3 research outputs found

    On the use of OpenEHR in a portable PHR

    Quality medical acts rely on patient medical information. With paper records, the responsibility of gathering the disparate information and making it available to the caregivers falls exclusively upon the patient. This still is, to a great extent, the case with electronic health documents. The consensus is that the advantages of patient involvement in his own health are numerous. With the advent of recent technologies and their deployment in healthcare, new ways of involving the patient and making him an active part of his own health are possible. Electronic Health Records (EHR) and especially Personal Health Records (PHR) are important tools for patient empowerment, but data population and management through non-intuitive structured forms is time consuming, takes a great amount of effort, and can be deterring, especially for people who are not very computer-oriented. PHRs can be simple and scalable applications that the patient uses to get started and afterwards evolve towards complexity. In any case, compliance with standards must be accomplished. In this paper we present a PHR that is simple to use, implemented on a USB Flash pen for mobility, and compliant with the openEHR specification. Our model builds on openEHR and adds security and privacy features, allows patient data management and can work as an information repository.

    A systematic literature review on security and privacy of electronic health record systems: technical perspectives

    Abstract. Background: Even though many safeguards and policies for electronic health record (EHR) security have been implemented, barriers to the privacy and security protection of EHR systems persist. Objective: This article presents the results of a systematic literature review regarding frequently adopted security and privacy technical features of EHR systems. Method: Our inclusion criteria were full articles that dealt with the security and privacy of technical implementations of EHR systems published in English in peer-reviewed journals and conference proceedings between 1998 and 2013; 55 selected studies were reviewed in detail. We analysed the review results using two International Organization for Standardization (ISO) standards (29100 and 27002) in order to consolidate the study findings. Results: Using this process, we identified 13 features that are essential to security and privacy in EHRs. These included system and application access control, compliance with security requirements, interoperability, integration and sharing, consent and choice mechanism, policies and regulation, applicability and scalability and cryptography techniques. Conclusion: This review highlights the importance of technical features, including mandated access control policies and consent mechanisms, to provide patients' consent, scalability through proper architecture and frameworks, and interoperability of health information systems, to EHR security and privacy requirements.

    A secure and collaborative architecture for electronic health records with mobility support

    PhD in Informatics

    Over the last decades, electronic health records (EHR) have been evolving to adapt to new requirements. Citizens have become increasingly involved in the delivery of medical care, being more proactive and wishing to make fuller use of their record. Citizen mobility brought further challenges: scattered data, heterogeneity of systems and formats, and great difficulty in sharing and communication between service providers. To respond to these requirements, several solutions appeared, mostly based on agreements between institutions, regions and countries. These approaches usually rest on very complex federated scenarios that are outside the patient's control. More recent approaches, such as personal health records (PHR), allow patient control but raise doubts among clinical professionals about the clinical integrity of the information. In this scenario the data leave controlled networks and systems, increasing the information security risk. New solutions are therefore needed that allow trustworthy collaboration between the various actors and systems. This thesis presents a solution that allows open and secure collaboration between all the actors involved in healthcare. It is based on a service-oriented architecture that handles clinical information using the closed envelope concept. It was modeled following the principles of minimal functionality and privileges, with the purpose of protecting data during transmission, processing and storage. Access control is established by policies defined by the patient. Electronic identification cards, or similar certificates, are used for authentication, allowing automatic enrollment. All components require mutual authentication and make use of encryption algorithms to guarantee data privacy. A threat model for the architecture is also presented, in order to analyse whether the possible threats were mitigated or whether further refinements are needed. The proposed solution solves the problem of patient mobility and data dispersion, empowering citizens to manage and collaborate in the creation and maintenance of their health information. The architecture allows open and secure collaboration, enabling the patient to have richer, up-to-date records and allowing the emergence of new ways to create and use clinical or complementary information.

    Since their early adoption, Electronic Health Records (EHR) have been evolving to cope with increasing requirements from institutions, professionals and, more recently, from patients. Citizens became more involved, demanding successively more control over their records and an active role in their content. Mobility also brought new requirements: data became scattered over heterogeneous systems and formats, with increasing difficulties in data sharing between distinct providers. To cope with these challenges several solutions appeared, mostly based on service level agreements between entities, regions and countries. They usually required defining complex federated scenarios and left the patient outside the process. More recent approaches, such as personal health records (PHR), enable patient control, although they raise clinical integrity doubts for other actors, such as physicians. Also, information security risk increases as data travels outside controlled networks and systems. To overcome this, new solutions are needed to facilitate trustable collaboration between the diverse actors and systems. In this thesis we present a solution that enables a secure and open collaboration between all healthcare actors. It is based on a service-oriented architecture that deals with the clinical data using a closed envelope concept. The architecture was modeled with minimal functionality and privileges, bearing in mind strong protection of data during transmission, processing and storing. The access control is made through patient policies, and authentication uses electronic identification cards or similar certificates, enabling auto-enrollment. All the components require mutual authentication and use ciphering mechanisms to assure privacy. We also present a threat model to verify, through our solution, if possible threats were mitigated or if further refinement is needed. The proposed solution solves the problem of patient mobility and data dispersion, and empowers citizens to manage and collaborate in their personal healthcare information. It also permits open and secure collaboration, enabling the patient to have richer and up-to-date records that can foster new ways to generate and use clinical or complementary information.