Conference PaperPDF Available

Protecting Patient Privacy when Sharing Medical Data


Abstract and Figures

This paper describes a national eHealth platform concept with a multi-level privacy protection in order to improve the security and privacy of medical information on their storage locations as well as during the exchanging/sharing processes. The key idea is to classify and split-up data into different servers. A Trusted Third Party server manages personal identifying data together with the related pseudonyms while the medical information server manages the related medical data assigned to pseudonyms. The well known IHE-XDS profiles are enriched by Public Key Infrastructure, symmetric and asymmetric encryption together with pseudonymization methods. IHE-XDS promote the interoperability level and the extensions increase the security level.
Content may be subject to copyright.
Protecting Patient Privacy when Sharing Medical Data
Stefan Benzschawel
CR SANTEC - Public Research Center Henri Tudor
Luxembourg-Kirchberg, Luxembourg
Marcos Da Silveira
CR SANTEC - Public Research Center Henri Tudor
Luxembourg-Kirchberg, Luxembourg
Abstract This paper describes a national eHealth platform
concept with a multi-level privacy protection in order to
improve the security and privacy of medical information on
their storage locations as well as during the
exchanging/sharing processes. The key idea is to classify and
split-up data into different servers. A Trusted Third Party
server manages personal identifying data together with the
related pseudonyms while the medical information server
manages the related medical data assigned to pseudonyms. The
well known IHE-XDS profiles are enriched by Public Key
Infrastructure, symmetric and asymmetric encryption together
with pseudonymization methods. IHE-XDS promote the
interoperability level and the extensions increase the security
Keywords— eHealth; Patient Privacy; Electronic Health
Records; Secure Patient Data Storage
Healthcare technologies are moving from isolated and
autonomous solutions to more interoperable ones. The main
expectations of this change are to provide better ways to
exchange and share medical information and to improve the
quality of services offered to the patients.
In this context, medical data is supposed to be available
online where healthcare professionals can access it at any
time and from any place. Basically, it will be transmitted
over Internet, dedicated Virtual Private Networks (VPN),
and hospital networks. The on-line access to medical
information can have two major consequences: it can
support healthcare professional to take better decisions; it
can increase the risk of loss of privacy and malicious
attacks. The goal of designing and implementing eHealth
platforms is to reinforce the former consequence and to
reduce or eliminate the second one. This paper focuses on
the strategy to widely reduce the malicious attacks’ risk and
to assure the privacy of patients during the storing and
exchange (sharing) of medical information by using the
eHealth platform.
Some cryptographic protocols have proved their
efficiency to provide data-security for communications over
networks but they do not fully prevent attacks to users’
computers or servers. An eHealth platform has to deal with
these risks, control authentication, authorization, and
integrity. Several countries are implementing different
solutions to satisfy these needs, but the evolution of the
applications, methods and laws had forced some of them to
review partially or completely their approaches.
The terms “central” and “decentral” mostly refer to the
location of the information repositories. In enlarging this
interpretation towards different components of a system, the
term “central” refers to a system where the components are
in one location, managed by one staff of administrators. The
term “decentral” then refers to a distributed system. The
security advantage of decentral systems is that an attacker
will get only a part of the stored information. The
disadvantage is that the components (satellites) of the
distributed system may not be protected in the same “best”
way, as one can do for a centralized system.
The proposed solution respects both aspects – (1) avoid a
single attack point and (2) data-security for the satellites'
data. If the information stored in one satellite is unusable for
an attacker as long as information from other satellites is
missing, thus the hacked information of one satellite is
worthless alone. This paper describes a secure IT-platform
based on this idea. It protects the stored information against
external intruder attacks as well as against internal
administrator attacks. The layout is based on the IHE-XDS
[1] profile, extended with pseudonymization, encryption,
and signature functionalities.
Patients' data are distributed within the system in two
main parts: One for storing the medical information under
pseudonyms and the other for mapping the pseudonyms to
the patients' identity data. The benefit is: if one part of data
is stolen, the information is useless. Neither the mapping
table nor the medical database with pseudonyms is really
useful alone.
In the case where medical data contains additional person
identifying information, like a name printed on an X-ray
picture, then the medical data (i.e., the X-ray) is encrypted
and stored under a pseudonym.
The access to the stored information is realized with a
web application. As the web-server in the Internet is a high
security risk, the patient's identifying data are hidden against
the web-server. Illegal server logs on the web-server are
useless. Also to avoid illegal web-server logs, the
transferred medical results are encrypted on their way over
the web-server.
The platform is protected against unauthorized access by
multiple security levels. The initial login is done with a
108Copyright (c) IARIA, 2011. ISBN: 978-1-61208-003-1
eTELEMED 2011 : The Third International Conference on eHealth, Telemedicine, and Social Medicine
personal ID-card. A user&role directory guards the legal
access to the system.
Finally, an elaborated consent management protects any
undesired access on the base of the patients' will. The
special case of an information access during an emergency
situation of the patient implies sending an information about
the data access to the patient, his family doctor or any other
named contact person.
In the next section, some related works are shortly
presented and discussed. Section III introduces the
architectural approach.
Data stored in and transmitted through an Internet-based
platform are confronted with a set of attack possibilities. In
health care domain, medical data and personal data can be
exchanged and managed by services provided in a platform.
