Consolidated List of Requirements

This document is a consolidated catalogue of requirements for the Electronic Health Care Record (EHCR) and Electronic Health Care Record Architecture (EHCRA), gleaned largely from work done in the EU Framework III and IV programmes and CEN, but also including input from other sources including world-wide standardisation initiatives. The document brings together the relevant work done into a classified inventory of requirements to inform the on-going standardisation process as well as act as a guide to future implementation of EHCRA-based systems. It is meant as a contribution both to understanding of the standard and to the work that is being considered to improve the standard. Major features include the classification into issues affecting the Health Care Record, the EHCR, EHCR processing, EHCR interchange and the sharing of health care information and EHCR systems. The principal information sources are described briefly. It is offered as documentation that is complementary to the four documents of the ENV 13606 Parts I-IV produced by CEN Pts 26,27,28,29. The requirements identified and classified in this deliverable are referenced in other deliverables

How to break access control in a controlled manner

The Electronic Medical Record (EMR) integrates heterogeneous information within a Healthcare Institution stressing the need for security and access control. The Biostatistics and Medical Informatics Department from Porto Faculty of Medicine has recently implemented a Virtual EMR (VEMR) in order to integrate patient information and clinical reports within a university hospital. With more than 500 medical doctors using the system on a daily basis, an access control policy and model were implemented. However, the healthcare environment has unanticipated situations (i.e. emergency situations) where access to information is essential. Most traditional policies do not allow for overriding. A policy that allows for Break-The-Glass (BTG) was implemented in order to override access control whilst providing for non-repudiation mechanisms for its usage. The policy was easily integrated within the model confirming its modularity and the fact that user intervention in defining security procedures is crucial to its successful implementation and use

Audit-based Compliance Control (AC2) for EHR Systems

Traditionally, medical data is stored and processed using paper-based files. Recently, medical facilities have started to store, access and exchange medical data in digital form. The drivers for this change are mainly demands for cost reduction, and higher quality of health care. The main concerns when dealing with medical data are availability and confidentiality. Unavailability (even temporary) of medical data is expensive. Physicians may not be able to diagnose patients correctly, or they may have to repeat exams, adding to the overall costs of health care. In extreme cases availability of medical data can even be a matter of life or death. On the other hand, confidentiality of medical data is also important. Legislation requires medical facilities to observe the privacy of the patients, and states that patients have a final say on whether or not their medical data can be processed or not. Moreover, if physicians, or their EHR systems, are not trusted by the patients, for instance because of frequent privacy breaches, then patients may refuse to submit (correct) information, complicating the work of the physicians greatly. \ud \ud In traditional data protection systems, confidentiality and availability are conflicting requirements. The more data protection methods are applied to shield data from outsiders the more likely it becomes that authorized persons will not get access to the data in time. Consider for example, a password verification service that is temporarily not available, an access pass that someone forgot to bring, and so on. In this report we discuss a novel approach to data protection, Audit-based Compliance Control (AC2), and we argue that it is particularly suited for application in EHR systems. In AC2, a-priori access control is minimized to the mere authentication of users and objects, and their basic authorizations. More complex security procedures, such as checking user compliance to policies, are performed a-posteriori by using a formal and automated auditing mechanism. To support our claim we discuss legislation concerning the processing of health records, and we formalize a scenario involving medical personnel and a basic EHR system to show how AC2 can be used in practice. \ud \ud This report is based on previous work (Dekker & Etalle 2006) where we assessed the applicability of a-posteriori access control in a health care scenario. A more technically detailed article about AC2 recently appeared in the IJIS journal, where we focussed however on collaborative work environments (Cederquist, Corin, Dekker, Etalle, & Hartog, 2007). In this report we first provide background and related work before explaining the principal components of the AC2 framework. Moreover we model a detailed EHR case study to show its operation in practice. We conclude by discussing how this framework meets current trends in healthcare and by highlighting the main advantages and drawbacks of using an a-posteriori access control mechanism as opposed to more traditional access control mechanisms

Electronic health records to facilitate clinical research

Electronic health records (EHRs) provide opportunities to enhance patient care, embed performance measures in clinical practice, and facilitate clinical research. Concerns have been raised about the increasing recruitment challenges in trials, burdensome and obtrusive data collection, and uncertain generalizability of the results. Leveraging electronic health records to counterbalance these trends is an area of intense interest. The initial applications of electronic health records, as the primary data source is envisioned for observational studies, embedded pragmatic or post-marketing registry-based randomized studies, or comparative effectiveness studies. Advancing this approach to randomized clinical trials, electronic health records may potentially be used to assess study feasibility, to facilitate patient recruitment, and streamline data collection at baseline and follow-up. Ensuring data security and privacy, overcoming the challenges associated with linking diverse systems and maintaining infrastructure for repeat use of high quality data, are some of the challenges associated with using electronic health records in clinical research. Collaboration between academia, industry, regulatory bodies, policy makers, patients, and electronic health record vendors is critical for the greater use of electronic health records in clinical research. This manuscript identifies the key steps required to advance the role of electronic health records in cardiovascular clinical research

NEOREG : design and implementation of an online neonatal registration system to access, follow and analyse data of newborns with congenital cytomegalovirus infection

Today's registration of newborns with congenital cytomegalovirus (cCMV) infection is still performed on paper-based forms in Flanders, Belgium. This process has a large administrative impact. It is imortant that all screening tests are registered to have a complete idea of the impact of cCMV. Although these registrations are usable in computerised data analysis, these data are not available in a format to perform electronic processing. An online Neonatal Registry (NEOREG) System was designed and developed to access, follow and analyse the data of newborns remotely. It allows patients' diagnostic registration and treatment follow-up through a web interface and uses document forms in Portable Document Format (PDF), which incorporate all the elements from the existing forms. Forms are automatically processed to structured EHRs. Modules are included to perform statistical analysis. The design was driven by extendibility, security and usability requirements. The website load time, throughput and execution time of data analysis were evaluated in detail. The NEOREG system is able to replace the existing paper-based CMV records

Secure spontaneous emergency access to personal health record

We propose a system which enables access to the user's Personal Health Record (PHR) in the event of emergency. The access typically occurs in an ad-hoc and spontaneous manner and the user is usually unconscious, hence rendering the unavailability of the user's password to access the PHR. The proposed system includes a smart card carried by the user at all time and it is personalized with a pseudo secret, an URL to the PHR Server, a secret key shared with the PHR Server and a number of redemption tokens generated using a hash chain. In each emergency session, a one-time use redemption token is issued by the smart card, allowing the emergency doctor to retrieve the user's PHR upon successful authentication of his credentials and validation of the redemption token. The server returns the PHR encrypted with a one-time session key which can only be decrypted by the emergency doctor. The devised interaction protocol to facilitate emergency access to the user's PHR is secure and efficient

Designing privacy for scalable electronic healthcare linkage

A unified electronic health record (EHR) has potentially immeasurable benefits to society, and the current healthcare industry drive to create a single EHR reflects this. However, adoption is slow due to two major factors: the disparate nature of data and storage facilities of current healthcare systems and the security ramifications of accessing and using that data and concerns about potential misuse of that data. To attempt to address these issues this paper presents the VANGUARD (Virtual ANonymisation Grid for Unified Access of Remote Data) system which supports adaptive security-oriented linkage of disparate clinical data-sets to support a variety of virtual EHRs avoiding the need for a single schematic standard and natural concerns of data owners and other stakeholders on data access and usage. VANGUARD has been designed explicit with security in mind and supports clear delineation of roles for data linkage and usage