STRENGTHENING PRIVACY AND CONFIDENTIALITY PROTECTION FOR ELECTRONIC HEALTH RECORDS
Michael Czapski, SeeBeyond Pty. Ltd
[email protected]
Robert Steele, University of Technology, Sydney
[email protected]
ABSTRACT
Inappropriate disclosure and use of personal health information could have severe adverse consequences for the individual to whom it pertains, but non-disclosure could adversely affect other individuals or the society. In Australia efforts are under way to develop legislation that will address the protection of confidential health information. Development of large-scale health information repositories, intended to facilitate access to health information to many more parties than was previously possible, makes the issue of consent enforcement and access control more urgent than ever. Literature suggests that the majority of security threats arise out of insider activities. It is proposed to develop a confidentiality protection framework that will ensure personal, identifiable health information is only disclosed by consent or under circumstances prescribed by law, and that all access to that information is audited. The framework, based on encryption of health information at the time of collection, and decryption at the time of authorised use, provides a number of advantages over the traditional, enterprise-centric protection model.
KEYWORDS
Electronic health records, security, privacy, encryption
1. Introduction
Although not without controversy [1, 2], privacy is considered an important civil right [3, 4] and personal information warrants protection through legislation [5]. As personal health information is considered the most sensitive kind of personal information [6], its protection is very important, particularly in the context of the emerging Electronic Health Records systems (EHRs).
EHRs have the potential for privacy and confidentiality breaches of a previously unseen severity. To gain the benefits of EHRs while minimising the risks requires both legislative and technological safeguards.
Current protection measures are inadequate. Existing systems employ standards and technologies that are based on the traditional, enterprise-centric security model that is not sufficient to address the issues posed by the EHRs. These issues are of immediate relevance to Australia-specific initiatives already under way, such as the HealthConnect [7] and the Health e-link [8] initiatives, both of which have been criticized for relying on legislation without providing adequate technical measures [9-12].
This paper outlines the issues arising out of the implementation of EHRs and perceived threats to confidentiality of health information. It further proposes a confidentiality protection framework that would mitigate those threats and discusses its strengths and weaknesses.
2. Ethical and Legal Context
The notion of protecting confidentiality of health information is reputed to go back to 460 B.C. with the Hippocratic Oath containing an explicit passage to that effect [13].
It is expected that personal health information, shared in confidence with health workers, will remain confidential [14, 15].
Inappropriate disclosure of confidential health information can lead to long-term adverse psychological, social or financial consequences for the affected individuals. These range from embarrassment, through discrimination, threat of violence or death, to unwillingness to undergo medical treatment for fear of disclosure [16].
Disclosure of personal health information about one individual may affect other individuals. For example, advances in genetic typing and research into hereditary diseases, coupled with inappropriate use of genetic information, may affect not just the individual to whom the information pertains but also their relatives. At the same time, lack of critical information, for example about allergies or communicable diseases, at critical times, may lead to adverse consequences for the individual or the society.
Much legislative work was undertaken in recent years, both in Australia [6, 17-21] and abroad [21, 22], to establish legal frameworks for protection of personal health information. Both voluntary regulation [12] and the legislation currently in force in Australia are fragmented, differ from state to state and are considered inadequate [21, 23]. The draft National Health Privacy Code [17] is not yet a law. Its proposed provisions are already controversial [19] with some interest groups, most notably the Australian Medical Association [24], considering it too restrictive in some areas whilst not restrictive enough in others.
3. Related Work
There is evidence of a number of efforts to standardise electronic health records [25-27], ensure secure transmission of health records [28, 29], implement electronic health record repositories [21] and implement linkages between records from different sources [12].
The essential relationship between electronic health information, privacy and legal protection frameworks is exemplified by the United States' Health Insurance Portability and Accountability Act (HIPAA) and its explicit health information privacy protection provisions [22, 30].
In Australia, under the umbrella of the federal government's HealthConnect initiative, a number of electronic health records trials are under way in Queensland, Tasmania and New South Wales [8, 16, 31]. Electronic Health Records systems are considered by their proponents as essential to improving health care [21, 31, 32].
4. Privacy and Confidentiality Threats
Whilst storage of and access to records held by the Australian EHRs are subject to consent, and research into implementing consent systems has been undertaken in conjunction with these initiatives [14], issues such as, for example, transfer of ownership of records between parties are raising concerns [33].
Privacy risks posed by the proposed national EHRs are seen as severe [10] and the purported benefits, it is suggested, are lesser to patients than to other parties [16, 23, 34].
Literature suggests [35-37] that the majority of security threats arise out of insider activities. Numerous individuals, other than the information subjects and health workers, can access patient information, potentially bypassing audit and access control provisions of the systems that hold and purport to control access to those records [9].
Significant advantages that can be derived by numerous parties, including governments and private sector organisations, from access to personal, identifiable health information, make those parties seek to gain access, not always by lawful means.
5. Issues
Personal health information about identifiable individuals is considerably different from other confidential information and must be treated differently.
Although owner-controlled information schemes were proposed and discussed [32, 38], most information about individuals is collected and stored in information systems not under the control of the information subject.
With some notable exceptions [39], confidentiality provisions of information systems [37, 40-42], including the HealthConnect [7] and the Health e-link [8], are based on the traditional, enterprise-centric model of ownership and control [9, 43] where a single enterprise is the collector, the owner and the custodian of a collection of information. This model largely pre-determines data quality, system security and access control thinking, design and implementation.
Some of the implied assumptions, for example that information is collected within the organisation directly from individuals for internal organisational use, are challenged by the new electronic health record systems, that both call for routine transfer of patient information between General Practitioners, Hospitals and other healthcare settings, and for implementation of large-scale repositories, storing personal health information collected elsewhere. Confidentiality protection challenges of those systems suggest that a totally new approach must be developed.
Security measures must be an integral part of information systems and must address known and expected security threats and exposures [9, 11, 15, 37]. Personal health information is typically collected as part of an encounter between the patient and the healthcare professional, by consent, and in confidence. With large volumes of data now held electronically it is however reasonably easy to mass duplicate records without detection if security and audit mechanisms are bypassed.
In addition to people involved in collecting and recording information and those who use it in the course of interaction with the subject, a great many other individuals may have access to confidential information, with, or without, explicit authorisation.
Even though the custodian enterprise may implement standards-compliant security policies [43], ensure that information is transmitted over secure channels [7, 8, 44], and do all that current best practices dictate, there still are individuals, who have no relationship to the information subject, who have access to information about them.
Mass record storage systems, mandated by the HealthConnect and similar initiatives, intended to facilitate access by many parties who have not previously had access, further weaken the protection assumed to exist when individuals agree to disclose their personal health information in confidence.
Whilst a number of standards and standards-based technologies have been applied to various areas of the problem domain [40-42, 44], and research has been conducted into confidentiality infrastructure [14, 45], there is no evidence of an effort to develop a comprehensive confidentiality protection framework.
6. Proposed Confidentiality Framework
6.1 Requirements
The following requirements should be recognized:
• apart from the need for health workers to access information about an identifiable individual during the course of interaction with those individuals, there is no need for that information to be viewable in a human-readable form.
• technology measures must back up the legislative provisions [14, 24].
• methods exist whereby information about identifiable individuals can be presented in a way such that it is still useable for research and statistical purposes but that it cannot be directly used to identify the individual.
• aggregated and de-identified information can be made available for research and statistical purposes [15, 39, 45-47].
It is suggested that
• access to confidential health information should only be granted to those who have a patient-carer relationship with the subject and in relation to that relationship, or those who must have access under the law.
• under no circumstances should confidential health information be able to be viewed without consent or authorisation, and without a secure audit trail.
• only a system that implements active measures to make it impossible to view protected information will satisfy the requirements and assist in enforcing health information privacy legislation.
6.2 Confidentiality Framework
It is proposed that a framework, based on encryption of stored records, combined with access audit mechanisms, would prevent accidental or deliberate disclosure and would facilitate prosecution of violators. To be practical, the framework must be built upon proven, effective technologies and must not impose excessive overheads.
Encrypting information at the point of capture and decrypting it at the point of use will satisfy the primary purpose of personal health information without exposing it to inappropriate disclosure.
The framework relies on a number of underlying concepts and infrastructure components described below.
Health Information Classification Hierarchy allows labelling of different parts of the record according to the sensitivity of the information they contain, clinical discipline, classes of health care workers that typically require access or the need to allow the subject to explicitly grant or deny access. Certain parts of the record would be labelled as 'mental health', 'sexual health', 'administrative' information or 'grant access to hospital care team'. Certain classifications would imply other classifications, for example mental health information would be a specialisation of general clinical information, allowing, for example, access granted to a specialised classification to also grant access to its superclass.
Accessor Classification Hierarchy places each potential accessor into one or more groups that can be granted or denied access to specific parts of the record according to the information classification hierarchy labels.
Consent Hierarchy allows the information subject to allow or deny access to specific parts of the record according to information sensitivity, clinical discipline, event type, for example hospitalisation, or any combination of the Health Information Classification Hierarchy labels.
Each record would be represented as an XML Instance Document [49], structured according to the Health Information Classification Hierarchy.
Specific parts of the record would be encrypted using techniques of the XML Encryption Specification [48] such that parts of the most confidential nature would be encrypted individually, possibly with different keys according to the classification labels, less critical parts would be encrypted independently, possibly causing superencryption of some parts, and finally the entire record, with some parts not yet encrypted, would be encrypted in its entirety. This process would take place at the point of record creation and would result in creation of an encrypted record, creation of a record entry in the global record index and the creation of a default consent entry in the global consent store.
Each record would be identified by a globally unique ID to facilitate, in conjunction with the hierarchy labels, location of appropriate encryption keys.
Encryption keys, accessor enrolment details, subject consent grants and the access requests audit trail would be held independently of the encrypted records, and would be administered by one or more organisations established for the purpose.
Access to information contained in encrypted records would involve location and retrieval of the records, request for access, verification of requestor identity, verification of access grant, creation of an audit trail, retrieval of decryption keys and finally decryption of the appropriate parts of the record for viewing.
The supporting technology infrastructure would, at minimum, include a global, possibly federated, record index, participant register, consent store, encryption key store and audit trail store, each of which could, if desired, be independent, possibly administered by a different organisation. This infrastructure would be deployed at the national level, or at minimum, at the level of a state, a region or a province.
As it is encrypted, the health record could be stored anywhere, and replicated, and transferred, with no concern for confidentiality.
The use of current common cryptographic algorithms, standards and technologies would satisfy the conditions of proven technology and minimal impact.
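As an added illustration of the record creation and access steps described above (example code written for this page, not code from the paper or from any HealthConnect system), the following Go program encrypts each labelled part of an XML instance document under a per-label key, superencrypts the whole document under a record key, and at access time checks enrolment and consent, writes an audit entry, and releases keys only for the granted parts. AES-256-GCM stands in for the XML Encryption Specification's processing; the label path convention ("clinical/mental-health" specialises "clinical"), the in-memory key, consent and participant stores, and the shape of the `EncryptedData` element are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"strings"
)

// One labelled, individually encrypted part of the XML instance document (assumed element shape).
type EncryptedPart struct {
	Label  string `xml:"Label,attr"` // classification path, e.g. "clinical/mental-health"
	Cipher string `xml:",chardata"`  // base64(nonce || AES-256-GCM ciphertext)
}

type HealthRecord struct {
	Parts []EncryptedPart `xml:"EncryptedData"`
}

// KeyStore: one AES-256-GCM key per label plus one per record envelope, held apart from the records.
type KeyStore map[string]cipher.AEAD

func (ks KeyStore) key(label string) cipher.AEAD {
	if _, ok := ks[label]; !ok {
		k := make([]byte, 32)
		rand.Read(k) // crypto/rand.Read never returns an error in current Go releases
		block, _ := aes.NewCipher(k) // errors are impossible for a 32-byte key
		ks[label], _ = cipher.NewGCM(block)
	}
	return ks[label]
}

// seal binds record ID and label to the ciphertext as AAD: a part moved to another record or relabelled fails to open.
func seal(g cipher.AEAD, plaintext, aad string) string {
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return base64.StdEncoding.EncodeToString(g.Seal(nonce, nonce, []byte(plaintext), []byte(aad)))
}

func open(g cipher.AEAD, b64, aad string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(ct) < g.NonceSize() {
		return "", fmt.Errorf("malformed ciphertext")
	}
	pt, err := g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], []byte(aad))
	return string(pt), err // non-nil err: wrong key, wrong record/label, or tampering
}

// CreateRecord encrypts each part under its label key, then the whole XML document under the record key.
func CreateRecord(ks KeyStore, id string, parts map[string]string) string {
	var rec HealthRecord
	for label, fragment := range parts {
		rec.Parts = append(rec.Parts, EncryptedPart{Label: label, Cipher: seal(ks.key(label), fragment, id+"|"+label)})
	}
	doc, _ := xml.Marshal(rec)
	return seal(ks.key("record:"+id), string(doc), id) // superencryption of the already encrypted parts
}

// granted applies the paper's rule: a grant on a specialised label also grants its superclass.
func granted(grants []string, label string) bool {
	for _, g := range grants {
		if g == label || strings.HasPrefix(g, label+"/") { // "clinical/mental-health" also covers "clinical"
			return true
		}
	}
	return false
}

// AccessRecord: verify enrolment (accessor -> group), look up consent (record -> group -> labels),
// audit the request, then release keys for, and decrypt, only the granted parts.
func AccessRecord(ks KeyStore, consent map[string]map[string][]string, register map[string]string, audit *[]string, stored, id, accessor string) (map[string]string, error) {
	group, enrolled := register[accessor]
	grants := consent[id][group] // nil for unknown accessors or groups without consent
	*audit = append(*audit, fmt.Sprintf("%s group=%q record=%s grants=%v", accessor, group, id, grants))
	if !enrolled {
		return nil, fmt.Errorf("accessor %s not enrolled", accessor)
	}
	var rec HealthRecord
	doc, err := open(ks.key("record:"+id), stored, id)
	if err == nil {
		err = xml.Unmarshal([]byte(doc), &rec)
	}
	if err != nil {
		return nil, err
	}
	view := map[string]string{}
	for _, p := range rec.Parts {
		if !granted(grants, p.Label) {
			continue // no key released: the part stays opaque to this accessor
		}
		if view[p.Label], err = open(ks.key(p.Label), p.Cipher, id+"|"+p.Label); err != nil {
			return nil, err
		}
	}
	return view, nil
}
```

AccessRecord returns only the decrypted parts the consent store allows for the accessor's group and appends one audit line per request, whether served or refused.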
6.3 Advantages
The framework would address all the major issues associated with the electronic health record systems. Encryption will eliminate the possibility of casual disclosure and undetected data alteration. All access would be audited, and consent strictly enforced. Large volume data storage management, including replication, distribution and facility management outsourcing, could be implemented with a view to attaining the greatest efficiency and cost-effectiveness. Subsets of records could be distributed on compact disk, or similar media, to reduce demand for network bandwidth and expedite access.
6.4 Disadvantages
Encryption of health records would introduce issues not previously encountered. Most notably, complexity of applications used to view patient information would be increased. The application would need to contain the necessary mechanism to decrypt the data and validate its integrity.
It would be impossible to update old records - new records would need to be created with additional or changed information.
Separate infrastructure for research would have to be established and data would have to be specially prepared for inclusion in research stores, perhaps using pseudonymity and anonymity techniques and methods described in [39, 45, 46] and elsewhere.
7. Conclusions
The legal framework for protection of confidential health information must be backed up by technological solutions that would implement appropriate protection measures.
Implementation of electronic health records systems, facilitating access to personal, identifiable health information to many more parties than previously possible, makes the requirement for implementation of adequate confidentiality protection, consent, access control and audit mechanisms an urgent issue.
The confidentiality protection framework proposed in this paper will ensure that confidential health information can only be viewed by consent, with authorisation or in circumstances prescribed by law, and that a complete audit trail is maintained.
Encrypting patient records at the point where they enter the electronic patient records systems, transmitting and storing these records in an encrypted form, and performing decryption only at the time and at the point of authorised use, will eliminate the possibility of casual disclosure.
Separating large volume data storage from storage and management of authorisation, consent and encryption keys will facilitate storage design that optimises cost and efficiency.
Of themselves, none of the concepts that form the framework are entirely new. The systematic assembly of those concepts into a comprehensive health information confidentiality framework is, we believe, what makes an important contribution to the field.
There are numerous technology applications, concepts and standards, both existing and yet to be developed, implied in the framework. An enormous amount of research has been, and remains to be, undertaken in many areas to make the health information confidentiality framework practical. We trust that the research will continue to turn this vision into reality.
References
[1] A. Mackenzie, "Politics of privacy, technologies of the political and the paradoxes of individuality", http://www.lancs.ac.uk/staff/mackenza/papers/privacy.pdf, Accessed: October 2004
[2] R. Clarke, "Introduction to Dataveillance and Information Privacy, and Definitions of Terms", http://www.anu.edu.au/people/Roger.Clarke/DV/Intro.html, Accessed: October 2004
[3] G. J. Walters, "Privacy and security: an ethical analysis," SIGCAS Comput. Soc., vol. 31, pp. 8-23, 2001.
[4] B. Phillips, "The Newest and Oldest Human Right", http://www.stthomasu.ca/~ahrc/phillips.html, Accessed:
[5] "Privacy and the Public Sector - Government", http://www.pri
[10] Anonymous, "AMA Warning on Single National Health Database", http://www.ama.com.au/web.nsf/doc/WEEN-5G1345N, Accessed: October 2004
[11] Federal Privacy Commissioner, "HealthConnect Systems Architecture Interim Research Report and Draft Submission", http://www.privacy.gov.au/publications/healthcsub04.pdf, Accessed: January 2004
[12] Anonymous, "Panacea or Placebo? Linked Electronic Health Records and Improvements in Health Outcomes," NSW Ministerial Advisory Committee on Privacy and Health Information, 2000.
[13] "Hippocratic Oath: Classical Version", http://www.pbs.org/wgbh/nova/doctors/oath_classical.html, Accessed: October 2004
[14] "Electronic Consent Research - Summary of Final Reports", http://www7.health.gov.au/hsdd/primcare/it/docs/ecofinal.doc, Accessed: October 2004
[15] P. Armstrong, "Electronic Health Records: Privacy as an essential building block," speech at the AFR 5th Health Congress, Sydney, 2003.
[16] R. Clarke, "Research Challenges in Emergent e-Health Technologies", http://www.anu.edu.au/people/Roger.Clarke/EC/eHlthRes.html, Accessed: October 2004
[17] "Proposed National Health Privacy Code", http://www.health.gov.au/pubs/pdf/code.pdf, Accessed: August 2004
[18] "Guidelines on Privacy in the Private Health Sector", http://www.privacy.gov.au/publications/hg_01.html, Accessed: August 2004
[19] "Report on public submissions in relation to draft National Health Privacy Code", http://www.health.gov.au/pubs/pdf/report.pdf, Accessed: August 2004
[20] "Health Guidelines", http://www.privacy.gov.au/health/guidelines/index.html, Accessed: August 2004
[21] A. Cornwall, "Electronic Health Records: An International Perspective," Health Issues Journal, Health Issues Centre Inc., La Trobe University, 2002.
[22] Anonymous, "Summary of the HIPAA Privacy Rule", http://www.hhs.gov/ocr/privacysummary.pdf, Accessed:
[23] L. Beazley, "The Draft National Health Privacy Code", http://www.aar.com.au/pubs/bio/fohfeb03.htm, Accessed: October 2004
[24] "AMA submission on draft National Health Privacy Code", http://www.ama.com.au/web.nsf/doc/WEEN-5M46'W, Accessed: October 2004
[25] O. J. Batt, "The Electronic Health Record - Standardization and Implementation", http://www.gpcg.org/databases/projectprint.asp?ID=25, Accessed: October 2004
[26] G. Paterson, M. Shepherd, X. Wang, C. Watters, and D. Zitner, "Using the XML-Based Clinical Document Architecture for Exchange of Structured Discharge Summaries," in Proceedings of the 35th Annual Hawaii International Conference on System Sciences (HICSS'02), Volume 4, 2002.
[27] "Development of an XML Version of the HL7 Discharge and Referral Message (GPCG Project #23) Final Report", http://www.gpcg.org/publications/docs/projects/001_GPCG_Project23_01.PDF, Accessed:
[28] S. Auton, B. Blobel, K. Engel, P. Humenn, M. Kratz, M. Nolte, P. Pharow, G. Schadow, G. Seppala, V. Spiegel, M. Tucker, S. Wagner, and W. Wilson, "Health Level Seven Security Services Framework," HL7 Secure Transactions Special Interest Group, HL7 Organisation, 1998.
[29] B. Blobel, V. Spiegel, P. Pharow, K. Engel, and R. Krohn, "Standard Guide for Implementing EDI (HL7) Communication Security," Otto-von-Guericke University Magdeburg, 1999.
[30] D. Baumer, J. B. Earp, and F. C. Payton, "Privacy of medical records: IT implications of HIPAA," SIGCAS Comput. Soc., vol. 30, pp. 40-47, 2000.
[31] "A NSW Health Strategy for the Electronic Health Record: Government's Action Plan for Health", http://www.health.nsw.gov.au/im/ibs/ehr/documents/ehr_strategy_detailed.pdf, Accessed: August 2004
[32] R. Clarke, "Human Identification in Information Systems: Management Challenges and Public Policy Issues", http://www.anu.edu.au/people/Roger.Clarke/DV/HumanID.html, Accessed: October 2004
[33] K. Dearne, "Prescribing a privacy cure", http://www.consensus.com.au/ITWritersAwards/ITWarchive/ITWentries02/15KarenDearne.htm, Accessed: October 2004
[34] M. Carter, "Integrated electronic health records and patient privacy: possible benefits but real dangers", http://www.mja.com.au/public/issues/172_01_030100/carter/carter.html, Accessed:
[35] P. A. Miller, "Privacy in Cyberspace, with Prof. Arthur Miller: Medical Records", http://cyber.law.harvard.edu/privacy99/k,st1Il8.html, Accessed: October 2004
[36] R. G. Smith, "Telemedicine and crime", http://www.aic.gov.au/publications/tandi/ti69.pdf, Accessed:
[37] T. Huston, "Security issues for implementation of e-medical records," Commun. ACM, vol. 44, pp. 89-94, 2001.
[38] C. Gates and J. Slonim, "Owner-controlled Information," in Proceedings of the 2003 Workshop on New Security Paradigms, 2003.
[39] A. Rector, "Clinical e-Science Framework: A New MRC-Funded Interdisciplinary Project," Biomedical Informatics Today, Newsletter of the British Medical Informatics Society, 2002.
[40] M. Jurecic and H. Bunz, "Exchange of patient records - prototype implementation of a security attributes service in X.500," in Proceedings of the 2nd ACM Conference on Computer and Communications Security, 1994.
[41] B. Blobel, "Onconet: A Secure Infrastructure to Improve Cancer Patients' Care," European Journal of Medical Research, vol. 5, pp. 360-368, 2000.
[42] J. Halamka, P. Szolovits, and D. Rind, "A WWW Implementation of National Recommendations for Protecting Electronic Health Information," J Am Med Inform Assoc, vol. 4, pp. 458-464, 1997.
[43] "ISO/IEC 17799:2000 Information technology - Code of practice for information security management," ISO/IEC 17799:2000, 2000.
[44] "Health Level Seven - Secure HL7 Transactions using Internet Mail," Health Level Seven Inc., 1999.
[45] Anonymous, "CLEF - integrating information for the clinical e-Scientist", http://www.clinical-escience.org/start.html, Accessed: October 2004
[46] R. Clarke, "Identification, Anonymity and Pseudonymity in Consumer Transactions: A Vital Systems Design and Public Policy Issue", http://www.anu.edu.au/people/Roger.Clarke/DV/AnonPsPol.html, Accessed:
[47] "Health informatics - Anonymity user requirements for trusted anonymisation facilities", http://www.centc251.org/TCMeet/doclist/TCdoc00/N00-013.pdf, Accessed:
[48] T. Imamura, B. Dillaway, and E. Simon, "XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002", W3C XML Encryption Working Group, World Wide Web Consortium, Available: http://www.w3.org/TR/xmlenc-core/, Accessed: April 2005.
[49] eXtensible Markup Language (XML), World Wide Web Consortium, Available: http://www.w3.org/XML/.
Proceedings of the IASTED International Conference WEB TECHNOLOGIES, APPLICATIONS, AND SERVICES, July 4-6, 2005, Calgary, Alberta, Canada
STRENGTHENING PRIVACY AND CONFIDENTIALITY PROTECTIONFOR
ELECTRONIC HEALTH RECORDS
Michael CzapskiSeeBeyond Pty. Ltd
[email protected]
Robert SteeleUniversity of Technology, Sydney
[email protected]
ABSTRACTInappropriate disclosure and use of personal
healthinformation could have severe adverse consequences forthe
individual to whom it pertains, but non-disclosurecould adversely
affect other individuals or the society. InAustralia efforts are
under way to develop legislation thatwill address the protection of
confidential healthinformation. Development of large-scale
healthinformation repositories, intended to facilitate access
tohealth information to many more parties than waspreviously
possible, makes the issue of consentenforcement and access control
more urgent than ever.Literature suggests that the majority of
security threatsarise out of insider activities. It is proposed to
develop aconfidentiality protection framework that will
ensurepersonal, identifiable health information is only disclosedby
consent or under circumstances prescribed by law, andthat all
access to that information is audited. Theframework, based on
encryption of health information atthe time of collection, and
decryption at the time ofauthorised use, provides a number of
advantages over thetraditional, enterprise-centric protection
model.
KEYWORDSElectronic health records, security, privacy,
encryption
1. Introduction
Although not without controversy [I, 2], privacy isconsidered an
important civil right [3, 4] and personalinformation warrants
protection through legislation [5] ..As personal health information
is considered the mostsensitive kind of personal information [6],
its protectionis very important, particularly in the context of
theemerging Electronic Health Records systems (EHRs).
EHRs have the potential for privacy andconfidentiality breaches
of a previously unseen severity.To gain the benefits of EHRs while
minimising the risksrequires both legislative and technological
safeguards.
494-029
Current protection measures are inadequate. Existingsystems
employ standards and technologies that arebased on the traditional,
enterprise-centric security modelthat is not sufficient to address
the issues posed by theEHRs. These issues are of immediate
relevance toAustralia-specific initiatives already under way, such
asthe HealthConnect [7] and the Health e-link [8]initiatives, both
of which have been criticized for relyingon legislation without
providing adequate technicalmeasures [9-12].
This paper outlines the issues arising out of theimplementation
of EHRs and perceived threats toconfidentiality of health
information. It further proposesa confidentiality protection
framework that wouldmitigate those threats and discusses its
strengths andweaknesses.
2. Ethical and Legal Context
The notion of protecting confidentiality of healthinformation is
reputed to go back to 460 B.C. with theHippocratic Oath containing
an explicit passage to thateffect [13].
It is expected that personal health information, sharedin
confidence with health workers, will remainconfidential [14,
15].
Inappropriate disclosure of confidential healthinformation can
lead to long-term adverse psychological,social or financial
consequences for the affectedindividuals. These range from
embarrassment, throughdiscrimination, threat of violence or death,
tounwillingness to undergo medical treatment for fear ofdisclosure
[16].
Disclosure of personal health information about oneindividual
may affect other individuals. For exampleadvances in genetic typing
and research into hereditarydiseases, coupled with inappropriate
use of geneticinformation, may affect not just the individual to
whomthe information pertains but also their relatives. At thesame
time, lack of critical information, for example aboutallergies or
communicable diseases, at critical times, may
35
mailto:[email protected]:[email protected]
-
lead to adverse consequences for the individual or
thesociety,
Much legislative work was undertaken in recentyears, both in
Australia [6,17-21] and abroad [21, 22], toestablish legal
frameworks for protection of personalhealth information, Both
voluntary regulation [12] andthe legislation currently in force in
Australia arefragmented, differ from state to state and are
consideredinadequate [21, 23). The draft National Health
PrivacyCode [17] is not yet a law. Its proposed provisions
arealready controversial [19] with some interest groups,most
notably the Australian Medical Association [24],considering it too
restrictive in some areas whilst notrestrictive enough in
others.
3. Related Work
There is evidence of a number of efforts to
standardiseelectronic health records [25-27], ensure
securetransmission of health records [28, 29], implementelectronic
health record repositories [21] and implementlinkages between
records from different sources [12].
The essential relationship between the electronichealth
information, privacy and legal protectionframeworks is exemplified
by the United States' HealthPortability Accountability Act (HIPAA)
and its explicithealth information privacy protection provisions
[22, 30].
In Australia, under the umbrella of the federalgovernment's
HealthConnect initiative, a number ofelectronic health records
trials are underway inQueensland, Tasmania and New South Wales[8,
16,31).Electronic Health Records systems are considered by
theirproponents as essential to improving health care [21,
31,32],
4. Privacy and Confidentiality Threats
Whilst storage of and access to records held by the Australian EHRs are subject to consent, and research into implementing consent systems has been undertaken in conjunction with these initiatives [14], issues such as, for example, transfer of ownership of records between parties are raising concerns [33].
Privacy risks posed by the proposed national EHRs are seen as severe [10] and the purported benefits, it is suggested, are lesser to patients than to other parties [16, 23, 34].
Literature suggests [35-37] that the majority of security threats arise out of insider activities. Numerous individuals, other than the information subjects and health workers, can access patient information, potentially bypassing the audit and access control provisions of the systems that hold and purport to control access to those records [9].
The significant advantages that numerous parties, including governments and private sector organisations, can derive from access to personal, identifiable health information make those parties seek to gain access, not always by lawful means.
5. Issues
Personal health information about identifiable individuals is considerably different from other confidential information and must be treated differently.
Although owner-controlled information schemes were proposed and discussed [32, 38], most information about individuals is collected and stored in information systems not under the control of the information subject.
With some notable exceptions [39], confidentiality provisions of information systems [37, 40-42], including HealthConnect [7] and Health e-link [8], are based on the traditional, enterprise-centric model of ownership and control [9, 43] where a single enterprise is the collector, the owner and the custodian of a collection of information. This model largely pre-determines data quality, system security and access control thinking, design and implementation.
Some of the implied assumptions, for example that information is collected within the organisation directly from individuals for internal organisational use, are challenged by the new electronic health record systems, which both call for routine transfer of patient information between General Practitioners, hospitals and other healthcare settings, and for implementation of large-scale repositories storing personal health information collected elsewhere. The confidentiality protection challenges of those systems suggest that a totally new approach must be developed.
Security measures must be an integral part of information systems and must address known and expected security threats and exposures [9, 11, 15, 37]. Personal health information is typically collected as part of an encounter between the patient and the health care professional, by consent, and in confidence. With large volumes of data now held electronically it is, however, reasonably easy to mass duplicate records without detection if security and audit mechanisms are bypassed.
In addition to people involved in collecting and recording information and those who use it in the course of interaction with the subject, a great many other individuals may have access to confidential information, with or without explicit authorisation.
Even though the custodian enterprise may implement standards-compliant security policies [43], ensure that information is transmitted over secure channels [7, 8, 44], and do all that current best practices dictate, there still are individuals, who have no relationship to the information subject, who have access to information about them.
Mass record storage systems, mandated by HealthConnect and similar initiatives and intended to facilitate access by many parties who have not previously had access, further weaken the protection assumed to exist when individuals agree to disclose their personal health information in confidence.
Whilst a number of standards and standards-based technologies have been applied to various areas of the problem domain [40-42, 44], and research has been conducted into confidentiality infrastructure [14, 45], there is no evidence of an effort to develop a comprehensive confidentiality protection framework.
6. Proposed Confidentiality Framework
6.1 Requirements
The following requirements should be recognized:
• apart from the need for health workers to access information about an identifiable individual during the course of interaction with those individuals, there is no need for that information to be viewable in a human-readable form;
• technology measures must back up the legislative provisions [14, 24];
• methods exist whereby information about identifiable individuals can be presented in a way such that it is still useable for research and statistical purposes but cannot be directly used to identify the individual;
• aggregated and de-identified information can be made available for research and statistical purposes [15, 39, 45-47].
It is suggested that:
• access to confidential health information should only be granted to those who have a patient-carer relationship with the subject, and in relation to that relationship, or to those who must have access under the law;
• under no circumstances should confidential health information be able to be viewed without consent or authorisation, and without a secure audit trail;
• only a system that implements active measures to make it impossible to view protected information will satisfy the requirements and assist in enforcing health information privacy legislation.
6.2 Confidentiality Framework
It is proposed that a framework, based on encryption of stored records, combined with access audit mechanisms, would prevent accidental or deliberate disclosure and would facilitate prosecution of violators. To be practical, the framework must be built upon proven, effective technologies and must not impose excessive overheads.
Encrypting information at the point of capture and decrypting it at the point of use will satisfy the primary purpose of personal health information without exposing it to inappropriate disclosure.
The framework relies on a number of underlying concepts and infrastructure components described below.
Health Information Classification Hierarchy allows labelling of different parts of the record according to the sensitivity of the information they contain, the clinical discipline, the classes of health care workers that typically require access, or the need to allow the subject to explicitly grant or deny access. Certain parts of the record would be labelled as 'mental health', 'sexual health', 'administrative' information or 'grant access to hospital care team'. Certain classifications would imply other classifications; for example, mental health information would be a specialisation of general clinical information, allowing, for example, access granted to a specialised classification to also grant access to its superclass.
Accessor Classification Hierarchy places each potential accessor into one or more groups that can be granted or denied access to specific parts of the record according to the information classification hierarchy labels.
Consent Hierarchy allows the information subject to allow or deny access to specific parts of the record according to information sensitivity, clinical discipline, event type (for example hospitalisation), or any combination of the Health Information Classification Hierarchy labels.
Each record would be represented as an XML Instance Document [49], structured according to the Health Information Classification Hierarchy.
Specific parts of the record would be encrypted using techniques of the XML Encryption Specification [48] such that parts of the most confidential nature would be encrypted individually, possibly with different keys according to the classification labels; less critical parts would be encrypted independently, possibly causing superencryption of some parts; and finally the entire record, with some parts not yet encrypted, would be encrypted in its entirety. This process would take place at the point of record creation and would result in the creation of an encrypted record, the creation of a record entry in the global record index and the creation of a default consent entry in the global consent store.
Each record would be identified by a globally unique ID to facilitate, in conjunction with the hierarchy labels, location of the appropriate encryption keys.
Encryption keys, accessor enrolment details, subject consent grants and the access request audit trail would be held independently of the encrypted records, and would be administered by one or more organisations established for the purpose.
Access to information contained in encrypted records would involve location and retrieval of the records, a request for access, verification of requestor identity, verification of the access grant, creation of an audit trail entry, retrieval of decryption keys and finally decryption of the appropriate parts of the record for viewing.
The supporting technology infrastructure would, at minimum, include a global, possibly federated, record index, participant register, consent store, encryption key store and audit trail store, each of which could, if desired, be independent, possibly administered by a different organisation. This infrastructure would be deployed at the national level, or at minimum, at the level of a state, a region or a province.
As it is encrypted, the health record could be stored anywhere, and replicated, and transferred, with no concern for confidentiality.
The use of current common cryptographic algorithms, standards and technologies would satisfy the conditions of proven technology and minimal impact.
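As an added example (not the authors' code), a Python model of the access flow described in 6.2: one key per classification label, superencryption of the whole XML record, a consent check that honours the "specialised label implies its superclass" rule, and an audit entry on every request. The cipher is a constructed HMAC-SHA256 keystream with an integrity tag standing in for the XML Encryption AES profiles; the labels, store names and sample values are assumptions.

```python
"""Toy model of the paper's framework. Constructed example: the cipher is an
HMAC-SHA256 counter-mode keystream with encrypt-then-MAC, not XML Encryption."""
import hashlib
import hmac
import os
import uuid
import xml.etree.ElementTree as ET

# Health Information Classification Hierarchy: label -> superclass (constructed labels).
HIERARCHY = {"mental_health": "clinical", "sexual_health": "clinical",
             "clinical": None, "administrative": None}

# The stores the paper keeps apart from the records, modelled here as module-level dicts.
KEY_STORE, RECORD_INDEX, CONSENT_STORE, AUDIT_TRAIL = {}, {}, {}, []


def ancestors(label):
    """A label followed by every superclass it specialises: mental_health -> clinical."""
    chain = []
    while label:
        chain.append(label)
        label = HIERARCHY[label]
    return chain


def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def encrypt(key, data):
    """nonce || ciphertext || tag; the tag makes any alteration detectable."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("record integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def create_record(subject, sections):
    """Point-of-capture encryption. sections maps label -> plaintext part."""
    rid = str(uuid.uuid4())                       # globally unique record ID
    keys = {label: os.urandom(32) for label in sections}
    keys["record"] = os.urandom(32)               # outer key for the whole document
    root = ET.Element("record", id=rid, subject=subject)
    for label, text in sections.items():          # each part under its own label key
        ET.SubElement(root, "section", label=label).text = encrypt(keys[label], text.encode()).hex()
    blob = encrypt(keys["record"], ET.tostring(root))   # superencryption of the entire record
    KEY_STORE[rid], RECORD_INDEX[rid] = keys, subject
    CONSENT_STORE[rid] = {"care_team": ["clinical", "administrative"]}  # constructed default consent
    return rid, blob


def access(rid, blob, accessor, group, label):
    """Consent check, audit entry, then two-layer decryption of one part of the record."""
    grants = CONSENT_STORE[rid].get(group, [])
    # A grant on a specialised label (mental_health) also covers its superclass (clinical).
    granted = any(label in ancestors(g) for g in grants)
    AUDIT_TRAIL.append({"record": rid, "accessor": accessor, "label": label, "granted": granted})
    if not granted:
        raise PermissionError(f"{group} holds no consent grant covering {label}")
    keys = KEY_STORE[rid]
    root = ET.fromstring(decrypt(keys["record"], blob))     # outer layer
    part = root.find(f"section[@label='{label}']")
    if part is None:
        raise KeyError(f"record carries no {label} part")
    return decrypt(keys[label], bytes.fromhex(part.text)).decode()   # inner layer


if __name__ == "__main__":
    rid, blob = create_record("patient-001", {"clinical": "BP 120/80", "mental_health": "counselling notes"})
    print(access(rid, blob, "dr-a", "care_team", "clinical"), AUDIT_TRAIL)
```

Every request, granted or refused, lands in AUDIT_TRAIL before any key is touched, and a record whose outer blob has been altered fails the integrity check before any part is decrypted.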
6.3 Advantages
The framework would address all the major issues associated with electronic health record systems. Encryption will eliminate the possibility of casual disclosure and undetected data alteration. All access would be audited, and consent strictly enforced. Large volume data storage management, including replication, distribution and facility management outsourcing, could be implemented with a view to attaining the greatest efficiency and cost-effectiveness. Subsets of records could be distributed on compact disk, or similar media, to reduce demand for network bandwidth and expedite access.
6.4 Disadvantages
Encryption of health records would introduce issues not previously encountered. Most notably, the complexity of applications used to view patient information would be increased. The application would need to contain the necessary mechanism to decrypt the data and validate its integrity.
It would be impossible to update old records; new records would need to be created with additional or changed information.
Separate infrastructure for research would have to be established and data would have to be specially prepared for inclusion in research stores, perhaps using pseudonymity and anonymity techniques and methods described in [39, 45, 46] and elsewhere.
7. Conclusions
The legal framework for protection of confidential health information must be backed up by technological solutions that implement appropriate protection measures.
Implementation of electronic health records systems, facilitating access to personal, identifiable health information by many more parties than previously possible, makes the requirement for implementation of adequate confidentiality protection, consent, access control and audit mechanisms an urgent issue.
The confidentiality protection framework proposed in this paper will ensure that confidential health information can only be viewed by consent, with authorisation or in circumstances prescribed by law, and that a complete audit trail is maintained.
Encrypting patient records at the point where they enter the electronic patient records systems, transmitting and storing these records in an encrypted form, and performing decryption only at the time and at the point of authorised use, will eliminate the possibility of casual disclosure.
Separating large volume data storage from the storage and management of authorisation, consent and encryption keys will facilitate storage design that optimises cost and efficiency.
Of themselves, none of the concepts that form the framework are entirely new. The systematic assembly of those concepts into a comprehensive health information confidentiality framework is, we believe, what makes an important contribution to the field.
There are numerous technology applications, concepts and standards, both existing and yet to be developed, implied in the framework. An enormous amount of research is being, and has yet to be, undertaken in many areas to make the health information confidentiality framework practical. We trust that the research will continue to turn this vision into reality.
References
[1] A. Mackenzie, "Politics of privacy, technologies of the political and the paradoxes of individuality", http://www.lancs.ac.uk/staff/mackenza/papers/privacy.pdf, Accessed: October 2004.
[2] R. Clarke, "Introduction to Dataveillance and Information Privacy, and Definitions of Terms", http://www.anu.edu.au/people/Roger.Clarke/DV/Intro.html, Accessed: October 2004.
[3] G. J. Walters, "Privacy and security: an ethical analysis," SIGCAS Comput. Soc., vol. 31, pp. 8-23, 2001.
[4] B. Phillips, "The Newest and Oldest Human Right", http://www.stthomasu.ca/~ahrc/phillips.html, Accessed:
[5] "Privacy and the Public Sector - Government", http://www.privacy.gov.au/government/index.html, Accessed:
[6] "Australians Encouraged to Comment on New Health Privacy Safeguards", http://www.health.gov.au/internet/wcms/Publishing.nsf/Content/health-mediarel-yr2002-kp-kp0213-1.htm, Accessed: October 2004.
[7] "HealthConnect System Architecture," HealthConnect Program Office, Australian Government Department of Health and Ageing, 2003.
[8] "EHR*Net Refined Requirements and Architecture Report", www.health.nsw.gov.au/im/ibs/ehr/documents/refined requirements architecture v1.1 report.doc, Accessed: September 2002.
[9] M. Czapski, "A question of confidence, not a question of trust. Better data confidentiality protection is necessary," presented at HIC 2004, Brisbane, Australia, 2004.
[10] Anonymous, "AMA Warning on Single National Health Database", http://www.ama.com.au/web.nsf/doc/WEEN-5GB45N, Accessed: October 2004.
[11] "HealthConnect Systems Architecture Interim Research Report and Draft Submission", Federal Privacy Commissioner, http://www.privacy.gov.au/publications/healthcsub04.pdf, Accessed: January 2004.
[12] Anonymous, "Panacea or Placebo? - Linked Electronic Health Records and Improvements in Health Outcomes," NSW Ministerial Advisory Committee on Privacy and Health Information, 2000.
[13] "Hippocratic Oath Classical Version", http://www.pbs.org/wgbh/nova/doctors/oath_classical.html, Accessed: October 2004.
[14] "Electronic Consent Research - Summary of Final Reports", http://www7.health.gov.au/hsdd/primcare/it/docs/ecofinal.doc, Accessed: October 2004.
[15] P. Armstrong, "Electronic Health Records: Privacy as an essential building block," speech at the AFR 5th Health Congress, Sydney, 2003.
[16] R. Clarke, "Research Challenges in Emergent e-Health Technologies", http://www.anu.edu.au/people/Roger.Clarke/EC/eHlthRes.html, Accessed: October 2004.
[17] "Proposed National Health Privacy Code", hltp:!/www.hcalth.!!Ov.au pub,pdrcodc.pdt, Accessed: August 2004.
[18] "Guidelines on Privacy in the Private Health Sector", http://www.privacy.gov.au/publications/hg_01.html, Accessed: August 2004.
[19] "Report on public submissions in relation to draft National Health Privacy Code", http:i\vww.health.\!oy.au.pubs,'pdhep0l1.pdL, Accessed: August 2004.
[20] "Health Guidelines", http://www.privacy.gov.au/health/guidelines/index.html, Accessed: August 2004.
[21] A. Cornwall, "Electronic Health Records: An International Perspective," Health Issues Journal, Health Issues Centre Inc., La Trobe University, 2002.
[22] Anonymous, "Summary of the HIPAA Privacy Rule", http://www.hhs.gov/ocr/privacysummary.pdf, Accessed:
[23] L. Beazley, "The Draft National Health Privacy Code", http://www.aar.com.au/pubs.'L1io·fohfeb03.htm, Accessed: October 2004.
[24] "AMA submission on draft National Health Privacy Code", http://www.ama.com.au/web.nsf/doc/WEEN-••M462W, Accessed: October 2004.
[25] O. J. Bott, "'The' Electronic Health Record - Standardization and Implementation", http://www.gpcg.org/databases/projectprint.asp?ID=152, Accessed: October 2004.
[26] G. Paterson, M. Shepherd, X. Wang, C. Watters, and D. Zitner, "Using the XML-Based Clinical Document Architecture for Exchange of Structured Discharge Summaries," presented at Proceedings of the 35th Annual Hawaii International Conference on System Sciences (HICSS'02) - Volume 4, 2002.
[27] "Development of an XML Version of the HL7 Discharge and Referral Message (GPCG Project #23) Final Report", http://www.gpcg.org/publications/docs/projects2001/GPCG Project23 OJ.PDF, Accessed:
[28] S. Auton, B. Blobel, K. Engel, P. Humenn, M. Kratz, M. Nolte, P. Pharow, G. Schadow, G. Seppala, V. Spiegel, M. Tucker, S. Wagner, and W. Wilson, "Health Level Seven Security Services Framework," HL7 Secure Transactions Special Interest Group - HL7 Organisation, 1998.
[29] B. Blobel, V. Spiegel, P. Pharow, K. Ngel, and R. Krohn, "Standard Guide for Implementing EDI (HL7) Communication Security," Otto-von-Guericke University Magdeburg, 1999.
[30] D. Baumer, J. B. Earp, and F. C. Payton, "Privacy of medical records: IT implications of HIPAA," SIGCAS Comput. Soc., vol. 30, pp. 40-47, 2000.
[31] "A NSW Health Strategy for the Electronic Health Record - Government's Action Plan for Health", www.health.nsw.gov.au/im/ibs/ehr/documents/ehr strategy detailed.pdf, Accessed: August 2004.
[32] R. Clarke, "Human Identification in Information Systems: Management Challenges and Public Policy Issues", http://www.anu.edu.au/people/Roger.Clarke/DV/HumanID.html, Accessed: October 2004.
[33] K. Dearne, "Prescribing a privacy cure", http://www.consensus.com.au/ITWritersAwards/ITWarchive/ITWentries02/15KarenDearne.htm, Accessed: October 2004.
[34] M. Carter, "Integrated electronic health records and patient privacy: possible benefits but real dangers", http://www.mja.com.au/public/issues/172_01_030100/carter/carter.html, Accessed:
[35] P. A. Miller, "Privacy in Cyberspace, with Prof. Arthur Miller - Medical Records", http://cyber.law.harvard.edu/privacy99/lesson8.html, Accessed: October 2004.
[36] R. G. Smith, "Telemedicine and crime", http://www.aic.gov.au/publications/tandi/ti69.pdf, Accessed:
[37] T. Huston, "Security issues for implementation of e-medical records," Commun. ACM, vol. 44, pp. 89-94, 2001.
[38] C. Gates and J. Slonim, "Owner-controlled information," presented at Proceedings of the 2003 Workshop on New Security Paradigms, 2003.
[39] A. Rector, "Clinical e-Science Framework: A New MRC-Funded Interdisciplinary Project," Biomedical Informatics Today - Newsletter of the British Medical Informatics Society, 2002.
[40] M. Jurecic and H. Bunz, "Exchange of patient records - prototype implementation of a security attributes service in X.500," presented at Proceedings of the 2nd ACM Conference on Computer and Communications Security, 1994.
[41] B. Blobel, "Onconet: A Secure Infrastructure to Improve Cancer Patients' Care," European Journal of Medical Research, vol. 5, pp. 360-368, 2000.
[42] J. Halamka, P. Szolovits, and D. Rind, "A WWW Implementation of National Recommendations for Protecting Electronic Health Information," J Am Med Inform Assoc, vol. 4, pp. 458-464, 1997.
[43] "ISO/IEC 17799:2000 Information technology - Code of practice for information security management," ISO/IEC 17799:2000, 2000.
[44] "Health Level Seven - Secure HL7 Transactions using Internet Mail," Health Level Seven Inc., 1999.
[45] Anonymous, "CLEF - integrating information for the clinical e-Scientist", http://www.clinical-escience.org/start.html, Accessed: October 2004.
[46] R. Clarke, "Identification, Anonymity and Pseudonymity in Consumer Transactions: A Vital Systems Design and Public Policy Issue", http://www.anu.edu.au/people/Roger.Clarke/DV/AnonPsPol.html, Accessed:
[47] "Health informatics - Anonymity user requirements for trusted anonymisation facilities", http://www.centc251.org/TCMeet/doclist/TCdoc00/N00-013.pdf, Accessed:
[48] T. Imamura, B. Dillaway, and E. Simon, "XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002", W3C XML Encryption Working Group, World Wide Web Consortium. Available: http://www.w3.org/TR/xmlenc-core/, Accessed: April 2005.
[49] eXtensible Markup Language (XML), World Wide Web Consortium. Available: http://www.w3.org/XML/.
[Proceedings listing] Web Technologies, Applications, and Services - WTAS 2005 - Proceedings, 7/4/2005 - 7/6/2005, Calgary, Alberta, Canada. Editor(s): M.H. Hamza. 210 pages. ISBN: 0-88986-483-7; ISBN (CD): 0-88986-485-3. ACTA Press, http://www.actapress.com/Content_of_Proceeding.aspx?proceedingID=310, 19/04/2006.