WO2014028035A1 - Encrypted data store for records - Google Patents

Encrypted data store for records Download PDF

Info

Publication number
WO2014028035A1
WO2014028035A1 PCT/US2012/053215 US2012053215W WO2014028035A1 WO 2014028035 A1 WO2014028035 A1 WO 2014028035A1 US 2012053215 W US2012053215 W US 2012053215W WO 2014028035 A1 WO2014028035 A1 WO 2014028035A1
Authority
WO
WIPO (PCT)
Prior art keywords
record
provider
encrypted
key
patient
Prior art date
Application number
PCT/US2012/053215
Other languages
French (fr)
Inventor
Jun Li
Ram Swaminathan
Sharad Singhal
Original Assignee
Hewlett-Packard Development Company, Lp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hewlett-Packard Development Company, Lp filed Critical Hewlett-Packard Development Company, Lp
Priority to AU2012387663A priority Critical patent/AU2012387663B2/en
Priority to CA2882349A priority patent/CA2882349A1/en
Priority to US14/421,759 priority patent/US9940469B2/en
Priority to CN201280076412.2A priority patent/CN104704527A/en
Priority to EP12891380.3A priority patent/EP2885762A4/en
Priority to JP2015527433A priority patent/JP6300800B2/en
Publication of WO2014028035A1 publication Critical patent/WO2014028035A1/en

Links

Classifications

    • GPHYSICS
    • G16INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16HHEALTHCARE INFORMATICS, i.e. INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR THE HANDLING OR PROCESSING OF MEDICAL OR HEALTHCARE DATA
    • G16H10/00ICT specially adapted for the handling or processing of patient-related medical or healthcare data
    • G16H10/60ICT specially adapted for the handling or processing of patient-related medical or healthcare data for patient-specific data, e.g. for electronic patient records
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00Administration; Management
    • G06Q10/10Office automation; Time management
    • GPHYSICS
    • G16INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16HHEALTHCARE INFORMATICS, i.e. INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR THE HANDLING OR PROCESSING OF MEDICAL OR HEALTHCARE DATA
    • G16H10/00ICT specially adapted for the handling or processing of patient-related medical or healthcare data
    • G16H10/40ICT specially adapted for the handling or processing of patient-related medical or healthcare data for data related to laboratory analysis, e.g. patient specimen analysis
    • GPHYSICS
    • G16INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16ZINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS, NOT OTHERWISE PROVIDED FOR
    • G16Z99/00Subject matter not provided for in other main groups of this subclass

