TOWARDS GAINING PATIENT CONFIDENCE IN, AND ACCEPTANCE OF THE ELECTRONIC PATIENT

HEALTH RECORD : A STEGANOGRAPHIC PROPOSAL

B.R.Matam, David Lowe
Aston University, UK
{matambr,d.lowe}@aston.ac.uk
sortia across the world. The second but equally important aim of all healthcare providers is to provide individualised care in terms of treatment. This is possible
if a database of all health records is available to study
for purposes such as research, clinical audit, verification
of performance of doctors. But the well-intentioned arguments in favour of putting all medical records online
need to follow basic ethical rules as summarised in [2]:
. . . ethical review must always assess the risk of subjects or groups suffering stigmatization, prejudice, loss
of prestige or self-esteem, or economic loss as a result of
taking part in a study... Epidemiological studies may inadvertently expose groups as well as individuals to harm,
such as economic loss, stigmatization, blame, or withdrawal of services.... Though these rules were specified in the guidelines for epidemiological research, they
are universal and relate to any field of research. Hence
custodians of bioprofiles should make every attempt to
minimise any potential physical, psychological, social or
cultural risks to participants. Confidentiality of personal
data in EPHRs should be based on methods governing
appreciation of an individuals right to privacy. Else individuals may face possible risks of financial loss, physical
pain, emotional distress, embarrassment, cultural dissonance and exploitation.
Consider the case of one such experiment where research took importance over peoples right to privacy, the
Icelandic Health Sector Database (HSD)[10]. The government of Iceland authorised a project in health informatics by deCODE, a US-registered biotechnology company based in Iceland. The project involved the creation
of an electronic archive containing the medical records of
all Icelanders, including genetic data extracted from tissue samples and their genealogical records dating back
most of the last 1,000 years. The HSD project collapsed
as a result of loss of support from the Icelandic population. One main reason was the ruling in November 2003
by the Icelandic Supreme Court [9]in favour of a woman
who petitioned that transfer of her husbands (who had
died in 1991) medical, genealogical or genetic data to the
HSD infringed on the right to privacy of her daughter,
Ragnhildur Gudmundsdottir. As can be seen from the reference [9] which is an analysis of the case, the inclusion
of genetic data of any member of a family automatically
leads to an infringement of privacy of all other members
or relatives of the family.
Though the above case relates to a project developed
for the study and betterment of health, it inadvertently
led to the abuse of the basic human right to privacy.

Abstract: In this paper we look into the ethical concerns arising due to lack of anonymisation or pseudoanonymisation of electronic patient information in digital
medical records used for research and diagnosis. We consider the problems of policing access to patient-sensitive
information, personal empowerment of data ownership
and digital rights management. We propose the use of
steganographic principles as a possible resolution to some
of these issues when used in a two-tier system with cryptographic approaches and call for an explicit privacy standard to be incorporated into the openEHR as a possible
international standardisation of electronic health records.
Keywords: EPHR, medical ethics, patient rights.
INTRODUCTION
The envisaged future Electronic Patient Health Record
(EPHR), also known as a Bioprofile, will be a record of
an individuals health progression from birth to death. It
will contain a vast amount of information, from vaccinations at birth to dental visits, blood test results, EEG,
ECG, scan reports, diagnoses made, treatments given and
even the results of automated machine learning predictive and decision support models applied to a persons
biodata, throughout his or her life. In short the EPHR
will contain the entire medical and genomic history along
with geographic and other personal information linked to
an individual.
Research
in
programmes
promoting
Ehealth/Telemedicine has developed increased importance
in recent years. Telemedicine has been promoted in
many countries with a view to the various advantages it
could provide, such as:
Faster diagnosis and safer treatment available
wherever and whenever care is required.
Specialist opinions can be obtained even if the patient or experts are in remote areas.
Cost savings for both the patient and the administration if previous tests such as X-rays, ECGs,
EEGs can be examined online without repetition
if the patient is away from their normal health
provider.
Care in the home becomes more viable.
The above list of benefits relating to personalised
health care is the key driving factor for Telemedicine con1

