Safeguarding health data with enhanced accountability and patient awareness

Abstract

Several factors are driving the transition from paper-based health records to electronic health record systems. In the United States, the adoption rate of electronic health record systems significantly increased after "Meaningful Use" incentive program was started in 2009. While increased use of electronic health record systems could improve the efficiency and quality of healthcare services, it can also lead to a number of security and privacy issues, such as identity theft and healthcare fraud. Such incidents could have negative impact on trustworthiness of electronic health record technology itself and thereby could limit its benefits. In this dissertation, we tackle three challenges that we believe are important to improve the security and privacy in electronic health record systems. Our approach is based on an analysis of real-world incidents, namely theft and misuse of patient identity, unauthorized usage and update of electronic health records, and threats from insiders in healthcare organizations. Our contributions include design and development of a user-centric monitoring agent system that works on behalf of a patient (i.e., an end user) and securely monitors usage of the patient's identity credentials as well as access to her electronic health records. Such a monitoring agent can enhance patient's awareness and control and improve accountability for health records even in a distributed, multi-domain environment, which is typical in an e-healthcare setting. This will reduce the risk and loss caused by misuse of stolen data. In addition to the solution from a patient's perspective, we also propose a secure system architecture that can be used in healthcare organizations to enable robust auditing and management over client devices. This helps us further enhance patients' confidence in secure use of their health data.