SiHIS 2009, IMIA WG 4, Hiroshima, Japan
Centralized electronic health records (EHR) accumulate medical data of patients to improve their availability and completeness. This in turn increases the efficiency of business processes for medical services. As EHRs are not tied to a single medical institution, they may be offered by enterprises with the capacity and knowledge to maintain this kind of database. Legislation, e.g. the US American Health Insurance Portability and Accountability Act (HIPAA) and the German Act for the Modernization of the Health Insurance by Law (GMG), usually prohibits any disclosure to third parties without the patient's explicit consent. Existing systems for EHRs like Microsoft HealthVault and Google Health comply with this by letting the patients decide on the usage and disclosure of their data. But they fail to provide three essential safeguards for privacy. Firstly, they do not offer mechanisms to guarantee the compliance of the EHR system, especially regarding the enforcement of patients' decisions. Secondly, patients cannot express or enforce obligations on further usage and disclosure of their data to third parties. Thirdly, they fail to guarantee confidentiality of the patients' health data towards the EHR provider organization, which should not be able to access the data, since this increases the risk of unauthorized disclosure. These drawbacks stem from the fact that privacy-enhancing technologies focus on controlling external access to personal data but not on their usage. But even if health data is protected against these threats, EHR providers are able to create profiles of patients by examining the access requests to their data. We propose a privacy-protecting information system for controlled disclosure of personal data to third parties. Firstly, patients should be able to express, enforce, and observe obligations regarding the disclosure of health data to third parties. Secondly, an organization providing EHRs should neither be able to gain access to these health data nor to establish a profile of patients.
On Privacy in Medical Services with Electronic Health Records
Sebastian Haas, Günter Müller (University of Freiburg, Germany)
Sven Wohlgemuth, Isao Echizen, Noboru Sonehara (National Institute of Informatics, Japan)
IIG - Telematics / National Institute of Informatics
Agenda
1. Medical Systems and Electronic Health Records
2. Shift to a new Health Record Scenario
3. The Patient as Target
4. Usage Control: Data Provenance by Digital Watermarking
5. Conclusion
1. Medical Systems and Electronic Health Records
- Various medical systems are used to support treatment.
- These systems use electronic health records (EHR) about the patient.
- Many EHRs exist at different locations.
[Figure: Hospital, Laboratory, Examination, Dentist and Pharmacy, each holding records about the Patient]
2. Shift to a new Health Record Scenario (1/2)
[Figure: shift from the Castle (Mainframe) via the Marketplace (Internet) to the Metropolis: de-perimetrization, insiders and outsiders, server-based security versus client-based security]
2. Shift to a new Health Record Scenario (2/2)
Current scenario: the patient's data is stored in many medical systems, and each medical system is in charge of the patient's data.
New scenario: all data about the patient is stored in one location, a central EHR, and the patient is in charge of this data.
[Figure: Hospital, Laboratory, Examination, Dentist and Pharmacy each holding data about the Patient (current scenario) versus a single central EHR under the patient's control (new scenario)]
3. The Patient as a Target
- The patient "inherits" responsibility and risk.
- Dishonest parties may force the patient to reveal medical data.
Privacy problem: how can the patient be protected from being forced to reveal medical data?
[Figure: Hospital, Examination, Dentist, Pharmacy, Laboratory, Insurance, Advertiser and Employer surrounding the Patient]
4. Usage Control: Data Provenance by Digital Watermarking
Overview of usage control along the execution of a process, from preventive to reactive (columns: before the execution, during the execution, after the execution):
Policies: Extended Privacy Definition Tools (ExPDT)
Mechanisms & Methods
- Before the execution: Process Rewriting, Workflow Patterns, Vulnerability Analysis
- During the execution: Execution Monitoring, Unlinkable Delegation of Rights
- After the execution: Model Reconstruction, Audits / Forensics, Architectures for Data Provenance
Research collaboration between University of Freiburg and NII
4. Data Provenance in EHR
Data provenance
– Information to determine the derivation history of data.
In an audit, data provenance can be used to restore the information flow.
[Figure: example of medical data disclosed from the Patient and passed on between Laboratory, Employer and Advertiser; each copy carries the chain of its previous holders as data provenance]
4. Digital Watermarking Method
Watermarking is a method to bind provenance information as a tag to data.
The EHR/Medical system must enforce that
– disclosed data is tagged with updated provenance information
– provenance information is authentic.
Steps of a disclosure (figure: EHR/Medical system with a Watermarking Service, a Data provider, e.g. Advertiser, and a Data consumer, e.g. Laboratory):
1) Access request
2) Fetch data
3) Apply tag
4) Deliver tagged data
4. Digital Watermarking Scheme
Data provenance information
– Linking identities of data provider and data consumer with access to medical data.
Detection by the patient via delegated access rights for medical data.
[Figure: Apply Tag (Data provider, Data consumer) and Verify Tag (Patient, Data provider, Data consumer), illustrated with Advertiser as data provider, Laboratory as data consumer, and the access rights delegated by the Patient]
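The two watermarking slides above (method and scheme) can be modelled as follows; this is an added example, not the authors' scheme. It assumes a watermarking service that binds a hash-chained provenance tag to a digest of the data with a MAC under a service key (a simplification of an "authentic tag"; a real deployment would use a signature), and a patient who verifies the tag and compares the recorded data consumers with the rights actually delegated. The functions, the key and the Laboratory/Advertiser scenario are constructed.

```python
import hashlib
import hmac
import json

# Constructed key of the watermarking service (assumption). The slides require an
# authentic tag; a real deployment would sign it so the patient verifies with a
# public key instead of sharing this MAC key.
SERVICE_KEY = b"example-watermarking-service-key"

def _payload(data: bytes, chain: list) -> bytes:
    # The tag binds the provenance chain to a digest of the disclosed data, so the
    # chain cannot be moved onto other data or edited without breaking the MAC.
    return json.dumps({"data": hashlib.sha256(data).hexdigest(),
                       "chain": chain}, sort_keys=True).encode()

def apply_tag(data: bytes, tag, provider: str, consumer: str) -> dict:
    """Step 3 of a disclosure: append the hop (provider -> consumer) to the chain
    already on the data (tag is None for the patient's own copy) and MAC it."""
    chain = (tag["chain"] if tag else []) + [{"from": provider, "to": consumer}]
    mac = hmac.new(SERVICE_KEY, _payload(data, chain), "sha256").hexdigest()
    return {"chain": chain, "mac": mac}

def verify_tag(data: bytes, tag: dict) -> bool:
    """Patient side: is the provenance information on this data authentic?"""
    expected = hmac.new(SERVICE_KEY, _payload(data, tag["chain"]), "sha256").hexdigest()
    return hmac.compare_digest(expected, tag["mac"])

def unwanted_disclosures(tag: dict, delegated_rights: set) -> list:
    """Hops whose data consumer was never granted access by the patient."""
    return [hop for hop in tag["chain"] if hop["to"] not in delegated_rights]

def demo() -> dict:
    # Constructed scenario: the patient delegated access rights to the Laboratory only.
    record = b"constructed medical data: blood test, November 2009"
    rights = {"Laboratory"}
    t1 = apply_tag(record, None, "Patient", "Laboratory")    # wanted disclosure
    t2 = apply_tag(record, t1, "Laboratory", "Advertiser")   # onward, never delegated
    stripped = {"chain": t2["chain"][:1], "mac": t2["mac"]}  # Advertiser hides its hop
    return {
        "t1_ok": verify_tag(record, t1) and not unwanted_disclosures(t1, rights),
        "t2_authentic": verify_tag(record, t2),
        "unwanted": [h["to"] for h in unwanted_disclosures(t2, rights)],
        "stripped_detected": not verify_tag(record, stripped),
    }
```

The audit case from the conclusion follows directly: an authentic tag whose chain names a consumer outside the delegated rights is the patient's evidence that an unwanted disclosure occurred, while a tag with a removed hop fails verification.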
5. Conclusion
- The patient becomes a weak spot.
- Data provenance can be used as a basis for accountability.
- The patient can prove that unwanted disclosures have occurred.
[Figure: Hospital, Examination, Dentist, Pharmacy, Laboratory, Insurance, Advertiser and Employer surrounding the Patient]
Thank you very much.