Many other examples exist of intentional abuse of patient

records, for example:

BBC NEWS, NORTHERN IRELAND, Wednesday,

2 July, 2003, Dissident operation uncovered, Dissident republican paramilitaries used medical records at
a Belfast hospital in an intelligence gathering operation,
the police have said. It is alleged the Real IRA was using records at the Royal Victoria Hospital to target members of the Policing Board, district policing partnerships,
politicians and police officers. Five people have been arrested. The hospital said one of its employees was being questioned by police about a serious breach of patient confidentiality. The man had access to passwordguarded records and will be dismissed if the allegations
are proven, the hospital said.
These reports of unintentional/intentional misuse of
health records have the potential risk of eroding public
support for electronic health records and can defeat the
very cause of telemedicine applications. The need to ensure patient privacy and confidence is of paramount importance. The decision regarding what information of the
medical record is available online, what safeguards are
implemented to limit the access of this information by
the authorised users only needs to be taken before such
systems are implemented.

identification number (PIN) can be set up by the cardholder to protect the information on the smart card. Data
can be transferred to/ from the card only after a strict authorisation and mutual authentication process.
Estonia: The National Identity Card which is compulsory for every Estonian has the usual person identifying
features - name, picture, date of birth, personal code etc.
[11] The security of the information on the card is based
on the personal identification code enabled in each card
and a certificate in the ID-card which enables digital signing.
Standards for EPHRs
Currently there are many different standards used extensively for the processing and storage of medical records.
The disadvantage of these standards is that there is little
or no interoperability. Some of the standards currently
under use and development are DICOM, Health Level
7 (HL7) Clinical Development Architecture (CDA)[HL7
CDA Release 2.0 2005], CEN EN 13606 EHRcom [CEN
prEN 13606-1 2004], and openEHR [8].
The security policy of the openEHR standard [1]
(which is possibly the closest currently to an internationally accepted standard) is as shown in figure 1.
EHR
EHR Access

CURRENT IMPLEMENTATION EXAMPLES OF

EHEALTH SYSTEMS:

audit

Smart Cards For Health

Taiwan: The Taiwanese smart card-based health IC card
[5] is designed to be a mobile data carrier held by the patient. Its personal information section carries the card
number and date of issuance in addition to the cardholders name, gender, date of birth, ID number and
photo. Its health insurance related information section
further registers major diseases, the number of visits and
admissions to medical institutions, the last menstruation period and pregnancy exams, along with the records
of the cardholders insurance premium and accumulated
medical expenditures and so on. Data stored on the smart
card is encrypted [22] for security purposes. A personal

audit

audit

EHR Status

Traditionally in all countries health care records are paper

based. But use of technology and smart cards for different
functions ranging from simple identification of patients
to a full record of an individuals health has been tested
and is in the process of implementation in many different
countries. Many countries have proposed to bring in such
cards and EPHRs and networked public health systems in
the next few years. Studies about the use of smart cards
for health have been conducted independently by different governments and non-governmental agencies. One
such study was carried out by Health Canada [16]. A
brief description of the security features in some existing
smart cards for health, and standards for electronic health
records is given below.

Demographics

Parties

audit

EHR
ehr_id

Directory
audit

audit
audit

Contributions

audit

audit

audit

commit audit
digital signature or hash
legend

Compositions

Fig. 1: Security Features of the openEHR EHR[1].

