Available online at www.sciencedirect.

com
Available online at www.sciencedirect.com

ScienceDirect
ScienceDirect
Procedia online
Available Computer
at Science 00 (2023) 000–000
www.sciencedirect.com
Procedia Computer Science 00 (2023) 000–000
www.elsevier.com/locate/procedia
www.elsevier.com/locate/procedia
ScienceDirect
Procedia Computer Science 239 (2024) 1784–1791

CENTERIS – International Conference on ENTERprise Information Systems / ProjMAN –

CENTERIS – Conference
International InternationalonConference on ENTERprise
Project MANagement Information
/ HCist Systems
– International / ProjMANon–
Conference
International Conference on Project MANagement / HCist – International Conference
Health and Social Care Information Systems and Technologies 2023 on
Health and Social Care Information Systems and Technologies 2023
Electronic
Electronic health
health record
record authentication
authentication and
and authorization
authorization using
using
Blockchain
Blockchain and
and QR
QR codes
codes
Dragoș Dobreaa, Andrei Vasilățeanua,a, *
Dragoș Dobre , Andrei Vasilățeanu *
a
NationalUniversity of Science and Technology Politehnica Bucuresti, Department of Engineering in Foreign Languages
a
National University of Science and Technology Politehnica Bucuresti, Department of Engineering in Foreign Languages

Abstract
Abstract
One of the most important, from the privacy point of view, interactions of patients with the healthcare system is giving access to
One of the
medical most important,
information. from the
This paper privacy
presents point of view, interactions
a proof-of-concept for a systemof patients with the
that allows healthcare
selectively system
sharing is giving
medical access to
information
medical
from information.
electronic healthThis paper
records presents
using a proof-of-concept
Blockchain technologies for
andaQR system
codes.that
Thisallows selectively
is aligned sharing
to current medical
medical information
paradigms that
fromthe
put electronic health
patient in recordsofusing
the center Blockchain
the healthcare technologies
process and passandtheQR codes.ofThis
control the is aligneddata
medical to current medical
from doctors to paradigms that
patients. Such
put the patient in the center of the healthcare process and pass the control
decentralized systems are very good candidates for Blockchain-based implementation. of the medical data from doctors to patients. Such
decentralized systems Published
© 2023 The Authors. are very good candidates B.V.
by ELSEVIER for Blockchain-based implementation.
© 2023
This is The
an Authors.
open access Published
article by ELSEVIER
under the CC B.V.
BY-NC-ND license (https://creativecommons.org/licenses/by-nc-nd/4.0)
© 2024
This The
is an Authors.
open access Published by Elsevier
article under B.V.
the scientific
CC BY-NC-ND license (https://creativecommons.org/licenses/by-nc-nd/4.0)
Peer-review
This is an under
open responsibility
access article of the
under the CC committee
BY-NC-ND of the
license CENTERIS – International Conference on ENTERprise
(https://creativecommons.org/licenses/by-nc-nd/4.0)
Peer-review
Information under responsibility
Systems / ProjMAN of
- the scientificConference
International committee on
of the CENTERIS
Project MANagement– International
/ HCist -Conference onConference
International ENTERprise on
Peer-review
Information under
Systemsresponsibility
/ ProjMAN of
- the scientific
International committee
Conference of
on the CENTERIS
Project MANagement/ ProjMAN
/ HCist/ HCist
- 2023
International Conference on
Health and Social Care Information Systems and Technologies 2023
Health andehr;
Keywords: Social Care Information
blockchain; e-health Systems and Technologies 2023
Keywords: ehr; blockchain; e-health

1. Introduction
1. Introduction
The main objective of this research is to provide a safe way, that enforces privacy, to provide access to electronic
The main objective of this research is to provide a safe way, that enforces privacy, to provide access to electronic
health records (EHR) to formal carers, on a need-to-know basis. There are many standards and approaches for
health records (EHR) to formal carers, on a need-to-know basis. There are many standards and approaches for

* Corresponding author.
* Corresponding
E-mail address:author.
[email protected]
E-mail address: [email protected]

1877-0509 © 2023 The Authors. Published by ELSEVIER B.V.