Definitions

  • EHRs Electronic Health Records
  • healthcare participants e.g., patients, healthcare providers, payers, and researchers
  • EHRs may facilitate access to healthcare information
  • the sharing of healthcare information may involve many complex technical and legal issues. These issues may be burdensome for healthcare participants that lack the resources and expertise to enable such sharing while ensuring consistency, privacy, and security of the healthcare information.
  • Figure 1 is a block diagram illustrating one embodiment of an electronic health record store processing environment.
  • Figure 2 is a block diagram illustrating one embodiment of a metadata tree and an encrypted data store.
  • Figure 3 is a block diagram illustrating one embodiment of a provider system.
  • Figure 4 is a schematic diagram illustrating one embodiment of storing an encrypted record using a provider key.
  • Figure 5 is a schematic diagram illustrating one embodiment of accessing an encrypted record using a provider key.
  • Figure 6 is a block diagram illustrating one embodiment of a patient system.
  • Figure 7 is a schematic diagram illustrating one embodiment of accessing an encrypted record using a patient key.
  • Figure 8 is a schematic diagram illustrating one embodiment of accessing an encrypted record using a shared key.
  • Embodiments described herein provide an electronic health record (EHR) storage processing environment that enables secure, seamless sharing of EHRs among healthcare participants (e.g., patients, healthcare providers, payers, and researchers).
  • the environment includes an encrypted data store that stores encrypted EHRs of patients and a metadata tree for each patient that provides a mapping to the EHRs of a given patient in the encrypted data store.
  • Each EHR is uniquely encrypted using a patient key, a provider key, and a location corresponding to the EHR in the metadata tree prior to being stored in the encrypted data store.
  • the metadata tree for each patient is visible to healthcare participants, such as healthcare providers, to allow the participants to store and access EHRs of patients.
  • each healthcare provider uses a unique provider key for each patient (referred to herein as K pat ient, provider) that is generated based on a corresponding patient key (referred to herein as K pa tient) of a patient and a provider identifier (referred to herein as provider-id).
  • K pat ient provider
  • provider-id provider identifier
  • the provider then generates a record key (referred to herein Krecord) based on the provider key and the location in the metadata tree, encrypts the EHR using the record key, stores the encrypted EHR in the encrypted data store, and updates the metadata tree to include a reference o the EHR at the determined location.
  • the provider may also generate and share a record key with another healthcare participant to allow the participant to store EHRs on behalf of the provider.
  • a provider accesses the metadata tree for the patient and determines the location that corresponds to the EHR in the metadata tree. If the provider generated the EHR (e.g., if the EHR is one of the provider's records), then the provider accesses the EHR from the encrypted data store, generates the record key based on the provider key and the location of the reference to the EHR in the metadata tree, and decrypts the EHR using the record key. If the provider did not generate the EHR (e.g., if the EHR was generated by another provider), then the provider requests and receives the record key from the other provider or the patient, accesses the EHR from the encrypted data store, and decrypts the EHR using the record key.
  • the provider did not generate the EHR (e.g., if the EHR was generated by another provider)
  • the provider requests and receives the record key from the other provider or the patient, accesses the EHR from the encrypted data store, and decrypts the EHR using the record key.
  • provider and record keys are generated based on patient keys, patients have the ability to access all records from all providers using the metadata tree. Patients, as well as providers that generate EHRs, may share EHRs with other providers by generating the record keys for selected EHRs and providing the record keys to the other providers. The other providers may select EHRs in which to request access using the metadata tree for the patient.
  • the processing environment described herein enables providers from different healthcare institutions to directly store EHRs of a patient in a common data store and provide access to selected EHRs to other providers.
  • the term "healthcare participant” refers to a patient, a healthcare provider, a payer, a researcher, or other suitable person involved in a healthcare process of a patient that generates and / or uses healthcare information corresponding to a patient.
  • patient refers to a person that receives at least one healthcare service from a healthcare provider.
  • healthcare provider also referred to as “provider” refers to a person and / or institution that provides at least one healthcare service to a patient.
  • EHR electronic health record
  • Encrypted electronic health record refers to an electronic health record that has been encrypted with an encryption key such as a record key.
  • patient key refers to an encryption key of a patient.
  • provider key refers to an encryption key that is generated based on a patient key and a provider identifier.
  • record key refers to an encryption key that is generated based on a provider key and a location in a metadata tree of a patient that corresponds to an EHR of the patient.
  • shared key refers to a record key that is provided from a patient to a provider that did not generate a given EHR or from a provider that generated a given EHR to another, unaffiliated provider.
  • metadata refers to a set of information that describes at least one record, such as an electronic health record.
  • metadata tree refers to a set of nodes that include metadata where each node has a specified relationship with at least one other node in the set.
  • FIG. 1 is a block diagram illustrating one embodiment of an electronic health record store processing environment 10.
  • Environment 10 includes a patient system 20, a set of provider systems 30(1 )-30(/W) where M is an integer that is greater than or equal to two, an electronic health record (EHR) manager 40, an electronic health record (EHR) store 50, and a communications network 60.
  • EHR electronic health record
  • EHR manager 40 electronic health record
  • EHR store 50 communicate with one another using communications network 60.
  • Environment 10 may be implemented using any suitable type, number, and configuration of processing systems to form patient system 20, provider systeTM 0 30, EHR manager 40, and EHR store 50 as well as any suitable type, numbe and configuration of communications devices to form communications network 60.
  • Environment 10 provides the ability to create and manage EHRs of patients including a patient 12 that corresponds to patient system 20 (other patients and patient systems not shown).
  • patient 12 interacts with patient system 20 to register with EHR manager 40 using a patient manager 42.
  • Patient manager 42 causes patient information of patient 12 to be received and stored in a patient database 44 and initializes a metadata tree 70 (shown in Figure 2) corresponding to patient 12 in metadata store 56.
  • Patient manager 42 may include portions of the registration information in metadata tree 70 of patient 12 in some embodiments.
  • patient 12 may register in other suitable ways and / or metadata tree 70 for patient 12 may be initialized in other suitable ways.
  • Patient 12 communicates with EHR store 50 using a data access adaptor 24 in patient system 20 to access, store, manage, and share encrypted EHRs 80 of patient 12 (shown in Figure 2).
  • Data access adaptor 24 in patient system 20 to access, store, manage, and share encrypted EHRs 80 of patient 12 (shown in Figure 2).
  • Patient system 20 stores a patient key 22 (K pa tient) that represents an encryption key that is unique to patient 12.
  • Patient 12 may generate or receive patient key 22 using patient system 20.
  • Patient key 22 may also be stored on a smart card or other suitable processing system (not shown) that includes at least one machine-readable storage media.
  • Patient key 22 provides root access to metadata tree 70 of patient 12.
  • Providers interact with corresponding provider systems 30 to register with EHR manager 40 and receive a corresponding provider identifier 31.
  • a provider manager 46 causes provider information of providers to be received and stored in a provider database 48.
  • Provider manager 46 assigns a provider identifier (provider-id) to each provider and stores the provider-ids in provider database 48.
  • provider-id represents informatio that may be used in combination with a patient key to generate a provider key (Kpatient, pro ider) for each patient of the provider.
  • Provider manager 46 may provide provider-ids 31 to provider systems 30 in any suitable way such as by transmitting provider-ids 31 to provider systems 30 using communications network 60.
  • Provider keys for each patient may be generated by patients (e.g., patient 12).
  • patient system 20 or another suitable processing system (not shown) generates a unique provider key 32 for patient 12 based on patient key 22 and a corresponding provider-id 31.
  • patient system 20 generates a provider key 32(1 ) based on patient key 22 and provider-id 31 (1 ) and provides provider key 32(1 ) to provider system 30(1 ) in any suitable secure way such as via a smart card or via
  • patient system 20 generates provider keys 32 for each provider using a cryptographic keyed, one-way hash function that generates provider keys 32 as a function of patient key 22 and corresponding provider-ids 31.
  • other suitable functions may be used to generate provider keys 32 based on patient keys 22 and provider-ids 31 .
  • each provider maintains a single provider key 32 for each patient (e.g., each provider system 30 stores a provider key 32 for patient 12).
  • Provider keys 32 allow a provider to generate encrypted EHRs 80 for patient 12 and store encrypted EHRs 80 in encrypted data store 54.
  • Providers access EHR store 50 using a corresponding data access adaptor 34 to access, store, manage, and share encrypted EHRs 80 of patient 12.
  • Data access adaptor 34 communicates with data access front 52 on EHR store 50 using communications network 60 to access encrypted data store 54, metadata store 56, and audit log 58 in EHR store 50 as described in additional detail below.
  • EHR store 50 encrypted data store 54 stores encrypted EHRs 80 of patient 12 as well as encrypted EHRs of other patients (not shown).
  • Encrypted data store 54 includes any suitable type, number, and / or configuration of machine-readable storage media to store the encrypted EHF Because the EHRs are encrypted and because encrypted data store 54 doe not include encryption keys (i.e., record keys) for the EHRs, encrypted data store 54 does not need to be a trusted data store (e.g., encrypted data store 54 may be owned or operated by one or more untrusted third parties).
  • Encrypted data store 54 includes any suitable type, number, and / or configuration of machine-readable storage media to store the encrypted EHF Because the EHRs are encrypted and because encrypted data store 54 doe not include encryption keys (i.e., record keys) for the EHRs, encrypted data store 54 does not need to be a trusted data store (e.g., encrypted data store 54 may be owned or operated by one or more untrusted third parties).
  • Metadata store 56 includes metadata tree 70 for patient 12 as well as metadata trees of other patients (not shown). As shown in Figure 2, metadata tree 70 represents a hierarchical tree structure with a root node 72, any number of intermediate nodes 74, and a single leaf node 76 for each encrypted EHR 80 where each leaf node 76 stores metadata regarding a corresponding encrypted EHR 80.
  • Root node 72 may include information that identifies patient 12, intermediate nodes 74 represent logical groupings of EHRs (e.g., by provider or by categories of patient information such as treatment conditions) and include information that describes the groupings, and leaf nodes 76 each include a single, unique reference 78 to a corresponding encrypted EHR 80 in encrypted data store 54 as well as information that describes the corresponding encrypted EHRs 80. References 78 may be used to access encrypted EHRs 80 in encrypted data store 54.
  • the entire metadata tree 70 is accessible by patient 12 and all providers that have registered with EHR manager 40.
  • other security measures such as encryption, may be applied to metadata tree 70 to limit access to metadata tree 70 to desired healthcare participants.
  • Metadata tree 70 allows unaffiliated providers (e.g., providers practicing under different, unrelated business entities) to store different encrypted EHRs 80 of patient 12 to encrypted data store 54. Encrypted EHRs 80 are each encrypted with different record keys such that a record key for one encrypted EHR 80 may not be used to decrypt any other encrypted EHR 80. Providers may use metadata tree 70 to determine which encrypted EHRs 80 they need to access and can request access (i.e., record keys) from other providers that generated the needed encrypted EHRs 80 or patient 12 as described in additional detail below.
  • providers e.g., providers practicing under different, unrelated business entities
  • EHR store 50 maintains audit log 58 to log all data accesses to encrypted data store 54 and metadata store 56. Audit log 58 may be used fc. audit or other suitable purposes.
  • Communications network 60 includes any suitable type, number, and combination of wired and / or wireless communications devices that allow patient system 20, provider systems 30, EHR manager 40, and EHR store 50 to communicate with one another.
  • Environment 10 including, patient system 20, provider systems 30, EHR manager 40, and EHR store 50 may be implemented with any suitable type, number, and configuration of processing systems that each include one or more processors for executing instructions stored in one or more memories.