The general features of the security policy of the
openEHR are as listed below
Indelibility: health record information cannot be
deleted; logical deletion is achieved by marking the
data in such a way as to make it appear deleted (implemented in version control).
Audit trailing: All changes made to the EHR including content objects as well as the EHR status and access control objects are audit-trailed with
user identity, time-stamp, reason, optionally digital signature and relevant version information; one
exception is where the modifier is the patient,
in which case, a symbolic identifier can be used
(known as PARTY SELF in openEHR).
Anonymity: the content of the health record is separate from identifying demographic information.
This can be configured such that theft of the EHR

provides no direct clue to the identity of the owning patient (indirect clues are of course harder to
control). Stealing an identified EHR involves theft
of data from two servers, or even theft of two physical computers, depending on deployment configuration.
Versioning in the openEHR is its most basic security related feature for data integrity. All logical changes
and deletions as well as additions are therefore physically
implemented as new Versions rather than changes to existing information items. The openEHR also states that
there exists a possibility to digitally sign each Version.
Security in the openEHR is maintained by anonymity.
The EHR data are separate from the demographic records
as depicted in figure 1. A cross-reference database protected by means of encryption or other security mechanisms is used to relate the EHR to a demographic file.
The security mechanisms are left open to be decided by
the third party vendor who implements the network.
The implementation of smart cards for health listed
above represents just a small selection. Similarly the list
of the standards for EPHRs is representative only. The
advantages of smart cards for health and EPHRs are enormous but the chances of misuse also increase proportionally. With eHealth systems generating such controversy and debate across nations and populations including politicians, scientists, health officials and the general
public, we ask whether there can exist possible solutions
to the issues of ethics and patient ownership of the EPHR.
Since the security is mostly based on cryptographic techniques, we discuss the advantages and disadvantages of
most encryption mechanisms in the following section to
highlight the vulnerability of such systems under purposeful attacks or accidental error by legitimate health
personnel.
IS USE OF CRYPTOGRAPHY FOR PRIVACY
PROTECTION SUFFICIENT?
Cryptography or data encryption is widely used for preventing the misuse of data from unauthorised users. Security of the data is largely dependent on the technique
and key used to encrypt the data. The exact knowledge
of the encryption method and key is necessary to decrypt
the data. Algorithms such as RSA [19] rely on the size
of the key. The larger the key size, the better is the security provided. Since the key is a huge number, the authorised person will need to carry it in some form (written
or stored in some storage device or embedded in a smart
card).
Whilst basic data security across networks is adequately provided for through strong cryptographic means
for example, Diffie-Hellman, RSA [19], encrypted headers containing text details such as patient information are
attached to medical files. This is insecure and inappropriate. Since the header information is attached, the link
between medical data and patient details can occasionally get mangled by protocol converters [13]. What are
the consequences of attaching the wrong personal details

with a medical record, to the patient?

In addition, at some point the personal medical data is
decrypted and at that point becomes vulnerable to misuse.
What happens if a nurse with the key to view and alter all
the information forgets to log out and an intruder gets access to the health records? Will tracing the intruder or
health worker who has divulged this private information
onto the internet or unauthorised person for financial or
personal gain, and punishing him or her be a sufficient deterrent to other malicious people not attempting it? Will
this erase the emotional, social, financial pain caused to
the victim of this attack?
Hence, cryptographic means alone are never going to
provide sufficient protection to satisfy patient confidence
in the EPHR. Patient confidence in an eHealth system lies
not only on the privacy provided to the patient by the system, but also on authentication. Ensuring data is both
legally and medically appropriate to the potential user in
this case, the clinician, when data is transmitted over the
grid is important. The implications of treating a person
with the medical record of a different person are disastrous. Also the encrypted information does not provide
a clue to the amount of distortion the medical file has
undergone during transmission. Is there a mechanism to
authenticate the measure of originality of the file received
by the clinician?
DATA HIDING AND STEGANOGRAPHY
A complementary approach to data hiding involves
Steganography [6], the art of hiding data in plain sight,
which dates back centuries. Steganography is being actively investigated worldwide by commercial organizations for DRM (digital rights management) primarily in
audio and video for control purposes of downloaded media content. In the context of biopatterns, encoding key
patient information (such as patient name, address, genetic information or metadata) so that it is intimately integrated with the data could be a possible solution.
Embedded patient metadata could also be used to
verify data integrity and source, be used to track and
combine different biopatterns of a bioprofile distributed
across a HealthGrid through the use of distributed agents,
or be used to register access to data. Since the metadata is
embedded in the format of the medical file it is not visible to any user of the health network without the right key,
thus the personal details remain private incase of accidental or purposeful viewing of an EPHR by an unauthorised
person. Altering the embedded data without corrupting
the original data is not possible. Retrieval of the patient
details from a medical file authenticates that the medical
record actually belongs to this particular individual, indicating that the medical record is legally and medically
appropriate for use by the clinician. Inability of an authorised user with the right key and knowledge to obtain
this embedded information is a clear indication that the
medical file has been tampered. The amount of distortion to the embedded data gives the measure of distortion
undergone by the original medical record. Steganogra-

