Article Preview
TopIntroduction
Recently, healthcare providers have started to use electronic health record systems which have significant benefits such as reducing healthcare costs, increasing the patient safety, improving the quality of care and empowering patients to more actively manage their health. There are a number of initiatives for adoption of electronic health records (EHRs) from different governments around the world, such as the directive on privacy and electronic communications in the U.S. known as the Health Insurance Portability and Accountability Act (HIPAA) (The US Department of Health and Human Services, 2003), which specify rules and standards to achieve security and privacy of health data. While EHR systems capture health data entered by health care professionals and access to health data is tightly controlled by existing legislations, personal health record (PHR) systems capture health data entered by individuals and stay outside the scope of this legislation. Before going into details on how to address the confidentiality issues, let us introduce the definition of PHR system (The personal health working group final report, 2004):
“An electronic application through which individuals can access, manage and share their health information, and that of others for whom they are authorized, in a private, secure, and confidential environment.”
PHR systems are unique in their design since they try to solve the problem that comes from scattering of medical information among many healthcare providers which leads to unnecessary paper work and medical mistakes (The personal health working group final report, 2004). The PHR contains all kinds of health-related information about an individual (say, Alice) (Tang, Ash, Bates, Overhage & Sands, 2006). Firstly, the PHR may contain medical data that Alice has from various medical service providers, for example about surgery, illness, family history, vaccinations, laboratory test results, allergies, drug reactions, etc. Secondly, the PHR may also contain information collected by Alice herself, for example weight change, food statistics, and any other information connected with her health. Controlling access to PHRs is one of the central themes in deploying a secure PHR system. Inappropriate disclosure of the PHRs may cause an individual serious problems. For example, if Alice has some disease and a prospective employer obtains this, then she might be discriminated in finding a job.
Commercial efforts to build Web-based PHR systems, such as Microsoft HealthVault (Microsoft, 2007) and Google Health (Google, 2007), allow patients to store and share their PHRs with different healthcare providers. In these systems the patient has full control over her PHRs and plays the role of the security administrator - a patient decides who has the right to access which data. However, the access control model of these applications does not give a patient the flexibility to specify a fine-grained access-control policy. For example, today's Google Health access control is all-or-nothing - so if a patient authorizes her doctor to see only one PHR, the doctor will be able to see all other PHRs. Another problem is that the data has to be stored on a central server locked by the access control mechanism provided by Microsoft HealthVault or Google Health, and the patient loses control once the data is sent to the server. PHRs may contain sensitive information such as details of a patients disease, drug usage, sexual preferences, therefore, many patients are worried whether their PHRs will be treated as confidential by companies running data centers. Inappropriate disclosure of a PHR can change patients life, and there may be no way to repair such harm financially or technically. Therefore, it is crucial to protect PHRs when they are uploaded and stored in commercial Web-based systems.
TopProblem Statement
The problem addressed in this paper is the confidentiality of patient PHRs stored in commercial Web-based PHR systems. A solution to the problem is a system which would have the following security requirements:
- •
Protect patient PHRs from third parties (from the commercial Web-based PHR systems)
- •
Provide end-to-end security
- •
Allow only authorized users to have access to the patient PHRs
- •
Allow the patient to change the access policy dynamically