Periodic Reporting for period 2 - KONFIDO (KONFIDO - Secure and Trusted Paradigm for Interoperable eHealth Services)
Berichtszeitraum: 2018-05-01 bis 2019-10-31
For healthcare, the constantly increasing digitalization, the digital preservation and use of sensitive data, the introduction of cloud computing and decentralized architectures, as well as the booming market of mobile and wearable devices, come along with the cost of proliferation of cyber-crime and the creation of malicious applications. In addition, during the last decade, we witness a considerable increase of citizen’s mobility in Europe for education, training, working and touristic purposes due to the affordable travel costs driven by low-cost airlines. Travellers suffering from chronic diseases are facing obstacles when travelling either within or outside their country of residence. Moreover, increasing mobility of patients is an important feature for independent living along the lines of active and healthy ageing.
KONFIDO aims at facilitating EU citizens to travel within Europe by allowing the widespread eHealth deployment and the secure exchange of Patient Summary and ePrescription among cross-border health systems.
KONFIDO advances the state of the art of eHealth technology with respect to four key dimensions of digital security, namely: data preservation, data access and modification, data exchange, and interoperability and compliance. To address the challenges of secure storage and exchange of eHealth data, protection and control over personal data, and security of health-related data gathered by mobile devices, KONFIDO takes a holistic approach – i.e. one targeting all the architectural layers of an IT infrastructure, and specifically: storage, dissemination, processing, and presentation. KONFIDO builds on and extends the results of a best of breed selection of successful projects, notably epSOS, STORK, DECIPHER, EXPAND, and ANTILOPE. The approach is implemented in a technological framework that relies on six technology pillars:
1) Security extensions provided by main CPU vendors;
2) Security solutions based on photonic technologies;
3) Homomorphic encryption mechanisms;
4) Customised eIDAS-compliant eID support;
5) Customized extensions of selected SIEM solutions; and
6) Disruptive logging and auditing mechanisms based on blockchain.
The usability of the proposed solutions will be tested in a realistic setup, deployed on top of a federated cloud infrastructure, where data will be exchanged and services interoperate cross-border. Experimental evidence will be collected, proving that KONFIDO solutions provide effective protection even against attacks by privileged software (e.g. the Operating System or the Hypervisor) or privileged users (e.g. the System Administrator or the Cloud Provider). KONFIDO has a dramatic potential in terms of innovation in the field of coordinated care towards improved quality of healthcare solutions since it builds on results that are already widely accepted and relies on a handful of complementary technologies (some of which are already at a high level of maturity).
KONFIDO aims at facilitating EU citizens to travel within Europe by allowing the widespread eHealth deployment and the secure exchange of Patient Summary and ePrescription among cross-border health systems.
KONFIDO advances the state of the art of eHealth technology with respect to four key dimensions of digital security, namely: data preservation, data access and modification, data exchange, and interoperability and compliance. To address the challenges of secure storage and exchange of eHealth data, protection and control over personal data, and security of health-related data gathered by mobile devices, KONFIDO takes a holistic approach – i.e. one targeting all the architectural layers of an IT infrastructure, and specifically: storage, dissemination, processing, and presentation. KONFIDO builds on and extends the results of a best of breed selection of successful projects, notably epSOS, STORK, DECIPHER, EXPAND, and ANTILOPE. The approach is implemented in a technological framework that relies on six technology pillars:
1) Security extensions provided by main CPU vendors;
2) Security solutions based on photonic technologies;
3) Homomorphic encryption mechanisms;
4) Customised eIDAS-compliant eID support;
5) Customized extensions of selected SIEM solutions; and
6) Disruptive logging and auditing mechanisms based on blockchain.
The usability of the proposed solutions will be tested in a realistic setup, deployed on top of a federated cloud infrastructure, where data will be exchanged and services interoperate cross-border. Experimental evidence will be collected, proving that KONFIDO solutions provide effective protection even against attacks by privileged software (e.g. the Operating System or the Hypervisor) or privileged users (e.g. the System Administrator or the Cloud Provider). KONFIDO has a dramatic potential in terms of innovation in the field of coordinated care towards improved quality of healthcare solutions since it builds on results that are already widely accepted and relies on a handful of complementary technologies (some of which are already at a high level of maturity).
