Purpose: E-health enables the sharing of patient-related data whenever and wherever necessary. Electronic health records (EHRs) promise to improve communication between health care providers, thus leading to better quality of patients' treatment and reduced costs. However, as highly sensitive patient information provides a promising goal for attackers and is also frequently demanded by insurance companies and employers, there is increasing social and political pressure regarding the prevention of health data misuse. This work addresses this problem and introduces a methodology that protects health records from unauthorized access and lets the patient as data owner decide who the authorized persons are, i.e., who the patient discloses her health information to. Therefore, the methodology prevents data disclosure that negatively influences the patient's life (e.g., by being denied health insurance or employment).
Methods: This research uses a combination of conceptual-analytical, artifact-building and artifact-evaluating research approaches. The article starts with a detailed exploration of existing privacy protection mechanisms, such as encryption, anonymization and pseudonymization, by comparing and analyzing related work (conceptual-analytical approach). Based on these results and the identified shortcomings, a pseudonymization methodology is defined and evaluated by means of a threat analysis. Finally, the research results are validated with the design and implementation of a prototype (artifact building and artifact evaluation).
Results: This paper presents a new methodology for the pseudonymization of medical data that stores health data decoupled from the corresponding patient-identifying information, allowing privacy-preserving secondary use of the health records in clinical studies without additional anonymization steps. In contrast to clinical studies, where it is not necessary to identify the individual participants, insurance companies and employers are interested in the health status of individuals such as potential insurance or job applicants. In this case, pseudonymized records are practically useless for these parties as the patient controls who is able to reestablish the link between health records and patient for primary use - usually only trusted health care providers.
Conclusions: The framework provides health care providers with a unique solution that guarantees data privacy (e.g., according to HIPAA) and allows primary and secondary use of the data at the same time. The security analysis showed that the methodology is secure and protected against common intruder scenarios.
Copyright © 2010 Elsevier Ireland Ltd. All rights reserved.