A Secure Electronic Healthcare Record Infrastructure in the Digital Rights Management Model
Electronic healthcare record systems promise to increase the efficiency and effectiveness of healthcare systems by ensuring that healthcare workers can get timely access to the correct and complete information that they require in order to provide good health services to their patients. Electronic healthcare systems have been investigated in many countries, and numerous research journals and conferences are devoted to their design and evaluation. Greater distribution of information through an electronic healthcare system brings with it a risk that patients’ information will be misused, resulting in invasions of privacy and/or unfair discrimination on the basis of patients’ medical histories. Security and privacy therefore form an important part of any electronic healthcare system, and numerous designs for security and privacy in the healthcare space have been proposed over the years [4, 5, 10, 15, 18, 19, 20, 21, 23, 43, 45, 50]. Systems for controlling access to sensitive information, both in a healthcare context and others, are typically designed to enforce the principle of least privilege, that is, the principle that the human users of a system should have access to the minimum amount of information required to carry out their assigned job. This principle aims to minimise the potential for information to be misused, without interfering with people’s ability to do their jobs. In a privacy context, the principle of consent is widely used in privacy law to restrict the disclosure of sensitive information according to the wishes of the subject of that information. Electronic consent (often shortened to “e-consent”), in particular, allows the subject of some electronic information to permit or deny the disclosure of that information to particular people in particular circumstances.
Electronic consent systems have been proposed as a method of controlling the disclosure of electronic healthcare records [3, 34, 35, 44, 49, 53], and (less frequently) for other kinds of personal information in electronic commerce contexts [6, 25, 28]. Electronic consent systems bear some resemblance to digital rights management systems. Digital rights management (DRM) is best known for its use in the protection of intellectual property, but more recently has also been applied to the protection of personal information [26, 47]. Digital rights management technology allows information owners to control the distribution and use of their information by describing a policy in a machine-readable licence. Information is distributed in a protected form such that it can only be accessed by special DRM agents that are trusted to comply with the terms specified in licences. Petković, et al. examine the potential for digital rights management technology in securing electronic healthcare records. They argue that digital rights management technologies already provide many of the features desired in a secure electronic healthcare system, in that they can provide persistent and homogeneous protection of information even when it is disseminated throughout a distributed healthcare system.
However, they additionally identify a number of points on which existing digital rights management systems (specifically, those originally designed for managing the distribution of sensitive documents within corporate enterprises) do not meet these needs, including: the parties that access and manipulate documents may come from many different domains and it is difficult to predict in advance who these parties might be; the ownership of data is not clearly defined, as it is shared between healthcare workers and patients; access rights are highly context-dependent and are difficult to determine automatically (for example, is a request an emergency?); small fragments of records (and not just whole documents, as is usually the case in intellectual property protection) may be critical; the membership of roles can change very quickly; healthcare data may be used for research purposes in an anonymised form; and healthcare data is prone to numerous inference channels. In the present document, we describe one possible implementation of a secure electronic healthcare infrastructure modelled on the digital rights management approach to privacy protection [26, 47] and workflow-based access control [2, 24, 45]. Our proposal attempts to address several of the points identified by Petković, et al., as well as other issues identified by our own research. While many of the features of the proposed system could also be provided by an access control system and/or electronic consent system such as those proposed in earlier work, the proposed system additionally allows for persistent protection of information throughout the global electronic healthcare record infrastructure, local healthcare facilities and mobile healthcare workers; highly expressive consent directives that can be enforced in an automated fashion; and information flows that cross organisational boundaries.
Anonymisation and inference channels may additionally be addressed by other work in the iCore Information Security Lab. In addition to our general application of digital rights management in a healthcare context, we introduce some new techniques with wider applications in digital rights management and access control, including the use of workflow information to provide fine control over the purposes for which rights-managed data is used; and the ability to transfer the execution of a task from one device to another (known as session mobility) within the confines of a digital rights management system.
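As an added illustration of the licence-based model sketched above (example code written for this page, not the paper's design or implementation): a toy Python DRM agent keeps each record fragment in protected form and releases a fragment only when a consent directive matching the requester's role, workflow purpose and context (emergency or not) permits it, with any matching deny overriding a permit. All roles, purposes, record values and the stream cipher are constructed for the example; a real agent would use a proper AEAD and attested keys.

```python
import hashlib, os
from dataclasses import dataclass

@dataclass(frozen=True)
class Directive:
    # who (role), for which workflow task (purpose), may or may not open which fragments
    role: str
    purpose: str
    fragments: frozenset
    permit: bool = True
    emergency_only: bool = False   # context-dependent right: only honoured in an emergency

def decide(directives, role, purpose, fragment, emergency=False):
    """Deny by default: a request needs a matching permit and no matching deny."""
    matched = [d for d in directives
               if d.role == role and d.purpose == purpose and fragment in d.fragments
               and (emergency or not d.emergency_only)]
    if any(not d.permit for d in matched):
        return False
    return any(d.permit for d in matched)

def _keystream_xor(data: bytes, key: bytes) -> bytes:
    # toy stream cipher, a stand-in for a real AEAD, so fragments are stored in protected form
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class Agent:
    """Trusted DRM agent: sole holder of fragment keys; releases a fragment only if the licence permits."""
    def __init__(self, record, directives):
        self.directives = directives
        self._keys = {n: os.urandom(32) for n in record}          # one key per fragment
        self.protected = {n: _keystream_xor(t.encode(), self._keys[n]) for n, t in record.items()}
    def open(self, role, purpose, fragment, emergency=False):
        if not decide(self.directives, role, purpose, fragment, emergency):
            return None                                           # refused: plaintext never leaves the agent
        return _keystream_xor(self.protected[fragment], self._keys[fragment]).decode()

def demo_agent():
    """Constructed sample record and licence (hypothetical values, not from the paper)."""
    record = {"allergies": "penicillin", "medications": "metformin", "psych_notes": "session 3"}
    directives = [
        Directive("gp", "treatment", frozenset(record)),
        Directive("nurse", "treatment", frozenset(record)),
        Directive("nurse", "treatment", frozenset({"psych_notes"}), permit=False),  # deny overrides
        Directive("er_doctor", "treatment", frozenset(record), emergency_only=True),
        Directive("researcher", "research", frozenset({"medications"})),
    ]
    return Agent(record, directives)
```

The fragment-level directives and the emergency flag correspond to two of the gaps noted above: critical sub-document fragments and context-dependent rights that a document-centric DRM system does not express.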
Digital management, healthcare record