January 2012
Electronic health records (EHR) are a convenient way to exchange patients' medical information between different healthcare providers. In many countries, privacy laws require that the confidentiality of these records be protected and that the patient controls access to them. Existing approaches to protecting the privacy of EHRs are either insufficient under these strict laws or too restrictive in their usage. For example, smartcard-based encryption systems require the patient to be present every time access to a medical record is authorized. This does not allow a physician to access the EHR of a patient who is unable to appear in person. In this paper, we propose a security architecture for EHR infrastructures that provides more flexibility while retaining the security of patient-controlled encryption. In our proposal, patients can authorize access to their records remotely (e.g. via phone) and independently of time, so that the physician can process the records later. The security of our approach relies on modern cryptographic schemes and their incorporation into an EHR infrastructure. Adopting our security architecture would make it possible to comply with strict privacy laws while relaxing the usage restrictions of existing security protections.