Skip to main content

An Enhanced Security Solution for Electronic Medical Records Based on AES Hybrid Technique with SOAP/XML and SHA-1

An Erratum to this article was published on 20 January 2015


This study aims to provide security solutions for implementing electronic medical records (EMRs). E-Health organizations could utilize the proposed method and implement recommended solutions in medical/health systems. Majority of the required security features of EMRs were noted. The methods used were tested against each of these security features. In implementing the system, the combination that satisfied all of the security features of EMRs was selected. Secure implementation and management of EMRs facilitate the safeguarding of the confidentiality, integrity, and availability of e-health organization systems. Health practitioners, patients, and visitors can use the information system facilities safely and with confidence anytime and anywhere. After critically reviewing security and data transmission methods, a new hybrid method was proposed to be implemented on EMR systems. This method will enhance the robustness, security, and integration of EMR systems. The hybrid of simple object access protocol/extensible markup language (XML) with advanced encryption standard and secure hash algorithm version 1 has achieved the security requirements of an EMR system with the capability of integrating with other systems through the design of XML messages.

This is a preview of subscription content, access via your institution.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11


  1. 1.

    van der Linden, H., Kalra, D., Hasman, A., and Talmon, J., Inter-organizational future proof EHR systems: A review of the security and privacy related issues. Int. J. Med. Inform. 78(3):141–160, 2009.

    Article  Google Scholar 

  2. 2.

    David, T., Securing access to healthcare. Biom Technol Today 2011(2):10–11, 2011.

    Article  Google Scholar 

  3. 3.

    Krawczyk, S., and Jain, A. Securing electronic medical records using biometric authentication. Springer, 2005.

  4. 4.

    Toyoda, K., Standardization and security for the EMR. Int. J. Med. Inform. 48(1–3):57–60, 1998.

    Article  Google Scholar 

  5. 5.

    Ruotsalainen, P., and Manning, B., A notary archive model for secure preservation and distribution of electrically signed patient documents. Int. J. Med. Inform. 76(5–6):449–453, 2007.

    Article  Google Scholar 

  6. 6.

    Chang, I. C., Li, Y.-C., Wu, T.-Y., and Yen, D. C., Electronic medical record quality and its impact on user satisfaction — Healthcare providers’ point of view. Gov. Inf. Q. 29(2):235–242, 2012.

    Article  Google Scholar 

  7. 7.

    Beahan, S., In: Thomas, P. (Ed.), 10 - Legal Issues in Medical Records/Health Information Management, in Practical Guide to Clinical Computing Systems. Academic Press, New York, pp. 171–180, 2008.

    Chapter  Google Scholar 

  8. 8.

    Ting, D., Securing access to healthcare. Biom Technol Today 2011(2):10–11, 2011.

    Article  Google Scholar 

  9. 9.

    Lekkas, D., and Gritzalis, D., Long-term verifiability of the electronic healthcare records’ authenticity. Int. J. Med. Inform. 76(5–6):442–448, 2007.

    Article  Google Scholar 

  10. 10.

    Perera, G., Holbrook, A., Thabane, L., Foster, G., and Willison, D. J., Views on health information sharing and privacy from primary care practices using electronic medical records. Int. J. Med. Inform. 80(2):94–101, 2011.

    Article  Google Scholar 

  11. 11.

    Yang, C.-M., Lin, H.-C., Chang, P., and Jian, W.-S., Taiwan’s perspective on electronic medical records’ security and privacy protection: Lessons learned from HIPAA. Comput. Methods Prog. Biomed. 82(3):277–282, 2006.

    Article  Google Scholar 

  12. 12.

    Peleg, M., Beimel, D., Dori, D., and Denekamp, Y., Situation-based access control: Privacy management via modeling of patient data access scenarios. J. Biomed. Inform. 41(6):1028–1040, 2008.

    Article  Google Scholar 

  13. 13.

    Kurtz, G., EMR confidentiality and information security. J. Healthc. Inf. Manag.: JHIM 17(3):41–48, 2003.

    MathSciNet  Google Scholar 

  14. 14.