It also includes privacy and data protection. Patients want to
be sure that their personal and medical information is not
misused. They want to know how their data is utilized,
disclosed, and protected, and the degree of control they will
have over the dissemination of this information. They are
also worried about possible undesirable economic and social
consequences from the misuse of such information [2][3].
Users of healthcare services are unwilling to have their
personal information distributed other than for purposes of
clinical care and they would like to be consulted before their
information is released. The right to decide which personal
information can be communicated to others and under
which conditions constitutes their privacy rights and need to
be implemented in the platform system. Assuring privacy
implies that the platform needs to deal with, at least two
attack risks eavesdropper and server intruders or curious
insiders [4]. Three potential types of attackers are described
in [4]: Client intruder, which attack the client computer
(e.g., trojan); Eavesdropper, which compromise or owns a
subset of communication’s nodes to collect and analyze
messages that are routed over them; Curious insider or
server intruder, this attackers have administrative privileges
and can access all data in the server.
For the client intruders’ risk, we assume that users are
responsible for the protection of their own system and of
data saved in their computer. The access to the platform is
protected by a system based on the electronic cards that
provides identification and signature services. If an intruder
steals the identity of the user he will need to have his card
and know his password to use the platform. Other countries
have also adopted electronic cards for health data
management and patient identification (eCard in Austria[5],
eGK in Germany[6], Vitale in France[7], etc), this type of
card has shown its efficacy in banking domain and are
widely accepted by users.
The other two types of attacks are directly related to the
security strategy of the platform. Cryptography (e.g., Public
Key Infrastructure) is commonly used in eHealth platforms
to avoid eavesdropper, however a communication protocol
should be defined to avoid that encrypted data and
decryption keys cross the same node without a specific
protection. The Belgium platform deals with this problem
by implementing an end-to-end communication [8], then the
private key is expected to never leaves the client computer.
However, this solution does not allow sharing data when the
receiver is unknown. For example, a prescription cannot be
accessed by a pharmacy if the pharmacy was not chose by
patient/doctor at the moment of the e-prescription creation.
In Luxembourg [9], the eHealth platform has been
designed to store (temporarily) medical data, and users will
be able to access this data. In this case, the information
cannot be encrypted with the public key of the (unknown)
receiver and saving unencrypted data will open a door for
server intruders or curious insiders attacks. The protocol
proposed in this paper deals with this situation using
symmetric encryption associated to asymmetric encryption
for the symmetric keys [10], an identity and role control
system and a pseudonymization of unencrypted data [11].
This encryption technologies are well known by Network
administrators, however, associating it with
pseudonymization techniques are not usual, as much as we
know the proposed solutions use proprietary message
structures. As semantic interoperability is an important step
to promote sharing/exchange of information in the medical
domain, the contribution of our work is the association of
these technologies within the IHE-XDS profile.
Ideally, privacy is assured if a consumer uses a resource
or service without disclosing his consumer identity; the
resource or service can be used multiple times without
others being able to link these uses together (unlinkability)
or observe that this resource is being used (unobservability)
[2]. In medical domain, it can be illustrated by a doctor
accessing a set of data of one patient stored in several
repositories. The system need to assure that nobody else can
know that all these data belongs to the same patient
(unlinkability). Or, when a patient access his own data, the
system should assure that nobody will observe it
(unobservabiity), because if the user (patient) is associated
to the data, the unlinkability criteria is lost. The encryption
and the pseudonymization techniques can not solve this
problem. An organizational strategy is necessary to improve
the privacy of patients, and this is another contribution of
the paper.
The eHealth architecture detailed in the next section
shows how privacy, hiding users’ identity and assuring
authenticity/integrity of documents and messages can be
established. The approach is based on a multi-level
architecture where: users are authenticated by a trust
authority and associated to a set of rights access; data are
pseudonymized; non-anonymized documents are encrypted;
strict sequences of activities are provided; and messages are
stored encrypted for audits purposes.
109Copyright (c) IARIA, 2011. ISBN: 978-1-61208-003-1
eTELEMED 2011 : The Third International Conference on eHealth, Telemedicine, and Social Medicine
The main components of the proposed eHealth platform
are presented in Figure 1. Some components (e.g., LDAP,
CA, STS, etc.) are omitted to improve the visibility and the
architecture explanation. The technology used to implement
these components are out of the scope of this paper. The
architecture was defined to support centralized and
decentralized information repositories, based on the IHE
XDS infrastructure profile with a central registry, one or
more centralized repositories and one or multiple
decentralized repositories.
The heart of this platform is the Central Medical
Registry (CMReg). Each document provided by the primary
systems is registered in the CMReg with its physical
location in one of the repositories. For illustration, Figure 1
shows two centralized repositories: (1) the Centralized
Medical Data Repository (CMDRepo) stores unencrypted
information without any person identifying data; and (2) the
Internal Document Management System (Int. DMS) that
stores encrypted medical information, which may contain,
as well, person identifying data. External storage of data is
also supported by the platform. For example, Primary
Systems may decide to use their own repositories (Ext.
DMS), placed in a DMZ (Demilitarized Zone) from their
network. Those external repositories always contain
encrypted information.
This organization allows normalizing data storage and
data retrieving within all data repositories. CMReg keeps
meta-data of all information registered in the platform, what
makes the CMReg a potential target for malicious attacks.
