In today's health care system, the availability of sound information has a tremendous impact on decisions regarding a patient's care and thus on the quality of treatment and patient health. Electronic health records (EHR) were introduced over the past several years in order to improve communication between health care providers and access to data and documentation, leading to better clinical and service quality. EHRs promise to reduce adverse drug events, which account for about $175 billion a year and for more than 100,000 deaths per year in the U.S., by providing physicians and their health care teams with decision support systems and guidelines for drug interactions. Furthermore, EHRs promise massive savings by digitizing diagnostic tests and images. A study by the nonprofit research organization Rand Corporation concludes that adopting EHRs could result in more than $81 billion in annual savings in the U.S. if 90 percent of health care providers used them.
The discussion of privacy is one of the fundamental issues in health care today: a trade-off between the patient's requirement for privacy and society's need to improve efficiency and reduce the costs of the health care system. With informative and interconnected health-related data comes highly sensitive and personal information, which could be exploited (e.g., by data mining). Because of the high sensitivity of health data, there is increasing social and political pressure to prevent its misuse. On the one hand, it is a fundamental right of every citizen to demand privacy; on the other hand, the disclosure of medical data may cause serious problems for the patient. For example, a history containing substance abuse or HIV infection might result in discrimination or harassment: insurance companies could use sensitive medical data to deny health coverage or to increase insurance premiums for those affected, whereas employers might refuse to employ people based on their health records. Along with social and political pressure for the protection of health data, there are also legal acts and policies that demand it. In 2006, the United States Department of Health & Human Services issued the Health Insurance Portability and Accountability Act (HIPAA), which demands the protection of any patient data that is shared from its original source of collection. Since 2005, the processing and movement of personal data has been regulated within the EU by the Directive 95/46/EC. A citizen's right to privacy is also recognized in the European Convention for the Protection of Human Rights and Fundamental Freedoms. Additionally, many domestic acts (e.g., the Austrian Data Protection Act) dictate strict regulations on the processing of personal data. Along with the benefit of interconnection comes an increasing fear of data abuse; this fear drives the adoption of laws, which in turn has led to the development of a variety of techniques for protecting patients' identity and privacy, such as encryption. As medical data tends to be very large and encryption is a highly time-consuming operation, encrypting all data would not be efficient in practice. Thus, several organizations have proposed using pseudonyms for the protection of privacy. Pseudonymization is a technique whereby identification data is transformed into a specifier and is subsequently replaced by it. The specifier can only be associated with the identification data by means of a certain secret. Thus, the concept of pseudonymization allows an association with a patient exclusively under specified and controlled circumstances.
Nonetheless, existing approaches exhibit major shortcomings.
Secure Business Austria has developed a new (patented) system for the pseudonymization of health data that differs from existing systems in its ability to securely integrate primary and secondary usage of health data and thus provides a solution to the security shortcomings of existing approaches. The approach comprises methods for data sharing, authorization, and recovery that allow access to health care records to be recovered if the security token carrying the keys (e.g., a smartcard) is lost or stolen.
This system is based on a hull architecture, where every hull consists of one or more secrets (e.g., encrypted keys or hidden relations), which are only accessible with the unveiled secrets from the next outer hull. For instance, the patient's inner private key (e') in the inner hull is encrypted with the outer public key (d) on their smartcard, which represents the outer hull or authentication layer. Moreover, a specific anamnesis dataset, which is associated with a list of pseudonyms, can only be accessed with the knowledge of the related secret, which has been encrypted with the inner symmetric key (K). As the inner symmetric key has previously been encrypted with the inner public key (d'), this encryption operation has to be reversed to gain access to this key in plain text. In other words, if patients want to access their data, they first have to decrypt their inner private key, which is stored encrypted inside the system, with the outer public key of their smartcard. Second, they are able to decrypt the inner symmetric key with their inner private key. Afterwards, they can use the inner symmetric key, which is now available to them in plain text, to decrypt the encrypted secrets in the innermost hull, the concealed data hull. In contrast to existing approaches, our concept does not depend on a patient list that reflects the association between the patient's identity and medical data, or on a breakable algorithm. Instead, we base our architecture on a layered structure that guarantees that patients are in full control of their data. The concept can be used as an extension to EHR applications but also as a basis for national EHR initiatives.
PIPE 2.0:
In this project, PIPE is further developed to broaden the approach in order to suit different application scenarios. In particular, the system will demonstrate the secure and confidential storage and retrieval of medical data in the context of genetic testing. Still, PIPE retains its versatility by implementing a generic workflow pattern that can be adapted to different application areas. In order to support this adaptability, the system is developed as a configurable toolbox which provides different functions and services, depending on the requirements of the particular application scenario.
One major research area is to provide an advanced method for securely querying specific health records using semi-structured metadata. On the one hand, this query process must not reveal any association between metadata and related medical records to unauthorized persons. On the other hand, the metadata should allow patients and health care providers a structured and efficient search for medical records. To this end, PIPE is integrated with SemCrypt, a system developed at the JKU Linz that provides sophisticated methods for querying and updating encrypted documents. SemCrypt exploits the structural semantics of XML documents and relies on client-side cryptographic operations only for ensuring data privacy.
Another research focus lies in the application of PIPE in a largely untrusted environment. This includes the consideration of a localized or centralized execution of the PIPE logic. In the localized architecture, a user-owned security token is the only trusted instance, acting as the local cryptographic module. In the centralized scenario, a hardware security module acts as the server-side trusted instance responsible for executing the necessary cryptographic operations.
Current status:
The main field of activity in the first work package encompassed the analysis of the basic requirements of the PIPE core system as well as the specific requirements for supporting workflows related to genetic testing. This includes the necessary adaptations of the PIPE core in order to implement the PIPE toolbox. Current work includes the definition of the PIPE/SemCrypt interfaces and the overall design specification.
Publications:
- Bernhard Riedl, Thomas Neubauer, Gernot Goluch: A secure architecture for the pseudonymization of medical data; Proceedings of the Second International Conference on Availability, Reliability and Security (ARES’07); IEEE Computer Society; 2007.
- Bernhard Riedl, Veronika Grascher, Thomas Neubauer: Pseudonymization for securing e-health applications; accepted for 13th IEEE Pacific Rim Dependable Computing Conference (PRDC’07); IEEE Computer Society; 2007.
- Bernhard Riedl, Thomas Neubauer, Oswald Boehm: Patent: Datenverarbeitungssystem zur Verarbeitung von Objektdaten (Data processing system for processing object data); Austrian Patent 503291; September 2007.
- Bernhard Riedl, Veronika Grascher, Thomas Neubauer: Pseudonymization for improving the privacy in e-Health applications; accepted for 41st Hawaii International Conference on Systems Science (HICSS’08); IEEE Computer Society; 2008.
- Thomas Neubauer, Bernhard Riedl, Thomas Mück: Pseudonymisierung zur sicheren Umsetzung des elektronischen Gesundheitsakts (Pseudonymization for the secure implementation of the electronic health record); OCG Journal 4; 2007.
Contact:
Thomas Neubauer: neubauer@securityresearch.at