gms | German Medical Science

49. Jahrestagung der Deutschen Gesellschaft für Medizinische Informatik, Biometrie und Epidemiologie (gmds)
19. Jahrestagung der Schweizerischen Gesellschaft für Medizinische Informatik (SGMI)
Jahrestagung 2004 des Arbeitskreises Medizinische Informatik (ÖAKMI)

Deutsche Gesellschaft für Medizinische Informatik, Biometrie und Epidemiologie
Schweizerische Gesellschaft für Medizinische Informatik (SGMI)

26. bis 30.09.2004, Innsbruck/Tirol

On a Surveillance Service for Drug Prescription using Distributed Patient Records and a P2P Infrastructure

Meeting Abstract (gmds2004)

Search Medline for

  • corresponding author presenting/speaker Claus Eikemeier - DIMSA, Institute for Mathematics and Informatics, St. Gallen und Bremen, Schweiz
  • Rolf Grütter - Institute for Media and Communications Management, St. Gallen, Schweiz
  • Walter Fierz - Inst. for Clinical Microbiology, St. Gallen, Schweiz

Kooperative Versorgung - Vernetzte Forschung - Ubiquitäre Information. 49. Jahrestagung der Deutschen Gesellschaft für Medizinische Informatik, Biometrie und Epidemiologie (gmds), 19. Jahrestagung der Schweizerischen Gesellschaft für Medizinische Informatik (SGMI) und Jahrestagung 2004 des Arbeitskreises Medizinische Informatik (ÖAKMI) der Österreichischen Computer Gesellschaft (OCG) und der Österreichischen Gesellschaft für Biomedizinische Technik (ÖGBMT). Innsbruck, 26.-30.09.2004. Düsseldorf, Köln: German Medical Science; 2004. Doc04gmds023

The electronic version of this article is the complete one and can be found online at:

Published: September 14, 2004

© 2004 Eikemeier et al.
This is an Open Access article distributed under the terms of the Creative Commons Attribution License ( You are free: to Share – to copy, distribute and transmit the work, provided the original author and source are credited.



Introduction and description of the system

The missing integration of data in different entities of the healthcare domain is reason for a number of drug interactions and side effects. It is estimated that in Germany 10.000 to 30.000 patients die each year because of this reason [1]. At least a significant reduction of this number is demanded because of ethical and economical reasons. An automatic, real-time surveillance service on the overall prescription given to a patient by the different healthcare providers will reduce these problems. Commonly the health record is distributed at the healthcare providers that have been involved in the treatment of the patient before. Data access to the logical patient record is possible in two ways: using a central data archive solution that keeps all recorded data (or pointers and metadata of them to the HC providers) or concentrating on the relevant data "on demand". The comparison of both approaches is beyond the scope of this paper. We will deal with only the second one during the rest of the paper.

When a prescription is issued all other care providers are demanded for additional information on that particular patient. Similar to a P2P system the demand is spread among the members of the network [2]. Even if the surveillance system is using beneficial characteristics of P2P systems, it is different from traditional P2P systems like Napster, Gnutella etc. [3]. All relevant data is sent encrypted to an official Clearing House (CH) that uncovers the previously encrypted pieces of information and checks them against rules that represent current expert knowledge in that domain. In the case of possible adverse events, a notice describing the problem, is issued to the physician that initiated the last prescription. The physician is responsible to evaluate this notice. The system therefore is used as decision support system.

The CH reasoning system is maintained by a group of experts that define `golden rules` based on current research results (e.g. evidence based). These rules are dynamically adapted to new findings and as the computation is done in real-time, only up-to-date knowledge is used. Some other information (statistical, explorative) can even be inferred from those pieces of data that are received by the CH. Thus some aspects of a data mining solution on the distributed patient records are implemented additionally. It is important to mention that the IT systems at the data providers only need marginal modifications (a database interface with a standard encryption mechanism).

Security Aspects

As this system deals with patient data, data safety is of very high importance. Neither the issuing physician is allowed to see pieces of data from the patient that do not origin from himself, nor the other provider adding additional information (e.g. old prescriptions) to the message may see any other data of the patient. Only the CH is able to uncover all data and check the message content. Today's security software librariesprovide public key infrastructure mechanisms, means to encrypt data and offer the ability to built hash keys to avoid data fraud [4].