  • data access front 52, encrypted data store 54, metadata store 56, and audit log 58 may be implemented using different processing systems in some embodiments.
  • Embodiments of patient system 20 and provider systems 30 are shown in Figures 6 and 3, respectively, and described in additional detail below.
  • FIG. 3 is a block diagram illustrating one embodiment of a provider system 30.
  • Provider system 30 includes a set of one or more processors 102 configured to execute a set of instructions stored in a memory system 104, memory system 104, and at least one communications device 106.
  • Processors 102, memory system 104, and communications devices 106 communicate using a set of interconnections 108 that includes any suitable type, number, and / or configuration of controllers, buses, interfaces, and / or other wired or wireless connections.
  • Provider system 30 represents any suitable processing device or portion of a processing device such as a server computer, a laptop computer, a tablet computer, a desktop computer, a mobile telephone with processing capabilities (i.e., a smart phone), or another suitable type of electronic device with processing capabilities.
  • Each processor 102 is configured to access and execute instructions stored in memory system 104 and to access and store data in memory system 104.
  • Memory system 104 includes any suitable type, number, and configuration of volatile or non-volatile machine-readable storage media configured to store instructions and data. Examples of machine-readahi p storage media in memory system 104 include hard disk drives, random acce: memory (RAM), read only memory (ROM), flash memory drives and cards, and other suitable types of magnetic and / or optical disks.
  • the machine-readable storage media are considered to be part of an article or article of manufacture.
  • An article or article of manufacture refers to one or more manufactured components.
  • Communications devices 106 include any suitable type, number, and / or configuration of communications devices configured to allow provider system 30 to communicate across one or more wired or wireless networks such as communications network 60 (shown in Figure 1 ).
  • Data access adaptor 34 includes instructions that, when executed by processors 102, causes processors 102 to perform the functions of data access adaptor 34 that will now be described with reference to Figures 4 and 5.
  • Figure 4 is a schematic diagram illustrating one embodiment of storing an encrypted record 80 using a provider key 32
  • Figure 5 is a schematic diagram illustrating one embodiment of accessing an encrypted record using a provider key.
  • data access adaptor 34 accesses metadata tree 70 of patient 12 from metadata store 56 through data access front 52 as indicated by an arrow 141.
  • Metadata store 56 provides metadata tree 70 to provider system 30 through data access front 52 as indicated by an arrow 142.
  • Data access adaptor 34 determines a location 1 12 in metadata tree 70 for a new or updated EHR 1 10 as indicated by an arrow 143.
  • Location 112 represents a fully qualified path in metadata tree 70 (i.e., a uniform resource identifier (URI)).
  • URI uniform resource identifier
  • Data access adaptor 34 generates a record key 1 14 (K reC ord) based on provider key 32 (K pa tient, pro ider) and location 1 12 as indicated by an arrow 144.
  • Data access adaptor 34 encrypts EHR 1 10 using record key 1 14 to generate an encrypted EHR 120 as indicated by an arrow 145.
  • Data access adaptor 34 provides encrypted EHR 120 to encrypted data store 54 through data access front 52 as indicated by an arrow 146.
  • Encrypted data store 54 provides a status to data access adaptor 34 through data access front 52 as indicated by an arrow 147. If the status indicates tha f encrypted EHR 120 was not stored successfully, then data access adaptor 3 may retry the store.
  • data access adaptor 34 updates metadata tree 70 to add a leaf node 76 to include a reference 78 to the successfully stored encrypted EHR 80 in encrypted data store 54 and provides the updated metadata tree 70 to metadata store 56 through data access front 52 as indicated by an arrow 148.
  • Metadata store 56 provides a status to data access adaptor 34 through data access front 52 as indicated by an arrow 149. If the status indicates that the updated metadata tree 70 was not stored successfully, then data access adaptor 34 may retry the update.
  • Data access adaptor 34 repeats the process shown in Figure 4 for each EHR that is stored in encrypted data store 54.
  • a provider may access the encrypted EHR 80 from encrypted data store 54 as shown in Figure 5.
  • data access adaptor 34 accesses metadata tree 70 of patient 12 from metadata store 56 through data access front 52 as indicated by an arrow 151.
  • Metadata store 56 provides metadata tree 70 to provider system 30 through data access front 52 as indicated by an arrow 1 52.
  • Data access adaptor 34 displays metadata tree 70 to the provider to allow the provider to select a desired encrypted EHR 80 as indicated by an arrow 1 53.
  • Data access adaptor 34 determines a location 1 1 2 in metadata tree 70 corresponding to the encrypted EHR 80 as indicated by an arrow 1 54.
  • location 1 12 represents a fully qualified path in metadata tree 70 (i.e., a uniform resource identifier (URI)).
  • URI uniform resource identifier
  • Data access adaptor 34 generates a record key 1 14 (K rec0 rd) based on provider key 32 (K pa tient, provider) and location 1 1 2 as indicated by an arrow 1 55.
  • Data access adaptor 34 accesses the encrypted EHR 80 from encrypted data store 54 through data access front 52 as indicated by an arrow 1 56.
  • Encrypted data store 54 provides the desired encrypted EHR 80 through data access front 52 as indicated by an arrow 1 57.
  • Data access adaptor 34 stores the encrypted EHR 80 (shown as encrypted EHR 1 20) and decrypts encrypted EHR 1 20 into a decrypted EHR 1 1 0 using record key 1 14 as indicated by an arrow 1 58.
  • Data access adaptor 34 displays decrypted EHR 1 1 0 to the provider as indicated by an arrow 1 59.
  • Data access adaptor 34 repeats the process shown in Figure 5 for each encrypted EHR generated by a provider that is accessed from encrypted data store 54 by the provider.
  • FIG. 6 is a block diagram illustrating one embodiment of patient system 20.
  • Patient system 20 includes a set of one or more processors 202 configured to execute a set of instructions stored in a memory system 204, memory system 204, and at least one communications device 206.
  • Processors 202, memory system 204, and communications devices 206 communicate using a set of interconnections 208 that includes any suitable type, number, and / or configuration of controllers, buses, interfaces, and / or other wired or wireless connections.
  • Patient system 20 represents any suitable processing device or portion of a processing device such as a server computer, a laptop computer, a tablet computer, a desktop computer, a mobile telephone with processing capabilities (i.e., a smart phone), or another suitable type of electronic device with processing capabilities.
  • Each processor 202 is configured to access and execute instructions stored in memory system 204 and to access and store data in memory system 204.
  • Memory system 204 includes any suitable type, number, and configuration of volatile or non-volatile machine-readable storage media configured to store instructions and data. Examples of machine-readable storage media in memory system 104 include hard disk drives, random access memory (RAM), read only memory (ROM), flash memory drives and cards, and other suitable types of magnetic and / or optical disks.
  • Communications devices 206 include any suitable type, number, and / or configuration of communications devices configured to allow patient system 20 to communicate across one or more wired or wireless networks such as communications network 60 (shown in Figure 1 ).
  • Data access adaptor 24 includes instructions that, when executed by processors 202, causes processors 202 to perform the functions of data access adaptor 24 that will now be described with reference to Figure 7.
  • Figure 7 is a. schematic diagram illustrating one embodiment of accessing an encrypted record 80 using a patient key 22.
  • the process of Figure 7 allows patient 12 to may access any encrypted EHR 80 from encrypted data store 54 (i.e., encrypted EHRs 80 generated by any provider).
  • patient 12 may generate any record key 214 using patient key 22, the provider-id 31 of the provider that generated the encrypted EHR 80, and a location 212 in metadata tree 70 corresponding to the encrypted EHR 80.
  • data access adaptor 24 accesses metadata tree 70 of patient 12 from metadata store 56 through data access front 52 as indicated by an arrow 161.
  • Metadata store 56 provides metadata tree 70 to patient system 20 through data access front 52 as indicated by an arrow 162.
  • Data access adaptor 24 displays metadata tree 70 to patient 12 to allow patient 12 to select a desired encrypted EHR 80 as indicated by an arrow 163.
  • Data access adaptor 24 determines a location 212 in metadata tree 70 corresponding to the encrypted EHR 80 as indicated by an arrow 164.
  • location 212 represents a fully qualified path in metadata tree 70 (i.e., a uniform resource identifier (URI)).
  • URI uniform resource identifier
  • Data access adaptor 24 determines a provider-id 31 of the provider that generated the encrypted EHR 80 (e.g., by accessing provider-id 31from EHR manager 40) as indicated by an arrow 165.
  • Data access adaptor 24 generates a record key 214 (K reC ord) based on patient key 22 (K pa tient) > provider-id 31 , and location 212 as indicated by an arrow 166.
  • Data access adaptor 24 accesses the encrypted EHR 80 from encrypted data store 54 through data access front 52 as indicated by an arrow 167.
  • Encrypted data store 54 provides the encrypted EHR 80 through data access front 52 as indicated by an arrow 168.
  • Data access adaptor 24 stores the encrypted EHR 80 (shown as encrypted EHR 220 in Figure 3) and decrypts encrypted EHR 220 into a decrypted EHR 210 as indicated by an arrow 169.
  • Data access adaptor 24 displays decrypted EHR 210 to patient 12 as indicate by an arrow 170.
  • Data access adaptor 24 repeats the process shown in Figure 7 for each encrypted EHR that is accessed from encrypted data store 54 by patient 12.
  • both providers that generate encrypted EHRs 80 and patient 12 may generate record keys 1 14 and 214, respectively, which are used to decrypt the encrypted EHRs 80.
  • To share an encrypted EHR 80 with another provider either the provider that generates the encrypted EHR 80 or patient 12 shares record key 1 14 or 214, respectively, to allow the other provider to access and decrypt the encrypted EHR 80.
  • data access adaptor 34 further includes instructions that, when executed by processors 102, causes processors 102 to perform the functions of data access adaptor 34 that will now be described with reference to Figure 8.
  • Figure 8 is a schematic diagram illustrating one embodiment of accessing an encrypted record using a shared key.
  • data access adaptor 34 accesses metadata tree 70 of patient 12 from metadata store 56 through data access front 52 as indicated by an arrow 181.
  • Metadata store 56 provides metadata tree 70 to provider system 30 through data access front 52 as indicated by an arrow 182.
  • Data access adaptor 34 displays metadata tree 70 to the provider to allow the provider to select a desired encrypted EHR 80 as indicated by an arrow 183.
  • Data access adaptor 34 determines a location 1 12 in metadata tree 70 corresponding to the encrypted EHR 80 as indicated by an arrow 184.
  • location 112 represents a fully qualified path in metadata tree 70 (i.e., a uniform resource identifier (URI)).
  • URI uniform resource identifier
  • Data access adaptor 34 receives a shared key 1 16 for the encrypted EHR 80 from another provider or patient 12 as indicated by an arrow " 185.
  • Data access adaptor 34 accesses the encrypted EHR 80 from encrypted data store 54 through data access front 52 as indicated by an arrow 186.
  • Encrypted data store 54 provides the desired encrypted EHR 80.through data access front 52 as indicated by an arrow 187.
  • Data access adaptor 34 stores the encrypted EHR 80 (shown as encrypted EHR 120) and decrypts encrypted EHR 120 into a decrypted EHR 1 10 using shared key 1 16 as indicated by an arrow 188.
  • Data access adaptor 34 displays decrypted EHR 1 10 to the provider as indicated by an arrow 189.
  • Data access adaptor 34 repeats the process shown in Figure 8 for each encrypted EHR generated by one provider that is accessed from encrypted data store 54 by another provider.
  • Providers may also store encrypted EHRs 120 on behalf of other providers by using shared key 1 16 in a variation of the embodiment of Figure 4. To do so, a provider uses data access adaptor 34 to receive shared key 1 16 for the encrypted EHR 80 from another provider and omits step 144 in Figure 4. Data access adaptor 34 encrypts an EHR 1 10 using shared key 116, rather than record key 1 14, to generate an encrypted EHR 120 in step 145 and performs the remaining steps of Figure 4 as described above.
  • the above embodiments may advantageously allow patients to securely manage access to EHRs created by different healthcare providers in a common encrypted data store.
  • the embodiments allow a patient to maintain a single encryption key and allow providers to maintain a single encryption key per patient.
  • the patient may access all EHRs using the patient key, and providers may access all EHRs using either a provider key or a shared key from another provider or the patient.
  • the metadata tree provides the patient and providers with the ability to navigate a patient's entire health history while preserving privacy and security. As a result, the embodiments may shift the primary responsibility of making record access decisions to the providers while ensuring that the patient has access to all EHRs at any time.

