eHealth Platforms for Personal Health: Model-based ... - ICMCC

eHealth Platforms for Personal Health: Model-based ... - ICMCC

eHealth Platforms for Personal Health:

Model-based Analysis and Design of Advanced

Security and Privacy Services

ICMCC 2010 Tutorial

Bernd BLOBEL 1

eHealth Competence Center, Regensburg University Hospital, Regensburg, Germany

Abstract. The tutorial is based on long term international lecturing experiences at

university level as well as common efforts performed in the EFMI WG “Security,

Safety and Ethics (SSE)” and EFMI WG “Electronic Health Records (EHR)”. It

addresses requirements and solutions for secure, reliable, trustworthy Health Information

Systems (HIS) and Health Networks (HN) reflecting results of several

international and European standards and projects but also related national and regional

activities. It aims at providing a platform for information/discussion on legal,

social, behavioral, organizational, and technical aspects/implications for

trustworthy Health Telematics. The tutorial provides a comprehensive overview on

security threats, risks, and, in particular, solutions in modern distributed Health Information

Systems including Health Networks aiming at communication and application

security. A special focus will be put on formally modeling security and

privacy services embedded in advanced systems' architectures. Taking the recent

developments in European countries and beyond into account, personalized portable

devices including cards will play an increasing role in providing IT-based

health services. Devices for citizens/patients and for health professionals will

change procedures and lead to new ones. Such devices can allow for a better privacy

and safety strategies. Thus, patients’ and professionals’ empowerment, involvement,

and integration into treatment and care processes are keys to be addressed

in this tutorial. As special part, biometrics and ID management will be discussed.

Objectives of the Tutorial

The tutorial concerns requirements and solutions for secure, reliable, and trustworthy

future-proof Health Information Systems and international Health Networks thereby

reflecting the results of several international and European standards as well as European

research and best practice projects but also related activities on a national or even

regional scale. It provides a platform for advanced information and discussion of legal,

social, behavioral, organizational, and underlying technical aspects and implications for

Internet-based trustworthy health telematics and eHealth. Furthermore, the exploitation

of results to wards personalized health service provision (pHealth) including related

standardization issues is highlighted.

1 Corresponding Author: Bernd Blobel, PhD, Associate Professor; eHealth Competence Center, Regensburg

University Hospital; Franz-Josef-Strauss-Allee 11, D-93042 Regensburg, Germany; Email:; URL:

Structure of the Tutorial

Besides an introduction covering the objectives of the tutorial as well as explaining

specific legal, ethical, organizational, functional and technical challenges, threats and

risks in modern Health Information Systems, some basics of cryptography are explained,

followed by a presentation of system security services and mechanisms.

Among others, solutions for a secure HL7 communication according to user requirements

and for a strong user authentication within the EDI security framework are introduced.

A special part of the tutorial introduced in the methodology of formal security

modeling, privilege management and access control as well as related international

standards and practically implemented policies. Eventually, issues concerning specifics

of TTP technical frameworks including personalized devices according to legal requirements

will be presented. The tutorial ends with a summary giving conclusions and

recommendations for nowadays Health Information Systems and Health Networks.

Content of the Tutorial

Requirements for future-proof information systems

Systems, information cycle, models, constraint modeling

EU eHealth strategy and infrastructural services

Challenge of ethics and the ethical principles

Legal and ethical challenges for security, safety and quality in health information


Relevant EU legislation and important equivalent national legislation (e.g. USA)

Dimensions of security and relevant security standards

Organizational aspects of security, safety and quality

Security, safety and quality concerns of different stakeholder groups

Secure EHR communication

Policies, policy statements, policy negotiation, policy bridging

System analysis, design and implementation, unified processes

The Generic Component Model, formal models, and the PMAC example

Security-related knowledge representation, KR languages, constraint modeling

Practical solutions: Communication and application security

Practical solutions: Security infrastructure and infrastructural services

Expected Results

The tutorial will provide well-balanced content with regard to the activities’ starting

points, the main goals and the way how to achieve success within the general framework

of international initiatives. The instructors will provide important project results

both from the medical and the industrial point of view including important legal and

social results as an input for the ongoing legislation process. The focus will also include

practical experiences in using the results of several projects, initiatives, and

standards for real-life Health Information Systems and Health Networks.

