
Although PHR systems may indeed promote communication between patients and their healthcare providers, they also generate new security and privacy issues (Win et al., 2006; Kaelber et al., 2008; Avancha et al., 2012). One of the greatest concerns of patients in every type of electronic healthcare application, PHRs included, is the security and privacy of their health records (Win et al., 2006; Kaelber et al., 2008; Zheng, 2011). For example, a working group sponsored by the Markle Foundation conducted a consumer survey of PHR systems, and ninety-one percent of the respondents reported that they were "very concerned" about the privacy and security of their personal health records (Markle Foundation, 2003).

[Figure 3.7: CCR/CDA File. Labels in the figure: Clinic Charts, Inpatient Notes, PHR, EHRs; XML; Document, Data; Flexible Expression of Structured Data.]

Given that the focus of this section is on the privacy and security of PHR systems, it is essential to define both terms clearly within the context of healthcare. The National Committee on Vital and Health Statistics (NCVHS) described privacy as the user's right to "control the acquisition, uses or disclosures of his or her identifiable health data. Confidentiality, which is closely related, refers to the obligations of those who receive information to respect the privacy interests of those to whom the data relate. Security is altogether different. It refers to physical, technological, or administrative safeguards or tools used to protect identifiable health data from unwarranted access or disclosure" (Cohn, 2006).

As in any other electronic healthcare application, privacy is one of the greatest concerns of patients in PHR systems (Win et al., 2006; Avancha et al., 2012). PHR systems support a wide range of health-related functions, such as sharing personal health records with healthcare providers (to support the patient-doctor relationship), enabling patients with chronic conditions to follow their progress over time, and encouraging good health practices (Kaelber et al., 2008). In such settings, privacy becomes a complex issue: patients need fine-grained control over the dissemination of, and access to, their personal health records (Markle Foundation, 2003).

Avancha et al. (2012) identified and described three types of threats12 to PHRs: (1) identity threats (misuse of patient identities), (2) access threats (unauthorised access to the PHR) and (3) disclosure threats (unauthorised disclosure of the PHR). When any of these threats is realised in a PHR system, the consequence may be the exposure of identifiable personal health data, which can lead to loss of reputation, harm to health or even death.

There are two main concerns related to a patient's identity. First, the patient may lose his/her identity credentials, enabling unauthorised users to access the patient's PHR. This compromises the patient's privacy, since unauthorised users may read, modify or even disclose the patient's health records. Second, insiders may use a patient's identity for medical fraud or malicious damage. In the following sections, the researcher reviews literature on authentication and on cryptographically enforced access control methods that preserve patients' privacy.

3.12.1 Authentication Methods

In healthcare settings, authentication is the process of determining whether (1) the person being identified is the legitimate patient, (2) those accessing the medical records are the authorised provider(s), and (3) the patient's health records are being sent to the authentic PHR system(s). Authentication is a foundational technology that affects patients' privacy. Without authentication, PHR systems cannot provide correct patient information and controls. Authentication failures expose health records to disclosure and/or modification. Poor authentication interfaces can also be troublesome, because they encourage unsafe user behaviours such as password sharing (Avancha et al., 2012).

12 A threat to user privacy is the possibility that the user's right to control his/her PHR is weakened or eliminated by erroneous or malicious actions.

Studies conducted by Citizenship and Immigration Canada (2003) and Furnell and Dowland (2000) found that user IDs and passwords are the most widely used authentication method, and that they are often rated highly in terms of user acceptability. The method does not require patients to carry any extra hardware device, and passwords can be changed at the user's choice. PHR systems that deploy user IDs and passwords include Microsoft's HealthVault and PHRAnywhere. First-time users register for the service and the system verifies the data they enter against information provided by the employer. Members are then issued a user ID and password, which they use for subsequent log-ins. In addition, users can sign in with OpenID accounts, some of which add a second authentication factor in the form of a physical USB key. The convenience of passwords is also their weakness: a lost or shared password is exactly the identity threat described above, since whoever holds it can read, modify or disclose the patient's records, which is why a second factor matters.
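The registration-then-login flow described above, as an added example that is not code from HealthVault, PHRAnywhere or this thesis: a Go credential store that keeps only a salted PBKDF2-HMAC-SHA256 verifier per user ID and checks a login in constant time. The `pbkdf2-sha256$iterations$salt$hash` storage string, the 16-byte random salt, the 12-character minimum, and the user IDs and passphrases are all constructed for the example; the identity check against employer-supplied data that precedes issuing credentials is assumed to have already happened and is out of scope.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// pbkdf2SHA256 is PBKDF2 with HMAC-SHA256 (RFC 8018, section 5.2) written out so the
// block needs only the standard library; a deployment would use a vetted implementation.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	out := make([]byte, 0, keyLen)
	for block := uint32(1); len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write(binary.BigEndian.AppendUint32(nil, block))
		u := prf.Sum(nil)              // U_1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...) // T_block = U_1 xor U_2 xor ... xor U_c
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_i = PRF(P, U_{i-1})
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// Store holds one verifier per user ID; the password itself is never kept.
type Store struct {
	iterations int
	users      map[string]string
}

// NewStore sets the work factor (OWASP currently recommends 600,000 for PBKDF2-HMAC-SHA256).
func NewStore(iterations int) *Store {
	return &Store{iterations: iterations, users: map[string]string{}}
}

// Register issues a verifier for a new member. Checking the member's identity against
// employer-supplied data, as described above, is assumed to have happened already.
func (s *Store) Register(userID, password string) error {
	if _, taken := s.users[userID]; taken {
		return errors.New("user ID already registered")
	}
	if len(password) < 12 { // length policy; 12 is this example's choice
		return errors.New("password must be at least 12 characters")
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	hash := pbkdf2SHA256([]byte(password), salt, s.iterations, 32)
	s.users[userID] = fmt.Sprintf("pbkdf2-sha256$%d$%s$%s", s.iterations, hex.EncodeToString(salt), hex.EncodeToString(hash))
	return nil
}

// Authenticate recomputes the verifier and compares in constant time. An unknown ID costs
// the same PBKDF2 run as a wrong password, so the login form does not reveal valid IDs.
func (s *Store) Authenticate(userID, password string) bool {
	encoded, ok := s.users[userID]
	if !ok {
		pbkdf2SHA256([]byte(password), make([]byte, 16), s.iterations, 32)
		return false
	}
	parts := strings.Split(encoded, "$")
	if len(parts) != 4 || parts[0] != "pbkdf2-sha256" {
		return false
	}
	iters, errIters := strconv.Atoi(parts[1])
	salt, errSalt := hex.DecodeString(parts[2])
	want, errHash := hex.DecodeString(parts[3])
	if errIters != nil || iters < 1 || errSalt != nil || errHash != nil {
		return false
	}
	got := pbkdf2SHA256([]byte(password), salt, iters, len(want))
	return subtle.ConstantTimeCompare(got, want) == 1
}

func main() {
	s := NewStore(600_000)
	if err := s.Register("member-001", "correct horse battery staple"); err != nil {
		panic(err)
	}
	fmt.Println("right password:", s.Authenticate("member-001", "correct horse battery staple"))
	fmt.Println("wrong password:", s.Authenticate("member-001", "Correct horse battery staple"))
}
```

The unknown-user path deliberately performs the same PBKDF2 computation before returning false; without it, response time alone would tell an attacker which user IDs exist, which is the first step towards the identity threats discussed above. Storing the iteration count with each verifier lets the work factor be raised later without invalidating existing members.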

Other companies, such as Fujitsu, use a biometric tool called PalmSecure to provide authentication to PHRs (Moore, 2009).

3.12.2 Public Key Infrastructure (PKI) for Authentication

Public Key Infrastructure is mainly used with smartcards (Dwivedi et al., 2003; Sax, Kohane, & Mandl, 2005). The smartcard stores the user's certificate, issued by the PKI provider, together with the associated private key and other relevant information, in order to provide robust user authentication (Dwivedi et al., 2003). Smartcards are widely used in healthcare, mostly in Germany, France and Belgium (Cross, 2000; Dwivedi et al., 2003). Healthcare providers use a combination of smartcards and PKI technology to generate patients' prescriptions electronically (Dwivedi et al., 2003). In addition, PKI technologies make it possible to generate a unique digital signature for each healthcare professional and for each patient record (Petrogiannis, 1999).

Although PKI offers robust user authentication and strong digital signature support, there are a number of obstacles to consider. First, there is the pre-enrolment problem: users (sender and recipient) must each hold a certificate before communication can take place. In an environment where patients do not have specific healthcare provider(s), this may not be possible. Second, the sender must obtain the recipient's certificate, which is published via a directory; this introduces problems of trust and information leakage (Housley & Polk, 2001). Finally, while the binding between certificate and identity was true at the time of issuance, there is no guarantee that it remains true after that single point in time. The sender should therefore confirm the validity of the recipient's certificate before sending encrypted data. This is the certificate revocation problem (Voltage Security report, 2013).

The certificate revocation problem has existed for many years. Before communication takes place, potential senders must be able to obtain, and ascertain the validity of, the certificates of all potential recipients. Even if the recipients have certificates, the validity of those certificates must be determined before the data is sent. Approaches to checking certificate status have been either to deploy an online certificate status server (an OCSP responder), which every sender must query, or to publish certificate revocation lists (CRLs), which must be updated frequently. In both cases the servers must be online at all times in order to validate the status of recipients' certificates; a verifier that cannot reach either source faces a choice between refusing to proceed and accepting a certificate that may already have been revoked. All these requirements add complexity to the key management processes.
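Both the smartcard and PKI signing of records in section 3.12.2 and the revocation checks just described, as an added example that is not drawn from this thesis or from the systems it cites: a Go program (standard library only, Go 1.21 or later) in which a self-signed root stands in for the PKI provider, issues a clinician certificate, signs a constructed prescription record, and then verifies the record the way a recipient should, checking the chain as of the verification time, that the CRL is CA-signed and still fresh, that the signer's serial is not on it, and only then the signature itself. ECDSA P-256, the one-hour CRL lifetime, the serial numbers, the names and the record contents are all assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must panics on setup errors; in this demo they are bugs, not inputs to handle.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a P-256 key pair and has parent sign tmpl for it. A nil parent
// means self-signed, which here stands in for the PKI provider's root CA.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// issueCRL has the CA publish a revocation list that is good for one hour.
func issueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked []x509.RevocationListEntry, now time.Time) *x509.RevocationList {
	der := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour), RevokedCertificateEntries: revoked,
	}, ca, caKey))
	return must(x509.ParseRevocationList(der))
}

// verifyRecord is the recipient's side: chain to the CA as of now, a fresh CA-signed
// CRL that does not list the signer, and only then the signature over the record.
func verifyRecord(ca, signer *x509.Certificate, crl *x509.RevocationList, record, sig []byte, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := signer.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		return fmt.Errorf("certificate chain: %w", err)
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL signature: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return errors.New("CRL is stale: revocation status unknown, do not send")
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(signer.SerialNumber) == 0 {
			return errors.New("signer certificate has been revoked")
		}
	}
	pub, ok := signer.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(record)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match record")
	}
	return nil
}

// runScenario returns the verdict for a genuine record, a record altered after signing,
// a signer whose certificate was revoked, and a check made after the CRL has expired.
func runScenario() (valid, tampered, revoked, staleCRL error) {
	now := time.Now()
	ca, caKey := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Health PKI CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(48 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	clinician, clinicianKey := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "Dr Example (clinician smartcard)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
	}, ca, caKey)
	// Constructed sample prescription; the smartcard signs its SHA-256 digest.
	record := []byte(`{"patient":"P-0001","drug":"amoxicillin","dose":"500mg"}`)
	digest := sha256.Sum256(record)
	sig := must(ecdsa.SignASN1(rand.Reader, clinicianKey, digest[:]))
	altered := []byte(`{"patient":"P-0001","drug":"amoxicillin","dose":"5000mg"}`) // dose changed after signing
	goodCRL := issueCRL(ca, caKey, nil, now)
	revokingCRL := issueCRL(ca, caKey, []x509.RevocationListEntry{{SerialNumber: clinician.SerialNumber, RevocationTime: now}}, now)
	return verifyRecord(ca, clinician, goodCRL, record, sig, now),
		verifyRecord(ca, clinician, goodCRL, altered, sig, now),
		verifyRecord(ca, clinician, revokingCRL, record, sig, now),
		verifyRecord(ca, clinician, goodCRL, record, sig, now.Add(2*time.Hour))
}

func main() {
	v, t, r, s := runScenario()
	fmt.Printf("valid: %v\ntampered: %v\nrevoked: %v\nstale CRL: %v\n", v, t, r, s)
}
```

Running it reports no error for the genuine record and an error for the other three cases. The stale-CRL case is the practical form of the revocation problem above: once NextUpdate has passed the verifier cannot tell whether the clinician's card was revoked in the meantime, and the safe answer is to refuse rather than to proceed on the last list it saw. The same structure applies when an OCSP responder replaces the CRL; only the freshness and lookup steps change.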