1877-0509 © 2023
This is an open The article
access Authors. Published
under the CCby ELSEVIERlicense
BY-NC-ND B.V. (https://creativecommons.org/licenses/by-nc-nd/4.0)
This is an open
Peer-review underaccess article under
responsibility the CC BY-NC-ND
of the scientific committee license (https://creativecommons.org/licenses/by-nc-nd/4.0)
of the CENTERIS – International Conference on ENTERprise Information Systems /
Peer-review under responsibility
ProjMAN - International of the
Conference onscientific committee of the
Project MANagement CENTERIS
/ HCist – International
- International Conference
Conference on Healthonand
ENTERprise
Social CareInformation
InformationSystems
Systems/
ProjMAN - International
and Technologies 2023 Conference on Project MANagement / HCist - International Conference on Health and Social Care Information Systems
and Technologies 2023

1877-0509 © 2024 The Authors. Published by Elsevier B.V.

This is an open access article under the CC BY-NC-ND license (https://creativecommons.org/licenses/by-nc-nd/4.0)
Peer-review under responsibility of the scientific committee of the CENTERIS / ProjMAN / HCist 2023
10.1016/j.procs.2024.06.358
 Dragoș Dobre et al. / Procedia Computer Science 239 (2024) 1784–1791 1785
2 Dragos Dobre et al. / Procedia Computer Science 00 (2023) 000–000

regulating access to EHRs, but various factors coming both from patients and healthcare institutions or providers are
usually making this a difficult process.
First, there are privacy concerns regarding medical data, and various legislations like the General Data Protection
Regulation in Europe or Health Insurance Portability and Accountability Act in USA, which must be taken into
consideration when such a system is developed. A key issue that is presented within the GDPR is “Privacy by
Design”. Systems that store sensitive user data like medical records should be designed to keep this data safe since a
breach could negatively impact real persons lives. Moreover, by respecting users’ privacy and building a secure
environment for their medical records, the software solution can gain trust and grow into being adopted at higher
scales by multiple medical centers, patients, and medical care providers. [1][9]
On the other hand, healthcare organizations can have data with commercial value stored along the medical
records. This means that they will choose to be careful with the locations where their data is stored and alter it in
case, they don’t trust the host. A solution to this problem would be to store all the electronic records in a
decentralized manner where each party is responsible for the security of data, but most importantly they all agree
upon a unitary authorization system. [2]
Another concern when it comes to electronic health records, is their reliability and fault tolerance. Accidents
happen, from fires due to human error to natural disasters like earthquakes and hurricanes. These are just some of
the events that can put digital records at risk if they are stored in a single location so a better solution must be
considered for a system that is going to handle vital records about medical histories. A decentralized system might
bring various benefits from fault tolerance to security and trust by the medical centres who are involved in storing
the medical records.
An ongoing concern among clinics and medical institutions in healthcare revolves around the storage of patient
records in remote locations, leading to apprehension about the reliability of such surroundings. The inherent
necessity for a dependable and secure platform to store these vital digital documents has motivated the investigation
of novel solutions.
A possible way to address this difficulty is the creation of a shared environment in which numerous healthcare
facilities store and handle patient data collectively. This collaborative architecture attempts to increase trust among
participating entities while also preserving the integrity and confidentiality of stored information. [3]
Various systems that offer personal health records storage have emerged from big corporations such as Apple and
Google. Apple's solution, [4] for example, is a complexly developed program that allows clinicians to securely save
patient data, categorize it for easy future retrieval, and provide meaningful visualizations and statistics about a
patient's health condition.
This research aims to investigate various proposed solutions to address the following challenges:
• Lack of trust in medical institutions by third parties using the commercial value of Electronic Health
Records (EHR) in their own interests.
• Giving patient’s the control over their own medical records for extended adoption of the solution.
• Difficulties in exchanging medical records between different software systems due to a lack of
standardization.
• The imperative of creating a user experience that promotes easy adoption and reduces disruption of existing
workflows.
One of the most important, from the privacy point of view, interactions of patients with the healthcare system, is
giving access to medical information. Our research targets this interaction, for which we propose a proof-of-concept
that allows the safe and intuitive sharing of sections of the EHR to authenticated formal carers, using Blockchain
and QR codes.
In the following we present the existing state-of-art in commercial EHR systems and in using Blockchain for
facilitating access to medical data. Then we present the design and implementation of our prototype and finally
conclusions.

