• ing text, laboratory results, and images) to be transmitted outside the organization are encrypted by a server within a health care provider's information system. The encryption is designed so that the information can be accessed only by special software (possibly a Java "applet") with an encryption key supplied by the server on receipt of properly authenticated user credentials.
  • Potential users authenticate themselves through one of the public-key schemes and present authorization credentials for access to an appropriate part of the record. Types of access might include viewing demographic information only; viewing details of the most recent provider visit; viewing the full patient record except for potentially sensitive areas; or viewing, printing, and copying the entire record. Each access request would be logged to ensure accountability, and the software would destroy the access key after each use so that subsequent uses require reauthentication.
  • The user downloads special access software from the provider (or trusted third party) that contains a key to decrypt the document upon authentication and tracks the use of portions of the document according to authorized privileges. Viewing software must be secure against tampering, and the system must make it difficult to implement work-arounds, such as "screen scraping" and core dump analyses, that would give users uncontrolled access to the decrypted material. Some workers in this field have gone so far as to propose that this approach could succeed only in the context of closed "network appliance" machines to which the user would have no access for software reconfiguration. If the encrypted document were sent to other users, they could access it only with the viewer application supplied by the provider, which would require new authentication and authorization before allowing access.

Although it is unlikely that such a rights management system can be made foolproof against the most technically competent unethical user, it may provide an audit trail of access up to the point of abuse, including a record that a local copy was made (presumably against privacy protection laws) or that an overt act to circumvent software controls occurred. Further, it might be possible to watermark digital medical record documents cryptographically with the identities of the users to whom they were issued in confidence, so that if a subsequent inappropriate disclosure is made, its source can be identified.
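The following is an added illustration, not code from the report, of the server-side logic the bullets above and the audit-trail paragraph describe: credential checking, tiered authorization, a single-use access key that is destroyed after the view, an access log, and a keyed watermark binding each issued copy to its recipient. The record, users, passwords and tier names are constructed for the example; transport encryption of the document (an authenticated cipher such as AES-GCM in a real system) is left out so the policy logic stays in view.

```python
import hashlib, hmac, secrets, json

# Constructed sample record, split into the sections the access tiers refer to.
RECORD = {"demographics": {"name": "J. Doe"}, "recent_visit": {"note": "BP normal"},
          "history": {"labs": ["HbA1c 6.1"]}, "sensitive": {"psychiatric": "none"}}
# Access tiers from the text; each tier lists the sections it may view.
TIERS = {"demographics_only": ["demographics"],
         "recent_visit": ["demographics", "recent_visit"],
         "full_minus_sensitive": ["demographics", "recent_visit", "history"],
         "full": ["demographics", "recent_visit", "history", "sensitive"]}
# Constructed users: (salt, salted password hash, authorised tier).
def _pw(salt, pw): return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 10_000)
USERS = {"clerk": (b"s1", _pw(b"s1", "clerk-pass"), "demographics_only"),
         "dr_lee": (b"s2", _pw(b"s2", "lee-pass"), "full_minus_sensitive")}
WATERMARK_KEY = secrets.token_bytes(32)  # provider-held key for tracing leaked copies

class RecordServer:
    def __init__(self):
        self.audit = []   # every access request is logged, granted or not
        self.keys = {}    # one-time access keys: handle -> (user, sections)

    def authenticate(self, user, password):
        # Check credentials in constant time; on success issue a single-use key.
        entry = USERS.get(user)
        ok = entry is not None and hmac.compare_digest(_pw(entry[0], password), entry[1])
        self.audit.append(("auth", user, ok))
        if not ok:
            return None
        handle = secrets.token_hex(16)
        self.keys[handle] = (user, TIERS[entry[2]])
        return handle

    def view(self, handle):
        # Release the authorised view once; the key is destroyed on use, so a
        # second view with the same handle requires reauthentication.
        if handle not in self.keys:
            self.audit.append(("view", handle, "denied"))
            return None
        user, sections = self.keys.pop(handle)
        view = {s: RECORD[s] for s in sections}
        self.audit.append(("view", user, sections))
        payload = json.dumps(view, sort_keys=True)
        # Watermark: a keyed MAC over recipient + content ties the copy to the user.
        tag = hmac.new(WATERMARK_KEY, f"{user}|{payload}".encode(), "sha256").hexdigest()
        return {"issued_to": user, "data": view, "watermark": tag}

def trace_leak(copy):
    # Verify a leaked copy's watermark; returns the recipient it was issued to, or None.
    payload = json.dumps(copy["data"], sort_keys=True)
    tag = hmac.new(WATERMARK_KEY, f"{copy['issued_to']}|{payload}".encode(), "sha256").hexdigest()
    return copy["issued_to"] if hmac.compare_digest(tag, copy["watermark"]) else None
```

A copy whose `issued_to` field has been altered no longer verifies, so a holder cannot shift blame to another recipient without the provider's watermark key; stripping the watermark entirely remains possible, which is the residual risk the text acknowledges.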

An obvious extension of these ideas would be to use rights management inside organizations as well, to enforce organizational policy on data collection, access, and dissemination. For example, an organization could use rights management tools to ensure that clinical data cannot be collected or aggregated even by internal staff except with the approval of

Copyright © National Academy of Sciences. All rights reserved.