Professional Documents
Culture Documents
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 56
Secure Module for Transmissions Data over Unsecured Channel:
Study Case on Electronic Medical Records
Hamdan O. Alanazi (1, 2, 3), Prof. Dr. Lim (1)
(1)
Department of Computer System and Technology, Faculty of Computer Science and
Information Technology, University of Malaya, 50603 Kuala Lumpur, Malaysia
(2)
Faculty of Applied Medical Science, King Saud University, P.O. BOX 2454,
Riyadh 11451, Kingdom of Saudi Arabia.
(3)
Faculty of Computer and Information Technology, Al-Madinah International
University, Shah Alam, Malaysia.
Abstract
Recently, Health care presents one of the most important subjects in the life. USA
government planed to spend 100 $ billion over the next 10 years, according to experts.
The Electronic Medical Record is usually a computerized legal medical record created in
an organization that delivers care, such as a hospital and doctor's surgery. In age of
technology, one of the most important factors for EMR is that securing the records for
the patients, protect their rights and knowing the responsible of disclosure their data.
Thus, the architecture design of transmission, that could guarantee the privacy of the
patients, plays an important role on building a strong relationship among the medical
center and the patient. Nevertheless, the design must be carried out with awareness to
protect the rights of the patients and maintains the confidentiality, integrity, authenticity
and non repudiation. The architecture of a secure transmission for single medical
records has been descried in this paper; the author has used UML tools on the design.
Keywords: Electronic Medical Record, Information Security, Data Privacy, Rights of Patient and
cryptography algorithms.
C
implications with characteristic focus on
technologies are accompanied in life healthcare aids [2]. Modern medical records
[1]. Services are becoming an can help the scholars to support on those
incrementally important component of researches [3], for these cases; researchers
national economies and it is critical to have used the medical record files to bring
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 10, OCTOBER 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 57
the required data about the patient [4, 5]. the technical integrity of the information
Most of the people consider information items and the accountability of the
about their health to be highly secured, information items should be verifiable. This
worthy of the strongest protection under the requires specific electronic signature
law [6]. Laws in often states and the age-old approaches and procedures that are long-
tradition of doctor-patient privilege has been lasting and long-verifiable and therefore long
the mainstay of privacy protection for provable ones [16-19]. For applications like
generations [7]. Electronic medical records the electronic medical record, law needs
pose tremendous problems to system algorithms that are protected for at least 30
developers [7-10]. Infrastructure and privacy years (the legal obligation for EMR) [17, 19,
consequences need to be resolved before 20]. Confidentiality, Authentication,
doctors can even start using the records [9, Authorization, Privacy, Integrity and Non-
10]. Non-intrusive hardware might be repudiation are the factors which are used in
required for doctors to do their work (i.e. the security of connotation for each term
interview patients) away from their offices [8, clarify the target of that term. Authentication
11]. But all the labors to solve these means accommodating the identity of the
problems will only succeed if acceptable communicating authorities to one another
care is also agreed to the design of the user [21, 22] meaning that authentication
interface [8, 11]. The National Research approach is a verification approach [23, 24]
Council has established that manufacturing while Authorization is the process by which
spends more than $15 billion on information we certify whether a subject is owed to
technology (IT), an amount that is expanding access [25] which means the Authorization
by 20% a year [12]. The president of USA is the granting or denial of permission to
has pledged to invest $10 billion a year over carry out a given action [26-28].
the next five years on the effort; the cost tag Confidentiality is the term used to prevent
for such a system can be around to $100 the disclosure of information to unauthorized
billion through the next 10 years. individuals or systems [29, 30]. Integrity
Additionally, they note that sticking to his involves protecting against unauthorized
five-year timetable can guarantee to be adaptations (i.e. causeless or intentional) to
daunting. E-Medical Records (EMR) the data [31]. Non-repudiation is the
systems would come out of the $825 billion concept of assuring that a party in a
economic stimulus package Obama wishes challenge cannot cancel, or refute the
to push through Congress [13-15]. A certain validity of a statement or contract [32].