    Barrows, R. C., and Clayton, P. D., Privacy, confidentiality, and electronic medical records. J. Am. Med. Inf. Assoc. 3(2):139–148, 1996.

    Article  Google Scholar 

  15. 15.

    Likourezos, A., Chalfin, D. B., Murphy, D. G., Sommer, B., Darcy, K., and Davidson, S. J., Physician and nurse satisfaction with an Electronic Medical Record system. J. Emerg. Med. 27(4):419–424, 2004.

    Article  Google Scholar 

  16. 16.

    Lim, E. Y. S., In: David Dagan, F. (Ed.), 11 - Data Security and Protection for Medical Images, in Biomedical Information Technology. Academic Press, Burlington, pp. 249–257, 2008.

    Google Scholar 

  17. 17.

    Mohan, J., and Razali Raja Yaacob, R., The Malaysian Telehealth Flagship Application: A national approach to health data protection and utilisation and consumer rights. Int. J. Med. Inform. 73(3):217–227, 2004.

    Article  Google Scholar 

  18. 18.

    Litoiu, M., Migrating to Web services - latency and scalability. in Web Site Evolution, 2002. Proceedings. Fourth International Workshop on. 2002.

  19. 19.

    Van de Velde, R., Framework for a clinical information system. Int. J. Med. Inform. 57(1):57–72, 2000.

    Article  Google Scholar 

  20. 20.

    Xue, Y., Liang, H., Wu, X., Gong, H., Li, B., and Zhang, Y., Effects of electronic medical record in a Chinese hospital: A time series study. Int. J. Med. Inform. 81(10):683–689, 2012.

    Article  Google Scholar 

  21. 21.

    Zimmerman, T. G., The case for electronic medical records—why the time to act is now. Osteopath. Fam. Physician 2(4):108–113, 2010.

    Article  Google Scholar 

  22. 22.

    Lucas, L., Partnering to enhance the nursing curriculum: Electronic medical record accessibility. Clin. Simul. Nurs. 6(3):e97–e102, 2010.

    Article  Google Scholar 

  23. 23.

    Rose, A. F., Schnipper, J. L., Park, E. R., Poon, E. G., Li, Q., and Middleton, B., Using qualitative studies to improve the usability of an EMR. J. Biomed. Inform. 38(1):51–60, 2005.

    Article  Google Scholar 

  24. 24.

    Hannan, T. J., Variation in health care—the roles of the electronic medical record. Int. J. Med. Inform. 54(2):127–136, 1999.

    Article  Google Scholar 

  25. 25.

    Mandl, K. D., Szolovits, P., Kohane, I. S., Markwell, D., and MacDonald, R., Public standards and patients’ control: how to keep electronic medical records accessible but privateMedical information: access and privacyDoctrines for developing electronic medical recordsDesirable characteristics of electronic medical recordsChallenges and limitations for electronic medical recordsConclusionsCommentary: Open approaches to electronic patient recordsCommentary: A patient’s viewpoint. Bmj 322(7281):283–287, 2001.

    Article  Google Scholar 

  26. 26.

    Ishida, Y., and Sakamoto, N., A secure model for communication of health care information by sub-division of information and multiplication of communication paths. Int. J. Med. Inform. 49(1):75, 1998.

    Article  Google Scholar 

  27. 27.

    Brandner, R., Van der Haak, M., Hartmann, M., Haux, R., and Schmucker, P., Electronic signature of medical documents-integration and evaluation of a public key infrastructure in hospitals. Methods Inf. Med. 41(4):321–330, 2002.

    Google Scholar 

  28. 28.

    Beyer, A., Hellmann, S., Hesse, M., Holl, F. L., Morcinek, P., Paulus, S., Reimer, H., Dahms, M., Kausmann, K., and Friedrich-Meier S., Criteria for success of identification, authentication and signing methods based on asymmetric cryptographic algorithms (EKIAS). 2007.

  29. 29.

    Gottesman, D. and Lo, H. K., From quantum cheating to quantum security. Arxiv preprint quant-ph/0111100, 2001.

  30. 30.