Protecting the CMReg is one priority of our security
strategy. A set of components is combined to improve the
security of the system. In order to describe the data
exchange protocol, it is assumed that an existing Public Key
Infrastructure (PKI) is in place and each registered entity
has a public/private identity key pair. The notations
introduced in Table 1 are used.
Table 1: Notations
Notation Meaning
PI Patient Identifying Data (name, address, sex, …)
MD Medical Data (lab results, diagnosis, …)
EU End User. Can be patients, health providers,
researchers, etc.
SK Symmetric key
Tk Token
ps Pseudonym
(m)SK Message encrypted with a symmetric key
(m)UPK Message encrypted with the public key of a user U
A. User identification
Two groups of users are considered for the eHealth
platform, according to the role that they play: (1) Primary
Systems, who uses the platform to send medical data
produced by healthcare providers (ex., laboratory results, x-
rays, or discharge letters) via the “Push” web-service; (2)
End Users, healthcare professionals or patients that use the
platform to acquire stored medical information.
The procedure to use the platform is the same for both
groups. Users need an electronic card (eID for short) for
authentication and for data integrity (through e-signature of
The access to the system requests the following steps:
Figure 1: Architecture of the Platform
110Copyright (c) IARIA, 2011. ISBN: 978-1-61208-003-1
eTELEMED 2011 : The Third International Conference on eHealth, Telemedicine, and Social Medicine
1. Users holding their eID to request an “entry ticket”
to the Secure Token Service (STS). The user can request
an entry token via Web (i.e., as data consumer through a
Web-client right side of Figure 1) or via an Intranet
(i.e., as data producer through HealthNet left side of
Figure 1). The request message is signed on user's side
and encrypted with the STS public key.
2. STS verifies the signature with the certification
authority (CA). If refused, the user’s access is denied.
CA STS: (Check result)STSPK
3. STS requests access rights information to
Lightweight Directory Access Protocol (LDAP)
manager. The answer is a set of roles that this user can
4. STS prepares the entry ticket, encrypts it with the
user’s public key and sends it to the user.
STS User: (entry ticket)UserPK
For the client, the entry ticket will give the access to a set
of Web-applications in the Web-Server and for the Primary
Systems, it will allow them to use the “Push” web-services
provided by CMReg system.
This protocol requires that users are pre-registered at
STS, that they have an eID recognized by a certification
authority (CA) and that he uses this eID during the whole
process (entry and service request). Data (e.g., the entry
ticket) will be rendered encrypted and the user needs his
private key to decrypt. This strategy protects users from eID
B. Pseudonymization
As medical data are registered in the CMReg, they are
associated to pseudonyms and stored in one of the data
repositories. The mapping between pseudonyms and the
corresponding person identifying data is stored in a Trusted
Third Party (TTP). We use the term TTP for the mapping
software and TTP driver for the organization that operates
this software. The mapping between the person identifying
data and the pseudonyms must never be disclosed. To assure
this, a «token» is used and all communication is encrypted.
The psedonymization service can be summarized in the
following 6 steps:
1. The Primary Systems (PrS) provides a clean
separation of person identifying data and its related
medical data (i.e., two separated documents are created).
The medical data may be unencrypted but without any
person-identifying information, or encrypted.
2. The person identifying data is sent to the TTP
together with a token. PrS TTP: (Tk,PI)TTPPK
3. The medical data (or a reference to the medical
data) is sent to the CMReg (Push service) with the same
token. The document itself is stored in one of the
repositories. PrS CMReg: (Tk, MD)CMReg PK
4. The TTP generates a pseudonym, stores it besides
the person identifying data and waits for the CMReg
asking for the pseudonym.
5. The CMReg sends a request to TTP with the
“token” and gets back the generated pseudonym:
TTP CMReg: (Tk,ps)CMReg PK
6. CMReg establish a mapping between the
pseudonym and the (encrypted) document with the
medical data. The pseudonym becomes part of the meta-
data of the document and is not visible outside of the
Additional security packs can be used to improve the
privacy of patients. For example:
Scheduled pseudonym exchange: The pseudonyms
will be exchanged on a regular basis each hour or if
necessary in shorter intervals. The stolen mapping table
of a hypothetical evil TTP administrator only works if
the hypothetical evil PMIP administrator has stolen the
medical databases during the same time interval. If this
extension gets necessary further elaboration concerning
the switching time has to be done.
Multiple pseudonymization: To further enlarge the
trust level, multiple pseudonymization steps are
possible. The first pseudonymization service maps real
identities to pseudonyms. The second pseudonymization
service maps the first pseudonym to a second
pseudonym. The n-th pseudonymization service maps
the (n-1)-th pseudonym to an n-th pseudonym. Each
pseudonymization mapping is hosted by an independent
trusted N-th party.
A combination of scheduled pseudonym exchange
and multiple pseudonymization with different
pseudonym exchange intervals of the different levels is
111Copyright (c) IARIA, 2011. ISBN: 978-1-61208-003-1
eTELEMED 2011 : The Third International Conference on eHealth, Telemedicine, and Social Medicine
C. Encryption/Re-Encryption
When the separation of person identifying data and the
related medical data is not possible (e.g., X-ray image), the
privacy is guaranteed by a combined encryption strategy. It
consists of 5 steps:
1. The medical document (MD) is symmetrically
encrypted with a symmetric key generated by the PrS
one for each document, respectively;
2. The symmetric key is encrypted with the public
key of TTP;
3. The encrypted document and the encrypted key is
stored together in one of the repositories.