2. State of the art

Several initiatives have been launched to address the difficulty of converting physical medical records to digital
format, using a variety of techniques. Each such undertaking is significant because it allows for a study of the
1786 Dragoș Dobre et al. / Procedia Computer Science 239 (2024) 1784–1791
Dragos Dobre et al. / Procedia Computer Science 00 (2023) 000–000 3

various methodologies and allows for comparative analysis to determine optimal features from each while
systematically correcting their flaws.
There are many widely accepted advantages of using electronic health records like the fact that they provide
accurate and useful data about patients to their doctors, allowing treatments to start more quickly and be more
efficient, for example in the case of diabetes. [5] Furthermore, care providers can help more patients since the time
dedicated to find the underlying cause of patient’s symptoms is significantly decreased. On the administrative side,
costs and errors can be reduced through digitally stored data and safety measures applied over it. [6]
Care Studio from Google is a software product which focuses on storing data about patients in a structured way
and allows doctors navigate seamlessly between records, filtering through various characteristics to easily discover
possible issues and causes of patient’s discomfort. Google’s software is characterized by user friendly interface,
highly advanced search system powered by their own search engine and the ability of generating a short and useful
description of each patient based on their conditions using machine learning.
On the other hand, this solution presents a series of potential drawbacks:
• Lack of trust in Google as a third party by healthcare institutions.
• It does not provide the ability to migrate data easily towards other formats.
• Patients have limited control over their own medical records.
There’s no easy way in which patients can manage what data will be shared with their health provider.
Another solution, OmniPHR, is not a product, but an architectural model that introduces blockchain technology
for handling personal health records. At the core of this architecture is the principle of storing EHR data as blocks
inside a blockchain. [7] The proposed model aims to use blockchain technology to distribute medical records
between the nodes of the system. Patient data is recorded on ledgers validated by these nodes, and it is also
encrypted for an added level of security. They are also focusing on the way each source of data is identified, by
having a digital signature for each data origin which can be a laboratory, certified health professional, and sensor
data that can come from various wearables the patient is using like their smartphone, sprots bracelet or smartwatch.
By eliminating the need of a third-party involvement in the flow of medical records, healthcare institutions can
accept the system more easily, and become responsible of the data they generate and present. Further application
development can be based on this mode, mainly because it is a well-documented project, and many implementation
aspects are described in detail.
Some disadvantages of OmniPHR would be:
• Limited control of the patient over their medical records.
• Already existent medical records should be adapted to be integrated with an OmniPHR solution.
Apple’s Health app come installed on any iOS and already offers a large range of functions which help people
track their health status. Additionally, this app allows users to store electronic health records, gather them from
healthcare providers and easily share them with their doctors. Similarly, to how Google Care Studio, health records
are categorized for creating a better user experience while using the app. This time, patients have full access to their
data, and can easily share it with other medical care providers.
Another important feature is that this app can make use of the SMART Health Cards framework to present
verifiable data about previous medical procedures. [8] This proved to be a useful specification during the Covid-19
vaccinations were a requirement for accessing different areas during the pandemic.
Apple designed this solution while having the patient in the center of attention. Data is securely stored on their
devices and this time, users have much more control over the way their data is being handled, and who has access to
it.
Storing the electronic health records on patient’s own devices coming from a single smartphone producer comes
with its own set of disadvantages:
• Data is at risk if the patient loses access to their Apple ID.
• Patients must enter Apple’s enclosed ecosystem if they want to access this app.
• Most data sharing functionalities are limited to the United States only.
More examples of EHR systems using Blockchain can be found in systematic reviews such as [10]. Compared to
existing approaches, the main novelty brought by our system is the focus on a seamless experience, on usability,
such as using QR codes for easier interactions.
 Dragoș Dobre et al. / Procedia Computer Science 239 (2024) 1784–1791 1787
4 Dragos Dobre et al. / Procedia Computer Science 00 (2023) 000–000

