=Paper= {{Paper |id=Vol-2749/paper7 |storemode=property |title=Blockchain as an Enabler for Cybersecurity Use Case: Electronic Health Records in Switzerland |pdfUrl=https://ceur-ws.org/Vol-2749/paper7.pdf |volume=Vol-2749 |authors=Pascal Moriggl,Petra Maria Asprion,Fabienne Kramer |dblpUrl=https://dblp.org/rec/conf/ifip8-1/MorigglAK20 }} ==Blockchain as an Enabler for Cybersecurity Use Case: Electronic Health Records in Switzerland== https://ceur-ws.org/Vol-2749/paper7.pdf
          Blockchain as an Enabler for Cybersecurity
      Use Case: Electronic Health Records in Switzerland

               Pascal Moriggl[1], Petra Maria Asprion[1], Fabienne Kramer[1]

    FHNW, University of Applied Sciences and Arts Northwestern Switzerland, CH-4002 Basel



         Abstract. In the application of Electronic Health Records (EHR), cybersecurity is an essential control and needs to be strongly considered to fulfil data protection requirements. Regarding cybersecurity needs in Healthcare, blockchain-based technologies seem promising due to their inherent security features. Therefore, this study investigates cybersecurity requirements for EHR and whether a blockchain-based solution can cover them. There are already approaches which apply Blockchain for EHR, but these do not explicitly consider cybersecurity, which forms the research gap. As a unit of analysis, 'Hyperledger Sawtooth' as an enterprise blockchain platform was used. The results showed that Hyperledger Sawtooth performs quite well regarding the coverage of cybersecurity-relevant requirements for EHR. However, there are 'natural' divergences concerning specific cybersecurity attributes between blockchain-based and non-blockchain-based systems. The outcome of this study is a generic assessment tool which can be used to assess the coverage of cybersecurity requirements for both blockchain-based and non-blockchain-based EHR systems.

         Keywords: Hyperledger Sawtooth, Blockchain, Cybersecurity, Healthcare, Electronic Health Records.


1        Introduction

The rise of the Blockchain technology (in this study referred to as Blockchain) started back in the year 2008 with the publication of the whitepaper 'Bitcoin: A Peer-to-Peer Electronic Cash System', which was published under the alias Satoshi Nakamoto [1]. Blockchain has therefore been around for more than a decade. Since the publication of the whitepaper, many other possible applications for Blockchain outside of cryptocurrencies have emerged [2]. Gartner [3] lists 'Blockchain for data security' - which is part of this study's focus area - in the innovation trigger phase of their 2018 hype cycle for emerging technologies and expects it to reach the plateau in five to ten years. Blockchain itself is already descending on the cycle. However, Blockchain is still within the peak of inflated expectations phase, which means that early publicity produces success stories but also failures [4]. While still in the early stages, there already exist some promising use cases regarding Blockchain focused on cybersecurity applications [5] [6] [7].
   Hölbl, Kompara, Kamišalić, & Zlatolas [8] argue that Blockchain offers excellent potential for use in Healthcare because this sector processes masses of sensitive

  “Copyright © 2020 for this paper by its authors. Use permitted under Creative Com-
mons License Attribution 4.0 International (CC BY 4.0).”




data for which data security must be guaranteed. Rabah [9] complements that Blockchain in Healthcare offers lower costs by, e.g., reducing waiting times and paperwork or avoiding multiple registration processes. Furthermore, Blockchain has unique characteristics that enable innovations in cybersecurity [7]. Cybersecurity is an essential need when establishing EHR because of the necessary adherence to regulations, mainly digital data protection. For this reason, this study addresses Blockchain as an innovation and an enabler for cybersecurity in the context of Healthcare.


2      Research Rationales

   This study evaluates the characteristics of Blockchain in the context of Healthcare (in short 'health'), notably in the Swiss landscape, as a cybersecurity risk mitigation technology. Cyber threats are increasing and becoming steadily more targeted, complex and sophisticated. The Healthcare sector in particular is vulnerable to cyber threats. For the ninth consecutive year, Healthcare organizations have the highest cost associated with data breaches, 6.45 million US dollars. That is over 60% above the global average for all industries and therefore more than the cost of a data breach in the financial sector [10]. Blockchain is extremely interesting for this sector because it offers promising opportunities to enhance cybersecurity [5,6,7]. According to Gartner [3], Blockchain 'has the potential to increase resilience, reliability, transparency and trust in centralized systems'. This study aims at exploring whether a Blockchain can be used to enable cybersecurity for EHR in the first place. The following research questions were derived:
    RQ1: What are the relevant cybersecurity requirements for EHR?
    RQ2: Which of these requirements (RQ1) does Hyperledger Sawtooth cover?
    RQ3: How does Hyperledger Sawtooth compare to a 'traditional' database-based solution in terms of meeting the requirements (RQ2)?
EHR integrates an individual's medical health records generated by a health service provider (e.g. a physician, a medical assistant, a pharmacist) and private health records generated by the individual. EHR allows the sharing of data between authorized providers. However, an individual should be able to decide and provide his or her authorization [11]. This also applies to the situation in Switzerland, where collections of personal documents with information about an individual's health will be stored in a nationwide system called 'Elektronisches Patientendossier'¹, or 'Swiss Electronic Patient File' (EPF). The aim is that this information can be accessed by the individual and authorized Healthcare providers at any time; the individual decides who can view which information during which time frame [12]. The Swiss office of the national coordinator for 'Health Information Technology' [13] distinguishes between 'Electronic Medical Records' (EMR), 'Electronic Health Records' (EHR) and 'Personal Health Records' (PHR). EMR holds information that is created and located within a single Healthcare institution (e.g. a medical centre or hospital). EHR, on the other hand, include information that can be managed, supplemented and accessed across several Healthcare institutions. Finally, PHRs are digital applications that enable an individual to access, manage and share his or her own health information and that of others for whom he or she is authorized, in a private, safe and confidential environment. The Swiss EPF system will be such a digital PHR application that handles EHR. Health records are particularly sensitive data and are subject to laws and regulations.

¹ https://www.patientendossier.ch/de/bevoelkerung/kurz-erklaert (in German only)

                     Table 1. Data types of PHR based on Roehrs et al. [17]

       Data Type               Reference
       Allergies               Allergies and adverse reactions
       Demographic             Patient statistics and clinical data
       Documents               Attached files (photos, scanned documents)
       Evolution               Progress and clinic notes, care plan
       Family history          Family medical history
       General                 Patient registration information, emergency contact
       Genetic                 Genetic information
       Home monitor            Home-monitored data
       Immunizations           Immunization records (vaccine), tracking immunizations
       Insurance               Insurance plan information, coding for billing
       Laboratory results      Laboratory and imaging test results (laboratory tests)
       Major illnesses         List of major diseases
       Medications             Medication list prescribed, past medicines taken
       Prescriptions           Medical prescription refills (renewing)
       Prevention              Preventive health recommendations
       Providers               Previous Healthcare provider list
       Scheduling              Appointments, past procedures, hospitalizations
       Social history          Social history, lifestyle (health habits)
       Summaries               Admissions, permanency, and discharges
       Vital signs             Status of bodily functions

   According to the Swiss Federal Act on Data Protection (DSG) Art. 3 para. c dig. 2, health, intimacy or racial origin are particularly sensitive personal data. These data may only be processed with the explicit permission of the person concerned (DSG Art. 4 para. 5). As a total revision of the Swiss DSG is being planned [14], the current legal situation in the European Union (EU) with its relatively new 'General Data Protection Regulation' (GDPR) is sketched out below. GDPR came into effect in 2018 and affects subjects (citizens or residents of the EU) as well as controllers (persons who determine how and why personal data is processed) and processors (third parties who process personal data for a data controller). GDPR is one of the world's strictest data protection and security laws. Fines for violations are at a maximum of 20 million Euro or 4% of the global revenue [15]. Based on GDPR, it is forbidden to process health data unless exceptions apply. One of the exceptions is when the subject gives explicit consent to the processing (GDPR Art. 9). In practice, several different EHR data types on an individual's level (PHR) can occur in a digital application and are subject to the law, as stated in the GDPR description. Roehrs, Da Costa, Da Rosa Righi, & De Oliveira [17] derived from 48 articles a list of data types used in PHR applications such as the Swiss EPF. It can be anticipated that EHR may include all or particular data types listed in Table 1. In addition to the data types in Table 1, EHRs also contain information outside of the medical field, such as access logs, access and change rights or service provider information.
   An assessment tool could provide a point of reference for digital EHR systems to comply with legal (e.g. GDPR) and technical (e.g. cybersecurity) requirements in Healthcare. Therefore, the next section is dedicated to the compilation of cybersecurity requirements/criteria that such systems ideally should fulfil.


3      Cybersecurity Requirements for EHR

   Hoerbst & Ammenwerth [18] published a highly regarded study in which they compiled an extensive list of qualitative requirements for EHR systems. They collected criteria that relate to cybersecurity attributes such as 'confidentiality', 'integrity', 'availability', 'authenticity' or 'data security' [19].
   The (cyber) security-related attributes are explained in the following: 'Confidentiality' is given if the data in a system is only accessible to authorized persons. Measures must be taken to ensure access rights and access protection [20] and thereby guarantee confidentiality. 'Integrity' may include authenticity and non-repudiation and involves the completeness and correctness of data and the correct functioning of the system in which it is processed [20]. 'Availability' covers systems, applications and services as well as the data processed within them; it means that the systems, applications and services are operational at the defined times and that the data can be accessed as intended [20]. For 'availability', Hoerbst & Ammenwerth [18] indicated four requirements that EHR systems should provide; these are (1) availability of data/information should be ensured, (2) the system should support archiving of data, (3) the readability of archived data should be preserved, (4) deleted data should not be available in the system (e.g. display, export, …). For all attributes together, the adapted list contains 59 qualitative requirements that an EHR system should cover [19] and provides an answer to RQ1.
   Supporting structures, which we call 'frameworks', are essential for providing guidelines or assessment tools for a specific use case solution. There are already frameworks that guide the development of EHR systems using Blockchain. A systematic literature review using keywords such as 'EHR', 'EMR', 'PHR', 'Blockchain', 'Cybersecurity' and 'Framework' or 'Assessment Tool' was conducted. An overview of the frameworks found, differentiated according to 'theoretical' and 'operative' solutions, is presented in Table 2 and Table 3.

               Table 2. Theoretical solution proposals for Blockchain used in the EHR field.

Framework | Reference | Main Feature | Architecture
- | Shahnaz et al. (2019) [28] | Framework focusing on secure storage of EHRs concerning granular access management | Ethereum, three-layer architecture
BBDS | Xia et al. (2017) [29] | Data sharing framework focusing on access control for data in the cloud | Permissioned, three-layer architecture
BHEEM | Vora et al. (2019) [30] | Framework focusing on efficient storage and maintenance of EHRs | Ethereum, four components
BPDS | Liu et al. (2018) [31] | Preservation of privacy in EMR sharing | Consortium, three-layer architecture
DASS-CARE | Al-Karaki et al. (2019) [32] | Framework focusing on healthcare including the management of EMRs | Blockchain in general
EACMS | Rajput et al. (2019) [33] | Access control management of PHRs in case of emergencies | Permissioned (Hyperledger Fabric)
EMR-Share | Xiao et al. (2019) [34] | Framework focusing on cross-organizational medical data sharing and access management | Permissioned, three-layer architecture + Blockchain network
MeDShare | Xia et al. (2017) [35] | Sharing of medical data between cloud service providers | Four-layer architecture
               Table 3. Operative solution proposals for Blockchain used in the EHR field.

Framework | Reference | Main Feature | Architecture
MedBlock | (Medblock, 2017b) [36] | Solution focusing on business-to-business Blockchain protocol implementations, facilitating data analytics | Hyperledger Fabric
MedChain | Shen et al. (2019) [37] | User-driven framework for Healthcare data sharing | Dual-network architecture
Medicalchain | (Medicalchain, 2019) [38] | Solution focusing on maintaining a single true version of patient data and issuing tokens | Hyperledger Fabric and Ethereum
Med-Rec | Azaria et al. (2016); MedRec (n.d.) [39] | System to handle EMRs with mining rewards to medical stakeholders | Ethereum
DASS-CARE | Al-Karaki et al. (2019) [32] | Framework focusing on healthcare including the management of EMRs | Blockchain in general
EACMS | Rajput et al. (2019) [33] | Access control management of PHRs in case of emergencies | Permissioned (Hyperledger Fabric)
EMR-Share | Xiao et al. (2019) [34] | Framework focusing on cross-organizational medical data sharing and access | Permissioned, three-layer architecture + Blockchain
MeDShare | Xia et al. (2017) [35] | Sharing of medical data between cloud service providers | Four-layer architecture

   The findings showed that there is no framework for building Blockchain-based EHR systems in consideration of strong cybersecurity requirements, nor specifically for use in Switzerland (regulatory perspective). None of the frameworks found specifically considers (cyber) security. The lack of a means to check whether Blockchain covers the relevant EHR requirements for cybersecurity constitutes the research gap. Therefore, a cybersecurity requirement assessment tool for use in the EHR context is sketched, which aims at facilitating the comparison and coverage assessment of cybersecurity requirements for Blockchain and other - traditional - (database-based) systems (section 4.2 and resulting artefact in [19]). In the next step, the assessment tool is applied to the use case of EHR in Switzerland in order to compare and contrast the open-source Blockchain platform 'Hyperledger Sawtooth' as an alternative to the database solution 'Swiss Electronic Patient File' (EPF).


4      Use Case: Hyperledger Sawtooth for EHR

    Hyperledger Sawtooth, in the following referred to as Sawtooth, is an open-source project under the umbrella of the Hyperledger family hosted by the Linux Foundation [22]. Sawtooth is a modular platform that comes - by default - with robust security functionalities and offers various customizing options, and hence was chosen to represent a relevant Blockchain [23]. Sawtooth focuses on modularity, which allows enterprises to select the suited transaction rules, permissioning and consensus algorithms. While Sawtooth provides its own consensus algorithm 'Proof-of-Elapsed-Time' (PoET), it supports the use of other types of consensus algorithms [24]. PoET is based on a random lottery function. A random waiting period is assigned to each participating node in the network, to which the node must adhere. The node whose time is the shortest wins the block and can add the block to the Blockchain [25]. Sawtooth differentiates between PoET-SGX (Intel® Software Guard Extensions), which requires special hardware to ensure a trusted execution environment, and the PoET simulator, which can be executed on any type of hardware [24]. Concerning cryptography, Sawtooth uses the secure hash algorithms SHA-256 and SHA-512 as cryptographic safeguards in the transaction process [26]. With the Sawtooth-Ethereum integration project (Seth), it is possible to integrate Ethereum smart contracts into Sawtooth [24].
   For our use case, we decided to use EPF - a Swiss, non-blockchain solution for the collection of personal documents with treatment-relevant information from patients. These include, for example, the discharge report of a hospital, the medication list, x-rays or the vaccination card. The EPF does not contain all electronically collected health information, but only the information that is relevant for other professionals and further treatment. In addition to the EPF, the health service provider (e.g. the general practitioner) continues to keep a personal medical history, which contains more information than the EPF. The EPF does not contain documents from authorities or health insurance companies. Authorities and health insurers do not have access to the EPF [12]. All persons in Switzerland can request having their data in the EPF. With the EPF, patients can divide their documents into confidentiality levels and can grant and withdraw access to health service providers [12]. The EPF is established in a decentralized manner; it is an association of regional implementations from various providers. However, the legal requirements and rules are the same throughout Switzerland ('Technical and Organizational Certification Requirements for Communities and Core Communities' [21]). The decentralized approach offers basic security since not all EHR data is stored in a single place. The Federal Act on EPF stipulates how EPF must be organized and technically secured. Every provider of the EPF is examined, certified, and regularly inspected [12].


4.1     Assessment Tool Development

Following the research questions RQ2 and RQ3, the assessment tool is tested by filling in the Sawtooth capabilities that match the requirements (resulting artefact in [19]). Subsequently, the results are compared to the Swiss EPF. Categories and unstructured reasonings are assigned to compare whether Sawtooth or the Swiss EPF cover the EHR system requirements (based on the systems' documentation). The following listing explains the defined assessment categories:

                 Table 4. Requirements assessment category and their reasoning

      Category             Reasoning
      Yes                  Evidence has been found that the system meets the given require-
                           ment.
      By configuration     The system does not support the requirement by default. However,
                           the requirement can be met with additional tools that enhance the
                           system. For Sawtooth, this means an enhancement of the Blockchain
                           network.
      By extension         The system does not support the requirement by default. However,
                           the requirement can be met when the system is extended by addi-
                           tional soft- or hardware outside of the system.
      Organizational       The requirement is unrelated to technology and can be met on an or-
                           ganizational level by following suited frameworks or standards.
      No                   Framework focusing on healthcare including the management of
                           EMRs
      Unclear              No indication was found that the requirement could be covered by
                           the system, by the configuration of the system, by an extension
                           outside of the system or by organizational measures.

The assignment of the categories in Table 4 to each requirement was carried out in three iterations. For each EHR requirement, a comparison and coverage assessment for Sawtooth and EPF was conducted, peer-reviewed and validated by qualitative expert interviews. The experts were selected from the Swiss Blockchain research and EHR development communities. Unclear requirements were specified by consulting the documentation 'Technical and Organizational Certification Requirements for Communities and Core Communities' [21]; this document was used as a basis for assessing the requirements coverage by the Swiss EPF. It is essential to state that, since it is a requirements documentation, a final EPF solution must cover those requirements for certification but can additionally cover more features, e.g., towards cybersecurity. The final and full assessment tool is visible in [19].


4.2     Comparison and Coverage

   The results of the assessment of the coverage of EHR system requirements by Sawtooth and by the Swiss EPF are visualized in Fig. 1. If only those requirements were considered that have been categorized as 'Yes', many EHR system requirements that are covered, but not by default (category 'Yes'), would be missed.
          Fig. 1. EHR system requirements coverage by Sawtooth and by the EPF.




   Thus, it can be argued that Sawtooth, with 55 (93%) covered EHR system requirements, covers the requirements more thoroughly than the Swiss EPF with 43 (73%) covered EHR system requirements, when considering the assigned categories 'Yes', 'By Configuration' and 'By Extension'. The individual perspective shows that Sawtooth allows freedom to meet the requirements, either by choosing the right configuration or by relying on an extension (Fig. 2), and meets only a bit more than half of the requirements by default. Although Sawtooth covers the requirements well, it has disadvantages. Sawtooth poorly covers EHR system requirements pointing to the deletion of data. This is due to the inherent persistency of a Blockchain.
                 Fig. 2. EHR system requirements coverage by Sawtooth.




  There are various approaches to handling this issue. One of them is storing data off-chain. It is generally not necessary to store all transaction data on-chain. Data can as well be stored in another database and be linked by hashes to the Blockchain. Storing data off-chain would enable deletion following the EU GDPR [27]. This would also make sense for big files such as imaging. While Sawtooth covers many EHR system requirements, organizational factors should not be left out. An example is key management, with its critical tasks of assigning, storing and recovering keys in case they are lost.
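The off-chain pattern described above, as an added example that is not part of the paper or of Sawtooth: the chain keeps only a salted SHA-256 commitment of each health document, the document itself lives in a deletable store, and erasure removes the document and its salt so the remaining on-chain digest can no longer be linked to any content. `Ledger` and `OffChainStore` are stand-ins for a chain state entry and a conventional database; record ids, salts and documents are constructed sample values.

```python
import hashlib
import os
from dataclasses import dataclass, field
from typing import Iterable, Optional, Tuple


@dataclass
class Ledger:
    """Stand-in for append-only chain state (e.g. a Sawtooth state entry).
    Anchored digests can be appended but never removed."""
    entries: list = field(default_factory=list)

    def anchor(self, record_id: str, digest: str) -> None:
        self.entries.append((record_id, digest))

    def digests_for(self, record_id: str) -> list:
        return [d for rid, d in self.entries if rid == record_id]


class OffChainStore:
    """Stand-in for a conventional database holding the actual documents.
    Unlike the ledger, entries here can be deleted."""

    def __init__(self) -> None:
        self._docs: dict = {}

    def put(self, record_id: str, salt: bytes, document: bytes) -> None:
        self._docs[record_id] = (salt, document)

    def get(self, record_id: str) -> Optional[Tuple[bytes, bytes]]:
        return self._docs.get(record_id)

    def delete(self, record_id: str) -> bool:
        return self._docs.pop(record_id, None) is not None


def commitment(salt: bytes, document: bytes) -> str:
    """SHA-256 over salt || document. With a 32-byte random salt the digest is
    a hiding commitment: without the salt nobody can confirm a guessed document
    (e.g. a blood group, one of only a handful of values) against the chain."""
    return hashlib.sha256(salt + document).hexdigest()


def store_record(ledger: Ledger, store: OffChainStore, record_id: str,
                 document: bytes, salt: Optional[bytes] = None) -> str:
    """Write the document (and its salt) off-chain; anchor only the digest."""
    salt = os.urandom(32) if salt is None else salt
    digest = commitment(salt, document)
    store.put(record_id, salt, document)
    ledger.anchor(record_id, digest)
    return digest


def verify_record(ledger: Ledger, store: OffChainStore, record_id: str) -> bool:
    """Integrity check: recompute the commitment from the off-chain copy and
    compare it with the most recently anchored digest. Returns False when the
    document was altered or is no longer held off-chain."""
    held = store.get(record_id)
    anchored = ledger.digests_for(record_id)
    if held is None or not anchored:
        return False
    salt, document = held
    return commitment(salt, document) == anchored[-1]


def erase_record(store: OffChainStore, record_id: str) -> bool:
    """Erasure as required by GDPR: remove the document and its salt from the
    off-chain store. The digest remains on the immutable chain, but without
    the salt it can no longer be linked to any content."""
    return store.delete(record_id)


def unsalted_guess(digest: str, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Why the salt is needed: a plain SHA-256 of low-entropy health data can be
    matched by trying the few possible values. Returns the matching candidate,
    or None (which is the outcome against a salted commitment)."""
    for candidate in candidates:
        if hashlib.sha256(candidate).hexdigest() == digest:
            return candidate
    return None


if __name__ == "__main__":
    ledger, store = Ledger(), OffChainStore()
    doc = b"blood group: A+"  # constructed sample document
    rid = "patient-42/vitals-1"  # constructed record id
    digest = store_record(ledger, store, rid, doc)
    print("intact:", verify_record(ledger, store, rid))
    erase_record(store, rid)
    print("after erasure:", verify_record(ledger, store, rid))
    print("anchored digests kept:", ledger.digests_for(rid))
```

The integrity check reports the erased record as no longer verifiable, which is the intended outcome: the chain still proves that something was anchored, but the content itself is gone.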
                    Fig. 3. EHR system requirements coverage by EPF.




   The individual perspective on the EPF shows that the system covers more requirements by default, but has a significantly high number of cybersecurity requirements that are not met at all (Fig. 3). Because it is a system that has to fit into the existing health systems landscape, it allows for less flexibility in its design compared to Sawtooth. In conclusion, it can be said that a qualitative and quantitative comparison between the systems is possible. However, the two differ significantly in their architecture, primarily since the comparison and coverage assessment is based on a document for the Technical and Organizational Certification Requirements for Communities and Core Communities [21] and not on a concrete instance.


5      Conclusion and Further Research

   The main contribution of this study is the proposed assessment tool as a possibility to assess the coverage of cybersecurity-relevant EHR system requirements, with Sawtooth and the Swiss EPF as an exemplary use case. This study first outlined the relevance of EHR in combination with cybersecurity requirements and Blockchain as a potential enabling technology. As a foundation, the intersection of cybersecurity, Blockchain and EHR was discussed. Based on that, we developed an assessment tool which considers cybersecurity-related EHR requirements. The assessment tool was subsequently applied to Sawtooth and the Swiss EPF. The comparison showed that Blockchain, and in particular Sawtooth, could be used to enable cybersecurity for EHR. However, Sawtooth does not perform well on those requirements where permanent deletion of data is required. Thus, the critical characteristic 'persistency' - a strength of Blockchain in general - is a weakness in the context of EHR or for sensitive data in general. In section 4.2, it was mentioned that there are approaches to solving this problem. Besides, it should be noted that the Swiss EPF also covers many of the EHR requirements. This means that while Blockchain can be used to enable cybersecurity for EHRs, this can also be achieved with a non-Blockchain-based system. In addition to contributing to research, the final assessment tool in [19] could serve EHR custodians for their analysis of system variants.


6      References
 1. Nakamoto, S. (2008). Bitcoin: A Peer-to-Peer Electronic Cash System, (2008). Consulted,
    1–9. Journal for General Philosophy of Science, (1). https://doi.org/10.1007/s10838-008-
    9062-0.
 2. Zhao, J. L., Fan, S., & Yan, J. (2016). Overview of business innovations and research op-
    portunities in blockchain and introduction to the special issue. Financial Innovation, 2(1),
    1–7. https://doi.org/10.1186/s40854-016-0049-2.
 3. Gartner. (2018). 5 Trends Emerge in the Gartner Hype Cycle for Emerging Technologies,
    2018. Retrieved from https://www.gartner.com/smarterwithgartner/5-trends-emerge-in-
    gartner-hype-cycle-for-emerging-technologies-2018/.
 4. Gartner. (2019). Interpreting technology hype. Retrieved from https://www.gart-
    ner.com/en/research/methodologies/gartner- hype-cycle
 5. Kshetri, N. (2017). Blockchain's roles in strengthening cybersecurity and protecting privacy.
    Telecommunications         Policy,   41(10),     1027–1038.     https://doi.org/10.1016/j.tel-
    pol.2017.09.003.
 6. Liu, L., & Xu, B. (2018). Research on information security technology based on blockchain.
    2018 3rd IEEE International Conference on Cloud Computing and Big Data Analysis,
    ICCCBDA 2018, 380–384. https://doi.org/10.1109/ICCCBDA.2018.8386546.
 7. Taylor, P. J., Dargahi, T., Dehghantanha, A., Parizi, R. M., & Choo, R. (2019). A Systematic
    Literature Review of Blockchain Cyber Security. Digital Communications and Networks.
    https://doi.org/10.1016/j.dcan.2019.01.005.
 8. Hölbl, M., Kompara, M., Kamišalić, A., & Zlatolas, L. N. (2018). A systematic review of
    the use of blockchain in healthcare. Symmetry, 10(10). https://doi.org/
    10.3390/sym10100470.
 9. Rabah, K. (2017). Challenges & Opportunities for Blockchain Powered Healthcare Systems:
    A Review. Mara Research Journal of Medicine & Health Sciences, 1(1), 45–52.
10. IBM Security and Ponemon Institute. (2019). Cost of a Data Breach Report.
11. Ambinder, E. P. (2005). Electronic Health Records. Journal of Oncology Practice, 57–63.
12. ehealthsuisse. (2017). Meine Gesundheitsinfos. Zur richtigen Zeit am richtigen Ort. Meine
    Gesundheitsinfos. Zur richtigen Zeit am richtigen Ort. Retrieved from https://www.e-health-
    suisse.ch/fileadmin/user_upload/Dokumente/2017/D/171219_EPD-Broschuere_Bevoelker
    ung_d.pdf.
13. The Office of the National Coordinator for Health Information Technology. (2019). What
    are the differences between electronic medical records, electronic health records, and per-
    sonal health records? Retrieved from https://www.healthit.gov/faq/what-are-differences-be-
    tween-electronic-medical-records-electronic-health-records-and- personal.
14. Schweizerische Eidgenossenschaft. (2017a). Botschaft zum Bundesgesetz über die Totalre-
    vision des Bundesgesetzes über den Datenschutz und die Änderung weiterer Erlasse zum
    Datenschutz.
15. GDPR.eu. (n.d.). What is GDPR, the EU's new data protection law? Retrieved November
    28, 2019, from https://gdpr.eu/what-is- gdpr/.




                                               89
16. Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (EDÖB). (n.d.). Schweigepflicht. Retrieved from https://www.edoeb.admin.ch/edoeb/de/home/datenschutz/gesundheit/schweigepflicht.html.
17. Roehrs, A., Da Costa, C. A., Da Rosa Righi, R., & Kleinner, F. (2017). Personal health records: A systematic literature review. Journal of Medical Internet Research, 19(1). https://doi.org/10.2196/jmir.5876.
18. Hoerbst, A., & Ammenwerth, E. (2010). Electronic health records: A systematic review on quality requirements. Methods of Information in Medicine, 49(4), 320–336. https://doi.org/10.3414/ME10-01-0038.
19. Moriggl, P., Asprion, P., & Kramer, F. (2020). Appendix. Assessment Tool Application Comparison between a blockchain and a traditional database solution for electronic health records. BES2020. https://doi.org/10.13140/RG.2.2.24736.81924.
20. Bedner, M., & Ackermann, T. (2010). Schutzziele der IT-Sicherheit. Datenschutz und Datensicherheit - DuD, 34(5), 323–328. https://doi.org/10.1007/s11623-010-0096-1.
21. Eidgenössisches Departement des Innern EDI. (2019). Technische und organisatorische Zertifizierungsvoraussetzungen für Gemeinschaften und Stammgemeinschaften. Retrieved from https://www.bag.admin.ch/dam/bag/de/dokumente/nat-gesundheitsstrategien/strategie-ehealth/anhoerung-ausfuehrungsrecht/verordnungen/epdv-edi-anhang2.pdf.download.pdf/08-2_de_epdv-edi_anhang_2.pdf.
22. The Linux Foundation. (2018). Hyperledger Sawtooth. Retrieved from https://www.hyperledger.org/projects/sawtooth.
23. Moriggl, P., Asprion, P. M., & Schneider, B. (2021). Blockchain Technologies Towards Data Privacy—Hyperledger Sawtooth as Unit of Analysis. In: Dornberger, R. (ed.), New Trends in Business Information Systems and Technology. Studies in Systems, Decision and Control, vol. 294. Springer, Cham. https://doi.org/10.1007/978-3-030-48332-6_20.
24. Intel Corporation. (n.d.-e). Sawtooth - Introduction. Retrieved from https://sawtooth.hyperledger.org/docs/core/nightly/1-1/introduction.html?highlight=immutable.
25. Intel Corporation. (n.d.-f). Sawtooth - PoET 1.0 Specification. Retrieved from https://sawtooth.hyperledger.org/docs/core/nightly/1-1/architecture/poet.html?highlight=poet.
26. Intel Corporation. (n.d.-b). Sawtooth - Building and Submitting Transactions. Retrieved from https://sawtooth.hyperledger.org/docs/core/nightly/1-1/_autogen/txn_submit_tutorial.html?highlight=sha.
27. Finck, M. (2019). Blockchain and the General Data Protection Regulation - Can distributed ledgers be squared with European data protection law? Retrieved from https://www.europarl.europa.eu/RegData/etudes/STUD/2019/634445/EPRS_STU(2019)634445_EN.pdf.
28. Shahnaz, A., Qamar, U., & Khalid, A. (2019). Using Blockchain for Electronic Health Records. IEEE Access, PP, 1. https://doi.org/10.1109/ACCESS.2019.2946373.
29. Xia, Q., Sifah, E. B., Smahi, A., Amofa, S., & Zhang, X. (2017). BBDS: Blockchain-based data sharing for electronic medical records in cloud environments. Information (Switzerland), 8(2). https://doi.org/10.3390/info8020044.
30. Vora, J., Nayyar, A., Tanwar, S., Tyagi, S., Kumar, N., Obaidat, M. S., & Rodrigues, J. J. P. C. (2019). BHEEM: A Blockchain-Based Framework for Securing Electronic Health Records. 2018 IEEE Globecom Workshops, GC Wkshps 2018 - Proceedings, 1–6. https://doi.org/10.1109/GLOCOMW.2018.8644088.
31. Liu, J., Li, X., Ye, L., Zhang, H., Du, X., & Guizani, M. (2018). BPDS: A Blockchain Based Privacy-Preserving Data Sharing for Electronic Medical Records. 2018 IEEE Global Communications Conference, GLOBECOM 2018 - Proceedings, 1–6. https://doi.org/10.1109/GLOCOM.2018.8647713.
32. Al-Karaki, J. N., Gawanmeh, A., Ayache, M., & Mashaleh, A. (2019). DASS-CARE: A Decentralized, Accessible, Scalable, and Secure Healthcare Framework using Blockchain. 15th International Wireless Communications & Mobile Computing Conference (IWCMC), 330–335. https://doi.org/10.1109/iwcmc.2019.8766714.
33. Rajput, A. R., Li, Q., Ahvanooey, M. T., & Masood, I. (2019). EACMS: Emergency Access Control Management System for Personal Health Record Based on Blockchain. IEEE Access, 7, 84304–84317. https://doi.org/10.1109/ACCESS.2019.2917976.
34. Xiao, Z., Li, Z., Liu, Y., Feng, L., Zhang, W., Lertwuthikarn, T., & Goh, R. S. M. (2019). EMRShare: A Cross-Organizational Medical Data Sharing and Management Framework Using Permissioned Blockchain. Proceedings of the International Conference on Parallel and Distributed Systems - ICPADS, 2018-December, 998–1003. https://doi.org/10.1109/PADSW.2018.8645049.
35. Xia, Q., Sifah, E. B., Asamoah, K. O., Gao, J., Du, X., & Guizani, M. (2017). MeDShare: Trust-Less Medical Data Sharing among Cloud Service Providers via Blockchain. IEEE Access, 5, 14757–14767. https://doi.org/10.1109/ACCESS.2017.2730843.
36. Medblock. (2017b). MedBlock. Retrieved from https://www.medblock.co.uk/.
37. Shen, B., Guo, J., & Yang, Y. (2019). MedChain: Efficient healthcare data sharing via blockchain. Applied Sciences (Switzerland), 9(6). https://doi.org/10.3390/app9061207.
38. Medicalchain. (2019). Medicalchain - Blockchain for electronic health records. Retrieved from https://medicalchain.com/en/#mobile-site-navigation.
39. Azaria, A., Ekblaw, A., Vieira, T., & Lippman, A. (2016). MedRec: Using blockchain for medical data access and permission management. Proceedings - 2016 2nd International Conference on Open and Big Data, OBD 2016, 25–30. https://doi.org/10.1109/OBD.2016.1.