A Criticism of the Current Security, Privacy and Accountability Issues in Electronic Health Records

Cryptography has been widely accepted for security and, in part, for privacy control, as past works show. However, many of these works did not provide a way to manage cryptographic keys effectively, especially in EHR applications; this is the Achilles heel of the cryptographic techniques currently proposed. Accountability for legitimate users has also received little attention, and only a few works considered it in EHR. Unless a different approach is used, the reliance on cryptography and on password- or escrow-based systems for key management will impede trust in the system and hence its acceptability. Users with rightful access should also be monitored without affecting the clinician workflow. This paper presents a detailed review of selected recent approaches to ensuring security, privacy and accountability in EHR, and identifies gaps for future research.
