Security Aspects of Electronic Health Records and Possible Solutions

Health related information of a person in systematic format using information and Communication technology is definitely required. Storing patient information according to guidelines provided by government will help to achieve the concept of one person one record. There is also need to share the personal health record whenever necessary. If patient record (History) is readily available, it will help to make correct decisions related to patient’s treatment. In our country (India) Ministry of Health and Family Welfare have recommended to eliminate conventional health record system. The major focus of this paper is to represent various methodologies that are adopted to implement web based health record system. As there is need of security while accessing and sharing of health related information, security is the major factor. Use of block chain, cryptography and timestamp based log record method is discussed. To assure the sharing of records, Inter Planetary File System (IPFS) is also discussed. Major purpose is to provide systematic and easy to use interoperable electronic health Record system. Keywords—Patient history; cryptography; blockchain; timestamp based record; IPFS; electronic health records


I. INTRODUCTION
To provide an effective EHR System it is necessary to focus on some factors related to health care services. There are certain medical terms that definitely need to be studied. The various health record standards are also recommended by health authorities in India. Whenever there is a need to share patient's medical record to other medical expert or other health care centre it is necessary that it should be provided in standard format recommended by government health authority. If medical records are in unstructured or scattered format it is very difficult to analyze the record and that may extend the delay in decision making about the treatment. Web based system is easy to configure and easy to use system. This can be a conventional system to implement EHR system. Various Human Machine Interaction styles are adopted in web based system. The major disadvantage of the web based system is high demand of security arrangements as it has its own limitations. In India most of the medical practitioners are using fully specified names or locally identified terms while recording the diagnosis about the disease. Web based system is found feasible to record the healthcare information using standard terms and it will be feasible to share and analyze healthcare data [13]. Security related issues are definitely required to be addressed. There are various standards such as ICD, SNOMED-CT, LOINC, UML to represent patient's disease information. HL7 and XML are one of the popular communication standards to share Patients information. These standards are beneficial to represent correct medical terms for patient data. Most of the doctors are using locally identified terms to represent patient health information. Very few practitioners have adopted ICD to represent the patient disease information. In India there is a rare scenario to maintain patient's health care information in standard format and in computer memory in electronic form. Web based system will also provide facility to share health record using communication standards such as XML and HL-7. Concept of hashing and block chain is emerging area in security of multiuser system [17].

II. INDIAN SCENARIO ABOUT HEALTH FACILITY
In India the health care system is decentralised. Health services hierarchy in India is from rural sector to urban sector. It is necessary to provide easy to use EHR system. EHR system should also assure meaningful use of data. In 2013, Ministry of Health and Family Welfare notified Electronic Health Records (EHR) Standards for India. The set of Standards given therein were selected from successful standards applicable to EHRs from around the world [14]. Detailed analysis is carried out about suitability and applicability of these standards in India by some expert group. Standards have been improvised and made according to the ever changing need of the mass. In these guidelines detailed recommendation on interoperability standards and clinical informatics standards, data ownership, privacy and security aspects are discussed.
Salient features [11] of electronic health record systems are i) Availability of Records ii) Summary of Clinical events iii) Evidenced Based Care. iv) Faster and Accurate diagnosis and v) Enhance the personalised care. There are certain challenges towards EHR in India. In the recent article from Hindustan Times it is mentioned that in India there are 1 Million doctors of Modern medicine to treat 1.3 Billion of its Population. There are hardly 1.5Lakh Doctors in Public service to serve patients. There is absolute non-existence of patient centric care in our Country. In India there are very less medical facility units to provide healthcare to huge population. Below mentioned table specifies the statistics of public health centres in India. We can observe from the below mentioned table 1 that, there is a growth in number of health centers in India, but these numbers are much below the requirement as far as population of India (133 Cr) is concerned. www.ijacsa.thesai.org There are certain challenges such as lack of manpower, lack of infrastructure and lack of awareness among all service providers regarding proper recording of health care information [1].
In India there are various treatment methods such as allopathy, Homeopathy, Ayurveda and Unani. There are also various successful treatment methods which are found successful for some select diseases. Most of the people are dependent on general practitioners and traditional treatment methods in urban and semi-urban areas. It is necessary if all treatment related history to be recorded in standard format and that will definitely add a benefit to healthcare services in India. There is no any methodology adapted to record patient's health care data.
Health records are generated at every health service centre. Most of the records are either lost or just lying in physical form with medical service unit or with the patient. Some records are destroyed after certain period [2].OPD record is normally handed over to patients. To make it varied purpose EHR is necessary in India. It can be made available for various users for various purposes. It can also be made available for all direct and indirect stakeholders. It is also necessary to provide Patient Centric health information system along with addressing Security and privacy issues. There is also need to address issues of ownership and governance.