4. When requested by an authorized user, the
encrypted key of the document is separated from the
document, sent to TTP, which will be in charge of re-
encrypting the key with the public key of the legal
requester, and regrouped with the document:
5. Both, the encrypted document and the re-encrypted
key, are sent to the end-user.
This distributed encryption/re-encryption strategy
prevents both insiders’ server attacks and eavesdroppers.
The repositories store the encrypted documents with the
encrypted keys. The re-encryption of the encrypted
symmetric keys is done at the TTP side. The TTP never has
access to the encrypted document while the repository never
has access to a disclosed symmetric key. For eavesdroppers
of the repository or eavesdroppers of the TTP the same
argument holds like for the corresponding administrators.
Only with simultaneous access to TTP and repository the
information can be disclosed. In this process, the
pseudonym of the patient can differs from one primary
source to another, what improve the unlinkability of the
D. Hiding information from the servers’ administrators
Two types of files with medical data are stored in the
platform one unencrypted/pseudonymized and the other
encrypted/pseudonymized. At least 4 servers compose the
platform infrastructure (TTP, CMReg, Repositories, Web-
server). TPP and Repositories are protected by the trick
described above. The Web-server is often the main target of
attacks because it is used to transmit data to/from the end
user. A malicious administrator may install an illegal
logging, catching the requests containing patient names and
catching the results containing medical data for those
patients. With a simple strategy, after cumulating this log
information, the administrator may associate the set of
health data with patients’ identity. To prevent this, patient
identifying data are encrypted with the public key of the
TTP. Then the web-server only transmits the information to
the TTP. And the TTP has one additional step to do: it has
to decrypt the patient identifying data. Then it continues by
looking-up and providing the pseudonyms and waiting for
the CMReg request for the pseudonym-list. An analogous
tunneling method is applied for result transmission over the
web-server to the receiver.
E. Consent and User Management
A secure token service with a healthcare related LDAP
guards the access to the whole system. Users need to be pre-
registered and associate to a set of access rights to use the
applications of the system. An elaborated consent
management system protects medical information from any
unwished access on the basis of the patient's will. For
example:for all documents, for an episode, for a
medical case;
for all doctors, for all doctors of a special
discipline, for named doctors;
for exchange over borders;
for access in emergency case;
A specific consent description language [12] has been
proposed to declare consents. CMReg checks the
conformance of an access first with the patients' consent
declaration for each requested document. Patients can
access the system via web-applications and their identity
will be substituted by a pseudonym define by TTP
(following the same process described in 3.2).
F. Trustful statistics
Pseudonymized results in the platform offers the
possibility of using data for statistics analysis without the
risk of data protection violations. Therefore a preparation
process is necessary to exchange the internal used
pseudonyms by other pseudonyms created for the statistics
purposes. Internal used pseudonyms are supposed to be
hidden from external users. Statistics analysis can use a
predefined set of not encrypted medical data that must not
contain patient identity information. If further statistical
research has to be done, where personal data like age and
sex are necessary, exceptions can be created. But, it may
require special authorizations from public authorities in
order to guarantee citizens’ privacy.
112Copyright (c) IARIA, 2011. ISBN: 978-1-61208-003-1
eTELEMED 2011 : The Third International Conference on eHealth, Telemedicine, and Social Medicine
This paper has presented an architecture for eHealth
platforms that combine different methods for data protection
in order to improve the security level and assure the privacy
of patient’s data.
The architecture’s concept was developed based on
standards protocols and proposes some extensions for
multi-level privacy protection. The extensions consist
mainly on the communication with the Trusted Third Party
server and are shown to be necessary when considering
potential intern attacks (malicious administrators). A
“ticket” based protocol is proposed to assure authentication
of users. It is associated with an electronic card (provided
by a certification authority) that offers signature and
identification services.
The architecture was designed to promote exchange and
sharing of medical data and to collect/store data for statistics
finalities. Thus, the collected data could not be encrypted,
but the identity of the patients is never exposed. The
proposed approach uses pseudonymization methods for
hiding patient’s identifying data. But, during the data
exchange process, even pseudonymized data are encrypted
using PKI solutions to avoid eavesdroppers attacks. As the
platform was not conceived to provide P2P communication,
a strategy to safely store unanonymized data was necessary.
An association of symmetric and asymmetric encryption is
proposed, which involves at least two different servers to
provide the necessary information to the end user. This
approach has shown to be efficient against insiders’ servers
attacks and against client intruders that try to steal the client
Future works are planned to improve the identity
protection when the patient should be able to access his own
data. This particular increase the risk of eavesdroppers
attacks over the web-server because the identity of the
patient is known (equal to the requester identity). We are
also working on the implementation of the platform and on
the validation with case studies specified with user groups.
The authors thank their partners from the Health Ministry
of Luxembourg for their very helpful advises and for
providing insights into organizational and legal aspects of
the eHealth platform.
[1] IHE Integrating the Healthcare Enterprise. IT infrastructure
technical framework vol.1 (iti tf-1) integration profiles.
Technical report, 2007. Last access: 10/12/2010
[2] G. Bansal, F. Zahedi, and D. Gefen, "The impact of personal
dispositions on information sensitivity, privacy concern and
trust in disclosing health information online," Decision
Support Systems, vol. 49, 2010, pp. 138-150.
