This page gives an overview of the overall architecture and some security issues in the Dutch National Electronic Patient Record System (EPD).
A detailed technical description of the system and the security analysis can be found in Technical Report UVA-SNE-2010-01.
The Dutch Electronic Patient Record (EPD) System is a Dutch nationwide system for exchanging medical records, introduced in 2009-2010. The Dutch senate is currently preparing a decision on a law that regulates and mandates the use of the EPD for exchanging patient information in the Netherlands.
The EPD is generally characterized as a decentralized system. Patient records are stored in the systems used by the care professional(s), i.e., the responsibility for managing and storing these records remains with the care professionals; records are not stored in a central database as in, for example, the SPINE system used by the U.K. National Health Service.
The system's core is the National Switching Point (LSP in Dutch). This system contains a reference index which stores references (pointers) to patient records. Patient records are indexed using a unique identifier for patients (BSN, the former Dutch social security number) and an information type. Access control takes place centrally in the LSP, based on the authorization of the care professional for a given information category (e.g., GP record or pharmacy record). The patient records in the EPD will in most cases be professional summaries created by physicians for the purpose of sharing information with colleagues.
The decentralized information systems in which care professionals store their records, and which are connected to the LSP, are termed well-managed care systems (GBZ systems). Only systems that adhere to the requirements for GBZ systems can connect to the LSP.
The figure above shows the LSP in relation to GBZ systems. The central role of the LSP is clearly visible. To the right, GBZ systems (belonging to different organizations) are shown which have registered patient information in the LSP. Clients (physicians or mandated employees in a GBZ, left) can access the central reference index in the LSP to find relevant records, or they can construct a query to let the LSP find and retrieve relevant records. All access is mediated by the LSP. In reality, GBZ systems will contain client as well as server functionality.
GBZ systems may be small (e.g., GP systems) or very large, including hospitals that contain many different systems which contribute information to the EPD or from which requests are made. For more details, please refer to the paper.
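To make the interaction between the reference index, the central access check and the decentralized GBZ systems concrete, here is a small Python model of that flow. It is an added illustration and is not code from the LSP, from CSC or from the technical report: the class and function names, the BSN values, the information-type names and the record identifiers are all constructed, and the registration rule that skips opted-out patients is a simplification of what this page describes, not the real system's logic.

```python
"""Toy model of the LSP: a reference index plus central access mediation.

Added example. Every identifier and value below is constructed; nothing here
is taken from the real LSP implementation.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


class AccessDenied(Exception):
    """Raised by the LSP when a request fails its central authorization check."""


@dataclass(frozen=True)
class Reference:
    """One entry in the reference index: a pointer, never the record itself."""
    bsn: str        # patient identifier (constructed test value, not a real BSN)
    info_type: str  # information category, e.g. "gp_record" or "pharmacy_record"
    gbz: str        # name of the GBZ system that holds the record
    record_id: str  # locator inside that GBZ (assumed format)


class GBZ:
    """A care provider's own system: it keeps the records and serves retrievals."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._records: Dict[str, str] = {}

    def store(self, record_id: str, content: str) -> None:
        self._records[record_id] = content

    def retrieve(self, record_id: str) -> str:
        return self._records[record_id]


class LSP:
    """The switching point: holds only pointers and mediates every access."""

    def __init__(self) -> None:
        self.index: List[Reference] = []               # the reference index
        self.gbzs: Dict[str, GBZ] = {}                 # connected GBZ systems
        self.authorizations: Dict[str, Set[str]] = {}  # professional -> info types
        self.opted_out: Set[str] = set()               # BSNs that refused registration
        self.audit: List[Tuple[str, str, str, str]] = []  # (who, bsn, type, decision)

    def connect(self, gbz: GBZ) -> None:
        self.gbzs[gbz.name] = gbz

    def authorize(self, professional: str, info_type: str) -> None:
        self.authorizations.setdefault(professional, set()).add(info_type)

    def register(self, ref: Reference) -> bool:
        """Add a pointer; refused for opted-out patients and unconnected systems."""
        if ref.bsn in self.opted_out or ref.gbz not in self.gbzs:
            return False
        if ref not in self.index:
            self.index.append(ref)
        return True

    def _check(self, professional: str, bsn: str, info_type: str) -> None:
        """Central access decision; every decision is recorded in the audit trail."""
        allowed = info_type in self.authorizations.get(professional, set())
        self.audit.append((professional, bsn, info_type, "allow" if allowed else "deny"))
        if not allowed:
            raise AccessDenied(f"{professional} is not authorized for {info_type}")

    def query(self, professional: str, bsn: str, info_type: str) -> List[Reference]:
        """Look up pointers for a patient and category after the access check."""
        self._check(professional, bsn, info_type)
        return [r for r in self.index if r.bsn == bsn and r.info_type == info_type]

    def retrieve(self, professional: str, bsn: str, info_type: str) -> List[str]:
        """Query the index, then fetch each record from the GBZ that holds it."""
        refs = self.query(professional, bsn, info_type)
        return [self.gbzs[r.gbz].retrieve(r.record_id) for r in refs]


def demo() -> dict:
    """Walk through registration, an allowed retrieval and a denied one."""
    lsp = LSP()
    pharmacy, gp = GBZ("hospital-pharmacy"), GBZ("gp-practice")  # constructed
    lsp.connect(pharmacy)
    lsp.connect(gp)
    pharmacy.store("rx-1", "medication summary (constructed)")
    gp.store("gp-1", "GP summary (constructed)")
    lsp.opted_out.add("999000002")  # constructed test BSN of an opted-out patient

    ok_rx = lsp.register(Reference("999000001", "pharmacy_record", "hospital-pharmacy", "rx-1"))
    ok_gp = lsp.register(Reference("999000001", "gp_record", "gp-practice", "gp-1"))
    refused = lsp.register(Reference("999000002", "pharmacy_record", "hospital-pharmacy", "rx-2"))

    lsp.authorize("dr_jansen", "pharmacy_record")  # constructed professional
    retrieved = lsp.retrieve("dr_jansen", "999000001", "pharmacy_record")
    try:
        lsp.retrieve("dr_jansen", "999000001", "gp_record")
        gp_denied = False
    except AccessDenied:
        gp_denied = True
    return {"registered": (ok_rx, ok_gp), "optout_refused": not refused,
            "retrieved": retrieved, "gp_denied": gp_denied, "audit": lsp.audit}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The model deliberately keeps record content only inside the GBZ objects and only pointers inside the LSP, matching the decentralized storage described above, while the authorization decision and the audit trail live entirely in the LSP. That makes visible why the LSP is the single point through which every access passes: it is where a defender would expect to enforce and log access, and also the component whose correctness the whole scheme depends on.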
In fact, assumed consent has already been applied; CSC, the organization which implements and deploys the LSP, has reported in a presentation which I attended that batch jobs were run (for those patients that have not opted out) to register medical records from a hospital pharmacy in the LSP.