Abstract: In this paper we look into the ethical concerns arising due to lack of anonymisation or pseudoanonymisation of electronic patient information in digital medical records used for research and diagnosis. We consider the problems of policing access to patient-sensitive information, personal empowerment of data ownership and digital rights management. We propose the use of steganographic principles as a possible resolution to some of these issues when used in a two-tier system with cryptographic approaches and call for an explicit privacy standard to be incorporated into the openEHR as a possible international standardisation of electronic health records.
Keywords: EPHR, medical ethics, patient rights.
INTRODUCTION
The envisaged future Electronic Patient Health Record (EPHR), also known as a Bioprofile, will be a record of an individual's health progression from birth to death. It will contain a vast amount of information, from vaccinations at birth to dental visits, blood test results, EEG, ECG, scan reports, diagnoses made, treatments given and even the results of automated machine learning predictive and decision support models applied to a person's biodata, throughout his or her life. In short the EPHR will contain the entire medical and genomic history along with geographic and other personal information linked to an individual.
Research in programmes promoting Ehealth/Telemedicine has gained increased importance in recent years. Telemedicine has been promoted in many countries with a view to the various advantages it could provide, such as:
Faster diagnosis and safer treatment available wherever and whenever care is required.
Specialist opinions can be obtained even if the patient or experts are in remote areas.
Cost savings for both the patient and the administration if previous tests such as X-rays, ECGs and EEGs can be examined online without repetition if the patient is away from their normal health provider.
Care in the home becomes more viable.
The above list of benefits relating to personalised health care is the key driving factor for Telemedicine con-
identification number (PIN) can be set up by the cardholder to protect the information on the smart card. Data can be transferred to/from the card only after a strict authorisation and mutual authentication process.
Estonia: The National Identity Card, which is compulsory for every Estonian, has the usual person identifying features - name, picture, date of birth, personal code etc. [11] The security of the information on the card is based on the personal identification code enabled in each card and a certificate in the ID-card which enables digital signing.
Standards for EPHRs
Currently there are many different standards used extensively for the processing and storage of medical records. The disadvantage of these standards is that there is little or no interoperability. Some of the standards currently in use and under development are DICOM, Health Level 7 (HL7) Clinical Development Architecture (CDA) [HL7 CDA Release 2.0 2005], CEN EN 13606 EHRcom [CEN prEN 13606-1 2004], and openEHR [8].
The security policy of the openEHR standard [1] (which is possibly the closest currently to an internationally accepted standard) is as shown in figure 1.
[Fig. 1 (figure residue): the openEHR security model. The EHR (ehr_id), with its EHR Access, EHR Status, Directory, Contributions and Compositions, is held separately from the Demographics/Parties record; every item carries an audit, and each commit audit carries a digital signature or hash.]
provides no direct clue to the identity of the owning patient (indirect clues are of course harder to control). Stealing an identified EHR involves theft of data from two servers, or even theft of two physical computers, depending on deployment configuration.
Versioning in the openEHR is its most basic security related feature for data integrity. All logical changes and deletions as well as additions are therefore physically implemented as new Versions rather than changes to existing information items. The openEHR also states that there exists a possibility to digitally sign each Version.
Security in the openEHR is maintained by anonymity. The EHR data are separate from the demographic records as depicted in figure 1. A cross-reference database protected by means of encryption or other security mechanisms is used to relate the EHR to a demographic file. The security mechanisms are left open to be decided by the third party vendor who implements the network.
The implementation of smart cards for health listed above represents just a small selection. Similarly the list of the standards for EPHRs is representative only. The advantages of smart cards for health and EPHRs are enormous but the chances of misuse also increase proportionally. With eHealth systems generating such controversy and debate across nations and populations, including politicians, scientists, health officials and the general public, we ask whether there can exist possible solutions to the issues of ethics and patient ownership of the EPHR. Since the security is mostly based on cryptographic techniques, we discuss the advantages and disadvantages of most encryption mechanisms in the following section to highlight the vulnerability of such systems under purposeful attacks or accidental error by legitimate health personnel.
IS USE OF CRYPTOGRAPHY FOR PRIVACY PROTECTION SUFFICIENT?
Cryptography or data encryption is widely used for preventing the misuse of data by unauthorised users. Security of the data is largely dependent on the technique and key used to encrypt the data. Exact knowledge of the encryption method and key is necessary to decrypt the data. Algorithms such as RSA [19] rely on the size of the key: the larger the key size, the better the security provided. Since the key is a huge number, the authorised person will need to carry it in some form (written, or stored in some storage device, or embedded in a smart card).
Whilst basic data security across networks is adequately provided for through strong cryptographic means (for example Diffie-Hellman and RSA [19]), encrypted headers containing text details such as patient information are attached to medical files. This is insecure and inappropriate. Since the header information is attached, the link between medical data and patient details can occasionally get mangled by protocol converters [13]. What are the consequences of attaching the wrong personal details
An Example:
Steganographic Techniques:
Some preliminary work [20] [14] [12] [3] [17] [15] [21] [4] [18] [7] has started to explore some of the possible trade-offs to assess the viability of this proposed approach to hiding intimate patient details. An example of one such study and the results obtained is described below. The embedding of the metadata, in this exemplar case the personal identification details of a patient, can be done in the spatial domain of the cover work (the medical record) or in the transform domain (the space into which the medical record is transformed acts as the cover). Though the representation of medical data is mainly in the time domain, embedding the metadata in the transformed domain helps resolve the issues involving localisation of the embedded data and fidelity of the cover work (medical record).
Fig. 4: CT Result.
Consider as an example patient 1, whose personal identification details are as shown in figure 3 and who has undergone a CT scan (figure 4) after an acute stroke. The CT scan is used to show areas of abnormalities in the brain, and determine if the abnormalities are caused by insufficient blood flow (ischemic stroke), a ruptured blood vessel (haemorrhage), or some other problem.
In the second example patient 2, presented in figure 5, has an EEG, figure 6, taken to find evidence of epileptic seizures.
Name: Miss Y
Sex : F
Age : 16yrs
Address: 35, High Ridge,
East Side,
Birmingham,
UK
NHS Number: CD342WUV87
[Plot residue: EEG traces plotted as Measurement of EEG (µV) against Duration of EEG (seconds) before and after embedding; the spectra of the unwatermarked and watermarked EEG against Normalised Frequency (f/fs); and their difference against Number of Samples.]
Fig. 10: (a) 10log10 f() of EEG before and after message embedding with fs = 512 Hz. (b) Difference of the two 10log10 f() shown in (a).
This shows that not only the details capable of identifying the owner of the records but also other information, such as who has accessed the record, portions of the medical history which need to be private and protected and other relevant information, can be integrated into the medical file. Though a significant portion of the Introduction section has been embedded, the differences between figure 4 and figure 11, and between figure 8 and figure 12, cannot be distinguished by the naked eye.
ADVANTAGE OF USING BOTH CRYPTOGRAPHY AND STEGANOGRAPHY
As we have seen, Steganography helps resolve some of the issues which cannot be answered by Cryptography. Encrypting the personal details adds an extra level of security to the already secure system. Retrieval of the embedded message requires exact knowledge of both the keys k1 and k2.
It is clearly observed that the embedded data causes minimal distortion to the original data, which is the main criterion, since the integrity of medical records is life-
APPENDIX:
Algorithm 1: Algorithm to Embed a Message in Biomedical Data
Problem: Embed a random binary string into a biomedical signal/image.
Inputs: Biomedical signal/image (cover) c, message to be embedded msg.
Outputs: Watermarked cover data.
void DataEmbedding(cover data, msg) {
    Input the cover data, msg;
    if embedding in transform domain then
        Apply transform to cover data (FFT, DCT, DWT, PCA, ICA);
    end
    Encrypt msg applying a suitable encryption algorithm (RSA, Diffie-Hellman) using key k1 to obtain a random binary string m;
    Embed m into c choosing a suitable method (LSB, QIM) to obtain watermarked cover x;
    if message m embedded in transform domain of cover c then
        Apply inverse transform to x to reconvert to time domain;
    end
}
Transmit the watermarked biomedical signal/image;
Decrypt m applying the encryption algorithm (RSA, Diffie-Hellman) used at the encoder with key k1 to obtain the estimated message msg;
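Added example (written for this page, not the authors' code) carrying the two-tier scheme and Algorithm 1 through in Python: k1 drives a hash-derived XOR stream that stands in for the paper's RSA/Diffie-Hellman step, k2 chooses which detail coefficients of an exactly invertible integer Haar transform (one of the DWT options in the algorithm) carry the LSB-embedded bits, and the decoder needs both keys. The 512 Hz cover signal, the message and the keys are all constructed for the demonstration.

```python
import hashlib, math, random
# Constructed cover (not a real record): 1 s of a synthetic 7 Hz "EEG" at fs = 512 Hz, integer microvolts.
FS = 512
COVER = [round(300 * math.sin(2 * math.pi * 7 * i / FS)) for i in range(FS)]

def encrypt(data, k1):
    """XOR with a SHA-256 stream derived from k1 (stand-in for the RSA/DH step); symmetric, so also decrypts."""
    ks = b"".join(hashlib.sha256(k1 + c.to_bytes(4, "big")).digest() for c in range(-(-len(data) // 32)))
    return bytes(a ^ b for a, b in zip(data, ks))

def haar_forward(x):
    """Integer Haar lifting, exactly invertible: sample pairs (a, b) -> approximation s, detail d."""
    s, d = [], []
    for a, b in zip(x[0::2], x[1::2]):
        d.append(a - b)
        s.append(b + ((a - b) >> 1))
    return s, d

def haar_inverse(s, d):
    x = []
    for ss, dd in zip(s, d):
        b = ss - (dd >> 1)
        x += [b + dd, b]
    return x

def positions(k2, n):
    """k2 fixes which detail coefficients carry bits, so extraction needs k2 as well as k1."""
    order = list(range(n))
    random.Random(k2).shuffle(order)
    return order

def embed(cover, msg, k1, k2):
    s, d = haar_forward(cover)                      # work in the transform domain
    cipher = encrypt(msg, k1)
    payload = len(cipher).to_bytes(2, "big") + cipher          # 16-bit length header
    bits = [(byte >> i) & 1 for byte in payload for i in range(7, -1, -1)]
    if len(bits) > len(d):
        raise ValueError("message exceeds the LSB capacity of the detail band")
    for pos, bit in zip(positions(k2, len(d)), bits):
        d[pos] = (d[pos] & ~1) | bit                # LSB of one detail coefficient
    return haar_inverse(s, d)                       # back to the time domain
def extract(stego, k1, k2):
    _, d = haar_forward(stego)
    order = positions(k2, len(d))
    read = lambda start, nbits: int("".join(str(d[p] & 1) for p in order[start:start + nbits]), 2)
    length = read(0, 16)
    return encrypt(read(16, 8 * length).to_bytes(length, "big"), k1) if length else b""
def max_distortion(cover, stego):
    """Largest per-sample change; an LSB flip in the Haar detail band moves one sample by at most 1 uV."""
    return max(abs(a - b) for a, b in zip(cover, stego))
```

The distortion bound follows from the lifting equations: changing the LSB of a detail coefficient leaves its floor-halved contribution to the approximation unchanged, so only one of the two samples moves, by exactly one unit.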
REFERENCES
[1] openEHR Foundation. Copyright 2001-2006, www.openEHR.org.
[2] International guidelines for ethical review of epidemiological studies. Council for International Organizations of Medical Sciences, 1991.
[3] U. R. Acharya, D. Anand, P. S. Bhat, and U. C. Niranjan. Compact storage of medical images with patient information. IEEE Transactions on Information Technology in Biomedicine, 5:320-323, December 2001.
[4] H. Chao, C. Hsu, and S. Miaou. A data hiding technique with authentication, integration, and confidentiality for electronic patient records. IEEE Transactions on Information Technology in Biomedicine, 6(1):46-53, March 2002.
[5] C. S. Chuang. Human rights concern in an information society: thoughts on personal data protection in Taiwan. The World Summit on the Information Society, Asian Regional Conference, pages 277-315, January 2003.
[6] I. J. Cox, M. L. Miller, and J. A. Bloom. Applications and properties. In Digital Watermarking, pages 11-39. Morgan Kaufmann Publishers, 2002.
[7] S. Dandapat, O. Chutatape, and S. M. Krishnan. Perceptual model based data embedding in medical images. Proceedings of the International Conference on Image Processing (ICIP), 4:2315-2318, October 2004.
[8] M. Eichelberg, T. Aden, J. Riesmeier, A. Dogac, and G. B. Laleci. A survey and analysis of electronic healthcare record standards. ACM Computing Surveys, 37(4):277-315, December 2005.
[9] R. Gertz. An analysis of the Icelandic Supreme Court judgement on the Health Sector Database Act. SCRIPTed, 1(2):241, 2004.
[10] J. R. Gulcher and K. Stefansson. The Icelandic healthcare database and informed consent. N Engl J Med, 342:1827, 2000.
[11] A. Kalja, A. Reitsakas, and N. Saard. eGovernment in Estonia: best practices. IEEE, Technology Management: A Unifying Discipline for Melting the Boundaries, pages 500-506, 31 July-4 Aug 2005.
[12] X. Kong. Watermarking medical signals for telemedicine. IEEE Transactions on Information Technology in Biomedicine, 5(3):195-201, September 2001.
[13] B. Macq and F. Dewey. Trusted headers for medical images. DFG VIII-D II Watermarking Workshop, October 1999.
[14] B. R. Matam and D. Lowe. Steganography, biopatterns and independent components. Proceedings of the 7th International Conference on Mathematics in Signal Processing, pages 206-209, December 2006.
[15] J. Nayak, U. R. Acharya, P. S. Bhat, and U. C. Niranjan. Simultaneous storage of medical images in the spatial and frequency domain: a comparative study. Biomedical Engineering Online, available at http://www.biomedicalengineering-online.com/content/3/1/17.
[16] Office of Health and the Information Highway (Health Canada). International activities toward electronic health records: unique identification and PKI. September 1998.
[17] B. M. Planitz and A. J. Maeder. Medical image watermarking: a study on image degradation. Proceedings of the Australian Pattern Recognition Society (APRS) Workshop on Digital Image Computing (WDIC 2005), Brisbane, Australia, pages 3-8, February 2005.