CipherMe: electronic health records in the hands of patients – owners

Author: Philip Watkins
Igor Hansen, CLAN Systems Ltd

Abstract

CipherMe technologies enable individual entities to securely store private information about themselves and to manage access to selected items by other parties, as dictated by needs or legal obligations. CipherMe in medicine, a specific application, gives an individual exclusive ownership of his medical records that are currently dispersed among doctors, hospitals and laboratories.

CipherMe is a unique new technology empowering individual entities: persons, institutions or objects to control their personal data. It gives individuals exclusive, secure and private ownership of information about themselves such as medical records or financial or career details.

1 CipherMe architecture

Traditionally, each administrative body sets out to build its own complete independent information technology system (Fig 1). The largest part of each such system is a database for storing information about administered entities: taxpayers, national insurance contributors, healthcare system patients. From the citizen’s point of view, the whole of administration is distributed amongst giant information technology projects, each with its own concept of user interface and with its own problems of scale. Many systems far exceed their original budgets and few achieve the originally targeted functionality. Access to data by citizens themselves is often down the list of unimplemented priorities. When such access appears, the data itself remains the hostage of a centralised system.

CipherMe (Fig 2) is an alternative to systems focusing on the administrative body itself. CipherMe focuses on each individual citizen or any other legal entity: business enterprise, vehicle or even farm stock. Each such entity becomes the factual owner of all data that concerns it. Selected data items are then licensed for access by other entities, according to the needs of the owner or according to legal requirements. Data is distributed amongst its rightful owners and there is no need to maintain separate huge information technology projects with their problems of scale, often duplicated and inconsistent entries and problems of data interchange. In a CipherMe system each entity has all its personal data concentrated in one secure place and it can access this data through its own personalised portal.

CipherMe data storage gives citizens full freedom of administrative movement over institutional, regional and even national borders, for example within the European Union.

Fig 1: traditional e-administration for citizens

Fig 2: CipherMe: lightweight administration for e-citizens

CipherMe provides its users with
• freedom of choice,
• privacy and security,
• direct awareness of areas like own health or costs of health care delivery,
• independence of centralised decisions, often driven by political caprices.

1.1 basic operation

The core elements of CipherMe architecture are a distributed collection of personal, secure data spaces plus a collection of software tools which enable secure access to contained data, its viewing and management. Personal data space is a collection of medical, identification and other objects, each individually encrypted and placed on a chosen CipherMe server.

Fig 3: user terminal, personal data space and tools server (figure labels: telecomms infrastructure; Internet, Intranet)

The server delivers such encrypted objects to the user terminal only upon requests digitally signed by the user access card. It delivers only those objects to which the user is entitled and only on conditions stipulated by that entitlement. The terminal uses the card to decrypt data objects and makes data available for viewing and processing.

The majority of data access tools are based on Internet browsing technologies and most of them are delivered free of charge from a dedicated national CipherMe operator server. Some administrative bodies may decide to supply their own tools and supporting data, like tax return forms or lists of licensed medicines and refund rules. Administrations may also publish tools for viewing data supplied to data owners in the language of the place of presentation. This enables the showing of a French driving license in German in Berlin and a Polish vehicle registration document in Italian in Milan.
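The delivery rule described above (signed request, then entitlement check, then release of a still-encrypted object) can be sketched as follows. This is an added example, not CipherMe code: the function names, the Ed25519 card keys, the request layout and the nonce-based replay check are all assumptions made for illustration.

```javascript
// Added illustration, not CipherMe code: a server that releases an encrypted
// object only for a card-signed request from an entitled key.
const crypto = require('node:crypto');

// Constructed stand-ins for two access cards (Ed25519 is an assumption).
const patientCard = crypto.generateKeyPairSync('ed25519');
const doctorCard = crypto.generateKeyPairSync('ed25519');

// The server knows a card only by the fingerprint of its public key.
function fingerprint(publicKey) {
  const der = publicKey.export({ type: 'spki', format: 'der' });
  return crypto.createHash('sha256').update(der).digest('hex');
}

// Constructed store: opaque ciphertext plus the fingerprints entitled to read it.
const store = new Map([
  ['note-1', {
    blob: Buffer.from('opaque-ciphertext'),
    readers: new Set([fingerprint(patientCard.publicKey)]),
  }],
]);
const seenNonces = new Set(); // replay protection (an assumption, not from the paper)

// Terminal side: the card signs the object id together with a fresh nonce.
function signRequest(card, objectId) {
  const nonce = crypto.randomBytes(16).toString('hex');
  const msg = Buffer.from(`${objectId}|${nonce}`);
  const signature = crypto.sign(null, msg, card.privateKey);
  return { objectId, nonce, publicKey: card.publicKey, signature };
}

// Server side: verify the signature, reject replays, then check entitlement.
function serve(req) {
  const msg = Buffer.from(`${req.objectId}|${req.nonce}`);
  if (!crypto.verify(null, msg, req.publicKey, req.signature)) return 'bad-signature';
  if (seenNonces.has(req.nonce)) return 'replay';
  seenNonces.add(req.nonce);
  const entry = store.get(req.objectId);
  if (!entry || !entry.readers.has(fingerprint(req.publicKey))) return 'not-entitled';
  return entry.blob; // still encrypted; the server never holds the object key
}
```

Unknown objects and unentitled keys get the same `not-entitled` answer, so a caller cannot use the server to probe which object identifiers exist.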

1.2 data security and anonymity

Just as security in a bank concentrates on protecting storage and transportation, the security of traditional Internet systems concentrates on securing data storage locations and communications channels, and the Secure Socket Layer protocol becomes the equivalent of the bank's armoured van.

Fig 4: data security on a traditional Internet server

However, after we hand over a document to a clerk he can do with it whatever he likes. Similarly, an Internet server administrator can read the content of our e-mail. Access to our health records in a medical centre by an employee is similarly beyond our control. Our data remains in the danger zone all the time. The owner of such a traditional database stores data about third parties and must bear the overheads of compliance with data privacy regulations.

CipherMe adds to those traditional security techniques its own equivalent of anonymous safe deposit boxes.

Fig 5: data security and anonymity on a CipherMe server

Each data object is stored in a separate box, each with a different key, and with the keys under the control of the data space owner. The owner of this collection of boxes remains anonymous and his identity information is locked up in one of the boxes. A box remains locked throughout storage and transport to and from the user terminal, where it can be opened only by the authorised holder of an appropriate key.

2 CipherMe in health care systems – beyond traditional EHR

CipherMe is an existing and working system which enables the creation of a highly functional Electronic Health Records architecture. It can satisfy and exceed all the functional requirements currently set as modernisation targets for most national health records systems. Importantly, such an architecture can be created at a fraction of the costs currently estimated by most administrations.

In most current systems patient medical data is dispersed amongst doctors, hospitals, laboratories and medical centres. Due to frequent unavailability it often has to be duplicated, causing loss of time and additional costs.

Fig 6: patient data dispersal in a traditional health care system (figure labels: hospital A, hospital B, laboratory I, laboratory II, medical centre, patient’s home, dentist, practice 1, practice 2, health spa, health insurer, national health service)

Doctors and medical centres have problems with maintaining complete records of all professional decisions that they are responsible for. Concentrating all such data in a single electronic national health records system will not solve the problems of universal data availability or the patient's feeling of being lost amongst several separate administrative bodies. CipherMe concentrates complete medical records in the hands of their rightful owners, the patients, and enables those patients to present those records at any time and at any chosen point of health care delivery.

The system cuts down the costs of large centralised administrations. Its Internet-style tooling enables immediate introduction of both technical and legal enhancements with a minimum of cost and with immediate effect throughout the administered region. Updates to the licensed medicines list find their way immediately into the prescription issue tools of all doctors. In cases of emergency, an ambulance crew can use the patient card and a two-slot mobile phone to license the target hospital for immediate access to the patient's critical medical data. Within less than two minutes the hospital can feed back into the ambulance phone any critical warnings concerning the place of action: dangerous allergies, pregnancy or implants.

2.1 visiting a doctor

A doctor is licensed by each medical practice to access data objects that are relevant for him while receiving patients at that practice. By inserting his own card into practice terminal the doctor gains access to his personal data, like means of identification or professional qualifications certificates, but also to the working environment of the practice.

Fig 7: doctor and patient in a medical practice

The patient inserts his own card into the terminal and in this way gives the doctor access to his medical records: previous visits, results of tests, procedures and history of medicine taking. The doctor creates a new medical note, signs it electronically with his card and then the patient card places the note in the patient's data space. The patient, the doctor and the practice all obtain non-removable read access to that note.

In this way the patient collects all his medical data in his own data space. The doctor creates a distributed archive of all his professional decisions, independently of the number of places he works for and how often he changes them. The practice obtains a distributed archive of all professional decisions taken by doctors whilst working at that practice. The doctor and the practice do not have to worry about complying with personal data protection regulations and they do not have to worry about the security of data on their local computer system from technical failure or theft. Such a medical visit can take place anywhere and at any time, not only at the site of the practice, but on holiday, when visiting a specialist or even at home at the patient's bedside.

2.2 creating a prescription

During the visit, the doctor can issue a digital prescription. During its creation, the choice of active substance is automatically verified against the declared allergies in the patient data space. Then, the list of currently licensed medicines containing that substance is fetched from the Ministry of Health server. In this way the doctor’s electronic prescription pad is automatically up-to-date with all the current medicine issue regulations. The choice of medicine gives the doctor a link to that medicine's full information leaflet on the manufacturer's Web site. All leaflets are in a standard XML format, allowing their uniform presentation for comparisons.

2.3 issue of medicine in a pharmacy

A pharmacist is licensed by the pharmacy to access data like medicines lists and their prices. His card gives him access both to his personal data and to the working environment of the pharmacy.

Fig 8: patient in a pharmacy

The patient inserts his card in a pharmacy reader allowing the pharmacist to see all the currently active prescriptions.

Medicine issue is a contract signed digitally by both the pharmacist's and the patient's cards. The issue can be for only part of the prescribed volume, allowing the implementation of long-term prescriptions without the need for repeat visits to the practice. The signed contract is placed in the patient data space. Its copy is also placed in the accounting section of the pharmacy's own data space.

2.4 refund of medical service costs

A right to a refund of medical health care costs is represented by a refund certificate in the patient data space. This may be issued to him by the national insurance authority or it can be a certificate from a private health insurance company. While purchasing the prescribed medicine the patient makes that certificate available to the pharmacy, and the refund formula specified in that certificate sets the division of the medicine price between the part payable by the patient and the part payable by the refund body.

Fig 9: refund of medicine costs

The refund certificate also contains the public cryptographic key of the issuing body. The key is subsequently used by the pharmacy to license its copy of the medicine issue transaction for read access by that refund body. In a similar way other health care service providers license refund bodies to see transactions that are subject to refunds by those bodies. This transaction licensing scheme creates a distributed, fast, efficient and digitally certified health care services refund system. Refund processing costs are cut to a fraction, most processing errors and scope for fraud are eliminated and refunds can be almost instantaneous, benefiting both service providers and health funds. Health care resources really follow the patient, improving his mobility and freedom of choice.
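The "separate box, separate key" model of section 1.2 and the licensing of a transaction to the refund body's public key described here can both be shown with one sketch. This is an added example, not CipherMe code: modelling a license as the box key wrapped to the licensee's public key is an assumption, as are the function names and the choice of AES-256-GCM and RSA-OAEP; the sample records are constructed.

```javascript
// Added illustration, not CipherMe code: one key per data object, and a
// "license" modelled as that key wrapped to the licensee's public key.
const crypto = require('node:crypto');

// Constructed key pairs standing in for cards and certificate keys.
const newParty = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const pharmacy = newParty(), refundBody = newParty(), outsider = newParty();

// Seal one object in its own box: fresh AES-256-GCM key, no licenses yet.
function sealBox(plaintext) {
  const key = crypto.randomBytes(32), iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const data = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { box: { iv, data, tag: cipher.getAuthTag(), licenses: [] }, key };
}

// License a box: wrap its key to the licensee's public key (OAEP, SHA-256).
function license(box, key, licenseePublicKey) {
  box.licenses.push(
    crypto.publicEncrypt({ key: licenseePublicKey, oaepHash: 'sha256' }, key));
}

// Open a box with a private key; returns null if no license unwraps
// or if the stored ciphertext fails authentication.
function openBox(box, privateKey) {
  for (const wrapped of box.licenses) {
    try {
      const key = crypto.privateDecrypt({ key: privateKey, oaepHash: 'sha256' }, wrapped);
      const d = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
      d.setAuthTag(box.tag);
      return Buffer.concat([d.update(box.data), d.final()]).toString('utf8');
    } catch (e) { /* not this holder's license, or the box was altered */ }
  }
  return null;
}

// Constructed sample: the pharmacy's copy of an issue transaction, licensed to
// itself and to the refund body whose public key came from the certificate.
const issue = sealBox('issue #1: 20 of 60 tablets, refund 70%');
license(issue.box, issue.key, pharmacy.publicKey);
license(issue.box, issue.key, refundBody.publicKey);
const priceList = sealBox('pharmacy price list'); // second box, second key
license(priceList.box, priceList.key, pharmacy.publicKey);
```

The storage server in this sketch holds only `box` values, so a license for one box gives its holder nothing on any other box.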

3 deployment benefits, costs and status

Personal data spaces in CipherMe technology can form a foundation for almost any system of supervision and management where geographically distributed entities enter data which should shortly become available to other entities. The CipherMe decentralised approach, with data physically in the hands of its owners, avoids the negative aspects of other centralised national information technology projects. The technology already exists and it is beginning to appear as a system for storage and exchange of information in a number of areas, including medical and dental records, business management, identity and entitlement verification, warranty and refund processes, vehicle and animal data management, and general access to secure data for standard applications.

3.1 healthcare benefits

Giving an individual the ownership of his records benefits all participants in the health care system by improving security, flexibility and management.
• It reduces the overheads of patient data management and mobility. The technology removes the costs of specialised networks within hospitals or between sites of a medical service provider. It equally supports a patient moving between blocks of a hospital, moving from a dental surgeon's chair to a dental hygienist or going abroad for a specialist consultation.
• enables efficient cross-care over institutional, regional and national borders,
• delivers patients’ full medical records during home visits, by the bedside,
• reduces doctors’ professional risks, form-filling and reporting overheads,
• reduces costs of compliance with data privacy regulations and should satisfy all privacy concern groups,
• enables instant updates of licensed medicines lists and of refund policies,
• enables close supervision over refund entitlements, where refunds themselves can be automatic, with no need for intermediate fund holding,
• enables management of core strategies, supported by efficient security and auto-regulation mechanisms,
• makes possible real-time monitoring of emerging health hazards, epidemics or efficiency of vaccination campaigns,
• delivers critical data in emergencies instantly to the receiving hospital.

3.2 Costs

Costs to the individual are minimal and in Poland they are about 25¢ per month. CipherMe eliminates having to pick up test results from a laboratory, and the price of a saved two-way tram journey will cover four months of CipherMe costs, not counting savings of time and effort. For a medical centre, the provision of up-to-date, free-of-charge medical software tools reduces the costs of a single medical workplace often to less than a half.

3.3 deployment path

CipherMe structures can be introduced gracefully and with minimum investment risk.
• It is possible to painlessly adjust the scale and speed of deployment to current needs and resources and to introduce an agreed, automated cost sharing between interested parties.
• Financial risks of pilot deployment are minimal as it does not require any significant initial investment by the institution and running costs are strictly proportional to the scale of such deployment. This enables smooth expansion to follow the growth of system acceptance and trust. The grain of growth is a single user data space, hence there is no step function across the whole scale of deployment, allowing imperceptible transition from pilot to full scale.
• Due to its distribution, the efficiency of CipherMe architecture is also independent of scale or speed of deployment. Expansion is smooth and requires no structural adjustments.
• The structure of databases relies on a dynamic population of small fast servers, each capable of supporting a few thousand individual databases. This makes it possible to retain the appropriate ratio between the number of users and the throughput of server cryptographic computations required by the system.
• Servers themselves are placed at various, but audited and licensed, hosting sites, usually at the sites of already established Internet Services Providers. The size and distribution of individual hosting sites have no special impact on the effectiveness of the system as a whole.

3.4 CipherMe in a particular dental practice

Amongst others, dental tools from a Polish CipherMe operator are being used in a Warsaw practice of doctor Falkowski to manage dental records of patients within their own private data spaces.

Fig 10: CipherMe tools and patient data in a dental practice

These records are easily available during patients’ visits both in his dental practice and in a separate implant surgery. Some diagnostic data, like panoramic X-rays, can be entered by an independent medical diagnostics company.
