IMPLEMENTATION OF SECURE MEDICAL RECORD USING SMARTCARD TECHNOLOGY

Transcription

1 IMPLEMENTATION OF SECURE MEDICAL RECORD USING SMARTCARD TECHNOLOGY JOTHI PRAKASH A/L MURUGAN DISSERTATION SUBMITTED IN FULFILMENT OF THE REQUIREMENTS FOR THE DEGREE OF MASTER OF COMPUTER SCIENCE FACULTY OF COMPUTER SCIENCE AND INFORMATION TECHNOLOGY UNIVERSITY MALAYA KUALA LUMPUR July 2009

2 ABSTRACT Patients medical histories are documented within their medical records and these records must accompany them over the course of their lifetimes. Until recently, the majority of medical records were handwritten or printed on paper and kept in a paper folder. Healthcare institutions are now moving away from traditional paper-based records to electronic versions; patients entire medical histories are recreated in a digital format as the healthcare field incorporates more technology into its daily practices. Although many healthcare institutions have adopted electronic medical record (EMR) systems, the goals of comprehensive, continuous and patient-centered care have not occurred due to lack of mechanisms that provide practitioners timely and efficient access to the patient's complete health history. Thus, to be able to retrieve patient s health record timely and efficiently, smartcard technology was adopted into EMR systems. Although substantial benefits were expected from smartcard-based EMR systems to solve those primary issues, privacy and confidentiality of EMRs are obviously at risk if the implementations of such EMR systems are not made secured. This research effort addresses two major areas. Firstly is to analyze and scrutinize the implementation of EMR-based systems in healthcare sector. The second area is to attempt to manage EMRs in a secure smartcard platform. Crucial factors affecting a smartcard-based EMR, such as security, privacy and implementation methodology is presented in detail in the first part of this research. Subsequently a four-level security authentication model has been introduced in an attempt to secure the EMR smartcard which complies with international standards for smartcard. The software methodology used in this research area is Unified Modeling Language (UML), an object oriented modeling technique. The significant contribution of this study is to present an implementation model for a secure smartcard-based EMR system. A patient-centered EMR smartcard interface prototype is developed to prove its integration viability. Testing results from the prototype demonstrates that the idea of using smartcard technology to secure EMR is viable. Further enhancement to safeguard the EMR on smartcard has been presented in the research which would greatly benefits the healthcare industry in general and the patients in particular. ii

3 ACKNOWLEDGEMENTS I wish to express my heartiest gratitude to all the people who have helped me in completing this dissertation especially to my supervisor Dr. Rosli bin Salleh, for his encouragement, patience and invaluable guidance throughout the process of writing this dissertation. Special thanks to Ms. Devi and Mr. Mathura for proof reading my dissertation and their helpful comments and moral support that they gave. I m also greatly thankful to my friends and colleagues, who have given me ideas and constant inspiration for the continuation and completion of this dissertation. Last but not least, I dedicate this dissertation to all my family members who have always been there to support me in all my endeavors, especially my mother and demised father who had sacrificed their lifetime for my success. iii

4 TABLE OF CONTENTS Abstract Acknowledgement Table of Contents List of Figures List of Tables ii iii iv vi viii Chapter 1: Introduction 1.1 Background And Motivation Advancement of Medical Informatics in Malaysia Changes in Medical Record Keeping Trend The Electronic Medical Record The Emergence of Smartcards in Healthcare Problem Statement Objectives Scope and Limitations Research Methodology Expected Research Outcome Organization Of Dissertation 19 Chapter 2: Literature Review 2.1 Introduction Definition and Terminologies An Analysis On Medical Record Terminologies Capabilities of EMR EMR Adoption Model Healthcare in Malaysia Security, Privacy and Confidentiality of EMR Case Study On Security Breaches in EMR Systems Technical Review of Smartcard Technology Smartcards in Healthcare An Analysis Of Previous Healthcare Smartcard Implementations Current Researches in EMR Smartcard Summary of Related Literature 65 Chapter 3: Research Methodology 3.1 Key Methodological Approaches Identify The Modeling Technique for EMR Smartcard Software Development Methodology Requirement Capturing and Modeling Requirement Analysis Analysis and Design A Systematic Test Procedure 104 iv

