Roger Clarke's Web-Site


© Xamax Consultancy Pty Ltd,  1995-2016

Roger Clarke's 'e-Health Research'

Research Challenges in Emergent e-Health Technologies

Roger Clarke

Principal, Xamax Consultancy Pty Ltd, Canberra

Visiting Fellow, Department of Computer Science, Australian National University

Notes to accompany a Panel Session on 'Research Challenges in Emergent e-Health Technologies', with Joan Cooper (Chair), Carole Alcock, Lois Burgess and Tanya Castleman, at the IFIP TC8 Conference on 'Developing a dynamic, integrative, multi-disciplinary research agenda in E-Commerce / E-Business', Salzburg, 22-23 June 2001

Version of 6 July 2001

© Xamax Consultancy Pty Ltd, 2001

This document is at


The focus of this Panel Session was on information technologies applied to health care. In addition to the long-promised health care smart-card, current initiatives include electronic health records (EHR), and unique patient identifiers (UPI). These are expected to provide greater accessibility to personal health care data. They tend to assume the consolidation of data from many sources into a single unified scheme (whether the data is stored centrally, or stored in dispersed databases but within an integrative architecture), or at least into a smaller number of schemes than exists at present.

The comments in this document address the following points:

The Potential Benefits of e-Health

There are potentials for the quality of health care to be enhanced through appropriate applications of information technology. Examples include the very prompt availability to carers in emergency settings of important information such as chronic conditions, blood group and allergies; more rapid access to relevant information in a variety of clinical settings; and on-line access to distant records.

On the other hand, there is a great deal of convenient mythology surrounding the importance of access to consolidated health care data. There is serious doubt about the proposition that doctors carefully consult all available historical information. Health carers, like all human beings, have a limited capacity to absorb information, and tend to focus on a few key sources that their experience or training cause them to consider the most important. Moreover, there are enormous dangers in information overload, especially in diagnosis and treatment contexts.

There are also many health carers whose qualifications do not prepare them to make full use of all information. This applies not only to nurses and para-professionals, but also to general practitioners (who have limited capacity to interpret the comments of specialists) and even specialists (in relation to comments by other specialists).

On balance, it is likely that patients have something to gain from such e-health initiatives as EHR and UPI; but not as much as might be suggested by the technologies' proponents. What's more, consultations across a range of health consumer groups indicate that there is interest in these technologies being used to make emergency data more readily available, and to enable access to medication information and the results of diagnostic tests; but that scepticism exists about their use for detailed event summaries, let alone full health care records.

Third parties, on the other hand, have a great deal to gain from the consolidation of patient data. In particular:

In short, the benefits of e-health arise to only a very limited extent in the area of enhancements of health care for patients. The primary purposes are resource-efficiency and social control.

The Risks Inherent in e-Health

The benefits of e-health initiatives accrue mostly to organisations rather than patients. Where do the negative impacts fall?

A fundamental question is whether EHRs will actually work. Consolidation of data into one or a few electronic records increases the scale and complexity of data storage and data processing systems. This greatly exacerbates the risk that the systems will not function effectively, and may even collapse. Rather than assuming that 'bigger is better' and that the competence of centralised schemes is better than that of dispersed services, consideration needs to be given to the risk of diseconomies of scale setting in. If the current myriad medium-sized systems suffer problems, perhaps larger systems will suffer even greater deficiencies.

Risks arise from e-health technologies that affect health carers and health care organisations. For example, evidence of negligence, improper behaviour and defamation more readily comes to light. The majority of the risks, however, impinge on patients. Patient risks are of a variety of kinds, including the following:

An important derivative risk is that, in order to avoid information going into an inherently insecure and increasingly consolidated and accessible record, individuals will leave conditions untreated, or stimulate the expansion of black and grey markets in health care services. Such developments would represent a serious reduction in the quality of health care of individuals; and, in such cases as serious communicable diseases, exacerbate threats to public health.

The public generally regards all health care data as being sensitive. Some categories of data, however, are of especiall concern. The following are important examples of highly sensitive health care data:

The degree of risk arising from the situations outlined in this section varies a great deal. One factor is the cultural context of the individual and the health carers. Another is the personal context. There is a range of categories of individuals, usefully summarised as persons at risk, who face especial dangers. These include:

For an introduction to privacy and dataveillance, see Clarke (1997), and for a deeper analysis see Clarke (1988).

Possible Solutions to the Problems

The concerns identified in the preceding sections would dissolve if the security of patient health care data could be guaranteed. This is, unfortunately, not feasible. A wide array of individuals need access to the data under a wide array of circumstances, including the ability to over-ride protections in emergencies. Hence any practical scheme involves the scope for substantial leakage of data. In addition, security is costly, both in monetary terms and in the inconvenience it imposes on health carers and the patient. For a background to information security, see Clarke (2001).

A means that is often suggested to address the problems is patient control over their own health care data. This would involve data being stored on the patient's own device rather than on devices under the control of health care organisations. This is usually envisaged as being a smart card carried by the patient. For a brief introduction to smart cards, see Clarke (1993), and for a fuller background document, see Clarke (1998).

There is a wide variety of difficulties with this idea. They include the following:

Another approach is dispersion of patient health care data. Physical dispersion involves maintaining data about particular conditions, episodes, procedures, medications, etc., in physically separate records, and ensuring that there are barriers that make it difficult for the data to be consolidated or even inter-related. The manner in which patient data is presently stored is only one of the many possible variants.

