Securing electronic health records without impeding the flow of information

https://doi.org/10.1016/j.ijmedinf.2006.09.015

Abstract

Objective

We present an integrated set of technologies, known as the Hippocratic Database, that enable healthcare enterprises to comply with privacy and security laws without impeding the legitimate management, sharing, and analysis of personal health information.

Approach

The Hippocratic Database approach to securing electronic health records involves (1) active enforcement of fine-grained data disclosure policies using query modification techniques, (2) efficient auditing of past database access to verify compliance with policies and track security breaches, (3) data mining algorithms that preserve privacy by randomizing information at the individual level, (4) de-identification of personal health data using an optimal method of k-anonymization, and (5) information sharing across autonomous data sources using cryptographic protocols.

Conclusions

Our research confirms that policies concerning the disclosure of electronic health records can be reliably and efficiently enforced and audited at the database level. We further demonstrate that advanced data mining and anonymization techniques can be employed to analyze aggregate health records without revealing individual patient identities. Finally, we show that web services and commutative encryption can be used to share sensitive information selectively among autonomous entities without compromising security or privacy.

Introduction

The 1995 European Union Directive on Data Protection (“Directive”) [1] set forth stringent cross-industry standards regarding privacy and security of personal data. Pursuant to these standards, EU member states enacted data protection laws that obligate controllers of health data to provide all data subjects with: (1) notice of the purposes for which they collect and use personal data; (2) choice regarding whether their data may be disclosed to third parties or used for a different purpose than it was originally collected or subsequently authorized; (3) reasonable assurance that the data will be secured and its integrity maintained; (4) access to the data and the opportunity to correct inaccuracies; (5) legal recourse to ensure compliance with data protection requirements. EU states may allow processing of health data without patient consent for purposes of preventative medicine, diagnosis, treatment, management of medical services, or otherwise under professional confidentiality obligations, only if suitable safeguards are provided.

Similar laws in the United States [2], Canada [3], Australia [4], and Japan [5] require healthcare institutions to protect the privacy and security of personal health data. Advisory reports commissioned by the United States government [6], [7] also stress the importance of developing secure, interoperable electronic health records systems that preserve patient privacy. As countries around the world transition from paper-based to electronic health records infrastructures, compliance with these data protection laws will require sophisticated information management technologies. Healthcare organizations must implement privacy and security protections that do not unduly constrain proper use and dissemination of health data or inhibit scientific discovery. Technical and policy challenges concerning the widespread adoption of electronic health records systems have been discussed, for example, in [8] and [9].

The Hippocratic Database (“HDB”) [10] is an integrated set of technologies that manages disclosure of electronic health records in compliance with data protection laws without impeding the legitimate flow of information. HDB's Active Enforcement component limits disclosure of personal health information at a fine-grained level in strict accordance with enterprise policies, legal regulations, and individual patient choices. Its Compliance Auditing component efficiently tracks past disclosures to verify compliance with these policies. Finally, its data mining, de-identification, and information sharing components enable organizations to derive maximum value from sensitive data without compromising privacy or security.

The remainder of this paper is organized as follows. Sections 2 and 3 describe Active Enforcement and Compliance Auditing. Sections 4, 5 and 6 discuss HDB's Privacy-Preserving Data Mining, Optimal k-Anonymization, and Sovereign Information Integration components. In each section, we include example scenarios demonstrating practical applications of these technologies. In Section 7, we suggest a number of opportunities for further research in securely managing electronic health records. We conclude in Section 8.

Section snippets

Active Enforcement

HDB Active Enforcement (“AE”) [11] is a disclosure management component that is transparent to enterprise applications and agnostic to database systems. It resides in a layer above the database, rewriting user queries to conform to the organization's data disclosure policies and individual patient choices. AE enforces disclosure policies down to the cell-level in the database, allowing health organizations to comply with detailed requirements of data protection laws without recoding their
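To make the query-rewriting idea concrete, here is an added Python example (not HDB's own code) that applies a hypothetical purpose-based disclosure policy to a simple SELECT over a constructed `patients` table in SQLite. The table, its columns, the policy and the rows are all assumptions made for this illustration.

```python
import re
import sqlite3

# Constructed sample schema and data (assumptions for this example): each
# patient's choices are stored alongside the clinical columns they govern.
SCHEMA = """CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT,
    diagnosis TEXT, zip TEXT, allow_research INTEGER, allow_marketing INTEGER)"""
ROWS = [(1, "Ann", "asthma", "94120", 1, 0),
        (2, "Bob", "diabetes", "94121", 0, 0),
        (3, "Cy", "flu", "94122", 1, 1)]
DATA_COLUMNS = ["id", "name", "diagnosis", "zip"]

# Hypothetical disclosure policy: purpose -> {column: gating choice column}.
# A column absent for a purpose is never disclosed; a None gate means the
# column is always disclosed; otherwise it is shown only where the patient opted in.
POLICY = {
    "treatment": {"id": None, "name": None, "diagnosis": None, "zip": None},
    "research": {"id": None, "diagnosis": "allow_research", "zip": "allow_research"},
    "marketing": {"name": "allow_marketing", "zip": "allow_marketing"},
}

_SELECT = re.compile(r"^SELECT\s+(.+?)\s+FROM\s+patients(\s+WHERE\s+.+)?$", re.I | re.S)

def masked_view(purpose):
    """Subquery that exposes `patients` with the policy applied cell by cell."""
    allowed = POLICY[purpose]
    exprs = []
    for col in DATA_COLUMNS:
        if col not in allowed:
            exprs.append(f"NULL AS {col}")
        elif allowed[col] is None:
            exprs.append(col)
        else:  # cell-level masking driven by the patient's own choice
            exprs.append(f"CASE WHEN {allowed[col]} = 1 THEN {col} END AS {col}")
    return f"(SELECT {', '.join(exprs)} FROM patients) AS patients"

def rewrite(query, purpose):
    """Rewrite a simple SELECT so it runs against the masked view. Because the
    user's WHERE clause is evaluated over masked cells, filtering cannot be
    used to infer values the policy withholds."""
    m = _SELECT.match(query.strip().rstrip(";"))
    if not m:
        raise ValueError("only SELECT ... FROM patients [WHERE ...] is supported")
    return f"SELECT {m.group(1)} FROM {masked_view(purpose)}{m.group(2) or ''}"

def run(query, purpose):
    """Execute the rewritten query against an in-memory copy of the sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?, ?, ?, ?)", ROWS)
    return conn.execute(rewrite(query, purpose)).fetchall()
```

The application keeps issuing its ordinary query; only the rewriting layer knows the policy, which is what makes the approach transparent to applications.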

Compliance Auditing

Pursuant to the EU Directive and member state laws enacted thereunder, health organizations must be accountable to patients for all processing of their personal data. Upon request, patients are entitled to a description of the data disclosed, the recipients of the data, and the purposes of the processing. Further, member states must provide patients with a remedy for any breach of their rights under these data protection laws. In the United States, the Health Insurance Portability and

Privacy-Preserving Data Mining

HDB's Privacy-Preserving Data Mining (“PPDM”) [17] allows health organizations to mine aggregate data without revealing individually identifiable information. Thus, it enables analysis of large data sets for epidemiological studies and other medical research without violating patient privacy.

PPDM uses a randomizing function to perturb sensitive values in a patient's record such that they cannot be estimated with reasonable precision. From the randomized data, it reconstructs the original data
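An added Python example (not the paper's code) of the randomize-then-reconstruct idea: patient ages are perturbed with uniform noise, and the original age distribution is recovered from the perturbed values alone by iterative Bayesian reconstruction. The cohort, bin layout and noise range are constructed assumptions.

```python
import random

BIN_WIDTH, BINS = 10, 10      # ages 0..99 in ten bins of ten years (assumed)
ALPHA = 15.0                  # noise drawn uniformly from [-ALPHA, ALPHA] (assumed)

def randomize(ages, rng):
    """Perturb each patient's age so that no individual value can be recovered."""
    return [a + rng.uniform(-ALPHA, ALPHA) for a in ages]

def histogram(values):
    """Empirical bin frequencies (out-of-range values clamp to the edge bins)."""
    counts = [0] * BINS
    for v in values:
        counts[min(max(int(v // BIN_WIDTH), 0), BINS - 1)] += 1
    return [c / len(values) for c in counts]

def likelihood(w, b):
    """Density of a perturbed value w if the true age were uniform in bin b:
    the overlap of the noise window [w-ALPHA, w+ALPHA] with the bin."""
    lo = max(BIN_WIDTH * b, w - ALPHA)
    hi = min(BIN_WIDTH * (b + 1), w + ALPHA)
    return max(0.0, hi - lo) / (BIN_WIDTH * 2 * ALPHA)

def reconstruct(perturbed, iterations=50):
    """Iterative Bayesian reconstruction of the original bin frequencies from
    the perturbed values alone, starting from a uniform prior."""
    f = [1.0 / BINS] * BINS
    for _ in range(iterations):
        acc = [0.0] * BINS
        for w in perturbed:
            post = [likelihood(w, b) * f[b] for b in range(BINS)]
            total = sum(post)
            if total > 0:
                for b in range(BINS):
                    acc[b] += post[b] / total
        f = [x / len(perturbed) for x in acc]
    return f

def l1(p, q):
    """L1 distance between two bin-frequency vectors."""
    return sum(abs(a - b) for a, b in zip(p, q))

def demo(n=1500, seed=1):
    """Constructed cohort: about 30% of patients aged 20-29 and 70% aged 70-79.
    Returns (original, perturbed, reconstructed) bin frequencies."""
    rng = random.Random(seed)
    ages = [rng.uniform(20, 30) if rng.random() < 0.3 else rng.uniform(70, 80)
            for _ in range(n)]
    perturbed = randomize(ages, rng)
    return histogram(ages), histogram(perturbed), reconstruct(perturbed)
```

The perturbed histogram is smeared across neighbouring bins, while the reconstruction recovers the two age clusters without any individual age ever leaving the randomizer.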

Optimal k-Anonymization

The EU Directive generally prohibits the processing of personal health data without patient consent, unless required in connection with the provision of medical care. However, member states may allow exemptions to this prohibition if the data are processed under an obligation of professional secrecy or for reasons of substantial public interest, subject to suitable safeguards. In the US, HIPAA allows healthcare organizations to process personal data without patient consent if they remove all

Sovereign Information Integration

HDB's Sovereign Information Integration (“SII”) [22] component enables two or more autonomous entities to run queries across their databases in such a way that the results of the query are revealed, but no other data is exposed among the databases. SII uses a web services infrastructure to apply a set of commutative encryption functions to uniquely identifiable data in different orders and at different locations. The multiply encrypted values are then compared, and the query results provided,
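The exchange described above, as an added Python example that is not part of the paper or of HDB: commutative encryption is realised as modular exponentiation with a toy Mersenne prime modulus (an assumption for this illustration; a deployment would use a large safe prime), and the hospital and registry identifier lists are constructed.

```python
import hashlib
import random
from math import gcd

# Toy group parameter, constructed for this example (not from the paper): the
# Mersenne prime 2^127 - 1. For exponents coprime to P - 1, x -> x^k mod P is
# invertible and E_a(E_b(x)) == E_b(E_a(x)), i.e. the encryption commutes.
P = 2**127 - 1

def keygen(rng):
    """Pick a private exponent coprime to P - 1."""
    while True:
        k = rng.randrange(2, P - 1)
        if gcd(k, P - 1) == 1:
            return k

def to_group(identifier):
    """Hash an identifier (e.g. a patient ID) to a nonzero element mod P."""
    digest = hashlib.sha256(identifier.encode()).digest()
    return int.from_bytes(digest, "big") % P or 1

def encrypt(key, x):
    return pow(x, key, P)

def intersection(recv_ids, recv_key, send_ids, send_key, rng=random):
    """Receiver learns which of recv_ids the sender also holds; neither side
    sees the other's plaintext identifiers, only encrypted group elements."""
    # Step 1 (receiver -> sender): E_R(h(v)) for each receiver value, in order.
    y_r = [encrypt(recv_key, to_group(v)) for v in recv_ids]
    # Step 2 (sender -> receiver): E_S(E_R(h(v))), same order, so the receiver
    # can map each doubly encrypted value back to its own identifier.
    z_r = [encrypt(send_key, y) for y in y_r]
    # Step 3 (sender -> receiver): E_S(h(w)) for the sender's values, shuffled
    # so that their order reveals nothing about the sender's records.
    y_s = [encrypt(send_key, to_group(w)) for w in send_ids]
    rng.shuffle(y_s)
    # Step 4 (receiver, locally): E_R(E_S(h(w))) equals E_S(E_R(h(v))) exactly
    # when h(w) == h(v), so a set lookup yields the intersection.
    z_s = {encrypt(recv_key, y) for y in y_s}
    return sorted(v for v, z in zip(recv_ids, z_r) if z in z_s)

def demo():
    """Constructed scenario: a hospital checks which of its patients appear in
    a disease registry, without either side disclosing its full list."""
    rng = random.Random(7)
    hospital_ids = ["P001", "P002", "P003", "P004"]
    registry_ids = ["P002", "P004", "P999"]
    k_hospital, k_registry = keygen(rng), keygen(rng)
    return intersection(hospital_ids, k_hospital, registry_ids, k_registry, rng)
```

Only the receiver learns the matching identifiers; the sender sees nothing but singly encrypted values it cannot invert without the receiver's key.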

Policy specification

Effective HDB Active Enforcement controls rely on the ability of policies to capture the intent of the policy maker accurately. At the same time, the policy specification should be clear enough that the patient can easily understand the policy and the implications of his choices. While privacy policy specification languages such as P3P offer vast improvement over long legal texts of privacy policies and make policies amenable to symbolic manipulation, they fall short on readability and

Conclusion

We have shown how Hippocratic Database technologies protect the security of personal health records without sacrificing the value of information for diagnosis, treatment, or research purposes. Our example scenarios demonstrate how each of these technologies enables efficient management, sharing, and processing of sensitive data in compliance with the principles of the EU Directive and other data protection laws. We have also identified a number of significant technical challenges that remain in

References (26)

  • I. Iakovidis, Towards personal health record: current situation, obstacles and trends in implementation of electronic healthcare record in Europe, Int. J. Med. Inform. (1998)
  • European Union Directive on Data Protection, Off. J. Eur. Commun. (1995)
  • Health Insurance Portability and Accountability Act of 1996, United States Public Law, pp....
  • Personal Information Protection and Electronic Documents Act, Second Session, Thirty-sixth Parliament, 48–49 Elizabeth...
  • Privacy Act of 1988, Commonwealth of Australia, Act No. 119 of 1988 as...
  • Law on the Protection of Personal Information, promulgated by the Diet of Japan on May 30,...
  • President's Information Technology Advisory Committee, Revolutionizing Health Care through Information Technology,...
  • Commission on Systemic Interoperability, Ending the Document Game: Connecting and Transforming Your Healthcare through...
  • B. Humphreys, Electronic health record meets digital library, J. Am. Med. Inform. Assoc. (2000)
  • R. Agrawal et al., Hippocratic databases
  • K. Lefevre et al., Limiting disclosure in hippocratic databases
  • R. Sandhu et al., Role-based access control models, IEEE Comput. (1996)
  • L. Cranor et al., Platform for Privacy Preferences 1.0 (P3P1.0) Specification, W3C Recommendation (2002)
1 Work done while the author was at IBM Almaden Research Center.
