Electronic healthcare record systems promise to increase the efficiency and effectiveness
of healthcare systems by ensuring that healthcare workers can get timely access to
the correct and complete information that they require in order to provide good health
services to their patients. Electronic healthcare systems have been investigated in many
countries, and numerous research journals and conferences are devoted to their design
Greater distribution of information through an electronic healthcare system brings
with it a risk that patients’ information will be misused, resulting in invasions of privacy
and/or unfair discrimination on the basis of patients’ medical histories. Security
and privacy therefore form an important part of any electronic healthcare system, and
numerous designs for security and privacy in the healthcare space have been proposed
over the years [4, 5, 10, 15, 18, 19, 20, 21, 23, 43, 45, 50].
Systems for controlling access to sensitive information, both in a healthcare context
and others, are typically designed to enforce the principle of least privilege, that is, the
principle that the human users of a system should have access to the minimum amount
of information required to carry out their assigned job. This principle aims to minimise
the potential for information to be misused, without interfering with people’s ability to do
In a privacy context, the principle of consent is widely used in privacy law to restrict
the disclosure of sensitive information according to the wishes of the subject of
that information. Electronic consent (often shortened to “e-consent”), in particular, allows
the subject of some electronic information to permit or deny the disclosure of that
information to particular people in particular circumstances. Electronic consent
systems have been proposed as a method of controlling the disclosure of electronic
healthcare records [3, 34, 35, 44, 49, 53], and (less frequently) for other kinds of personal
information in electronic commerce contexts [6, 25, 28].
Electronic consent systems bear some resemblance to digital rights management
systems. Digital rights management is best known for its use in the protection of intellectual
property, but more recently has also been applied to the protection of
personal information [26, 47]. Digital rights management technology allows information
owners to control the distribution and use of their information by describing a
policy in a machine-readable licence. Information is distributed in a protected form
such that it can only be accessed by special DRM agents that are trusted to comply
with the terms specified in their licences.
Petković, et al. examine the potential for digital rights management technology
in securing electronic healthcare records. They argue that digital rights management
technologies already provide many of the features desired in a secure electronic
healthcare system, in that they can provide persistent and homogeneous protection of
information even when it is disseminated throughout a distributed healthcare system.
However, they additionally identify a number of points on which existing digital
rights management systems (specifically, those originally designed for managing
the distribution of sensitive documents within corporate enterprises) do not meet these
- the parties that access and manipulate documents may come from many different
  domains and it is difficult to predict in advance who these parties might be;
- the ownership of data is not clearly defined, as it is shared between healthcare
  workers and patients;
- access rights are highly context-dependent and are difficult to determine automatically
  (for example, is a request an emergency?);
- small fragments of records (and not just whole documents, as is usually the case
  in intellectual property protection) may be critical;
- the membership of roles can change very quickly;
- healthcare data may be used for research purposes in an anonymised form; and
- healthcare data is prone to numerous inference channels.
In the present document, we describe one possible implementation of a secure electronic
healthcare infrastructure modelled on the digital rights management approach to
privacy protection [26, 47] and workflow-based access control [2, 24, 45]. Our proposal
attempts to address several of the points identified by Petković, et al., as well as
other issues identified by our own research.
While many of the features of the proposed system could also be provided by an access
control system and/or electronic consent system such as those proposed in earlier
work, the proposed system additionally allows for
- persistent protection of information throughout the global electronic healthcare
  record infrastructure, local healthcare facilities and mobile healthcare workers;
- highly expressive consent directives that can be enforced in an automated fashion; and
- information flows that cross organisational boundaries.
Anonymisation and inference channels may additionally be addressed by other work
in the iCore Information Security Lab.
In addition to our general application of digital rights management in a healthcare
context, we introduce some new techniques with wider applications in digital rights
management and access control, including
- the use of workflow information to provide fine control over the purposes for
  which rights-managed data is used; and
- the ability to transfer the execution of a task from one device to another (known
  as session mobility) within the confines of a digital rights management system.
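To make the two ideas above concrete, namely a patient's consent directive expressed as a machine-readable licence that a trusted DRM agent enforces before releasing a protected record, and the use of workflow information (the task a request belongs to) to restrict the purpose for which a record fragment may be used, the following Python illustration is added here. It is not code from the paper or from the iCore lab; the licence format, the identifiers, the sample record and the agent's interface are all constructed for this example, and the keystream-plus-HMAC "protected form" is a stand-in for a vetted authenticated-encryption scheme such as AES-GCM.

```python
"""Licence-gated access to a protected healthcare record (constructed example).

A patient's consent directive is written as a machine-readable licence. The DRM
agent holds the record key and releases a fragment of the plaintext only when the
requester's role, workflow task and requested fragment match a grant. Emergency
requests are handled by a separate override clause, and every decision is audited.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

# ---- protected form ---------------------------------------------------------
# Stand-in for real authenticated encryption (assumption: not the paper's scheme):
# SHA-256 keystream in counter mode for confidentiality, HMAC-SHA256 for integrity.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def protect(key: bytes, record: bytes) -> dict:
    """Return the record in protected form: nonce, keystream-masked body, tag."""
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(record, _keystream(key, nonce, len(record))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "body": body.hex(), "tag": tag.hex()}

def unprotect(key: bytes, blob: dict) -> bytes:
    """Verify the tag first; refuse to unmask a tampered record."""
    nonce, body, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "body", "tag"))
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("protected record failed integrity check")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

# ---- licence (consent directive) --------------------------------------------
# Constructed licence format: each grant names a role, the workflow task (purpose)
# it applies to, and the record fragments it covers. Fragment-level grants reflect
# the observation that small parts of a record, not only whole documents, matter.
LICENCE = {
    "patient": "PATIENT-0001",  # constructed identifier
    "grants": [
        {"role": "gp", "task": "consultation", "fragments": ["summary", "medications"]},
        {"role": "pharmacist", "task": "dispensing", "fragments": ["medications"]},
        {"role": "researcher", "task": "cohort-study", "fragments": []},  # consent withheld
    ],
    "emergency_override": {
        "roles": ["emergency_physician"],
        "fragments": ["summary", "medications", "allergies"],
    },
}

# Constructed sample record; the fragments are the units the licence refers to.
SAMPLE_RECORD = {
    "summary": "Type 2 diabetes, well controlled",
    "medications": ["metformin 500 mg"],
    "allergies": ["penicillin"],
}

@dataclass
class Request:
    role: str
    task: str        # the workflow task the request is part of (its purpose)
    fragment: str
    emergency: bool = False

@dataclass
class Agent:
    """Trusted DRM agent: the only component that ever sees the record key."""
    key: bytes
    licence: dict
    audit: list = field(default_factory=list)

    def permitted(self, req: Request) -> bool:
        if req.emergency:
            ov = self.licence["emergency_override"]
            return req.role in ov["roles"] and req.fragment in ov["fragments"]
        return any(
            g["role"] == req.role and g["task"] == req.task and req.fragment in g["fragments"]
            for g in self.licence["grants"]
        )

    def access(self, req: Request, protected_record: dict):
        """Return the requested fragment, or None when the licence denies it."""
        decision = "allow" if self.permitted(req) else "deny"
        self.audit.append((req.role, req.task, req.fragment, req.emergency, decision))
        if decision == "deny":
            return None
        record = json.loads(unprotect(self.key, protected_record))
        return record[req.fragment]

def make_protected_record(key: bytes) -> dict:
    return protect(key, json.dumps(SAMPLE_RECORD).encode())
```

The point the example makes is that the same role receives different answers depending on the workflow task: a GP in a consultation sees the medication list, but the identical role in a billing task does not, because the licence binds each grant to a purpose rather than to a role alone. The emergency clause shows one way of handling a context the licence cannot predict in advance, at the cost of a broader release that the audit trail records for later review.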