Document Confidentiality Milan Petkovic, Ray Krasinski Structured Documents / Security WGs HL-7 Cambridge Meeting October, 2010 The Problem • Lack of persistent end-to-end encryption for CDA documents – Distributed heterogeneous environments with multiple intermediaries – Encryption currently at transport level (e.g. TLS) – Certain transports lack standard solutions (e.g. USB drive) – Open document-level standard for encryption fosters interoperability – Similar document-level encryption already defined for imaging • Need for enabling technology towards addressing meaningful use (HITECH), privacy legislation… • Continua Health Alliance, national health networks, etc. foreseen as possible adopters Use case Third party opinion in tele-monitoring 1. 2. 3. 4. DMO transfers encrypted CDA document to hospital in different affinity domain Hospital GP accesses the document GP forwards encrypted CDA document to expert specialist Expert specialist accesses document for 2nd opinion Exchanging health records using USB drives 1. Doctor E-mails record summary to patient as encrypted CDA document 2. Patient detaches document and saves it on his USB drive 3. Patient shares encrypted CDA document with healthcare providers Discussion • Document-level-encryption under discussion in IHE for 2010/2011 – Document encryption – Key management • Potential involvement of HL-7 for CDA document encryption – Encryption at the CDA level (XML Encryption to encrypt body and selected header fields) – Advantage: fine-grained protection (selectively protect metadata and content, …) which allows for routing, searching, de-identification, etc.