5 Chapter 4: Development & Testing 4.1 Introduction System Overview Objective Of The Software Software And Hardware Technology Consideration System Architecture Graphical User Interface Implementation Using The Tool Test Results And Discussion System Limitation Summary 144 Chapter 5: Discussion And Conclusion 5.1 Introduction Research Outcomes and Discussion Challenges Limitation Future Enhancements Summary 153 APPENDIX A The Smartcard Protocols: ISO/IEC 7816-PART4 155 APPENDIX B EMRSmartcard Source Code 183 REFERENCES 227 v

6 LIST OF FIGURES Figure 1.1 The Four Components of Malaysian Telehealth Application 3 Figure 1.2 Research Methodology 17 Figure 2.1 Popularity of Terminologies used in Medical Software 24 Figure 2.2 Sources of EMR 27 Figure 2.3 EMR Adoption Model 36 Figure 2.4 The different types of insider threats to information 45 Figure 2.5 Level of vulnerability exploitation 47 Figure 2.6 Level of vulnerability severity 48 Figure 2.7 Vulnerability duration 48 Figure 2.8 Level of protection against vulnerability 52 Figure 3.1 Methodology Approaches of this research 69 Figure 3.2 File Base Modeling Sample for Smartcard 71 Figure 3.3 A 3DES Encryption/Decryption Procedure 80 Figure 3.4 Memory Mapping of EMR Smartcard 83 Figure 3.5 Unified Process disciplines and phases 87 Figure 3.6 Abstract Use Cases 94 Figure 3.7 Use Case Diagram for Secure medical record clinic management system Figure 3.8 Use Case Diagram for Smartcard 97 Figure 3.9 Use Case Realization for Add Patient Record Use Case 99 Figure 3.10 Collaboration diagram for Add Patient Record Use Case 99 Figure 3.11 Write Medical Record Use Case realization 100 Figure 3.12 Write Medical Record Collaboration Diagram 100 Figure 3.13 Read Medical Record Use Case realization 101 Figure 3.14 Read Medical Record Collaboration Diagram 101 Figure 3.15 Add Patient Record sequence diagram 102 Figure 3.16 Layered security model 106 Figure 4.1 Architecture Diagram 115 Figure Level Security Implementation Architecture 117 Figure 4.3 Protecting Access to EMR using smartcard 118 Fugue 4.4 Protecting Access to Smartcard vi

7 Figure 4.5 Protecting Health Records on a Smartcard 120 Figure 4.6 Basic Frame for the GUI of EMRSmartcard 122 Figure 4.7 File Creation with Secure Messaging 124 Figure 4.8 Key Creation with Secure Messaging 124 Figure 4.9 User Login to EMRSmartcard Application 128 Figure 4.10 Select Patient Registration submenu from Main Menu 129 Figure 4.11 Enter New Patient Details 130 Figure 4.12 Completed Patient Registration Form 131 Figure 4.13 EMRSmartcard Read/Write Interface 132 Figure 4.14 Search Patient Record Using EMRSmartcard 133 Figure 4.15 Implementation of Transmission Level Security 143 Figure 4.16 Implementation of Card Level Security 143 vii

8 LIST OF TABLES Table 1.1 Research Outcome Summary 18 Table 2.1 EMR and EHR Comparison 32 Table 2.2 Different Smartcard Implementation and Description 61 Table 2.3 Implementation of Smartcard and its benefits 62 Table 3.1 File Organization for EMRSmartcard 82 Table 3.2 Activities and Deliverables for phases in USDP 88 Table 3.3 Abstract Healthcare Domain Use Case 94 Table 3.4 Use Case Description 95 Table 3.5 Security Services Security Mechanisms Test Plan 107 Table 3.6 Compliance Test Plan 108 Table 3.7 Performance Test Plan #1 110 Table 3.8 Performance Test Plan #2 110 Table 3.9 Performance Test Plan #3 111 Table 3.10 Performance Test Plan #4 112 Table 3.11 Performance Test Plan #5 112 Table 4.1 Initial Requirements and Respective Interface Modules 121 Table 4.2 List of Administration and Security Command Set 125 Table 4.3 List of Response Code 127 Table 4.4 Security Services Security Mechanisms Test Result 134 Table 4.5 Compliance Test Result 136 Table 4.6 Performance Test Result #1 137 Table 4.7 Performance Test Result #2 138 Table 4.8 Performance Test Result #3 139 Table 4.9 Performance Test Result #4 139 Table 4.10 Performance Test Result #5 140 viii

9 ix