[3] R. Au and P. Croll, "Consumer-Centric and Privacy-
Preserving Identity Management for Distributed E-Health
Systems," Proceedings of the 41st Annual Hawaii
International Conference on System Sciences (HICSS 2008),
2008, pp. 234-234.
[4] D. Slamanig and C. Stingl, "The Degree of Privacy in Web-
based Electronic Health Records," ECIFMBE 2008, J. Vander
Sloten, P. Verdonck, M. Nyssen, and J. Haueisen, (Eds.),
2008, pp. 974-977.
[5] Last access: 10/12/2010
[6] Last access: 10/12/2010 http://www.telematik-
[7] Last access: 10/12/2010 http://www.sesam-
[8] Last access: 10/12/2010
[9] S. Benzschawel, H. Zimmermann, M. Da Silveira, U. Roth, A.
Jahnen, “IT infrastructure for National Electronic Health
Records in Luxembourg – Acceptance occurs when benefits
outweigh disadvantages.” Global Telemedicine and eHealth
Updates: Knowledge Resources, vol. 3, Malina Jordanova and
Frank Lievens (Eds.), 2010, pp. 141-145
[10] D. Galindo and E. R. Verheul, “Pseudonymized Data
Sharing”. Privacy and Anonymity in Information
Management Systems. J. Nin, J. Herranz (Eds.). Series:
Advanced Information and Knowledge Processing, vol. 0, Part
3, 2010, pp. 157-179, DOI: 10.1007/978-1-84996-238-4_8
[11] T. Neubauer and J. Heurix, “A methodology for the
pseudnymization of medical data”. In press. International
journal of medical informatics, 2010,
[12] C. Pruski, “e-CRL: A Rule-based Language for Expressing
Patient Electronic Consent,” eTelemed 2010, Second
International Conference on eHealth, Telemedicine, and
Social Medicine, 2010, pp.141-146.
113Copyright (c) IARIA, 2011. ISBN: 978-1-61208-003-1
eTELEMED 2011 : The Third International Conference on eHealth, Telemedicine, and Social Medicine
... However, confidential health care information is often subject to a variety of risks, and an inconsistency and loss of such information can result in severe consequences [8]. Hence, a patient-centric e-Health system must provide the patients with control over the utilisation and dissemination of their own private information [9]. Unfortunately, traditional security mechanisms are insufficient to meet the requirements of patient-centric e-Health services in an open, dynamic Cloud Computing environment, mainly due to: ...
... Benzschawel et. al. pointed out that the main expectations of e-Health are to provide better ways to exchange and share medical information and to improve the quality of services offered to patients [9]. A multi-level architecture is proposed to protect patient privacy, which uses: a Central Medical Registry (CMReg) for authentication and authorisation purposes; a Centralised Medical Data Repository for storing anonymised medical documents; and a Document Management System for authorised users to associate medical documents with real patient identities. ...
... An object is identified by a unique identifier (UID) assigned by its owner domain. To withstand contextual privacy attacks [24], opaque pseudonyms are often used in place of transparent UIDs [9]. • Attribute: This refers to an atomic unit of information that is used to describe an object. ...
... We notice that most of the discussed works (Barua et al. (2011);Benzschawel & Da Silveira (2011);Fan et al. (2012);Hupperich et al. (2012)) apply public key cryptography (PKE). Benzschawel & Da Silveira (2011);Fan et al. (2012) have adopted the traditional PKE where PKI is involved to deliver key pairs (private / public) and digital certificates to authenticate users through a certificate authority CA. ...
... We notice that most of the discussed works (Barua et al. (2011);Benzschawel & Da Silveira (2011);Fan et al. (2012);Hupperich et al. (2012)) apply public key cryptography (PKE). Benzschawel & Da Silveira (2011);Fan et al. (2012) have adopted the traditional PKE where PKI is involved to deliver key pairs (private / public) and digital certificates to authenticate users through a certificate authority CA. However, if the CA is compromised, the cyber criminal could issues false certificates and misleads users to send data to illegitimate recipients. ...
Full-text available
Remote patient monitoring (RPM) system is an efficient technology that allows reducing healthcare costs and contamination risks, especially in the context of a pandemic. However, security and data privacy are the major challenges that hinder the development of such technology. A secure RPM system should satisfy several security requirements such as authentication, confidentiality, and access control. Public Key Infrastructure (PKI) is one of the main widely-used key management schemes. Unfortunately, in an e-Health system supporting constrained devices, PKI suffers from some issues related to the burden of certificate management (e.g., revocation, storage, and distribution) and the computational cost of certification verification. In this paper, we present our contribution to the development of a secure RPM system. Our security solution is based on Certificate-less Public Key Cryptography (CL-PKC) which ensures a dynamic solution for securing communications between patient devices and the e-Health services core. The proposed solution provides secure authentication and key agreement protocol to establish secret session keys. These keys are used for secure exchanging real-time electronic health records (EHR). To evaluate our approach, we conducted both simulation and real experiments. The security and performance analysis show that our approach is secure and effective while being easy to implement on resource-constrained devices with a low computational cost.
... Benzschawel and Da Silveira [44], proposed privacy preserving scheme using one-way (ir-reversible) pseudonymization. The personal identification data is separated from the medical document. ...