The key achievements of KONFIDO during the first 18 months include:
- An overall analysis of the legal framework for the exchange of Electronic Health Records in the European Union, focusing on the 3 countries involved in the KONFIDO use cases (Denmark, Italy and Spain);
- The definition of the KONFIDO Ethical Framework and its methodology;
- The conduction of a systemic gap analysis along four different dimensions:
(a) Security frameworks for eHealth (OpenNCP, STORK 2.0 DECIPHER);
(b) eHealth interoperability frameworks (ANTILOPE, CALLIOPE, epSOS, JAseHN);
(c) National cybersecurity strategies and reference reports in the domain of eHealth security (e.g. from ENISA), and
(d) Input from end-user organizations as part of the KONFIDO Consortium;
- The compilation of a use case inventory involving multiple actors, organizations and access policies, cross-border data exchange requirements and storage needs, accounting for different settings across EU countries;
- The organization of a pan-European survey concerning the acceptance of eHealth solutions and the consequent KONFIDO solution adaptation;
- The organisation of 2 end-user workshops; the first one targeted primarily healthcare organizations (both from public and the private sector), health authorities (regional and national), as well as eHealth/IT companies, while the second targeted patients/citizens and aspects regarding security and privacy of health-related data;
- The definition of the KONFIDO architecture, the identified components, the interactions among them, as well as the deployment of the architecture via the combination of complementary security-enhancing technologies;
- The design and development of the first six prototypes on:
o The coexistence between the Intel SGX trusted execution environment and OpenNCP;
o The use of physical unclonable functions (PUFs) as true random number generators that will provide a physical secure source of entropy to all other modules, and as a challenge-response provider for authentication applications;
o The Cingulata interface for different homomorphic cryptosystems and the design of an interoperability interface between Homomorphic Encryption Mechanisms (HEM) and the OpenNCP framework;
o A customised SIEM solution that meets the additional requirements of the KONFIDO deployment;
o A Blockchain-based Auditing Mechanism for log and informed consent auditing in OpenNCP;
o An eIDAS compliant eID for OpenNCP.
- An overall analysis of the legal framework for the exchange of Electronic Health Records in the European Union, focusing on the 3 countries involved in the KONFIDO use cases (Denmark, Italy and Spain);
- The definition of the KONFIDO Ethical Framework and its methodology;
- The conduction of a systemic gap analysis along four different dimensions:
(a) Security frameworks for eHealth (OpenNCP, STORK 2.0 DECIPHER);
(b) eHealth interoperability frameworks (ANTILOPE, CALLIOPE, epSOS, JAseHN);
(c) National cybersecurity strategies and reference reports in the domain of eHealth security (e.g. from ENISA), and
(d) Input from end-user organizations as part of the KONFIDO Consortium;
- The compilation of a use case inventory involving multiple actors, organizations and access policies, cross-border data exchange requirements and storage needs, accounting for different settings across EU countries;
- The organization of a pan-European survey concerning the acceptance of eHealth solutions and the consequent KONFIDO solution adaptation;
- The organisation of 2 end-user workshops; the first one targeted primarily healthcare organizations (both from public and the private sector), health authorities (regional and national), as well as eHealth/IT companies, while the second targeted patients/citizens and aspects regarding security and privacy of health-related data;
- The definition of the KONFIDO architecture, the identified components, the interactions among them, as well as the deployment of the architecture via the combination of complementary security-enhancing technologies;
- The design and development of the first six prototypes on:
o The coexistence between the Intel SGX trusted execution environment and OpenNCP;
o The use of physical unclonable functions (PUFs) as true random number generators that will provide a physical secure source of entropy to all other modules, and as a challenge-response provider for authentication applications;
o The Cingulata interface for different homomorphic cryptosystems and the design of an interoperability interface between Homomorphic Encryption Mechanisms (HEM) and the OpenNCP framework;
o A customised SIEM solution that meets the additional requirements of the KONFIDO deployment;
o A Blockchain-based Auditing Mechanism for log and informed consent auditing in OpenNCP;
o An eIDAS compliant eID for OpenNCP.
KONFIDO project advances the state-of-the-art by enhancing OpenNCP with security enclaves based on CPU hardware, homomorphic encryption, photonic hardware key generation, eIDAS-compliant eID support, a Security Information and Event Management (SIEM) system, as well as log and informed consent auditing based on blockchain.
The integrated KONFIDO prototype that will combine the aforementioned technologies will be evaluated in 2 pilots that will take place in three countries (Denmark, Italy, Spain) in two phases. The outcomes and lessons learnt from each phase will feed into the updated version of the integrated KONFIDO prototype.
In terms of impact, KONFIDO will:
- Provide better protection against unauthorised use of personal data, breach of confidentiality and cybercrime;
- Ensure the right of patients to cross-border healthcare;
- Encourage Member States to widen the use of eHealth;
- Achieve better acceptance of eHealth solutions among patients;
- Support the development of European legal and operational standards for cross-border data exchange and patient privacy protection;
- Increase the awareness of stakeholders, private and public ones, on the current level of data security.
The integrated KONFIDO prototype that will combine the aforementioned technologies will be evaluated in 2 pilots that will take place in three countries (Denmark, Italy, Spain) in two phases. The outcomes and lessons learnt from each phase will feed into the updated version of the integrated KONFIDO prototype.
In terms of impact, KONFIDO will:
- Provide better protection against unauthorised use of personal data, breach of confidentiality and cybercrime;
- Ensure the right of patients to cross-border healthcare;
- Encourage Member States to widen the use of eHealth;
- Achieve better acceptance of eHealth solutions among patients;
- Support the development of European legal and operational standards for cross-border data exchange and patient privacy protection;
- Increase the awareness of stakeholders, private and public ones, on the current level of data security.