On Privacy in Medical Services with Electronic Health Records

SiHIS 2009, IMIA WG 4, Hiroshima, Japan

Sebastian Haas, Günter Müller (University of Freiburg, Germany)
Sven Wohlgemuth, Isao Echizen, Noboru Sonehara (National Institute of Informatics, Japan)

IIG-Telematics / National Institute of Informatics

Agenda (slide 1)

1. Medical Systems and Electronic Health Records
2. Shift to a new Health Record Scenario
3. The Patient as Target
4. Usage Control: Data Provenance by Digital Watermarking
5. Conclusion


1. Medical Systems and Electronic Health Records (slide 2)

- Various medical systems are used to support treatment.
- These systems use electronic health records (EHR) about the patient.
- Many EHRs exist at different locations.

[Diagram: the patient linked to Hospital, Laboratory, Examination, Dentist and Pharmacy, each holding its own records]


2. Shift to a new Health Record Scenario (1/2) (slide 3)

[Diagram: three stages of security, Castle (Mainframe), Marketplace (Internet) and Metropolis (De-Perimetrization), with the labels "Insiders and Outsiders", "Server-based Security" and "Client-based Security"]


2. Shift to a new Health Record Scenario (2/2) (slide 4)

Current scenario:
- The patient's data is stored in many medical systems.
- Each medical system is in charge of the patient's data.

New scenario:
- All data about the patient is stored in one location: a central EHR.
- The patient is in charge of this data.

[Diagram: Hospital, Laboratory, Examination, Dentist and Pharmacy each holding patient data in the current scenario, versus a single patient-controlled EHR in the new scenario]


3. The Patient as a Target (slide 5)

- The patient "inherits" responsibility and risk.
- Dishonest parties may force the patient to reveal medical data.

Privacy problem: how can the patient be protected from being forced to reveal medical data?

[Diagram: the patient surrounded by Hospital, Examination, Dentist, Pharmacy, Laboratory, Insurance, Advertiser and Employer]


4. Usage Control: Data Provenance by Digital Watermarking (slide 6)

Mechanisms and methods by phase of execution:

Before the execution (preventive):
- Policies: Extended Privacy Definition Tools (ExPDT)
- Process Rewriting, Workflow Patterns, Vulnerability Analysis

During the execution (preventive):
- Execution Monitoring
- Unlinkable Delegation of Rights

After the execution (reactive):
- Model Reconstruction
- Audits / Forensics
- Architectures for Data Provenance

Research collaboration between University of Freiburg and NII


4. Data Provenance in EHR (slide 7)

- Data provenance: information to determine the derivation history of data.
- In an audit, data provenance can be used to restore the information flow.

Example:
[Diagram: the patient's medical data passes from the Patient to the Advertiser, from the Advertiser to the Laboratory and to the Employer, and from the Laboratory to the Employer; each copy carries a growing provenance list, e.g. Patient; Patient, Advertiser; Patient, Advertiser, Laboratory; Patient, Advertiser, Laboratory, Employer; Patient, Advertiser, Employer]


4. Digital Watermarking Method (slide 8)

- Watermarking is a method to bind provenance information as a tag to data.
- The EHR/medical system must enforce that
  – disclosed data is tagged with updated provenance information, and
  – provenance information is authentic.

Steps of a disclosure (data provider, e.g. Advertiser; data consumer, e.g. Laboratory; EHR/medical system with a watermarking service):
1) Access request
2) Fetch data
3) Apply tag
4) Deliver tagged data


4. Digital Watermarking Scheme (slide 9)

- Data provenance information: linking the identities of data provider and data consumer with access to medical data.
- Detection by the patient via delegated access rights for medical data.

[Diagram: "Apply Tag": the data provider (Advertiser) discloses to the data consumer (Laboratory), and the provenance list grows from Patient, Advertiser to Patient, Advertiser, Laboratory, carried as a watermark symbol in the data; "Verify Tag": the patient, using delegated rights, checks the tag on the copies held by provider and consumer]
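The following Python model is an added illustration, not code from the slides or from the authors' project. It walks through the four disclosure steps of slide 8 (access request, fetch, apply tag, deliver), the apply-tag / verify-tag scheme of slide 9, and the audit use of provenance from slide 7. It assumes that the tag is an HMAC chain keyed with a secret the patient delegated to the watermarking service, standing in for a watermark actually embedded in the medical data; the class and function names (WatermarkingService, EHRSystem, information_flow, unwanted_disclosures) and the sample record are constructed for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class TaggedData:
    """Medical data plus its provenance chain: (provider, consumer, tag) entries, oldest first."""
    payload: bytes
    provenance: tuple = ()


class WatermarkingService:
    """Binds provenance information to data as an authenticated tag (hypothetical service).

    Assumption, not from the slides: the tag is an HMAC chain keyed with a secret the
    patient delegated to the service, standing in for a watermark embedded in the data.
    """

    def __init__(self, key: bytes):
        self._key = key

    def _tag(self, prev_tag: str, payload: bytes, provider: str, consumer: str) -> str:
        # Each link covers the previous tag, the data itself and both identities,
        # so an entry cannot be altered, dropped or reordered without detection.
        body = json.dumps([prev_tag, hashlib.sha256(payload).hexdigest(),
                           provider, consumer]).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def apply_tag(self, data: TaggedData, provider: str, consumer: str) -> TaggedData:
        prev = data.provenance[-1][2] if data.provenance else ""
        entry = (provider, consumer, self._tag(prev, data.payload, provider, consumer))
        return TaggedData(data.payload, data.provenance + (entry,))

    def verify_tag(self, data: TaggedData) -> bool:
        """True iff every link of the chain recomputes under the delegated key."""
        prev = ""
        for provider, consumer, tag in data.provenance:
            expected = self._tag(prev, data.payload, provider, consumer)
            if not hmac.compare_digest(expected, tag):
                return False
            prev = tag
        return True


class EHRSystem:
    """Enforces that disclosed data always leaves with updated, authentic provenance."""

    def __init__(self, service: WatermarkingService, store: dict):
        self._service = service
        self._store = store  # party name -> TaggedData copy that party currently holds

    def disclose(self, provider: str, consumer: str) -> TaggedData:
        # 1) access request: the consumer asks the system for data the provider holds
        if provider not in self._store:
            raise LookupError(f"{provider} holds no data to disclose")
        # 2) fetch data
        data = self._store[provider]
        # 3) apply tag: extend the provenance with the new (provider, consumer) link
        tagged = self._service.apply_tag(data, provider, consumer)
        # 4) deliver tagged data: the consumer now holds its own tagged copy
        self._store[consumer] = tagged
        return tagged


def information_flow(data: TaggedData) -> list:
    """Audit step: restore the chain of parties that handled this copy."""
    if not data.provenance:
        return []
    return [provider for provider, _, _ in data.provenance] + [data.provenance[-1][1]]


def unwanted_disclosures(data: TaggedData, delegated_rights: set) -> list:
    """Disclosures to parties the patient never granted access; each is backed by a verified tag."""
    return [(p, c) for p, c, _ in data.provenance if c not in delegated_rights]


def demo():
    service = WatermarkingService(b"constructed-demo-key-delegated-by-patient")
    record = TaggedData(b"blood test 2009-11: HbA1c 5.4%")  # constructed sample record
    ehr = EHRSystem(service, {"Patient": record})
    delegated = {"Laboratory"}  # the patient delegated access to the Laboratory only
    ehr.disclose("Patient", "Advertiser")      # the forced disclosure of slide 5
    ehr.disclose("Advertiser", "Laboratory")
    copy = ehr.disclose("Laboratory", "Employer")
    # The Advertiser tries to hide its role by dropping the first link of the chain
    forged = TaggedData(copy.payload, copy.provenance[1:])
    return (service.verify_tag(copy), information_flow(copy),
            unwanted_disclosures(copy, delegated), service.verify_tag(forged))


if __name__ == "__main__":
    print(demo())
```

With the symmetric key the patient can detect an unwanted disclosure and see the full flow Patient, Advertiser, Laboratory, Employer; the truncated chain fails verification because the Advertiser's link was computed over the patient's tag, not over an empty predecessor. To prove a disclosure to a third party (the accountability of slide 10) the service would sign each link instead of computing an HMAC, so that anyone holding the public key can verify the chain.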


5. Conclusion (slide 10)

- The patient becomes a weak spot.
- Data provenance can be used as a basis for accountability.
- The patient can prove that unwanted disclosures have occurred.

[Diagram: the patient surrounded by Hospital, Examination, Dentist, Pharmacy, Laboratory, Insurance, Advertiser and Employer]

Thank you