3. Design and implementation

For addressing some of the issues that are present in the previously presented implementations for storing and
sharing electronic health records, we propose to implement a prototype showcasing a scenario for sharing medical
information based on Blockchain and QR codes. The users of this application will be doctors and patients. The
patient will have authority over the own EHR data and will be able to decide what categories of data will be shared
with a doctor, and they must set a determined period in which the doctor will have access upon this data.
Analyzing the proposed use cases for this software system the following functional requirements are identified:
• Registration: create an account
• Sign In: get an authentication token based on credentials.
• Authentication: access a resource or endpoint based on permissions according to the authentication
token
• View EHR: view a list of a category of medical data.
• Filter EHR: filter received data based on relevant criteria.
• Add EHR: doctors can add new medical records.
• Request authorization: doctors can ask for extended authorization over a patient’s medical data.
• Share authorization: allow doctors access to specific categories of heath records.
The architecture of the application can be viewed in Fig.1. Each of the three main components of the application
can be deployed independently on a server. There is also the possibility of adding the build of the front-end
application inside the bundle of the back-end application but, deploying them independently allows for an easier
maintenance in the future, as new versions can be released separately without affecting other pieces of the web
application.

Fig. 1. Software architecture of the solution

The first important feature of the web application handling EHR authorization is making sure that users are
authenticated to interact with the application. At first the user will create an account by registering, which will
automatically create an Ethereum account on behalf of the user. This account will be later used for signing
transactions which will add authorization tokens to the smart contract managing that manages EHR authorization.
After authentication, a patient or a doctor can access health records that they need. Another key feature is the ability
of patients to share data easily and securely with their physicians. For this, they can complete a short form by
selecting the categories they wish to share and an expiration date after which the care provider won’t be able to
access their history anymore.
1788 Dragoș Dobre et al. / Procedia Computer Science 239 (2024) 1784–1791
Dragos Dobre et al. / Procedia Computer Science 00 (2023) 000–000 5

In Fig. 2(a) the short authorization form can be seen along with a QR code generated to share this data with a
doctor.

Fig. 2. (a) Authorization form (b) Scanning QR code

The QR code has a complex pattern since it stores a JWT containing the signature of the patient, the categories
that the doctor will be allowed to access and the expiration date. Additionally, this QR code is short-lived so it will
expire in a couple of minutes after generation to prevent other parties from getting authorized over the sensitive
medical information. On the other side, a physician will have an additional option to their account called “Scan QR
code” which will prompt a screen on which they could scan the code provided by a patient. Patients are supposed to
simply show the QR code generated on their smartphones such that care providers can scan them and gain access in
a matter of minutes as illustrated in Fig. 2(b). The QR code is detected, and a red square is drawn around it on the
camera view. This detail is not important in practice, since QR code decoding will instantly trigger a request to the
server and the response will appear in a matter of seconds.

The authorization sequence is presented in Fig 3.

Fig. 3. Authorization sequence

6 Dragos Dobre
Dragoș et al. et
Dobre / Procedia Computer
al. / Procedia Science
Computer 00 (2023)
Science 000–000
239 (2024) 1784–1791 1789

