The security of electronic health (e-health) systems is another research area I looked into in the past. On the one hand, this area is an application domain of general system security; on the other hand, it has some particular issues which make it an interesting subfield in its own right. In healthcare, privacy and security come closer together than in most other fields, and there is a very strong demand for usable security because of the situations patients can be in (e.g. from simply sick to unable to talk, move, or even remember any credentials for authentication or the like).
Within the project e-Business Plattform für Gesundheit (eBPG), I led a small research team at university, where we designed and developed cryptographic protection for health care data that can be stored at decentralized and outsourced places (e.g. in the cloud). The cryptographic mechanism should be compatible with existing access control and management frameworks, but it should also be usable in practice, especially for older or technology-unskilled people. We developed a fully functioning prototype comprising an OpenXDS-based electronic health record database, our own user front-end implementation, and of course the encryption and security components that allowed easy-to-use end-to-end encryption of the health data. We published a whitepaper about this project.
Moreover, in another line of research I experimented with the idea of applying the concept of Trusted Virtual Domains (TVDs) to the e-health cloud. You can read more about it in the article "Securing the E-Health Cloud".
Once we are able to securely store electronic health records (EHRs) in the cloud, we still need to allow for secure access to these data on the end devices (laptops, smartphones, etc.). In particular, using mobile devices poses challenges, not only in general but very much in the healthcare domain. The reason is that in healthcare there are other circumstances and additional requirements on the use of technical equipment when it comes to immediate help for patients. A medical doctor cannot afford to fumble with a password login or other security controls when access to patient data is critical for the patient's life. For example, I discussed this issue in this article (in German).
During my postdoc time at university, I was the acting project manager of the RUBTrust/MediTrust project, where we aimed at developing and evaluating a secure and trustworthy client platform for the administration and processing of sensitive data. RUBTrust concerned data of students in an electronic administration system of a university, and MediTrust concerned electronic health data of patients. Both projects included an intensive end-user study to evaluate the usability of the underlying security mechanisms. In particular, this project implemented and tested ideas from applying the TVD concept to the e-health cloud.