Who can I trust with my medical data?
UvA researcher develops alternative to National Switching Point (LSP)
This week, UvA researcher Guido van 't Noordende will launch the Whitebox pilot project – an alternative to the National Switching Point (LSP) designed to facilitate the secure communication of medical data. The pilot is set to run until the end of this year. Why this alternative, and how does it work in practice?
Privacy and security researcher Van ’t Noordende has been closely monitoring developments surrounding the LSP (the former National Electronic Patient Dossier) for some seven years. The LSP was originally designed to help care providers exchange medical patient data in an efficient and secure manner. In 2010, Van ’t Noordende voiced his reservations about the project.
‘The Electronic Patient Dossier was originally presented as a decentralised data storage system. The question is: how does a decentralised national exchange system work in practice, and how safe can it really be? I assessed the system's inner workings in collaboration with a student. Although data is stored by the general practitioner on a decentralised basis, the information is accessed from a central point. In reality, it's just as centralised as a central database containing all patient data,’ Van 't Noordende explains.
Furthermore, general practitioners have no way of determining who has been accessing their patients' information. Van 't Noordende: ‘The party seeking to access the information will sign the request using a smart card. This request is then sent to the LSP and forwarded to the end system: the general practitioner. However, the GP's system doesn't get to see the signature. As a result, general practitioners are forced to blindly trust the LSP. Furthermore, GPs do not have control over who accesses what information. That's no way to design a threat-proof architecture. To me, any system that relies on a single central point to handle all requests simply isn't good enough.’
Van 't Noordende decided to draw attention to the problems. ‘As far as I'm concerned, it's part of my responsibility as a researcher. I stressed my safety concerns and offered the developers suggestions to improve the system. Unfortunately, they didn't really put them to use. Seven years down the road, we're still using the same system, now managed by a private consortium instead of the government.’
For many, it boils down to a simple dilemma: do you opt for privacy or for the broad accessibility of medical data? Van 't Noordende argues that this dilemma is not as black-and-white as it often seems. Although he certainly values privacy, he also stresses the importance of enabling care providers to exchange information with colleagues where necessary. The challenge then becomes: how do you ensure secure health information exchange while safeguarding privacy?
Having spent the past few years working on the problem, Van 't Noordende recently presented a solution: the Whitebox. The Whitebox is a small computer installed in general practices, and it is owned by the doctors themselves. The Whitebox can share medical data with the after-hours clinic and hospital specialists through individual links, each covering a specific, small-scale authorisation. This way, information can be made available to the health professionals who are involved in managing a patient's care while keeping all others out. For example, a pharmacist can obtain information from a GP's medication record when dealing with a patient's prescription, but others cannot. This limits the attack surface on a patient's information and ensures that patient information is only handled by a typically small number of healthcare professionals who are known and trusted by the patient.
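The difference between the two designs described above (the LSP forwarding a request whose signature the GP's system never sees, versus the Whitebox's individual, GP-owned links) can be shown as a small simulation. This is an added illustration, not code from the Whitebox project or the LSP; requester names, keys and the authorisation table are constructed, and HMAC stands in for the smart card's signature only so the block runs with the standard library.

```python
import hashlib
import hmac
import json

# Constructed keys standing in for each requester's smart-card credential. HMAC is a
# stand-in for the card's signature; the structure of the check is the point, not the primitive.
REQUESTER_KEYS = {
    "pharmacy-001": b"constructed-key-pharmacy",
    "specialist-042": b"constructed-key-specialist",
}

# The practice's own authorisation list (the Whitebox-style "individual links"):
# which requester may read which record. The GP, not a hub, owns this table.
GP_AUTHORISATIONS = {"pharmacy-001": {"medication_record"}}

def _canonical(requester, resource):
    return json.dumps({"requester": requester, "resource": resource}, sort_keys=True).encode()

def sign_request(requester, resource):
    """Requester signs the request (the smart-card step described in the article)."""
    body = _canonical(requester, resource)
    sig = hmac.new(REQUESTER_KEYS[requester], body, hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

def hub_forward(signed):
    """Hub-mediated model: the hub verifies the signature, then forwards only its
    own unsigned assertion of who asked. The end system never sees 'sig'."""
    req = json.loads(signed["body"])
    expected = hmac.new(REQUESTER_KEYS[req["requester"]], signed["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["sig"]):
        return None
    return {"requester": req["requester"], "resource": req["resource"]}

def gp_accepts_hub_assertion(asserted):
    """GP system in the hub model: nothing to verify, so it can only apply its list to whatever identity the hub claims."""
    return asserted["resource"] in GP_AUTHORISATIONS.get(asserted["requester"], set())

def gp_accepts_direct_request(signed):
    """End-to-end model: the GP system verifies the requester's signature itself,
    then applies its own authorisation list, and can record exactly who asked."""
    req = json.loads(signed["body"])
    key = REQUESTER_KEYS.get(req["requester"])
    if key is None:
        return False
    expected = hmac.new(key, signed["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["sig"]):
        return False
    return req["resource"] in GP_AUTHORISATIONS.get(req["requester"], set())
```

In the hub model the GP system accepts any assertion naming an authorised requester, whether or not a card ever signed it; in the direct model an unauthorised or tampered request is rejected locally, and the verified identity is available for the practice's own access log.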
If needed, information can also be made accessible on a larger scale at the request of the patient, for example when the GP's record contains information that might be critical in an emergency. However, because this relies on a centralised system, patients should be made aware of the security and privacy risks involved and give permission in advance. Many doctors feel there is little need to make patient data available outside the small circle of directly involved care providers; this demand is mostly limited to patients with complex medication or chronic illnesses, a group estimated to make up 10-15% of the overall patient population.
Cooperation with GPs
Van 't Noordende developed Whitebox in close cooperation with general practitioners. ‘This represents a real advantage over the LSP, which was initiated as a top-down measure. Such an approach seldom proves effective in the care sector. The Whitebox was developed in response to a demand from both care providers and patients seeking to exchange medical data in specific situations. Data can be exchanged efficiently without any need to make information accessible to a large number of care providers.’
Whitebox is currently being tested at general practices throughout Amsterdam, giving the after-hours clinic access to information during evening and night shifts. The potential for exchanging information with pharmacies and hospitals will be assessed in the near future.
About the initiators
Huisartsen Kring Amsterdam-Almere is the regional branch of the Dutch National Association of General Practitioners (LHV). The organisation decided to participate in the Whitebox project in response to a survey amongst Amsterdam-based general practitioners showing that two-thirds of all GPs preferred a regional system over the LSP.
Whitebox Systems is a University of Amsterdam spin-off established by security researcher Guido van 't Noordende. The company focuses on computer system security and privacy protection for communications in the healthcare sector. The underlying technology is the product of research conducted at the UvA as part of the COMMIT/ project. Collaboration with general practitioners has been prioritised from the outset to ensure that the system accurately reflects professional practice and is user-friendly.