An Example:

Fig. 2: Two Tier Approach of Providing Security to Medical Records.

phy hence addresses some of the questions left open by

cryptography.
However practical steganographic techniques need to
be able to explore the tradeoff of robustness, imperceptibility and data rate. Robustness refers to the capability of
the embedded data to remain hidden from unauthorised
users. Malicious attacks wherein the embedded data is
distorted as seen in multimedia applications may be rare
in the medical domain. The intention of a malicious attacker will be to try to retrieve the embedded data as close
as possible to the actual data. Since medical records are
used for diagnosis, the embedded data should not significantly alter the original EEG, ECG or X-Ray. The embedded message should be imperceptible. The embedded
data should have enough information to correctly identify a record. Additionally extra details such as a record
of certain diagnoses relating to sexual or mental health
which needs to be private should become a part of the
metadata. In brief the metadata should not interfere with
the medical quality of the biopatterns, but still be able to
deliver an acceptable data rate whilst degrading smoothly
under transmission and other legitimate benign attacks.

In this example we show how different forms of medical

data can be used as the cover work and how varied rates
of the metadata can be embedded into the medical record.
We try to show how steganography techniques complement the traditional cryptography techniques. The twotier approach of cryptography (Level 1) and steganography (Level 2) shown in figure 2 has the possibility to resolve many of the conflicting arguments generated in the
implementation of an EPHR system.
A Sample Medical File: The following examples show
cases of hiding personal information into typical biomedical data as part of an individuals bioprofile.

Name: Mr. Xxx Xxxxxxxx

Sex : M
Age : 61yrs
Address: 23, 12th Floor,
New Regent Street,
Birmingham,
UK
NHS Number: AB123XXYZ01

Fig. 3: Personal Identification Details of Patient 1.

Steganographic Techniques:
Some preliminary work [20] [14] [12] [3] [17] [15] [21]
[4] [18] [7] has started to explore some of the possible trade-offs to assess the viability of this proposed approach to hiding intimate patient details. An example
of one such study and the results obtained is described
below. The embedding of the metadata, in this exemplar case the personal identification details of a patient,
can be done in the spatial domain of the cover work (the
medical record) or in the transform domain (the space
into which the medical record is transformed acts as the
cover). Though the representation of medical data is
mainly in the time domain, embedding the metadata in
the transformed domain helps resolve the issues involving localisation of the embedded data and fidelity of the
cover work (medical record).

Fig. 4: CT Result.
Consider as an example patient 1 whose personal
identification details are as shown in figure 3 and who
has undergone a CT scan figure 4 after an acute stroke.
The CT scan is used to show areas of abnormalities in
the brain, and determine if the abnormalities are caused
by insufficient blood flow (ischemic stroke), a ruptured
blood vessel (haemorrhage), or some other problem.
In the second example patient 2, presented in figure 5,
has an EEG, figure 6, taken to find evidence of epileptic
seizures.

Name: Miss Y
Sex : F
Age : 16yrs
Address: 35, High Ridge,
East Side,
Birmingham,
UK
NHS Number: CD342WUV87

Fig. 5: Personal Identification Details of Patient 2.

Fig. 7: CT Scan Image Embedded With Personal Details.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

3000

Scale
846
+

Fig. 6: EEG Test Result.

