Verifiable and Redactable Medical Documents

This paper considers how to verify the provenance and integrity of data in medical documents that are exchanged in a distributed system of health IT services. Provenance refers to the sources of the health information within the document, and integrity means that the information was not modified after the source generated it. Our approach allows intermediate parties to redact the document by removing information that they do not wish to reveal. For example, patients can store verifiable health information and provide subsets of it to third parties, while redacting sensitive information that they do not wish employers, insurers, or others to receive. Our method uses a cryptographic primitive known as a redactable signature. We study practical issues and performance impacts of building, redacting, and verifying Continuity of Care Documents (CCDs) that are protected with redactable signatures. Results show that manipulating redactable CCDs provides superior security and privacy with little computational overhead.
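As an added illustration that is not part of the paper (the abstract does not give the authors' construction), the build/redact/verify cycle described above in the salted-hash style of redactable signature: the signer salts and hashes each document section, signs the digest of all leaf hashes, and a holder redacts a section by replacing its salt and content with the leaf hash alone, so the signature still verifies over what remains. A Lamport one-time signature stands in for whatever conventional signature scheme the signer would use, and the section contents are constructed sample data.

```python
import hashlib
import os
import secrets


def H(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts, so concatenation is unambiguous."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()


# Lamport one-time signature: a stand-in for the signer's ordinary signature.
def lamport_keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def lamport_sign(sk, digest: bytes):
    bits = int.from_bytes(digest, "big")
    return [sk[i][(bits >> (255 - i)) & 1] for i in range(256)]


def lamport_verify(pk, digest: bytes, sig) -> bool:
    bits = int.from_bytes(digest, "big")
    return all(H(s) == pk[i][(bits >> (255 - i)) & 1] for i, s in enumerate(sig))


# Redactable signature over an ordered list of document sections.
def sign_document(sk, sections):
    """Signer: salt each section so a redacted low-entropy value (e.g. a test
    result) cannot be recovered by guessing, then sign the digest of all leaves."""
    entries = [(secrets.token_bytes(16), c) for c in sections]
    leaves = [H(salt, c.encode()) for salt, c in entries]
    return {"entries": entries, "sig": lamport_sign(sk, H(*leaves))}


def redact(doc, index):
    """Holder: hide one section, keeping only its leaf hash (no signer needed).
    The number and order of sections still leaks; this toy does not hide structure."""
    entries = list(doc["entries"])
    if not isinstance(entries[index], bytes):   # already redacted: nothing to do
        salt, c = entries[index]
        entries[index] = H(salt, c.encode())
    return {"entries": entries, "sig": doc["sig"]}


def verify(pk, doc) -> bool:
    """Verifier: rebuild the root from revealed and redacted leaves alike."""
    leaves = [e if isinstance(e, bytes) else H(e[0], e[1].encode()) for e in doc["entries"]]
    return lamport_verify(pk, H(*leaves), doc["sig"])
```

Any edit to a revealed section, or any attempt to un-redact a hidden one with guessed content, changes the recomputed root and the signature check fails.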