Potential Participants

Informaticians and computer scientists, medical doctors and technicians intended or

engaged to, or responsible for, analysis, design, implementation, and use of distributed

health information systems and health networks including Internet should attend. The

tutorial provides a well-defined combination of about 50% basics and another 50% of

enhanced knowledge and understanding of security issues for non-specialists. Besides a

general understanding for health IT processes, there are no other prerequisites.

Tutor: Bernd Blobel, PhD, Associate Professor, Head of the German eHealth Competence

Center in Regensburg, Fellow of the American College for Medical Informatics

The tutor has been partner and national coordinator in several EU projects within EU

Frameworks like Information Society Technology Programme (IST) and Information

Society Initiatives for Standards (ISIS) Programme funded by the European Commission.

In detail, such projects are ISHTAR, TrustHealth, HARP, RESHEN, and Bio-

Health. Bernd Blobel is Chair of the German Health Informatics Standards Body and

Head of the German Delegation to ISO TC 215 and CEN TC 251, but also Chair of

HL7 Germany. He is chair/co-chair of several international and German working

groups dealing with security, EHR and system architecture in health care as, e.g., the

EFMI Working Groups "Security Safety and Ethics" and "Electronic Health Records",

the German Medical Informatics Association WG “Standards for Interoperability and

EHR”, and the German Data Ombudsmen Association WG "Data Protection and Data

Security in Healthcare and Welfare". He is Fellow of the American College of Medical


Selected References

[1] Bake C, Blobel B, Münch P (Hrsg.): Handbuch Datenschutz und Datensicherheit im Gesundheits- und

Sozialwesen, 3. überarbeitete und erweiterte Auflage. DATAKONTEXT-FACHVERLAG GmbH,

Frechen 2009. (in German)

[2] Blobel B, Nordberg R, Davis JM, Pharow P (2006) Modelling privilege management and access

control. International Journal of Medical Informatics 75, 8 (2006) pp. 597-623.

[3] Blobel B (2006) Advanced and secure architectural EHR approaches. International Journal of Medical

Informatics 75, 3-4 (2006) pp. 185-190.

[4] Pharow P, Blobel B (2005) Electronic signatures for long-lasting storage purposes in electronic archives.

International Journal of Medical Informatics 74, 2-4, March 2005, pp. 279-287.

[5] Blobel B, Davis JM (2005) Chapter 11: HealthePeople Security Architecture. In: Demetriades JE,

Kolodner RM, Christopherson GA (Edrs.): Person-Centred Health Records – Towards HealthePeople,

pp 147-168. Health Informatics Series. Springer, New York.

[6] Blobel B (2004) Authorisation and Access Control for Electronic Health Record Systems. International

Journal of Medical Informatics 73 (2004) pp. 251-257.

[7] Blobel B, Hoepner P, Joop R, Karnouskos S, Kleinhuis G, Stassinopoulos G (2003) Using a privilege

management infrastructure for secure web-based e-health applications. Computer Communications 26

(2003), pp. 1863-1872.

[8] Blobel B: Analysis, Design and Implementation of Secure and Interoperable Distributed Health Information

Systems. Series “Studies in Health Technology and Informatics” Vol. 89. IOS Press, Amsterdam


[9] Allaert F-A, Blobel B, Louwerse K and Barber B (Edrs.): Security Standards for Healthcare Information

Systems – A Perspective from the EU ISIS MEDSEC Project. Series “Studies in Health Technology

and Informatics” Vol. 69. IOS Press, Amsterdam 2002.

[10] Blobel B, Roger-France F (2001) A Systematic Approach for Analysis and Design of Secure Health

Information Systems. International Journal of Medical Informatics 62 (3), 51-78.

[11] The ISHTAR Consortium (Edr.):Implementing Secure Health Telematics Applications in Europe.

Series “Studies in Health Technology and Informatics” Vol. 66. IOS Press, Amsterdam 2001.

More magazines by this user
Similar magazines