Reviewing Security and Privacy Aspects in Combined Mobile Information System (CMIS) for health care systems

Abstract: Medical area has been benefited by the use of ICT (Information and Communication Technology) in recent days. CMIS (Combined Mobile Information System), our proposed model system, is such a system targeted for health care system. IMIS (Integrated Mobile Information System), a system for diabetic healthcare, which is being developed in Blekinge Institute of Technology will be taken as a case study for our proposed system. CMIS is a multi-role system with core service being medical-care related and others like self-monitoring, journal-writing, communicating with fellow patients, relatives, etc. The main reason for not using CMIS could be the security and privacy of the users' information. Any system connected to Internet is always prone to attack, and we think CMIS is no exception. The security and privacy is even more important considering the legal and ethical issues of the sensitive medical data. The CMIS system can be accessed through PDA (Personal Digital Assistant), smart phones or computer via Internet using GPRS (General Packet Radio Service)/UMTS (Universal Mobile Telecommunication System) and wired-communication respectively. On the other hand, it also increases the burden for security and privacy, related to the use of such communications. This thesis discusses various security and privacy issues arising from the use of mobile communication and wired communication in context of CMIS i.e., issues related to GPRS (mobile) and web application (using wired communication). Along with the threats and vulnerabilities, possible countermeasures are also discussed. This thesis also discusses the prospect of using MP2P (Mobile Peer-to-Peer) as a service for some services (for example, instant messaging system between patients) in CMIS. However, our main concern is to study MP2P feasibility with prospect to privacy. In this thesis, we have tried to identify various security and privacy threats and vulnerabilities CMIS could face, security services required to be achieved and countermeasure against those threats and vulnerabilities. In order to accomplish the goal, a literature survey was carried out to find potential vulnerabilities and threats and their solution for our proposed system. We found out that XSS (cross-site scripting), SQL injection and DoS attack being common for a web application. We also found that attack against mobile communication is relatively complex thus difficult to materialize. In short, we think that an overall planned security approach (routinely testing system for vulnerabilities, applying patches, etc) should be used to keep threats and attacks at bay.