E-prescription as a tool for improving services and the financial viability of healthcare systems: the case of the Greek national e-prescription system.

E-prescription systems can help improve patient service, safety and quality of care. They can also help achieve better compliance for the patients and better alignment with the guidelines for the practitioners. The recently implemented national e-prescription system in Greece already covers approximately 85% of all prescriptions prescribed in Greece today (approximately 5.5 million per month). The system has not only contributed already in significant changes towards improving services and better monitoring and planning of public health, but also substantially helped to contain unnecessary expenditure related to medication use and improve transparency and administrative control. Such issues have gained increasing importance not only for Greece but also for many other national healthcare systems that have to cope with the continuous rise of medication expenditure. Our implementation has, therefore, shown that besides their importance for improving services, national e-prescription systems can also provide a valuable tool for better utilisation of resources and for containing unnecessary healthcare costs, thus contributing to the improvement of the financial stability and viability of the overall healthcare system.

The new Greek national e-prescription system: an effective tool for improving quality of care and containing medication costs.

The national e-prescription system of Greece was first introduced in 2010 and already covers more than 80% of all prescriptions prescribed today (more than 5 million per month). Its introduction provided a powerful tool for improving patient services and public health planning. The system is also already a valuable source of planning, control and transparency data for the Greek healthcare system. In addition, the experience from its application at national level in Greece has also shown that e-Prescription systems can also provide a very useful tool for better administrative control and for containing unnecessary expenditure related to medication use.

Programming secure mobile agents in healthcare environments using role-based permissions.

The healthcare environment consists of vast amounts of dynamic and unstructured information, distributed over a large number of information systems. Mobile agent technology is having an ever-growing impact on the delivery of medical information. It supports acquiring and manipulating information distributed in a large number of information systems. Moreover is suitable for the computer untrained medical stuff. But the introduction of mobile agents generates advanced threads to the sensitive healthcare information, unless the proper countermeasures are taken. By applying the role-based approach to the authorization problem, we ease the sharing of information between hospital information systems and we reduce the administering part. The different initiative of the agent's migration method, results in different methods of assigning roles to the agent.

Developing a Public Key Infrastructure for a secure regional e-Health environment.

OBJECTIVES: Internet technologies provide an attractive infrastructure for efficient and low cost communications in regional health information networks. The advantages provided by the Internet come however with a significantly greater element of risk to the confidentiality and integrity of information. This is because the Internet has been designed primarily to optimize information sharing and interoperability, not security. The main objective of this paper is to propose the exploitation of public-key cryptography techniques to provide adequate security to enable secure healthcare Internet applications. METHODS: Public-key cryptography techniques can provide the needed security infrastructure in regional health networks. In the regional health-care security framework presented in this paper, we propose the use of state-of-art Public Key Infrastructure (PKI) technology. Such on e-Health PKI consists of regional certification authorities that are implemented within the central hospitals of each region and provide their services to the rest of the healthcare establishments of the same region. RESULTS: Significant experience in this area has been gained from the implementation of the PKI@AUTH project. CONCLUSIONS: The developed PKI infrastructure already successfully provides its security services to the AHEPA university hospital. The same infrastructure is designed to easily support a number of hospitals participating in a regional health information network.

Integrating the lightweight authentication protocol (LAP) with access control mechanisms in wireless health care information systems.

Health information networks are expected to support information exchange that is authentic, accurate, private and available when, where and to whom is needed. With the increase of the shared medical information and resources in healthcare wireless information systems, unauthorized access to the information by illegal users also increases. The security of the transmitted information is a vital issue. In this paper, we report on the development of the Lightweight Authentication Protocol (LAP), which makes a mobile and distributed system more secure and flexible and we implement it in a Health Care Environment where the clinicians use mobile and wireless devices like PDAs. We also provide an indicative example of integrating the LAP with access control mechanisms. Context-based Team Access Control (C-TMAC) model is used in this example, since it provides great flexibility on user-permissions management in collaborative healthcare environments. LAP is indeed capable to support efficiently the advanced authorization procedures of such demanding active security models.

Security of medical multimedia.

