February 11 – 14, 2009, Dagstuhl Seminar 09073

Model-Based Design of Trustworthy Health Information Systems


Ruth Breu (Universität Innsbruck, AT)
John C. Mitchell (Stanford University, US)
Janos Sztipanovits (Vanderbilt University, US)
Alfred Winter (Universität Leipzig, DE)



New technologies for Health Information Systems (HIS) offer a revolutionary new way for patients and healthcare providers to interact. Although healthcare, like other information-intensive industries, has developed and deployed standards-based, secure information infrastructures, it is still dependent upon paper records and fragmented, error-prone approaches to service delivery. Thus healthcare has been characterized as a ‘trillion dollar cottage industry’. One of the main concerns is security and privacy, which need to be organically integrated into HIS architectures. Widely cited reports of the U.S. Institute of Medicine and National Research Council have documented weaknesses in information security related to healthcare, the costs and impact of medical errors (a substantial proportion of which involve a component of information mismanagement), the lack of a systems approach to complex, team-oriented interdisciplinary care, and the unrealized potential of using the Internet to improve the quality and availability of healthcare services.

How can Health Information Systems help?

Complementing the recognition of the weaknesses are three major drivers that push the healthcare industry towards radical change: (1) the dramatic increase of genetic information and the opening opportunity to provide personalized healthcare, (2) the economic pressures to move healthcare from institutions toward homes, and (3) the rapidly increasing use of the Internet and information appliances in society. This fundamental change will be enabled by advanced information technology, including ubiquitous communication and sensing, and extensive use of web portals as a central point of access for communication and documentation of health care efficiency. Quality of patient specificity will be achieved via extensive use of clinical decision support systems combined with automated event monitors.

What are the key challenges?

HIS shall support patients as well as doctors, nurses, paramedical staff and other health care providers in diagnosing, treating and supporting patients. Health care is not only a health issue but also a life-and-death issue. In this existential situation patients have to trust caregivers, and both patients and caregivers depend on the trustworthiness of the information systems used. Not only the highly delicate relation between caregivers and patients but also the data related to this situation need particular protection from misuse. Unfortunately, privacy and security requirements are frequently expressed in vague, contradictory and complex laws and regulations; this is a major concern that requires new approaches in systems design. Trustworthy HIS need to provide effective, high-quality support for delivering the best care for patients without compromising their privacy, security and safety.

How to solve these challenges?

End-to-end architecture modeling integrated with privacy and security models offers new opportunities for system designers and end users. Model-based approaches to HIS are investigated extensively in Europe and in the US. While initial results show promise, many fundamental problems remain unsolved, such as the modeling of privacy and security policies and the verification of their consistency and of their compliance with requirements. HIS require new architectures that are sufficiently flexible to support personalized health care without causing harm and that can be adapted to changing policies.

Goals and Expected Results

The goal of this seminar was to help the computer science community understand the unique challenges of this field and to offer HIS developers insight into the state of the art in model-based design technologies. The objective was to understand the challenges and promising approaches in HIS design as the intersection of five major areas: health information systems, model-based software and systems design, reliability, security and privacy science, enterprise information systems and legal policy. The seminar combined presentations with discussions in groups and in the plenary.


  • Modelling / Simulation
  • Security / Cryptography
  • Sw-engineering
  • Interdisciplinary With Non-informatics-topic: Health Information Systems


  • Trustworthy systems
  • Health information systems
  • Model-based design
  • Security policies
  • Service oriented architecture