    Boneh, D., Joux, A., and Nguyen, P. Q., Why Textbook ElGamal and RSA Encryption Are Insecure, in Proceedings of the 6th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology, Springer-Verlag. p. 30–43,2000.

  31. 31.

    Fournaris, A. P., and Koufopavlou, O., A new RSA encryption architecture and hardware implementation based on optimized Montgomery multiplication. in Circuits and Systems, 2005. ISCAS 2005. IEEE International Symposium on. 2005.

  32. 32.

    Robinson, S., Still guarding secrets after years of attacks, rsa earns accolades for its founders. SIAM News 36(5):1–4, 2003.

    Google Scholar 

  33. 33.

    Lenstra, A. K., Recent developments in cryptography. Information Security Summit, p. 30–31, 2001.

  34. 34.

    Lenstra, A. K., and Verheul, E. R., Selecting cryptographic key sizes. J. Cryptol. 14(4):255–293, 2001.

    MATH  MathSciNet  Google Scholar 

  35. 35.

    Ganesan, R., Yaksha: augmenting Kerberos with public key cryptography. in Network and Distributed System Security, 1995., Proceedings of the Symposium on. 1995.

  36. 36.

    Pellegrini, A., Bertacco, V., and Austin, T., Fault-based attack of RSA authentication. 2010.

  37. 37.

    Song, R., and Korba, L., Scalability of Security Technologies on Multi-agent Applications, 2003.

  38. 38.

    Feldhofer, M., Dominikus, S., and Wolkerstorfer, J., Strong authentication for RFID systems using the AES algorithm. Cryptogr. Hardw. Embed. Syst.-CHES 2004:85–140, 2004.

    Google Scholar 

  39. 39.

    Medani, A., Gani, A., Zakaria, O., Zaidan, A., and Zaidan, B., Review of mobile short message service security issues and techniques towards the solution. Sci. Res. Essays 6(6):1147–1165, 2011.

    Google Scholar 

  40. 40.

    Xinmiao, Z., and Parhi, K. K., High-speed VLSI architectures for the AES algorithm. Very Large Scale Integration (VLSI) Systems. IEEE Trans. 12(9):957–967, 2004.

    Google Scholar 

  41. 41.

    Elbaz, R., Torres, L., Sassatelli, G., Guillemin, P., and Bardouillet, M., PE-ICE: Parallelized Encryption and Integrity Checking Engine. in Design and Diagnostics of Electronic Circuits and systems, 2006 IEEE. 2006.

  42. 42.

    Vaslin, R., Gogniat, G., Diguet, J.-P., Tessier, R., and Burleson, W., Low latency solution for confidentiality and integrity checking in embedded systems with off-chip memory. in ReCoSoc proceeedings 2007. 2007.

  43. 43.

    Asenjo, J. C., The Advanced Encryption Standard–Implementation and Transition to a New Cryptographic Benchmark. Netw. Secur. 2002(7):7–9, 2002.

    Article  Google Scholar 

  44. 44.

    Bouhraoua, A., Design Feasibility Study For A 500 Gbits/s AES Cypher Decypher Engine. in Microelectronics, 2006. ICM '06. International Conference on. 2006.

  45. 45.

    Shen-Fu, H., Ming-Chih, C., and Chia-Shin, T., Memory-free low-cost designs of advanced encryption standard using common subexpression elimination for subfunctions in transformations. Circuits and Systems I: Regular Papers. IEEE Trans. 53(3):615–626, 2006.

    Google Scholar 

  46. 46.

    Chih-Chung, L. and Shau-Yin, T., Integrated design of AES (Advanced Encryption Standard) encrypter and decrypter. in Application-Specific Systems, Architectures and Processors, 2002. Proceedings. The IEEE International Conference on. 2002.

  47. 47.

    Itani, W., and Kayssi, A., J2ME application-layer end-to-end security for m-commerce. J. Netw. Comput. Appl. 27(1):13–32, 2004.

    Article  Google Scholar 

  48. 48.

    Eastlake, D. and Jones, P., Network Working Group D. Eastlake, 3rd Request for Comments: 3174 Motorola Category: Informational P. Jones Cisco Systems September 2001. 2001. RFC 3174.

