Requirements for Integrating End-to-End Security into Large-Scale EHR Systems
12 Pages Posted: 19 Jun 2014
Date Written: June 23, 2014
Abstract
Electronic Health Records (EHR) are becoming a growing trend in the healthcare industry. Especially when applied across healthcare organizations, EHRs provide benefits such as financial incentives and a more complete view of a patient’s history. However, they also face security issues regarding the confidentiality and privacy of the patients’ data, especially when the EHRs are stored at third-party providers or in the cloud. In general, confidentiality can be ensured by using cryptographic mechanisms or access control. Unfortunately, both techniques diminish the usability of the EHR if they are applied straightforwardly. Privacy and confidentiality have to be ensured in a way that does not restrict usability, as restricting usability reduces the benefits of the EHR. This paper presents experiences from a requirements analysis we made during ongoing projects. We summarize the requirements for integrating end-to-end confidentiality into large-scale EHR systems in a usable fashion. In particular, we show (i) which data granularity is useful to be encrypted without interfering with access control, (ii) requirements for an authorization mechanism to access encrypted data, (iii) a privacy classification of typical metadata in EHRs, and (iv) interoperability issues that must be solved to allow for secure and usable EHR implementations.