Level 1: Traditional Encryption:
Cryptographic techniques can be used to convert the
plain view personal details in figure 3 into a random binary message for example the age 61yrs is converted to
1000010100011110110000010111010100110 . . . .
Level 2: Embedding Encrypted Personal Details In A
Medical File:
Figure 4 shows the original CT Scan image and figure 7
is the resulting CT scan image obtained after embedding
the patient identification details in figure 3 (the encrypted
version of the data in figure 3 is used as the metadata).
Figure 8 depicts one of the channels of the EEG
shown in figure 6, channel 6. Figure 9 shows the result
of embedding the details of patient 2 shown in figure 5
(the encrypted version of the details is used as the metadata) into the single channel EEG. The distortion due to
the embedded binary WM to the unwatermarked EEG is
given by the Signal to Noise Ratio of the watermarked
EEG. The signal being the unwatermarked EEG and the
noise considered is the distortion due to the embedded binary watermark the SNR obtained is 38.55dB and figure

MEASUREMENT OF EEG ( v)

10 is a plot of the power spectrum of the unwatermarked

EEG superimposed on the power spectrum of the watermarked EEG with the difference between the two shown
below. Only clinically relevant frequencies below 25Hz
have been shown. The embedding process is observed to
be broadband and does not affect specific harmonics.

2000

1000

1000

2000

3000
0

4
6
DURATION OF EEG (seconds)

10

Fig. 8: Segment of Channel 6 Of The EEG.

As can be seen, the distortion to the original medical
file is minimal. The embedded message is imperceptible.
This shows that the embedded message will not lead to
a wrong diagnosis by the clinician. Since the message is
embedded into the original file, anybody who gains access to the medical file rightfully for purposes of research
or wrongfully with an intention of misusing the details
will not be able to see the details.
Data Rates
Figure 11 shows the CT Scan image in which most of
the Introduction section of this paper is embedded. (The
precise details of how the embedding is achieved is unimportant for the current purposes of this paper, and many
methods could be employed) and figure 12 is the EEG
with most of the text constituting the Introduction section
of this paper embedded into it.

MEASUREMENT OF EEG ( v)

3000

2000

1000

1000

2000

3000
0

4
6
DURATION OF EEG (seconds)

10

110

Fig. 11: CT Scan Image Embedded With Most of The

Introduction.
3000

Unwatermarked
Watermarked

100
90

MEASUREMENT OF EEG ( v)

Power Spectrum of EEG (dB)

Fig. 9: Segment of Channel 6 Of The EEG Embedded

With Personal Details.

80
70
60
0

0.01

0.02
0.03
Normalised Frequency (f/fs)

0.04

1.5
1
0.5

1000

1000

2000

0
0.5

2000

10

20
30
Number of Samples

40

50

Fig. 10: (a). 10log10 f () of EEG Before and After Message Embedding with f s = 512Hz. (b) Difference of the
two 10log10 f () shown in (a).
This shows that not only the details capable of identifying the owner of the records but also other information
such as who has accessed the record, portions of the medical history which need to be private and protected and
other relevant information can also be integrated into the
medical file. Though a significant portion of the Introduction section has been embedded the differences between
figure 4 and figure 11, and figure 8 and figure 12 cannot
be distinguished by the naked eye.
ADVANTAGE OF USING BOTH
CRYPTOGRAPHY AND STEGANOGRAPHY
As we have seen Steganography helps resolve some of the
issues which cannot be answered by Cryptography. Encrypting the personal details adds an extra level of security to the already secure system. Retrieval of the embedded message requires exact knowledge of both the keys
k1 and k2.
It is clearly observed that the embedded data causes
minimal distortion to the original data which is the main
criterion, since integrity of medical records are life-

3000
0

4
6
DURATION OF EEG (seconds)