III. DESIGN CONSIDERATIONS OF EHR SYSTEM
Following is a screen shot of primary model that comprise of web based recording of patient's data. It is based on salient features recommended by ministry of health and family welfare (MOHFW) govt. of India. A Doctor is motivated from the EHR systems initiated by various countries worldwide.
Web Based Approach: To initiate the EHR system, a web Based system is recommended. In this initial approach PHP MY SQL and JASON is widely adopted. As shown in figure 1 below, we have provided facility to automatically insert ICD and SNOMED CT code for diseases. This is a system proposed for General Practitioners and same can be further stored in standard form on centralised accessible system. Doctors use fully Specified Name or Locally Identified name to record patient case. It is feasible for them to store record in less available time. In above web based system efforts are made to store the information in two standard formats for one FSN or Local Name of the disease. That mapping will help to store disease information in ICD as well as in SNOMED code for each medicinal interaction. Mapping table is generated by including all necessary standards; one can definitely get benefit of using these standards. Following table  is a compact version of the mapping table. To create mapping of these standards special efforts need to be taken to locate the correct equivalent name and verify it be Subject Matter Experts [5]. It is mandatory to involve experts in this mapping process.
Pre-mapped disease names as shown in the table 2, will help to store the patient disease information with standard names (codes). Doctors can also retrieve the same in required format for particular Patient based on simple web based programs for the same [4]. Database and record will be generated. Health information can be accessed with SQL query. We can insert the key term in the text box and key specific data can be retrieved. Natural Language processing method of SQL and that will also help to access patient information based on some key terms. We can browse the patients with specific disease based on FSN, SNOMEDCT or UML key terms. Users can be provided with facility to type their query in simple English sentence as well as we can get their speech converted into text. Further that text can be used as an input string to access relevant data. In MySql NLP Full Text Search technique MySql will look for rows or documents that are relevant to the free-text natural human language query. Accessing Health data will be especially for researchers who wish to apply some analytics to the health data [6]. It will be also useful for organizations to take any strategic decision from the available systematic data. Figure 2 represents the interface to type a simple English question for particular information.   The basic goal of adopting NLP is to build intelligent system that will provide man-machine interface to understand speech and Text. Using NLP we can achieve computer aided Instruction Mechanism that can provide the information when and wherever required. It will also help to enhance the automatic storage and manage the information. NLP for EHR is mainly needed to extract healthcare information stored in unstructured form such as Files, Clinical Notes Reports etc. NLP search technique will search each keyword of the string and will provide the row of the matching words in the database will be retrieved [12]. This will also provide the specific record about the intended search criteria. Figure 3 shows the output for the string that has a simple English question "I want Patients with disease code A23" NLP test technique will provide all the patients having disease code A23.

IV. SECURITY ISSUES
As far as security is concerned there are three major aspects of security as Human Factors, Technological Factors and Policy (Legal and Logical) factors. As it is a web based model there are certain limitations as far as security issues are faced while handling or accessing records. The major issues with respect to security are privacy, data breach and identity theft [3].

1) Data breach:
There is a possibility that data may be shared unknowingly to the outside world through the devices such as smart phones or hand held devices such as tabs and palmtops.
There may be sharing of the data without any intention to malicious threats. If the information consist of any confidential information and that may be disclosed to unauthorized users. Some people will try to process the information either by updating or erasing important health related data. We may adopt some measure towards security and avoid the unauthorised access but it is not possible to avoid the possibilities in which manner data will be accessed.

