine Security.” ICHITA-2013 TRANSACTIONS (2013): 104.
    9. Pendergrass, John C., Karen Heart, C. Ranganathan, and V. N. Venkatakrishnan. “A threat table based assessment of information security in telemedicine.” International Journal of Healthcare Information Systems and Informatics (IJHISI) 9, no. 4 (2014): 20-31.
    10. Wilson, Mark and Joan Hash. “Building an information technology security awareness and training program.” NIST Special publication, vol. 800.50, pp. 1-39, 2003. [Online]. Available: https://citadel-information.com/wp-content/uploads/2012/08/nist-sp800-50-building-information-security-wareness-programs-2003.pdf.
    11. Agbaje, Micheal, Oludele Awodele, and Chibueze Ogbonna. “Applications of digital watermarking to cyber security (cyber watermarking).” Proceedings of Informing Science & IT Education Conference (InSITE). 2015. [Online]. Available: http://proceedings.informingscience.org/InSITE2015/InSITE15p001-011Agbaje1518.pdf.
    12. Swaraja, K. “Medical image region based watermarking for secured telemedicine.” Multimedia Tools and Applications 77, pp. 28249-28280, 2018. [Online]. Available: https://link.springer.com/article/10.1007%2Fs11042-018-6020-7.
    13. Kulkarni, Pratibha C., and S. K. Bhatia. “Security in Telemedicine using DWT-CDCS.” International Journal of Computer Applications, vol. 136.7, 2016. [Online]. Available: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.741.6765&rep=rep1&type=pdf.
    14. Yassin, Nisreen, and Nancy Salem. “C14. Robust Watermarking Scheme for Telemedicine Applications.” Radio Science Conference (NRSC), 2013 30th National. IEEE, 2013. [Online]. Available: https://ieeexplore.ieee.org/abstract/document/6587922.
    15. HIPAA Journal. “HIPAA Guidelines on Telemedicine,” HIPAA Journal. [Online]. Available: https://www.hipaajournal.com/hipaa-guidelines-on-telemedicine/.
    16. U.S. Department of Health & Human Services. “Summary of the HIPAA Privacy Rule.” U.S. Department of Health & Human Services, 2005. [Online]. Available: https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html.
    17. U.S. Department of Health & Human Services. “The HIPAA Privacy Rule. Health and Information Privacy,” U.S. Department of Health & Human Services, 2006. [Online]. Available: https://www.hhs.gov/hipaa/for-professionals/privacy/index.html.
    18. Tulu, Bengisu, Samir Chatterjee, Tarun Abhichandani, and Haiqing Li. “Secured video conferencing desktop client for telemedicine.” In Proceedings 5th International Workshop on Enterprise Networking and Computing in Healthcare Industry (HealthCom), pp. 61-65. IEEE, 2003.
    19. Kang, Sung-Kwan, Kyungyong Chung, and Jung-Hyun Lee. “Real-time tracking and recognition systems for interactive telemedicine health services.” Wireless personal communications 79, no. 4 (2014): 2611-2626.
    20. Introna, L., and Helen Nissenbaum. “Facial recognition technology a survey of policy and implementation issues.” lancs.ac.uk, 2010. [Online]. Available: http://eprints.lancs.ac.uk/49012/.

 

Dr. Ankur Chattopadhyay is currently an Assistant Professor of Computer Science at the University of Wisconsin, Green Bay (UWGB). He is the director of the center of cybersecurity education and outreach at UWGB, as well as the principal investigator of the NSA/NSF GenCyber program at UWGB. He has a Ph.D. in computer science from the University of Colorado. His research interests include visual privacy and trust, intersections of cybersecurity and computer vision, privacy-enhancing computer vision and pattern recognition, and computer science & cybersecurity education. He has published and presented in several international conferences like IEEE Security & Privacy, IEEE FIE, IEEE CVPR, ACM SIGCSE and ACM SIGITE. Chattopadhyay has more than 16 years of experience in both academics and industry. As an academician, his passion is investigation of interdisciplinary cybersecurity research questions, and innovation of computer science & cybersecurity education. His industry profile includes multiple roles such as IT analyst, software engineer and embedded systems engineer at Tata Consultancy Services.

Robert Ruska Jr. is currently an undergraduate student at the University of Wisconsin-Green Bay (UWGB) pursuing a BS in Information Assurance and Security. He is a U.S. Army veteran who has always had an interest in cybersecurity. He plans on pursuing an MS in Information Assurance in the near future. He is presently a student of Dr. Ankur Chattopadhyay, and works as a lab admin as well as a research assistant at the UWGB cyber-center, which motivates the next generation of cybersecurity professionals. His research interests include telemedicine, cyber-education and IAS issues in current technologies.

Editor: 

Dr. Fatima Hussain is currently working as an Adjunct Professor at Ryerson University, Toronto. Prior to this, she was working as an Assistant Professor at the University of Guelph, Canada. Ms. Hussain completed her PhD and MASc. in Electrical & Computer Engineering at Ryerson University. She is engaged in various NCSER funded industrial projects such as Smart Machine Automation, Smart Warehouse, and Smart Watch. Dr. Hussain has more than 8 years of teaching and research experience in the GTA and overseas. Her research interests include Machine Learning, Internet of Things Networks, and Public Safety. She has dozens of journal and conference papers and an introductory book, “Internet of Things; Building Blocks and Business Models”, to her credit. She is serving as an editor and technical lead for the IEEE WIE Newsletter, Toronto section.