Fig. 4. EHR Authorization smart contract source code

Since Ethereum blockchain is being used for the current implementation, a smart contract written in Solidity will
facilitate the authorization procedures using blockchain technology. For developing the smart contract presented in
Fig. 4, the Remix integrated development environment has been used.
A smart contract written in Solidity has elementary types like unsigned integers, integers, and booleans. An
important data type is the address which is used to store account addresses. These elementary types along with some
more complex ones like strings and AuthorizationToken structure, and mappings are all the necessary elements to
build a blockchain based authorization system. All that is stored in the blockchain is a mapping of doctor addresses
that reference to a new mapping of patient addresses for which an AuthorizationToken is associated. The token is
comprised of an unsigned integer of 32 bytes where the timestamp of the expiration date and time are to be stored.
The other component of the token is a mapping between strings representing categories of medical data and a
Boolean value which specifies if the doctor is authorized over that category.
Two functions enable the interaction with the smart contract. The first one writes data to the blockchain and is
used to add a new token when a patient grants authorization to a healthcare provider, and the other one is used to
determine if the physician is authorized over the specified electronic health data category. The function that checks
for access is a view one, in terms of state mutability which means that it does not apply changes over the storage, but
only reads the value of the authorization’s variable.
In Fig. 5 the database structure is shown. The structure of the medical file is simplified, as the focus of this stage
of research was implementing the access using Blockchain.
1790 Dragos Dobre
Dragoș et al.et/ al.
Dobre Procedia Computer
/ Procedia Science
Computer 00 (2023)
Science 000–000
239 (2024) 1784–1791 7

Fig.5. Entity Relationship Diagram

4. Conclusion

We have presented a proof-of-concept for a workflow and application that eases the management of medical
information by the patient, allowing sharing selected sections of the EHR to authenticated formal carers. This is
aligned to current medical paradigms that put the patient in the center of the healthcare process and pass the control
of the medical data from doctors to patients. Such decentralized systems are very good candidates for Blockchain-
based implementation, and in this case, we use Blockchain, together with intuitive interactions, based on QR-codes
to easily and securely share medical data.

References

[1] “Privacy by Design - General Data Protection Regulation (GDPR).” https://gdpr-info.eu/issues/privacy-by-design/ (accessed Jun. 07, 2023).
[2] Fan, Kai, Shangyang Wang, Yanhui Ren, Hui Li, and Yintang Yang. (2018) "Medblock: Efficient and secure medical data sharing via
blockchain." Journal of medical systems 42, 1-11.
[3] Chen, Yi, Shuai Ding, Zheng Xu, Handong Zheng, and Shanlin Yang. (2019) "Blockchain-based medical records secure storage and medical
service framework." Journal of medical systems 43, 1-9.
[4] Rolnick, Joshua, Robin Ward, Gordon Tait, and Neha Patel. (2022) "Early adopters of apple health records at a large academic medical center:
cross-sectional survey of users." Journal of Medical Internet Research 24(1).
 Dragoș Dobre et al. / Procedia Computer Science 239 (2024) 1784–1791 1791
8 Dragos Dobre et al. / Procedia Computer Science 00 (2023) 000–000

[5] Marian, Constantin Viorel. (2021) "Artificial Intelligence Expert System Based on Continuous Glucose Monitoring (CGM) Data for Auto-
Adaptive Adjustment Therapy Protocol–How to Make Sensors and Patients to Think Forward and Work Together?." 2021 International
Conference on e-Health and Bioengineering (EHB). IEEE.
[6] “What are the advantages of electronic health records? | HealthIT.gov.” https://www.healthit.gov/faq/what-are-advantages-electronic-health-
records (accessed Jun. 02, 2023).
[7] Roehrs, Alex, Cristiano André Da Costa, and Rodrigo da Rosa Righi. (2017) "OmniPHR: A distributed architecture model to integrate
personal health records." Journal of biomedical informatics 71. 70-81.
[8] “SMART Health Cards Framework.” https://spec.smarthealth.cards/ (accessed Jun. 03, 2023).
[9] “Health Insurance Portability and Accountability Act of 1996 (HIPAA) | CDC.” https://www.cdc.gov/phlp/publications/topic/hipaa.html
(accessed Jun. 15, 2023).
[10]Mayer, A. H., da Costa, C. A., & Righi, R. D. R. (2020). Electronic health records in a Blockchain: A systematic review. Health informatics
journal, 26(2), 1273-1288.