2) Identity theft:
Once data is available in digital form there is a high risk of identity theft. Normally person will not be willing to share his health information to everyone who is on the digital network. Patient may share that data to his attending doctor, insurance provider and his family members. There is a possibility that data may be sold to similar service providers such as Private hospitals and insurance provider companies and pharmacy companies. Some data challengers may alter the historical data and then it will be very difficult to revert back to earlier version of information. It is observed that there are major challenges towards sharing of medical records. Following are the major challenges are with respect to interoperability. As we have mentioned earlier that Detailed and reliable workflows to share the data outside of the originating organization have not been established. Syntactic, Semantic and Process.
3) Interoperability: EHR is not just creation of the patient's health information but it is necessary to Exchange of Information Between two Different Healthcare Systems. To provide a system that is model l with EHR Standards recommended by Government of India. Policy regarding Patient Identifiers and Coding Terms should be available [9].
Data can be stored in encrypted form as well as it can be made secured using the hashing and block chain technique [15]. Hashing is carried out and same is encapsulated using a block chain. To assure the protection of confidential health related data, Block chain method is used for each transaction that took place in patient's health information [8]. When at each time when patient's record is generated a unique key will be generated for each record if there is any update in health record the new key will be generated by encapsulating the previously generated unique key. Every time for each new transaction the block will be updated [16]. Same is represented in Figure 4.

4) Time stamp recording of a data access: To keep
track of the interactions carried out with the patient record a timestamp based hashing is created [10]. Whenever patient record is accessed each time its hash key will be generated and stored separately in a database along with the timestamp. This is recommended just to keep track of changes (if any) in the record. So that any change in the record can be identified. Following table shows the typical timestamp based hashes for each accessed record. If there is a change in the record its hash value will change else there is no any change reflected in hash value. So any authorized or unauthorized access can also be identified for the health data.
As mentioned in the table 3, one can observe that for patient id 532 there is access of record three times and when record was accessed on Dec 7, 2020 at 20:49 and at 20:50 at both this access points there is no change in hash; no change in record, but when this patient id was accessed and changed at 20:55 we can identify the change in hash. So from log record we can easily detect any change for the said record. www.ijacsa.thesai.org  The Inter Planetary File System is a protocol and peer-topeer network for storing and sharing data in a distributed file system. IPFS uses content-addressing to uniquely identify each file in a global namespace connecting all computing devices. IPFS can be used to share the patient specific information. The major advantage of IPFS is that it creates an IPFS key, normally called as IPFS key or also called as cryptographic Hash. In health records if we want to share images, health reports or a specific patient information, then we can use ipfs to create its compress key and send this key to the intended user. The recipient can use IPFS to retrieve the file in its original form. In this research we have tested IPFS for sharing DICOM (file with extension .dcm) images. A file having size of 1.62 MB is converted into a file as an encrypted string with a smaller size of only 1 KB or less than that. IPFS has represented the huge file knees.dcm to a small string as "QmcmteXR2CLXy6bSMU97iMum9ppmMriq7kaFvs8qCmA JAL" this string can be send to the recipient and at the recipient end this can be regenerated using ipfs I/O environment. Figure  5 represents the detailed description of IPFS to share the files. Only problem is that if there is a need to protect the file from public viewing this IPFS has some limitations. We can encrypt the file and then share to keep the confidentiality of the content. Figure 6 gives a stepwise representation of encrypting the file. There are two approaches as either encrypt the file or encrypt the string generated by the IPFS. As shown in the figure a file is encrypted first and then its encrypted form will be converted into IPFS key. It will be forwarded to the recipient to assure the privacy of the file.

VI. CONCLUSION AND FUTURE WORK
There is a definite need to use Various Electronic Health Record Standards to create easy to use Web Based EHR System. A knowledge base of the EHR standards can be implemented where mapping of disease names can be made available so that it will help doctors to generate systematic Health records. It is need of the time to insist on Patient's www.ijacsa.thesai.org Healthcare Information along with EHR standards [7]. To promote globally sharing of health records communication Standards like HL7 and XML are suitable for the same. We can easily access the Patient's Information. To make it more feasible NLP Full Text method is found suitable to access specific data of a patient.
A major challenge is there to providing a role based access to avoid data challenges. Real Time and Instant Recording of Data using smart devices is future scope of this research. It is also recommended to make it suitable for some Ayurvedic Terms. To motivate the intended users it is recommended to Train the users of the system.