Double encryption of anonymized electronic data interchange

Albert Vlug


Medical data
At the Erasmus University in the Netherlands we developed the national drug-safety system IPCI (Integrated Primary Care Information). A central database with Computerized Patient Records (CPR) of about 500.000 patients enable researchers to assess the effects and side-effects of the prescriptions. About 150 participating primary care doctors deliver weekly an update of all the changed CPR\x{FFFD}s to the IPCI database. In the Netherlands it is allowed to use CPRs for scientific research, but after 6 months the data must be destroyed. Since we aim to built a continuously increasing database of at least 5 years, we have to anonymize the data before they are sent to the central database.

Anonymization of the data
Both the patient identification in the data and the doctor identification in the data must be anonymized. We skip the name and address; only the sex and the month-year of birth will be sent from the doctor to the central database. Even the number of the patient in the doctors database will be replaced, because once the doctor may be a researcher using the central database who recognizes one of the patients based on the number. When data are collected for sending all patients are randomly numbered. The list of these numbers are stored in the database of the doctor, because each time a follow-up of a CPR is sent, the random number of the same patient must be the same in order to reconstruct the whole CPR in the central database. Not only the patient and the docter identification in the data, but also the doctor as the sender of data must be anonymized. An empty envelope around a floppy disk is sufficient for the anonymization of the doctor as sender, but electronic envelopes receives automatically a sender identification in the header of the electronic message. We cut this electronic head by creating a virtual postbox, that forwards all the incoming electronic data thereby replacing the doctors address by its own address. All the data we receive in the central database have one sender: the virtual postbox. Once this problem was solved a large complication occurs.

Encryption of the data
Collecting medical data electronically requires, according to our moral belief, also some kind of encryption. To be sure that the data are really sent by the sender of the electronic message, the double encryption of PGP is a suitable and widely used protocol. The sender encrypts his message with his secret key firstly and with the public key of the receiver secondly and afterwards he sends the message. The receiver must decrypt that message first with his own secret key and second with the public key of the sender according to the header. When the message is readable after this double decryption, one can be sure that the message was meant to be received by the decrypting receiver and the message was really sent by the sender named in the header of the message. Thus: double encryption needs the sender identification in order to decrypt the message with the senders public key. The problem with an anonymized electronic message is that the senders identification was anonymized by the virtual postbox!

Encryption of anonymized data
To use double encryption for anonymized electronic communication, new requirements must be specified. In this paper we suggest additional features that network providers must incorporate in the functionality of electronic message handlers. In fact we propose to add some ‘intelligence’ to the virtual postbox: instead of automatically forwarding, the postbox must now be able to read the sender from the header, select the appropriate public key from that sender, decrypt the message with that public key, replace the senders identification and encrypt the message with its own public key. On the receiver side (the central database) we have to decrypt the message with the secret key of the virtual postbox and after that with the secret key of the central database receiver. This procedure requires the availability of a list with only public keys at the virtual postbox, as well as a prgram to intervene the electronic communication. Unfortunately, so far none of the network providers is willing or has been able to implement it. We are building it ourselves first, to convince the technical feasability. Meanwhile it is a nice example of ethical constraints demanding new technology, instead of the opposite