Despite the attractions of consolidation and inter-relatability of personal health care data, it may be necessary to abandon these ideas, recognise that the availability of health care data is one (albeit important) objective among many, and compromise the nirvana of a single electronic health record in order to satisfice the multiple aims rather than maximising one. Alternatively, it may be feasible to devise a scheme that features dispersion different from the present arrangements, but which provides improvements to health care and/or to health care administration without creating as many risks to the patient.

Another possibility is to conceive of segmented health care data, with each segment accessible only by particular categories of user. A dispersed record-segment relating to, say, a particular condition could be managed separately from each other segment. This idea has proven difficult to articulate, however, because of the high degree of complexity and inter-relationship involved in health care. A considerable proportion of each person's data would need to be in a common segment, accessible to all health carers who deal with that patient.

A further approach is to embed pseudonymity within the system. Few health care administrators appear to have codified the approach adopted to dealing with people who are at risk of excessive media attention, or of physical harm from third parties. There are, however, techniques used within health care organisations, and among medical records administrators, which protect the identities of some patients. These inevitablty involve the use of pseudo-identifiers (or 'nyms'). There may be an index that links the nym to a specific person. If so, the index has to be subject to substantial technical, organisational and legal protections.

Where a person has a single nym, the idea of a UPI can be sustained in its simplistic form of a single identifier for each person. A more effective protection is afforded where individuals adopt multiple nyms. This enables them to partition their lives, and permit access to their data in a controlled manner. Such schemes already function in such areas as discreet clinics for the treatment of sexually-transmitted diseases and drug-dependency. Extending these capabilities to additional functions would be of great value to patient privacy. There would be an apparent compromise to the quality of patient care, but this would need to be balanced against the other risks. That choice should rest with the patient.

Despite its importance, access to health care is subject to many qualifications, such as rights of residence, and evidence of health insurance. Constraints of this nature can seriously compromise privacy, and can undermine pseudonymity. The current mania for identity authentication needs to be replaced by schemes oriented towards attribute authentication, such that checking of the person's eligibility is undertaken, but without recording, and indeed without even requiring declaration of, the person's identity.

A study of human identification is in Clarke (1994). Pseudonymity and attribute authentication are addressed in some detail in Clarke (1999).


Increasing attention is being paid to the need for patient consent both to the performance of procedures and to use of data about them. This is particularly critical in such emergent environments as those in which the data is stored remotely from the point of capture (e.g. in consolidated records as is commonly the case with EHR and UPI), and in which a broad range of people may have access to the data (e.g. in coordination care settings).

It is vital that schemes be devised that can record the patient's consent, in a manner that enables access to be permitted within the terms of the consent, but also constrained by those terms. This is a challenging area in need of design-work and experimentation. Preliminary studies have made clear that an e-consent object needs to be devised; that it needs to reflect a hierarchy of consents and denials, each of which must be able to be expressed in relation to a particular health care professional, category of health care professionals, condition, medication, etc.; and that practical means for signifying consent need to be available in each primary care setting.

For an introduction to e-consent, see Clarke (2000).

Research Challenges

The purpose of this Panel was to consider the research challenges in emergent e-health technologies. For an introduction to research methods on information systems, see Clarke (1996).

The review conducted in the preceding sections has identified a range of difficulties arising, relating in part to quality of health care, but primarily to patient privacy. Each of these factors presents challenges to the researcher. This final section considers two additional issues.

The health care sector is enormously complex, and highly inter-connected. This makes it very difficult to segment the research domain and focus on a single, limited and manageable case. Relativelty small research projects are therefore at risk of artificially segmenting the domain and failing to control for important confounding variables.

A further consideration is the variety of vested interests involved in the health care sector, and the power that they wield. Health care professionals, especially doctors, control access to information, and in many cases they believe strongly in what they are doing and in the rectitude of how they are doing it. So too do hospital administrators; and researchers, investigators and insurers. There is ample opportunity for the hiding and the colouring of information and processes. Information collection must therefore be performed carefully, it is essential that multiple sources be used in order to achieve triangulation, and analysis of the data must be performed with a critical eye.


The quality of health care is very important. The purposes of e-health initiatives are in most cases oriented towards health care administration rather than health care. This creates serious risks that patient interests will be compromised in the interests of resource efficiency and social control. Research in this area is fraught with difficulties, but despite the challenges it is important that it be conducted.


Clarke R. (1988) 'Information Technology and Dataveillance' Commun. ACM 31,5 (May 1988) Re-published in C. Dunlop and R. Kling (Eds.), 'Controversies in Computing', Academic Press, 1991, at

Clarke R. (1993) 'Introduction to Chip-Cards and Smart Cards', 1993, at

Clarke R. (1994) 'Human Identification in Information Systems: Management Challenges and Public Policy Issues' Info. Technology & People 7,4 (December 1994). At

Clarke R. (1996) 'Appropriate Research Methods for Electronic Commerce', June 1996, at

Clarke R. (1997) 'Introduction to Dataveillance and Information Privacy, and Definitions of Terms', August 1997, at

Clarke R. (1998) 'Smart Card Technical Issues Starter Kit', Centrelink, April 1998, at

Clarke R. (1999) 'Anonymous, Pseudonymous and Identified Transactions: The Spectrum of Choice', Proc. IFIP User Identification & Privacy Protection Conference, Stockholm, June 1999, at

Clarke R. (2000) 'E-Consent: A Key Issue in the New E-Context', May 2000, at

Clarke R. (2001) 'Introduction to Information Security', February 2001, at

xamaxsmall.gif missing
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.

From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 50 million in early 2015.

Sponsored by Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916

Created: 24 June 2001 - Last Amended: 9 July 2001 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at
Mail to Webmaster   -    © Xamax Consultancy Pty Ltd, 1995-2013   -    Privacy Policy