This paper investigates the use of Internet technology to provide secure multilingual access to the medical records of a cardiology clinic. Information extracted from the medical record archive is used to create mini-Webs of interlinked pages that may be viewed using a standard browser.
The main features of the reported project are its multilingual nature – of particular significance in Europe, the provision of strict security measures, and the support of usage profiles. Medical data may be viewed either in Greek – the language in which the data are stored – or in English, through an automated translation process. Security measures are as follows: 1) a password is required for access; 2) all transactions are logged; 3) the patient’s name and medical data are never transmitted together; 4) mini-Webs are deleted when the transaction is complete; 5) the remote user never has direct access to the central database.
The Internet, particularly in the form of the World Wide Web, is playing an ever-increasing role in our daily life and cardiologists have begun to realise its potential in a medical context [1]. Recently, attempts have been made to take advantage of Internet facilities in medical database applications [2-6].
Figure 1: Configuration of the computer system
This paper reports on the use of Internet technology to provide secure remote access to the computerised medical records maintained in the Cardiology Department of Heraklion University Hospital, Crete. Since the hospital is in a touristic region, a significant number of foreign patients are treated in our cardiology clinic every year and other patients sometimes need to be transferred to hospitals elsewhere in Greece. Thus, the purpose of this project was twofold: to share data with other departments within the same institution and to allow physicians in other regions or countries to see the clinical data of patients of theirs who may have been treated here.
The medical archive is stored in a relational database built using the Corel Paradox™ software package. An Apache web server was installed and configured to create temporary ‘mini-Webs’ containing the medical data of specific patients. These patient mini-Webs may be viewed using standard Internet browser software (Figure 1).

Figure 2 shows a typical transaction sequence. The authorised user logs on with an encrypted password and has the opportunity to select the language in which the subsequent data will be displayed (Figure 3). Currently, two usage profiles are supported. The first one provides access to the medical data of a single patient through a patient password, and the second one provides access to the whole archive through a user password.
Figure 3: Part of the login screen, showing password entry and language selection
Upon the submission of a valid password, the user is redirected to a patient confirmation page (Figure 4). This is the only time that the patient's name is transmitted.
Figure 4: Part of the patient confirmation screen
If a user password is provided, then a patient must be selected first, based on a few letters of the first and last names. In this case, the user is given the opportunity to select from a list of patients whose names match the letters given (Figure 5). This selection leads to the patient confirmation page. If the user accepts the patient shown, the subsequent data appear in a new browser window. The patient's name is never transmitted again.
The starting point for navigation through the patient's mini-Web is the demographics page (Figure 6). This includes address, telephone numbers, profession, and other fundamental information. The demographics page also contains a hyperlink to a page of risk factors for coronary artery disease and one or more hyperlinks to pages with data relating to the patient's admissions to the clinic.
Figure 6: The first page of a patient’s mini-Web
Each admission page (Figure 7) contains information such as dates of admission and discharge, presenting symptoms, diagnoses, and medication. The admission page also includes hyperlinks to other pages with information about specific examinations, such as electrocardiograms and laboratory findings. Images or other data files can be referenced from the relevant page by a hyperlink and viewed either within the browser window or by using suitable plug-in software (as in the case of digital electrocardiograms).
Once the user has finished viewing the data, which may be printed out or stored on disk, the transaction is closed and the files that comprise the mini-Web are deleted. If the user does not explicitly end the transaction, a periodic check removes files whose access period has expired.
Figure 7: Example of an admission page
The system consists of two components: the database and a database-independent web server component (Figure 8). The reason for this design was to allow flexibility and easy portability to other database platforms.
Figure 8: The architecture of the system consists of database-dependent and database-independent components
The database component uses Object PAL, the programming language that forms part of the Paradox database package. Object PAL scripts read the HTML templates line by line, as text files, insert data from the database, search for meta-statements and perform the necessary actions, add standard headers and, finally, write the completed page to the appropriate mini-Web location.
If the language specified is English, the translation from Greek takes place as the mini-Web pages are created. Proper names and addresses are transliterated using a dedicated algorithm. For other data, such as the diagnoses in Figure 7, lookup tables are used to obtain the equivalent English terms.
The time required to complete this process varies according to the number of pages to be created and whether or not translation is required. However, in the demonstration version the mini-Web is normally ready for access within 5-10 seconds from the time the user specifies the identity of the requested patient. In general, the time taken to construct the mini-Web is small in comparison with the total Internet access time. Indeed, even with a dial-up Internet connection the total time lapse between selecting a patient and entering the mini-Web can be as little as three seconds.
The automatic extraction of data from an information system and its formatting according to alternative templates is an active research area [7]. The approach we followed in this system is simple and extensible and works on all browsers.
The system maintains one set of HTML templates for each language supported. Which set of templates is used depends on the language selected on the login page.
In addition to the text and formatting instructions found in standard HTML files, our HTML templates contain delimited field names and commands from a simple meta-language. Each template is associated with a 'root' table in the database, from which most or all of the data are extracted and inserted in positions indicated by the relevant field names. Meta-statements indicate the insertion points for data from tables other than the form's 'root' table or for hyperlinks to other mini-Web pages, details of image or other files that must be copied to the temporary mini-Web location, and so on.
For example, in Figure 6 the hyperlinks to the admission pages are created by a 'LINK' meta-statement within the template. The software looks in the underlying Paradox database for records in the 'Admissions' table that are linked to the current patient record and creates a hyperlink for each. Recursion is used to create the linked admission pages in the mini-Web, based on parameters that follow the 'LINK' meta-statement.
To create each admission page (Figure 7), the data relating to presenting symptoms (Reason for Admission), diagnoses and medication are read from other tables according to the 'INCLUDE' meta-statement. In this case, the data are inserted into the page in tabular form, rather than being referred to through hyperlinks. Hyperlinks are used to point to the electrocardiogram and laboratory pages.
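The template expansion described above, sketched in Python as an added example (it is not the paper's Object PAL code). The `[[Field]]` delimiter, the `<!--INCLUDE ...-->` and `<!--LINK ...-->` spellings, and the table layout are assumptions, since the paper does not give its meta-language syntax; the example also shows why database values must be escaped before they reach the page.

```python
import html
import re

FIELD = re.compile(r"\[\[(\w+)\]\]")                          # assumed field delimiter
META = re.compile(r"<!--(INCLUDE|LINK) (\w+)(?: (\w+))?-->")  # assumed meta syntax

# Constructed sample data standing in for the Paradox tables.
TEMPLATES = {
    "demographics": "<p>[[profession]]</p><!--LINK Admissions admission-->",
    "admission": "<p>Admitted [[admitted]]</p><!--INCLUDE Diagnoses-->",
}
TABLES = {
    "Admissions": [
        {"id": 10, "parent": 1, "label": "1999-03-02", "admitted": "1999-03-02"},
        {"id": 11, "parent": 1, "label": "1999-07-15", "admitted": "1999-07-15"},
    ],
    "Diagnoses": [
        {"parent": 10, "text": "Unstable angina"},
        # A stored value that mimics a meta-statement must stay inert.
        {"parent": 11, "text": "<!--LINK Admissions admission-->"},
    ],
}
PATIENT = {"id": 1, "profession": "Teacher <retired>"}


def render(name, record, pages):
    """Render template `name` for `record` into `pages`; return the file name."""
    def meta(m):
        kind, table, target = m.groups()
        rows = [r for r in TABLES[table] if r["parent"] == record["id"]]
        if kind == "INCLUDE":  # related rows inserted in tabular form
            cells = "".join(f"<tr><td>{html.escape(r['text'])}</td></tr>" for r in rows)
            return f"<table>{cells}</table>"
        # LINK: one hyperlink per related record, each page built recursively.
        return "<br>".join(
            f'<a href="{render(target, r, pages)}">{html.escape(r["label"])}</a>'
            for r in rows)

    # Fields first: escaped values cannot form a meta-statement, and text
    # inserted by the META pass is not scanned again.
    body = FIELD.sub(lambda m: html.escape(str(record[m.group(1)])), TEMPLATES[name])
    page = f"{name}_{record['id']}.html"
    pages[page] = META.sub(meta, body)
    return page
```

Calling `render("demographics", PATIENT, pages)` with an empty dict fills it with the demographics page and one page per admission.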
The web server component is database-independent, built on CGI, PERL and ODBC technologies. Using any Internet browser, authorised users (i.e. cardiologists, patients, referring physicians) submit CGI forms that trigger the execution of PERL scripts. These scripts log user requests, mediate database access, and redirect the user to the appropriate parts of the patient’s mini-Web. Logging in to the system triggers a PERL script that authenticates the user password and records the request in the database using ODBC. PERL scripts are used to confirm a patient’s identity, invoke the execution of Object PAL scripts that create the patient mini-Web, and redirect the user to it. They are also used to create dynamic Web pages in case of error. Patient mini-Webs are stored for the duration of user transactions. If the user exits the system normally (clicking the close button), a PERL script is executed that deletes the mini-Web. Otherwise, the mini-Web is deleted later by the clean-up utility of the web server component.
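The mini-Web lifecycle described above (creation, deletion on normal exit, periodic clean-up), as an added Python example rather than the paper's PERL scripts. The 30-minute limit is the maximum lifetime the paper gives for a mini-Web; the one-directory-per-transaction layout, the random directory name and the use of the directory's modification time as its age are assumptions.

```python
import os
import secrets
import shutil
import time

MAX_AGE = 30 * 60  # seconds; the paper's stated maximum mini-Web lifetime


def create_miniweb(root, pages):
    """Write pages into a fresh, owner-only directory with an unguessable name."""
    path = os.path.join(root, secrets.token_urlsafe(16))
    os.mkdir(path, mode=0o700)
    for name, body in pages.items():
        with open(os.path.join(path, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return path


def close_miniweb(root, path):
    """Normal exit: delete the mini-Web, refusing any path not directly under root."""
    real_root, real = os.path.realpath(root), os.path.realpath(path)
    if os.path.dirname(real) != real_root:
        raise ValueError("not a mini-Web directory")
    shutil.rmtree(real)


def sweep(root, now=None, max_age=MAX_AGE):
    """Periodic clean-up: remove mini-Webs whose access period has expired."""
    now = time.time() if now is None else now
    removed = []
    for entry in os.scandir(root):
        if not entry.is_dir(follow_symlinks=False):
            continue  # ignore stray files and symlinks
        if now - entry.stat(follow_symlinks=False).st_mtime > max_age:
            shutil.rmtree(entry.path)
            removed.append(entry.name)
    return removed
```

Run `sweep` on a schedule shorter than `MAX_AGE`, so an abandoned mini-Web outlives its limit by at most one interval.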
The question of the security of Internet traffic is a thorny one [8-9]. The main issues are the restriction of access to authorised users, maintaining the integrity of the database, and minimising the risk of the loss or 'theft' of data in transit.
In the system presented here an encrypted password is required for access. The number of valid passwords represents only a tiny proportion of the number of possible passwords (10⁻⁸), so that the chances of an unauthorised user hitting on a valid password by accident are acceptably close to zero. Passwords are checked for internal consistency at login time and if three invalid passwords are received from the same location, then that location is 'blacklisted' and further access is denied until the matter has been investigated. Furthermore, all transactions are logged so that the administrator can monitor which patients' records have been viewed when, from where and by whom. Any suspicious entries can be investigated.
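The three-strikes blacklist and transaction log described above, as an added Python example rather than the paper's PERL login script. The hashed password store, the reset of the failure count on a successful login, and all names and sample passwords are assumptions; the internal-consistency check is left out because the paper does not define it.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3  # the paper: three invalid passwords blacklist a location


class LoginGate:
    """Password check with a per-location blacklist and an audit log."""

    def __init__(self, passwords):
        # Assumption: only salted hashes are kept; the paper does not say
        # how its passwords are stored.
        self._salt = os.urandom(16)
        self._valid = [(self._digest(p), prof) for p, prof in passwords.items()]
        self._failures = {}     # location -> invalid attempts since last success
        self.blacklist = set()  # locations blocked pending investigation
        self.log = []           # (time, location, outcome, profile)

    def _digest(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 50_000)

    def attempt(self, location, password, now):
        profile = None
        if location in self.blacklist:
            outcome = "blacklisted"  # refused even if the password is valid
        else:
            digest = self._digest(password)
            for stored, prof in self._valid:
                if hmac.compare_digest(stored, digest):
                    profile = prof
            if profile is not None:
                outcome = "ok"
                self._failures.pop(location, None)  # assumption: success resets the count
            else:
                outcome = "invalid"
                self._failures[location] = self._failures.get(location, 0) + 1
                if self._failures[location] >= MAX_FAILURES:
                    self.blacklist.add(location)
        self.log.append((now, location, outcome, profile))
        return outcome

    def clear(self, location):
        """Administrator lifts the block after investigating the log."""
        self.blacklist.discard(location)
        self._failures.pop(location, None)
```

Every attempt, including those refused because of the blacklist, lands in `log` with its time, location, outcome and usage profile, which is the record an administrator needs for the investigation the paper mentions.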
The mini-Web consisting of pages of information relating to a specific patient typically only exists for a few minutes and for a maximum of half an hour. These pages are linked only through the initial patient confirmation screen and the web server itself is a dedicated one that is used for no other purpose. It is thus unlikely that these pages will ever come to the attention of a casual, or even a determined, Web surfer.
Regarding data integrity, it should be noted that the remote user never has access to the central clinical database, which is located on a separate computer that is accessed through a password-protected network. Thus, the question of tampering or deleting data simply does not arise.
As far as data transmission is concerned, it is impossible to guarantee the security of data sent over the Internet with 100% confidence. However, the same is true for data sent by mail, fax, or courier service. Furthermore, the sheer volume of information transmitted through the Internet nowadays provides its own security: the medical data supplied in the system described here represent but a tiny drop in the ocean of total Internet traffic.
To reduce the probability of unauthorised interception even further, the patient's name is sent only once: all subsequent screens containing medical data are anonymous. We believe that the risk of a given patient’s confidential information becoming available to an interested, but unauthorised party is acceptably low.
As an extension of the system described here, we plan to add other usage profiles that will allow access to specific subgroups of patients within the database. The system will also be expanded to handle additional examinations and a variety of image and other data types.
The use of Internet technologies for remote access to medical records is undoubtedly a convenient way of sharing patient information within and between healthcare facilities. The security measures, in our opinion, are adequate for permitting access only to authorised users without compromising the confidentiality of medical records. The multilingual aspect, discussed only briefly above, may be of particular interest in Europe, where business, study and recreation increasingly involve travelling abroad.
A demonstration version of the above scheme, using fictitious data, can be seen on the Internet at either of the following URLs:
http://arachne.ics.forth.gr:8080/cardioS or at http://cardio.med.uch.gr/DBdemo
[1] Brennecke R, Hammermeister K. Computers and the Internet in cardiac care. Will cardiology rise to this extraordinary opportunity? Eur Heart J 1997;18:1382-4.
[3] Pinciroli F, Combi C, Portoni L, Violante FF. KHOSPAD: Knocking at the HOSpital for PAtient Data. In: Computers in Cardiology 1997. Lund: IEEE Computer Society Press, 1997:267-70.
[4] Pinciroli F, Portoni L, Combi C, Violante FF. WWW-based access to object-oriented clinical databases: the KHOSPAD project. Comput Biol Med 1998;28:531-52.
[5] Cimino JJ, Socratous SA, Clayton PD. Internet as clinical information system: application development using the World Wide Web. J Am Med Inform Assoc 1995;2:273-84.
[6] Mizushima H, Uchiyama E, Akiyama M, Yamamoto R, Tatsumi H. Medical Internet exchange project in Japan. MedInfo 1998;9:417-9.
[7] Maret P, Beney J, and Rubel P. Multimedia Information Interchange: Web Forms Meet Data Servers. ICMCS, Vol. 2 1999: 499-505.
[8] Baker DB, Masys DR. PCASSO: a design for secure communication of personal health information via the Internet. Int J Med Inf 1999;54:97-104.
[9] Rind DM, Kohane IS, Szolovits P, Safran C, Chueh HC, Barnett GO. Maintaining the confidentiality of medical records shared over the Internet and the World Wide Web. Ann Intern Med 1997;127:138-41.