The first part of the security system is the building of a hash key from the patients metadata (e.g. the first, last character of the name: -MR- if Miller is the name). The encrypted name and prescription and the unencrypted hash code are spread around to all connected care providers. Their IT systems automatically check for all patients with the same hash key (Cave: as this will also include Mayer, he cannot be sure that the information will match in the end) and send the received data and their (elder) information to the Clearing House. This decrypts all parts of the message and examines if the different parts belong together (there will also be messages for patient Miller -MR- that has added content for Mayer). If yes, the expert knowledge rules are applied and a possible problematic outcome is issued to the initiating physician.

Other security aspects are to be mentioned, too. One of them is the formation of the Clearing House. If all data is sent to exactly one central CH facility, data can partly be exploited there. To prevent this and because of performance reasons, a variety of Clearing Houses can work in parallel. The actual addressee of the data is chosen arbitrarily and so an overall exploitation of the data is not possible. It is demanded that the underlying expert knowledge base is kept the same on all Clearing House entities.

Other Aspects

The described surveillance system will benefit from aspects of the Peer-to-Peer paradigm. It is highly scalable and will offer, e.g. similar to the Freenet P2P system (in [1]), a very high degree of data integrity and security. Neither is it possible to read the encrypted information (if not being in the Clearing House) nor is it possible to be aware where the data is evaluated. With the redundant concept of a collection of Clearing Houses, being run by official authorities (e.g. BfArM (D), Schweizerisches Heilmittelinstitut (CH) ), the possibility to exploit the medical information is minimal. There is no single point of failure. The implementation of the described system is easy as only small modifications on the existing software are needed. The software will read data from the physicians archive and sent those items that match the hash key in an encrypted way to the Clearing House. These changes do not influence the underlying data structure of the different systems. Thus stable systems remain nearly untouched.

Results and Discussion

The presented concept is base for an efficient system to avoid serious adverse events in drug prescription. All pieces of data will remain at the edges of the system, in this case at the physician or hospital where they have been collected. This is one of the main advantages of this system compared to others where data is taken away from the control of the creating entity.

The Clearing House approach allows to encrypt the data as long as possible. The used hash key mechanism veils the original data from being exploited by the questioned peer entities on the way to the Clearing House.

Introduction in real life is evolutionary, that means, it can start on a small group of systems and will improve the more entities are connected and the more data is fed into the system. Further optimisations allow tuning the base concept. In a further step, the usage of a patient healthcare card (e.g. as to be introduced in Germany in 2006 [5]) will simplify the overall system and enhance the matching performance. Other benefits will be obtained by extensive usage of statistical information (e.g. distribution of patient IDs for hash key creation). The clinical expert knowledge can be taken from existing databases. Only the adaptation to the concrete usable form is needed.

Open questions for the introduction most likely come from an economical and political point of view: "what are the incentives to participate in the system?" is the key question to be answered. As mentioned earlier a huge group of patients will benefit from the introduction of such system. So life and health insurances will also get monetary advantages and will likely pay for this. The introduction itself can be forced by official authorities.

The comparison against highly controlled systems (like patient record on healthcare card) is beyond the scope of this paper.

This system is key to a new high quality service that has not been realized before even if the underlying problems already are known for a longer time and the solution were generally available. It is remarkable that exploiting the benefits of Peer-to-Peer systems leads to such simple, yet powerful solution.


Stieler W: Elektronische Gesundheitskarte soll eine Milliarde einsparen, in Heise Newsticker, 2004-03-22
Eikemeier, C.: Introducing P2P in Healthcare, Swiss Medical Informatics, Issue 51/2003, pp. 6 - 9
Oram, A.: Peer-to-Peer - Harnessing the Power of Disruptive Technologies, O`Reilly, 2001
Gutmann, P: Crypto Tutorial, online at URL: (2004-03-25)
Bales, S.: Welche Möglichkeiten bringt die neue elektronische Gesundheitskarte den Patienten? Online at URL: (2004-03-10)