The application of information technology to health care has generated growing concern about the privacy and security of medical information. Furthermore, data and communication security requirements in the field of multimedia are higher. In this paper we describe firstly the most important security requirements that must be fulfilled by multimedia medical data, and the security measures used to satisfy these requirements. These security measures are based mainly on modern cryptographic and watermarking mechanisms as well as on security infrastructures. The objective of our work is to complete this picture, exploiting the capabilities of multimedia medical data to define and implement an authorization model for regulating access to the data. In this paper we describe an extended role-based access control model by considering, within the specification of the role-permission relationship phase, the constraints that must be satisfied in order for the holders of the permission to use those permissions. The use of constraints allows role-based access control to be tailored to specifiy very fine-grained and flexible content-, context- and time-based access control policies. Other restrictions, such as role entry restriction also can be captured. Finally, the description of system architecture for a secure DBMS is presented.

Access control based on attribute certificates for medical intranet applications.

BACKGROUND: Clinical information systems frequently use intranet and Internet technologies. However these technologies have emphasized sharing and not security, despite the sensitive and private nature of much health information. Digital certificates (electronic documents which recognize an entity or its attributes) can be used to control access in clinical intranet applications. OBJECTIVES: To outline the need for access control in distributed clinical database systems, to describe the use of digital certificates and security policies, and to propose the architecture for a system using digital certificates, cryptography and security policy to control access to clinical intranet applications. METHODS: We have previously developed a security policy, DIMEDAC (Distributed Medical Database Access Control), which is compatible with emerging public key and privilege management infrastructure. In our implementation approach we propose the use of digital certificates, to be used in conjunction with DIMEDAC. RESULTS: Our proposed access control system consists of two phases: the ways users gain their security credentials; and how these credentials are used to access medical data. Three types of digital certificates are used: identity certificates for authentication; attribute certificates for authorization; and access-rule certificates for propagation of access control policy. Once a user is identified and authenticated, subsequent access decisions are based on a combination of identity and attribute certificates, with access-rule certificates providing the policy framework. CONCLUSIONS: Access control in clinical intranet applications can be successfully and securely managed through the use of digital certificates and the DIMEDAC security policy.

A framework for an institutional high level security policy for the processing of medical data and their transmission through the Internet.

BACKGROUND: The Internet provides many advantages when used for interaction and data sharing among health care providers, patients, and researchers. However, the advantages provided by the Internet come with a significantly greater element of risk to the confidentiality, integrity, and availability of information. It is therefore essential that Health Care Establishments processing and exchanging medical data use an appropriate security policy. OBJECTIVE: To develop a High Level Security Policy for the processing of medical data and their transmission through the Internet, which is a set of high-level statements intended to guide Health Care Establishment personnel who process and manage sensitive health care information. METHODS: We developed the policy based on a detailed study of the existing framework in the EU countries, USA, and Canada, and on consultations with users in the context of the Intranet Health Clinic project. More specifically, this paper has taken into account the major directives, technical reports, law, and recommendations that are related to the protection of individuals with regard to the processing of personal data, and the protection of privacy and medical data on the Internet. RESULTS: We present a High Level Security Policy for Health Care Establishments, which includes a set of 7 principles and 45 guidelines detailed in this paper. The proposed principles and guidelines have been made as generic and open to specific implementations as possible, to provide for maximum flexibility and adaptability to local environments. The High Level Security Policy establishes the basic security requirements that must be addressed to use the Internet to safely transmit patient and other sensitive health care information. CONCLUSIONS: The High Level Security Policy is primarily intended for large Health Care Establishments in Europe, USA, and Canada. It is clear however that the general framework presented here can only serve as reference material for developing an appropriate High Level Security Policy in a specific implementation environment. When implemented in specific environments, these principles and guidelines must also be complemented by measures, which are more specific. Even when a High Level Security Policy already exists in an institution, it is advisable that the management of the Health Care Establishment periodically revisits it to see whether it should be modified or augmented.

Development of an Internet Security Policy for health care establishments.

The Internet provides unprecedented opportunities for interaction and data sharing among health care providers, patients and researchers. However, the advantages provided by the Internet come with a significantly greater element of risk to the confidentiality and integrity of information. This paper defines the basic security requirements that must be addressed in order to use the Internet to safely transmit patient and/or other sensitive Health Care information. It describes a suitable Internet Security Policy for Health Care Establishments and provides the set of technical measures that are needed for its implementation. The proposed security policy and technical approaches have been based on an extensive study of the related recommendations from the security and standard groups both in EU amid USA and our related work and experience. The results have been utilized in the framework of the Intranet Health Clinic project, where the use of the Internet for the transmission of sensitive Health Care information is of vital importance.

Implementing security on a prototype hospital database.