item of information must be secured even
LIMITATION OF RESEARCH
more than 30 years after it was stored. It
should be stored unchanged all that time,
The paper outlines several
and it must be accessible. Therefore, both of
objectives. The main objective of the
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 10, OCTOBER 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 58
3- This paper has not paid any emergent system features for
database. The author has been and store occupancy. They might
addition, no one has the authority to features. It means that they are
access the database from illegal always more critical than individual
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 10, OCTOBER 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 59
the whole system is unusable. Non- following phases will fully depend on
functional requirements needed in this phase. In other words, the
securing Electronic Medical Records backbone of this paper is this phase.
system are identified as performance In this phase can lead the whole
requirements, safety requirements, paper to be successful.
and software quality attributes.
II. Phase Two:
I. Phase One:
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 10, OCTOBER 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 60
[33, 34, 35, 36, 37, 38, 39, 40, 41, 42,
43, 44] They have mentioned about the
securing of electronic medical record.
However, they do not present which
algorithm can be used. [45, 46, 47, 17,
48, 49, 50] They used RSA to secure
the EMR. [51] They used ECC to
Fig2. Use Case of Create Account
achieve securing for EMR. However the
RSA and ECC are entirely broken [52,
53, 54]. [36, 37, 38, 39, 54, 56, 57, 58,
48, 49, 50, 43, 44] They have discussed
some of the factors of the security. This
is good but they do not cover the Non
Repudiation which is very important
element in order to know who is
responsible about disclosure the patient
record. Fig3. Use Case of Login
System Module
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 10, OCTOBER 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 61
Fi
g6. Use Case of View the EMR
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 10, OCTOBER 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 62
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 10, OCTOBER 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 63
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 10, OCTOBER 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 64
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 10, OCTOBER 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 65
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 10, OCTOBER 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 66
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 10, OCTOBER 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 67
6. Izet Masic, H.P. Requirements for Journal of Mental Health, 2009. 18(3): p. 193-
Security and Privacy. in Medical Informatics in 197.
Enlarged Europe. 2007. Brijuni, Croatia: Pro
15. Mearian, L., Obama's national health
Universitate.
records system will be costly, daunting But an
7. Barton, B.H., Do Judges Systematically electronic health records system could save the
Favor the Interests of the Legal Profession. Ala. nation $300B a year, in computerworld. 2009.
L. Rev., 2007. 59: p. 453.
16. Bruun-Rasmussen, M., et al., The
8. Plaisant, C., et al. LifeLines: using impact of EHR and digital electrocardiograms.
visualization to enhance navigation and analysis The new navigators: from professionals to
of patient records. in Clinical Infrastructure for the patients: proceedings of MIE2003, 2003.
21 st Century. 1998 Orlando, FL: American
17. Pharow, P., et al., Security infrastructure
Medical Informatics Association.
services for electronic archives and electronic
9. Plaisant, C. and A. Rose. Exploring health records. Medical and care compunetics 1,
LifeLines to visualize patient records. in American 2004: p. 434.
Medical Informatics Association Annual Fall
18. Brandner, R., et al., Electronic Signature
Symposium. 1996. USA: Citeseer.
of Medical Documents--Integration and
10. Plaisant, C., et al. Visualizing medical Evaluation of a Public Key Infrastructure in
records with LifeLines. in Conference on Human Hospitals. Methods of Information in Medicine-
Factors in Computing Systems. 1998. Los Methodik der Information in der Medizin, 2002.
Angeles, California, United States: ACM. 41(4): p. 321-330.
11. Phd, C.P., et al. LifeLines: Using 19. Pharow, P. and B. Blobel, Electronic
Visualization to Enhance Navigation and Analysis signatures for long-lasting storage purposes in
of Patient Records. in Aparadigm Shift in Health electronic archives. International Journal of
Care Information Systems: Clinical Infrastructure Medical Informatics, 2005. 74(2-4): p. 279-287.
for the 21 st Century. 1998. Orlando, FL.