Landscapes

  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Strategic Management (AREA)
  • Human Resources & Organizations (AREA)
  • Entrepreneurship & Innovation (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Medical Informatics (AREA)
  • Primary Health Care (AREA)
  • Epidemiology (AREA)
  • Public Health (AREA)
  • Marketing (AREA)
  • General Business, Economics & Management (AREA)
  • Tourism & Hospitality (AREA)
  • Quality & Reliability (AREA)
  • Operations Research (AREA)
  • Economics (AREA)
  • Data Mining & Analysis (AREA)
  • Bioethics (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Medical Treatment And Welfare Office Work (AREA)
  • Measuring And Recording Apparatus For Diagnosis (AREA)

Abstract

A method performed by a processing system includes determining a location in a metadata tree of a patient for an electronic health record, generating a record key for the electronic health record based on the location and a provider key corresponding to a provider, the provider key generated from a patient key corresponding to the patient, encrypting the electronic health record using the record key to generate a encrypted record, and providing the encrypted record to an encrypted data store.

Description

ENCRYPTED DATA STORE FOR RECORDS
Cross Reference to Related Application
[0001] This application claims priority to U.S. Provisional Patent Application No. 61/683,694, entitled "Secure Storing and Sharing of Electronic Medical Records in the Cloud Environment", and filed August 15, 2012. The disclosure of this application is incorporated by reference herein.
Background
[0002] Electronic Health Records (EHRs) may enable healthcare participants (e.g., patients, healthcare providers, payers, and researchers) to improve coordination of care and access to health information. Although EHRs may facilitate access to healthcare information, the sharing of healthcare information may involve many complex technical and legal issues. These issues may be burdensome for healthcare participants that lack the resources and expertise to enable such sharing while ensuring consistency, privacy, and security of the healthcare information.
Brief Description of the Drawings
[0003] Figure 1 is a block diagram illustrating one embodiment of an electronic health record store processing environment. [0004] Figure 2 is a block diagram illustrating one embodiment of a metadata tree and an encrypted data store.
[0005] Figure 3 is a block diagram illustrating one embodiment of a provider system.
[0006] Figure 4 is a schematic diagram illustrating one embodiment of storing an encrypted record using a provider key.
[0007] Figure 5 is a schematic diagram illustrating one embodiment of accessing an encrypted record using a provider key.
[0008] Figure 6 is a block diagram illustrating one embodiment of a patient system.
[0009] Figure 7 is a schematic diagram illustrating one embodiment of accessing an encrypted record using a patient key.
[0010] Figure 8 is a schematic diagram illustrating one embodiment of accessing an encrypted record using a shared key.
Detailed Description
[001 1] In the following detailed description, reference is made to the accompanying drawings, which form a part hereof, and in which is shown by way of illustration specific embodiments in which the disclosed subject matter may be practiced. It is to be understood that other embodiments may be utilized and structural or logical changes may be made without departing from the scope of the present disclosure. The following detailed description, therefore, is not to be taken in a limiting sense, and the scope of the present disclosure is defined by the appended claims.
[0012] Embodiments described herein provide an electronic health record (EHR) storage processing environment that enables secure, seamless sharing of EHRs among healthcare participants (e.g., patients, healthcare providers, payers, and researchers). The environment includes an encrypted data store that stores encrypted EHRs of patients and a metadata tree for each patient that provides a mapping to the EHRs of a given patient in the encrypted data store. Each EHR is uniquely encrypted using a patient key, a provider key, and a location corresponding to the EHR in the metadata tree prior to being stored in the encrypted data store. The metadata tree for each patient is visible to healthcare participants, such as healthcare providers, to allow the participants to store and access EHRs of patients.
[0013] To allow EHRs to be stored in the encrypted data store, each healthcare provider uses a unique provider key for each patient (referred to herein as Kpatient, provider) that is generated based on a corresponding patient key (referred to herein as Kpatient) of a patient and a provider identifier (referred to herein as provider-id). To store an EHR of a patient, a provider accesses the metadata tree for the patient and determines a location for the EHR in the metadata tree. The provider then generates a record key (referred to herein Krecord) based on the provider key and the location in the metadata tree, encrypts the EHR using the record key, stores the encrypted EHR in the encrypted data store, and updates the metadata tree to include a reference o the EHR at the determined location. The provider may also generate and share a record key with another healthcare participant to allow the participant to store EHRs on behalf of the provider.
[0014] To access an EHR of a patient, a provider accesses the metadata tree for the patient and determines the location that corresponds to the EHR in the metadata tree. If the provider generated the EHR (e.g., if the EHR is one of the provider's records), then the provider accesses the EHR from the encrypted data store, generates the record key based on the provider key and the location of the reference to the EHR in the metadata tree, and decrypts the EHR using the record key. If the provider did not generate the EHR (e.g., if the EHR was generated by another provider), then the provider requests and receives the record key from the other provider or the patient, accesses the EHR from the encrypted data store, and decrypts the EHR using the record key. [0015] Because provider and record keys are generated based on patient keys, patients have the ability to access all records from all providers using the metadata tree. Patients, as well as providers that generate EHRs, may share EHRs with other providers by generating the record keys for selected EHRs and providing the record keys to the other providers. The other providers may select EHRs in which to request access using the metadata tree for the patient.
Accordingly, the processing environment described herein enables providers from different healthcare institutions to directly store EHRs of a patient in a common data store and provide access to selected EHRs to other providers.
[0016] As used herein, the term "healthcare participant" (also referred to as "participant") refers to a patient, a healthcare provider, a payer, a researcher, or other suitable person involved in a healthcare process of a patient that generates and / or uses healthcare information corresponding to a patient. The term "patient" refers to a person that receives at least one healthcare service from a healthcare provider. The term "healthcare provider" (also referred to as "provider") refers to a person and / or institution that provides at least one healthcare service to a patient.
[0017] The term "electronic health record" (EHR) refers to a set of healthcare information generated by a healthcare participant and stored in an electronic format on at least one machine-readable storage medium. The term "encrypted electronic health record" refers to an electronic health record that has been encrypted with an encryption key such as a record key.
[0018] The term "patient key" refers to an encryption key of a patient. The term "provider key" refers to an encryption key that is generated based on a patient key and a provider identifier. The term "record key" refers to an encryption key that is generated based on a provider key and a location in a metadata tree of a patient that corresponds to an EHR of the patient. The term "shared key" refers to a record key that is provided from a patient to a provider that did not generate a given EHR or from a provider that generated a given EHR to another, unaffiliated provider. [0019] The term "metadata" refers to a set of information that describes at least one record, such as an electronic health record. The term "metadata tree" refers to a set of nodes that include metadata where each node has a specified relationship with at least one other node in the set.
[0020] Figure 1 is a block diagram illustrating one embodiment of an electronic health record store processing environment 10. Environment 10 includes a patient system 20, a set of provider systems 30(1 )-30(/W) where M is an integer that is greater than or equal to two, an electronic health record (EHR) manager 40, an electronic health record (EHR) store 50, and a communications network 60. Patient system 20, provider systems 30, EHR manager 40, and EHR store 50 communicate with one another using communications network 60. Environment 10 may be implemented using any suitable type, number, and configuration of processing systems to form patient system 20, provider syste™0 30, EHR manager 40, and EHR store 50 as well as any suitable type, numbe and configuration of communications devices to form communications network 60.
[0021] Environment 10 provides the ability to create and manage EHRs of patients including a patient 12 that corresponds to patient system 20 (other patients and patient systems not shown). In one embodiment, patient 12 interacts with patient system 20 to register with EHR manager 40 using a patient manager 42. Patient manager 42 causes patient information of patient 12 to be received and stored in a patient database 44 and initializes a metadata tree 70 (shown in Figure 2) corresponding to patient 12 in metadata store 56. Patient manager 42 may include portions of the registration information in metadata tree 70 of patient 12 in some embodiments. In other embodiments, patient 12 may register in other suitable ways and / or metadata tree 70 for patient 12 may be initialized in other suitable ways.
