An example of an electronic record system can be found in electronic health record systems. Electronic health record systems use computer memory stores to retain information relating generally to the healthcare and medical episodes of patients. Users of electronic health record systems include patients, primary care doctors, clinical specialists, hospital doctors, acute care nurses, community nurses, medical researchers, healthcare managers, healthcare policy analysts, and agents of health insurance companies. Electronic health record systems bring a range of benefits to patients, to authorised users and to healthcare systems generally. These benefits include easier and/or faster access to important healthcare information at the point of clinical care where treatment is being delivered to patients, improved clinical outcomes resulting from better quality information being available at the point of clinical care, less frequent re-admissions to hospital as a result of better information being available to primary healthcare providers, reduced costs associated with the gathering of redundant clinical information, reduced costs associated with re-keying of clinical information from paper records, and enhanced quality of healthcare across the entire healthcare system resulting from continuous improvement to treatment modalities made possible by accumulated performance data.
Electronic health record systems generally require patients to be unambiguously identified so that authorised users with a legitimate interest in a given patient may reliably access information pertaining to that patient and to that patient alone.
It will be appreciated by persons skilled in the field of electronic health record systems that the systems can generally be constructed in a range of ways in respect of the degree of centralization of the component data items that together constitute the whole of a given person's electronic health record. It is possible to construct an electronic health record system where all component data items relating to each patient (or a significant majority of the component data items relating to each patient) are stored within a substantially single centralized computer memory store. Alternatively, it is possible to construct an electronic health record system where component data items relating to each patient are stored separately within a plurality of different decentralised computer memory stores. Users of decentralised electronic health record systems may be provided with search engine computer software which may automatically locate data items pertaining to a given patient wherever the records are located across the plurality of computer memory stores, and additional computer software which may subsequently collate, process and/or present to the user information from the component data items.
Whether an electronic health record system is constructed to use centralized memory storage or to use decentralised memory storage, it remains an important requirement that each patient be unambiguously identified.
Electronic health record systems generally include an access control function which serves to restrict the type of information, amount of information and/or degree of detail of information made available to different types of users. As is generally understood by those skilled in the field of electronic health records, different types of users have different needs in respect of the information they are entitled to exchange with an electronic health record system. Certain users may be authorised to write new information into the electronic health record of a given patient or to modify existing information relating to a patient, while other users may only be authorised to read information without modifying the information. Further, information retrieved from an electronic health record system may be ‘de-identified’ before being made available to a user, depending on the type of user who requested the information. The term ‘de-identified’ refers to patient data from which the accompanying identifying information has been removed, that identifying information being what would otherwise enable the patient to be associated with the data.
In general, authorised healthcare providers with a direct clinical interest in a patient may be entitled to access identifiable patient information pertaining to that patient from an electronic health record. The authorised healthcare providers may include primary care doctors, hospital doctors, specialist doctors, acute care nurses, community care nurses, medical diagnosticians, and allied health workers. Non-clinical health system workers with no direct clinical interest in patients may nevertheless have legitimate interests in de-identified electronic health records for purposes such as population health research, epidemiological investigation, compilation of evidence as to the efficacy of given healthcare protocols, and analysis of cost-benefit data across health systems. The non-clinical health system workers could include academic researchers, public policy analysts, authorised civil servants from public health systems, human resources professionals, and authorised administrators of healthcare institutions. The access control function of an electronic health record may be designed to include a categorization scheme for authorised users to be applied when processing requests from users to access information within the electronic health record system.
Health authorities generally issue members of the public with unique health system identification numbers. Such identification numbers are conventionally printed on the surface of a health system identification card (referred to herein as a Health ID Card) together with the name of the person to whom the identification number has been issued (referred to herein as a Card Holder). Different health systems make use of different types of card technologies to convey health system identification numbers, including paper, cardboard or plastic cards. Plastic Health ID Cards may additionally feature magnetic stripe memory storage and/or integrated circuit memory storage. The additional memory storage may be used to store the name of the Card Holder, the health system identification number of the Card Holder and/or other Card Holder information. Information stored in magnetic stripe memory or integrated circuit memory is more readily entered into healthcare computer systems with which the Health ID Card may be used, at the time and place in which healthcare services are provided.
Health ID Cards may be issued and distributed by government authorities and used widely across national health systems. National Health ID Card systems are known in relation to the management of public health insurance entitlements and payments. Independent Health ID Card systems may additionally be created by commercial organizations such as private health insurers, by regional or local government healthcare authorities, and/or by healthcare institutions such as hospitals.
In order to maximise patient privacy in the design of electronic health record systems, it is desirable to minimise the amount of identifiable personal information which is contained in each component data item of the electronic health record. Yet the need to index patient information generally requires that some type of record pointer information uniquely linked to the identity of the patient be stored within each component data item pertaining to that patient. It has been recognised by the present inventor that this design requirement leads to a potential problem, where if an unauthorised person obtains access to an electronic health record and additionally has knowledge of the linkage between patients' identities and their respective record pointer values, then the unauthorised person can readily match component data items from the electronic health record with the identities of patients, thus inappropriately identifying healthcare information which is intended to remain private and confidential.
The relatively high level of familiarity and widespread availability of many existing Health ID Card systems may appear to make them attractive options for indexing electronic health records. However, it has now been recognised that the re-use of existing health system identification numbers as pointers to index electronic health records can cause problems in respect of privacy. Health system identification numbers as printed on Health ID Cards become known to indeterminate numbers of people through the normal use and visual sightings of the cards over time in the healthcare system. Unscrupulous persons may make illicit copies of patients' names together with matching health system identification numbers. Under these circumstances any electronic health record system which utilises health system identification numbers as pointers to index patient information will be vulnerable to unauthorised access by persons with knowledge of patient information from Health ID Cards. Thus, existing health system identification numbers and Health ID Cards should not be used without significant modification as a method to more securely index patient information in an electronic health record.
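The following is an added illustration of the indexing problem just described (example code, not part of the patent and not the inventor's method): a record pointer that simply re-uses the number printed on the Health ID Card can be matched from card sightings alone, whereas a pointer derived from that number under a secret index key held only by the record system cannot. The card data, the key and the HMAC-based derivation are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed sample of names and numbers as copied from the face of Health ID Cards.
var cardSightings = map[string]string{
	"Alice Example": "HS-1000-0001",
	"Bob Example":   "HS-1000-0002",
}

// naivePointer re-uses the printed identification number as the record pointer.
func naivePointer(healthID string) string { return healthID }

// derivedPointer keys the pointer on a secret held only by the record system (a
// hypothetical modification, not the patent's own method): without indexKey the
// number on the card does not reveal which data items belong to the patient.
func derivedPointer(indexKey []byte, healthID string) string {
	mac := hmac.New(sha256.New, indexKey)
	mac.Write([]byte(healthID))
	return hex.EncodeToString(mac.Sum(nil))
}

// linkable counts how many record pointers a person holding only the card
// sightings (and no index key) can match back to a named patient.
func linkable(pointers []string) int {
	known := map[string]bool{}
	for _, id := range cardSightings {
		known[naivePointer(id)] = true
	}
	n := 0
	for _, p := range pointers {
		if known[p] {
			n++
		}
	}
	return n
}

func main() {
	key := []byte("constructed-index-key-kept-off-the-card")
	naive := []string{naivePointer("HS-1000-0001"), naivePointer("HS-1000-0002")}
	keyed := []string{derivedPointer(key, "HS-1000-0001"), derivedPointer(key, "HS-1000-0002")}
	fmt.Println("linkable from card data: raw", linkable(naive), "keyed", linkable(keyed)) // raw 2 keyed 0
}
```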
While such problems have been described with reference to electronic health records, similar problems exist in many other electronic record systems, such as passport identification data systems. The term “electronic passport” refers to recent developments where conventional passports are made more resistant to forgery, and more useful for border surveillance, by the inclusion of a microchip and a communications interface, typically wireless. The microchip contains information about the passport holder, such as a biometric template. When the passport holder passes through an immigration checkpoint, information is retrieved from the microchip by a customs officer using a workstation, and compared with other information at hand, such as a fresh biometric scan taken from the holder, in order to, amongst other things, confirm they are indeed the person to whom the passport was issued.
Significant security and privacy vulnerabilities arise in some electronic passport designs by virtue of the method used to retrieve information from the passport, and the way that information is formatted. For instance, it may be possible in some designs for information to be retrieved by unauthorised wireless receivers. Information stored within electronic passports is not necessarily encrypted, and may include personal, identifying information, such as name and date of birth.
A further feature of certain electronic record systems is the use of Public Key Infrastructure as a method to authenticate users of the electronic record systems. Public Key Infrastructure refers broadly to the issuance of so-called Public Key Certificates to registered users in a defined transaction system, the usage in software programs of the Public Key Certificates as inputs to verify so-called Digital Signatures which secure electronic transmissions and electronic data records, and the deployment of computer systems and management processes to facilitate the lifecycle maintenance of the Public Key Certificates.
A Public Key Certificate is an electronic document containing in a standardised format at least the following:
- information pertaining to the person or entity to whom the Public Key Certificate is issued (known as the “Certificate Holder”, “Certificate Subject” or “Certificate Subscriber”);
- a copy of an asymmetric cryptographic Public Key assigned to the Certificate Holder;
- information pertaining to the identity of the entity which issued the Public Key Certificate (the issuing entity being known as a “Certification Authority”);
- date and time information defining a Validity Period for the Public Key Certificate; and
- the Digital Signature of the Certification Authority.
A Certification Authority may be assisted by one or more Registration Authorities in respect of the process of issuing Public Key Certificates to Certificate Holders. The Registration Authorities are affiliated with the Certification Authority and verify the identity and eligibility of persons applying to be issued with Public Key Certificates according to identification protocols and other conditions laid down by the Certification Authority. Further, a Certification Authority may publish copies of Public Key Certificates together with other pertinent information in a generally available online repository so that parties to electronic transactions involving Certificate Holders may verify information provided by the Certificate Holders against the information published in the repository.
The phrase Digital Signature refers generally to a computer generated code related to a given digital data item and created through the operation of a cryptographic algorithm on the data item in conjunction with a unique asymmetric cryptographic Private Key to which is linked a unique asymmetric cryptographic Public Key. Verification that a given Digital Signature was in fact created from a given data item may be performed through a further operation of a related cryptographic algorithm on the Digital Signature in conjunction with the asymmetric cryptographic Public Key. Provided the asymmetric cryptographic Private Key is reliably under the control of a Public Key Certificate Holder, a third party is able to reliably ascribe a digitally signed data item to the Public Key Certificate Holder, by being informed of the associated Public Key and verifying a Digital Signature code and the digitally signed data item in conjunction with the Public Key.
An important purpose of Public Key Certificates is therefore to provide to persons using Public Key Infrastructure reliable and widely available evidence of the association between a given Public Key Certificate Holder and their respective asymmetric cryptographic Public Key, and by extension the association between that Certificate Holder and their respective asymmetric cryptographic Private Key.
In certain embodiments of Public Key Infrastructure the usability and security of asymmetric cryptographic Private Keys is enhanced by the storage of the Private Keys under the control of a portable personal computing device, one example of which is that commonly known as a smartcard.
Where Public Key Infrastructure is used within an electronic record system, certain events occurring in the system may be securely recorded with the aid of Digital Signatures of persons associated with the events. In particular where a given authorised user has originated a new data item to be written into the electronic record then the data item may be Digitally Signed by the authorised user. In the particular case of an electronic health record system where a given healthcare provider has originated a new data item pertaining to a given patient to be written into the electronic record, then the data item may be digitally signed by both the healthcare provider and the patient.
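As an added illustration of the Digital Signature operation described above and of the dual-signature case in the preceding paragraph (example code, not from the patent), the block below uses Ed25519 from the Go standard library as the asymmetric algorithm; the Party, SignedItem and DualSign names and the record format are this example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Party is one signer (a healthcare provider or a patient); in a deployed system
// the private key would stay under the control of the holder's smartcard.
type Party struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewParty(name string) (Party, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return Party{Name: name, Pub: pub, priv: priv}, err
}

func (p Party) Sign(data []byte) []byte { return ed25519.Sign(p.priv, data) }

// SignedItem is a constructed record format: the data item plus the Digital
// Signatures of the provider who originated it and of the patient it concerns.
type SignedItem struct {
	Data        []byte
	ProviderSig []byte
	PatientSig  []byte
}

func DualSign(provider, patient Party, data []byte) SignedItem {
	return SignedItem{Data: data, ProviderSig: provider.Sign(data), PatientSig: patient.Sign(data)}
}

// Verify accepts the item only when both signatures check against the public
// keys published for those parties; altered Data or a missing co-signature fails.
func Verify(item SignedItem, providerPub, patientPub ed25519.PublicKey) bool {
	return ed25519.Verify(providerPub, item.Data, item.ProviderSig) &&
		ed25519.Verify(patientPub, item.Data, item.PatientSig)
}

func main() {
	doctor, _ := NewParty("primary care doctor")
	patient, _ := NewParty("patient")
	item := DualSign(doctor, patient, []byte("consultation note (constructed data item)"))
	fmt.Println("accepted:", Verify(item, doctor.Pub, patient.Pub)) // true
	item.Data = append(item.Data, '!')                               // altered after signing
	fmt.Println("accepted after alteration:", Verify(item, doctor.Pub, patient.Pub)) // false
}
```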
However, it has now been recognised that such Public Key Infrastructure poses certain problems in respect of the privacy of persons whose personal information is contained in an electronic record system. In particular where Public Key Certificates are made generally available by Certificate Authorities via repositories it may be possible for unauthorised persons to readily identify Public Key Certificate Holders.
Any discussion of documents, acts, materials, devices, articles or the like which has been included in the present specification is solely for the purpose of providing a context for the present invention. It is not to be taken as an admission that any or all of these matters form part of the prior art base or were common general knowledge in the field relevant to the present invention as it existed before the priority date of each claim of this application.
Throughout this specification the word “comprise”, or variations such as “comprises” or “comprising”, will be understood to imply the inclusion of a stated element, integer or step, or group of elements, integers or steps, but not the exclusion of any other element, integer or step, or group of elements, integers or steps.