There is a growing need for a systematic management of health-related and/or medical data. Diagnostic reports from different hospitals or clinics, prescriptions, medication consumption logs, etc. may be kept securely, and access to such medical data may be made convenient for the user. Such a health data management application may be used, for example, for patients who suffer from chronic diseases and for the elderly, who tend to be forgetful and require assistance in managing their health records. Recently, the concept of a Personal Health Record (PHR) that can be managed by the users themselves has been proposed. Such a PHR can be used for storing and controlling access to the users' health data. Electronic Medical Records (EMR) and Electronic Health Records (EHR) from hospitals can be imported into the user's PHR, allowing ubiquitous access to the user's health data whenever an Internet connection is available.
By default, access to the PHR is only permitted to the users themselves. However, the users can also define an access control list or other access control mechanisms. For example, Julien Künzi, Paul Koster, Milan Petkovic, Emergency Access to Protected Health Records, in K.-P. Adlassnig et al. (Eds.): Medical Informatics in a United and Healthy Europe, MIE 2009, IOS Press, 2009, pp. 705-709, hereinafter: Künzi et al., discloses granting access to a user's family members, friends and relatives. Also, the elderly may delegate the task of managing their medical records by granting full permission to a family member who is more competent. Such pre-defined access control policies fall short when a doctor or ambulance team intends to provide treatment to an unconscious user in an emergency situation. The emergency doctor and the ambulance team will not be able to access the user's PHR because the user is not capable of providing his password, and the access control policy may not allow individuals who are not explicitly authorized to access the data. However, it would be beneficial if some background information about the user's health condition could be provided while he is being treated in the event of an emergency. Research has shown that many fatal errors could have been avoided if the doctor had had access to information about the patient before emergency treatment.
Künzi et al. discloses sending an access request by an emergency doctor, indicating that this is an emergency override. Access is granted and then logged if the requesting entity has the appropriate credentials, i.e., the requesting entity is a certified medical doctor. Subsequently, the access log is used for post-access auditing to determine whether access to the user's health data was legitimate. However, such a mechanism is ineffective, as the user's health data privacy rights have already been infringed by the time a malicious emergency override is detected. Essentially, auditing is a detective measure after the fact, not a preventive measure against malicious access to the PHR.
In an emergency situation, because the user is unconscious, he is not able to provide his password to enable access to the PHR. Thus, this triggers the need for emergency access to the user's PHR. However, it is difficult for the PHR Server to distinguish between a genuine emergency situation and a malicious attempt to access the PHR, because in both cases the user is unavailable.
“Implementing Security And Access Control Mechanisms For An Electronic Healthcare Record”, Frank K. Uckert et al., AMIA 2002 Annual Symposium Proceedings, discloses a system in which the user can provide read access to an emergency subset of his EHR by enabling and defining this within his record. When this feature is enabled, an emergency TAN is created. The combination of web address, username and this emergency TAN, printed on a small wallet card, can be carried by the patient and used by any other person in case of an emergency for this patient. With TANs (transaction numbers), a user is able to give access to parts of his record to anybody for only one session. The principle of the TAN is similar to the one known from international online banking: after one usage the TAN is invalid. A new TAN can be produced by the user whenever necessary.
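To make the contrast between the two prior-art mechanisms concrete, the following is an added example (not code from Künzi et al., Uckert et al., or this disclosure): a hypothetical PHR class in which the owner defines an emergency subset and receives a single-use TAN, while a Künzi-style credentialed override exposes the full record and relies on the audit log alone. The class, its method names and the sample data are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class PersonalHealthRecord:
    """Hypothetical PHR modelling the two emergency-access mechanisms (constructed example)."""
    owner: str
    record: Dict[str, str]
    emergency_subset: Set[str] = field(default_factory=set)
    tan_hash: Optional[str] = None          # only a hash of the TAN is kept server-side
    audit: List[Tuple[str, str, str]] = field(default_factory=list)

    def enable_emergency_access(self, subset) -> str:
        """Owner marks the emergency subset and gets a fresh one-time TAN for the wallet card."""
        self.emergency_subset = set(subset)
        tan = secrets.token_hex(8)          # 64 random bits, shown to the owner once
        self.tan_hash = hashlib.sha256(tan.encode()).hexdigest()
        return tan

    def emergency_read(self, presented_tan: str, requester: str) -> Optional[Dict[str, str]]:
        """Uckert-style: whoever holds the card gets one session on the subset; TAN then expires."""
        if self.tan_hash is None:
            self.audit.append(("denied", requester, "no valid TAN"))
            return None
        digest = hashlib.sha256(presented_tan.encode()).hexdigest()
        if not hmac.compare_digest(digest, self.tan_hash):   # constant-time comparison
            self.audit.append(("denied", requester, "TAN mismatch"))
            return None
        self.tan_hash = None                # single use: a replayed TAN is rejected
        self.audit.append(("granted", requester, "emergency TAN"))
        return {k: v for k, v in self.record.items() if k in self.emergency_subset}

    def override_read(self, requester: str, is_certified_doctor: bool) -> Optional[Dict[str, str]]:
        """Künzi-style: credential check plus log only; the whole record is exposed."""
        if not is_certified_doctor:
            self.audit.append(("denied", requester, "no medical credential"))
            return None
        self.audit.append(("granted", requester, "emergency override, audit post hoc"))
        return dict(self.record)
```

The TAN path limits exposure to the owner-chosen subset and to one session, whereas the override path can only detect misuse afterwards from the audit entries.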