20. Winslade, W.J., Confidentiality of
12. Anderson, J.G., Security of the medical records: An overview of concepts and
distributed electronic patient record: a case- legal policies. Journal of Legal Medicine, 1982.
based approach to identifying policy issues. 3(4): p. 497-533.
International Journal of Medical Informatics,
21. Needham, R.M. and M.D. Schroeder,
2000. 60(2): p. 111-118.
Using encryption for authentication in large
13. Marmor, T., J. Oberlander, and J. White, networks of computers. Communications of the
The Obama administration's options for health ACM, 1978. 21(12): p. 999.
care cost control: hope versus reality. Annals of
22. Bellare, M. and P. Rogaway. Entity
Internal Medicine, 2009. 150(7): p. 485.
authentication and key distribution. in 13th
14. Goldman, H.H., President Obama and Annual International Cryptology Conference
Mental Health Policy–the Audacity to Hope. Santa Barbara, California, USA August 22–26,
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 10, OCTOBER 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 68
1993 Proceedings. 1993. California, USA: 31. Lee, H.J., A review of IPTV threats
Springer. based on the value chain. KSII Transactions on
the Internet and Systems, 2009. 3(2): p. 163-77.
23. Han, C.C., et al., Personal
authentication using palm-print features* 1. 32. Harb, H., H. Farahat, and M. Ezz.
Pattern Recognition, 2003. 36(2): p. 371-381. SecureSMSPay: Secure SMS Mobile Payment
model. in Anti-counterfeiting, Security and
24. Perrig, A. The BiBa one-time signature
Identification, 2008. ASID 2008. 2nd International
and broadcast authentication protocol. in
Conference 2008. Guiyang
Proceedings of the 8th ACM conference on
Computer and Communications Security. 2001. 37. Blobel, B., Advanced tool kits for EPR
Philadelphia, PA, USA: ACM. security. International Journal of Medical
Informatics, 2000. 60(2): p. 169-175.
25. Nakamur, Y., S. Hada, and R. Neyama,
Towards the integration of Web services security 38. Espinosa, A.L., Availability of health data:
on enterprise environments. saint-w, 2002: p. requirements and solutions. International Journal
166. of Medical Informatics, 1998. 49(1): p. 97-104.
26. Alfieri, R., R. Cecchini, and V. Ciaschini, 39. Kluge, E.H.W., Secure e-health: managing
From gridmap-file to VOMS: managing risks to patient health data. International Journal
authorization in a Grid environment. Future of Medical Informatics, 2007. 76(5-6): p. 402-406.
Generation Computer Systems, 2005. 21(4): p.
40. Ahmad, N., Restrictions on cryptography in
549-558.
india-a case studyof encryption and privacy.
27. Jo, S.M., et al. Access Authorization Computer Law & Security Review, 2009. 25(2): p.
Policy for XML Document Security. in Lecture 173-180.
Notes in Computer Science. 2005. Nanjing,
41. Julià-Barcelَ, R. and T. Vinje, "Towards a
China: Springer.
european framework for digital signatures and
28. Lee, A.J., et al. Traust: a trust encryption" : The european commission takes a
negotiation-based authorization service for open step forward for confidential and secure
systems. in Proceedings of the eleventh ACM electronic communications. Computer Law &
symposium on Access control models and Security Report. 14(2): p. 79-86.
technologies. 2006. Lake Tahoe, California, USA:
ACM.
42. Janczewski, L. and X. Shi, Development of
29. Carney, P.A., et al., Current medicolegal information security baselines for healthcare
and confidentiality issues in large, multicenter information systems in New Zealand. Computers
research programs. American journal of & Security, 2002. 21(2): p. 172-192.
epidemiology, 2000. 152(4): p. 371.
43. Takeda, H., et al., An assessment of PKI and
30. Stallings, W., Cryptography and network networked electronic patient record system:
security. 2010: Prentice Hall. lessons learned from real patient data exchange
at the platform of OCHIS (Osaka Community
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 10, OCTOBER 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 69
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 10, OCTOBER 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 70