Information Systems Frontiers, Volume 14, Issue 1, pp. 87–104

Protecting privacy during peer-to-peer exchange of medical documents

  • Jens H. Weber-Jahnke
  • Christina Obry


Privacy is an important aspect of interoperable medical information systems. Governments and health care organizations have established privacy policies to prevent abuse of personal health data. These policies often require organizations to obtain patient consent prior to exchanging personal information with other interoperable systems. The consents are defined in the form of so-called disclosure directives. However, policies are often not precise enough to address all possible eventualities and exceptions. Unanticipated priorities and other care contexts may cause conflicts between a patient's disclosure directives and the need to receive treatment from informed caregivers. It is commonly agreed that in these situations patient safety takes precedence over information privacy. Therefore, caregivers are typically given the ability to override the patient's disclosure directives to protect patient safety. These overrides must be logged and are subject to privacy audits to prevent abuse. Centralized "shared health record" (SHR) infrastructures include consent management systems that enact the above functionality. However, consent management mechanisms do not extend to information systems that exchange clinical information on a peer-to-peer basis, e.g., by secure messaging. Our article addresses this gap by presenting a consent management mechanism for peer-to-peer interoperable systems. The mechanism restricts access to sensitive medical data based on defined consent directives, but also allows overriding the policies when needed. The overriding process is monitored and audited in order to prevent misuse. The mechanism has been implemented in an open source project called CDAShip and has been made available on SourceForge.
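The consent gate and audited override described in the abstract, as an added example written for this page (it is not code from the article or from the CDAShip project): a request to send sections of a clinical document is checked against the patient's disclosure directive, trimmed or denied when the directive does not permit it, and allowed through a break-glass override only when a reason is supplied, with every decision appended to an HMAC-chained audit log so that removed or altered override records are detectable. The directive fields, section codes, decision labels, demo key and the hash-chain construction are assumptions of this example, not details taken from the paper.

```python
"""Added example (not code from the paper or from the CDAShip project): a
minimal consent-directive gate for a peer-to-peer exchange of a clinical
document, with a logged, auditable 'break-glass' override.  The directive
shape, the section codes, the decision labels and the hash-chained audit
log are assumptions made for this illustration."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class DisclosureDirective:
    """Assumed directive: which organisations may receive the patient's
    documents, and which sections are masked unless an override is invoked."""
    patient_id: str
    allowed_recipients: frozenset
    masked_sections: frozenset


@dataclass
class ExchangeRequest:
    patient_id: str
    recipient_org: str
    clinician: str
    sections: frozenset                      # document sections the sender wants to transmit
    override_reason: Optional[str] = None    # present only for a break-glass request


class AuditLog:
    """Append-only log whose entries are chained by an HMAC over the previous
    tag and the entry, so removal, reordering or editing of override records
    is detectable.  The key belongs to the audit authority, not the sending
    system (assumption)."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []
        self._prev = b"\x00" * 32

    def _tag(self, prev: bytes, event: dict) -> str:
        payload = json.dumps(event, sort_keys=True).encode()
        return hmac.new(self._key, prev + payload, hashlib.sha256).hexdigest()

    def record(self, event: dict) -> str:
        event = dict(event, ts=datetime.now(timezone.utc).isoformat())
        tag = self._tag(self._prev, event)
        self.entries.append({"event": event, "tag": tag})
        self._prev = bytes.fromhex(tag)
        return tag

    def verify(self) -> bool:
        prev = b"\x00" * 32
        for e in self.entries:
            if not hmac.compare_digest(self._tag(prev, e["event"]), e["tag"]):
                return False
            prev = bytes.fromhex(e["tag"])
        return True

    def overrides(self):
        """The records a privacy auditor would review."""
        return [e["event"] for e in self.entries if e["event"]["decision"] == "override"]


def decide(req: ExchangeRequest, directive: DisclosureDirective, log: AuditLog):
    """Evaluate the request against the directive.  Returns (decision, sections
    that may be sent).  Every decision, not only overrides, is logged."""
    if req.patient_id != directive.patient_id:
        raise ValueError("directive does not belong to this patient")
    recipient_ok = req.recipient_org in directive.allowed_recipients
    masked = req.sections & directive.masked_sections
    base = {"patient": req.patient_id, "recipient": req.recipient_org,
            "clinician": req.clinician, "requested": sorted(req.sections)}

    if recipient_ok and not masked:
        log.record(dict(base, decision="permit"))
        return "permit", req.sections

    if req.override_reason:
        # Break-glass: patient safety takes precedence; the full request and
        # the stated reason are recorded for the privacy audit.
        log.record(dict(base, decision="override", reason=req.override_reason,
                        recipient_allowed=recipient_ok, masked_disclosed=sorted(masked)))
        return "override", req.sections

    # No override: release only what the directive permits (default deny).
    allowed = (req.sections - masked) if recipient_ok else frozenset()
    decision = "partial" if allowed else "deny"
    log.record(dict(base, decision=decision, withheld=sorted(req.sections - allowed)))
    return decision, allowed


def run_demo() -> AuditLog:
    """Constructed sample: one directive, three requests (routine, blocked,
    break-glass).  Returns the audit log for inspection."""
    directive = DisclosureDirective("pt-001", frozenset({"clinic-A"}), frozenset({"MENTAL_HEALTH"}))
    log = AuditLog(key=b"audit-authority-demo-key")   # constructed demo key, not a real one
    decide(ExchangeRequest("pt-001", "clinic-A", "dr.lee",
                           frozenset({"MEDICATIONS", "ALLERGIES"})), directive, log)
    decide(ExchangeRequest("pt-001", "clinic-B", "dr.lee",
                           frozenset({"MEDICATIONS"})), directive, log)
    decide(ExchangeRequest("pt-001", "clinic-B", "dr.lee",
                           frozenset({"MEDICATIONS", "MENTAL_HEALTH"}),
                           override_reason="unconscious patient in ED, history needed"),
           directive, log)
    return log


if __name__ == "__main__":
    audit = run_demo()
    for e in audit.entries:
        print(e["event"]["decision"], e["event"].get("reason", ""))
    print("chain intact:", audit.verify())
```

Running the file prints the three decisions (permit, deny, override) and confirms the chain verifies; editing any recorded event afterwards makes `verify()` return False. The point of logging every decision rather than only overrides is that an auditor can compare a clinician's override rate against their routine traffic, which is what makes abuse of the override visible.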


Keywords: Security and privacy; eHealth; Peer-to-peer interoperability; CDA; Consent management; Disclosure directives; Access control; Auditing; Non-repudiation


Copyright information

© Springer Science+Business Media, LLC 2011

Authors and Affiliations

  1. Department of Computer Science, University of Victoria, Victoria, Canada
