Content for TR 22.826 Word version: 17.1.0

6 Security Aspects Word‑p. 51

6.1 Introduction

The healthcare industry is currently undergoing many changes, not only in medicine but also in the information technology that serves as the underpinning of healthcare delivery. In fact, advancement in IT and electronic health records (EHRs), as well as reinforcement of professional collaboration (mentoring) and of telemedicine is leading to numerous new complexities. Electronic information is everywhere, often in more than one place at a time, and shall be accessed from everywhere thus making increasingly difficult to keep sensitive healthcare information well protected.
This has led regulatory bodies in every part of the world to iron out new regulatory texts which businesses in the healthcare industry shall be compliant with. Among them, one can cite the following regulations that already cover a broad range of rules impacting the privacy and security of healthcare data. e.g.:

Health Information Patient Accountability Act (HIPAA) see [25]

Health Information Technology for Economic and Clinical Health (HITECH) see [26]

General Data Protection Regulation (GDPR) see [24]

A strong underlying principle in those regulations, is that natural persons, whatever their nationality or residence, have fundamental rights and freedoms, in particular the right to the protection of their personal data.
A good level of protection is provided when privacy is ensured by design or default, meaning that data protection measures are implemented across all data processing activities and endpoints and in accordance to the level of criticality of that data. As an example, "medical health," "genetic data" and "biometric data" are subject to a higher standard of protection than personal data in general.
Then, security traditionally includes the attributes of "Confidentiality", "Integrity" and "Availability" but recently has been also focused on "Auditability" to demonstrate to regulators that patient safety and privacy is maintained throughout entire processing and transporting chain. Compliance and regulatory expectations demand that data access and transfer be therefore well defined and documented.

6.2 Actors and Responsibilities

In the field of data security, the following roles are often defined:

Controllers: natural or legal person that is responsible for handling the whole data life cycle and will have to establish or amend technical and organizational measures to ensure and prove that the processing of personal data fully complies with regulatory requirements. In practise, controllers can be e.g. hospitals, health houses or physicians…

Processors: natural or legal person that processes medical data. A processor is required to maintain records of all its processing activities and to maintain disclosure readiness of this information to show compliance. A processor could be for instance a cloud provider offering services to a controller for data storage and processing.

In the process of transporting medical data over a 5G network, in particular if the mobile operator is responsible for any key material that can be used to decrypt the medical data, or is otherwise involved in storing or adjusting the data, then this would involve assigning a processor role to telecom operators. Also, if the operator did not provide sufficient safeguards to protect data loss or if the operator lacks behind in fixing known security holes and vulnerabilities, they may be held accountable by health data controllers and processors.
Interactions between data subjects, regulators, controllers and processors are shown on the picture below:

Figure 6.2-1: Role model on personal data security

For more information on general data requirements from regulatory bodies, see Annex A.

6.3 Potential Requirements Word‑p. 52

6.3.1 Existing features partly or fully covering the functionality

Table 6.3.1-1: Applicable existing communication service functional requirements

Reference number
Requirement text
Application / transport
Comment

8.9
The 5G system shall support data integrity protection and confidentiality methods that serve URLLC and energy constrained devices.
T
Requirement taken from TS 22.261, however need to add "high data rates" to the requirement text.

8.2, 8.3
All requirements related to security management in private slices
T
See TS 22.261

6.3.2 Potential New Requirements

Table 6.3.2-1: New communication service performance requirements

Reference number
Requirement text
Application / transport
Comment

6.3.3-1
The 5G system shall support security self-assessment of network functions involved in rendering communication services in order to detect malicious cyber activity or compromised systems in the operator's network.
T
-

6.3.3-2
The 5G system shall provide suitable APIs to allow an authorized third party to consult security related metrics for the network slices dedicated to that third party, and any report on security breach or malicious activity that would have been self-detected.
T
-

6.3.3-3
The 5G system shall allow the operator to authorize a 3rd party to create and modify network slices having appropriate security policies (e.g. user data privacy handling, slices isolation, enhanced logging …) subject to an agreement between the 3rd party and the network operator.
T
-

7 Consolidated potential requirements Word‑p. 53

7.2 Network services performance requirements Word‑p. 54

Table 7.2.1-1: New consolidated performance requirements for wireless operating rooms

Requirement
Characteristic parameter
Communication service availability: target value in %
Communication service reliability: Mean Time Between Failure
End-to-end latency: maximum
Bit rate
Direction
Influence quantity
Message Size [byte]
Survival time
UE speed (km/h)
# of active UEs
Service Area

5.2.2 - 8K 120 fps HDR 10bits real-time video stream with lossless compression

5.2.3 - 4K 120 fps HDR 10bits real-time video stream with lossless compression
>99.99999
>1 year
<1 ms
<50 Gbit/s
UE to Network
~1500 - ~9000 (note 1)
~8ms
stationary
1
Room