[0022] Patient 12 communicates with EHR store 50 using a data access adaptor 24 in patient system 20 to access, store, manage, and share encrypted EHRs 80 of patient 12 (shown in Figure 2). Data access adaptor 24
communicates with a data access front 52 on EHR store 50 using communications network 60 to access an encrypted data store 54, a metadata store 56, and an audit log 58 in EHR store 50 as described in additional detail below. Patient system 20 stores a patient key 22 (Kpatient) that represents an encryption key that is unique to patient 12. Patient 12 may generate or receive patient key 22 using patient system 20. Patient key 22 may also be stored on a smart card or other suitable processing system (not shown) that includes at least one machine-readable storage media. Patient key 22 provides root access to metadata tree 70 of patient 12.
[0023] Providers (not shown) interact with corresponding provider systems 30 to register with EHR manager 40 and receive a corresponding provider identifier 31. A provider manager 46 causes provider information of providers to be received and stored in a provider database 48. Provider manager 46 assigns a provider identifier (provider-id) to each provider and stores the provider-ids in provider database 48. Each provider-id represents informatio that may be used in combination with a patient key to generate a provider key (Kpatient, pro ider) for each patient of the provider. Provider manager 46 may provide provider-ids 31 to provider systems 30 in any suitable way such as by transmitting provider-ids 31 to provider systems 30 using communications network 60.
[0024] Provider keys for each patient may be generated by patients (e.g., patient 12). To generate a provider key 32, patient system 20 or another suitable processing system (not shown) generates a unique provider key 32 for patient 12 based on patient key 22 and a corresponding provider-id 31. For example, patient system 20 generates a provider key 32(1 ) based on patient key 22 and provider-id 31 (1 ) and provides provider key 32(1 ) to provider system 30(1 ) in any suitable secure way such as via a smart card or via
communications network 60. In one embodiment, patient system 20 generates provider keys 32 for each provider using a cryptographic keyed, one-way hash function that generates provider keys 32 as a function of patient key 22 and corresponding provider-ids 31. In other embodiments, other suitable functions may be used to generate provider keys 32 based on patient keys 22 and provider-ids 31 . As may be seen, each provider maintains a single provider key 32 for each patient (e.g., each provider system 30 stores a provider key 32 for patient 12).
[0025] Provider keys 32 allow a provider to generate encrypted EHRs 80 for patient 12 and store encrypted EHRs 80 in encrypted data store 54. Providers access EHR store 50 using a corresponding data access adaptor 34 to access, store, manage, and share encrypted EHRs 80 of patient 12. Data access adaptor 34 communicates with data access front 52 on EHR store 50 using communications network 60 to access encrypted data store 54, metadata store 56, and audit log 58 in EHR store 50 as described in additional detail below.
[0026] In EHR store 50, encrypted data store 54 stores encrypted EHRs 80 of patient 12 as well as encrypted EHRs of other patients (not shown).
Encrypted data store 54 includes any suitable type, number, and / or configuration of machine-readable storage media to store the encrypted EHF Because the EHRs are encrypted and because encrypted data store 54 doe not include encryption keys (i.e., record keys) for the EHRs, encrypted data store 54 does not need to be a trusted data store (e.g., encrypted data store 54 may be owned or operated by one or more untrusted third parties).
[0027] Metadata store 56 includes metadata tree 70 for patient 12 as well as metadata trees of other patients (not shown). As shown in Figure 2, metadata tree 70 represents a hierarchical tree structure with a root node 72, any number of intermediate nodes 74, and a single leaf node 76 for each encrypted EHR 80 where each leaf node 76 stores metadata regarding a corresponding encrypted EHR 80. Root node 72 may include information that identifies patient 12, intermediate nodes 74 represent logical groupings of EHRs (e.g., by provider or by categories of patient information such as treatment conditions) and include information that describes the groupings, and leaf nodes 76 each include a single, unique reference 78 to a corresponding encrypted EHR 80 in encrypted data store 54 as well as information that describes the corresponding encrypted EHRs 80. References 78 may be used to access encrypted EHRs 80 in encrypted data store 54. In one embodiment, the entire metadata tree 70 is accessible by patient 12 and all providers that have registered with EHR manager 40. In other embodiments, other security measures, such as encryption, may be applied to metadata tree 70 to limit access to metadata tree 70 to desired healthcare participants.
[0028] Metadata tree 70 allows unaffiliated providers (e.g., providers practicing under different, unrelated business entities) to store different encrypted EHRs 80 of patient 12 to encrypted data store 54. Encrypted EHRs 80 are each encrypted with different record keys such that a record key for one encrypted EHR 80 may not be used to decrypt any other encrypted EHR 80. Providers may use metadata tree 70 to determine which encrypted EHRs 80 they need to access and can request access (i.e., record keys) from other providers that generated the needed encrypted EHRs 80 or patient 12 as described in additional detail below.
[0029] EHR store 50 maintains audit log 58 to log all data accesses to encrypted data store 54 and metadata store 56. Audit log 58 may be used fc. audit or other suitable purposes.
[0030] Communications network 60 includes any suitable type, number, and combination of wired and / or wireless communications devices that allow patient system 20, provider systems 30, EHR manager 40, and EHR store 50 to communicate with one another.
[0031] Environment 10 including, patient system 20, provider systems 30, EHR manager 40, and EHR store 50 may be implemented with any suitable type, number, and configuration of processing systems that each include one or more processors for executing instructions stored in one or more memories. In addition, data access front 52, encrypted data store 54, metadata store 56, and audit log 58 may be implemented using different processing systems in some embodiments. Embodiments of patient system 20 and provider systems 30 are shown in Figures 6 and 3, respectively, and described in additional detail below.
[0032] Figure 3 is a block diagram illustrating one embodiment of a provider system 30. Provider system 30 includes a set of one or more processors 102 configured to execute a set of instructions stored in a memory system 104, memory system 104, and at least one communications device 106. Processors 102, memory system 104, and communications devices 106 communicate using a set of interconnections 108 that includes any suitable type, number, and / or configuration of controllers, buses, interfaces, and / or other wired or wireless connections.
[0033] Provider system 30 represents any suitable processing device or portion of a processing device such as a server computer, a laptop computer, a tablet computer, a desktop computer, a mobile telephone with processing capabilities (i.e., a smart phone), or another suitable type of electronic device with processing capabilities. Each processor 102 is configured to access and execute instructions stored in memory system 104 and to access and store data in memory system 104. Memory system 104 includes any suitable type, number, and configuration of volatile or non-volatile machine-readable storage media configured to store instructions and data. Examples of machine-readahip storage media in memory system 104 include hard disk drives, random acce: memory (RAM), read only memory (ROM), flash memory drives and cards, and other suitable types of magnetic and / or optical disks. The machine-readable storage media are considered to be part of an article or article of manufacture. An article or article of manufacture refers to one or more manufactured components. Communications devices 106 include any suitable type, number, and / or configuration of communications devices configured to allow provider system 30 to communicate across one or more wired or wireless networks such as communications network 60 (shown in Figure 1 ).
[0034] Data access adaptor 34 includes instructions that, when executed by processors 102, causes processors 102 to perform the functions of data access adaptor 34 that will now be described with reference to Figures 4 and 5. Figure 4 is a schematic diagram illustrating one embodiment of storing an encrypted record 80 using a provider key 32, and Figure 5 is a schematic diagram illustrating one embodiment of accessing an encrypted record using a provider key.
[0035] Referring to Figures 3 and 4, data access adaptor 34 accesses metadata tree 70 of patient 12 from metadata store 56 through data access front 52 as indicated by an arrow 141. Metadata store 56 provides metadata tree 70 to provider system 30 through data access front 52 as indicated by an arrow 142. Data access adaptor 34 determines a location 1 12 in metadata tree 70 for a new or updated EHR 1 10 as indicated by an arrow 143. Location 112 represents a fully qualified path in metadata tree 70 (i.e., a uniform resource identifier (URI)). Data access adaptor 34 generates a record key 1 14 (KreCord) based on provider key 32 (Kpatient, pro ider) and location 1 12 as indicated by an arrow 144. Data access adaptor 34 encrypts EHR 1 10 using record key 1 14 to generate an encrypted EHR 120 as indicated by an arrow 145.
[0036] Data access adaptor 34 provides encrypted EHR 120 to encrypted data store 54 through data access front 52 as indicated by an arrow 146.
Encrypted data store 54 provides a status to data access adaptor 34 through data access front 52 as indicated by an arrow 147. If the status indicates thaf encrypted EHR 120 was not stored successfully, then data access adaptor 3 may retry the store. Once the store is successful, data access adaptor 34 updates metadata tree 70 to add a leaf node 76 to include a reference 78 to the successfully stored encrypted EHR 80 in encrypted data store 54 and provides the updated metadata tree 70 to metadata store 56 through data access front 52 as indicated by an arrow 148. Metadata store 56 provides a status to data access adaptor 34 through data access front 52 as indicated by an arrow 149. If the status indicates that the updated metadata tree 70 was not stored successfully, then data access adaptor 34 may retry the update.
