Security challenges in integration of a PHR-S into a standards based national EHR.

Health related data provided by patients themselves is expected to play a major role in future healthcare. Data from personal health devices, vaccination records, health diaries or observations of daily living, for instance, is stored in personal health records (PHR) which are maintained by personal health record systems (PHR-S). Combining this information with medical records provided by healthcare providers in electronic health records (EHR) is one of the next steps towards "personal care". Austria currently sets up a nationwide EHR system that incorporates all healthcare providers and is technically based on international standards (IHE, HL7, OASIS, ...). Looking at the expected potential of merging PHR and EHR data it is worth to analyse integration approaches. Although knowing that an integration requires the coordination of processes, information models and technical architectures, this paper specifically focuses on security issues by evaluating general security requirements for a PHR-S (based on HL7 PHR-S FM), comparing them with the information security specifications for the Austrian's national EHR (based on ISO/IES 27000 series) and identifying the main challenges as well as possible approaches.

Concepts for a standard based cross-organisational information security management system in the context of a nationwide EHR.

Working with health related data necessitates appropriate levels of security and privacy. Information security, meaning ensuring confidentiality, integrity, and availability, is more organizational, than technical in nature. It includes many organizational and management measures, is based on well-defined security roles, processes, and documents, and needs permanent adaption of security policies, continuously monitoring, and measures assessment. This big challenge for any organization leads to implementation of an information security management system (ISMS). In the context of establishing a regional or national electronic health record for integrated care (ICEHR), the situation is worse. Changing the medical information exchange from on-demand peer-to-peer connections to health information networks requires all organizations participating in the EHR system to have consistent security levels and to follow the same security guidelines and rules. Also, the implementation must be monitored and audited, establishing cross-organizational information security management systems (ISMS) based on international standards. This paper evaluates requirements and defines basic concepts for an ISO 27000 series-based cross-organizational ISMS in the healthcare domain and especially for the implementation of the nationwide electronic health record in Austria (ELGA).