5.2.4 - Stereoscopic 4K 120 fps HDR 10bits real-time video stream with lossless compression
>99.99999
>1 year
<2 ms
<24 Gbit/s (note 2)
Network to UE; UE to Network
~1500 - ~9000 (note 1)
~8ms
stationary
1
Room

5.2.2 - 8K 120 fps HDR 10bits real-time video stream with lossless compression

5.2.3 - 4K 120 fps HDR 10bits real-time video stream with lossless compression

5.2.4 - 4K 120 fps HDR 10bits real-time video stream with lossless compression
>99.99999
>1 year
<1 ms
<50 Gbit/s
Network to UEs
~1500 - ~9000 (note 1)
~8ms
stationary
<10
Room

5.2.3 3D 256 x 256 x 256 voxels 24 bits 10 fps ultrasound unicast data stream
>99.9999
>1 year
<10ms
<4 Gbit/s
UE to Network
~1500
~100 ms
stationary
1
Room

5.2.4 - Motion control data stream
>99.999999
>10 year
<2 ms
<16 Mbit/s
Network to UE; UE to Network
<2000
~1 ms
Stationary
1
Room

5.2.4 - Haptic feedback data stream
>99.999999
>10 year
<2 ms
<16 Mbit/s
Network to UE; UE to Network
<2000
~1 ms
Stationary
1
Room

NOTE 1:
MTU size of 1500 bytes is not generally suitable to gigabits connections as it induces many interruptions and loads on CPUs. On the other hand, Ethernet jumbo frames of up to 9000 bytes require all equipment on the forwarding path to support that size in order to avoid fragmentation.

NOTE 2:
No subsampling considered for the generation of the stereoscopic view

Table 7.2.1-2: New consolidated performance requirements over a PLMN in static conditions

Requirement
Characteristic parameter
Communication service availability: target value in %
Communication service reliability: Mean Time Between Failure
End-to-end latency: maximum
Bit rate
Direction
Influence quantity
Message Size [byte]
Survival time
UE speed (km/h)
# of active UEs
Service Area

5.3.2 - Compressed 4K (3840x2160 pixels) 60 fps 12 bits per pixel color coded (e.g. YUV 4:1:1) real-time video stream

5.3.4 - Compressed 4K video stream
>99.99
>1 month
<20 ms
<25 Mbit/s
UE to Network; Network to UE
~1500
~100 ms
stationary
<20 per 100 km2
Regional

5.3.2 - Uncompressed 512x512 pixels 32 bits 20 fps video stream from ultra-sound probe

5.3.4 - Uncompressed 512x512 pixels 32 bits 20 fps video stream from ultra-sound probe
99.999
>>1 month (<1 year)
<20 ms
160 Mbits/s
UE to Network
~1500
~50 ms
stationary
<20 per 100 km2
Regional

5.3.3 - Stereoscopic 4K 60 fps HDR 10bits frame packed real time video (loss less compressed)

5.3.4 - Stereoscopic 4K 60 fps 12 bits per pixel color coded (e.g. YUV 4:1:1) real time video (loss less compressed)
99.99 - 99.9999 (note 2)
>1 month (<1 year) (note 2)
< 250 ms
<6 Gbit/s
Network to UE; UE to Network
~1500 - ~9000 (note 1)
~16 ms
stationary
<20 per 100 km2
National; Regional

5.3.3 - 4K 60 fps 12 bits per pixel color coded (e.g. YUV 4:1:1) real time video (loss less compressed)
>99.999
>>1 month (<1 year)
< 250 ms
<2 Gbit/s
Network to UEs
~1500 - ~9000 (note 1)
~16 ms
stationary
<5 per 100m2 (note 3)
National

5.3.3 - Haptic feedback

5.3.4 - Haptic feedback data stream
>99.9999
> 1 year
<20 ms
<16 Mbit/s
Network to UE; UE to Network
<2000
~1 ms
stationary
<20 per 100 km2
National; Regional

NOTE 1:
MTU size of 1500 bytes is not generally suitable to gigabits connections as it induces many interruptions and loads on CPUs. On the other hand, Ethernet jumbo frames of up to 9000 bytes require all equipment on the forwarding path to support that size in order to avoid fragmentation.

NOTE 2:
Higher values are needed for telesurgery systems.

