Compliance with HIPAA and GDPR in blockchain-based electronic health record
Mohammed Shuaib a,b, Shadab Alam b,*, Mohammad Shabbir Alam b, Mohammad Shahnawaz Nasir b
a Razak Faculty of Technology and Informatics, Universiti Teknologi Malaysia, Malaysia
b Department of Computer Science, College of C.S. & IT, Jazan University, Jazan, Saudi Arabia
Article info
Article history: Available online xxxx
Keywords: EHR; HIPAA; GDPR; Privacy; Blockchain
Abstract
A massive amount of clinical data is generated daily. Advances in ICT have enabled healthcare providers to store these data digitally as Electronic Health Records (EHR). These records are shared with various stakeholders, such as doctors, nursing staff, and healthcare providers. They are also accessible to government agencies, pharmacies, laboratories and insurance agencies, with consent or sometimes without it. The personal health details recorded in EHR systems are sensitive information and can cause financial, social, and health harm if leaked. Blockchain technology has emerged as an immutable and reliable ledger that can maintain anonymity and immutability in EHR systems. Many regional and international regulations guide the safety and privacy of sensitive health records; prominent among them are the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR). This paper analyses the compliance of blockchain-based EHR systems with HIPAA and GDPR and identifies further areas of improvement.
© 2021 Elsevier Ltd. All rights reserved.
Selection and peer-review under responsibility of the scientific committee of the International Virtual Conference on Sustainable Materials (IVCSM-2k20).
1. Introduction
Clinical information is produced by routine patient clinical testing. These services are typically performed in pathology labs, hospitals, or clinics through different tests and radiology reports. These instruments generate large amounts of clinical data worldwide, and their volumes are growing exponentially; clinical data is projected to rise sharply [1]. Clinical data produced in routine clinical tests is stored in a paper-based format in most developing countries. Medical professionals follow this practice because it is easy and does not need advanced ICT knowledge. However, keeping paper-based patient information is not helpful for patients and cannot offer reliable and timely health care. Other problems related to paper-based medical records are:
1. Records may be modified easily and are prone to loss, which is a serious problem.
2. Healthcare professionals may prescribe incorrect medicines (due to changes in paper-based medical records) or may fail to recommend the correct medications during patient visits without a proper history of records.
3. It is not always possible for a patient to bring cumbersome paper health records for discussion with the doctor during appointments, or to explain their medical history if the doctor or hospital changes.
4. Updating and analysing paper records is a lengthy process for new doctors or medical personnel when a patient changes hospital or doctor.
Health organisations use procedures to digitise medical records to solve the problems described above [2]. Currently, patient clinical data are kept as EHR. An EHR is a computerised health record of a patient containing complete patient information and treatment records in a design (described in Fig. 1) that can easily be shared or retrieved by various health care providers via other linked sites as required [3].
The use of EHR has many advantages over the conventional paper-based mechanism. For instance:
https://doi.org/10.1016/j.matpr.2021.03.059
* Corresponding author. E-mail address: s4shadab@gmail.com (S. Alam).
Materials Today: Proceedings xxx (xxxx) xxx. Journal homepage: www.elsevier.com/locate/matpr
1. EHR can store structured, encrypted and detailed patient health history [4].
2. EHR provides a base for medical decision support systems (DSS) to regularly monitor the patient's health status and enhance healthcare quality [5]. A DSS facilitates decision-making by automating data analysis [6].
3. EHR acts as centralised storage for tracking and billing patients, maintaining quality and facilitating patient-sensitive decision making.
4. Records stored in EHRs can readily be used by different collaborating parties at different locations, supplying data to interested physicians across multiple locations to provide efficient and quality health facilities.
5. EHR decreases the risk of medical data processing errors by storing full medical records, thereby reducing healthcare costs [7].
With the advantages of using EHR in healthcare, various specific issues are also identified. The most pertinent issue is record security and the privacy of the patient. If EHR data is accessed in an unauthorised way, it can be dangerously misused, for example through drug or treatment changes that are unsafe for patients, and can result in serious harm or patient death [8]. Therefore, it is necessary to protect patient information in the central database from falling into the wrong hands. Patient information may also be stolen when transmitted across the network to other networks or when stored on distributed cloud servers [9–11].
EHR can also be used for various secondary purposes such as clinical studies, health insurance, clinical audit, and government decision-making support. Additionally, it can be used for prevention campaigns, national standards audits, national forecasts, future service planning, resource allocation, etc. [12]. Patients may not wish to disclose their health information for such purposes; they share their personal health data for treatment and not for other secondary uses. The use of patients' personal data for various secondary activities without their consent would significantly disturb patient privacy.
To protect patient privacy, different regions follow different privacy standards, such as GDPR in Europe [10] and HIPAA in the United States [13]. This paper reviews the HIPAA and GDPR privacy standards and identifies the challenges in providing data privacy for the growing volume of EHR information. The paper is organised as follows: Section II provides an outline of EHR and various EHR standards. Section III summarises the requirements for HIPAA and GDPR compliance. Section IV describes the proposed solutions for HIPAA and GDPR compliance in EHR. Finally, Section V concludes the paper.
2. Electronic health record (EHR) standards
The EHR data must be shared among various interconnected sites, such as dispensaries, hospitals, pharmacies, diagnostic labs etc., for effective use [14], as shown in Fig. 1. Sharing data at numerous locations ensures flexible and effective patient treatment by identifying essential needs such as care, support, safety, timeliness, and monitoring. It supports professionals (physicians, nurses, etc.) in making the right decisions based on symptoms [15–17]. Data accessibility is further improved if EHR data are connected to different clinical databases and clinical decision support systems (CDSS). A CDSS is an automatic medical data analysis platform that recommends further care interventions and generates warnings through data analysis predicting future conditions and trends. Physicians can thus make informed decisions easily and virtually [18].
Fig. 1. A conceptual overview of EHR systems.
EHR data sharing across multiple locations is complicated without a health information exchange and privacy standard. Healthcare providers encountered this problem when sharing EHR data among various DSSs, as there was no standard for privacy and for sharing health information. This is a key factor behind the low adoption rate of EHR in healthcare organisations, although the introduction of EHR in healthcare is very beneficial [19].
2.1. Health Level Seven (HL7) standard
In March 1987, the HL7 organisation was founded in the U.S. to provide accurate, common Hospital Information System (HIS) standards. This organisation defined the HL7 Clinical Document Architecture (HL7 CDA) as the communication standard for easy integration, exchange, sharing and retrieval of information across various health information systems. HL7 enables various healthcare institutions to share patient data through encrypted data exchange. It offers an information syntax for various health information systems to conveniently exchange information using EHR [20].
HL7 CDA describes the structure and syntax of EHR data elements, such as discharge files, registration summaries, progress reports and procedures, and shares them with different stakeholders. HL7 CDA clinical data is encoded in XML and exchanged via HL7 messages and other transfer solutions.
2.2. Fast Healthcare Interoperability Resources (FHIR)
HL7 has published periodic versions to enhance interoperability and knowledge sharing. Version 2 of HL7 was published in 1988 to improve and streamline the information-sharing mechanisms and procedures that a large hospital can use [21]. However, this version exposed numerous shortcomings, such as a complicated creation process and inadequate capability for recognising communication and interface techniques [22]. Version 2 was planned in 1995 to fix these shortcomings. HL7 version 3 fixed several of the drawbacks of earlier versions but failed to solve the incompatibility problem due to its various sub-versions [23]. This created a new requirement for interoperability, i.e. to develop the HL7 specifications further. In 2011, HL7 introduced Fast Healthcare Interoperability Resources (FHIR) [24]. FHIR standards are essential for adaptability, scalability and robust design. Such standards enable workflows on small devices such as mobile phones [13].
3. Prevalent data protection regulations and their challenges
Authorities have enforced data protection regulations in certain parts of the world to secure personal health records from various security threats and attacks. The most prevalent data protection regulations are the GDPR [25] and HIPAA [13].
In this paper, we critically review these regulations, including how they preserve patient privacy and enforce data security. The GDPR came into force in all E.U. countries on May 26, 2018, replacing the previous Data Protection Directive of 1995 [26]. GDPR is a regulation that became E.U. law and must be followed by all E.U. members. This integration of E.U. law covers all personal information, including health data, that is stored, exchanged and used. The handling of E.U. citizens' health data is likely to bring both costs and benefits to healthcare practitioners and health analysts.
3.1. General provisions of the GDPR
The GDPR defines "personal data" as all information relating to a "data subject" that can identify an individual. In principle, GDPR applies to all "controllers" and "processors" dealing with such personal data irrespective of their location [27,28]. The legal duties of controllers and processors are similar, but the controller has primary access to the sensitive data of data subjects [26].
Where processing depends on consent, the user should be able to withdraw consent at any moment, and doing so should be as simple as giving consent. Controllers are responsible for proving consent. Parental consent is generally required for underage subjects [29].
GDPR gives individuals many significant rights, including:
the right to know what data is collected;
the right to access information;
the right to data portability;
the right to object to storage;
the right to rectify incorrect data;
the highly controversial (particularly in the context of the right to free speech) "right to be forgotten" when data no longer needs to be preserved.
E.U. Data Protection Authorities may fine offenders up to 4% of gross revenue, and individuals have private rights of action against controllers and processors [30,31].
3.2. Applying GDPR in healthcare
GDPR sets many criteria for health data and scientific study. Overall, data collection, use, and transmission for health and scientific purposes are becoming more regulated, tightening the patchwork of rules under the DPD. The specific rules are complex and typically more burdensome than previous laws. Specific rules apply to health and personal genetic data, which are deemed "sensitive". Many specific guidelines and conditions need to be followed before processing any such information [32]. The conditions include that "explicit" consent has been granted by the data subject, or that one of the following applies:
securing data for a patient unable to give consent, such as an unconscious patient in a medical emergency;
when it is essential to offer health care, as when one doctor needs data from another doctor or healthcare provider;
to address public health needs, such as protection from cross-border health threats or preserving health safety.
4. Health Insurance Portability and Accountability Act (HIPAA)
4.1. General provisions of HIPAA
HIPAA regulates the use and disclosure of protected health information (PHI) in the U.S. HIPAA describes PHI as information about a person's mental or physical health. HIPAA applies only to a subset of organisations, namely health care plans and health care payment systems (the covered entities) and their business associates. HIPAA requires covered organisations and their associates to provide security and privacy for PHI. Generally, covered organisations and business associates cannot disclose or use PHI without prior patient approval unless an exception exists [33]. HIPAA provides reasonably broad exemptions to this general rule [34,35].
4.2. Applying HIPAA in healthcare
HIPAA also regulates the use of PHI for research purposes. Researchers can acquire, create, use or disclose PHI during research. However, the underlying data typically sit with covered organisations rather than with the researchers [36]. The covered organisations must either have the patient's permission to reveal such information for research work, or have recorded approval from the Institutional Review Board (IRB) or the Privacy Board to disclose such information to researchers without patient permission [37].
Since IRB endorsement of a waiver of patient authorisation can be a complex process, most researchers opt for patient authorisation if the patient agrees to the study. Covered organisations can also provide information [38].
5. Requirements for HIPAA and GDPR compliance solutions
The collection and use of health data solely in the USA for research, medical or other related purposes remains controlled by HIPAA (and in some cases applicable state law) and is not affected by GDPR. However, the GDPR must be complied with in every "processing" operation, such as collection, use or retention, of personal information identifying an individual in the E.U. Similarly, entities which obtain health data from EU-based individuals will have to meet strict GDPR requirements whatever the purpose. Organisations that transfer U.S. health-related data to the European Union must comply with both rules.
Despite conceptual parallels and some similarities, such as excluding anonymous data from their scope, HIPAA and the Common Law standards on the one hand and GDPR on the other are not equivalent. Consequently, compliance with one cannot be assumed to ensure complete conformity with the other in a healthcare system. There are some main functional differences:
1. Institutional Review Board (IRB) approval does not guarantee that GDPR consent provisions have been complied with. IRB approvals are carried out separately. Nevertheless, GDPR demands will seldom be waived; consent-based processing of health data involving an institution in the E.U. must start from the GDPR requirements and ensure that the U.S. informed consent records meet that standard.
2. The rights of E.U. GDPR data subjects go well beyond the standard of an informed U.S. consent agreement, for example GDPR access, correction and erasure rights. Organisations gathering or otherwise processing E.U. data should first become familiar with these rights. Again, U.S. IRB approval and compliance may be insufficient.
3. The GDPR one-stop-shop rule simplifies matters in almost every case. It also imposes conditions that cannot be ignored, including the naming of a representative to the chosen E.U. country's data protection authority.
4. The transfer of data from E.U. members to U.S.-based members is often the most complex part. The guidelines are precise and normally uncompromising, but transfer is possible, mainly by consensus, so this is a distinct problem that needs to be tackled in every international health data project design process.
6. Proposed HIPAA and GDPR compliance solution for healthcare
HIPAA and GDPR also require effective technical measures, namely pseudonymisation and encryption, to secure health data. These are not easy to implement correctly and require extensive development resources. Fig. 2 shows the HIPAA and GDPR compliance requirements for healthcare.
1. The technological requirements remain the organisation's responsibility. Further measures, such as adequate encryption and audit records, are required; this is a level of security that has to be added on top of AWS, Azure, etc. These requirements, however, are difficult to implement and ultimately require a professional development team.
2. The organisation's cloud provider typically manages firewalls, load balancers, etc., but these still have to be configured properly.
3. Administrative requirements can be allocated to attorneys, but they still cannot complete documents such as DPIAs or BAAs on their own.
6.1. Encryption
Data encryption protects data using cryptography. There are various encryption methods, and many cloud providers also offer encryption. However, that alone is not enough for GDPR or HIPAA. Health data can be displayed or processed by individuals using application-level encryption, and end-to-end encryption could be useful for securing physician-patient conversations.
Data can be encrypted in many ways, but three approaches are suitable for health data. None of the cloud providers offers these methods by default.
1. Encryption at the database level: the whole database is encrypted as a unit. This solution is not very safe, since once the single key is available the whole database can be opened immediately.
2. Application-level encryption: each patient record is encrypted individually. This is a better choice than database-level encryption, as every key unlocks only one record.
3. End-to-end (E2E) encryption: records are encrypted on the end device using private keys. It is a safe approach if you do not need access to the data on the backend.
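As an added example (not code from the paper or any project it cites), the following Go program implements the application-level scheme of item 2: each constructed record is sealed under its own AES-256-GCM key with the record identifier bound as associated data, and CrossKeyIsolation checks that one record's key cannot open another. The record IDs, plaintexts and in-memory key handling are assumptions; a deployment would hold the per-record keys in a key store or KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedRecord is one patient record sealed under its own data key. The nonce
// travels with the ciphertext; the key lives in a separate key store or KMS.
type EncryptedRecord struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewRecordKey generates a fresh 256-bit AES key for exactly one record.
func NewRecordKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord seals plaintext with AES-256-GCM under the record's own key.
// recordID is bound as additional authenticated data, so a ciphertext cannot be
// silently moved to another patient's row without failing authentication.
func EncryptRecord(key []byte, recordID string, plaintext []byte) (EncryptedRecord, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return EncryptedRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedRecord{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(recordID))
	return EncryptedRecord{Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptRecord opens a record. A wrong key, a tampered ciphertext or a
// mismatched recordID all fail the GCM tag check and return an error.
func DecryptRecord(key []byte, recordID string, rec EncryptedRecord) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(recordID))
	if err != nil {
		return nil, errors.New("record authentication failed: wrong key, wrong record id or tampering")
	}
	return pt, nil
}

// CrossKeyIsolation encrypts two constructed records under two different keys
// and reports whether each key opens only its own record: the property that
// separates application-level encryption from one database-wide key.
func CrossKeyIsolation() (bool, error) {
	k1, err1 := NewRecordKey()
	k2, err2 := NewRecordKey()
	if err1 != nil || err2 != nil {
		return false, errors.New("key generation failed")
	}
	r1, err1 := EncryptRecord(k1, "patient-0001", []byte("BP 120/80, HbA1c 5.4%"))
	r2, err2 := EncryptRecord(k2, "patient-0002", []byte("BP 150/95, HbA1c 8.1%"))
	if err1 != nil || err2 != nil {
		return false, errors.New("encryption failed")
	}
	_, own1 := DecryptRecord(k1, "patient-0001", r1)
	_, own2 := DecryptRecord(k2, "patient-0002", r2)
	_, cross := DecryptRecord(k1, "patient-0002", r2) // k1 must not open record 2
	return own1 == nil && own2 == nil && cross != nil, nil
}

func main() {
	ok, err := CrossKeyIsolation()
	if err != nil {
		panic(err)
	}
	fmt.Println("per-record keys isolate records:", ok)
}
```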
6.2. Pseudonymisation
Pseudonymisation is the process of replacing all personal data (or personally identifiable information) with random pseudonyms. The mapping between pseudonyms and data must be stored securely and separately. The key advantage of pseudonymisation is that sensitive data (e.g. health data) can be stored in an easily accessible location, so new applications using this data can be created easily. It is important to note that GDPR still considers such data personal data, as indirect identifiers can re-identify a user.
Pseudonymisation can be used when data must be stored securely but still remain available (e.g., for searching). It is recognised as a secure technique under GDPR and HIPAA.
How pseudonymisation works in health care is explained below.
1. Initial patient health record: full details in the original form.
2. Separate health records from personal data: the personal information of each patient is extracted from their health records and stored elsewhere.
3. Randomly generate pseudonyms: a unique identification code is created to link the two parts.
4. Keep a pseudonym for each health record: personal information and health records are stored with the same identification code.
6.3. Anonymisation
Anonymisation requires the complete deletion of personal data and then processing the remaining data to remove indirect identifiers. The goal is to ensure that the remaining data cannot be re-identified to a person. The standard anonymisation strategies are generalisation, perturbation and aggregation. Proper anonymisation is extremely difficult, as Netflix discovered in early 2008. The problem is that the required treatment differs depending on how distinctive the data is. For example, if you have a group of 20 patients but only one is over 50, rounding the ages to the nearest whole number is ineffective. Significant research has been carried out on methods to ensure anonymous data, e.g. k-anonymity.
Anonymised data is not covered by privacy laws, and such analytical data may be used or shared with others. But proper anonymisation is difficult.
How anonymisation works in health care is explained below.
1. Numerous initial health records: the original full data in the original format.
2. Personal identifiers are effectively destroyed: direct personal data is deleted and cannot be recovered later.
3. Health data are modified to avoid re-identification: this can be achieved in several different ways, through masking, random sampling, generalisation and noise addition.
4. Analysis-ready data: data can be studied or transmitted without the risk of identifying patients.
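The two walk-throughs above (Sections 6.2 and 6.3), as one added Go example that is not the paper's code: Pseudonymise performs steps 1 to 4 of the pseudonymisation procedure on constructed records, splitting identities into a separate mapping keyed by a random pseudonym, and Anonymise applies the generalisation step of Section 6.3 with suppression of age bands smaller than k, reproducing the paper's case of 20 patients with one over 50. All patient data, the band widths and k = 2 are constructed assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Record is a constructed patient record in its original form (pseudonymisation step 1).
type Record struct {
	Name, SSN, Diagnosis string
	Age                  int
}

// Identity goes to the separate mapping store (step 2); HealthRecord stays in the working store (step 4).
type Identity struct{ Name, SSN string }
type HealthRecord struct {
	Pseudonym, Diagnosis string
	Age                  int
}

// newPseudonym draws 128 random bits (step 3): random, not a hash of the SSN,
// because a deterministic pseudonym can be re-derived by enumerating inputs.
func newPseudonym() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// Pseudonymise splits records into a health table and an identity mapping.
// While the mapping exists, GDPR still treats the health table as personal data.
func Pseudonymise(in []Record) ([]HealthRecord, map[string]Identity, error) {
	health := make([]HealthRecord, 0, len(in))
	mapping := make(map[string]Identity, len(in))
	for _, r := range in {
		p, err := newPseudonym()
		if err != nil {
			return nil, nil, err
		}
		health = append(health, HealthRecord{Pseudonym: p, Age: r.Age, Diagnosis: r.Diagnosis})
		mapping[p] = Identity{Name: r.Name, SSN: r.SSN}
	}
	return health, mapping, nil
}

// AgeBand generalises an exact age to a band of the given width (anonymisation
// step 3). Width 1 is the "round to the nearest whole number" non-measure.
func AgeBand(age, width int) string {
	lo := (age / width) * width
	return fmt.Sprintf("%d-%d", lo, lo+width-1)
}

type AnonRow struct{ AgeBand, Diagnosis string } // analysis-ready row (step 4)

// Anonymise generalises ages and suppresses every band with fewer than k rows,
// so the result is k-anonymous on age. It also returns how many rows it dropped.
func Anonymise(health []HealthRecord, width, k int) ([]AnonRow, int) {
	counts := map[string]int{}
	for _, h := range health {
		counts[AgeBand(h.Age, width)]++
	}
	out, suppressed := make([]AnonRow, 0, len(health)), 0
	for _, h := range health {
		band := AgeBand(h.Age, width)
		if counts[band] < k {
			suppressed++
			continue
		}
		out = append(out, AnonRow{AgeBand: band, Diagnosis: h.Diagnosis})
	}
	return out, suppressed
}

// SampleRecords is the paper's scenario with constructed data: 20 patients, one over 50.
func SampleRecords() []Record {
	recs := make([]Record, 0, 20)
	for i := 0; i < 19; i++ {
		recs = append(recs, Record{Name: fmt.Sprintf("Patient %02d", i),
			SSN: fmt.Sprintf("000-00-%04d", i), Age: 30 + i, Diagnosis: "hypertension"})
	}
	return append(recs, Record{Name: "Patient 19", SSN: "000-00-0019", Age: 67, Diagnosis: "diabetes"})
}

func main() {
	health, _, err := Pseudonymise(SampleRecords())
	if err != nil {
		panic(err)
	}
	for _, width := range []int{10, 40} { // 10-year bands isolate the outlier; 40-year bands do not
		rows, dropped := Anonymise(health, width, 2)
		fmt.Printf("band width %d: %d rows published, %d suppressed\n", width, len(rows), dropped)
	}
}
```

With 10-year bands the 67-year-old sits alone in "60-69" and is suppressed at k = 2; 40-year bands publish all 20 rows but collapse the ages into two coarse groups, which is the utility cost the paper alludes to.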
7. Conclusion
EHR systems store essential and sensitive health information that needs secure and privacy-preserving solutions. Blockchain-based EHR systems are a possible solution to fulfil these needs. The GDPR and HIPAA regulations provide guiding principles for privacy and security, but implementing them in EHR systems is difficult. This paper has reviewed the compliance of blockchain-based EHR systems with GDPR and HIPAA requirements. Blockchain-based EHR systems support encrypted, pseudonymised and anonymised record storage, which is essential for GDPR and HIPAA compliance. Hence it is ascertained that these systems can comply with the GDPR and HIPAA guidelines if they follow the described physical, technical and administrative requirements.
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
References
[1] P.K.D. Pramanik, S. Pal, M. Mukhopadhyay, "Healthcare Big Data," in: igi-global.com, 2018, pp. 72–100.
[2] Ben-Assuli, "Electronic health records, adoption, quality of care, legal and privacy issues and their implementation in emergency departments," Health Policy (New York) 119 (3) (2015) 287–297, https://doi.org/10.1016/j.healthpol.2014.11.014.
[3] C. Spiranovic, A. Matthews, J. Scanlan, K.C. Kirkby, Increasing knowledge of mental illness through secondary research of electronic health records: opportunities and challenges, Adv. Ment. Heal. 14 (1) (2016) 14–25, https://doi.org/10.1080/18387357.2015.1063635.
[4] D.F. Lobach, D.E. Detmer, Research challenges for electronic health records, Am. J. Prev. Med. 32 (5) (2007) S104–S111, https://doi.org/10.1016/j.amepre.2007.01.018.
[5] P.J. O'Connor, J.M. Sperl-Hillen, W.A. Rush, P.E. Johnson, G.H. Amundson, S.E. Asche, H.L. Ekstrom, T.P. Gilmer, Impact of electronic health record clinical decision support on diabetes care: a randomized trial, Ann. Fam. Med. 9 (1) (2011) 12–21, https://doi.org/10.1370/afm.1196.
[6] A. Temko, W. Marnane, G. Boylan, G. Lightbody, Clinical implementation of a neonatal seizure detection algorithm, Decis. Support Syst. 70 (2015) 86–96, https://doi.org/10.1016/j.dss.2014.12.006.
[7] N. Menachemi, Collum, "Benefits and drawbacks of electronic health record systems," Risk Manag. Healthc. Policy 4 (2011) 47, https://doi.org/10.2147/RMHP.S12985.
[8] J. Wang, Z. Zhang, K. Xu, Y. Yin, P. Guo, "A research on security and privacy issues for patient related data in medical organization system," Int. J. Secur. its Appl. 7 (4) (2013) 287–298, accessed Jan. 22, 2021, https://pdfs.semanticscholar.org/205b/a04d17ace6f175c744a8163adae4ba7633ed.pdf.
[9] M. Shuaib, S. Alam, S. Mohd, S. Ahmad, "Blockchain-Based Initiatives in Social Security Sector," in: EAI 2nd International Conference on ICT for Digital, Smart, and Sustainable Development (ICIDSSD), 2020, p. 8.
[10] M. Shuaib, S.M. Daud, S. Alam, W.Z. Khan, Blockchain-based framework for secure and reliable land registry system, TELKOMNIKA Telecommunication Comput. Electron. Control. 18 (5) (2020) 2560, https://doi.org/10.12928/telkomnika.v18i5.15787.
[11] M. Shuaib, S. Alam, S.M. Daud, Improving the Authenticity of Real Estate Land Transaction Data Using Blockchain-Based Security Scheme, Springer, Singapore, 2021, pp. 3–10.
[12] S. Teasdale, D. Bates, K. Kmetik, J. Suzewits, M. Bainbridge, Secondary uses of clinical data in primary care, J. Innov. Heal. Informatics 15 (3) (2007) 157–166, https://doi.org/10.14236/jhi.v15i3.654.
[13] R.M. Caplan, HIPAA. Health Insurance Portability and Accountability Act of 1996, Dent. Assist. 72 (2) (2003) 6–8, https://doi.org/10.4135/9781452234243.n359.
[14] K. Häyrinen, K. Saranto, P. Nykänen, Definition, structure, content, use and impacts of electronic health records: a review of the research literature, Int. J. Medical Inf. 77 (5) (2008) 291–304, https://doi.org/10.1016/j.ijmedinf.2007.09.001.
[15] S. Alam, S.T. Siddiqui, A. Ahmad, R. Ahmad, M. Shuaib, "Internet of Things (IoT) Enabling Technologies, Requirements, and Security Challenges," in: Lecture Notes in Networks and Systems, vol. 94, 2020, pp. 119–126.
[16] S.T. Siddiqui, M. Shuaib, B. Mohammad Ubaidullah, "Web Based Requirements Management Tools for Software Development: A Study," Proc. 12th INDIACom; INDIACom-2018; IEEE, no. February 2019, pp. 10–15, 2018.
[17] M. Shuaib, A. Samad, S. Alam, S.T. Siddiqui, "Why Adopting Cloud Is Still a Challenge?—A Review on Issues and Challenges for Cloud Migration in Organizations," in: Advances in Intelligent Systems and Computing, vol. 904, 2019, pp. 387–399.
[18] C. Castaneda, K. Nalley, C. Mannion, P. Bhattacharyya, P. Blake, A. Pecora, A. Goy, K.S. Suh, Clinical decision support systems for improving diagnostic accuracy and achieving precision medicine, J. Clin. Bioinforma 5 (1) (2015), https://doi.org/10.1186/s13336-015-0019-3.
[19] A. Boonstra, M. Broekhuis, Barriers to the acceptance of electronic medical records by physicians from systematic review to taxonomy and interventions, BMC Health Serv. Res. 10 (1) (2010) 231, https://doi.org/10.1186/1472-6963-10-231.
[20] K.R. Simpson, Electronic health records, MCN Am. J. Matern. Nurs. 40 (1) (2015) 68, https://doi.org/10.1097/NMC.0000000000000089.
[21] T. Benson, G. Grieve, "The Health Information Revolution," 2021, pp. 3–19.
[22] G.W. Beeler, "HL7 Version 3—An object-oriented methodology for collaborative standards development. Presented at the International Medical Informatics Association Working Group 16 Conference on Standardisation in Medical Informatics—Towards International Consensus and C," Int. J. Med. Inform. 48 (1–3) (1998) 151–161, https://doi.org/10.1016/S1386-5056(97)00121-4.
[23] T. Al-Enazi, S. El-Masri, HL7 engine module for healthcare information systems, J. Med. Syst. 37 (6) (2013) 9986, https://doi.org/10.1007/s10916-013-9986-8.
Fig. 2. Requirement of HIPAA and GDPR compliance in healthcare [39].
[24] D. Bender, K. Sartipi, HL7 FHIR: An agile and RESTful approach to healthcare information exchange, in: Proceedings of CBMS 2013, 26th IEEE International Symposium on Computer-Based Medical Systems, 2013, pp. 326–331, https://doi.org/10.1109/CBMS.2013.6627810.
[25] C.F. Mondschein, C. Monda, The EU's General Data Protection Regulation (GDPR) in a research context, in: Fundamentals of Clinical Data Science, Springer International Publishing, Cham, 2018, pp. 55–71.
[26] E. Politou, A. Michota, E. Alepis, M. Pocs, C. Patsakis, Backups and the right to be forgotten in the GDPR: an uneasy relationship, Comput. Law Secur. Rev. 34 (6) (2018) 1247–1257, https://doi.org/10.1016/j.clsr.2018.08.006.
[27] M. Goddard, The EU General Data Protection Regulation (GDPR): European Regulation that has a Global Impact, Int. J. Mark. Res. 59 (6) (2017) 703–705, https://doi.org/10.2501/IJMR-2017-050.
[28] M.J. Taylor, M. Prictor, Insight or intrusion? Correlating routinely collected employee data with health risk, Soc. Sci. 8 (10) (2019) 291, https://doi.org/10.3390/socsci8100291.
[29] C. Tankard, What the GDPR means for businesses, Netw. Secur. 2016 (6) (2016) 5–8, https://doi.org/10.1016/S1353-4858(16)30056-3.
[30] P. Voigt, A. von dem Bussche, Scope of Application of the GDPR, in: P. Voigt, A. von dem Bussche (Eds.), The EU General Data Protection Regulation (GDPR), Springer International Publishing, Cham, 2017, pp. 9–30, https://doi.org/10.1007/978-3-319-57959-7_2.
[31] I.S. Rubinstein, Big data: the end of privacy or a new beginning?, Int. Data Priv. Law 3 (2) (2013) 74–87, https://doi.org/10.1093/idpl/ips036.
[32] C. Tikkinen-Piri, A. Rohunen, J. Markkula, EU General Data Protection Regulation: changes and implications for personal data collecting companies, Comput. Law Secur. Rev. 34 (1) (2018) 134–153, https://doi.org/10.1016/j.clsr.2017.05.015.
[33] N. Yaraghi, R.D. Gopal, "The Role of HIPAA Omnibus Rules in Reducing the Frequency of Medical Data Breaches: Insights From an Empirical Study," Milbank Q. 96 (1) (2018) 144–166, https://doi.org/10.1111/1468-0009.12314.
[34] W. Moore, S. Frye, "Review of HIPAA, Part 1: History, protected health information, and privacy and security rules," J. Nucl. Med. Technol. 47 (4) (2019) 269–272, https://doi.org/10.2967/JNMT.119.227819.
[35] C.J. Wang, D.J. Huang, The HIPAA Conundrum in the Era of Mobile Health and Communications, JAMA 310 (11) (2013) 1121, https://doi.org/10.1001/jama.2013.219869.
[36] C.T. Lye, H.P. Forman, J.G. Daniel, H.M. Krumholz, The 21st Century Cures Act and electronic health records one year later: will patients see the benefits?, J. Am. Med. Informatics Assoc. 25 (9) (2018) 1218–1220, https://doi.org/10.1093/jamia/ocy065.
[37] D. Mohammed, "U.S. Healthcare Industry: Cybersecurity Regulatory and Compliance Issues," J. Res. Business, Econ. Manag. 9 (5) (2017) 1771–1776, accessed Jan. 22, 2021, https://core.ac.uk/download/pdf/267833341.pdf.
[38] S.M. Ahmed, A. Rajput, Threats to patients' privacy in smart healthcare environment, in: Innovation in Health Informatics, Elsevier, 2020, pp. 375–393.
[39] Chino.io, "GDPR and HIPAA Compliance for health applications," Oct. 01, 2020, https://www.chino.io/compliance/gdpr-hipaa-health-application-compliance (accessed Jan. 18, 2021).