... Group membership refers to group they are member of. Attribute certificate contains certificate holder access information [44]. Attribute authority manages the access by storing the access control policies in the access policy file. ...
Full-text available
Recent advancement in digital and communication technologies has brought privacy aspects to the forefront. Although e-health has many advantages and it facilitates the patients and health service providers significantly, the possibility of privacy breaches can allow sensitive health care information to move into the wrong hands. Designing robust privacy preserving policies to strengthen the trust of patients in Electronic Health Records (EHRs) is imperative for its wide spread acceptance and success. In this paper, we propose, a framework to solve the privacy problem in a heterogeneous network of many clinical institutions, while preserving data utility and patients’ privacy. The contributions of the work include: (i) Scalable privacy-enabled architecture supporting reidentification of patient identity, (ii) context-aware privacypreserving scheme supporting named and anonymous linked inter-HSP and intra-HSP access to medical records. Moreover, to demonstrate the correctness of proposed privacy-aware scheme, we performed formal modeling and verification using High Level Petri Nets (HLPN) and Z3 Solver.
... This is for instance the case in Luxembourg regarding the security of the stored data [1]. Actually, in order to protect patient privacy and to prevent illegal use of personal health information, the data located on the platform must remain de-identified and encrypted [2]. This strong constraint is a clear barrier to implement efficient information retrieval mechanisms to support health professionals (HP) when searching for relevant information since submitted queries cannot be evaluated without the decryption of the data causing security breaches. ...
... It provides an overview of the content of the document without revealing information values such as the result of a medical exam and the identity of the patient. The encryption and pseudonymization of the data is ensured by a mechanism implementing a trusted third party in charge of maintaining the association between patient identity and pseudonyms used to index the documents [2] but this aspect goes beyond the scope of this paper. As a result, three kinds of document or information are available. ...
Full-text available
The recent development of eHealth platforms across the world, whose main objective is to centralize patient's healthcare information to ensure the best continuity of care, requires the development of advanced tools and techniques for supporting health professionals in retrieving relevant information in this vast quantity of data. However, for preserving patient's privacy, some countries decided to de-identify and encrypt data contained in the shared Electronic Health Records, which reinforces the complexity of proposing efficient medical information retrieval approach. In this paper, we describe an original approach exploiting standards metadata as well as knowledge organizing systems to overcome the barriers of data encryption for improving the results of medical information retrieval in centralized and encrypted Electronic Health Records. This is done through the exploitation of semantic properties provided by knowledge organizing systems, which enable query expansion. Furthermore, we provide an overview of the approach together with illustrating examples and a discussion on the advantages and limitations of the provided framework.
Full-text available
The variety and amount of patient healthcare digital data is rapidly expanding. The field of artificial intelligence has fast proven revolutionary for healthcare, allowing for unprecedented speed and precision in data analysis. Many hospitals have already transitioned to electronic health records (EHRs), a digital version of paper medical information. Information Technology has already aided in simplifying operations in this area, making the process far more efficient and patient-centered than in the past. A patient’s trust may disintegrate in the face of recurrent incidents if there is no precise control and safety in place. As a result, it limits the potential for digital health to promote an age of more accessible, connected, and individualized treatment. When it comes to picking a cloud solution, healthcare providers are most concerned about security and privacy. In this research, we seek to demonstrate various ways that aid patient data privacy while simultaneously allowing cloud services to be used.
Full-text available
Background: The collection of data and biospecimens which characterize patients and probands in-depth is a core element of modern biomedical research. Relevant data must be considered highly sensitive and it needs to be protected from unauthorized use and re-identification. In this context, laws, regulations, guidelines and best-practices often recommend or mandate pseudonymization, which means that directly identifying data of subjects (e.g. names and addresses) is stored separately from data which is primarily needed for scientific analyses. Discussion: When (authorized) re-identification of subjects is not an exceptional but a common procedure, e.g. due to longitudinal data collection, implementing pseudonymization can significantly increase the complexity of software solutions. For example, data stored in distributed databases, need to be dynamically combined with each other, which requires additional interfaces for communicating between the various subsystems. This increased complexity may lead to new attack vectors for intruders. Obviously, this is in contrast to the objective of improving data protection. What is lacking is a standardized process of evaluating and reporting risks, threats and countermeasures, which can be used to test whether integrating pseudonymization methods into data collection systems actually improves upon the degree of protection provided by system designs that simply follow common IT security best practices and implement fine-grained role-based access control models. To demonstrate that the methods used to describe systems employing pseudonymized data management are currently heterogeneous and ad-hoc, we examined the extent to which twelve recent studies address each of the six basic security properties defined by the International Organization for Standardization (ISO) standard 27,000. We show inconsistencies across the studies, with most of them failing to mention one or more security properties. Conclusion: We discuss the degree of privacy protection provided by implementing pseudonymization into research data collection processes. We conclude that (1) more research is needed on the interplay of pseudonymity, information security and data protection, (2) problem-specific guidelines for evaluating and reporting risks, threats and countermeasures should be developed and that (3) future work on pseudonymized research data collection should include the results of such structured and integrated analyses.
There is more computing power in your smart phone now than all the computers used by NASA in 1969 to place man on the moon.