  49. 49.

    Quinlan, S. and Dorward, S., Venti: a new approach to archival storage. 2002.

  50. 50.

    Madson, C. and Glenn, R., The use of HMAC-MD5-96 within ESP and AH. 1998.

  51. 51.

    Stoica, I., Morris, R., Karger, D., Kaashoek, M. F., and Balakrishnan, H., Chord: A scalable peer-to-peer lookup service for internet applications. SIGCOMM Comput. Commun. Rev. 31(4):149–160, 2001.

    Article  Google Scholar 

  52. 52.

    Xiao, D., Liao, X., and Deng, S., One-way Hash function construction based on the chaotic map with changeable-parameter. Chaos, Solitons Fractals 24(1):65–71, 2005.

    Article  MATH  MathSciNet  Google Scholar 

  53. 53.

    Mao-Yin, W., Chih-Pin, S., Chih-Tsun, H., and Cheng-Wen, W., An HMAC processor with integrated SHA-1 and MD5 algorithms. in Design Automation Conference, 2004. Proceedings of the ASP-DAC 2004. Asia and South Pacific. 2004.

  54. 54.

    Traw, C. B. S., and Aucsmith, D. W., Content protection for transmission systems, Google Patents, 1999.

  55. 55.

    Michail, H. E., Kakarountas, A. P., Milidonis, A., and Goutis, C. E., Efficient implementation of the keyed-hash message authentication code (HMAC) using the SHA-1 hash function. in Electronics, Circuits and Systems, 2004. ICECS 2004. Proceedings of the 2004 11th IEEE International Conference on. 2004.

  56. 56.

    Siddiqui, B., Exploring XML Encryption, Part 1. IBM developerWorks, 2002. 3.

  57. 57.

    Mukkamala, R., and Balusani, S., Active certificates: a new paradigm in digital certificate management. in Parallel Processing Workshops, 2002. Proceedings. International Conference on. 2002.

  58. 58.

    Simon, E., Madsen, P., and Adams, C., XML Digital Signature. 2001.

  59. 59.

    Avila-Campillo, I., Green, T. J., Gupta, A., Onizuka, M., Raven, D., and Suciu, D., XMLTK: An XML toolkit for scalable XML stream processing. 2002.

  60. 60.

    McGregor, C., Purdy, M., and Kneale, B., Compression of XML physiological data streams to support neonatal intensive care unit Web services. in e-Technology, e-Commerce and e-Service, 2005. EEE '05. Proceedings. The 2005 I.E. International Conference on. 2005.

  61. 61.

    Pal, S., Cseri, I., Seeliger, O., Schaller, G., Giakoumakis, L., and Zolotov, V., Indexing XML data stored in a relational database. 2004. VLDB Endowment.

  62. 62.

    Chester, T. M., Cross-platform integration with XML and SOAP. IT Prof. 3(5):26–34, 2001.

    Article  Google Scholar 

  63. 63.

    Achard, F., Vaysseix, G., and Barillot, E., XML, bioinformatics and data integration. Bioinformatics 17(2):115, 2001.

    Article  Google Scholar 

  64. 64.

    Bagnasco, A., Chirico, M., and Scapolla, A. M., XML technologies to design didactical distributed measurement laboratories. in Instrumentation and Measurement Technology Conference, 2002. IMTC/2002. Proceedings of the 19th IEEE. 2002.

  65. 65.

    Kreger, H., Fulfilling the Web services promise. Commun. ACM, 2003. 46(6): p. 29–ff.

  66. 66.

    Jia, Z., and Jen-Yao, C., A SOAP-oriented component-based framework supporting device-independent multimedia Web services. in Multimedia Software Engineering, 2002. Proceedings. Fourth International Symposium on. 2002.

  67. 67.

    Chiu, K., Govindaraju, M., and Bramley, R., Investigating the limits of SOAP performance for scientific computing. in High Performance Distributed Computing, 2002. HPDC-11 2002. Proceedings. 11th IEEE International Symposium on. 2002.

