Requirements for Integrating End-to-End Security into Large-Scale EHR Systems
12 Pages Posted: 19 Jun 2014
Date Written: June 23, 2014
Electronic Health Records (EHRs) are a growing trend in the healthcare industry. Especially when applied across healthcare organizations, EHRs provide benefits such as financial incentives and a more complete view of a patient's history. However, they also face security issues regarding the confidentiality and privacy of the patients' data, especially when the EHRs are stored at third-party providers or in the cloud. In general, confidentiality can be ensured by using cryptographic mechanisms or access control. Unfortunately, both techniques diminish the usability of the EHR if they are applied straightforwardly. Privacy and confidentiality have to be ensured in a way that does not restrict usability, since restricting usability reduces the benefits of the EHR. This paper presents experiences from a requirements analysis we made during ongoing projects. We summarize the requirements for integrating end-to-end confidentiality into large-scale EHR systems in a usable fashion. In particular, we show (i) which data granularity is useful to be encrypted without interfering with access control, (ii) requirements for an authorization mechanism to access encrypted data, (iii) a privacy classification of typical metadata in EHRs, and (iv) interoperability issues that must be solved to allow for secure and usable EHR implementations.