Journal of Information Technology Services (한국IT서비스학회지)

Korea Society of IT Services (한국IT서비스학회)
권호 표지
DOI QR코드

DOI QR Code

OHDSI OMOP-CDM Database Security Weakness and Countermeasures

OHDSI OMOP-CDM 데이터베이스 보안 취약점 및 대응방안

  • 이경환 (서울과학기술대 IT정책전문대학원) ;
  • 장성용 (서울과학기술대 IT정책전문대학원)
  • Received : 2022.06.25
  • Accepted : 2022.08.22
  • Published : 2022.08.31
Download PDF
⟨ Previous Next ⟩

Abstract

Globally researchers at medical institutions are actively sharing COHORT data of patients to develop vaccines and treatments to overcome the COVID-19 crisis. OMOP-CDM, a common data model that efficiently shares medical data research independently operated by individual medical institutions has patient personal information (e.g. PII, PHI). Although PII and PHI are managed and shared indistinguishably through de-identification or anonymization in medical institutions they could not be guaranteed at 100% by complete de-identification and anonymization. For this reason the security of the OMOP-CDM database is important but there is no detailed and specific OMOP-CDM security inspection tool so risk mitigation measures are being taken with a general security inspection tool. This study intends to study and present a model for implementing a tool to check the security vulnerability of OMOP-CDM by analyzing the security guidelines for the US database and security controls of the personal information protection of the NIST. Additionally it intends to verify the implementation feasibility by real field demonstration in an actual 3 hospitals environment. As a result of checking the security status of the test server and the CDM database of the three hospitals in operation, most of the database audit and encryption functions were found to be insufficient. Based on these inspection results it was applied to the optimization study of the complex and time-consuming CDM CSF developed in the "Development of Security Framework Required for CDM-based Distributed Research" task of the Korea Health Industry Promotion Agency. According to several recent newspaper articles, Ramsomware attacks on financially large hospitals are intensifying. Organizations that are currently operating or will operate CDM databases need to install database audits(proofing) and encryption (data protection) that are not provided by the OMOP-CDM database template to prevent attackers from compromising.

Keywords

References

  1. 김강한, "가명화 개인건강정보 보호 관련 기본권보장에 관한 연구", 세계헌법연구, 제27권, 제2호, 2021, 27-73.
  2. 윤현아, "공통 데이터 모델을 이용한 성인 조현병 환자의 항정신병 약물 처방 패턴 분석", 한국보건사회 약료경영학회지, 제9권, 제2호, 2021, 111-120.
  3. DISA, "PostgreSQL 9.X Security Technical Implementation Guide (STIG) Overview Version 2, Release 2", 2022, Available at: https://www.stigviewer.com/stig/postgresql_9.x/.
  4. DoD CIO, "Department of Defense Net-Centric Data Strategy", 2007, Available at: https://dodcio.defense.gov/Portals/0/documents/DoD_NetCentricServicesStrategy.pdf.
  5. Hammond, K. W., Efthimiadis, E. N., and Laundry, R. J., "Efficient De-identification of Electronic Patient Records for User Cognitive Testing", IEEE, 2012, Available at: https://ieeexplore.ieee.org/document/6149163.
  6. ISO, "ISO/IEC 27001:2013 Information technology - Security techniques - Information security management systems - Requirements", 2013, Available at: https://www.iso.org/standard/54534.html.
  7. Kaddoura, S. and Haraty, R. A., "A Parallelized Database Damage Assessment Approach after Cyberattack for Healthcare Systems", 2021, Available at: https://www.researchgate.net/publication/350540292_A_Parallelized_Database_Damage_Assessment_Approach_after_Cyberattack_for_Healthcare_Systems.
  8. Kan, M., "A ransomware attack is spreading worldwide, using alleged NSA exploit: UK's National Health Service was among the organizations hit by the Wanna Decryptor ransomware on Friday", 2017, Available at: https://www.computerworld.com/article/3196378/a-ransomware-attack-is-spreading-worldwide-using-alleged-nsa-exploit.html.
  9. NIST, "Framework for Improving Critical Infrastructure Cybersecurity Version 1.1", 2018, Available at: https://nvlpubs.nist.gov/nistpubs/cswp/nist.cswp.04162018.pdf.
  10. NIST, "SP 800-53r4 Security and Privacy Controls for Federal Information Systems and Organizations", 2014, Available at: https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/archive/2015-01-22.
  11. NIST, "SP 800-60r1 Guide for Mapping Types of Information and Information Systems to Security Categories", 2004, Available at: https://csrc.nist.gov/publications/detail/sp/800-60/vol-1-rev-1/final.
  12. OHDSI, "The Book of OHDSI", 2021, Available at: https://ohdsi.github.io/TheBookOfOhdsi/.
  13. Wilson, R. "Emerging ransomeware threats: An anticipatory ethical anaylsis", 2021, Available at: https://ieeexplore.ieee.org/document/9629211.