EAGER: SeaCat: An SDN End-to-End Application Containment ArchitecTure to Enable Secure Role Based Network Access in Healthcare

EAGER：SeaCat：SDN 端到端应用遏制架构，可在医疗保健领域实现基​​于角色的安全网络访问

• 批准号: 1343713
• 负责人: Jacobus VAN DER MERWE
• 金额: $ 29.87万
• 依托单位: University of Utah
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2013
• 资助国家: 美国
• 起止时间: 2013-09-01 至 2016-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1343713&HistoricalAwards=false
• 关键词: EAGER; SeaCat; SDN; End; Application

Healthcare is being transformed by information technology. However, with the promises of the technology have come concerns about the privacy, confidentiality and operational integrity of healthcare information and systems. Physicians and other healthcare professionals increasingly rely on networked applications for tasks as diverse as accessing patient records, remote diagnoses and consultations, in-home patient monitoring, healthcare related analytics and even remote surgical procedures. In addition to these domain specific applications, healthcare professionals use all the other more typical vocational applications, often from the same device. This diversity of applications and in particular the fact that the same individual, possibly using the same device, might be concurrently using these different applications, presents a particular challenge to healthcare information technology (IT) operations. Ideally, the role an individual is playing by using a specific networked application, should determine both the security and the performance context associated with that role. This project develops, integrates, and tests a prototype system for end-to-end isolation and containment of healthcare data and applications based on Software Defined Networking (SDN) technology. Health care applications are generally trusted, but need to operate securely and protect the data they access, in a host and network environment that might contain untrusted applications and entities. The project addresses these concerns by developing and prototyping an SDN End-to-end Application Containment ArchitecTure (SeaCat), and demonstrating its utility with electronic health record (EHR) and medical imaging applications. The project will combine software defined networking (SDN) primitives with application containment mechanisms to realize end-to-end application containment in a health care IT environment. After a EHR application user has authenticated with SeaCat, an EHR specific context is dynamically created from the EHR Server, through the network and extending into the endpoint. The EHR application and any temporary local data it is using are contained within this context and protected from data leakage and malicious actors in both the network and the endpoint. Once the user application ends, the complete end-to-end context, including any data temporarily stored within the endpoint or network devices, is removed and the environment reverts to a clean state.The importance of safeguarding healthcare data is well known. The HIPAA privacy and security rules reflect legislated mandates for such safeguards. Yet at the same time healthcare IT applications are being extended over a larger geographic region beyond healthcare campuses, and applications are making use of high-bandwidth, low-latency networks linking to the new locations, often with smartphones and tablets. The application containment architecture in this project will support isolation and privacy concerns for healthcare and facilitate the deployment of future gigabit healthcare applications.

信息技术正在改变医疗保健。 然而，随着该技术的前景，人们对医疗保健信息和系统的隐私、机密性和操作完整性产生了担忧。医生和其他医疗保健专业人员越来越依赖网络应用程序来执行各种任务，例如访问患者记录、远程诊断和咨询、家庭患者监护、医疗保健相关分析甚至远程手术程序。除了这些特定领域的应用程序之外，医疗保健专业人员通常还使用同一设备上的所有其他更典型的职业应用程序。应用程序的多样性，特别是同一个人可能使用同一设备，可能同时使用这些不同的应用程序，给医疗保健信息技术 (IT) 运营带来了特殊的挑战。理想情况下，个人通过使用特定网络应用程序所扮演的角色应确定与该角色相关的安全性和性能上下文。该项目开发、集成和测试原型系统，用于基于软件定义网络 (SDN) 技术的医疗数据和应用程序的端到端隔离和遏制。 医疗保健应用程序通常是受信任的，但需要在可能包含不受信任的应用程序和实体的主机和网络环境中安全地运行并保护它们访问的数据。该项目通过开发 SDN 端到端应用遏制架构 (SeaCat) 并对其进行原型设计来解决这些问题，并展示其在电子健康记录 (EHR) 和医学成像应用中的实用性。该项目将软件定义网络 (SDN) 原语与应用程序遏制机制相结合，以在医疗保健 IT 环境中实现端到端应用程序遏制。 EHR 应用程序用户通过 SeaCat 进行身份验证后，将从 EHR 服务器动态创建 EHR 特定上下文，通过网络并延伸到端点。 EHR 应用程序及其正在使用的任何临时本地数据都包含在此上下文中，并防止网络和端点中的数据泄漏和恶意行为者。一旦用户应用程序结束，完整的端到端上下文（包括临时存储在端点或网络设备中的任何数据）将被删除，环境将恢复到干净的状态。保护医疗数据的重要性是众所周知的。 HIPAA 隐私和安全规则反映了此类保护措施的立法要求。 但与此同时，医疗保健 IT 应用程序正在扩展到医疗保健园区以外的更大地理区域，并且应用程序正在利用高带宽、低延迟网络连接到新位置（通常通过智能手机和平板电脑）。 该项目中的应用程序遏制架构将支持医疗保健的隔离和隐私问题，并促进未来千兆位医疗保健应用程序的部署。