Daniel Slamanig, Christian Stingl


If medical data are provided to third parties for secondary use, the protection of the patients privacy is an essential issue. In general this is accomplished by removing identifying and quasi-identifying information to provide k-anonymity for a given data set. This means, that one patient cannot be distinguished from at least k-1 other individuals. However, if the single records of the data set are digitally signed, the modification of the respective records destroys their integrity as well as their authenticity. Hence, digital signatures, which are an invaluable tool for verifying the integrity and authenticity of digital medical data, seem to be inadequate in this scenario. But, especially in context of secondary use, malicious manipulations and processing errors may lead to serious failures in a subsequent medical (treatment) process. In this paper we propose a novel approach based on generalized redactable signatures that realizes k-anonymity for sets of digitally signed records. To the best of our knowledge this is the first work that combines these seemingly contradictory topics very efficiently. In particular, the proposed solution allows any party to verify the original digital signatures for medical data, although these data are modified during the process of achieving k-anonymity. The main advantage of this approach is that all parties involved in the aforementioned process are able to verify the integrity and authenticity based on the original digital signatures.


  1. Ateniese, G., Chou, D., de Medeiros, B., and Tsudik, G. (2005). Sanitizable Signatures. In ESORICS 2005, volume 3679 of LNCS, pages 159-177. Springer.
  2. Bakken, D. E., Parameswaran, R., Blough, D. M., Franz, A. A., and Palmer, T. J. (2004). Data Obfuscation: Anonymity and Desensitization of Usable Data Sets. IEEE Security and Privacy, 2(6):34-41.
  3. Bloom, B. H. (1970). Space/Time Trade-offs in Hash Coding with Allowable Errors. Commun. ACM, 13(7):422-426.
  4. Ciriani, V., di Vimercati, S. D. C., Foresti, S., and Samarati, P. (2007). k-Anonymity. In Secure Data Management in Decentralized Systems, pages 323-353. Springer.
  5. Dolin, R., Alschuler, L., and et al., C. B. (2001). The HL7 Clinical Document Architecture. J. Am. Med. Inform. Assoc, 6:552-569.
  6. Eastlake, D., Reagle, J., and Solo, XML-Signature syntax and http://www.w3.org/TR/xmldsig-core/.
  7. D. (2002).
  8. Emam, K. E. (2008). Heuristics for De-identifying Health Data. IEEE Security & Privacy, 6(4):58-61.
  9. Goldreich, O., Goldwasser, S., and Micali, S. (1986). How to Construct Random Functions. J. ACM, 33(4):792- 807.
  10. Huda, N., Sonehara, N., and Yamada, S. (2008). A Privacy Management Architecture for Patient-Controlled Personal Health Record System. In NetApps 2008. IEEE Computer Society.
  11. Johnson, R., Molnar, D., Song, D., and Wagner, D. (2002). Homomorphic Signature Schemes. In CT-RSA 7802, volume 2271 of LNCS, pages 244-262. Springer.
  12. Li, N., Li, T., and Venkatasubramanian, S. (2007). tCloseness: Privacy Beyond k-Anonymity and lDiversity. In ICDE 2007, pages 106-115. IEEE Computer Society.
  13. Machanavajjhala, A., Kifer, D., Gehrke, J., and Venkitasubramaniam, M. (2007). l-Diversity: Privacy beyond k-Anonymity. ACM Transactions on Knowledge Discovery from Data, 1(1).
  14. Merkle, R. (1989). A Certified Digital Signature. In CRYPTO 7889, volume 435 of LNCS, pages 218-238. Springer.
  15. Miyazaki, K., Hanaoka, G., and Imai, H. (2006). Digitally Signed Document Sanitizing Scheme Based on Bilinear Maps. In ASIACCS 2006, pages 343-354. ACM.
  16. Riedl, B., Grascher, V., and Neubauer, T. (2008). A Secure e-Health Architecture based on the Appliance of Pseudonymization. Journal of Software, 3(2):23-32.
  17. Samarati, P. (2001). Protecting Respondents' Identities in Microdata Release. IEEE Trans. Knowl. Data Eng., 13(6):1010-1027.
  18. Samarati, P. and Sweeney, L. (1998). Generalizing Data to Provide Anonymity when Disclosing Information (Abstract). In PODS' 98, page 188. ACM Press.
  19. Slamanig, D. and Stingl, C. (2009). Disclosing Verifiable Partial Information of Signed CDA Documents using Generalized Redactable Signatures. In IEEE Healthcom 2009. IEEE Communications Society.
  20. Steinfeld, R., Bull, L., and Zheng, Y. (2001). Content Extraction Signatures. In ICISC 2001, volume 2288 of LNCS, pages 285-304. Springer.
  21. Sweeney, L. (2000). Uniqueness of simple demographics in the u.s. population. Technical report, Carnegie Mellon University.
  22. Sweeney, L. (2002). k-Anonymity: a Model for Protecting Privacy. Int. J. Uncertain. Fuzziness Knowl.-Based Syst., 10(5):557-570.

Paper Citation

in Harvard Style

Slamanig D. and Stingl C. (2010). k-ANONYMITY IN CONTEXT OF DIGITALLY SIGNED CDA DOCUMENTS . In Proceedings of the Third International Conference on Health Informatics - Volume 1: HEALTHINF, (BIOSTEC 2010) ISBN 978-989-674-016-0, pages 62-69. DOI: 10.5220/0002731700620069

in Bibtex Style

author={Daniel Slamanig and Christian Stingl},
booktitle={Proceedings of the Third International Conference on Health Informatics - Volume 1: HEALTHINF, (BIOSTEC 2010)},

in EndNote Style

JO - Proceedings of the Third International Conference on Health Informatics - Volume 1: HEALTHINF, (BIOSTEC 2010)
SN - 978-989-674-016-0
AU - Slamanig D.
AU - Stingl C.
PY - 2010
SP - 62
EP - 69
DO - 10.5220/0002731700620069