IEEE TRANSACTIONS ON INFORMATION TECHNOLOGY IN BIOMEDICINE, VOL. 8, NO. 1, MARCH 2004 47

A Smart-Card-Enabled Privacy Preserving E-Prescription System

Yanjiang Yang, Xiaoxi Han, Feng Bao, and Robert H. Deng

Abstract—Within the overall context of protection of health care information, privacy of prescription data needs special treatment. First, the involvement of diverse parties, especially nonmedical parties in the process of drug prescription complicates the protection of prescription data. Second, both patients and doctors have privacy stakes in prescription, and their privacy should be equally protected. Third, the following facts determine that prescription should not be processed in a truly anonymous manner: certain involved parties conduct useful research on the basis of aggregation of prescription data that are linkable with respect to either the patients or the doctors; prescription data has to be identifiable in some extreme circumstances, e.g., under the court order for inspection and assign liability. In this paper, we propose an e-prescription system to address issues pertaining to the privacy protection in the process of drug prescription. In our system, patients’ smart cards play an important role. For one thing, the smart cards are implemented to be portable repositories carrying up-to-date personal medical records and insurance information, providing doctors instant data access crucial to the process of diagnosis and prescription. For the other, with the secret signing key being stored inside, the smart card enables the patient to sign electronically the prescription pad, declaring his acceptance of the prescription. To make the system more realistic, we identify the needs for a patient to delegate his signing capability to other people so as to protect the privacy of information housed on his card. A strong proxy signature scheme achieving technologically mutual agreements on the delegation is proposed to implement the delegation functionality.

Index Terms—Anonymous, e-prescription, privacy, pseudonym, smart card.

I. INTRODUCTION

EASY and instant access to electronically managed medical and insurance information is now a key factor determining the efficiency and quality of health care provision. However, the involvement of diverse parties in the process, together with the continuously increased mobility of patients, makes it practically infeasible to maintain such information in a unified and globally available manner. To be more specific, i) a number of parties get involved in the health care provision, such as hospitals, clinics, general practitioners (GPs), and external business associates including insurance companies, billing agencies, pharmacies, and so on, resulting in the heterogeneity of information infrastructures and business patterns; ii) the mobility of patients comes from the facts that people on frequent trips may need to visit doctors in different cities or even countries; some patients may need to seek appropriate medical treatment beyond local facilities. It is clear that it is hard to achieve the goal of “data availability at the point of care” with the current model of statically maintained information repositories. This difficulty can be resolved by smart cards [2] containing the latest personal medical and insurance information, carried by the patients themselves [1], [3].

Manuscript received July 9, 2003; revised October 6, 2003. This work was supported by the IEEE.

Y. Yang, F. Bao, and R. H. Deng are with the Institute for Infocomm Research, Singapore 119613 (e-mail: [email protected]; [email protected]; [email protected]).

X. Han is with the Institute of Software, Chinese Academy of Sciences, Beijing 100080, China (e-mail: [email protected]).

Digital Object Identifier 10.1109/TITB.2004.824731

Drug prescription is among the health care processes that frequently make reference to patients’ medical and insurance information. Before issuing a prescription, a doctor needs to inspect a patient’s medical records, complementing his diagnosis process as well as checking for possible allergies and harmful drug interactions pertaining to the patient; insurance information is consulted to determine whether the intended drugs are indeed covered by the patient’s health plan. It is apparent that the introduction of a smart card based portable personal information repository would significantly simplify the process of drug prescription, enabling the doctor to bypass several bureaucratic and time-consuming procedures that retrieving information from central databases would otherwise require. Moreover, the doctor would be relieved completely from the inconvenience and annoyance caused by the occasional blockage of network traffic.

In addition to being a data storage device, the smart card is capable of performing some “intelligent” work. We take advantage of this to give the smart card a digital signature capability for signing the electronic prescription pads, declaring the patient’s authorization of the prescription so as to collect the prescribed medicine. This proof of authorization will be used by the pharmacy to collect payment from the patient’s health plan account administrated by the corresponding insurance organization. Moreover, this aspect is further extended to include the delegation of prescription signing capability among users, which we refer to as delegated signing. Simply speaking, delegated signing is intended for a designated person (e.g., a relative or custodian who accepts the delegated signing right from the patient) who uses his own smart card to sign the prescription on behalf of the patient in collecting the medicine. Such an extension is motivated by the observation that, in practice, it is quite common that other people instead of the patient himself collect the prescribed medicine on his behalf. They may be his custodians, relatives, or friends who accompany him to visit the doctor. Although the smart card offers the flexibility to be carried by someone other than the owner himself, passing the smart card to a delegatee would increase the likelihood of disclosing sensitive personal medical information stored in the card and expose the patient to potential threat of unexpected abuses. From a technical point of view, it is obviously desirable to root out such drawbacks in an e-prescription system. Delegated signing avoids the passing of a patient’s smart card to the people who actually sign the prescription pad. An additional fact that merits delegated signing is that it does not complicate the system; instead it simplifies the system design to avoid considering implementation particulars. A typical particular is that if the smart card is implemented as biometrics-based, then passing the smart card to others for signing would be impossible.

1089-7771/04$20.00 © 2004 IEEE

Apart from bringing flexibility and convenience in accessing personal health and insurance data, the adoption of smart cards in our system has many other advantages: the authenticity of the patients is automatically ensured by holding the cards, so that many processes would be automated and sped up, e.g., hospital admissions; it prevents patients from obtaining multiple prescriptions from different practitioners; smart cards can be used as a tool for tracking public health initiatives, e.g., vaccinations; with free access to the emergency data stored in the smart card, emergency treatment would be instant; to name a few.

Privacy concerns in health care prevail now. Notably, patients worry about their health information being disclosed. The medical community has long recognized the ethical and professional obligation to protect health care information, as stated in the Hippocratic oath: Whatsoever I shall see or hear in the course of my dealing with men, if it be what should not be published abroad, I will never divulge, holding such things to be holy secrets. As a matter of fact, privacy of health information goes beyond the ethical scope in the sense that compromising its privacy would harm patients’ dignity, job acquisition, and health [4]–[6]. Legislation too has long recognized the importance and urgency in maintaining privacy of health care information. For instance, the Health Insurance Portability and Accountability Act in the U.S. [7], Recommendation R (75) in Europe [32], and the Health Information Privacy Code in New Zealand [39] are all laws on the protection of health care information. As far as prescription is concerned, doctors have privacy concerns too. In particular, doctors’ prescription patterns would be (and have been) collected, analyzed, and utilized by their affiliated organizations, drug companies, etc., [8]. For instance, the General Practice Research Database [35] maintained in the U.K. serves, among others, exactly this purpose. It is therefore crucially important to protect privacy of both the patients and the doctors in the course of prescription. In response, we focus on addressing such privacy issues in the proposed system.

The remainder of the paper is organized as follows. We investigate the privacy issues regarding patients as well as doctors involved in the process of prescription in Section II. In Section III, we present a strong proxy signature scheme achieving mutual agreements between the delegator and the delegatee, to enable the delegated signing functionality in our system. In Section IV, we propose our protocol to implement a smart-card-based e-prescription system, meeting the identified needs of privacy protection. We also outline the aspects on protecting data in the smart card and review some works that are closely related to ours. Section V is a summary of the paper.

II. PRIVACY IN PRESCRIPTION

Electronic medical records (EMRs) are gradually substituting the traditional paper-based medical records in the health care domain, providing more efficient and timely collaboration and information exchange among various health care organizations, as well as external business associates (e.g., pharmacies, insurance organizations, billing companies, etc.). Besides the direct impact on the quality and efficiency of health care provision, the wide use of EMRs eases medical research. For example, researchers in health care organizations normally conduct research on the basis of inspection of clinical data to find and evaluate new treatments; insurance companies and other health care providers frequently engage in extensive research on the cost effectiveness of certain medical treatments and practices, capitalizing on health care data. Although this type of research is important and beneficial, it is a potential threat to the privacy of health care information. From the privacy perspective, it seems enough to de-identify the EMRs prior to their statistical processing. However, there are frequent cases in which patients benefit from being traceable by the research, such as in the assessment of treatment safety [9].

Protecting health care information goes far beyond the basic ethical principle of respecting individuals’ privacy in a civilized society. Inappropriate disclosure of an individual’s health care information has varying consequences, ranging from inconvenience to ruin [41] (see http://www.healthprivacy.org for a number of concrete cases). The protection of security and privacy of the health care information is now under the jurisdiction of laws around the world. For example, the U.S. enacted the Health Insurance Portability and Accountability Act (HIPAA) [7], [10]; the European Union issued the Recommendation R (75) [32] and Privacy Directive [42]; Japan has the Data Protection Bill [43]; and South Korea has similar Acts [44].

Privacy protection of prescription information is relevant in the overall context of protecting health care information primarily due to the fact that prescription data are quite revealing of a patient’s health history. In other words, it is by no means very hard to deduce one’s health condition by inspecting his prescription information. In this sense, there is little difference between prescription data and other kinds of medical records in terms of privacy concern from the viewpoint of patients. On the other hand, doctors also have privacy concerns in prescription data since their prescription habits are reflected there. This information can then be utilized for many purposes. Consider this example: a hospital, based on the comparison of doctors’ prescription patterns, may issue guidelines on prescription of certain drugs, and doctors are then required to follow. Those failing to comply would be treated negatively. Another example: drug companies take advantage of doctors’ prescription information for marketing purposes, tempting doctors to prescribe their drugs [8]. Patients’ information regarding their drug purchasing can be used for a similar reason by drug companies.

The process of prescription is a little particular in the sense that it involves external business associates such as pharmacy and insurer in addition to medical related parties. The active involvement of several parties would inevitably cause multiple vulnerabilities in terms of privacy protection. Moreover, while it is reasonable to presume medical personnel would be bound by strong ethical obligation and good professional faith in maintaining privacy of the prescription information, it seems baseless to assume the same for nonmedical parties such as pharmacies and insurance companies. Worse yet, law regulations do not suffice in stopping these organizations from leaking prescription information while it is being used for, say, aforementioned cost-effectiveness research. In the U.S., for instance, there is no federal law on the protection of medical records kept by pharmacies; on the contrary, pharmacies benefit financially from selling prescription information: over 99% of prescription claims are collected and processed by Pharmacy Benefits Management Systems (PBMs) [11].

The protection of privacy should not result in a pseudonymous process. If prescription pads were issued in a truly pseudonymous manner, a wide range of drug abuses could be expected. There is already a thriving black market on prescription medicines [12]. More importantly, laws and regulations require pharmacies to maintain records that can be identified for possible inspection and preventing drug interactions [13]. For example, Section 164.512(2)(d) of HIPAA states that disclosure of protected health information including audits may be made to health oversight agencies for authorized oversight activities. In addition, some current beneficial research based on prescription data would be rendered impossible once truly pseudonymous prescription is applied. As a consequence, it is desirable that prescription data i) achieves two-way anonymity, i.e., normally they are sustained pseudonymous, but allowed for feasible pseudonymity revocation [29]; ii) provides linkability to enable useful research on data aggregation. Note that linkability of prescription data is also conducive to fraud prevention of patients and doctors. To be more specific, i) prescription information of a patient should be identifiable to the insurer for billing purpose, pseudonymous but linkable to the pharmacies or PBMs for enabling research and fraud prevention, and pseudonymity be revocable under law provision; ii) pseudonymity of a doctor should be similarly revocable, and prescription from the same doctor should be pseudonymous to the health care organization as well as the pharmacy, but linkable to the insurer for fraud prevention.¹

III. A STRONG PROXY SIGNATURE SCHEME

In Section II, we have identified the need for delegation of prescription signing rights (delegated signing). In this section, we propose a strong proxy signature scheme based on the Schnorr signature scheme [25]. Its extension to other DLP-like signature schemes is straightforward.

For ease of reference, we list below the notations to be used in this section:

 the original signer, the proxy signer, and the verifier, respectively.
 large primes with .
 an element of order in .
 key pair of user for signing, with .
 a digital signature of a message signed by a conventional DLP-like signature scheme.
 the verification algorithm of digital signature.
 a delegation warrant.

¹There may be controversies to this point. We may alternatively employ, e.g., a trusted third party under supervision from government agencies, to manage the linkability part of doctors. However, this would complicate the system.

In the proxy signature setting, the original signer (delegator) would delegate his signing capability to the proxy signer (delegatee), so the proxy signer is authorized to issue proxy signatures on behalf of the original signer. References [26], [27] are among the earliest work on the idea of proxy signature, and the concept was later systematically studied in [20] with three types of delegations, namely, full delegation, partial delegation, and delegation by warrant. In full delegation, the original signer simply gives his secret signing key to the proxy signer . This kind of delegation seems to have little practical significance as loses complete control of his signature. In partial delegation, a new key pair is generated from ’s secret, and the newly generated secret is delivered to via a private channel. As the name implies, a delegation by warrant capitalizes on a policy warrant to certify as entrusted. To satisfy the varying delegation requirements, combination of the last two types of delegation seems practical and viable. In fact, our scheme capitalizes on this combination. The schemes in [20] do not offer nonrepudiatability since both and know the proxy signing key. The work in [22] suffers from the same problem. To overcome this, Zhang proposed in [23] a nonrepudiable proxy signature scheme, which however was found not to be successful [24]. Lee et al. [18] first introduced the concept of strong proxy signature which represents both ’s signature and ’s signature. Nonrepudiatability regarding both and is thus implied in a strong proxy signature. An earlier scheme in [21] based on the Schnorr signature was in fact a strong proxy signature, whereas the role asymmetry of and is not well reflected from a valid signature itself. The strong proxy scheme in [18] and its application variant adaptable to mobile agent environment [28] offer asymmetry in roles, but they are found subject to ’s forgery attack [19]. Our proposed scheme is a modification of this scheme to thwart the forgery attack by . Moreover, in our modification, becomes designated instead of originally nondesignated for mobile agent environments.

In summary, a strong proxy signature scheme should satisfy the following security requirements.

Strong Unforgeability: No one else (including the original signer) except the designated proxy signer can generate a valid proxy signature.
Verifiability: Anyone can verify the signature based on the publicly available parameters.
Strong Identifiability: A proxy signer’s identity can be determined from the proxy signature it generates.
Strong Undeniability: The proxy signer cannot repudiate his signatures.
Prevention of Misuse: The proxy key pair should not be used for purposes other than the designated ones.

To better understand our scheme, we first review the scheme in [18] and the attack proposed in [19], respectively.


The Scheme:

— Delegation: In the delegation phase, the original signer chooses randomly , computes and . Then sends secretly to the triple , , , which is in fact ’s signature on under Schnorr’s signature scheme. accepts the triple as long as holds. Note that , is ’s key pair.

— Signing and Verification: The proxy signer computes his proxy key pair , as

and

where , is ’s key pair. then signs a message conforming to as using a conventional DLP-like signature scheme. The tuple

is then a valid proxy signature. To verify the tuple, the verifier computes

and then checks

The scheme is, however, found to suffer from the original signer’s forgery attack, failing to satisfy the so-called “strong unforgeability” property. The attack works as follows.

The Attack: In the strong proxy signature scheme, a dishonest original signer computes , thus

is a valid proxy signature signing key and is a valid proxy signature because

We are now ready to present our strong proxy signature scheme, which works as shown in the diagram at the bottom of the page.

In our scheme, both consents from and are demonstrated explicitly in the scheme itself. To see this, is actually the signature from and is ’s signature. For this reason, there is no need to include in the delegation warrant the identities of and , as well as certain policy stating the acceptance of the delegation by the two sides. Recall that is a signature from on , this is more notably a countermeasure against the above attack than demonstrating ’s acceptance of the delegation.

Theorem 1: The proposed strong proxy signature scheme is secure against the original signer’s forgery attack.

Proof: Intuitively, the original signer’s forgery attack to the original scheme takes advantage of the fact that is allowed to change by substituting it with . In our scheme, however, (together with ) is signed by to produce . Since cannot forge ’s signature, thus, it cannot forge . This avoids the attack.
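The forgery and its countermeasure can be run end to end. The following is an added example, not code or formulas from the paper: since the equations are not reproduced on this page, it assumes the textbook Schnorr equations, a weak variant with proxy key s_A + x_B, and a hardened variant with proxy key s_A + s_B in which the proxy signer signs the warrant together with r_A; the group parameters and all function names are constructed for the demonstration.

```python
import hashlib
import secrets

def is_prime(n):
    """Miller-Rabin; these fixed bases are deterministic for n < 3.3e24."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

# Constructed demo group, far too small for real use: Q prime, P = 2kQ + 1 prime.
Q = 2**61 - 1
P = next(2 * k * Q + 1 for k in range(1, 10**5) if is_prime(2 * k * Q + 1))
G = next(g for g in (pow(h, (P - 1) // Q, P) for h in range(2, 100)) if g != 1)

def H(*parts):
    """Hash length-prefixed parts to an exponent mod Q."""
    h = hashlib.sha256()
    for part in parts:
        data = str(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(h.digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def schnorr_sign(x, *msg):
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    return r, (k + x * H(*msg, r)) % Q

def schnorr_verify(y, r, s, *msg):
    return pow(G, s, P) == r * pow(y, H(*msg, r), P) % P

def proxy_public_key(y_a, y_b, warrant, r_a, r_b=None):
    """What the verifier recomputes from public values only."""
    y_p = pow(y_a, H(warrant, r_a), P) * r_a % P
    if r_b is None:  # weak variant (assumed form): y_B enters unsigned
        return y_p * y_b % P
    # hardened variant (assumed form): B's signature over (warrant, r_A) enters
    return y_p * pow(y_b, H(warrant, r_a, r_b), P) * r_b % P

def verify_proxy(y_a, y_b, warrant, r_a, message, sig, r_b=None):
    y_p = proxy_public_key(y_a, y_b, warrant, r_a, r_b)
    return schnorr_verify(y_p, sig[0], sig[1], message, warrant)

def delegate(x_a, y_a, x_b, warrant, hardened):
    """Honest delegation; returns (r_a, r_b, proxy private key)."""
    r_a, s_a = schnorr_sign(x_a, warrant)          # A signs the warrant
    if not schnorr_verify(y_a, r_a, s_a, warrant):  # B checks before accepting
        raise ValueError("delegation rejected")
    if not hardened:
        return r_a, None, (s_a + x_b) % Q
    r_b, s_b = schnorr_sign(x_b, warrant, r_a)     # B signs warrant and r_A
    return r_a, r_b, (s_a + s_b) % Q

def forge_as_original_signer(x_a, y_b, warrant, hardened):
    """A alone substitutes r_A so that y_B cancels out of the weak public key."""
    k = secrets.randbelow(Q - 1) + 1
    r_a = pow(G, k, P) * pow(y_b, -1, P) % P
    x_forged = (k + x_a * H(warrant, r_a)) % Q
    if not hardened:
        return r_a, None, x_forged
    j = secrets.randbelow(Q - 1) + 1               # A lacks x_B, so r_B is a guess
    return r_a, pow(G, j, P), (x_forged + j) % Q

def run(hardened, forged):
    """True if the resulting proxy signature verifies."""
    warrant = "warrant: prescription signing only (constructed)"
    message = "prescription pad #1 (constructed)"
    (x_a, y_a), (x_b, y_b) = keygen(), keygen()
    if forged:
        r_a, r_b, x_p = forge_as_original_signer(x_a, y_b, warrant, hardened)
    else:
        r_a, r_b, x_p = delegate(x_a, y_a, x_b, warrant, hardened)
    sig = schnorr_sign(x_p, message, warrant)
    return verify_proxy(y_a, y_b, warrant, r_a, message, sig, r_b)

if __name__ == "__main__":
    for hardened in (False, True):
        for forged in (False, True):
            print(f"hardened={hardened} forged={forged} verifies={run(hardened, forged)}")
```

In the hardened variant the forged key verifies only if the hash binding r_A to the proxy signer's signature happens to equal 1 mod Q, which is why the substitution of r_A no longer helps the original signer.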

Theorem 2: The proposed strong proxy signature scheme fulfills all the security requirements listed above.

Proof (sketch):

1) Strong Unforgeability: From Theorem 1, cannot forge valid proxy signatures. For other people, the private proxy signing key contains ’s private key, therefore, only can generate valid proxy signatures.

2) Verifiability: , demonstrates the consent of on the delegation; shows ’s acceptance of the delegation; verifiability of the signed message is obviously based on the underlying DLP-like digital signature scheme.

3) Strong Identifiability: The inclusion of ’s public key in the public proxy signing key implies that is identifiable.

4) Strong Undeniability: The proxy signer cannot repudiate his signatures because only he can compute the private proxy signing key used in the signature.

5) Prevention of Misuse: Expiration date of the proxy signing key can be readily checked against the validity of the keys held by and , from which the proxy signing key is derived. serves practically to prevent abuses of the proxy signing key. In the context of our e-prescription system, proxy signing keys are intended for the mere use of prescription signing.

[Diagram: the proposed strong proxy signature scheme, showing the checks made during delegation, the computation of the private proxy signing key, and the verifier’s check.]

An alternative method for generating the proxy signing key is simply that the proxy signer chooses a key pair as the proxy signing key and the original signer certifies it using his signing key by issuing a certificate, and the certificate states the delegation policy. There exists a controversy on the practical significance of proxy signing schemes since they do not demonstrate convincing efficiency advantages over this alternative method. Our proposed scheme is no exception and faces the same problem. However, one thing is clear regarding our scheme: both the original signer and the proxy signer are explicit from a valid proxy signature itself. This, as we will see, is quite critical to make prescription data linkable with respect to the patients.

IV. METHOD AND SYSTEM IMPLEMENTATION

In this section, we present a detailed implementation of the e-prescription system, wherein privacy of the patients and the doctors are appropriately protected. In addition, we also address the problem of how to protect data in smart cards.

A. Basic Idea

We make specific the process of a typical e-prescription ser-vice in real world. A patient visits his doctor and on the basisof the diagnosis, the doctor prepares a prescription pad. To thisend, the doctor normally connects to the central medical recorddatabase to check for allergies and possible harmful drug inter-actions or medical history concerning the patient. At the sametime, the doctor may query an information system maintainedby the patient’s insurer to determine whether certain intendeddrugs are covered by the patient’s health plan. Upon comple-tion of the drug selection, the doctor signs the pad electronically,which would serve as evidence that the doctor vouches for thesafe use of the medicine. The prescription is then directed tothe pharmacy and added to the patient’s medical records. Thepatient later goes to the pharmacy where the prescription padis retrieved. The pharmacy collects enough evidence in fillingthe prescription to meet the requirements of law regulations.Then the pharmacy charges the insurer (or the patient) for the

medicine upon the patient’s authorization (signed by the patient)and delivers the medicine to the patient. The prescription padmay then be forward to the PBMs for statistical research.

To simplify this process, we introduce the smart card into oursystem. The smart card serves dual roles: one as a portable datarepository, storing personal medical records and insurance in-formation; the other as a signature generating tool to sign elec-tronically the prescription pad when the patient goes to the phar-macy to collect the medicine. Yet another major characteristic ofour system lies in the introduction of delegated signing, whichallows patients to delegate their signing rights to other people.As a result, a patient does not need to pass his smart card to an-other party to sign prescription pads on his behalf. We leverageon the proxy signature scheme proposed in Section III to achievedelegated signing. To delegate his prescription signing right, thepatient (the original signer) negotiates a proxy signing key withthe intended person (the proxy signer) who stores the key inhis own smart card. Theoretically, a patient can delegate to mul-tiple proxy signers. The accommodation of delegated signaturesmakes our system efficient and practical.

Recall that a central objective of our e-prescription system is to protect the privacy of patients and doctors in medicine prescriptions, and such a protection should still support useful research on the basis of data aggregation. To this end, we adopt the following techniques. i) The patient applies for a pseudonym from his insurer, which links the pseudonym with the patient’s real identity. This is crucial as the insurer pays the prescription on the absolute discretion of the patient. The patient then engages in the prescription process in the name of the pseudonym, thereby gaining pseudonymity. Transactions under the same pseudonym apparently offer linkability. Revocation of the pseudonymity can be done by the insurer when necessary. ii) The doctor joins a group of affiliated health care organization. Whenever the doctor issues a prescription, the Group Manager signs a group signature in the name of the group, so the pseudonymity of the doctor is achieved. Given a signed pad, only the group manager is able to identify the doctor who issued it. We assume the group manager is independent of the health care organization in the sense that he would not do anything in favor of the latter, e.g., help the organization to link a specific doctor’s prescription data. We point out that an off-the-shelf group signature scheme seems more convenient to doctor pseudonymity. However, virtually all existing group signature schemes are ineffective in revocation of group members, thereby insufficient for a dynamic group. Considering this, we let the Group Manager sign on behalf of the doctors. The Group Manager issues each doctor a pseudonym, which serves to hide the real identity of the doctor. We point out that a pseudonym system [29] does not seem quite relevant in our case, many of whose properties, e.g., unlinkability of the pseudonyms, are unnecessary for our use.

It may be argued that the Group Manager computing group signatures for every doctor would become a bottleneck, affecting overall performance of the system. Referring to Fig. 1, there are two methods for the Group Manager to calculate group signatures. In case of Fig. 1(a), a prescription is first passed to the Group Manager for signing before reaching the pharmacy. In case of Fig. 1(b), the doctor first delivers to the pharmacy which later relays to the Group Manager for signing. This actually offers the flexibility that the prescription is signed at any point of time before the patient collects the medicine, alleviating to some extent the situation that the Group Manager becomes a bottleneck of our system.

Fig. 1. Group signature modes.

We note that long-term linkable pseudonyms would risk the patients being identified. We, therefore, accommodate the flexibility to readily renew pseudonyms. In responding to this, the signing key of a patient is rendered short term. In other words, the signing key is certified to be valid within a short period of time, e.g., half a year; or once the patient senses his privacy is at risk, he is able to revoke his pseudonym and the associated signing key [in this case, the signing key is announced in a public certificate revocation list (CRL), and he then applies for a new pseudonym and a new signing key]. The same applies to his proxy signing keys. In our system, a proxy signing key is derived from both sides’ signing keys, governed by the strong proxy signature scheme in Section III. As a consequence, revoking either side’s signing key results in the revocation of the proxy signing key. As a signing key is short termed and credited under the pseudonym, it is obviously insufficient to be used to identify the patient’s real identity when needed. We then employ a long-term key, master key, to associate with the real identity of the patient. The master key is intended for authenticating real authority of the patient beyond the prescription context. As a result, there are three kinds of keys in a patient’s smart card, namely, the master key (long term), the signing key (short term), and possibly proxy signing keys (short term).

Based on the above discussions, we now formally define the parties involved in our e-prescription system.

1) Definition of Entities:

• Patient . The patient is the entity to whom a prescription is issued. The patient needs to provide information pertaining to his health plan for drug prescription. To collect the prescribed medicine, the patient is required to sign the prescription pad to show his consent on the prescription. This authorization will be recognized by the insurer to pay the prescribed medicine.

• Doctor . The doctor is the entity that issues the prescription. The doctor signs the prescription pad to claim his assurance of the prescribed drugs benefiting the patient from medical perspective. The signature can as well be used as a nonrepudiatable evidence to assign liability if the prescribed medicine cause disputes.

• Insurer . The insurer is the entity to provide health benefits plan to the patient and pays for the prescription. The insurer may engage in certain statistical research. In our system, we designate to be responsible for detection of fraud by the doctor. It issues pseudonyms to the patient, certifies public signing keys, and revokes pseudonymity of the patient when necessary.

• Proxy Signer . The proxy signer accepts delegated rights from the patient, signs the prescription, and collects the medicine on the patient’s behalf.

• Pharmacy . The pharmacy is the entity to file the prescription. In filling a prescription, the pharmacy collects the payment from the insurer and delivers the medicine to the patient. The pharmacy must collect sufficient evidences on the sale of the medicine, including signatures from both the doctor and the patient. The pharmacy also engages in data aggregation for the purpose of statistical research to better manage medicine provision.

• Group Manager . The group manager manages privacy issues of the doctor. signs the prescription while keeps trail of the doctor who issued a particular prescription. is responsible for revoking pseudonymity of the doctor when required.

• Certificate Authority . The certificate authority issues public key certificates to related entities. A may be a medical board that qualifies and certifies the doctor’s capability in issuing prescription.

There may be other entities involved in the process of prescription, such as law enforcement agencies overseeing medicine prescription. However, they are not directly related to our discussion.

Note that the introduction of group manager as a trusted party in our system is in fact under the jurisdiction of HIPAA, Section 164.512(f), where it is referred to as privacy officer

, together with , constitutes the trusted infrastructure of our system.

A prescription system is said to be privacy preserving if it satisfies the following requirements.

2) Privacy Requirements:

1) Pseudonymity. Actual identities of the patient and the doctor are hidden by means of pseudonyms; pseudonymity, however, can be revoked by designated trusted entities.

2) Linkability of patients. Under the pseudonymity provision, prescriptions to the same patient are linkable to the pharmacy .

3) Linkability of doctors. Under the pseudonymity provision, prescriptions issued by the same doctor are linkable to the insurer .

4) Unlinkability of doctors. Prescriptions by the same doctor are pseudonymous and unlinkable by the pharmacy.

5) Least data disclosure. Unless absolutely necessary, prescription data is kept confidential.

TABLE I NOTATIONS

B. Proposed Protocol

In this subsection, we present our protocols and methods to implement a smart card enabled e-prescription system. For the ease of references, we list the notations in Table I.

We then streamline the process of our e-prescription system with the following phases, and outline the interactions that are best relevant for electronic processing.

1) Initialization: At this stage, each involved entity gets itself prepared for the engagement into the prescription process, including establishing necessary keys and obtaining corresponding certificates.

applies for a personal smart card from his primary health care organization storing initially the latest medical records, establishes his long-term master key , and gets the corresponding certificate under his real identity. then enrolls in an insurer’s health plan. To do this, he establishes his short-term signing key , contacts the insurer , and directs to it the public part of the signing key . generates a random pseudonym for ,2 issues a certificate for the signing key under the pseudonym, finalizes the health plan with , and enters related information together with into a private database for . Relevant insurance information and the certificate are delivered to via a reliable channel, e.g., registered postal mail. then negotiates with proxy signers to delegate his prescription signing right to them and helps them generate proxy signing keys , . himself may be a proxy signer by accepting others’ delegation and generates correspondingly proxy signing keys , that are delegated to him. Finally, public parts of the generated key materials, insurance information obtained from are added to ’s smart card. Note that secret parts of the keys are generated directly inside the smart card during their establishment. The above process is depicted as follows.

2 Alternatively, generates himself a random pseudonym and forwards it to together with the signing key.

M1 Enroll_Req
M2 Insurance_Info
M3 establish

In M1, Enroll_Req is an enrollment request stating which plan to enrol and is the public part of the prescription signing key. Note that computes using his master key to authenticate his real authority to . In response, returns to the certificate under a pseudonym for and the insurance information (Insurance_Info) under the enrolled health plan in M2. , included in the certificate, is the expiration date of . In order not to be leaked, the signed insurance information is encrypted by a random session key . In M3, exchanges information with a proxy signer , establishing the proxy signing key , delegated to . may also set up for himself , by accepting delegations from other people. Recall that a proxy signing key is derived from both entities’ short-term prescription signing keys under the strong proxy signature scheme introduced in Section III. is the original signer and is the proxy signer ; and are key pairs , and , , respectively. They collectively produce the proxy signing key , . It is clear that , is valid only when both and are valid.

The doctor joins a group, such as his affiliated health care organization, where he is entailed and certified as to the capacity of issuing prescriptions. The group manager is the actual entity that computes digital group signatures on behalf of the group members. issues a random pseudonym and certifies ’s key material under his real identity. chooses a group signing key and obtains the certificate, from related certificate authority , for committing group signatures to the prescription. chooses also a secret key known only to himself, for symmetric encryption and a key pair for asymmetric encryption.

2) Prescription Preparation: When the patient visits the doctor , he presents his personal smart card and signs a random message on the fly to , proving his successful enrollment in a particular health plan. The process of diagnosis by may be complemented by the medical data stored in the smart card. Upon completion of the diagnosis, prepares the prescription. To do this, he makes references to the medical data in the smart card for checking drug allergies, drug interactions, and insurance information for determining whether certain intended drugs are indeed covered by ’s health benefits plan and checking the account status under the plan.3 then generates an electronic prescription pad including no identities of and . Afterwards, concatenates the prescription pad with and delivers the concatenation to the pharmacy . Note that is pseudonymous to . Finally, updates ’s smart card by adding to it the particulars of current visit and prescription.

3 To avoid leaking sensitive account information, the smart card tells only whether the balance in the account can cover the charges.

M4M5

In M4, computes a signature on , the current time stamp, using his prescription signing key to show his successful enrolment in a health plan dictated by the insurer . The prescription is forwarded by to in M5, where and are random session keys for to decrypt and check , and are transaction headers as defined in Table I, is the prescription pad including a serial number Prescription_Id, is intended only for , is a signature on under the real identity of which serves to tell who issues the prescription. included in M4 and M5 is used to verify .

3) Prescription Signing: The pharmacy transfers the prescription to the group manager for signing. To minimize the likelihood of leaking prescription information, it makes sense to hide the exact prescription content from . This, however, will not cause trouble because is in charge of pseudonymity revocation of doctors, so he is able to keep the scrambled message traceable; this would also prevent from otherwise substituting certain drugs for discriminative purposes against . Therefore, in our system, issues an unlinkable group signature to the encrypted prescription. A cryptographic primitive, namely, blind digital signature [30], [31] does not meet our need here, simply because the entity (i.e., ) requiring signing is not the actual originator of the message. includes in the group signature a linkable token in an attempt for the insurer to link doctors’ data. then returns the signed prescription to . The process is illustrated by the following interactions:

M6M7

In M6, relays received in M5 to . then decrypts to get and . Since is a signature (under ’s actual identity) on , verifies . From , retrieves from his database the real identity corresponding to , and checks against the one indicated by . In M7, returns to the group signature on , where is a transaction header, is a random session key, and is the symmetric key known only to so can be opened only by , is the ciphertext by the insurer ’s public key, thereby openable only to , and is intended for to link doctors’ prescription data. Since keeps an original copy of , he can detect ’s modification of by comparing the returned signed with the original copy. Apparently, has also no chance to substitute drugs in the prescription.

4) Prescription Filling: To collect the medicine, the patient or a proxy signer goes to the pharmacy , where he signs the prescription using his own smart card. Signatures of both and are the evidences that must be collected by in compliance with law regulations for legal sale of medicine. gets the electronic payment from the insurer by providing the signed prescription information, and delivers the medicine to or . The prescription information is then passed to PBM for statistical research. The following interactions explain the process:

M8
M8
M9 Prescription_Id
M9 Prescription_Id
M10
M11 Electronic Payment
Prescription_Id

Before signing, or must verify the prescription. To this end, submits to ’s ( ’s) smart card in M8 (M8 ), where and are the same session keys as in M5 for decrypting included in . Note that we assume the submission channel from ’s workstation to the smart card is secure, so and are in cleartext. Upon confirmation, or signs the prescription in M9 or M9 . The Prescription_Id, together with obtained from , uniquely identifies a prescription. To collect payment, forwards the signed prescription , ’s signature , and the encrypted session keys , to the insurer . Upon validating the prescription, pays the bill and returns a signature to . At this point, a successful prescription session is completed. , , and are a set of completed evidence of a prescription to be collected by . Note that we have avoided the prescription to be signed in a recursive fashion, i.e., one entity signs upon another entity’s signature. Verifying such a recursively signed message must proceed in a sequential manner. Instead, , , and can be verified independently and in parallel.

C. Analysis

In this subsection, we discuss how the above protocol meets the previously stated privacy requirements. Our proof is informal and intended only to offer an intuitive exposition. In fact, a formal proof would be quite involved, and would require more elaborated definitions of the privacy requirements as well as the cryptographic primitives relied on in the system.

Theorem 3: The proposed e-prescription system is privacy preserving, satisfying the privacy requirements.

Proof:

1) Pseudonymity. Pseudonymity requires that actual identities of the patient and the doctor are appropriately protected, but revocable to the designated entities. In the system, and engage in the process of prescription with respective pseudonyms, with the only exception in the Initialization phase. In particular, interacts under his real name with the insurer to apply for a pseudonym as well as the certificate for the prescription signing key, and to negotiate a health plan; communicates with the group manager to acquire his pseudonym and credentials for issuing prescriptions. Both cases, however, are deemed reasonable considering the fact that and are designated entities taking the responsibility for pseudonymity revocation of and , respectively. The real identity of is also included in messages exchanged in M5, M6, M7, M8 (M8 ), and M10. But notice that in all cases, only can decrypt the corresponding ciphertexts to read the identity. In addition, no identity information of and is incorporated in the prescription pad . With these, pseudonymity of both patients and doctors is achieved.

Pseudonymity revocation of is clear in the sense that given any signed prescription data under the pseudonym , only the insurer can map to the real identity of . As to , in M7, includes in and , which are readable only to and thus pseudonymous to other entities. This means, given a valid prescription data , only can tell who exactly issued the prescription.

2) Linkability of patient. This property requires that under the pseudonymity provision, prescriptions to the same patient are linkable to the pharmacy . Linkability of patient to follows immediately if the prescriptions to are signed by himself in M9. If the prescriptions to are signed by a proxy signer in M9 , according to a property of our proposed strong proxy scheme, i.e., identities of both the original signer and the proxy signer are explicit in a valid proxy signature, linkability of the patient is also achieved.

3) Linkability of doctor. This requires that under the pseudonymity provision, prescriptions issued by the same doctor are linkable to the insurer . Prescriptions issued by the doctor are signed by the group manager in M7. includes in the group signature . Since the insurer is able to decrypt using his private key, linkability of the doctor to is thus achieved. is a semantically secure public key cryptosystem, by reading without decryption, no one can do the same linking.

4) Unlinkability of doctor. This property requires that prescriptions by the same doctor are pseudonymous and unlinkable to the pharmacy . Pseudonymity of the doctor to holds true as we already discussed in the first requirement. It then suffices for us to show that is unlinkable to . Included in are , , , , and : is random; and are random dictated by random session keys; so is ; and as we just discussed, from no one including can do the same linking as does by decrypting . Unlinkability of the doctor to is thus achieved. Interestingly, and cannot be simply replaced by , as otherwise a portion of the ciphertext might be fixed, making the prescriptions by linkable to . To see this, consider the following scenario: suppose the symmetric cipher is the widely used DES (its block size is 64 bits) and the text length of exceeds 64 bits, then the first block of is always a fixed value.

5) Least data disclosure. It requires that unless absolutely necessary, prescription data be kept confidential. It would be quite hard to precisely define and then prove the implication of least data disclosure in the system. We, however, mention two outstanding facts of our system relating to this point. First, to protect the information including the prescription data stored in a patient’s smart card, the patient delegates his signing right to other people to avoid the possibility of his card being carried by others. Second, to avoid unnecessarily disclosing information without affecting its functionality, the group manager is designed to “blindly” sign prescriptions.
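The fixed-first-block argument in item 4 can be reproduced with a small experiment. The following is an added example, not code from the paper: it uses a toy 64-bit Feistel cipher as a stand-in for DES in a deterministic (ECB-style) mode, and the key, the doctor identities and the plaintext layout (identity first, then prescription bytes) are constructed assumptions, since the paper's exact expressions are not legible in this copy.

```python
import hashlib
import hmac
import os
from collections import defaultdict

BLOCK = 8  # 64-bit blocks, the DES block size the argument relies on


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Feistel round function: HMAC-SHA256 truncated to 32 bits (toy)."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in range(8):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in reversed(range(8)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    pad = BLOCK - len(data) % BLOCK
    data += bytes([pad]) * pad
    return b"".join(encrypt_block(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    data = b"".join(decrypt_block(key, ct[i:i + BLOCK])
                    for i in range(0, len(ct), BLOCK))
    return data[:-data[-1]]


def seal_fixed_key(gm_key: bytes, doctor_id: bytes, rx: bytes) -> bytes:
    """Weak variant: identity-first plaintext directly under the long-term key."""
    return ecb_encrypt(gm_key, doctor_id + rx)


def seal_session_key(gm_key: bytes, doctor_id: bytes, rx: bytes):
    """Randomised variant: a fresh session key encrypts the body, and only
    that random session key is encrypted under the long-term key."""
    session = os.urandom(16)
    return ecb_encrypt(gm_key, session), ecb_encrypt(session, doctor_id + rx)


def open_session_key(gm_key: bytes, wrapped: bytes, body: bytes) -> bytes:
    return ecb_decrypt(ecb_decrypt(gm_key, wrapped), body)


def link_by_first_block(tokens):
    """What a party holding no key can do: group tokens by first block."""
    groups = defaultdict(list)
    for idx, tok in enumerate(tokens):
        groups[tok[:BLOCK]].append(idx)
    return [g for g in groups.values() if len(g) > 1]


GM_KEY = bytes(range(16))  # constructed long-term symmetric key
VISITS = [                 # constructed (doctor identity, prescription) pairs
    (b"DR-0001-ALICE", b"amoxicillin 500mg"),
    (b"DR-0002-BOB", b"ibuprofen 200mg"),
    (b"DR-0001-ALICE", b"loratadine 10mg"),
]


def demo():
    weak = [seal_fixed_key(GM_KEY, d, rx) for d, rx in VISITS]
    strong = [seal_session_key(GM_KEY, d, rx) for d, rx in VISITS]
    weak_links = link_by_first_block(weak)
    strong_links = (link_by_first_block([w for w, _ in strong])
                    + link_by_first_block([b for _, b in strong]))
    return weak_links, strong_links


if __name__ == "__main__":
    print(demo())
```

With the fixed key, prescriptions 0 and 2 share their first ciphertext block because the first 64 bits of plaintext are the same identity prefix; with per-prescription session keys neither the wrapped key nor the body repeats.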

D. Smart Card Aspects

Needless to say, security of the smart card is of paramount importance in our system. We consider the smart card as a tamper-resistant device that offers significant resistance to physical attacks. The smart card is equipped with a crypto-coprocessor for performing crypto-algorithms. The SLE66CX microcontroller family from Infineon Technologies [48] and the AT90SC microcontroller family [49] from Atmel seem to be sufficient for our use since they perform fast discrete logarithm computations by hardware. There are normally three types of memories constituting the storage system of a smart card, namely, working memory, program memory, and user memory. Working memory is made up of random access memory (RAM) chips, providing temporary storage for the data exchanged during program execution. Data in working memory will get lost when power is off. Program memory is a kind of nonerasable read only memory (ROM). The operating system and the security module that enforces security mechanisms reside in this area. The content of program memory is entered when the chip is manufactured, and any later attempt to modify it would ruin the card. User memory, taking advantage of EEPROM technology, is programmable in the sense that it can be erased and rewritten by electronic means. All personal data used in our system including medical records, insurance information, key materials (master key, signing key, and proxy signing keys from other people if any) are stored in this area.

We further organize the user memory into different sections to accommodate data requiring different maintenance and access control. Note that the allocation of space is theoretical, and the precise structure and the data access control will be implemented in accordance with existing standards [45]–[47].

• Secret Section
This section is designed to be written only once and cannot be read from the outside by either physical or logical means [17]. The data in this area are retained throughout the life cycle of a smart card, and can only be read by its own microprocessor. The following data are archived in this section:

— the card manufacturer’s PIN;

— the card holder’s long-term master key: The master key serves to authenticate the patient’s actual identity, e.g., when the patient enrols in a health plan by interacting with the insurer.

• Sensitive Section
This section is similar to the secret section, but allows for occasional updates. The following information is stored here:

— the card issuer’s PIN (CIN): The card issuer in our system is the patient’s primary health care providing organization. CIN serves to protect the application data against unauthorized operations such as erase and write;

— the card holder’s PIN (CHN): The card holder is obviously the patient himself in our system. CHN is used to activate certain functionalities of the smart card, e.g., to review the protected information.

• Working Section
This section can be erased and rewritten, whereas such updates can be accomplished only by designated entities, the card issuer or holder in our case. The information in working section is read protected, write protected, or erase protected through appropriate access control codes (CIN or CHN), depending on the nature of the data. The following data are managed in this section:

— private part of the card holder’s short-term signing key: The signing key serves to sign electronically the prescription when the patient collects the medicine in the pharmacy;

— private part of the short term proxy signing keys delegated to the card holder: The card holder may agree to be the proxy signer of other people in terms of prescription signing. If this is the case, the proxy signing keys are stored in this area;

— medical information: The medical information set includes coded personal medical records, consultation details, and prescription information;

— insurance information.

• Public Section
Data in public section can be read free, requiring no protection. The following data are stored in this area:

— serial number of the card;

— pseudonym and related personal pseudonymous information;

— emergency medical information: such information includes blood type, drug allergies, etc.;

— public keys and their corresponding certificates: These include the delegation warrants stating delegation policy for the use of the proxy signing keys.

We summarize the data managed in the user memory in Table II.

TABLE II DATA MANAGEMENT

In the following, we clarify some particulars presented in the table.

• By Reading Forbidden, the data can only be read through the microprocessor of the smart card.

• The design of the data structure for medical record is merely indicative instead of descriptive. In other words, we code the medical record using a well-structured template. As a result, most of the fields accept binary values “YES” or “NO.” Reference [1] provides an example of such a structured template. For example, if a patient has “Obsessive–compulsive disorder,” the corresponding field will be “ .” Similarly, all fields are filled with either “ ” or “ .” In this way, the 40-B space allocated for the patient’s medical records can accommodate 320 fields.

• We assume that discrete logarithm based public key cryptosystems are used to compute digital signatures and issue key certificates. This makes typically 160-b private keys, 212-B public keys, and 84-B digital signatures. A public key (short-term) certificate is simplified to contain minimally the user’s name, ’s name, expiration date, and a digital signature on them. Other certificates, such as those for proxy signing keys, may contain a simplified version of policy. With these, the length of a public key together with its certificate is expected not to exceed 350 B.

• For the master key, as it is for long-term use, the public key certificate should be produced in a standard format. Because of space limitation, we do not include this certificate in the smart card, thereby not providing a verifier for the convenience to verify a signature off-line. This, however, does not degrade the efficiency of our e-prescription system, for the master key is used only once in the initialization phase.

• The area for consultation details and prescription information is writable under the card holder’s PIN (CHN). With this, our system offers the flexibility that such information can be added to the smart card under the authorization of the patient. This is significant when the patient visits a doctor in other place than his primary health care organization.

• We allow information regarding the latest 30 consultations and 10 prescriptions being stored in the smart card. Removal of this kind of information is on a “first in, first out” basis. Because of space limitation, a card holder is permitted to be the proxy signer of at most three people. Therefore, maximally 1,050 (350 × 3) B of space is allocated for proxy signing keys and their certificates.

• The total space to accommodate all the data is estimated to be 5 kB. Therefore, a smart card with 8-kB memory suffices for our system.
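The access rules and size limits described for the user memory can be modelled in a few lines. The following is an added sketch, not the paper's implementation and not a real card operating system: the class and method names are hypothetical, and where the text does not say which PIN guards an operation (medical-record writes under CIN, record reads and proxy-key storage under CHN) the choice made here is an assumption.

```python
import hmac
from collections import deque


class CardError(Exception):
    """An operation violated the access rule of its memory section."""


class UserMemory:
    RECORD_BYTES = 40         # 40 B of one-bit YES/NO fields -> 320 fields
    MAX_CONSULTATIONS = 30    # first in, first out
    MAX_PRESCRIPTIONS = 10    # first in, first out
    MAX_PROXY_KEYS = 3        # 3 x 350 B = 1,050 B
    KEY_AND_CERT_BYTES = 350  # upper bound for one key plus certificate

    def __init__(self, cin: str, chn: str, serial: str):
        self._master_key = None                       # secret section
        self._cin, self._chn = cin, chn               # sensitive section
        self._record = bytearray(self.RECORD_BYTES)   # working section
        self._consultations = deque(maxlen=self.MAX_CONSULTATIONS)
        self._prescriptions = deque(maxlen=self.MAX_PRESCRIPTIONS)
        self._proxy_keys = {}
        self.public = {"serial": serial}              # public section

    @staticmethod
    def _check_pin(supplied: str, expected: str, name: str) -> None:
        # Constant-time comparison so timing does not leak PIN digits.
        if not hmac.compare_digest(supplied.encode(), expected.encode()):
            raise CardError(f"{name} rejected")

    # Secret section: written once, never readable from outside the card.
    def write_master_key(self, key: bytes) -> None:
        if self._master_key is not None:
            raise CardError("secret section is write-once")
        self._master_key = bytes(key)

    def read_master_key(self) -> bytes:
        raise CardError("reading forbidden from outside the card")

    # Working section: coded medical record, one bit per template field.
    def _locate(self, index: int):
        if not 0 <= index < self.RECORD_BYTES * 8:
            raise CardError("field index outside the 320-field template")
        return divmod(index, 8)

    def set_field(self, cin: str, index: int, value: bool) -> None:
        self._check_pin(cin, self._cin, "CIN")        # assumption: issuer writes
        byte, bit = self._locate(index)
        if value:
            self._record[byte] |= 1 << bit
        else:
            self._record[byte] &= ~(1 << bit) & 0xFF

    def get_field(self, chn: str, index: int) -> bool:
        self._check_pin(chn, self._chn, "CHN")        # assumption: holder reads
        byte, bit = self._locate(index)
        return bool(self._record[byte] >> bit & 1)

    # Working section: visit history, writable under the holder's PIN.
    def add_consultation(self, chn: str, entry: str) -> None:
        self._check_pin(chn, self._chn, "CHN")
        self._consultations.append(entry)             # deque drops the oldest

    def add_prescription(self, chn: str, entry: str) -> None:
        self._check_pin(chn, self._chn, "CHN")
        self._prescriptions.append(entry)

    def consultations(self, chn: str) -> list:
        self._check_pin(chn, self._chn, "CHN")
        return list(self._consultations)

    # Working section: proxy signing keys delegated to this card holder.
    def add_proxy_key(self, chn: str, delegator: str, key_and_cert: bytes) -> None:
        self._check_pin(chn, self._chn, "CHN")        # assumption
        if len(key_and_cert) > self.KEY_AND_CERT_BYTES:
            raise CardError("key and certificate exceed 350 B")
        if delegator not in self._proxy_keys and \
                len(self._proxy_keys) >= self.MAX_PROXY_KEYS:
            raise CardError("card holder may be proxy signer for three people")
        self._proxy_keys[delegator] = bytes(key_and_cert)
```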

As a final note, we point out some existing health card systems for comparison with ours. The Health Smart Card in Texas [33] serves mainly as a medical data container, and the Health Card in France [34], besides containing health care information, is intended more as a paying means for health services. The Health Professional Card (HPC) [36] has been standardized on European level as CEN prEVN 13 729 “Health Informatics—Secure User Identification—Strong Authentication using Microprocessor Cards” [37] as well as consistently on the German national level as the HPC Protocol [38]. HPC tends to provide identification services with security functionalities such as digital signature and encryption.

E. Related Work

The anonymous e-prescription system in [14] solves privacy protection problems in the following way. The privacy of a patient is preserved by applying for a pseudonym from his insurer and signing the prescription under the pseudonym. Linkability is achieved also with respect to the pseudonym. Apparently, revocation can be accomplished by the insurer. Anonymity of the doctor is achieved by the doctor joining a group and then issuing group signatures on the prescription pads (a group signature scheme [15] is employed for static groups and an online group signature scheme is designed for highly dynamic groups). Special care is given to make the group signatures linkable. The work in [16] is intended to protect doctors’ identities in the prescription pads while at the same time allow data to be aggregated for the purposes of research and statistical analysis. The method utilized is to present prescription data in two distinct batches: one batch includes prescription information with scrambled doctor references and the other batch contains the scrambled doctor reference and the exact doctor information. The identity of the doctor could then be released or kept hidden, according to the doctor’s preference. Another work related to ours is in [50]; it presents a clearing scheme for the German health care system, addressing the privacy issues among various parties such as physician, insurers, pharmacies, etc., in the overall context of medical processes.

V. CONCLUSION AND FUTURE WORK

In this paper, we have introduced a smart card enabled e-prescription system with the following features distinguishing it from the system in [14]. First, the introduction of a smart card carrying personal health and insurance information greatly simplifies the process of diagnosis and medicine prescription, while smart card in [14] is intended only for signing purposes. Second, pre-approval for a prescription from the insurer in [14] is no longer deemed necessary in our case, because the doctor has enough information in the smart card to support his prescription, for which the patient can later get reimbursement from the insurer. Third, we identified and accommodated the need for the patients to delegate their prescription rights to other people, e.g., the custodians. This would protect the privacy of information stored in the smart cards, making our system more acceptable in practice. The work in [14] did not consider delegated signing. In addition, we explicitly pointed out that the prescription signing key of a patient is to be short term, so the renewal of the patient’s pseudonym, prescription signing key, and proxy signing keys can be facilitated easily.

We believe that our proposed system is quite practical considering smart cards have already been deployed in some health care systems [33], [34], [36]. Implementation of each step of our protocol at the smart card level within a real-world e-prescription environment is our future work.

ACKNOWLEDGMENT

The authors would like to thank the anonymous reviewers for their valuable suggestions to improve the quality of this paper.

REFERENCES

[1] C. Lambrinoudakis and S. Gritzalis, “Managing medical and insurance information through a smart-card-based information system,” J. Med. Syst., vol. 24, no. 4, pp. 213–234, 2000.

[2] J. L. Zoreda and J. M. Oton, Smart Cards. Norwood, MA: Artech House, 1994.

[3] T. S. Chan, “Integrating smart card access to web-based medical information system,” in Proc. ACM Symp. Applied Computing, 2003, pp. 246–250.

[4] D. F. Linowes and R. C. Spencer. (1997) How employers handle employees’ personal information. [Online]. Available: http://www.kentlaw.edu/ilw/erepj/v1n1/lino-main.htm

[5] N. Keene, W. Hobbie, and K. Ruccione, Childhood Cancer Survivors: A Practical Guide to Your Future: O’Reilly & Associates Inc., 2000.

[6] R. Weiss, “Ignorance undercuts gene tests’ potential,” The Washington Post, p. A1, 2000.

[7] National Standards to Protect the Privacy of Personal Health Information, Office for Civil Rights. (2001). [Online]. Available: http://www.hhs.gov/ocr/hipaa/

[8] T. Albert. (2000) Doctors ask AMA to assure some privacy for their prescription pads. [Online]. Available: http://www.ama-assn.org/sci-pubs/amnews/pick_00/prl11225.htm

[9] Food and Drugs Administration. Medwatch: The FDA Safety Information and Adverse Event Reporting Program. [Online]. Available: http://www.fda.gov/medwatch/

[10] Standards for Privacy of Individually Identifiable Health Information, Office for Civil Rights. (2001). [Online]. Available: http://www.hhs.gov/ocr/hipaa/finalmaster.html

[11] Health Care Financing Administration. (2001) Study of Pharmaceutical Benefit Management. [Online]. Available: http://www.hcfa.gov/research/pharmbm.pdf

[12] J. Ledbetter. (1999) Is Buying Drugs on the Web too Easy?. [Online]. Available: http://www.cnn.com/TECH/computing/9906/29/drugs.idg/index.html

[13] California Board of Pharmacy, California Pharmacy Laws. Sacramento, CA.

[14] G. Ateniese and B. Medeiros, “Anonymous e-prescriptions,” in Proc. ACM Workshop Privacy in the Electronic Society (WPES02), 2002.

[15] G. Ateniese, J. Camenisch, M. Joye, and G. Tsudik, “A practical and provably secure coalition-resistant group signature scheme, advances in cryptology,” in Proc. CRYPTO’00 (Lecture Notes in Computer Science). Berlin, Germany: Springer-Verlag, 2000, vol. 1880, pp. 255–270.

[16] V. Matyáš Jr., “Protecting doctor’s identity in drug prescription analysis,” Health Informatics J., vol. 4, p. 4, 1998.

[17] B. Schneier and A. Shostack, “Breaking up is hard to do: Modeling security threats for smart cards,” in Proc. USENIX Workshop on Smart Card Technology, 1999, pp. 175–185.

[18] B. Lee, H. Kim, and K. Kim, “Strong proxy signature and its applications,” in Proc. SCIS, 2001, pp. 603–608.

[19] H. M. Sun and B. T. Hsieh, “On the security of some proxy signature schemes,” Cryptology ePrint Archive no. 068, 2003.

[20] M. Mambo, K. Usuda, and E. Okamoto, “Proxy signature for delegating signing operation,” in Proc. 3rd ACM Conf. Computer and Communications Security, 1996.

[21] S. Kim, S. Park, and D. Won, “Proxy signatures, revisited,” in Proc. Int. Conf. Information and Communication Security (Lecture Notes in Computer Science). Berlin, Germany: Springer-Verlag, 1997, vol. 1334, pp. 223–232.

[22] H. Petersen and P. Horster, “Self-certified keys-concepts and applications,” in Proc. Communications and Multimedia Security, IFIP, 1997, pp. 102–116.

[23] K. Zhang, “Threshold proxy signature schemes,” in Proc. Information Security Workshop, Japan, 1997, pp. 191–197.

[24] N. Y. Lee, T. Hwang, and C. H. Wang, “On Zhang’s nonrepudiable proxy signature schemes,” in Proc. 3rd Australasian Conf. Information Security and Privacy, 1998, pp. 415–422.

[25] C. Schnorr, “Efficient identification and signature for smart cards,” in Advances in Cryptology, CRYPTO’89 (Lecture Notes in Computer Science). Berlin, Germany: Springer-Verlag, 1989, vol. 435, pp. 235–251.

[26] V. Varadharajan, P. Allen, and S. Black, “An analysis of the proxy problem in distributed systems,” in Proc. IEEE Symp. Research in Security and Privacy, 1991, pp. 255–275.

[27] B. C. Neuman, “Proxy-based authorization and accounting for distributed systems,” in Proc. 13th Int. Conf. Distributed Computing Systems, 1993, pp. 283–291.

[28] B. Lee, H. Kim, and K. Kim, “Secure mobile agent using strong non-designated proxy signature,” in Proc. ACISP (Lecture Notes in Computer Science). Berlin, Germany: Springer-Verlag, 2001, vol. 2119, pp. 474–486.

[29] A. Lysyanskaya, R. Rivest, A. Sahai, and S. Wolf, “Pseudonym systems,” in Selected Areas in Cryptography (Lecture Notes in Computer Science). Berlin, Germany: Springer-Verlag, 1999, vol. 1758.

[30] J. Camenisch, J. M. Piveteau, and M. Stadler, “Blind signatures based on the discrete logarithm problem,” in Advances in Cryptology, EUROCRYPT ’94, vol. 950, LNCS, 1994, pp. 428–432.

[31] D. Pointcheval and J. Stern, “Provably secure blind signature schemes,” in Advances in Cryptology, ASIACRYPT’96 (Lecture Notes in Computer Science). Berlin, Germany: Springer-Verlag, 1996, vol. 1163, pp. 252–265.

[32] Council of Europe, “On the Protection of Medical Data,” Recommendation R(75), 1997.

[33] Council of Europe. [Online]. Available: http://www.healthsmartcard.net/

[34] R. Neame, “Smart cards - the key to trustworthy health information systems,” BMJ, vol. 314, pp. 573–577, 1997.

[35] Council of Europe. [Online]. Available: http://www.gprd.com

[36] B. Blobel and P. Pharow, “Security infrastructure of an oncological network using health professional cards,” in Health Cards ’97 (Series in Health Technology and Informatics). Amsterdam, The Netherlands: IOS Press, 1997, vol. 49, pp. 323–334.

[37] “Health Informatics-Secure User Identification-Strong Authentication Using Microprocessor Cards (SEC-ID/CARDS),” report, CEN TC 251 prENV 13 729, 1999.

[38] (1999) The German HPC Specification for An Electronic Doctor’s Licence, Version 0.81. HPC. [Online]. Available: http://www.hpc-protocol.de

[39] New Zealand Privacy Commissioner, “Health Information Privacy Code,” 1994.

[40] European Committee for Standardization. Technical Committee for Health Informatics. Rep. CEN/TC251. [Online]. Available: www.centc251.org

[41] Y. J. Yang, “Security Issues in Health Care,” Term Rep., 2003.

[42] “The European Union Privacy Directive,” report, 95/46/EC.

[43] “Bill to Protect Personal Data,” Japan, 1999.

[44] “Act for the Protection of Personal Information Maintained by Public Agencies,” South Korea, 1994.

[45] ISO/IEC, “Information Technology-Identification Cards-Integrated Circuit(s) Cards With Contacts-Part 4: Interindustry Commands for Interchange,” standard, Std. ISO/IEC 7816-4, 1995.

[46] ISO/IEC, “Information Technology-Identification Cards-Integrated Circuit(s) Cards With Contacts-Part 8 Security Related Interindustry Commands,” standard, Std. ISO/IEC 7816-8, 1999.

[47] ISO/IEC, “Information Technology-Identification Cards-Integrated Circuit(s) Cards With Contacts-Part 9 Additional Interindustry Commands and Security Attributes,” standard, Std. ISO/IEC 7816-9, 2000.

[48] [Online]. Available: http://www.infineon.com/

[49] [Online]. Available: http://www.atmel.com/

[50] G. Bleumer and M. Schunter, “Privacy oriented clearing for the German health care system,” in Personal Information Security, Engineering and Ethics, I. R. Anderson, Ed. New York: Springer-Verlag, 1997, pp. 175–194.

Yanjiang Yang received the B.S. degree in computer science from Nanjing University of Aeronautics and Astronautics, Nanjing, China, in 1995 and the M.S. degree in biomedical imaging from National University of Singapore, Singapore, in 2001.

He is now working towards the Ph.D. degree at the School of Computing, National University of Singapore, attached to the Institute for Infocomm Research, A*STAR, Singapore. His research areas include information security and biomedical imaging.

Xiaoxi Han received the B.S. degree in mathematics and the M.S. degree in electronic engineering in 1992 and 1997, respectively. He is now working towards the Ph.D. degree at the Laboratory of Computer Science, Institute of Software, Chinese Academy of Sciences, Beijing, China.

His research areas include information security and smart card applications.

Feng Bao received the B.S. and M.S. degrees from Peking University, Beijing, China, and the Ph.D. degree from Gunma University, Gunma, Japan, in 1984, 1986, and 1996, respectively.

From 1990 to 1991, he was a Visiting Scholar at the Hamburg University, Hamburg, Germany, and from 1987 to 1993, an Assistant/Associate Professor at the Institute of Software, Chinese Academy of Sciences, Beijing. Currently he is a Lead Scientist and the Head of the Cryptography Lab of the Institute for Infocomm Research, Singapore. His research areas include algorithm, automata theory, complexity, cryptography, distributed computing, fault tolerance, and information security. He has published more than 80 international journal/conference papers and filed 16 patents.

Robert H. Deng received the B.Eng. degree from the National University of Defense Technology, Changsha, China, in 1981 and the M.Sc. and Ph.D. degrees from the Illinois Institute of Technology, Chicago, in 1983 and 1985, respectively.

He is currently the Principal Scientist and Manager of Infocomm Security Department, Institute for Infocomm Research, Singapore. He has 10 patents and more than 130 technical publications in refereed journals and conferences in the areas of error control coding, digital communications, computer networking, cryptographic techniques, and information security. He has served on the advisory, technical and program committees of numerous international conferences.

Dr. Deng received the Outstanding University Researcher Award from the National University of Singapore in 1999.