
Possible Use Case format

Excerpt ACE use case draft-ietf-ace-usecase-01

http://datatracker.ietf.org/doc/draft-ietf-ace-usecases/?include_text=1

2.3. Personal Health Monitoring

The use of wearable health monitoring technology is expected to grow strongly, as a multitude of novel devices are developed and marketed. The need for open industry standards to ensure interoperability between products has led to initiatives such as Continua Alliance (continuaalliance.org) and Personal Connected Health Alliance (pchalliance.org). Personal health devices are typically battery driven, and located physically on the user. They monitor some bodily function, such as e.g. temperature, blood pressure, or pulse. They are connected to the Internet through an intermediary base-station, using wireless technologies. Through this connection they report the monitored data to some entity, which may either be the user herself, or some medical personnel in charge of the user.

Medical data has always been considered as very sensitive, and therefore requires good protection against unauthorized disclosure. A frequent, conflicting requirement is the capability for medical personnel to gain emergency access, even if no specific access rights exist. As a result, the importance of secure audit logs increases in such scenarios.

Since the users are not typically trained in security (or even computer use), the configuration must use secure default settings, and the interface must be well adapted to novice users. Parts of the system must operate with minimal maintenance. Especially frequent changes of battery are unacceptable.

2.3.1. John and the heart rate monitor

John has a heart condition, that can result in sudden cardiac arrests. He therefore uses a device called HeartGuard that monitors his heart rate and his position. In case of a cardiac arrest it automatically sends an alarm to an emergency service, transmitting John’s current location. This requires the device to be close to a wireless access point, in order to be able to get an Internet connection (e.g. John’s smartphone).

The device includes some authentication mechanism, in order to prevent other persons who get physical access to it from acting as the owner and messing up the access control and security settings. John can configure additional persons that get notified in an emergency, for example his daughter Jill. Furthermore the device stores data on John’s heart rate, which can later be accessed by a physician to assess the condition of John’s heart.

However John is a privacy conscious person, and is worried that Jill might use HeartGuard to monitor his location while there is no emergency. Furthermore he doesn’t want his health insurance to get access to the HeartGuard data, or even to the fact that he is wearing a HeartGuard, since they might refuse to renew his insurance if they decided he was too big a risk for them. Finally John, while being comfortable with modern technology and able to operate it reasonably well, is not trained in computer security. He therefore needs an interface for the configuration of the HeartGuard security that is easy to understand and use. If John does not understand the meaning of some setting, he tends to leave it alone, assuming that the manufacturer has initialized the device to secure settings.

NOTE: Monitoring of some state parameter (e.g. an alarm button) and the position of a person also fits well into an elderly care service. This is particularly useful for people suffering from dementia, where the relatives or caregivers need to be notified of the whereabouts of the person under certain conditions. In this case it is not the patient that decides about access.

2.3.2. Authorization Problems Summary

U3.1 A principal, such as the owner of a health monitoring device, wants to pre-configure access rights to specific data for persons or groups, in the context of an emergency.

U3.2 A principal wants to selectively allow different persons or groups to access medical data.

U3.3 The security measures could affect battery lifetime of the devices, and changes of battery are highly inconvenient.

U3.4 Devices are often used with default access control settings.

U3.5 Principals are often not trained in computer use and especially computer security.

U3.6 Security mechanisms themselves could provide opportunities for denial of service attacks on the device.

U3.7 The device provides a service that can be fatal for the principal if it fails. Accordingly, the principal wants a security mechanism to provide a high level of security.
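The authorization problems U3.1 and U3.2, together with the emergency-access requirement from section 2.3 (medical personnel may need access even where no specific right exists, which is why secure audit logs matter), can be made concrete with a small policy engine. The Python code below is an added illustration and is not part of the ACE draft or of the HEART wiki; the names (John's policy, Jill, a physician, an insurer, an emergency nurse), the resource and group names, and the hash-chained audit log are all constructed assumptions.

```python
# Added example (not from the ACE draft or the HEART wiki): a toy policy
# engine for the HeartGuard scenario. All names, groups, resources and rules
# are constructed for illustration.
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    subject: str                  # a person ("jill") or a group ("physician")
    resource: str                 # "location" or "heart_rate_history"
    action: str                   # only "read" is used here
    emergency_only: bool = False  # U3.1: right applies only during an emergency


class AuditLog:
    """Append-only, hash-chained log. Each entry commits to the previous
    entry's hash, so editing or dropping a record invalidates every later hash."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev, record):
        body = json.dumps(record, sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        self.entries.append({"prev": prev, "record": record,
                             "hash": self._digest(prev, record)})

    def verify(self):
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(prev, e["record"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class Policy:
    def __init__(self, rules, break_glass_groups):
        self.rules = rules
        # Groups allowed emergency access without a pre-configured right
        self.break_glass_groups = set(break_glass_groups)

    def authorize(self, log, subject, groups, resource, action,
                  emergency=False, break_glass=False):
        """Return True if access is allowed. Every decision is logged; a
        break-glass grant is flagged so it can be reviewed afterwards."""
        principals = {subject} | set(groups)
        entry = {"subject": subject, "resource": resource, "action": action,
                 "emergency": emergency}
        for r in self.rules:
            if (r.subject in principals and r.resource == resource
                    and r.action == action and (emergency or not r.emergency_only)):
                log.append({**entry, "decision": "allow", "basis": "rule"})
                return True
        if break_glass and principals & self.break_glass_groups:
            log.append({**entry, "decision": "allow", "basis": "break_glass"})
            return True
        log.append({**entry, "decision": "deny", "basis": "no_rule"})
        return False


def heartguard_demo():
    """Run the scenario from the use case and return the decisions, the
    number of break-glass grants, and the audit-log verification results."""
    john_policy = Policy(
        rules=[
            Rule("jill", "location", "read", emergency_only=True),
            Rule("emergency_service", "location", "read", emergency_only=True),
            Rule("physician", "heart_rate_history", "read"),
        ],
        break_glass_groups={"medical_personnel"},
    )
    log = AuditLog()
    a = john_policy.authorize
    decisions = [
        a(log, "jill", [], "location", "read"),                         # deny: no emergency
        a(log, "jill", [], "location", "read", emergency=True),         # allow: U3.1 rule
        a(log, "dr_lee", ["physician"], "heart_rate_history", "read"),  # allow: U3.2 rule
        a(log, "insurer", [], "heart_rate_history", "read"),            # deny: no rule at all
        a(log, "er_nurse", ["medical_personnel"], "location", "read",
          emergency=True, break_glass=True),                            # allow: break-glass, logged
        a(log, "er_nurse", ["medical_personnel"], "location", "read"),  # deny: no break-glass claim
    ]
    break_glass_grants = sum(
        1 for e in log.entries if e["record"]["basis"] == "break_glass")
    intact = log.verify()
    # Simulate someone editing the break-glass record after the fact.
    log.entries[4]["record"]["decision"] = "deny"
    tampered_detected = not log.verify()
    return {"decisions": decisions, "break_glass_grants": break_glass_grants,
            "intact": intact, "tampered_detected": tampered_detected}


if __name__ == "__main__":
    print(heartguard_demo())
```

The two design points worth noting: emergency-only rights are evaluated against an explicit emergency flag, so Jill cannot read John's location outside an emergency (his concern in 2.3.1), and a break-glass grant never silently succeeds; it is recorded with its own basis in a log whose hash chain fails verification if the record is later altered.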