10

Fig. 12: Segment of Channel 6 Of The EEG Embedded

With Most of The Introduction.
critical. Any significant alteration to the medical file
could result in severe consequences for the patient.
If the medical file itself undergoes any changes during transmission, the embedded message will also be distorted. Hence any processing of the medical file which
will considerably alter the medical file must be done prior
to the embedding. Similarly at the receiver, the embedded
message needs to be extracted from the received medical file before applying any signal processing techniques
that could distort the medical file. Signal processing techniques such as filtering, compression may cause minimal
errors in the embedded message, which can be prevented
by the use of error correcting codes or spreading of the
embedded binary message across the whole medical file
at the transmitter.
Exact retrieval of the embedded message can be an indication of the authenticity of the original file. An incorrectly retrieved message is a clear indication of the drastic
changes to the medical file being received. In this sense
we can consider a steganographic fragile watermarking
method. In a fragile watermarking method the watermark
(metadata) is vulnerable towards modifications. Small
changes to the original (the medical record) will destroy

the embedded information. Hence this hidden message is

a measure of authentication that the received medical file
is suitable for the purpose it has been transmitted.
An audit trail of who has accessed the medical file,
the reason for accessing the file, the date and time of access, optionally a digital signature and other relevant information can also be incorporated into the metadata of
the steganographic system. This is evident by figures 10
and 11 which have most of the Introduction embedded
into the CT scan, and a segment of one of the EEG channels respectively.
CONCLUSION
This paper is an attempt to resolve the conflict involving
the advantages of electronic patient records, e-Health systems and confidentiality, authentication and security of
the medical records. We have used two different types of
medical data: an image, and a time series, and shown how
a random sequence (the encrypted version of the personal
data) and actual text can be embedded into these medical
data exemplars. As shown in the experimental results,
significantly useful amounts of data can be easily embedded. We have discussed embedding in a CT scan image
and an EEG. Actual implementation details and recovery
of the embedded data, degradation of the message under
attack are not discussed as part of the paper. These details
are available from the references listed in the section on
Data Hiding and Steganography. Though the list is not
exhaustive, it represents a significant amount of interest
in Medical Steganography from academicians around
the world.
We also take this opportunity to propose that open
standards such as openEHR which are being studied
widely should consider steganographic techniques for security and authentication. Steganographic principles implemented at the very basic level such as Versioning
(integrating metadata into each Version of the EHR) can
provide better security to private personal data than cryptographic levels at a much higher level of the EHR.
ACKNOWLEDGMENTS
This work was partially supported by the EU BIOPATTERN Network of Excellence, under contract 508803.
The CT scan image is from the educational service of the
Stroke Center at Barnes-Jewish Hospital and Washington
University School of Medicine.

APPENDIX:
Algorithm 1: Algorithm to Embed a Message in
Biomedical Data
Problem: Embed a random binary string into a
biomedical signal/image. Inputs: Biomedical
signal/image (cover) c, message to be embedded
msg. Outputs: Watermarked cover data. void
DataEmbedding(cover data, msg) {
Input the cover data, msg;
if embedding in transform domain then
Apply tranform to cover data (FFT, DCT,
DWT, PCA, ICA);
end
Encrypt msg applying suitable encryption
algorithm (RSA, Diffie-Hellman) using key k1 to
obtain a random binary string m;
Embed m into c choosing suitable method (LSB,
QIM) to obtain watermarked cover x;
if message m embedded in tranform domain of
cover c then
Apply inverse transform to x to reconvert to
time domain;
end
}
Transmit the watermarked biomedical signal/
image;

Algorithm 2: Algorithm to Retrieve The

Embedded Message From The Received
Biomedical Data
Problem: Retrieve the embedded data from the
received biomedical signal/image if required at the
receiver. Inputs: Watermarked biomedical
signal/image (cover) x. Outputs: Embedded
message. void DataDecoding(watermarked cover)
{
Input the watermarked cover;
if embedded message required then
if message embedded in transform domain then
Apply tranform used at embedder (FFT,
DCT, DWT, PCA, ICA);
end
Apply inverse of embedding method (LSB,
QIM) to obtain the estimate of embedded
binary string m;

Decrypt m
applying encryption algorithm
(RSA, Diffie-Hellman) used at encoder using
key k1 to obtain estimate message msg;