NOTE 3:
This comprises a maximum of 5 displays gathered in the same 100m2 room considering a room density <2 per 1000km2

Table 7.2.1-3: New consolidated performance requirements over a PLMN in moving conditions

Requirement
Characteristic parameter
Communication service availability: target value in %
Communication service reliability: Mean Time Between Failure
End-to-end latency: maximum
Bit rate
Direction
Influence quantity
Message Size [byte]
Survival time
UE speed (km/h)
# of active UEs
Service Area

5.5.2 - Uncompressed 2048x2048 pixels 16 bits per pixel 10 fps real-time video scan stream
99.99
>>1 month (<1 year)
< 100ms
670 Mbit/s
UE to Network
~1500
<100 ms
<150
<20 per 100 km2
Regional

5.5.2 - Compressed 4K (3840x2160 pixels) 12 bits per pixel (e.g. YV12) 60 fps real time video stream
99.99
>1 month
< 100ms
25 Mbits/s
UE to Network
~1500
<100 ms
<150
<20 per 100 km2
Regional

5.5.2 - Physical vital signs monitoring data stream
>99.999
>>1 month (<1 year)
<100 ms
<1 Mbit/s
UE to Network
~80
-
<150
<20 per 100 km2
Regional

5.5.2 - High quality audio stream
>99.99
>1 month
<100 ms
<128 kbit/s
Network to UE; UE to Network
~300
~16 ms
<150
<20 per 100 km2
Regional

5.5.3 - Cardiac telemetry outside the hospital (note 2)
>99.9999
<1 year (>>1 month)
<100 ms
0.5 Mbit/s
UEs to Network
<1000
<1 s
<500
10/km2 - 1000/km2
Country wide including rural areas; Deep Indoor (note 1)

NOTE 1:
In this context, "deep indoor" term is meant to be places like e.g. elevators, building's basement, underground parking lot, …

NOTE 2:
These performance requirements aim energy-efficient transmissions performed using a device powered with a 3.3V battery of capacity <1000 mAh that can last at least 1 month without recharging and whereby the peak current for transmit operations stays below 50 mA.

7.3 Clock synchronization requirements Word‑p. 57

Table 7.3-1: Clock Synchronization service performance requirements

Use case reference
Number of devices for clock synchronisation
Clock synchronicity requirement
Service area

5.3.3 - Communication QoS requirement for robotic telesurgery
Up to 10 UEs
< 50 μs
400 km

8 Conclusion and recommendations Word‑p. 58

The current TR provides a number of use cases for communication services related to critical medical applications in the following categories:
Image Assisted Surgery inside hybrid operating rooms equipped with high quality and augmented imaging systems
Robotic Aided Surgery inside hybrid operating rooms or in remote medical facilities
Tele-diagnosis and monitoring in ambulances, hospitals or remote healthcare facilities
For the above listed areas, the document identifies potential performances requirements for 3GPP communication systems involved in the delivery of care or surgery to patients so that considered medical procedures are carried out with adequate level of safety and efficiency.
In addition, the document also proposes potential requirements needed to ensure handling of medical related data in 3GPP communication systems while fulfilling confidentiality, integrity and auditability principles set forth in regulatory texts.
It is proposed that those requirements are considered for development of normative requirements.

A Security Considerations Word‑p. 59

A.1 Regulatory texts' analysis

As a general rule, organizations involved in controlling and/or processing the data have to be careful with the data and exact in knowing where it is being stored, how it is being processed and whether consent has been given. Parsing national regulations along those lines for general data management requirements in light of the role models explained in clause 6.2, leads to the following mapping of high-level requirements on the involved actors.

Table A.1-1: Mapping of general data requirements from regulatory bodies

Requirements Controllers Processors Comment

Explicit Consent: data subjects to explicitly give their consent (declaratory statement or opt-in tick box) for processing their medical, genetic or biometric data X

Right to Data Portability: data subjects to have their personal data sent back to them to transmit elsewhere more easily X

Right to Be Forgotten: data subjects to have their personal data erased without undue delay X

Right to rectification: data subjects to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her X

Right to restriction of processing: data subjects to obtain from the controller restriction of processing under certain circumstances X

Subject Access Rights, the request to access data must be addressed quickly (less than one month) X

Appointment of a Data Protection Officer where medical, genetic or biometric data is processed in a large scale X X

Data Protection Impact Assessment: risk assessment of the impact of anticipated processing activities on personal, medical, genetic or biometric data X X For telcos, this implies a certain level of security policies parametrization in order to cope with different type of data

Mandatory data breach reporting: breaches must be reported to a data protection regulator within 72 hours, and those affected by the breach must also be informed. X X

Anonymization: the method of processing personal data in order to irreversibly prevent identification. X X

Data confidentiality: protection of data from being accessed by unauthorised parties through e.g. pseudonymization and/or encryption of personal data X X

Data Integrity: maintenance of the accuracy and consistency of data throughout its entire life cycle X X

Integrity, availability and resilience of processing systems and services against accidental loss, destruction or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data X X For telcos, this requirement leads to the need of having self-assessment of systems related to their ability to process the data according to regulatory rules

Existence of a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing X X For telcos this means the ability to monitor and assess security policies and their efficiency

Traceability: care providers to determine the initial source of the data, and what happened to it through its various locations and transformations. X X For telcos this implies enhanced logging capabilities for highly secured communication services

$ Change history Word‑p. 61