Flexible Patient-Controlled Security for Electronic Health Records

Thomas Hupperich, Hans Löhr, Ahmad-Reza Sadeghi, Marcel Winandy

ACM SIGHIT International Symposium on Health Informatics (IHI), Miami, January 2012


Electronic health records (EHR) are a convenient method to exchange medical information of patients between different healthcare providers. In many countries, privacy laws require protecting the confidentiality of these data records and letting the patient control access to them. Existing approaches to protecting the privacy of EHRs are either insufficient for these strict laws or too restrictive in their usage. For example, smartcard-based encryption systems require the patient to always be present to authorize access to medical records. However, this does not allow a physician to access the EHR of a patient who is unable to show up in person.

In this paper, we propose a security architecture for EHR infrastructures that provides more flexibility but retains the security of patient-controlled encryption. In our proposal, patients are able to authorize access to their records remotely (e.g., via phone) and independently of time, for later processing by the physician. The security of our approach relies on modern cryptographic schemes and their incorporation into an EHR infrastructure. Adopting our security architecture would make it possible to fulfill strict privacy laws while relaxing the usage restrictions of existing security protections.