  68. 68.

    Brown, A., Fox, B., Hada, S., LaMacchia, B., and Maruyama, H., SOAP security extensions: Digital signature. W3C Note, 2001.

  69. 69.

    Curbera, F., Duftler, M., Khalaf, R., Nagy, W., Mukhi, N., and Weerawarana, S., Unraveling the Web services web: An introduction to SOAP, WSDL, and UDDI. Internet Comput. IEEE 6(2):86–93, 2002.

    Article  Google Scholar 

  70. 70.

    Kagal, L., Finin, T., Paolucci, M., Navcen, S., Sycara, K., and Denker, G., Authorization and privacy for semantic Web services. Intell. Syst. IEEE 19(4):50–56, 2004.

    Article  Google Scholar 

  71. 71.

    Ping, Z., Zhiyong, L., Tao, Q., and Xinxing, J., Research based on XML/SOAP BACnet and internet integration technology. in Intelligent Computing and Integrated Systems (ICISS), 2010 International Conference on. 2010.

  72. 72.

    Ostrand, T., White-Box Testing. Encyclopedia of Software Engineering, 2002.

  73. 73.

    Tonella, P. and Ricca, F., A 2-layer model for the white-box testing of Web applications. in Web Site Evolution, 2004. WSE 2004. Proceedings. Sixth IEEE International Workshop on. 2004.

  74. 74.

    Tonella, P., and Ricca, F., Statistical testing of Web applications. J. Softw. Maint. Evol. Res. Pract. 16(1–2):103–127, 2004.

    Article  Google Scholar 

  75. 75.

    Yu, Y.-C., and Hou, T.-W., Utilize common criteria methodology for secure ubiquitous healthcare environment. J. Med. Syst. 36(3):1689–1696, 2012.

    Article  Google Scholar 

  76. 76.

    Touati, F., and Tabish, R., U-Healthcare System: State-of-the-Art Review and Challenges. J. Med. Syst. 37(3):1–20, 2013.

    Article  Google Scholar 

  77. 77.

    Nikooghadam, M., and Zakerolhosseini, A., Secure communication of medical information using mobile agents. J. Med. Syst. 36(6):3839–3850, 2012.

    Article  Google Scholar 

  78. 78.

    Wu, Z.-Y., Chen, L., and Wu, J.-C., A Reliable RFID Mutual Authentication Scheme for Healthcare Environments. J. Med. Syst. 37(2):1–9, 2013.

    Article  MATH  Google Scholar 

  79. 79.

    Hsu, C.-L., and Lu, C.-F., A Security and Privacy Preserving E-Prescription System Based on Smart Cards. J. Med. Syst. 36(6):3637–3647, 2012.

    Article  Google Scholar 

  80. 80.

    Chen, H.-M., Lo, J.-W., and Yeh, C.-K., An Efficient and Secure Dynamic ID-based Authentication Scheme for Telecare Medical Information Systems. J. Med. Syst. 36(6):3907–3915, 2012.

    Article  Google Scholar 

  81. 81.

    Wu, S., Chen, K., and Zhu, Y., A Secure Lightweight RFID Binding Proof Protocol for Medication Errors and Patient Safety. J. Med. Syst. 36(5):2743–2749, 2012.

    Article  Google Scholar 

  82. 82.

    Lee, T.-F., and Liu, C.-M., A Secure Smart-Card Based Authentication and Key Agreement Scheme for Telecare Medicine Information Systems. J. Med. Syst. 37(3):1–8, 2013.

    Google Scholar 

  83. 83.

    Khan, M., and Kumari, S., An authentication scheme for secure access to healthcare services. J. Med. Syst. 37(4):1–12, 2013.

    Article  Google Scholar 

  84. 84.

    Rubio, Ó.J., Alesanco, Á., and García, J., A robust and simple security extension for the medical standard SCP-ECG. J. Biomed. Inf., (0).

  85. 85.

    Sucurovic, S., Implementing security in a distributed web-based EHCR. Int. J. Med. Inform. 76(5):491, 2007.

    Article  Google Scholar 

  86. 86.

