February 11 – 14, 2009, Dagstuhl Seminar 09073

Model-Based Design of Trustworthy Health Information Systems


Ruth Breu (Universität Innsbruck, AT)
John C. Mitchell (Stanford University, US)
Janos Sztipanovits (Vanderbilt University, US)
Alfred Winter (Universität Leipzig, DE)

For information about this Dagstuhl Seminar, please contact

Dagstuhl Service Team


Dagstuhl Seminar Proceedings DROPS
Program of the Dagstuhl Seminar [pdf]



New technologies for Health Information Systems (HIS) offer a revolutionary new way for medical patients and healthcare providers to interact. Although healthcare, like other information-intensive industries, has developed and deployed standards-based, secure information infrastructures, it is still dependent upon paper records and fragmented, error-prone approaches to service delivery. Thus healthcare has been characterized as a ‘trillion dollar cottage industry’. One of the main concerns is security and privacy, which need to be organically integrated into HIS architectures. Widely cited reports of the U.S. Institute of Medicine and National Research Council have documented weaknesses in information security related to healthcare, the costs and impact of medical errors (a substantial proportion of which involve a component of information mismanagement), the lack of a systems approach to complex, team-oriented interdisciplinary care, and the unrealized potential of using the Internet to improve the quality and availability of healthcare services.

How can Health Information Systems help?

Complementing the recognition of the weaknesses are three major drivers that push the healthcare industry towards radical change: (1) the dramatic increase of genetic information and the opening opportunity to provide personalized healthcare, (2) the economic pressures to move healthcare from institutions toward homes, and (3) the rapidly increasing use of the Internet and information appliances in society. This fundamental change will be enabled by advanced information technology, including ubiquitous communication and sensing, extensive use of web portals as a central point of access for communication and documentation of health care efficiency. Quality of patient specificity will be achieved via extensive use of clinical decision support systems combined with automated event monitors.

What are the key challenges?

HIS shall support patients and also doctors, nurses, paramedicals and other health care providers in diagnosing, treating and supporting patients. Health care is not only a health but also a life and death issue. In this existential situation patients have to trust caregivers, and both patients and caregivers depend on the trustworthiness of the information systems used. Not only the highly delicate relation between caregivers and patients but also the data related to this situation need particular protection from misuse. Unfortunately, privacy and security requirements are frequently expressed in vague, contradictory and complex laws and regulations; this is a major concern that requires new approaches in systems design. Trustworthy HIS need to provide effective, high-quality support for providing the best care for patients, but without compromising their privacy, security and safety.

How to solve these challenges?

End-to-end architecture modeling integrated with privacy and security models offers new opportunities for system designers and end users. Model-based approaches to HIS are investigated extensively in Europe and in the US. While initial results show promise, many fundamental problems remain unsolved, such as the modeling of privacy and security policies and the verification of their consistency and compliance with requirements. HIS require new architectures that are sufficiently flexible to support personalized health care without causing harm and that can be adapted to changing policies.

Goals and Expected Results

The goal of this seminar was to help the computer science community understand the unique challenges of this field and to offer HIS developers insight into the state of the art in model-based design technologies. The objective was to understand the challenges and promising approaches in HIS design as the intersection of five major areas: health information systems, model-based software and systems design, reliability, security and privacy science, enterprise information systems and legal policy. The seminar combined presentations with discussions in groups and in the plenary.


  • Modelling / Simulation
  • Security / Cryptography
  • Sw-engineering
  • Interdisciplinary With Non-informatics-topic: Health Information Systems


  • Trustworthy systems
  • Health information systems
  • Model-based design
  • Security policies
  • Service oriented architecture