[0037] Data access adaptor 34 repeats the process shown in Figure 4 for each EHR that is stored in encrypted data store 54.
[0038] Once a provider stores an encrypted EHR 80 to encrypted data store 54, the provider may access the encrypted EHR 80 from encrypted data store 54 as shown in Figure 5.
[0039] Referring to Figures 3 and 5, data access adaptor 34 accesses metadata tree 70 of patient 12 from metadata store 56 through data access front 52 as indicated by an arrow 151. Metadata store 56 provides metadata tree 70 to provider system 30 through data access front 52 as indicated by an arrow 1 52. Data access adaptor 34 displays metadata tree 70 to the provider to allow the provider to select a desired encrypted EHR 80 as indicated by an arrow 1 53. Data access adaptor 34 determines a location 1 1 2 in metadata tree 70 corresponding to the encrypted EHR 80 as indicated by an arrow 1 54. As noted above, location 1 12 represents a fully qualified path in metadata tree 70 (i.e., a uniform resource identifier (URI)). Data access adaptor 34 generates a record key 1 14 (Krec0rd) based on provider key 32 (Kpatient, provider) and location 1 1 2 as indicated by an arrow 1 55.
[0040] Data access adaptor 34 accesses the encrypted EHR 80 from encrypted data store 54 through data access front 52 as indicated by an arrow 1 56. Encrypted data store 54 provides the desired encrypted EHR 80 through data access front 52 as indicated by an arrow 1 57. Data access adaptor 34 stores the encrypted EHR 80 (shown as encrypted EHR 1 20) and decrypts encrypted EHR 1 20 into a decrypted EHR 1 1 0 using record key 1 14 as indicated by an arrow 1 58. Data access adaptor 34 displays decrypted EHR 1 1 0 to the provider as indicated by an arrow 1 59.
[0041 ] Data access adaptor 34 repeats the process shown in Figure 5 for each encrypted EHR generated by a provider that is accessed from encrypted data store 54 by the provider.
[0042] Figure 6 is a block diagram illustrating one embodiment of patient system 20. Patient system 20 includes a set of one or more processors 202 configured to execute a set of instructions stored in a memory system 204, memory system 204, and at least one communications device 206. Processors 202, memory system 204, and communications devices 206 communicate using a set of interconnections 208 that includes any suitable type, number, and / or configuration of controllers, buses, interfaces, and / or other wired or wireless connections.
[0043] Patient system 20 represents any suitable processing device or portion of a processing device such as a server computer, a laptop computer, a tablet computer, a desktop computer, a mobile telephone with processing capabilities (i.e., a smart phone), or another suitable type of electronic device with processing capabilities. Each processor 202 is configured to access and execute instructions stored in memory system 204 and to access and store data in memory system 204. Memory system 204 includes any suitable type, number, and configuration of volatile or non-volatile machine-readable storage media configured to store instructions and data. Examples of machine-readable storage media in memory system 104 include hard disk drives, random access memory (RAM), read only memory (ROM), flash memory drives and cards, and other suitable types of magnetic and / or optical disks. The machine-readable storage media are considered to be part of an article or article of manufacture. An article or article of manufacture refers to one or more manufactured components. Communications devices 206 include any suitable type, number, and / or configuration of communications devices configured to allow patient system 20 to communicate across one or more wired or wireless networks such as communications network 60 (shown in Figure 1 ).
[0044] Data access adaptor 24 includes instructions that, when executed by processors 202, causes processors 202 to perform the functions of data access adaptor 24 that will now be described with reference to Figure 7. Figure 7 is a. schematic diagram illustrating one embodiment of accessing an encrypted record 80 using a patient key 22. The process of Figure 7 allows patient 12 to may access any encrypted EHR 80 from encrypted data store 54 (i.e., encrypted EHRs 80 generated by any provider). In particular, patient 12 may generate any record key 214 using patient key 22, the provider-id 31 of the provider that generated the encrypted EHR 80, and a location 212 in metadata tree 70 corresponding to the encrypted EHR 80.
[0045] Referring to Figures 6 and 7, data access adaptor 24 accesses metadata tree 70 of patient 12 from metadata store 56 through data access front 52 as indicated by an arrow 161. Metadata store 56 provides metadata tree 70 to patient system 20 through data access front 52 as indicated by an arrow 162. Data access adaptor 24 displays metadata tree 70 to patient 12 to allow patient 12 to select a desired encrypted EHR 80 as indicated by an arrow 163. Data access adaptor 24 determines a location 212 in metadata tree 70 corresponding to the encrypted EHR 80 as indicated by an arrow 164. As noted above, location 212 represents a fully qualified path in metadata tree 70 (i.e., a uniform resource identifier (URI)). Data access adaptor 24 determines a provider-id 31 of the provider that generated the encrypted EHR 80 (e.g., by accessing provider-id 31from EHR manager 40) as indicated by an arrow 165. Data access adaptor 24 generates a record key 214 (KreCord) based on patient key 22 (Kpatient)> provider-id 31 , and location 212 as indicated by an arrow 166.
[0046] Data access adaptor 24 accesses the encrypted EHR 80 from encrypted data store 54 through data access front 52 as indicated by an arrow 167. Encrypted data store 54 provides the encrypted EHR 80 through data access front 52 as indicated by an arrow 168. Data access adaptor 24 stores the encrypted EHR 80 (shown as encrypted EHR 220 in Figure 3) and decrypts encrypted EHR 220 into a decrypted EHR 210 as indicated by an arrow 169. Data access adaptor 24 displays decrypted EHR 210 to patient 12 as indicate by an arrow 170.
[0047] Data access adaptor 24 repeats the process shown in Figure 7 for each encrypted EHR that is accessed from encrypted data store 54 by patient 12.
[0048] As described above, both providers that generate encrypted EHRs 80 and patient 12 may generate record keys 1 14 and 214, respectively, which are used to decrypt the encrypted EHRs 80. To share an encrypted EHR 80 with another provider, either the provider that generates the encrypted EHR 80 or patient 12 shares record key 1 14 or 214, respectively, to allow the other provider to access and decrypt the encrypted EHR 80.
[0049] Referring back to Figure 3, data access adaptor 34 further includes instructions that, when executed by processors 102, causes processors 102 to perform the functions of data access adaptor 34 that will now be described with reference to Figure 8. Figure 8 is a schematic diagram illustrating one embodiment of accessing an encrypted record using a shared key.
[0050] Referring to Figures 3 and 8, data access adaptor 34 accesses metadata tree 70 of patient 12 from metadata store 56 through data access front 52 as indicated by an arrow 181. Metadata store 56 provides metadata tree 70 to provider system 30 through data access front 52 as indicated by an arrow 182. Data access adaptor 34 displays metadata tree 70 to the provider to allow the provider to select a desired encrypted EHR 80 as indicated by an arrow 183. Data access adaptor 34 determines a location 1 12 in metadata tree 70 corresponding to the encrypted EHR 80 as indicated by an arrow 184. As noted above, location 112 represents a fully qualified path in metadata tree 70 (i.e., a uniform resource identifier (URI)). Data access adaptor 34 receives a shared key 1 16 for the encrypted EHR 80 from another provider or patient 12 as indicated by an arrow" 185.
[0051] Data access adaptor 34 accesses the encrypted EHR 80 from encrypted data store 54 through data access front 52 as indicated by an arrow 186. Encrypted data store 54 provides the desired encrypted EHR 80.through data access front 52 as indicated by an arrow 187. Data access adaptor 34 stores the encrypted EHR 80 (shown as encrypted EHR 120) and decrypts encrypted EHR 120 into a decrypted EHR 1 10 using shared key 1 16 as indicated by an arrow 188. Data access adaptor 34 displays decrypted EHR 1 10 to the provider as indicated by an arrow 189.
[0052] Data access adaptor 34 repeats the process shown in Figure 8 for each encrypted EHR generated by one provider that is accessed from encrypted data store 54 by another provider.
[0053] Providers may also store encrypted EHRs 120 on behalf of other providers by using shared key 1 16 in a variation of the embodiment of Figure 4. To do so, a provider uses data access adaptor 34 to receive shared key 1 16 for the encrypted EHR 80 from another provider and omits step 144 in Figure 4. Data access adaptor 34 encrypts an EHR 1 10 using shared key 116, rather than record key 1 14, to generate an encrypted EHR 120 in step 145 and performs the remaining steps of Figure 4 as described above.
[0054] The above embodiments may advantageously allow patients to securely manage access to EHRs created by different healthcare providers in a common encrypted data store. The embodiments allow a patient to maintain a single encryption key and allow providers to maintain a single encryption key per patient. The patient may access all EHRs using the patient key, and providers may access all EHRs using either a provider key or a shared key from another provider or the patient. In addition, the metadata tree provides the patient and providers with the ability to navigate a patient's entire health history while preserving privacy and security. As a result, the embodiments may shift the primary responsibility of making record access decisions to the providers while ensuring that the patient has access to all EHRs at any time.

