Ph.D. Defense of Dissertation: Daisuke Mashima
Ph.D. Defense of Dissertation Announcement
Title: Safeguarding Health Data with Enhanced Accountability and Patient Awareness
School of Computer Science
College of Computing
Georgia Institute of Technology
Date: Friday, July 20, 2012
Time: 10:00 AM - 12:00 PM
Location: Klaus 3126 (GTISC War Room)
Committee: (Listed in alphabetical order)
- Prof. Mustaque Ahamad, School of Computer Science (Advisor)
- Prof. Douglas M. Blough, School of Electrical & Computer Engineering
- Prof. Mark Braunstein, School of Computer Science and Health Systems Institute
- Prof. Wenke Lee, School of Computer Science
- Prof. Ling Liu, School of Computer Science
Several factors are driving the transition from paper-based health records to electronic health record systems. In the United States, the adoption rate of electronic health record systems increased significantly after the "Meaningful Use" incentive program started in 2009. While increased use of electronic health record systems could improve the efficiency and quality of healthcare services, it can also lead to a number of security and privacy issues, such as identity theft and healthcare fraud. Such incidents could have a negative impact on the trustworthiness of electronic health record technology itself and thereby limit its benefits.
In this dissertation, we tackle three challenges that we believe are important for improving security and privacy in electronic health record systems. Our approach is based on an analysis of real-world incidents, namely theft and misuse of patient identity, unauthorized usage and update of electronic health records, and threats from insiders in healthcare organizations. Our contributions include the design and development of a user-centric monitoring agent system that works on behalf of a patient (i.e., an end user) and securely monitors usage and update of the patient's identity credentials as well as access to her electronic health records. Such a monitoring agent can enhance the patient's awareness and control and improve accountability for health records even in a distributed, multi-domain environment, which is typical of an e-healthcare setting. This reduces the risk and loss caused by misuse of stolen data. In addition to this solution from the patient's perspective, we also propose a secure system architecture that healthcare organizations can use to enable robust auditing and management of client devices, further enhancing patients' confidence in the secure use of their health data. In sum, our contributions in this dissertation are:
(1) A user-centric monitoring agent system for identity credentials and electronic health records that are stored, consumed, and shared in a distributed, multi-domain e-healthcare system.
(2) A scheme and associated protocols to enable patient-centric, actionable information accountability of electronic health records.
(3) A secure design of an e-healthcare system architecture and client-device enhancements to counter insider threats, malware, and physical device theft.
The prototype implementations of these systems and the results of their performance evaluation are presented. We also discuss how our system can be incorporated into state-of-the-art health information sharing mechanisms, including the Nationwide Health Information Network (NHIN), to safeguard health data throughout its lifetime. By presenting a detailed design and a proof-of-concept prototype, this dissertation demonstrates that it is possible to establish accountability and support patient awareness and control in a large-scale, distributed, multi-domain environment in order to safeguard sensitive health data.