E-Health Security

The security of electronic health (e-health) systems is another research area I looked into in the past. On the one hand, this area is an application domain of general system security; on the other hand, it has some particular issues that make it an interesting specific subfield. In healthcare, privacy and security come closer together than in most other fields, and there is a very strong demand for usable security because of the situations patients can be in (e.g. from simply sick to unable to talk, move, or even remember any credentials for authentication or the like).

Secure Storage of Health Records in the Cloud

Within the project e-Business Plattform für Gesundheit (eBPG), I led a small research team at university, where we designed and developed cryptographic protection for health care data that can be stored at decentralized and outsourced places (e.g. in the cloud). The cryptographic mechanism should be compatible with existing access control and management frameworks, but it should also be usable in practice, especially for older or technology-unskilled people. We developed a fully functioning prototype ranging from an OpenXDS-based electronic health record database and our own user front-end implementation to, of course, the encryption and security components that allowed an easy-to-use end-to-end encryption of the health data. We published a whitepaper about this project.


Moreover, in another line of research I was experimenting with the idea of applying the concept of Trusted Virtual Domains to the e-health cloud. You can read more about it in the article "Securing the E-Health Cloud".

Secure Access of Health Records on End Devices

Once we are able to securely store EHRs in the cloud, we still need to allow for secure access to these data on the end devices (laptops, smartphones, etc.). In particular, using mobile devices poses challenges, not only in general but very much in the healthcare domain. The reason is that in healthcare there are other circumstances and additional requirements on technical equipment usage when it comes to immediate help for patients. A medical doctor cannot afford to fumble with password login or other security controls when access to patient data is critical for the patient's life. For example, I discussed this issue in this article (in German).


During my postdoc time at university, I was the acting project manager of the RUBTrust/MediTrust project, where we aimed at developing and evaluating a secure and trustworthy client platform for the administration and processing of sensitive data. RUBTrust concerned data of students in an electronic administration system of a university, and MediTrust concerned electronic health data of patients. Both projects included an intensive end-user study to evaluate the usability of the underlying security mechanisms. In particular, this project was implementing and testing ideas from applying the TVD concept to the e-health cloud.

Research Works

Follow #ehealth2011: Measuring the Role and Effectiveness of Online and Social Media in Increasing the Outreach of a Scientific Conference
Marcel Winandy, Patty Kostkova, Ed de Quincey, Connie St Louis, Martin Szomszor.
Journal of Medical Internet Research 2016; 18(7):e191, DOI: 10.2196/jmir.4480
Whitepaper - Sicherheitsaspekte der einrichtungsübergreifenden Elektronischen Patientenakte 🇩🇪
Thomas Hupperich, Lennart Köster, Christoph Kowalski, Hiva Mahmoodi, Ahmad-Reza Sadeghi, Marcel Winandy.
Technical Report, Ruhr-Universität Bochum, December 2013.
Mit Sicherheit Mobil: Die Nutzung mobiler Geräte stellt Herausforderungen an Datenschutz und -sicherheit im Klinikalltag 🇩🇪
Agnes Gawlik, Marcel Winandy.
E-HEALTH-COM, Nr. 6, 2013, S. 38-39.
Standardorientierte Speicherung von verschlüsselten Dokumenten in einem XDS-Repository 🇩🇪
Lennart Köster, Fatih Korkmaz, Marcel Winandy.
Proceedings of the eHealth2013, May 23-24, Vienna, Austria, OCG, 2013.
Informationssicherheit in der Arztpraxis: Aktuelle Herausforderungen und Lösungsansätze 🇩🇪
Marcel Winandy.
Datenschutz und Datensicherheit (DuD) 06/2012, pp. 419-424, Springer Gabler, 2012.
Requirements for Integrating End-to-End Security into Large-Scale EHR Systems
Agnes Gawlik, Lennart Köster, Hiva Mahmoodi, Marcel Winandy.
Amsterdam Privacy Conference (APC 2012), Workshop on Engineering EHR Solutions (WEES), 2012
Flexible Patient-Controlled Security for Electronic Health Records
Thomas Hupperich, Hans Löhr, Ahmad-Reza Sadeghi, Marcel Winandy.
IHI 2012: Proceedings of the 2nd ACM SIGHIT International Symposium on Health Informatics, ACM, 2012.
MediTrust: Secure Client Systems for Healthcare IT to Protect Sensitive Data of Patients
Ammar Alkassar, Biljana Cubaleska, Hans Löhr, Ahmad-Reza Sadeghi, Christian Stüble, Marcel Winandy.
Med-e-Tel - Global Telemedicine and eHealth Updates: Knowledge Resources, Vol. 4, pp. 385-389, ISfTeH, Luxembourg, 2011.
A Security Architecture for Accessing Health Records on Mobile Phones
Alexandra Dmitrienko, Zecir Hadzic, Hans Löhr, Ahmad-Reza Sadeghi, Marcel Winandy.
Proceedings of the 4th International Conference on Health Informatics (HEALTHINF 2011), pp. 87-96, SciTePress.
Securing the E-Health Cloud
Hans Löhr, Ahmad-Reza Sadeghi, Marcel Winandy.
Proceedings of the 1st ACM International Health Informatics Symposium (IHI 2010), pp. 220-229, ACM.
A Note on the Security in the Card Management System of the German E-Health Card
Marcel Winandy
Electronic Healthcare, Third International Conference, eHealth 2010, LNICST 69, pp. 196-203, Springer, 2012.