
Page 1: Enhancing Privacy and Data Protection in Electronic Medical Environments

P1: IZO

Journal of Medical Systems [joms] PP1277-joms-490318 September 20, 2004 23:37 Style file version June 5th, 2002

Journal of Medical Systems, Vol. 28, No. 6, December 2004 (© 2004)

Enhancing Privacy and Data Protection in Electronic Medical Environments

Stefanos Gritzalis1

Raising awareness and providing guidance to on-line data protection is by all means a crucial issue worldwide. Equally important is the issue of applying privacy-related legislation in a coherent and coordinated way. Both these topics become even more critical when referring to medical environments and thus to the protection of patients’ privacy and medical data. Electronic medical transactions require the transmission of personal and medical information over insecure communication channels like the Internet. It is therefore a rather straightforward task to construct “patient profiles” that capture the electronic medical behavior of a patient, or even reveal sensitive information regarding her/his medical history. Clearly, the consequence of maintaining such profiles is the violation of the patient’s privacy. This paper studies medical environments that can support electronic medical transactions or/and the provision of medical information through the Web. Specifically it focuses on the countermeasures that the various actor categories can employ for protecting the privacy of personal and medical data transmitted during electronic medical transactions.

KEY WORDS: security; privacy; data protection; trusted third parties; EU directives: 95/46; 97/66; 2002/58.

INTRODUCTION

Information and Communication Technology (ICT) applications have rapidly evolved from stand-alone centralized computer systems to open networks and distributed computing environments, establishing communication among different computing systems via local area networks and the Internet. The health care sector is an application area that has a lot to gain from the development of a Web-based infrastructure.(1) The main objectives of the research and development work currently taking place in the area are

• to increase the efficiency of health care practice;
• to increase the quality of health care services;

1 Information and Communication Systems Security Laboratory, Department of Information and Communication Systems Engineering, University of the Aegean, Samos GR-83200, Greece; e-mail: [email protected].

535

0148-5598/04/1200-0535/0 © 2004 Springer Science+Business Media, Inc.


• to support new applications, such as telediagnosis, etc.;
• to increase information availability; and
• to reduce costs.

However, the problem raised is that of security, especially as the privacy of communication through the Internet may be at stake in a number of ways. On-line collection and processing of personal data forms a severe threat to privacy. Actually, the lack of privacy in communications is the main reservation of the public as far as the utilization of Internet-based services is concerned. This has also been confirmed by a Business Week poll,(2) which has highlighted that the major reservation of the users in using the Internet is due to the lack of privacy rather than cost, difficulties in using the service or undesirable marketing messages. This problem is far more significant in modern medical environments.(3–7) For example, health care networks are planned and developed according to common standards (e.g., standardized electronic patient case files) linking general practitioners, hospitals, and social centers at a national or/and international scale. Although such networks can reduce the costs and improve the effectiveness of the health care system, the patient’s privacy is affected and it must therefore be protected.

With the development of new health care networks, an increasing amount of sensitive medical information is being collected, stored, shared among different health care professionals, and transferred to different sites worldwide.(8) Furthermore, it is rather common for such health care environments to support electronic medical transactions (in the form of telemedicine services) between the patient and the health care organization or/and other health professionals. The vast majority of such electronic transactions are offered through the Internet, even though the exchange of personal or/and medical information is a clear prerequisite. It is therefore evident that specific measures are necessary for ensuring that the users can access and process personal data only if it is necessary for the tasks they are authorized to perform (privacy principle of necessity of data processing) and if the purpose of data processing is in line with the purpose for which the data was obtained (privacy principle of purpose binding).(9) Moreover, much attention must be paid to the privacy principle of transparency, so that patients know who has access to their data and for what purpose. Needless to say, the confidentiality and integrity of the information transmitted over the communication channels (including the Internet) should be adequately protected.
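The three principles just named (necessity, purpose binding, transparency) can be enforced mechanically at the point where a record is read. The following Python is an added illustration, not code from the paper; the roles, tasks, data categories and sample records are assumptions chosen to mirror the actors the paper describes.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Data categories each task actually needs (necessity principle).
# Hypothetical mapping for illustration.
TASK_NEEDS = {
    "treatment": {"demographics", "diagnosis", "lab_results"},
    "billing": {"demographics", "insurance"},
    "lab_notification": {"lab_results"},
}

# Tasks each role is authorized to perform. Hypothetical mapping.
ROLE_TASKS = {
    "general_practitioner": {"treatment", "lab_notification"},
    "insurance_agent": {"billing"},
}


@dataclass
class Record:
    patient_id: str
    category: str
    collected_for: str  # purpose the patient consented to when the data was obtained
    value: str


@dataclass
class AuditEntry:
    when: str
    requester: str
    role: str
    patient_id: str
    category: str
    purpose: str
    granted: bool
    reason: str


@dataclass
class RecordStore:
    records: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def access(self, requester, role, task, purpose, patient_id, category):
        """Return the record value if every privacy check passes, else None.

        Checks, in order: the role may perform the task; the category is
        necessary for that task (necessity); the stated purpose equals the
        purpose the data was collected for (purpose binding). Every
        decision, granted or refused, is written to the audit trail.
        """
        granted, value, reason = False, None, "ok"
        if task not in ROLE_TASKS.get(role, set()):
            reason = "task not authorized for role"
        elif category not in TASK_NEEDS.get(task, set()):
            reason = "category not necessary for task"
        else:
            hits = [r for r in self.records
                    if r.patient_id == patient_id and r.category == category]
            if not hits:
                reason = "no such record"
            elif hits[0].collected_for != purpose:
                reason = "purpose differs from collection purpose"
            else:
                granted, value = True, hits[0].value
        self.audit.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(), requester, role,
            patient_id, category, purpose, granted, reason))
        return value

    def patient_view(self, patient_id):
        """Transparency: the accesses (granted or refused) a patient can see."""
        return [(e.requester, e.role, e.category, e.purpose, e.granted, e.reason)
                for e in self.audit if e.patient_id == patient_id]


def sample_store():
    """Constructed sample records for a stand-alone run (not real data)."""
    store = RecordStore()
    store.records.append(Record("p-001", "diagnosis", "treatment", "sample diagnosis text"))
    store.records.append(Record("p-001", "insurance", "billing", "sample policy reference"))
    return store


if __name__ == "__main__":
    s = sample_store()
    print(s.access("dr-a", "general_practitioner", "treatment", "treatment", "p-001", "diagnosis"))
    print(s.access("agent-b", "insurance_agent", "billing", "billing", "p-001", "diagnosis"))
    for entry in s.patient_view("p-001"):
        print(entry)
```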

A different application of the ICT technologies in the health care sector is that of organizations maintaining Web sites for providing users with medical information and advice. Although such an environment is not necessarily linked to that of a health care network, as described above, the offered services are very similar to the electronic medical transaction since the user (probably a patient) can address, through the Internet, a specific request to the medical Web site and obtain the information she/he wants. Depending on the Web site, in order for the patient to access the on-line medical information, it may be necessary to register. Usually this is an electronic process that requests specific personal information from the user. The implication is that the organization maintaining the medical Web site can easily generate “user profiles,” by recording how often some user is visiting the site and furthermore the type of medical information she/he is interested in. It is therefore clear that the privacy violation is again an existing problem although not necessarily as severe as in the case of health care networks or/and during electronic medical transactions.

Consequently additional technological, procedural, and organizational measures are necessary for fulfilling requirements like integrity, confidentiality, availability, and accountability of the information exchanged through a telecommunication network. It is stressed that the terms security and privacy, which are often confused in the literature, are distinct and complementary:(10) A piece of information is secure when its content is protected, whereas it is private when the identity of its owner is protected. In this direction several privacy-enhancing technologies have been widely employed for protecting privacy.(11) However, a long list of technological countermeasures and a secure infrastructure are not enough for ensuring the privacy of the information. For instance, even if we assume the existence of an ultra-secure hospital information system, it may be the case that the hospital decides to disseminate personal and medical data of its patients, thus violating the privacy of those individuals. In the information society, privacy is adopted as a fundamental right of the individual and is related to issues like the type of the information collected, how and for what purpose this information is used, how it is protected, shared, rented, sold, or otherwise disseminated.(3–7)

This paper is organized as follows. In Section 2 there is a brief overview of the legislation concerning privacy. Section 3 provides an overview of the medical environments that support electronic medical transactions or/and the provision of medical information through the Web. Furthermore, it introduces the actors that have been identified to participate in such medical environments. Section 4 lists the risks that a patient is facing, while Section 5 provides the essential steps that each actor category should follow for protecting privacy in accordance with existing legislation. Finally, Section 6 provides some concluding remarks.

PRIVACY AND LAW

Privacy, as a social and legal issue, has for a long time been a concern of social scientists, philosophers, lawyers, and physicians. The United Nations Declaration of Human Rights, the International Covenant on Civil and Political Rights,(12) and many other national and international treaties have recognized Privacy as a fundamental human right that must be protected in democratic societies. Two American lawyers, S. Warren and L. Brandeis, defined Privacy as “the right to be alone.”(13) In general, the concept of privacy can be applied in three different aspects:(14)

• territorial privacy, the protection of the close physical area surrounding a person;
• privacy of the person, the protection of a person against undue interference; and
• informational privacy, the control of whether and how personal data can be gathered, stored, processed or selectively disseminated.


Certain researchers have tried to provide alternative definitions for privacy, expressing the above-mentioned “control” of an individual in terms of property, autonomy, and seclusion. Privacy may be understood as property in the sense that a person may give away part of the control over her/his personal information in exchange for some benefit. Furthermore, it may be perceived as autonomy in the sense that each person is free to partially or completely authorize a third party to obtain, process, distribute, share, and use her/his personal information for a specific aim. Finally, privacy may be understood as seclusion in the sense that everyone has the right to remain undisturbed. In this paper we discuss informational privacy and we assume that privacy is the indefeasible right of an individual to control the ways in which personal information is obtained, processed, distributed, shared, and used by any other entity.

With the arrival of modern Information and Communication Technology systems, privacy is increasingly endangered. As rapid computerization brought fear of a surveillance society, some nations sought to protect individuals from the misuse of personal data. In the European Union, Directive 95/46, “On the protection of individuals with regard to the processing of personal data and on the free movement of such data,”(4) sets the prerequisites for data owners and processors for collecting, processing, and exchanging personal data. The U.S. government promotes the notion of “self regulation,” a set of data protection rules applying to a plurality of market sectors, the content of which has been primarily determined by members of the specific trade sector.

Special emphasis has been put on the use of Unified Codes in several interpretations of the 95/46 Directive. Every collection and processing of the Internet users’ data (i.e., e-mail address, Internet Protocol (IP) address, etc.) falls under the provisions of the above Directive. Any use of the telecommunications services as stipulated in the 97/66 and 2002/58 Directives(5,7) is protected by the provisions for the secrecy of telecommunications. The lifting of secrecy in public authorities is allowed only for specific reasons and under specific conditions and procedures provided by the domestic country’s law framework.

The European Internet Task Force recently published a report concerning on-line data protection. It is critical to mention the four guidelines that have been recommended for all European Countries:

• raising awareness of the Internet users;
• applying existing legislation in a coherent and coordinated way;
• developing and using privacy-compliant, privacy-friendly, and privacy-enhancing technologies; and
• building trusted mechanisms for control and feedback.

In addition, the identification of the protection level “adequacy” offered by the destination country has become the most distinct debate with regard to transborder data flow. The European Union Directive 95/46(4) and the Council of Europe Model Contract of 1992(15) have adopted the term adequate level of protection, while the OECD Guidelines state that transborder flows may be restricted in case that no “equivalent” protection exists.(4)


INVOLVED ACTORS

Figure 1 provides a high level picture of the entities involved in systems that either support electronic medical transactions or provide medical information through the Web.

For the first case the envisaged environment is distributed and consists of Hospital Information Systems, General Practitioners, Social Centers, Insurance companies, etc., all of them being interconnected through the Internet—although specific parts of the network may be implemented through private dedicated lines, the systems must be accessible by patients through the Internet.

Some indicative examples of electronic medical transactions that can be supported by such an environment are

• Home monitoring;
• Emergency consultation;
• Electronic notification of laboratory examination results;
• Access to the Electronic Medical Records of patients by General Practitioners; and
• Insurance claims.

On the other hand, the infrastructure for medical information provision services is very much the same as other on-line information sources, aiming to attract independent Internet users (patients) by presenting them with practical information on several medical issues.

Fig. 1. A high-level picture of entities involved in electronic medical transactions or medical information provision.

Having in mind the above-mentioned environments, the identified actors are as follows.

1. Users: In this paper the term Users represents the “patients” since they are the ones utilizing the offered services. Although health care professionals, hospital employees, insurance agents, etc., are also users of the system, they are not taken into account since, for the scenarios under consideration, their privacy is not threatened.

2. Internet Service Provider (ISP): The entity providing the infrastructure (hardware and possibly applications) for facilitating access to the Internet Services.

3. Telecommunications Provider: The entity providing the physical communication channels, i.e., digital lines, signal retransmission equipment using digital centers, satellites, etc. These entities are often big telecommunications organizations.

4. End Service Provider (ESP): The entity that offers telemedical services or operates the medical Web site. Examples of such entities include health care providers (e.g., national or local health care authorities, health care centers and clinics, hospitals), but also employees who support the operation of the Web site that provides medical information.

An additional actor, who, although not directly involved, plays an important role in carrying out telemedical services, is a Trusted Third Party (TTP) or a Certification Service Provider.(16) These entities supply technically and legally reliable means for protecting the data and for producing objective evidence during electronic transactions, using public-key cryptography techniques. TTPs are operationally connected through chains of trust, usually called certificate paths, realizing a web of trust known as Public Key Infrastructure (PKI). A PKI consists of one or several TTPs that generate cryptographic key pairs (private-key, public-key), and issue and revoke certificates for users and other TTPs. These certificates include public-keys, which are used both during verification processes with digital signatures and for the implementation of various encryption mechanisms. TTPs may be organized in many ways, including, for example, a hierarchy or a decentralized web of trust. A Certification Authority (CA) is a functionally independent unit of a TTP, which manages (i.e., issues and revokes) certificates. In telemedical services, a TTP can be used for generating, distributing, and revoking certificates to patients, medical practitioners, and health care organizations that wish to communicate in a secure way.

RISKS FOR PATIENTS

The ability of a patient to interact with health care organizations or/and professionals through various types of electronic medical transactions or to explore the medical information provided through specific Web sites is undoubtedly beneficial for her/him and leads to high-quality health care services. However, as in most real-life situations, there is a cost we should pay for the advantages we are enjoying. In this case the cost is related to the inherent risks that the patients are facing and specifically to actions that may result in the violation of the patient’s privacy. Some indicative examples are given next:

• During a consultation at a hospital or with a private doctor the patient agrees to reveal sensitive medical information about her/him. However, she/he is now facing the risk that this information may be accessible, without her/him knowing or giving her/his consent, by other authorized or nonauthorized persons. Therefore the confidentiality of the data is at stake.

• During electronic medical transactions the patients always face the man-in-the-middle risk. That means that somebody may act as an eavesdropper and monitor/record all the traffic exchanged through the communication channel utilized by the patient. In such cases the identity of the patient can be revealed or/and the confidentiality of the data may be sacrificed.

• The information transmitted over a communication channel, during an electronic medical transaction or while accessing a medical Web site, can be deliberately or accidentally modified, thus sacrificing data integrity.

• When a user visits a medical Web site, it is technically feasible, through the appropriate processing of “cookies,” to collect personal information without the user’s prior consent. It is therefore feasible to simulate the “electronic behavior” of the user but also to extrapolate the medical issues in which she/he is interested.

• ISPs can easily generate a “user profile” by gathering information on how often her/his medical data are accessed, the type of electronic medical transactions she/he normally performs, and the frequency and type of the medical Web sites that she/he visits.

• Whenever a patient is requested to provide specific personal or/and medical information, either for completing an electronic medical transaction or for being allowed to establish a session with a medical Web site, she/he runs into the danger of revealing much more information than is really necessary for the specific task she/he is trying to complete.

In all the above cases it is evident that if the provisions of the applicable data protection law are not taken into account, the collection and processing of personal medical information may lead to violations of the user’s privacy.

COUNTERMEASURES

The antidote to the violation of an individual’s privacy is the establishment of communication channels that do not reveal the identity of the communicating parties. It is therefore necessary that the technology employed be capable of protecting the security of communications and safeguarding the fundamental rights of users as far as the freedom of expression and the privacy of personal information are concerned. New technologies have emerged supporting Internet users to enhance the security of their communication channels and to safeguard their right of anonymity and secrecy.(10,17) The former technologies are known as Information Security Technologies (IST) whereas the latter are known as Privacy Enhancing Technologies (PET). Many ISTs can be used for enhancing privacy as well.

A list of countermeasures, organized per actor category, suitable for the medical environments addressed in this paper, is presented in the sections that follow. The implementation of most of them is based on ISTs and PETs.

Protection Measures for the Users

As already mentioned in previous sections, the term Users is used for representing the “patients” performing an electronic medical transaction or accessing a medical Web site. It should be stressed, however, that specific countermeasures (like the bullets 1, 3, and 4 that follow) cannot be implemented under the sole responsibility of patients, since they must be supported by the service providers (health care organizations, Web site hosting institutions, etc.). Nevertheless, even in such cases, having ensured that the patients know the existence and purpose of such countermeasures means that they have the capability of judging the security level of the electronic medical services offered to them.

1. Use of secure technology: Capitalize on all available means for protecting the confidentiality and integrity of the user’s personal and medical data that are transmitted over communication channels. Such means are the available legal and technological tools of data cryptography, of electronic mail, of access codes, etc.

2. Moderate disclosure of personal data: The users should be cautious about the information they disclose while navigating through various medical Web sites. More specifically this information may concern:
   • Personal identification data like surname, name, address, etc., transmitted with the user’s consent.
   • Information transmitted without the user’s knowledge (e.g., IP address). Frequently, transmission of such information is imposed by the communication protocols.

3. Seeking anonymity: Evaluate all available mechanisms and procedures that guarantee anonymity to the extent dictated by the applicable law. The best way to safeguard privacy is the employment of anonymous access.

4. Use of pseudonym: The use of nicknames is an extremely effective countermeasure for ensuring anonymity. In cases where full anonymity is not allowed by law, the correlation between the nickname and the real person must be disclosed only to trusted entities.

5. Limited to the purpose disclosure of data: Reveal only data that are necessary for the attainment of the purposes pursued through the particular communication. Attention must be paid in cases of disclosure of sensitive data.(4) In such cases, the use of secure communication channels is recommended. The Secure Sockets Layer (SSL)(18) communication protocol implements exactly that. SSL is frequently used in combination with the Hypertext Transfer Protocol (HTTP), providing secure bilateral communications using Web services. The user can recognize the activation of the above protocol by looking for the initials “https://” in the address of the electronic page.

6. Cautious use of e-mail lists: The e-mail address constitutes personal information and falls under the same protection level as all other personal data. Therefore, one should avoid participating in e-mail address lists that do not notify the purpose of collection, the processing duration, the potential recipients of the data, and do not explicitly provide an unsubscribe process.

7. Cautious downloading of medical information: Particular attention should be paid while downloading files through the Internet, as personal data may be processed and transferred to Internet sites unknown to the user. Current technological tools of active content, i.e., Java, ActiveX, JavaScript, etc., can be used for the collection and processing of personal data without the user knowing.

8. Avoid installation of cookies: Cookies are files sent to the user’s machine by the Web sites. They are used for storing personal data, information concerning navigation attributes, the duration of the visit to the specific site, etc. The next time that the user visits the same site, it is possible for the Web server to adapt its operation to the specific user preferences. The cookie installation must be disabled through the security adjustments of the Web browser.

9. Be aware of applicable legislation: Users should be aware of the latest legislation framework guidelines related to the protection of personal data processing and communication.

Protection Measures for Internet Service Providers

The ISPs should

1. Use software and hardware of certified quality, capable of ensuring the security of the information transferred. ISPs should inform and facilitate the users, if possible, to acquire such software. For example, ISPs could install a Secure Shell (SSH) server and facilitate their subscribers to get the SSH client. This program supports encryption of data and facilitates the user to establish secure electronic connections through various protocols like Telnet, File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP) for e-mail.

2. Perform a detailed risk analysis study to identify all possible threats to the Information System, decide and implement the appropriate security measures, and develop a specific security policy. In that way the physical and logical security of the communication equipment used by the ISP will be in accordance with the 95/46 Directive.

3. Develop an ethics code on the protection of personal data that will be based on the provisions of the 95/46, 97/66, and 2002/58 Directives and that shall be notified to the management and all staff.

4. Inform the users about their rights, as far as the protection of personal data is concerned, and facilitate their access to information security resources. For instance, ISPs should inform users about their right to object to the collection of personal and/or sensitive data affecting them.

5. Publicize, through the home page, the privacy policies adopted pursuant to95/46 Directive and the applicable domestic law.

6. Collect the subscribers’ data in a transparent way. The practical implicationis that cookies and active content technologies should not be employed. Therecommended method is the use of electronic application forms. The collecteddata should be only those that are necessary for the conclusion of the contractbetween the subscriber and ISP. If ISP wishes to collect further data, theyshould be clearly marked as noncompulsory (i.e., an asterisk sign or a changein the color of the letter line in the name of the field) and there should be anexplicit indication for the purpose of their collection.

7. Do not downgrade the functionality offered to the user in cases that she/hehas avoided giving personal data, which are not necessary for the conclusionof the contract between the subscriber and ISP. For example, the materialappearing on the Hypertext Markup Language (HTML) pages of the user’sbrowser should not be restricted because of the fact that the user has deniedthe installation of a cookie at her/his computer. In addition to the above, theaccess options should not be restricted if the user has not filled in personal datafields that were marked as noncompulsory when the data for the conclusionof the contract are submitted via electronic forms.

8. In relation to the above paragraph, it is emphasized that ISP should notsubsidize in any way the consent of the user to the collection of data, whichare not necessary for the conclusion of the contract between the subscriberand ISP.

9. Employ all the appropriate security measures for protecting the personaldata required for the conclusion of the contract, when such data are sub-mitted electronically. In such cases, the use of public key cryptography isrecommended. A suitable technology would be that of digital certificates inconjunction with the use of the SSL protocol. In this way the communica-tion channel, at least for the electronic pages employed for the collection ofpersonal information, can be secured in an acceptable way.

10. Avoid transferring personal and/or sensitive data (including medical data) to non-EU countries or to third countries that do not impose a protection level comparable to that of European member states. For this specific reason, the acquisition of digital certificates from such countries must be avoided.

11. Encourage and provide appropriate technological means for achieving anonymous communications.(19,20) In cases where full anonymity is not allowed by law, ISP should maintain a list of nicknames. Typically, this list should provide the one-to-one correlation between physical persons and nicknames. These correlations should not be revealed to any third party.

12. Avoid monitoring and recording user communications, unless this is necessary for pricing purposes.

13. In cases where recording is a prerequisite for the provision of specific user services, e.g., use of proxies, the inherent risks must be communicated to the users. The use of such services must be allowed only after obtaining the user’s explicit consent.

14. Control the banners hosted, with regard to the personal information that can be intercepted in case the user selects the banner.
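Bullet 9 above recommends digital certificates together with "the SSL protocol" (the paper's reference is the SSL 3.0 specification). A practitioner applying that advice today should note that SSL 3.0, TLS 1.0 and TLS 1.1 have since been formally deprecated, and that a certificate is worthless if the client side does not actually validate it. The following is an added example, not code from the paper, written against the Python standard library `ssl` module: it puts a deliberately weak client configuration next to a hardened one and audits a context before any personal data is submitted over it. The URLs are constructed and never contacted; the function and finding names are this example's own.

```python
"""Audit a client-side TLS configuration before it is used to submit personal data.

Added example (not from the paper). Uses only the Python standard library.
"""
import ssl
from urllib.parse import urlparse


def weak_client_context() -> ssl.SSLContext:
    """The misconfiguration to avoid: a channel that is encrypted but not authenticated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE     # any certificate, from anyone, is accepted
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """The recommended setup: system CA store, hostname binding, modern protocol floor."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname + default CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # SSL 3.0 / TLS 1.0 / 1.1 never negotiated
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context is acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname disabled: certificate is not bound to the host name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2: deprecated protocol versions negotiable")
    return findings


def form_submission_allowed(url: str, ctx: ssl.SSLContext) -> bool:
    """Gate for the form-collection page: only https, and only over a clean context."""
    return urlparse(url).scheme == "https" and not audit_tls_context(ctx)


if __name__ == "__main__":
    # Constructed URL; nothing is contacted. Shows the weak context being refused.
    form_url = "https://example.invalid/subscriber-form"
    for name, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(name, form_submission_allowed(form_url, ctx), audit_tls_context(ctx))
```

The same three checks (certificate validation on, host name checked, protocol floor at TLS 1.2) are what to look for in a browser-facing server configuration as well; the audit here is deliberately on the client side because that is where a "disable verification to make it work" change most often slips in.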

Protection Measures for Telecommunications Providers

Although the identification of protection measures for Telecommunications Providers is outside the scope of this paper, it is worth mentioning that they should

1. perform a detailed risk analysis study to identify all possible threats to the Information and Communication Systems they use,

2. decide on and implement the appropriate security measures, and

3. develop a specific security policy.

In that way the physical and logical security of the communication equipment used by the Telecommunications Providers will be in accordance with the 95/46 and 2002/58 Directives.

Protection Measures for End Service Providers

The ESPs supporting electronic medical transactions and/or maintaining medical information Web sites, in addition to bullets 1 to 10, 12, and 14, which are in force for ISP, should keep in mind the following.

1. During the precontract stage (in cases where a contract exists), the Service Provider should obtain the user’s consent with regard to the transactions that will be offered to her/him. Specifically, in cases of on-line “user agreements” the following should apply.
• The agreement should be clear.
• It should be understandable by the user.
• It should not be lengthy.
• The transaction should not take place unless the user explicitly gives her/his consent.
• The user should have the option to withdraw from the agreement at any stage, even if she/he has agreed in previous stages.
Finally, the user should have the option to download the agreement, read it, and then submit it to ESP in order for the transaction to take place.

2. There must be an explicit consent of the user for her/his inclusion in e-mail lists, maintained by ESP or by her/his work associates, which are utilized for the promotion of ESP’s services.

3. There should be a clear and easy-to-use procedure for a user to opt out from e-mail lists. Such a procedure should always be available to the user. Clearly, the initial sending of an e-message to the user containing information on the opting-out option is not enough, as that message may be lost. For this reason, the opting-out procedure should be available in alternative ways, like for instance in the form of a hyperlink on ESP’s home page.


4. In cases where ESP has forwarded the e-mail address of a user to her/his work associates, for inclusion in e-mail lists maintained by them, it is ESP’s responsibility to notify them about the user’s decision to opt out from the e-mail lists.

Protection Measures for Trusted Third Parties

The TTPs should

1. Include in the text of the Certificate Policy and the Certification Practice Statement, which are announced to the users, their privacy policy.

2. Employ the appropriate software and/or hardware for providing users with the option of utilizing private key(s) for data encryption and digital signatures. The possibilities offered by the currently available technology are
• Creation of the user’s private key by the software installed at the user’s computing system.(17) In this case, TTP simply certifies the public key of the subscriber.
• Creation of the user’s private key by the software installed at TTP’s computing system. In this case, TTP delivers the certificate and the private key to the subscriber via a transferable storage medium.(17) The storage of the private key at the TTP side, for maintainability reasons, should constitute an additional service offered by TTP. Such a service, though, will be at the discretion of the subscriber. Note that in this second case TTP has had access to the private key, so signatures made with it carry weaker non-repudiation than signatures made with a key that was generated and held only by the subscriber.

3. Be in a position to issue anonymous certificates for carrying out anonymous transactions. In such cases, TTPs are responsible for ensuring the secrecy of the one-way correlation between the subscriber and the nickname she/he uses. The techniques employed by TTP for fulfilling the above requirement should be included in the privacy protection policy.
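Both ISP bullet 11 (a nickname list giving a one-to-one correlation between persons and nicknames, never revealed to third parties) and TTP bullet 3 (a one-way correlation between subscriber and nickname whose secrecy the TTP guarantees) describe the same building block: a pseudonym registry. The paper does not prescribe a technique, so the following is an added example, not the paper's own, of one way to implement it: nicknames are derived with an HMAC under a secret key held by the provider or TTP, the reverse mapping never leaves the registry object, and the weak alternative (a plain unkeyed hash of the identity) is shown alongside so that the re-linking attack it enables is visible. Class, function and sample identities are this example's own constructions.

```python
"""Keyed pseudonym registry: one-way nickname derivation with a guarded reverse map.

Added example (not from the paper). Uses only the Python standard library.
"""
import hashlib
import hmac
from typing import Callable, List, Optional


class PseudonymRegistry:
    """Holds the subscriber <-> nickname correlation on the ISP/TTP side only.

    Nicknames are an HMAC-SHA256 tag under a secret key, so a party that sees a
    nickname (or the whole list of them) cannot recompute it from a guessed
    identity without the key. The reverse map is private to this object.
    """

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use a key of at least 256 bits")
        self._key = key
        self._reverse = {}  # nickname -> identity; never exported

    def nickname_for(self, identity: str) -> str:
        """Deterministic: the same person always gets the same nickname."""
        tag = hmac.new(self._key, identity.encode("utf-8"), hashlib.sha256).hexdigest()[:24]
        nick = "pt-" + tag
        owner = self._reverse.setdefault(nick, identity)
        if owner != identity:  # 96-bit tag collision: negligible, but fail closed rather than mislink
            raise RuntimeError("nickname collision; rotate the key or widen the tag")
        return nick

    def resolve(self, nickname: str) -> Optional[str]:
        """Authorised lookup only (e.g. where the law requires it); not a third-party API."""
        return self._reverse.get(nickname)

    def nicknames(self) -> List[str]:
        """The only thing that may be shared: nicknames alone carry no identity."""
        return sorted(self._reverse)


def unkeyed_nickname(identity: str) -> str:
    """The weak alternative: a plain hash. Anyone with a candidate list can re-link it."""
    return "pt-" + hashlib.sha256(identity.encode("utf-8")).hexdigest()[:24]


def relink(nickname: str, candidates: List[str], derive: Callable[[str], str]) -> Optional[str]:
    """Third-party attack: match a nickname against guessed identities using `derive`."""
    for candidate in candidates:
        if hmac.compare_digest(derive(candidate), nickname):
            return candidate
    return None


if __name__ == "__main__":
    import secrets
    # Constructed identities; the key would live in an HSM or key store in practice.
    registry = PseudonymRegistry(secrets.token_bytes(32))
    guesses = ["patient 41", "patient 42", "patient 43"]
    nick = registry.nickname_for("patient 42")
    print("keyed nickname:", nick, "-> resolves to", registry.resolve(nick))
    print("re-link of unkeyed nickname:", relink(unkeyed_nickname("patient 42"), guesses, unkeyed_nickname))
    outsider = PseudonymRegistry(secrets.token_bytes(32))  # third party without the real key
    print("re-link of keyed nickname without the key:", relink(nick, guesses, outsider.nickname_for))
```

The key is the whole secret: whoever holds it can re-derive every nickname from a list of names, which is why the paper's requirement that the correlation not be revealed to third parties translates in practice into key custody (and rotation, which changes every nickname) rather than into hiding the algorithm.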

CONCLUSIONS

In modern “digital societies,” privacy and confidentiality remain important values to the human psyche. The protection of personal information and/or sensitive medical data, within the framework of electronic medical transactions and electronic requests to Web sites providing medical information, constitutes a crucial factor for the successful attainment of Information Society’s purposes. To protect the personality rights of an individual from being violated, all entities-actors (users/patients, ISPs, Telecommunications Providers, ESPs, and Trusted Third Parties) involved in an electronic transaction should employ the appropriate organizational, procedural, and technical countermeasures. As far as the technical countermeasures are concerned, they mainly focus on ensuring the security of the communication channels, protecting the anonymity of the users, protecting the confidentiality of the information through encryption, supporting digital signatures, etc. On the other hand, the organizational and procedural countermeasures are equally important since they are closely linked to the legal and regulatory framework governing the issues of “privacy protection” and “protection of personal and, especially, sensitive data.” Within the evolving telemedicine framework it is a clear necessity that all involved entities must be constantly informed on the aforementioned issues, thus enabling them to adopt the suitable set of countermeasures. This is the only way that telemedicine services can be further developed, while respecting the “patients” in the digital era.

REFERENCES

1. The ISHTAR Consortium, Implementing Secure Healthcare Telematics Applications in Europe, IOS Press, Amsterdam, 2002.

2. Business Week, A little net privacy please. Retrieved March 16, 1998, from http://www.businessweek.

3. The Council of Europe, Convention No. 108, On the Convention for the Protection of individuals with regard to automatic processing of personal data, 1981.

4. The European Parliament and the Council of the European Union, Directive 95/46, On the protection of individuals with regard to the processing of personal data and on the free movement of such data, Oct. 24, 1995.

5. The European Parliament and the Council of the European Union, Directive 97/66, On the protection of individuals with regard to the processing of personal data in the telecommunication sector, Dec. 15, 1997.

6. The European Parliament and the Council of the European Union, Recommendation R(97)5, On the Protection of Medical Data, 1997.

7. The European Parliament and the Council of the European Union, Directive 2002/58, Privacy and Electronic Communications: Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector, July 12, 2002.

8. Gritzalis, S., Iliadis, J., Gritzalis, D., Spinellis, D., and Katsikas, S., Developing secure Web-based medical applications. Med. Inform. Internet Med. 24(1):75–90, 1999.

9. Fischer-Hübner, S., IT Security and Privacy, Lecture Notes in Computer Science 1958, Springer-Verlag, New York, 2001.

10. Ghosh, A., Security and Privacy for e-Business, Wiley, New York, 2001.

11. Argyrakis, J., Gritzalis, S., and Kioulafas, C., Privacy enhancing technologies: A review. In Traunmüller, R. (ed.), Proceedings of the EGOV03 2nd International Conference on Electronic Government, Prague, Czech Republic, LNCS 2739, pp. 282–287, Springer-Verlag, New York, 2003.

12. Privacy International, Electronic Privacy Information Center, Privacy and human rights—An international survey of privacy laws and developments. Retrieved from http://www.privacy.org/pi/survey, 1999.

13. Warren, S., and Brandeis, L., The right to privacy. Harv. Law Rev. 4(5):193–220, 1890.

14. Rosenberg, R., The Social Impact of Computers, Academic Press, New York, 1992.

15. OECD, Implementing the OECD Privacy Guidelines in the Electronic Environment: Focus on the Internet, DSTI/ICCP/REG(97)6/FINAL, Paris, May 27, 1998.

16. Gritzalis, S., Gritzalis, D., Moulinos, K., and Iliadis, J., An integrated architecture for deploying a Virtual Private Medical Network over the Web. Med. Inform. Internet Med. 26(1):49–72, 2001.

17. Lambrinoudakis, C., and Gritzalis, S., Managing medical and insurance information through a smart card based information system. J. Med. Syst. 24(4):213–234, 2000.

18. Freier, A., Karlton, P., and Kocher, P., SSL ver. 3.0, Netscape Communications Corp., California, 1996.

19. Froomkin, A., Flood Control on the Information Ocean: Living With Anonymity, Digital Cash and Distributed Databases, University of Pittsburgh Journal of Law and Commerce. Retrieved from http://www.law.miami.edu/~froomkin/articles/oceanno.htm, 1996.

20. Gritzalis, S., Enhancing web privacy and anonymity in the digital era. Manuscript submitted for publication, accepted for publication in Information Management and Computer Security, 2004.