Recently, both security and privacy are the growing concerns in eHealth platforms that deal with sensitive clinical data stored in electronic health records (EHR). Breaches or damage of sensitive data of an individual’s health record can be occurred due to attacks by hackers or malicious insiders. Therefore, it is very crucial to enforce privacy and security of clinical data in eHealth applications by technological means. Understanding and finding the issues related to the security and privacy of eHealth systems are important in designing and developing an effective eHealth system. In this paper, we therefore aim to investigate and analyze the recent security issues in eHealth applications and explore their solutions to preserve privacy and security of sensitive health data.
Full-text available
With the development of communication technologies, new forms of information collection, storage, and exchange have taken on a new importance in the field of health care. From a scientific point of view, the extensive sharing of medical information, along with the exchange and transfer of sensitive data and the combination of individual patient data with other available data sources, is seen as key strategy for discovering unknown factors influencing disease susceptibility and development. The merits of data sharing cannot be discussed without acknowledging the implicit dangers of misuse or unintended disclosure of health-record data. This chapter uses the concept of an eHealth platform, as an illustrative example of the potential action required to tackle the dichotomy between large-scale sharing of sensitive health data and the utmost protection of the data-subject’s privacy. An eHealth platform manages common access to electronic health records (EHR) by interdisciplinary and intersectoral health staff. Sharing is limited to each patient’s most relevant medical information and explicitly does not include all available medical details on the patient compiled in local health facilities. This chapter provides an analysis of the interdependence of public acceptance of eHealth technologies and legislation on data protection. The latter is enshrined by various international conventions as a fundamental human right. In the European Union, the protection of personal health data enjoys the very highest level of protection. Against this background, new information technologies in health care mean that the precise standards that define appropriate privacy protection, or, more specifically, what exactly the famous informed consent is good for, is still subject to ongoing disputes. Does consent remain the pivotal issue for any decision to legitimize the exceptional processing of data? Are research purposes of public interest deemed to be a sufficient justification for granting general access to an identifiable person’s sensitive data on the eHealth platform?
Technical Report
Full-text available
A national Electronic Health Record (EHR) platform aims to provide an environment where the most relevant medical information of patients can be safely shared and exchanged. The relevant information is compiled by the health professionals as users of the so called primary systems. These selections are composed into the national health record of each patient and/or send directly to an other involved health professional. The benefits of sharing are the increase of quality of care activities, reduction of redundant exams, and better contextualization of patients' health evolution with the full range of information about a patient's health constitution. Next steps are the implementation of decision support systems that use the available information in the EHR of a patient to support healthcare activities. This is the way towards a personalized medicine. Besides these direct personal advantages, statistical evaluations of a medical data can indirectly contribute to the improvement of care activities. The knowledge of systematic correlations can have an impact on the future treatment of patients. Sharing implies the trust on each other and it rises the danger of misuse of shared information. The access to such data by private insurance companies, banks, employers, etc. is forbidden by the law. Illegal attacks to access the information have to be avoided. Technically, the backbone of the system is described as follows: (1) Certificate-based user authentication for health professionals and patients. (2) Role-based user management with preregistered users. (3) Separated storage of identification data and medical data by use of pseudonymization. (4) Encryption of clinical documents. (5) Individual access restrictions through IT consent declarations. (6) Access to the logging information by the patient and automatic notifications to patients as psychological barrier against unjustified accesses done in the name of an “emergency situation”. (7) Nondisclosure guarantee with respect to administrators and intruders of the systems. External services of other parties in the healthcare sector can reuse the user authentication and user management that is offered by the platform. For statistical use, data protection is based on four pillars: (a) Stripped fragments of the medical reports are stored in a separated database. (b) Fragments are definitively without any person identifying data. (c) Same pseudonymization techniques are applied for the fragments. (d) Governmental IT consents are mandatory for using the data fragments for statistical analysis. The proposed concept for the eHealth platform is well founded on standards for document sharing and exchange in medical environments. The basic IT infrastructure consists of one central registry and multiple central and/or decentral repositories for the clinical documents. In order to assure a high level of data protection, the proposed concept includes some improvements with respect to the commonly usage of security standards. These improvements can be described as pragmatic combination of document exchange and sharing standards together with pseudonymization, encryption, and electronic signatures. This document will be used as conceptual implementation guide for the national eHealth platform of Luxembourg. As immediate next step a prototype of the eHealth platform will be implemented mainly to validate the technical feasibility of the proposed improvements. After this proof of concept the implementation guide and the experience gained with the implementation of the prototype will be presented to potential industrial partners in order to implement the productive eHealth platform.
Full-text available
Electronic Health Records (EHR) systems manage the most intimate and private information. The acceptance of EHR systems is proportional to their positive balance of benefits weighted against the risk of insufficient data protection. An objective, better treatment process for patients on the one side and a highly secured system on the other side are the most important preconditions. The aim of this paper is to present the requirements to design architectures to national eHealth platforms and to describe the architecture proposed by SAN-TEC team.
Conference Paper
Full-text available
A new framework of privacy-preserving identity management for distributed e-health systems is proposed. Utilizing a consumer-centric approach, the healthcare consumer maintains a pool of pseudonymous identifiers for use in different healthcare services. Without revealing the identity of consumers, health record data from different medical databases distributed in various clinic/hospitals can be collected and linked together on demand. While pseudo-anonymity preserves user privacy, the architectural design allows the anonymity to be revoked by a trusted authority under well-defined policies with legal-compliance. This framework inherits the advantages in centralized management for distributed medical databases Security of the interactions among different entities in the architecture is guaranteed by certification and cryptographic technologies.