This paper describes the methodology used and the experience gained from the application of a new secure database design approach and database security policy in a real life hospital environment. The applicability of the proposed database security policy in a major Greek general hospital is demonstrated. Moreover, the security and quality assurance of the developed prototype secure database is examined, taking into consideration the results from the study of the user acceptance.

Security of medical image databases.

Medical images are an integral and indispensable part of health care information systems. Because of the critical nature of image information and stringent privacy requirements in medical environments, the medical images database systems must provide reasonable safeguards to assure confidentiality, integrity and availability of images to be deployable. In this paper we address mainly the confidentiality issues. Only authorized users should have for example access to medical images. Access to images is usually based on certain security constraints. Security constraints processing is a widely used mechanism for obtaining the appropriate level of the security required in traditional (non-multimedia) database systems. However, the security constraints processing in multimedia environments possess a number of interesting problems. In this paper we address the advantages and problems of using content-based security constraints on medical image databases. We also propose a methodology for the integration of security constraints into medical image databases, taking into account the true multimedia nature of the medical images (e.g. the content of the medical images).

Secure medical databases: design and operation.

Medical database security plays an important role in the overall security of medical information systems. The development of appropriate secure database design and operation methodologies is an important problem in the area and a necessary prerequisite for the successful development of such systems. The general framework for medical database security and a number of parameters of the secure medical database design and operation problem are presented and discussed. A secure medical database development methodology is also presented which could help overcome some of the problems currently encountered.

EDI system definition for a European medical device vigilance system.

EDI is expected to be the dominant form of business communication between organizations moving to the Electronic Commerce era of 2000. The healthcare sector is already using EDI in the hospital supply function as well as in the clinical area and the reimbursement process. In this paper, we examine the use of EDI in the healthcare administration sector and more specifically its application to the Medical Device Vigilance System. Firstly, the potential of this approach is examined, followed by the definition of the EDI System Reference Model and the specification of the required system architecture. Each of the architecture's components are then explained in more detail, followed by the most important implementation options relating to them.

Cardiological database management system as a mediator to clinical decision support.

An object-oriented medical database management system is presented for a typical cardiologic center, facilitating epidemiological trials. Object-oriented analysis and design were used for the system design, offering advantages for the integrity and extendibility of medical information systems. The system was developed using object-oriented design and programming methodology, the C++ language and the Borland Paradox Relational Data Base Management System on an MS-Windows NT environment. Particular attention was paid to system compatibility, portability, the ease of use, and the suitable design of the patient record so as to support the decisions of medical personnel in cardiovascular centers. The system was designed to accept complex, heterogeneous, distributed data in various formats and from different kinds of examinations such as Holter, Doppler and electrocardiography.

Security aspects for medical device vigilance information exchange.

The implementation of appropriate security mechanisms for an effective and efficient medical device vigilance information exchange is very important, as the system handles sensitive information. These mechanisms have to be designed in such a way that they maintain confidentiality, integrity and availability of the data of medical devices. In this paper the security aspects of the information exchange on medical device vigilance is examined in detail.

Design and implementation of secure medical database systems.

Medical database security plays an important role in the overall security of medical information systems and networks. This is both because of the nature of this technology and its widespread use today. Database security not only involves fundamental ethical principles, but also essential prerequisites for effective medical care. The development of appropriate secure medical database design and implementation methodologies is an important research problem in the area and a necessary prerequisite for the successful development of such systems. The general framework and requirements for medical database security are given and a number of parameters of the secure medical database design and implementation problem are presented and discussed in this paper. A secure medical database development methodology is also presented which could help overcome some of the problems currently encountered.

An integrated secure design of a medical database system.

An integrated secure design methodology for the enhancement of database security in a hospital environment is presented in this paper. The proposed design methodology is based on both the discretionary and the mandatory database security policies. In this way, the advantages of both approaches are combined to enhance medical database security. The experimental implementation of the methodology in a major Greek hospital is also presented. The implementation has shown that the combined discretionary and mandatory security enforcement effectively limits unauthorized access to the medical database, without severely restricting the capabilities of the system.

Enhancing medical database security.

A methodology for the enhancement of database security in a hospital environment is presented in this paper which is based on both the discretionary and the mandatory database security policies. In this way the advantages of both approaches are combined to enhance medical database security. An appropriate classification of the different types of users according to their different needs and roles and a User Role Definition Hierarchy has been used. The experience obtained from the experimental implementation of the proposed methodology in a major general hospital is briefly discussed. The implementation has shown that the combined discretionary and mandatory security enforcement effectively limits the unauthorized access to the medical database, without severely restricting the capabilities of the system.