Risk analysis of information security in a mobile instant messaging and presence system for healthcare
Introduction
Use of instant messaging services is becoming increasingly popular with Internet based systems like America Online's Instant Messaging, AIM (http://www.aim.com/), Microsoft's MSN Messenger (http://messenger.msn.com/), Yahoo! Messenger (http://messenger.yahoo.com/), and ICQ (http://www.icq.com/).
However, public instant messaging systems have been criticised for having a number of security weaknesses [1], [2], [3]. These weaknesses include the facts that the IM clients are always on, that logs can contain sensitive information, and that the communication goes via an externally controlled server. Most IM services were never intended for secure communication in the first place [2]. The rapid growth in the number of public IM users has created a new security concern for IT managers. New worms and viruses are increasingly using IM to spread, and 5–10% of the IM traffic today can be categorised as spam over IM (SPIM) [4].
Within the healthcare sector information security aspects are of vital importance, and may be of serious hindrance for the adoption of IM based services. In this paper we will examine the feasibility of using instant messaging systems in the healthcare sector from the viewpoint of information security.
Healthcare professionals are working in a mobile environment with rapid changes in their availability status, and they are exposed to interruptions at any time, anywhere. In addition to traditional desktop IM clients, IM for use in healthcare settings should therefore also offer clients on mobile devices.
In order to take care of both mobility and security aspects, we have proposed our own architecture: the MedIMob system. An overview of the MedIMob architecture is presented in this paper. Components of the MedIMob system have been further developed at the Norwegian Centre for Telemedicine (NST).
The main contribution of the paper is the results from a risk analysis of the MedIMob system, based on the architectural design of the system. The results of this risk analysis may be valid to other systems with a similar approach. In the risk analysis the assumed environment for the system was a hospital department, and communication within the department and between IM clients inside the department and IM clients outside. Information security challenges were identified as a number of security threats of different risk levels. Solutions are proposed for improvements of the unacceptable threats.
Section snippets
Background
Instant messaging (IM) is a lightweight near-synchronous communication technology. Technically it offers asynchronous communication, but it is used as synchronous communication because the messages are delivered almost in real time. Additional functionality for publishing and subscribing to presence information makes it possible for the users to see which other users and resources are available at any time. Presence information can be based on, e.g. schedules and calendar information, user
Architecture of the MedIMob system
To study the information security properties of IM we devised a preliminary architecture for an enterprise IM which embeds a number of the information security techniques usually deployed in areas with high security requirements. This architecture served as basis for the risk analysis presented later in the paper.
In our architecture we propose to use instant messaging and presence techniques to handle the availability and presence aspects, with mobile clients to support the mobility aspects of
Risk analysis method
To analyse the security challenges of an IM service for healthcare, we performed a qualitative risk analysis of the information security aspects of our proposed architecture and the intended environment. The goal was to identify security threats to the use of our instant messaging service within a hospital department, and find acceptable solutions to the threats.
Based on our experience from the CORAS project [15], [16], we performed the risk analysis by going through the five main steps
Risk analysis results
Table 2 shows the threats that were identified during the risk analysis. Fig. 2 shows for each threat the estimated likelihood and consequences.
Many of the identified threats are general when dealing with mobile devices and sensitive data (threat ID 1–10 in Fig. 2); others are threats which are more specific to our application and architecture.
In our risk analysis we found five threats which had an unacceptably high risk level, as can be seen from the risk matrix in Fig. 2. Three of these
Discussion
There are basically four different approaches to handle a risk [23]:
- •
Accept the risk, in accordance with the organisation's security policy. These are the risks that are low enough to be acceptable. It is worth remembering that accepting the risk does not mean accepting the unwanted incident indicated by the threat.
- •
Reduce the risk to an acceptable level. Since the risk is a product of likelihood and consequence, this means to reduce the likelihood, the consequence, or both. It is most often
Conclusion
The success of IM in other fields makes us believe that there is a potential for use also in the healthcare sector. Since the security level supported by existing public instant messaging services are insufficient, we have described a secure architecture for use within healthcare, based on the XMPP protocol. For our service we included the use of mobile devices, because healthcare workers are operating in a mobile environment with rapid changes in their availability status.
During the design
Future work
The use of instant messaging and presence services within organisations has been the focus of several evaluation studies [5], [6], [7], [8]. To our knowledge, no similar evaluation studies have been performed within healthcare settings with the purpose to understand the usefulness and limitations of IM technology in the healthcare domain.
To conclude on the usefulness of a service like this, a thorough observation and evaluation of the use of a messaging service will be conducted, focusing on
Acknowledgement
We would like to thank our colleagues at Norwegian Centre for Telemedicine who have given valuable feedback on this paper.
References (23)
- et al.
Collaboration—a new IT-service in the next generation of regional health care networks
Int. J. Med. Inf.
(2003) - et al.
Information security concepts and practices: the case of a provincial multi-speciality hospital
Int. J. Med. Inf.
(2004) - J. Stone, S. Merrion, Instant Messaging or Instant Headache? ACM Queue, ACM, 2004,...
- F. Langa, More Instant-Messaging Security Holes, InformationWeek, TechWeb, 2001,...
- D. Jacobson, M. Glowacki, Hidden Threats to HIPAA, Palisade Systems Inc., 2003,...
- Top Five Security Risks for Instant Messaging in 2005. IMlogic, 2005,...
- et al.
Interaction and outeraction: instant messaging in action
- et al.
The character, functions and styles of instant messaging in the workplace
- et al.
IM[@Work] adoption of instant messaging in a knowledge worker organisation
- et al.
I M mobile, where R U?