Verify the decrypted message;

else
Process biomedical signal/image for further
use;
end
}

REFERENCES
[1] Copyright
openEHR
Foundation
2001-2006
www.openEHR.org.
[2] International guidelines for ethical review of epidemiological studies. Council for International Organizations
of Medical Sciences, 1991.
[3] U. R. Archarya, D. Anand, P. S. Bhat, and U. C. Niranjan.
Compact storage of medical images with patient information. IEEE Transactions on Information Technology in
Biomedicine, 5:320323, December 2001.
[4] H. Chao, C. Hsu, and S. Miaou. A data hiding technique with authentication, integration, and confidentiality
for electronic patient records. IEEE Transactions on Information Technology in Biomedicine, 6(1):4653, March
2002.
[5] C. S. Chuang. Human rights concern in an information
society-thoughts on personal data protection in taiwan.
The World Summit on the Information Society.Asian Regional Conference, pages 277315, January 2003.
[6] I. J. Cox, M. L. Miller, and J. A. Bloom. Applications
and properties. In Digital Watermarking, pages 1139.
Morgan Kaufmann Publishers, 2002.
[7] S. Dandapat, O. Chutatape, and S. M. Krishnan. Perceptual model based data embedding in medical images. Proceedings of International Conference on Image Processing (ICIP), 4:23152318, October 2004.
[8] M. Eichelberg, T. Aden, J. Reismeier, A. Dogac, and
G. B. Laleci. A survey and analysis of electronic
healthcare record standards. ACM Computing Surveys,
37(4):277315, December 2005.
[9] R. Gertz. An analysis of the icelandic supreme court
judgement on the health sector database act. 1:2 SCRIPTed 241, 2004.
[10] J. R. Gulcher and K. Stefansson. The icelandic healthcare
database and informed consent. N Engl J Med, page 342
1827, 2000.
[11] A. Kalja, A. Reitsakas, and N. Saard. egovernment in
estonia: Best practices. IEEE Journal Technologay Management: A Unifying Discipline for Melting The Boundaries, pages 500 506, 31 July-4 Aug 2005.
[12] X. Kong. Watermarking medical signals for telemedicine.
IEEE Transactions on Information Technology in
Biomedicine, 5(3):195201, September 2001.
[13] B. Macq and F. Dewey. Trusted headers for medical images. DFG VIII - D II Watermarking Workshop, October
1999.
[14] B. R. Matam and D. Lowe. Steganography, biopatterns
and independent components. Proceedings of the 7th International Conference on Mathematics in Signal Processing, pages 206209, December 2006.
[15] J. Nayak, U. R. Archarya, P. S. Bhat, and U. C. Niranjan. Simultaneous storage of medical images in the spatial and frequency domain: a comparative study. Biomedical Engineering Online. availabe http://www.biomedicalengineering-online.com/content/3/1/17.
[16] O. of Health and H. C. the Information Highway. International activities toward electronic health records: Unique
identification and pki. September 1998.
[17] B. M. Planitz and A. J. Maeder. Medical image watermarking: A study on image degradation. Proceedings of
the Australian Pattern Recognition Society (APRS) Workshop on Digital Image Computing (WDIC 2005), Brisbane, Australia, pages 38, February 2005.

[18] B. M. Planitz and A. J. Maeder. A study of block-based

medical image watermarking using a perceptual similarity metric. Proceedings of the Digital Image Computing:
Techniques and Applications (DICTA 2005), pages 483
490, December 2005.
[19] W. Stallings. In Cryptography and Network Security
Principles and Practice. Pearson Education International,
2003.
[20] B. Toch and D. Lowe. Watermarking of medical signals. Proceedings of the 2nd International Conference on
Computational Intelligence in Medicine and Healthcare,
pages 231236, July 2005.
[21] C. Woo, J. Du, and B. Pham. Multiple watermark method
for privacy control and tamper detection in medical images. Proceedings APRS Workshop on Digital Image
Computing (WDIC 2005), pages 5964, December 2005.
[22] www.martsoft.com/reference/healthcare/tw nhi 2003Sep.pdf.