DocumentCode :
3381574
Title :
Disclosing verifiable partial information of signed CDA documents using generalized redactable signatures
Author :
Slamanig, Daniel ; Stingl, Christian
Author_Institution :
Healthcare IT & Inf. Security Group, Carinthia Univ. of Appl. Sci., Klagenfurt, Austria
fYear :
2009
fDate :
16-18 Dec. 2009
Firstpage :
146
Lastpage :
152
Abstract :
Digital signatures are an invaluable tool to provide a means for verifying the integrity and authenticity of digital medical documents. Since these documents may be used by several parties in medical treatment processes, the aforementioned properties are essential. However, the general principle of digital signatures is all or nothing. This means that, given a digital signature, it is only possible to verify whether it is valid for the entire document or not. Nevertheless, there is often a necessity that only a part of an already signed medical document is relevant in a subsequent process, e.g. in case of second opinions. Another scenario is the anonymization of medical documents for clinical studies, where the holder of a document solely wants to disclose parts of the document, i.e. for privacy reasons. Consequently, the original signature cannot be used to verify the integrity and authenticity of the "redacted" document anymore. Hence, the receiver of this redacted document needs to fully trust the content of the document. In this paper we propose a novel concept to solve the aforementioned problem. It is based on so-called redactable signatures, which were recently introduced, and allow parties to remove certain parts of a document while preserving the property of verifiability. However, when dealing with documents based on the clinical document architecture (CDA), all existing redactable signatures fail to be really practical. To overcome the problems and shortcomings of existing redactable signatures we propose a novel concept of generalized redactable signatures which is especially applicable for structured documents, e.g. XML documents. Additionally, we will show that our solution can be used to sign partial information of CDA documents, which cannot be realized efficiently with existing solutions (e.g. XML signatures), when the redacted information can be chosen arbitrarily. Finally, the proposed concept provides a solution to an unsolved problem in the context of secure eHealth architectures that are based on anonymization.
Keywords :
XML; digital signatures; medical administrative data processing; XML documents; XML signatures; clinical document architecture; digital medical documents; digital signatures; generalized redactable signatures; medical treatment processes; signed CDA documents; verifiable partial information; Clinical diagnosis; Digital signatures; Information security; Information technology; Law; Legal factors; Medical services; Medical treatment; Privacy; XML;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
e-Health Networking, Applications and Services, 2009. Healthcom 2009. 11th International Conference on
Conference_Location :
Sydney, NSW
Print_ISBN :
978-1-4244-5013-8
Electronic_ISBN :
978-1-4244-5014-5
Type :
conf
DOI :
10.1109/HEALTH.2009.5406190
Filename :
5406190