  • 8/17/2019 sli-phd

    1/55

    On authentication and authorisation issues in e-Health systems

    Ph.D. thesis defense, Università degli Studi di Firenze

    DSI, INF/01

    Massimiliano Masi

    [email protected]

    http://www.tiani-spirit.com

    May 14, 2012

    Introduction

    The duration of the life of human beings has dramatically increased

    The population of developed countries is aging

    In the EU the number of over-65s will be around 123 million in 2030 (source: HIMSS 2011)

    Huge impact on social, economic, and health aspects

    Massimiliano Masi 2

    Introduction/2

    Access to healthcare treatment is not always granted in developing countries

    Healthcare and communications infrastructures are missing

    Hospitals and clinics are reachable only by hundreds of kilometers of sand tracks

    No coordination on migrants

    Introduction/3

    Electronic health (e-Health) can help to overcome these problems. The wishes are (but not limited to):

    to make it possible for patients to maintain a mobile and independent lifestyle

    to bring electronic healthcare treatments to citizens and regions which otherwise would not have access to it (e.g. telemedicine and teleconsulting)

    to improve the quality of life by having the same quality of care in different organizations

    What is the status as of today?

    Governmental initiatives

    Health Insurance Portability and Accountability Act (HIPAA, 1996, Kennedy/Kassebaum/Clinton)

    Title I: health insurance coverage for workers and their families when they change or lose their jobs

    Title II: the establishment of national standards for EHR transactions and national identifiers for providers, health insurance plans and employers

    Governmental initiatives/2

    The Mandate 403 aims at giving to CEN, CENELEC, and ETSI the responsibility to determine the process for the definition of a set of standards to achieve effective interoperability for specific use cases in e-Health

    Each member state must adopt an e-Health agenda in its governmental procedures

    Motivations

    In order to give an answer to such governmental requests, many standardization initiatives were born, e.g.:

    Health Level 7, which aims at standardizing health documents (Clinical Document Architecture, such as patient summaries, discharge summaries, dispensation, prescriptions, continuity of care)

    DICOM, which aims at providing a common definition of radiological images and laboratory reports

    IHE

    Among these initiatives, the Integrating the Healthcare Enterprise (IHE) international body is acting as a “glue” among other initiatives, to computerize specific clinical use cases. IHE provides the basic building blocks for international e-Health approaches. IHE defines a Service Oriented Architecture.

    Motivations/2

    Many projects have been funded with the aim to provide electronic health care. Among the many:

    the U.S. project NwHIN. Around three hundred million patients and $22.250 billion [GRAMS10]

    the E.U. project epSOS. Potentially around five hundred million patients and €36.5 million for the first 5 years

    Warning

    Design errors in such scenarios can impact the safety of patients

    Bottom-up approach: applied research on information security for e-Health is lacking

    Only established libraries and standards are accepted as foundation

    Only slight modifications are accepted by projects in production

    Contributions

    We provided a methodology based on formal methods which aims at:

    guaranteeing interoperability and integration among different implementations

    proving the absence of security flaws under a specific threat model

    expressing security requirements in e-Health projects

    We focused on two major industry standards for authentication and authorisation and:

    we model checked SAML-based authentication protocols

    we provided a formal semantics of XACML-based access control


    Authentication

    A XUA-based protocol [ICISS09, JOMS12]

    The crucial aspect of authentication of healthcare professionals is covered by IHE in the cross-enterprise user assertion (XUA) profile:

    it defines the use of SAML authentication assertions (i.e., an XML-encoded authentication token) for single sign on (by using, e.g., Kerberos)

    it defines a transport method for the assertion

    Warning

    Unfortunately XUA does not define a method for obtaining the authentication assertion

    A XUA-based protocol [ICISS09, JOMS12]

    A security flaw

    We discovered a security flaw in the protocol “naively” resulting from the XUA specification (due to a bad assertion layout and missing channel authentication)

    We proposed an amendment to the protocol (i.e. a more restrictive use of the XUA specifications) for a secure token issuance

    A XUA-based protocol/2

    Message sequence chart with the actors Creator (C), Intruder, STS and Registry (REG); each message appears twice in the chart, on both sides of the intruder:

    (1). RST
    (2). Challenge
    (3). Challenge
    (4). SAML Token
    (5). XDS Query w/SAML
    (5). XDS Query Response

    A XUA-based protocol/3

    How to prove that our protocol solves the security flaw that we discovered? We applied our proposed verification method:

    we specified the protocol using the process calculus COWS

    we specified the desired security properties using the temporal logic SocL

    we model checked the SocL formulæ w.r.t. the terms using the tool CMC (reachability analysis)


    A XUA-based protocol/4 

    We have instantiated a well known methodology

    Our intruder is based on the well known Dolev-Yao model

    Each actor is rendered as a process calculus term

    Desired security properties are defined as temporal logic formulæ

    The verification of the formulæ over the terms is software assisted

    Our favour towards COWS 

    COWS is designed to cope with the specific characteristics of SOA

    COWS provides verification tools


    The approach

    Figure: XUA Protocol → (formulation) → COWS Spec → (analysis) → Analysis

    The approach/2

    Figure: XUA Protocol → (formulation) → COWS Spec → (analysis) → Analysis

    COWS term for the STS (fragment):

    * [C] [MsgId1] [User] [Salt] [Iteration] [Timestamp1] [URI] [RST]
      sts.rst?.
      (  -- Retrieve the User’s password
         sts.getPwd! | [Pwd] sts.getPwdResp?.
         (  -- Calculate the derived key
            sts.hashReq! | [DKey] sts.hashResp?.
            (  -- Create the challenge
               sts.encReq! | [Challenge] sts.encResp?.
               (  -- Send the challenge to the consumer
                  C.rstr!
                  |  -- Receive the challenge response
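    As an added simulation (my code, not the thesis's COWS model or its implementation), the token-issuance steps (1)-(4) between Creator (C) and the STS that the fragment above sketches, with both sides' messages. The slides do not say which key derivation or cipher the STS uses; PBKDF2-HMAC-SHA256 and an HMAC-derived keystream bound to MsgId, Timestamp and URI are my stand-ins, as are the credential store, the freshness window and the repeated-MsgId check.

```python
"""Simulation of the STS challenge/response token issuance from the COWS fragment (steps 1-4)."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional

KEY_LEN = 32

@dataclass
class RST:
    """Request for Security Token; fields follow the COWS variables [C][MsgId1][User][Salt][Iteration][Timestamp1][URI]."""
    c: str
    msg_id: str
    user: str
    salt: bytes
    iteration: int
    timestamp: float
    uri: str

def derive_key(password: bytes, salt: bytes, iteration: int) -> bytes:
    # Assumption: PBKDF2-HMAC-SHA256 stands in for the unspecified 'derived key' (hashReq/hashResp) step.
    return hashlib.pbkdf2_hmac("sha256", password, salt, iteration, KEY_LEN)

def keystream(dkey: bytes, rst: RST) -> bytes:
    # Assumption: 'encReq/encResp' is a one-block stream cipher keyed by DKey; the keystream is also
    # bound to MsgId, Timestamp and URI, so a challenge only fits the request it was issued for.
    ctx = f"{rst.msg_id}|{rst.timestamp}|{rst.uri}".encode()
    return hmac.new(dkey, ctx, hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class STS:
    """Security Token Service: receives the RST, issues the challenge, checks the response, issues the token."""
    def __init__(self, passwords: dict, max_age: float = 300.0):
        self.passwords = passwords          # constructed credential store (getPwd/getPwdResp)
        self.max_age = max_age              # freshness window for Timestamp1
        self.pending = {}                   # msg_id -> (user, nonce) awaiting a challenge response
        self.seen_msg_ids = set()           # a repeated MsgId is refused

    def handle_rst(self, rst: RST, now: float) -> Optional[bytes]:
        if rst.user not in self.passwords or rst.msg_id in self.seen_msg_ids:
            return None
        if abs(now - rst.timestamp) > self.max_age:
            return None
        self.seen_msg_ids.add(rst.msg_id)
        dkey = derive_key(self.passwords[rst.user], rst.salt, rst.iteration)
        nonce = os.urandom(KEY_LEN)
        self.pending[rst.msg_id] = (rst.user, nonce)
        return xor(nonce, keystream(dkey, rst))                 # (2) Challenge, sent on C.rstr

    def handle_challenge_response(self, msg_id: str, proof: bytes) -> Optional[dict]:
        entry = self.pending.pop(msg_id, None)                  # one answer per challenge
        if entry is None:
            return None
        user, nonce = entry
        expected = hmac.new(nonce, msg_id.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return None
        return {"issuer": "sts", "subject": user, "in_response_to": msg_id}   # (4) SAML token, abstracted

class Consumer:
    """Creator (C): holds only its own password."""
    def __init__(self, name: str, user: str, password: bytes):
        self.name, self.user, self.password = name, user, password

    def build_rst(self, uri: str, now: float) -> RST:          # (1) RST
        return RST(self.name, os.urandom(8).hex(), self.user, os.urandom(16), 4096, now, uri)

    def answer(self, rst: RST, challenge: bytes) -> bytes:     # (3) Challenge response
        dkey = derive_key(self.password, rst.salt, rst.iteration)
        nonce = xor(challenge, keystream(dkey, rst))            # only the right password recovers the nonce
        return hmac.new(nonce, rst.msg_id.encode(), hashlib.sha256).digest()

PASSWORDS = {"dr.rossi": b"constructed-demo-password"}        # constructed, not from the page

def run_exchange(consumer_password: bytes, replay_rst: bool = False, rst_age: float = 0.0):
    """Run one (1)-(4) exchange; return the issued token, or None when the STS refuses."""
    sts = STS(PASSWORDS)
    c = Consumer("C", "dr.rossi", consumer_password)
    now = time.time()
    rst = c.build_rst("https://registry.example/xds", now - rst_age)
    challenge = sts.handle_rst(rst, now)
    if challenge is None:
        return None
    if replay_rst:
        return sts.handle_rst(rst, now)     # the same RST presented again is refused
    return sts.handle_challenge_response(rst.msg_id, c.answer(rst, challenge))
```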

    The approach/3

    Figure: XUA Protocol → (formulation) → COWS Spec → (analysis) → Analysis

    FAIL

    AG [request(samlToken, requestedBy, c)] not EF (systemUnderAttack(i) and deliveringResource(to, i))

    Reading: globally (AG), if ([·]) a token is requested by c, then it does not hold that eventually (EF) the system will be under attack by i while delivering a resource to i

    e-Health for developing countries

    Rural areas of (least) developing countries may not have Internet connection

    Problem when sharing EHRs of migrant populations

    Examples are: Malawi, Limpopo, Mpumalanga

    We extended our XUA-based protocol to provide an authenticated EHR exchange in (least) developing countries

    The VAN protocol

    The VAN protocol

    Again, we used COWS to provide a formal specification of this protocol

    We have defined a threat model, driven by a local risk assessment

    We identified a trusted controller named security officer, prosecutor

    We analysed the protocol w.r.t. the threat model, with SocL and CMC

    We implemented the protocol

    The threat model

    We have identified four types of relevant attacks:

    the intruder suppresses a message

    the intruder impersonates a clinic by reusing a previously issued SAML token

    the intruder obtains a message by listening on the channel represented by the VAN, suppresses it, and sends a new message by reusing the SAML token

    the intruder replays the message

    The Sebokeng experience [AFRICOMM11]

    In 2008, the Gauteng Department of Health (GDoH) established the E-HR.GP:

    A Proof-of-Concept running in 3 clinics (around 700 beds)

    Three phases: definition of the PoC, full implementation, extension to the whole region

    Will run in Gauteng, the smallest province in South Africa, but the most densely populated (nine million, 90% urbanized)

    The Sebokeng experience/2

    Warning

    Although the PoC ran without known security issues, the extension of the PoC to the whole of Gauteng introduces severe security flaws, due to the fact that IHE profiles are made for high speed Internet communications

    We have shown that our VAN protocol can solve the underestimated security flaw without affecting the software already in production

    Brokered Trust: European use case [EHEALTH10]

    By means of the EU mandate 403, each government started to have an electronic healthcare agenda

    Many national initiatives were born, in France, Italy, Austria, UK, exploiting IHE profiles

    We contributed on tailoring our XUA based protocol to fulfill the requirements of an Austrian project, around 1.5 million patients, covering a direct brokered trust scenario

    Cross Community Fetch [XCFStandard]

    In 2008, the EU commission funded the epSOS project with the aim to connect all the governmental initiatives. We actively participated in the development of the security infrastructure.

    Each country is uniquely identified by a national contact point (NCP), a gateway which facilitates various aspects of cross border data sharing

    The NCP denotes the boundary between the epSOS infrastructure and a country’s existing national e-health infrastructure

    We contributed to the development of the base protocol for exchanging patient summaries and e-Prescriptions, which is a new IHE profile

    Implementation

    We provided a full implementation of:

    the XUA-based protocol, with a new SAML Identity Provider, now integrated in a commercial product

    the VAN protocol for disconnected clinics, by exploiting the IHE XDM implementation of Tiani “Spirit” GmbH

    the IHE XCF (reference implementation, being used in the new upcoming IHE connectathon)

    the Brokered Trust scenario (now in production in an Austrian Region)


    Authorization

    XACML [ESSOS12]

    is a widely used implementation of PBAC

    defines an XML-based language for writing policies

    defines an XML-based language for representing requests

    defines how to make authorization decisions (by the PDP)

    is currently used in many large scale projects (e.g., epSOS, NHIN, involving both industry and academia)

    is a recommendation from ITU, US VA Office

    The XACML workflow

    Figure: XACML data-flow diagram with the components PAP, access requester, PEP, Context Handler, PDP, PIP, Subjects, Environment, Resource and Obligations Service, and the numbered flows:

    1. policy
    2. access request
    3. request
    4. request notification
    5. attribute queries
    6. attribute query
    7a. subject attributes
    7b. environment attributes
    7c. resource attributes
    8. attribute
    9. resource content
    10. attributes
    11. response context
    12. response
    13. obligations

    Motivations

    Designing XACML policies is a difficult and error-prone task

    The language has an XML syntax

    it makes writing XACML policies awkward by using common editors (XML is neither readable nor writable by humans)

    there exist ad-hoc policy editors, but they are cumbersome and ineffective when dealing with real-world policies

    Motivations

    Example: patient privacy consent policy from epSOS (part 1/4)

    <Policy PolicyId="policyId1"
            RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
      <Subjects><Subject>
        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">medical doctor</AttributeValue>
          <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                                      DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </SubjectMatch>
        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">TREATMENT</AttributeValue>
    ...

    Motivations

    Example: patient privacy consent policy from epSOS (part 2/4)

    ...
          <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:subject:purposeofuse"
                                      DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </SubjectMatch>
      </Subject></Subjects>
      <Resources><Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">34133-9</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                       DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ResourceMatch>
      </Resource></Resources>
    ...

    Motivations

    Example: patient privacy consent policy from epSOS (part 3/4)

    ...
      <Description>
        Matches all the READ operations to requests containing the correct permissions
      </Description>
      <Actions><Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Read</AttributeValue>
          <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                     DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ActionMatch>
      </Action></Actions>
      <Condition>
    ...

    Motivations

    Example: patient privacy consent policy from epSOS (part 4/4)

    ...
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:oasis:names:tc:xspa:1.0:subject:hl7:permission:PRD-003</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:oasis:names:tc:xspa:1.0:subject:hl7:permission:PRD-005</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:oasis:names:tc:xspa:1.0:subject:hl7:permission:PRD-010</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:oasis:names:tc:xspa:1.0:subject:hl7:permission:PRD-016</AttributeValue>
        <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:subject:hl7:permission"
                                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Condition>


    Motivations

    Designing XACML policies is a difficult and error-prone task

    XACML comes without a formal semantics

    the standard is written in natural language (English)

    it contains loose points that may give rise to different interpretations (this could lead to different implementation choices)

    the portability of XACML policies could be undermined

    no formal reasoning on policies can be carried out


    Contributions of this work

    Designing XACML policies is a difficult and error-prone task

    The language has an XML syntax

    XACML comes without a formal semantics

    Our proposal

    An alternative syntax

    A formal semantics

    An implementation driven by the formal semantics

    A BNF-like syntax

    Syntax

    PDPpolicies ::= {Palg ; Policies}                                  (Retrieved policies)

    Palg ::= only-one-applicable | Ralg                                (Policy-combining alg.)

    Ralg ::= deny-overrides | permit-overrides                         (Rule-combining alg.)
           | first-applicable
           | ordered-deny-overrides
           | ordered-permit-overrides

    Policies ::= {Palg ; target :{[Targets]} ; Policies}               (policy set)
               | Ralg ; target :{[Targets]} ; rules :{Rules}           (policy)
               | Policies Policies

    Targets ::= MatchId(value, name)                                   (Targets)
              | Targets ∨ Targets
              | Targets ∧ Targets
              | Targets Targets

    MatchId ::= string-equal | integer-equal                           (Match functions)
              | integer-greater-than | . . .

    Rules ::= (Effect [; target :{Targets}] [; condition :{expression}])   (Rules)
            | Rules Rules

    Effect ::= permit | deny                                           (Effects)

    A BNF-like syntax: an example

    Example: patient privacy consent policy from epSOS

    permit-overrides ;
    target :{ string-equal(“medical doctor”, subject.role)
              ∧ string-equal(“TREATMENT”, subject.purposeofuse)
              string-equal(“34133-9”, resource.resource-id) } ;
    rules :{ (permit ; target :{ string-equal(“Read”, action.action-id) } ;
                       condition :{ string-subset(string-bag(“PRD-003”, “PRD-005”, “PRD-010”, “PRD-016”), subject.permission) })
             (deny) }

    The policy specifies in its target:

    a subject: a medical doctor with a healthcare TREATMENT purpose

    a resource: a patient summary (identified by the code 34133-9)

    The policy contains two rules:

    the first has effect permit if the requestor aims at performing a Read action and has at least the permissions PRD-003 . . . PRD-016

    the second has always effect deny


    Formal semantics

    General idea

    The semantics is given in a denotational style

    It is defined by a function [[·]]_R given a policy/policy set and given a set R of requests (e.g. all possible requests, requests with given structure, a single request)

    [[·]]_R returns a decision tuple of the form

    ( permit : R_p ; deny : R_d ; not-applicable : R_n ; indeterminate : R_i )

    where R_p, R_d, R_n, and R_i are a partition of R

    Example

    Taking into account the previous policy (the patient privacy consent policy from epSOS)

    Example

    Doctor’s request (∈ R_p):

    request :{ (subject.role, “medical doctor”) (subject.purposeofuse, “TREATMENT”) (subject.organization, “NewYorkGH”) (subject.permission, “PRD-003”) (subject.permission, “PRD-005”) (subject.permission, “PRD-010”) (subject.permission, “PRD-016”) (resource.resource-id, “34133-9”) (action.action-id, “Read”) } ;

    response :{ id :{“34133-9”} ; permit }

    Nurse’s request (∈ R_d):

    request :{ (subject.role, “nurse”) (subject.purposeofuse, “EMERGENCY”) (subject.organization, “NewYorkGH”) (subject.permission, “PPD-003”) (subject.permission, “POE-007”) (resource.resource-id, “34133-9”) (action.action-id, “Read”) } ;

    response :{ id :{“34133-9”} ; not-applicable }
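    As an added worked example (my code, not the thesis's prototype PDP), the BNF-like syntax and the decision-tuple semantics of [[·]]_R from the previous slides as a small Python evaluator, run over the epSOS consent policy and the doctor's and nurse's requests; a third request, a doctor lacking PRD-016, is constructed here to exercise the deny rule. Two readings are mine and not stated on the slides: the juxtaposition of targets is treated as conjunction, and the combining algorithms follow XACML 2.0.

```python
"""Evaluator for the BNF-like XACML syntax and the [[.]]_R decision-tuple semantics."""
from dataclasses import dataclass

def attr(req, name):                        # all values of a (possibly multi-valued) attribute
    return {v for n, v in req if n == name}

@dataclass
class Match:                                # Targets ::= MatchId(value, name)
    fn: str
    value: str
    name: str
    def holds(self, req):
        if self.fn == "string-equal":       # true if any value of the attribute matches
            return self.value in attr(req, self.name)
        raise ValueError(f"unsupported MatchId {self.fn}")

@dataclass
class Targets:                              # Targets ∨ Targets | Targets ∧ Targets | Targets Targets
    op: str                                 # "∨" or "∧"; assumption: juxtaposition is read as "∧"
    parts: list
    def holds(self, req):
        test = any if self.op == "∨" else all
        return test(p.holds(req) for p in self.parts)

def string_subset(bag, name):               # condition :{ string-subset(string-bag(...), name) }
    return lambda req: set(bag) <= attr(req, name)

@dataclass
class Rule:                                 # (Effect [; target :{Targets}] [; condition :{expression}])
    effect: str
    target: object = None
    condition: object = None
    def decide(self, req):
        if self.target is not None and not self.target.holds(req):
            return "not-applicable"
        try:
            if self.condition is not None and not self.condition(req):
                return "not-applicable"
        except Exception:                   # e.g. a type error inside the expression
            return "indeterminate"
        return self.effect

def combine(alg, results):
    """Ralg over (rule effect, rule decision) pairs; assumption: the XACML 2.0 algorithms."""
    decisions = [d for _, d in results]
    if alg == "first-applicable":
        return next((d for d in decisions if d != "not-applicable"), "not-applicable")
    winner, loser = {"permit-overrides": ("permit", "deny"), "deny-overrides": ("deny", "permit")}[alg]
    if winner in decisions:
        return winner
    if any(e == winner and d == "indeterminate" for e, d in results):
        return "indeterminate"              # a winner-effect rule might have fired
    if loser in decisions:
        return loser
    return "indeterminate" if "indeterminate" in decisions else "not-applicable"

@dataclass
class Policy:                               # Ralg ; target :{[Targets]} ; rules :{Rules}
    alg: str
    target: object
    rules: list
    def decide(self, req):
        if self.target is not None and not self.target.holds(req):
            return "not-applicable"
        return combine(self.alg, [(r.effect, r.decide(req)) for r in self.rules])

def semantics(policy, requests):
    """[[policy]]_R: (permit : R_p ; deny : R_d ; not-applicable : R_n ; indeterminate : R_i)."""
    tup = {"permit": [], "deny": [], "not-applicable": [], "indeterminate": []}
    for req in requests:
        tup[policy.decide(req)].append(req)
    return tup

SE = "string-equal"
# The epSOS patient privacy consent policy from the slides, in the BNF-like syntax.
EPSOS_CONSENT = Policy(
    "permit-overrides",
    Targets("∧", [Match(SE, "medical doctor", "subject.role"),
                  Match(SE, "TREATMENT", "subject.purposeofuse"),
                  Match(SE, "34133-9", "resource.resource-id")]),
    [Rule("permit", Match(SE, "Read", "action.action-id"),
          string_subset(["PRD-003", "PRD-005", "PRD-010", "PRD-016"], "subject.permission")),
     Rule("deny")])
# The doctor's and nurse's requests from the slides, as sets of (name, value) pairs.
DOCTOR = {("subject.role", "medical doctor"), ("subject.purposeofuse", "TREATMENT"),
          ("subject.organization", "NewYorkGH"), ("resource.resource-id", "34133-9"), ("action.action-id", "Read")
          } | {("subject.permission", p) for p in ("PRD-003", "PRD-005", "PRD-010", "PRD-016")}
NURSE = {("subject.role", "nurse"), ("subject.purposeofuse", "EMERGENCY"),
         ("subject.organization", "NewYorkGH"), ("resource.resource-id", "34133-9"), ("action.action-id", "Read")
         } | {("subject.permission", p) for p in ("PPD-003", "POE-007")}
# Constructed here (not on the slides): a doctor lacking PRD-016, so only the deny rule applies.
DOCTOR_NO_PRD016 = DOCTOR - {("subject.permission", "PRD-016")}

def decision_tuple():
    return semantics(EPSOS_CONSENT, [DOCTOR, NURSE, DOCTOR_NO_PRD016])
```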

    PDP engine implementation

    We have a prototype tool that implements a XACML PDP. The implementation is driven by the formal semantics

    Figure: XACML XML Policies / Requests → .xacml file and .req file → Policy compiler and Request compiler → .java policy and .java request → Java compiler → .class policy and .class request → Decision

    We have a GWT frontend that implements epSOS policies

    We have a tool that translates from XACML policies to our syntax


    Conclusions 

    We have:

    Introduced a methodology based on formal methods for the specification of standard based protocols for e-Health scenarios

    Proposed a protocol based on IHE XUA for a secure healthcare professional authentication

    Proposed a protocol for secure EHR exchange in (least) developing countries

    Proposed a formal semantics for the XACML standard

    Ongoing work

    We plan to enhance our XUA-based protocol by:

    including the LoA and trust elevation methods in the model

    studying the applicability of XML rewrite attacks, e.g., analysing already existing results with our approach

    considering also social security aspects that can occur in (least) developing countries, and the applicability of the VAN protocol with low bandwidth network connections

    In particular, we are currently working on:

    applying our formal semantics to XACML 3.0 (draft)

    studying the behavior of XACML with highly dynamic and context-sensitive policies

    improving the implementation by adding CASE tools (i.e., an Eclipse plugin for our syntax)


    Thank You

    Relevant Publications I

    M. Masi, R. Pugliese, F. Tiezzi. On Secure Implementation of an IHE XUA-Based Protocol for Authenticating Healthcare Professionals. ICISS09, Volume 5905 of LNCS, 55-70

    M. Masi, R. Pugliese, F. Tiezzi. A standard-driven communication protocol for disconnected clinics in rural areas. IEEE HEALTHCOM11, 304-311

    M. Masi, R. Pugliese, F. Tiezzi. e-Health for Rural Areas in Developing Countries: Lessons from the Sebokeng Experience. AFRICOMM11, Volume 92 of LNICST

    Relevant Publications II

    M. Masi, R. Maurer. On the usage of SAML delegate assertions in an healthcare scenario with federated communities. eHealth 2010, volume 69 of LNICST, 212-220

    S. Bittins, M. Masi. Cross Community Fetch. IHE IT Infrastructure Technical Framework, supplement for trial implementation

    M. Masi, R. Pugliese, F. Tiezzi. Security Analysis of Standards-Driven Communication Protocols for Healthcare Scenarios. Journal of Medical Systems, 2012

    M. Masi, R. Pugliese, F. Tiezzi. Formalisation and Implementation of the XACML Access Control Mechanism. ESSoS 2012, Volume 7159 of LNCS, 60-74

    For further readings I

    R. Grams. The Obama EHR Experiment. Journal of Medical Systems, Volume 36, Number 2 (2012), 951-956