Claims

CLAIMS What is claimed is:
1 . A method performed by a processing system, the method comprising: determining a first location in a metadata tree of a patient for a first electronic health record;
generating a first record key for the first electronic health record based on the first location and a first provider key corresponding to a first provider, the first provider key generated from a patient key corresponding to the patient; encrypting the first electronic health record using the first record key to generate a first encrypted record; and
providing the first encrypted record to an encrypted data store.
2. The method of claim 1 further comprising:
updating the first location in the metadata tree to include a first reference to the first encrypted record in the encrypted data store; and
providing the metadata tree to a metadata store that is accessible by a second provider.
3. The method of claim 2 wherein a second location in the metadata tree includes a second reference to a second encrypted record in the encrypted data store, wherein the second encrypted electronic health record is generated by a second provider, and wherein the second provider is not affiliated with the first provider.
4. The method of claim 3 further comprising:
receiving a second record key for the second encrypted record, the second record key generated based on the second location in the metadata tree that includes the second reference and a second provider key corresponding to the second provider, the second provider key generated from the patient key; accessing the second encrypted record from the encrypted data store; and
decrypting the second encrypted record using the second record key.
5. The method of claim 1 further comprising:
receiving the patient key from the patient;
accessing a provider identifier corresponding to the first provider; and generating the first provider key based on the patient key and the provider identifier.
6. The method of claim 1 further comprising:
determining a second location in the metadata tree of the patient for a second electronic health record;
generating a second record key for the second electronic health record based on the second location and the first provider key;
encrypting the second electronic health record using the second record key to generate a second encrypted record; and
providing the second encrypted record to the encrypted data store.
7. The method of claim 6 wherein the first record key differs from the second record key such that the first record key is not usable to decrypt the second encrypted record and the second record key is not usable to decrypt the first encrypted record.
8. A processing system comprising:
a set of one or more processors; and
a memory storing a set of instructions that, when executed by the set of processors, cause the set of processors to:
determine a first location in a metadata tree of a patient that corresponds to a first encrypted electronic health record in an encrypted data store; generate a first record key for the encrypted electronic health record based on the first location and a first provider key corresponding to a first provider;
access the first encrypted electronic health record from the encrypted data store using the first reference; and
decrypt the first encrypted electronic health record using the first record key.
9. The processing system of claim 8 wherein the first location in the metadata tree includes a first reference to the first encrypted electronic health record in the encrypted data store, wherein a second location in the metadata tree includes a second reference to a second encrypted electronic health record in the encrypted data store, wherein the second encrypted electronic health record is generated by a second provider, and wherein the second provider is not affiliated with the first provider.
10. The processing system of claim 8 wherein the first record key is not usable to decrypt the second encrypted electronic health record, wherein a second record key is usable to decrypt the second encrypted electronic health record, and wherein the second record key is not usable to decrypt the first encrypted electronic health record.
1 1 . The processing system of claim 8 wherein the set of instructions, when executed by the set of processors, cause the set of processors to:
generate the first provider key based on a patient key corresponding to the patient.
12. The processing system of claim 8 wherein the set of instructions, when executed by the set of processors, cause the set of processors to: access the metadata tree from a metadata store that is accessible to the patient, the first provider, and a second provider that is not affiliated with the first provider.
13. An article comprising at least one machine-readable storage medium storing instructions that, when executed by a processing system, cause the processing system to:
determine a first location in a metadata tree of a patient that corresponds to a first encrypted electronic health record, the first encrypted electronic health record generated by a first provider;
receive a first record key for the first encrypted electronic health record, the first record key generated based on the first location and a first provider key corresponding to the first provider;
access the first encrypted electronic health record from an encrypted data store using the first reference; and
decrypt, by a second provider, the first encrypted electronic health record using the first record key.
14. The article of claim 13, wherein the first location in the metadata tree includes a first reference to the first encrypted electronic health record in the encrypted data store, wherein a second location in the metadata tree includes a second reference to a second encrypted electronic health record in the encrypted data store, wherein the second encrypted electronic health record is generated by the second provider, and wherein the second provider is not affiliated with the first provider.
15. The article of claim 14, wherein the first record key is not usable to decrypt the second encrypted electronic health record, wherein a second record key is usable to decrypt the second encrypted electronic health record, and wherein the second record key is not usable to decrypt the first encrypted electronic health record.
16. The article of claim 13, wherein the instructions, when executed by the processing system, cause the processing system to:
request the first record key from the first provider; and
receive the first record key from the first provider.
17. The article of claim 13, wherein the instructions, when executed by the processing system, cause the processing system to:
request the first record key from the patient; and
receive the first record key from the patient.
PCT/US2012/053215 2012-08-15 2012-08-30 Encrypted data store for records WO2014028035A1 (en)

Priority Applications (6)

Application Number Priority Date Filing Date Title
AU2012387663A AU2012387663B2 (en) 2012-08-15 2012-08-30 Encrypted data store for records
CA2882349A CA2882349A1 (en) 2012-08-15 2012-08-30 Encrypted data store for records
US14/421,759 US9940469B2 (en) 2012-08-15 2012-08-30 Encrypted data store for records
CN201280076412.2A CN104704527A (en) 2012-08-15 2012-08-30 Encrypted data store for records
EP12891380.3A EP2885762A4 (en) 2012-08-15 2012-08-30 Encrypted data store for records
JP2015527433A JP6300800B2 (en) 2012-08-15 2012-08-30 Encrypted data storage device for recording

