On Privacy in Medical Services with Electronic Health Records
SiHIS 2009, IMIA WG 4, Hiroshima, Japan
Sebastian Haas, Günter Müller (University of Freiburg, Germany)
Sven Wohlgemuth, Isao Echizen, Noboru Sonehara (National Institute of Informatics, Japan)
IIG - Telematics / National Institute of Informatics
Agenda
1. Medical Systems and Electronic Health Records
2. Shift to a new Health Record Scenario
3. The Patient as Target
4. Usage Control: Data Provenance by Digital Watermarking
5. Conclusion
1. Medical Systems and Electronic Health Records
Various medical systems are used to support treatment.
These systems use electronic health records (EHR) about the patient.
As a result there are many EHRs about one patient at many different locations.
[Figure: the patient surrounded by the medical systems that hold records about them: Hospital, Laboratory, Examination, Dentist, Pharmacy]
2. Shift to a new Health Record Scenario (1/2)
Three stages of IT security, by metaphor, technology and security model:
  Castle      - Mainframe          - Server-based Security
  Marketplace - Internet           - Insiders and Outsiders
  Metropolis  - De-Perimetrization - Client-based Security
2. Shift to a new Health Record Scenario (2/2)
Current scenario: the patient's data is stored in many medical systems (Hospital, Laboratory, Examination, Dentist, Pharmacy), and each medical system is in charge of the patient's data it holds.
New scenario: all data about the patient is stored in one location, a central EHR, and the patient is in charge of this data.
3. The Patient as Target
With a central EHR the patient "inherits" the responsibility and the risk that used to lie with the medical systems.
Dishonest parties may force the patient to reveal medical data.
Privacy problem: how can the patient be protected from being forced to reveal medical data?
[Figure: the patient now faces not only the medical systems (Hospital, Examination, Dentist, Pharmacy, Laboratory) but also parties with an interest in the data: Insurance, Advertiser, Employer]
4. Usage Control: Data Provenance by Digital Watermarking
Usage control measures, ordered by the phase of execution in which they act (preventive measures act before and during execution, reactive measures after it):

                       | Before the execution         | During the execution            | After the execution
  Policies             | Extended Privacy Definition  |                                 |
                       | Tools (ExPDT)                |                                 |
  Mechanisms & Methods | Process Rewriting            | Execution Monitoring            | Model Reconstruction
                       | Workflow Patterns            | Unlinkable Delegation of Rights | Audits / Forensics
                       | Vulnerability Analysis       |                                 | Architectures for Data Provenance

Research collaboration between the University of Freiburg and NII.
4. Data Provenance in EHR
Data provenance: information to determine the derivation history of data.
In an audit, data provenance can be used to restore the information flow.
Example (figure): medical data leaves the patient and is passed on; each copy carries as provenance the chain of parties it has passed through.
  Copy held by Advertiser (received from Patient):     Patient, Advertiser
  Copy held by Laboratory (received from Advertiser):  Patient, Advertiser, Laboratory
  Copy held by Employer (received from Advertiser):    Patient, Advertiser, Employer
  Copy held by Employer (received from Laboratory):    Patient, Advertiser, Laboratory, Employer
4. Digital Watermarking Method
Watermarking is a method to bind provenance information as a tag to the data.
The EHR/medical system must enforce that
- disclosed data is tagged with updated provenance information, and
- the provenance information is authentic.
Steps of a disclosure (figure: data provider, e.g. Advertiser, operating an EHR/medical system with a watermarking service; data consumer, e.g. Laboratory):
1) Access request (data consumer to the data provider's system)
2) Fetch data
3) Apply tag (watermarking service)
4) Deliver tagged data to the data consumer
4. Digital Watermarking Scheme
Data provenance information links the identities of the data provider and the data consumer to an access to the medical data.
Detection by the patient: the patient verifies the tag via the access rights for the medical data that the patient has delegated.
[Figure, left: "Apply Tag" (data provider -> data consumer): Advertiser discloses to Laboratory; using the patient's delegated rights the tag is extended from (Patient, Advertiser) to (Patient, Advertiser, Laboratory).
 Figure, right: "Verify Tag" (patient, data provider, data consumer): the patient checks the tag (Patient, Advertiser, Laboratory) on the Laboratory's copy and learns that the data went from Advertiser to Laboratory.]
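The following is an added illustration of the tagging and verification flow of slides 7 to 9, not the authors' code. It assumes, which the slides do not state, that the provenance tag is carried as metadata next to the data (a real watermark would embed it in the content) and that each hop is authenticated with an HMAC chain under a key the watermarking service holds on the patient's behalf, standing in for the "delegated access rights" of slide 9. Party names and the sample record are constructed for the example.

```python
"""Provenance tags for disclosed medical data: every disclosure appends a
(provider, consumer) hop whose MAC covers the previous hop and the data,
so the patient can later reconstruct the information flow of a copy and
show which party passed it on to whom.

Assumptions (not from the slides): tag = HMAC chain, key held by the
watermarking service on the patient's behalf; tag travels as metadata.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Hop:
    provider: str
    consumer: str
    mac: str  # hex HMAC over (previous hop MAC, provider, consumer, data hash)


@dataclass(frozen=True)
class TaggedData:
    payload: bytes
    hops: tuple  # Hop objects, oldest first; () for the patient's own copy


def _data_hash(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()


def _hop_mac(key: bytes, prev_mac: str, provider: str, consumer: str, data_hash: str) -> str:
    msg = "|".join([prev_mac, provider, consumer, data_hash]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def disclose(key: bytes, item: TaggedData, provider: str, consumer: str) -> TaggedData:
    """Steps 1-4 of slide 8 in one call: the consumer requests access, the
    provider's system fetches the data, the watermarking service applies an
    updated tag, and the tagged copy is delivered to the consumer."""
    prev = item.hops[-1].mac if item.hops else ""
    mac = _hop_mac(key, prev, provider, consumer, _data_hash(item.payload))
    return TaggedData(item.payload, item.hops + (Hop(provider, consumer, mac),))


def verify(key: bytes, item: TaggedData):
    """Recompute the chain. Returns (authentic, path); path is the list of
    parties the copy passed through, e.g. ['Patient', 'Advertiser', ...].
    A dropped, reordered or forged hop, or a modified payload, makes
    authentic False; path then holds the hops verified so far."""
    prev = ""
    data_hash = _data_hash(item.payload)
    path = []
    for hop in item.hops:
        expected = _hop_mac(key, prev, hop.provider, hop.consumer, data_hash)
        if not hmac.compare_digest(expected, hop.mac):
            return False, path
        if path and path[-1] != hop.provider:
            return False, path  # a hop may only be added by the current holder
        if not path:
            path.append(hop.provider)
        path.append(hop.consumer)
        prev = hop.mac
    return True, path


def unwanted_disclosures(key: bytes, item: TaggedData, allowed: set):
    """Audit step of the conclusion: which hop handed the data to a party
    outside the patient's policy? Returns a list of (provider, consumer)
    violations, or None when the tag is not authentic."""
    ok, path = verify(key, item)
    if not ok:
        return None
    return [(p, c) for p, c in zip(path, path[1:]) if c not in allowed]


# Constructed demo key and record (not real data).
KEY = b"demo key held by the watermarking service"
RECORD = TaggedData(b"lab result: HbA1c 5.4 %", ())


def slide7_example():
    """Replays the flow of slide 7: Patient -> Advertiser -> Laboratory -> Employer."""
    at_advertiser = disclose(KEY, RECORD, "Patient", "Advertiser")
    at_laboratory = disclose(KEY, at_advertiser, "Advertiser", "Laboratory")
    at_employer = disclose(KEY, at_laboratory, "Laboratory", "Employer")
    # An employer who strips the Laboratory hop to hide where the data came from:
    stripped = TaggedData(at_employer.payload, at_employer.hops[:1] + at_employer.hops[2:])
    # A copy whose content was altered after tagging:
    altered = TaggedData(b"lab result: HbA1c 9.9 %", at_employer.hops)
    return {
        "employer_path": verify(KEY, at_employer),
        "violations": unwanted_disclosures(KEY, at_employer, {"Advertiser", "Laboratory"}),
        "stripped_authentic": verify(KEY, stripped)[0],
        "altered_authentic": verify(KEY, altered)[0],
    }


if __name__ == "__main__":
    for name, value in slide7_example().items():
        print(f"{name}: {value}")
```

The audit result names the Laboratory as the party that disclosed to the Employer, which is the accountability the conclusion asks for; removing a hop or changing the payload breaks the chain instead of producing a shorter but still valid history.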
5. Conclusion
The patient becomes a weak spot.
Data provenance can be used as a basis for accountability.
The patient can prove that unwanted disclosures have occurred.
[Figure: the patient and the parties around them: Hospital, Examination, Dentist, Pharmacy, Laboratory, Insurance, Advertiser, Employer]
Thank you