Queensland University of Technology, Brisbane, Australia - e-Health Research

Patient-centric e-Health System using Programmable Smart Cards


Dr Richard Au is undertaking research to investigate effective patient-centric use of programmable smart cards for access to a national e-Health system. The purpose of adopting a programmable smart card is to ensure the highest levels of security and user privacy. Each client could use a personal smart card to securely hold information for multiple uses, for example different medical consultations. Whenever medical record information for the same client from different clinics/hospitals needs to be linked together, the client can dynamically release the necessary identifier information from his smart card. The smart card can also provide a secure platform for hosting and executing different software “agents” from different parties. With a patient-centric approach, sensitive medical information can be collected from distributed medical databases in different clinics/hospitals and linked together dynamically on demand without revealing the patient's identity. While this pseudo-anonymity preserves user privacy, the architecture design allows the anonymity to be revocable under well-defined, legally compliant policies. Thus the new system can inherit the advantages of centralised management and access to distributed medical databases while protecting patient privacy.

Dr Richard Au’s prior research included the development of smart cards (or personal secure devices) for authorisation and access control. The Java Card has been used to provide a secure environment in which small programs known as cardlets are downloaded from remote servers and executed under user control. A smart card, although constrained by its limited computing power and resources, can operate as an effective secure token for dynamic identity management in e-health systems.

Related Publications:

Mark Looi, Paul Ashley, Loo Tang Seet, Richard Au, Gary Gaskell, Mark Vandenwauver. Enhancing SESAMEV4 with Smart Cards. In Proceedings of Third Smart Card Research and Advanced Application Conference (CARDIS’ 98), Louvain-la-Neuve, Belgium, 14 – 16 September 1998.

Richard Au, Mark Looi, Paul Ashley. Cross Domain One-Shot Authorisation using Smart Card. In Proceedings of 5th ACM Conference on Computer and Communication Security (CCS’ 2000), pages 220–227, ACM Publication, Athens, Greece, 1 – 4 November 2000.

Richard Au, Mark Looi, Paul Ashley. Using Java Card as Authorisation Device in Multi-Application Environment. In Proceedings of Gemplus Developer Conference 2000 (GDC’ 2000), Montpellier, France, 20 – 21 July 2000.


Further publications related to pseudo-anonymity for privacy protection in e-commerce environments (note that the use of a personal secure device to provide SCAE and the anonymous authorisation architecture are also applicable to e-health systems):


Richard Au, Ming Yao, Mark Looi, Paul Ashley. Secure Client Agent Environment (SCAE) for World Wide Web. In Proceedings of the 3rd International Conference on Electronic Commerce and Web Technologies (EC-Web 2002), Volume 2455 of Lecture Notes in Computer Science, Springer-Verlag, pages 234 – 244, Aix-en-Provence, France, 2 – 6 September

Richard Au, Kim-Kwang Raymond Choo, Mark Looi. A Secure Anonymous Authorisation Architecture for E-Commerce. In Proceedings of IEEE International Conference on e-Technology, e-Commerce and e-Service (EEE’05), Hong Kong, China, 29 March – 1 April 2005.