Conference Paper
Full-text available
Since the advent of the Web, the health domain is progressively adopting emerging technologies what forces new paradigms, concepts and tools to be defined. Electronic consent is one of them. This recently defined notion aims at formalising electronically the agreement of the patient on sharing personal health information. However, existing approaches dealing with electronic consent do not provide the adequate concepts to express, in an unambiguous manner, patients' wishes with respect to the access and management of their personal health data. To correct this lack, we propose the e-CRL language. This language has been designed in order to facilitate the capture and to formalise the expression of patients' consent regarding the access and management of their health information. In this paper, we first discuss the objective such language must fulfil, we then introduce the syntax and the semantics of the e-CRL language and we eventually give some examples of e-CRL rules.
In this chapter pseudonymization and pseudonym intersection algorithms are proposed and analyzed. These two procedures combined make pseudonymized data sharing possible. Pseudonymized data sharing is used by organizations, that typically do not share information, to build and provide pseudonymized copies of their private databases to third parties – called researchers. Some basic security properties are satisfied: pseudonymity, meaning that it is infeasible to relate a pseudonym to its identity; and unlinkability, meaning that it is infeasible to decide if pseudonyms belonging to different researchers correspond to the same identity. Computing the equijoin of pseudonymized databases held by researchers A and B is enabled provided that they are given proper cryptographic keys. The outcome of the equijoin protocol between A and B is that party A learns virtually nothing, while party B learns the equijoin of A and B’s pseudonymized databases. We are able to prevent that malicious researchers abuse equijoin transitivity in the following sense: colluding researchers A, B, C cannot use equijoin keys for (A, B) and (B, C) to compute the equijoin of (A, C). As a prominent application of these algorithms we discuss the privacy-enhanced secondary usage of electronic health records.
Patient’s privacy is a crucial issue in the emerging field of Electronic Health Records (EHRs). Actual concepts mainly focus on patient centric and patient moderated solutions. Due to the sensitive character of medical data and the time and location independent access to these data there is the need for innovative methods which strongly protect the patient’s privacy. Many approaches that realize EHR systems do not provide adequate security concepts. In this paper we examine threats in context of EHRs and discuss methods that help to improve the privacy of patients.
Reluctance to provide personal health information could impede the success of web-based healthcare services. This paper focuses on the role of personal dispositions in disclosing health information online. The conceptual model argues that individuals' intention to disclose such information depends on their trust, privacy concern, and information sensitivity, which are determined by personal dispositions—personality traits, information sensitivity, health status, prior privacy invasions, risk beliefs, and experience—acting as intrinsic antecedents of trust. The data (collected via a lab experiment) and the analysis shed light on the role of personal dispositions. This could assist in enhancing healthcare websites and increase the success of online delivery of health services.
Purpose: E-health enables the sharing of patient-related data whenever and wherever necessary. Electronic health records (EHRs) promise to improve communication between health care providers, thus leading to better quality of patients' treatment and reduced costs. However, as highly sensitive patient information provides a promising goal for attackers and is also frequently demanded by insurance companies and employers, there is increasing social and political pressure regarding the prevention of health data misuse. This work addresses this problem and introduces a methodology that protects health records from unauthorized access and lets the patient as data owner decide who the authorized persons are, i.e., who the patient discloses her health information to. Therefore, the methodology prevents data disclosure that negatively influences the patient's life (e.g., by being denied health insurance or employment). Methods: This research uses a combination of conceptual-analytical, artifact-building and artifact-evaluating research approaches. The article starts with a detailed exploration of existing privacy protection mechanisms, such as encryption, anonymization and pseudonymization, by comparing and analyzing related work (conceptual-analytical approach). Based on these results and the identified shortcomings, a pseudonymization methodology is defined and evaluated by means of a threat analysis. Finally, the research results are validated with the design and implementation of a prototype (artifact building and artifact evaluation). Results: This paper presents a new methodology for the pseudonymization of medical data that stores health data decoupled from the corresponding patient-identifying information, allowing privacy-preserving secondary use of the health records in clinical studies without additional anonymization steps. In contrast to clinical studies, where it is not necessary to identify the individual participants, insurance companies and employers are interested in the health status of individuals such as potential insurance or job applicants. In this case, pseudonymized records are practically useless for these parties as the patient controls who is able to reestablish the link between health records and patient for primary use - usually only trusted health care providers. Conclusions: The framework provides health care providers with a unique solution that guarantees data privacy (e.g., according to HIPAA) and allows primary and secondary use of the data at the same time. The security analysis showed that the methodology is secure and protected against common intruder scenarios.
Pseudonymized Data Sharing". Privacy and Anonymity in Information Management Systems
  • D Galindo
  • E R Verheul
D. Galindo and E. R. Verheul, "Pseudonymized Data Sharing". Privacy and Anonymity in Information Management Systems. J. Nin, J. Herranz (Eds.). Series: Advanced Information and Knowledge Processing, vol. 0, Part 3, 2010, pp. 157-179, DOI: 10.1007/978-1-84996-238-4_8
A methodology for the pseudnymization of medical data". In press
  • T Neubauer
  • J Heurix
T. Neubauer and J. Heurix, "A methodology for the pseudnymization of medical data". In press. International journal of medical informatics, 2010, doi:10.1016/j.ijmedinf.2010.10.016