This is a hypothetical problem, so remarks about whether it is feasible in practice are off topic.

I have been designing a documentation system for medical records where the patient owns his/her own data (instead of how it currently works in most (?) cases, where the data is stored in a big database at a hospital or similar - an excellent target for both black hats and authorities).

For example, by getting a physical printed paper after each visit to a doctor with the notes and other details of the visit on it. The objection I always get when I suggest this is that it would be a problem in maltreatment cases and similar if the patient could manipulate the documentation.

My solution to this - and this is where I would appreciate input - would look something like this: each paper the doctor gives the patient contains a digital signature (checksum) calculated with the doctor's private encryption key (e.g., as a QR code) in its footer. This prevents the patient from manipulating the document undetected.

Next problem is the document chain: the solution in the previous paragraph does not prevent the patient from handing in papers 1, 2 and 4 but leaving out 3. To solve this, every paper also contains the previous document's digital signature in its body. If the patient presents pages 1, 2 and 4, the checksum for the previous document on 2 will match the checksum on 1, but the checksum for the previous document on 4 won't match the checksum on 2.

Would this work?

One problem remains: what if the patient just presents papers 1, 2 and 3 but not 4? Or if the patient on their fifth visit to the doctor just shows 1, 2 and 3 - meaning you get two documents numbered 4? Any ideas for solutions to these problems? A separate log document? How is it solved in current solutions?

Jedi
d-b
  • Does paper 1/2/4 make sense without 3? – Walfrat Apr 10 '17 at 07:46
  • @Walfrat - I think you can answer that question yourself when you think about how a visit to a doctor might look. 1 "tried treatment A", 2 "tried treatment B" etc. Of course, 2 could look something like "tried treatment B since A didn't work". But OTOH, 2 could also be something like "Patient hadn't noticed any improvement from the treatment, suggested that he/she try it for another 2 weeks" and then 3 would be "Changed to treatment B". So, sometimes 3 wouldn't make sense without previous papers, sometimes a missing paper wouldn't be noticed. – d-b Apr 10 '17 at 09:49
  • Then the best would be that the client doesn't have to give the paper but relies on an application which stores that information and shares it among health professionals. Of course this may not be doable. – Walfrat Apr 10 '17 at 11:25
  • @Walfrat Of course, a more modern solution would be digital documents on a USB stick the patient can carry with him/her, or a solution "in the cloud" - but not the caregiver's cloud, rather the patient's private account on something like Dropbox. But that is just a technical detail. The point is that the patient must have full control of the information. The caregiver should not be able to read it, independent of the circumstances, unless the patient actively allowed it. The purpose is to prevent authorities, black hats etc. from accessing the data. – d-b Apr 10 '17 at 11:59
  • @d-b The problem of the patient discarding pages would be solved if the doctor keeps a record of what pages they have issued, perhaps including a one-way hash of each page to prevent tampering. – Simon B Apr 10 '17 at 12:24

2 Answers

This is a hypothetical problem

But if you add one "practicality" it becomes analogous to one already (more-or-less) solved problem. The practicality to add is:

A doctor should always look at the full medical history of a patient. What may look at first as an unrelated problem can be an important point in a diagnosis.

In other words, all medical records of a patient shall always be presented to a doctor. This solves the discussion (in the comments) about whether presenting part of the documentation (e.g. 1/2/4) is meaningful. So, if we can assume that a patient must always give all documents, the problem becomes analogous to a cryptocurrency.

Bitcoin, or any other cryptocurrency for that matter, signs all transactions with the private key of the wallet from which the transaction originates. Then, when the unit of currency is in another wallet, another transaction will be signed with the private key from that wallet. We have an excellent discussion on that on the bitcoin.SE part of the website.

Therefore a solution where one participant signs a piece of data, the next participant adds more data and signs the result, and so on, does exist and is rather effective. The stack of signatures can be unwound and each one verified.

The difference is that with Bitcoin (or any other cryptocurrency for that matter) the chain is public, because it can be. Medical records are far from something public, but, as you said, the patient can keep them and still be unable to falsify a doctor's signature or tamper with the signed document.

Keeping all the medical records on some media that will store the chain of signed data would actually force a patient to always show his complete medical record to a doctor. Which, in my personal opinion (I'm not a doctor or a lawyer), should be a good thing.

P.S. I'm not considering insurance companies in that last statement.

grochmal

Have a look at how git works. It solves all of this, including merging two version 4s, but not "the patient hides the latest document". To solve that, a log of hashes could be stored elsewhere. You would also have to ensure that the whole thing was computer readable, so that the hash could be recalculated, and this computer-readable version would be the only one that could be trusted (therefore a human-readable version is a security hole).

ctrl-alt-delor
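The following is an added example, not code from the question or either answer. It implements the scheme the question describes (each page's footer is a signature over the page, and each body carries the previous footer) and the issuer-side log that Simon B's comment and ctrl-alt-delor's answer suggest. It uses Ed25519 from Go's standard library as the doctor's signature; the page layout, the `Page`/`Doctor` types and the constructed visit notes are assumptions of this example, not anything the page specifies.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Page is one printed visit note. PrevSig is the signature copied into the
// body (the previous page's footer); Sig is this page's own footer.
// (Layout assumed for this example.)
type Page struct {
	Seq     int
	Note    string
	PrevSig []byte
	Sig     []byte
}

// Doctor holds the signing key plus the issuance log suggested in the
// comments and answers: an identifier of every page ever handed out.
type Doctor struct {
	priv   ed25519.PrivateKey
	Pub    ed25519.PublicKey
	issued []string
}

func NewDoctor() (*Doctor, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Doctor{priv: priv, Pub: pub}, nil
}

// signedBytes is the canonical layout the footer signature covers. It binds
// the note to its sequence number and to the previous page's footer.
func signedBytes(seq int, note string, prevSig []byte) []byte {
	return []byte(fmt.Sprintf("%d\n%s\n%s", seq, note, hex.EncodeToString(prevSig)))
}

// pageID is what the doctor writes into the issuance log: a one-way hash of
// the footer, which uniquely identifies the page without storing its content.
func pageID(p Page) string {
	h := sha256.Sum256(p.Sig)
	return hex.EncodeToString(h[:])
}

// Issue produces the next page of the chain and records it in the log.
func (d *Doctor) Issue(prev *Page, note string) Page {
	p := Page{Seq: 1, Note: note}
	if prev != nil {
		p.Seq = prev.Seq + 1
		p.PrevSig = prev.Sig
	}
	p.Sig = ed25519.Sign(d.priv, signedBytes(p.Seq, p.Note, p.PrevSig))
	d.issued = append(d.issued, pageID(p))
	return p
}

// VerifyChain is what anyone holding the doctor's public key can check: every
// footer is a valid signature, and every body link equals the footer of the
// page before it. An edited note or a missing middle page fails here; a chain
// that is simply cut short at the end does not.
func VerifyChain(pub ed25519.PublicKey, pages []Page) error {
	var prevSig []byte
	for _, p := range pages {
		if !ed25519.Verify(pub, signedBytes(p.Seq, p.Note, p.PrevSig), p.Sig) {
			return fmt.Errorf("page %d: footer signature invalid (edited or forged)", p.Seq)
		}
		if !bytes.Equal(p.PrevSig, prevSig) {
			return fmt.Errorf("page %d: body link does not match the preceding footer (a page is missing)", p.Seq)
		}
		prevSig = p.Sig
	}
	return nil
}

// CheckAgainstLog is the doctor-side check: every page this doctor issued must
// be among those presented. This catches a withheld latest page and, when run
// before issuing, prevents a second "page 4" from ever being created.
func (d *Doctor) CheckAgainstLog(pages []Page) error {
	seen := make(map[string]bool, len(pages))
	for _, p := range pages {
		seen[pageID(p)] = true
	}
	for i, id := range d.issued {
		if !seen[id] {
			return fmt.Errorf("issued page #%d (in issuance order) is not among the %d presented", i+1, len(pages))
		}
	}
	return nil
}

func main() {
	doc, err := NewDoctor()
	if err != nil {
		panic(err)
	}
	// Constructed sample visits, not real records.
	p1 := doc.Issue(nil, "tried treatment A")
	p2 := doc.Issue(&p1, "no improvement, continue A two more weeks")
	p3 := doc.Issue(&p2, "changed to treatment B")
	p4 := doc.Issue(&p3, "B effective, follow-up in 3 months")

	fmt.Println("full chain    :", VerifyChain(doc.Pub, []Page{p1, p2, p3, p4}))
	fmt.Println("pages 1,2,4   :", VerifyChain(doc.Pub, []Page{p1, p2, p4}))
	edited := p2
	edited.Note = "no improvement, stopped A"
	fmt.Println("edited page 2 :", VerifyChain(doc.Pub, []Page{p1, edited, p3, p4}))
	// The chain alone cannot see that page 4 was withheld ...
	fmt.Println("pages 1,2,3   :", VerifyChain(doc.Pub, []Page{p1, p2, p3}))
	// ... but the doctor's log can, and it must be consulted before issuing.
	fmt.Println("log, pages 1-3:", doc.CheckAgainstLog([]Page{p1, p2, p3}))
}
```

The log here is kept by the issuing doctor and only covers that doctor's own pages, which is why the answer speaks of storing the hash log "elsewhere": with several caregivers, whoever holds the combined log is the party that can detect a withheld last page. The chain check needs only the public key and the machine-readable page data, matching the answer's point that the computer-readable copy is the one that can be trusted.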