During the last few years the Electronic Health Record is one of the most security-critical big information systems of Estonia. The increased security requirements of the system arise from the following circumstances:
The EHR is a centralized information system considering its architectural structure. Therefore, sensitive personal data of all residents of Estonia will be gathered into one actual location and this will result in a big risk of the data being maliciously used, including data leakage. Due to the large security risk and the extreme vulnerability of the field, the data also has to be protected from the technical employees, i.e. the internal attack has to be excluded.
Medical employees do not have technical limitations when they want to view any patient related data. This kind of viewing requires an existing treatment relationship that can be verified under normal circumstances at a later time, but this will leave very big possibilities for the person executing the authentication attack, for this type of situation provides the attacker with good opportunities to hide their tracks.
The system has a big risk of becoming non-transparent, because the end users can’t monitor the complex electronic system as easily as they can paper documents.
- Three main security principles have been considered during the development of the EHR in order to manage these risks:
- The security risk in the central system has been diffused by several technical and administrative security methods. The principle of complex security has been used as the basis, and according to this no simple attack on the system can cause any serious damage, but several coordinated simple attacks forming an advanced complex attack would be needed. Also, there will be no „super administrators“ who could access all data without leaving any tracks of it in the central system – different roles will be separated.
Initially the data in the central system is coded, i.e. personal data and health data in the database is kept separately. In addition, all data stored on the drive has been encrypted and is accessible only through a special security module of the database – this will exclude data leakage in the event the drive is stolen or illegally copied.
Also, there is a comprehensive analysis of all activities, i.e. monitoring, added to the above mentioned security methods. This should discover all malicious activity in a very early stage and initiate a counter-activity preventing the execution of the complex attack. The mentioned set of methods will make a successful attack on the central system to be highly unlikely.
- Secure authentication is used for all users of the EHR – the ID card, mobile ID or other similar method is required for authentication. Password based authentication is forbidden in the EHR since this method is very vulnerable to Trojan attacks.
- Maximum security principle is used in the event of all data stored in the EHR. All activities in the system, such as adding, changing or viewing data, will leave tracks that can’t be changed later. This enables patients to log into the system via patient’s portal and to view who and when has viewed or added data to their record.
The principle of separate obligations together with special security technologies ensures that not even the technical employees (administrators) of the EHR can surpass these logs nor maliciously change already stored log records.
In addition, in order to prevent any malicious changes, all documents stored in the central system have digital signatures of people who compiled or sent the documents.