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201261683694P 2012-08-15 2012-08-15
US61/683,694 2012-08-15

Publications (1)

Publication Number Publication Date
WO2014028035A1 true WO2014028035A1 (en) 2014-02-20

Family

ID=50685679

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2012/053215 WO2014028035A1 (en) 2012-08-15 2012-08-30 Encrypted data store for records

Country Status (7)

Country Link
US (1) US9940469B2 (en)
EP (1) EP2885762A4 (en)
JP (1) JP6300800B2 (en)
CN (1) CN104704527A (en)
AU (1) AU2012387663B2 (en)
CA (1) CA2882349A1 (en)
WO (1) WO2014028035A1 (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2535183B (en) * 2015-02-11 2017-02-15 Livedrive Internet Ltd Methods and systems for virtual file storage and encryption
EP3661117B1 (en) * 2015-03-03 2023-10-18 Wonderhealth, LLC Access control for encrypted data in machine-readable identifiers
CN106302312B (en) * 2015-05-13 2019-09-17 阿里巴巴集团控股有限公司 Obtain the method and device of electronic document
US9906361B1 (en) 2015-06-26 2018-02-27 EMC IP Holding Company LLC Storage system with master key hierarchy configured for efficient shredding of stored encrypted data items
US9779269B1 (en) * 2015-08-06 2017-10-03 EMC IP Holding Company LLC Storage system comprising per-tenant encryption keys supporting deduplication across multiple tenants
IT201800002895A1 (en) * 2018-02-21 2019-08-21 Stmicroelectronics Application Gmbh PROCESSING SYSTEM, RELATED INTEGRATED CIRCUIT, DEVICE AND PROCEDURE
US20200021570A1 (en) * 2018-07-16 2020-01-16 Che-Min Lin Blockchain dental implant system
US20200020424A1 (en) * 2018-07-16 2020-01-16 Che-Min Lin Blockchain electronic medical record system
US11128460B2 (en) 2018-12-04 2021-09-21 EMC IP Holding Company LLC Client-side encryption supporting deduplication across single or multiple tenants in a storage system
US11019033B1 (en) 2019-12-27 2021-05-25 EMC IP Holding Company LLC Trust domain secure enclaves in cloud infrastructure
US12105788B2 (en) 2021-12-27 2024-10-01 Praia Health Inc. Single sign-on across multiple application instances, such as electronic medical record system instances
US20240160776A1 (en) * 2022-11-16 2024-05-16 Providence St. Joseph Health Using vendor-independent protocols to perform identity and access management for electronic medical record instances

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030074564A1 (en) * 2001-10-11 2003-04-17 Peterson Robert L. Encryption system for allowing immediate universal access to medical records while maintaining complete patient control over privacy
US20050256742A1 (en) * 2004-05-05 2005-11-17 Kohan Mark E Data encryption applications for multi-source longitudinal patient-level data integration
JP2008237426A (en) * 2007-03-27 2008-10-09 Ge Medical Systems Global Technology Co Llc Medical image file output device and medical image diagnostic device

Family Cites Families (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4011641B2 (en) * 1995-10-18 2007-11-21 大日本印刷株式会社 Portable information recording medium
JP2001352321A (en) 2000-04-06 2001-12-21 Sony Corp Information processing system, information processing method, and information recording medium, and program providing medium
US6904432B2 (en) * 2001-11-30 2005-06-07 Intelligent Medical Objects, Inc. Adaptive data manager
KR100562895B1 (en) 2002-05-13 2006-03-21 주식회사 바이오폴리메드 Biologically Active Polymeric Conjugate For Hepatocyte Targeting Of Drug
US20030033169A1 (en) * 2002-07-30 2003-02-13 Dew Douglas K. Automated data entry system and method for generating medical records
KR100924773B1 (en) * 2002-09-16 2009-11-03 삼성전자주식회사 Method for encrypting and decrypting metadata and method for managing metadata and system thereof
JP2005115565A (en) * 2003-10-06 2005-04-28 Nec Soft Ltd Medical information trust system and method for providing services for the same
JP2006099548A (en) 2004-09-30 2006-04-13 Hitachi Ltd Data sharing system, data sharing method, data holder device and data server
US20080172737A1 (en) 2007-01-11 2008-07-17 Jinmei Shen Secure Electronic Medical Record Management Using Hierarchically Determined and Recursively Limited Authorized Access
US8065166B2 (en) * 2007-10-30 2011-11-22 Onemednet Corporation Methods, systems, and devices for managing medical images and records
US8554577B2 (en) 2007-12-05 2013-10-08 Ronald Stephen Joe Electronic medical records information system
US20090150292A1 (en) 2007-12-10 2009-06-11 Dean Trinh System and method for secure storing, displaying, organizing electronic, and transferring medical records
US20090193267A1 (en) 2008-01-28 2009-07-30 Chiasen Chung Secure electronic medical record storage on untrusted portal
US8977572B2 (en) 2008-07-31 2015-03-10 General Electric Company Systems and methods for patient-controlled, encrypted, consolidated medical records
CN102457508A (en) 2010-11-02 2012-05-16 江苏大学 Digital signature method of electronic medical record based on XML (Extensive Makeup Language)
US20130006865A1 (en) * 2011-06-29 2013-01-03 Mckesson Financial Holdings Limited Systems, methods, apparatuses, and computer program products for providing network-accessible patient health records
CN102331998A (en) 2011-07-22 2012-01-25 大连亿创天地科技发展有限公司 Method and system for downloading video electronic case history under authorization

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030074564A1 (en) * 2001-10-11 2003-04-17 Peterson Robert L. Encryption system for allowing immediate universal access to medical records while maintaining complete patient control over privacy
US20050256742A1 (en) * 2004-05-05 2005-11-17 Kohan Mark E Data encryption applications for multi-source longitudinal patient-level data integration
JP2008237426A (en) * 2007-03-27 2008-10-09 Ge Medical Systems Global Technology Co Llc Medical image file output device and medical image diagnostic device

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
JOSH BENALOH ET AL.: "CCSW ' : PROCEEDINGS OF THE ACM WORKSHOP ON CLOUD COMPUTING SECURITY", 13 November 2009, ACM, article "Patient controlled encryption: Ensuring privacy of electronic medical records", pages: 103 - 114
See also references of EP2885762A4

Also Published As

Publication number Publication date
CA2882349A1 (en) 2014-02-20
JP2015526048A (en) 2015-09-07
EP2885762A4 (en) 2017-04-05
US9940469B2 (en) 2018-04-10
AU2012387663B2 (en) 2016-02-25
AU2012387663A1 (en) 2015-03-05
JP6300800B2 (en) 2018-03-28
EP2885762A1 (en) 2015-06-24
US20150220746A1 (en) 2015-08-06
CN104704527A (en) 2015-06-10

Similar Documents

Publication Publication Date Title
US9940469B2 (en) Encrypted data store for records
US20220084643A1 (en) Blockchain-based mechanisms for secure health information resource exchange
US10771240B2 (en) Dynamic blockchain system and method for providing efficient and secure distributed data access, data storage and data transport
US11373736B2 (en) Metadata tree with key rotation information
CN116114025A (en) Secure storage and retrieval of sensitive information
US20130006865A1 (en) Systems, methods, apparatuses, and computer program products for providing network-accessible patient health records
US9977922B2 (en) Multi-tier storage based on data anonymization
Sánchez-Guerrero et al. Collaborative ehealth meets security: Privacy-enhancing patient profile management
JP2020519097A (en) Creating a matching cohort and exchanging protected data using blockchain
US20090307488A1 (en) Health keyset management
AU2012387668B2 (en) Metadata tree of a patient with lockboxes
US20230317224A1 (en) Patient specified health record on blockchain
Nath et al. Development of EHR Using Blockchain Technology
WO2023104745A1 (en) A distributed communication network

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12891380

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2015527433

Country of ref document: JP

Kind code of ref document: A

Ref document number: 2882349

Country of ref document: CA

WWE Wipo information: entry into national phase

Ref document number: 14421759

Country of ref document: US

NENP Non-entry into the national phase

Ref country code: DE

WWE Wipo information: entry into national phase

Ref document number: 2012891380

Country of ref document: EP

ENP Entry into the national phase

Ref document number: 2012387663

Country of ref document: AU

Date of ref document: 20120830

Kind code of ref document: A