    Blobel, B., Nordberg, R., Davis, J. M., and Pharow, P., Modelling privilege management and access control. Int. J. Med. Inform. 75(8):597–623, 2006.

    Article  Google Scholar 

  87. 87.

    Lekkas, D., Gritzalis, S., and Katsikas, S., Quality assured trusted third parties for deploying secure internet-based healthcare applications. Int. J. Med. Inform. 65(2):79–96, 2002.

    Article  Google Scholar 

  88. 88.

    Smith, E., and Eloff, J., Security in health-care information systems—current trends. Int. J. Med. Inform. 54(1):39–54, 1999.

    Article  Google Scholar 

  89. 89.

    Moehr, J., and McDaniel, J., Adoption of security and confidentiality features in an operational community health information network: the Comox Valley experience—case example. Int. J. Med. Inform. 49(1):81–87, 1998.

    Article  Google Scholar 

  90. 90.

    Blobel, B., Pharow, P., Spiegel, V., Engel, K., and Engelbrecht, R., Securing interoperability between chip card based medical information systems and health networks. Int. J. Med. Inform. 64(2–3):401–415, 2001.

    Article  Google Scholar 

  91. 91.

    Chen, K., Chang, Y.-C., and Wang, D.-W., Aspect-oriented design and implementation of adaptable access control for Electronic Medical Records. Int. J. Med. Inform. 79(3):181–203, 2010.

    Article  Google Scholar 

  92. 92.

    Liu, D., Wang, X., Pan, F., Xu, Y., Yang, P., and Rao, K., Web-based infectious disease reporting using XML forms. Int. J. Med. Inform. 77(9):630, 2008.

    Article  Google Scholar 

  93. 93.

    Schweiger, R., Brumhard, M., Hoelzer, S., and Dudeck, J., Implementing health care systems using XML standards. Int. J. Med. Inform. 74(2–4):267–277, 2005.

    Article  Google Scholar 

  94. 94.

    Ruotsalainen, P., A cross-platform model for secure Electronic Health Record communication. Int. J. Med. Inform. 73(3):291–296, 2004.

    Article  Google Scholar 

  95. 95.

    Gritzalis, D., and Lambrinoudakis, C., A security architecture for interconnecting health information systems. Int. J. Med. Inform. 73(3):305–310, 2004.

    Article  Google Scholar 

  96. 96.

    Rassinoux, A. M., Lovis, C., Baud, R., and Geissbuhler, A., XML as standard for communicating in a document-based electronic patient record: a 3 years experiment. Int. J. Med. Inform. 70(2–3):109–115, 2003.

    Article  Google Scholar 

  97. 97.

    Stalidis, G., Prentza, A., Vlachos, I. N., Maglavera, S., and Koutsouris, D., Medical support system for continuation of care based on XML web technology. Int. J. Med. Inform. 64(2):385–400, 2001.

    Article  Google Scholar 

  98. 98.

    Papadakis, I., Chrissikopoulos, V., and Polemi, D., Secure medical digital libraries. Int. J. Med. Inform. 64(2–3):417–428, 2001.

    Article  Google Scholar 

  99. 99.

    Norifusa, M., Internet security: Difficulties and solutions. Int. J. Med. Inform. 49(1):69, 1998.

    Article  Google Scholar 

Download references


This Research has been partially funded from high impact research unite (HIR) at University of Malaya, under grant number UM.C/HIR/MOHE/FCSIT/12. A special thank goes to Multimedia University and Sunway University for providing several researches facilities, important recourses and providing experts consultations to improve this work.

Author information



Corresponding author

Correspondence to A. A. Zaidan.

Additional information

An erratum to this article is available at

Rights and permissions

Reprints and Permissions

About this article

Cite this article

Kiah, M.L.M., Nabi, M.S., Zaidan, B.B. et al. An Enhanced Security Solution for Electronic Medical Records Based on AES Hybrid Technique with SOAP/XML and SHA-1. J Med Syst 37, 9971 (2013).

Download citation


  • EMR security
  • RSA
  • AES
  • SHA-1
  • SOAP
  • XML