Conference PaperPDF Available

SOK: Evaluating Privacy and Security Vulnerabilities of Patients’ Data in Healthcare

Authors:

Abstract and Figures

Interactions in the Healthcare systems, by necessity, involve sharing sensitive information that must be protected. Thus, to understand the existing privacy and security research conducted in the context of healthcare organizations, we conducted a systematic literature review of N=205 papers that examines the security and privacy of patient data. We found that current research focuses heavily on the technological solutions, which are presented to benefit large-scale medical facilities such as hospitals, but generally ignore the unique security challenges of smaller private practices which might not have the resources to protect patient data. Additionally, only 18 (<9%) papers have conducted user studies to understand the patient and staff's risk perception of healthcare data. We conclude by identifying research gaps and provide potential solutions to enable robust data security for sensitive patient data.
Content may be subject to copyright.
SOK: Evaluating Privacy and Security
Vulnerabilities of Patients’ Data in Healthcare
Faiza Tazi1[0000000197812694] , Josiah Dykstra2[0000000234552562] ,
Prashanth Rajivan3[000000018596085X], and Sanchari
Das1[0000000312997867]
1University of Denver, Denver CO 80208, USA {Faiza.Tazi,sandas}@du.edu
2Designer Security, LLC. Severn MD 21144, USA josiah@designersecurity.com
3University of Washington, Seattle WA, USA prajivan@uw.edu
Abstract. Interactions in healthcare systems, by necessity, involve shar-
ing sensitive information that must be protected. Thus, to understand
the existing privacy and security research conducted in the context of
healthcare organizations, we conducted a systematic literature review of
N= 205 papers that examine the security and privacy of patient data .
We found that current research focuses heavily on the technological solu-
tions, which are presented to benefit large-scale medical facilities such as
hospitals, but generally ignore the unique security challenges of smaller
private practices which might not have the resources to protect patient
data. Additionally, only 18 (<9%) papers have conducted user studies
to understand the patient and staff’s risk perception of healthcare data.
We conclude by identifying research gaps and provide potential solutions
to enable robust data security for sensitive patient data.
Keywords: Literature Review·Healthcare Data Privacy and Security.
1 Introduction
With increased digitization in the healthcare sector, privacy risks and security
concerns about data storage, access, and transfer among healthcare providers
and patients have subsequently increased as well [55,174]. Thus, information
security has become an ongoing challenge in the healthcare sector with critical
data breaches exposing sensitive records of millions of patients [10]. One such
major data breach occurred in 2015 when a phishing scam exploited the creden-
tials of five employees at Anthem, a health insurance organization, compromising
the Personally Identifiable Information (PII) of 80 million individuals [194]. Data
breaches in healthcare could occur for a variety of reasons, including a lack of em-
ployee awareness about data security, technological shortcomings, and the dearth
of technological implementations [53]. Despite the proliferation of data security
focused research in the community, the field lacks a comprehensive synthesis and
analysis of the body of healthcare privacy and security research especially from
the user 4perspective [14].
4Throughout this work, we will refer to all individuals with access and responsibility
for protecting healthcare data, including patients and healthcare workers, as users.
2 Tazi et al.
Towards this, we conducted a systematic literature review to provide a holis-
tic overview and a basis for the research undertaken in this area which has been
proven to be helpful in other domains [125]. We collected 2,903 research articles
on data security and privacy preservation in healthcare organizations. There-
after, we did a thematic analysis on a selected set of N= 205 papers. From the
N= 205 papers, we further discuss insights from n1 = 97 papers that focused
on the technological implementation. Finally, we present an in-depth analysis of
n2 = 18 papers that are focused on the human (user) factors. We found that the
majority of the security research done in healthcare focused on the technologies
with a severe lack of focus on understanding and improving the human factor
aspect. Furthermore, even among the work focused on technologies, we observed
a gap in the research with applications to private practice healthcare organiza-
tions. The disparity is noteworthy.
Our contributions through this work are as follows:
While other Systematizations of Knowledge (SoKs) have been published on
specific technologies related to healthcare, ours is among the first to perform
a systematic approach for structuring existing knowledge on security and
privacy in healthcare organizations.
In this SoK we make a holistic observation on security and privacy in health-
care and point out gaps that remain to protect patients’ health data.
To the best of our knowledge, our SoK is the first paper to focus on an
overview of privacy and security research of patient data from a human
perspective.
Our study concludes that the technological solutions are outpacing the foun-
dational analysis of the ways the healthcare workforce is using and defending
patient data today. Moreover, the existing research focuses on a narrow scope of
medical settings which neglects the large population of patients and healthcare
workers engaged in private healthcare practices.
2 Method
Our systematic literature review includes a corpus of 205 papers published till
February 14, 2021, collected from different digital libraries. The literature review
comprised of six steps: (i) database search, (ii) title screening, (iii) abstract
screening, (iv) full-text screening, (v) data extraction, and (vi) thematic analysis.
Inclusion Criteria: Papers were included if they were: (1) Published in a
peer-reviewed publication including journals and conferences; (2) Written and
available in English; and (3) Focused on the security and privacy of data in
healthcare organizations. We contacted publication venues and authors to obtain
papers that were not available for public access, and obtained all the papers in
our list.
Exclusion Criteria: Papers were excluded if: (1) Papers were presented as
a work-in-progress (posters, extended abstracts, etc.); (2) The content analysis
SOK: Evaluating Healthcare Privacy and Security 3
showed that the research was not directly related to patient/consumer health-
related data security and/or privacy in healthcare organizations; and (3) The
collected articles were part of patents or book chapters.
Figure 1 details all the steps carried out throughout this analysis.
Fig. 1. A Snapshot of the Data Collection, Screening, and Analysis Methodology Along
with the number of Papers Screened in Each Stage of the Literature Review.
2.1 Database and Keyword-Based Search
We conducted our search by exploring seven digital technology and medical
databases: ACM DL, Google Scholar, SSRN, ScienceDirect, IEEE Xplore, PubMed,
and MEDLINE. We specifically searched healthcare-focused journals in MED-
LINE but were not able to find any relevant papers based on our topic of research,
so we removed it from our database list. Our selection process was based on an
iterative evaluation. We started by defining appropriate keywords for our subject
matter. This was followed by filtering the results to meet our requirements. Sub-
sequently, a systematic analysis was conducted on the final collection of research
articles. This procedure was adapted from prior literature reviews by Stowell et
al. [185], Das et al. [51, 52], and other related works [139, 123, 127].
After the initial search to obtain the keywords we collected the papers through
a keyword-based search as mentioned above, using the Publish or Perish 5soft-
ware for retrieving articles from Google Scholar. Thereafter, we explored indi-
vidual digital libraries to collect papers relevant to this research. Boolean search
5https://harzing.com/resources/publish-or-perish
4 Tazi et al.
strings were developed for searching databases including up to 88 AND/OR oper-
ators and 17 NOT operators across the following keyword terms: Healthcare Data
Security, Healthcare Data Breach, Healthcare Data Theft, Medical Data Theft,
Medical Data Security, Medical Data Breach, Patient Data Security, Patient
Data Theft, and Patient Data Breach. Our initial database and keyword-based
search resulted in a total of 2903 papers.
2.2 Title Screening: Google Scholar
We noticed that every other digital library except Google Scholar has a limited
number of papers. Thus, we avoided title-based screening for these digital li-
braries. We conducted a title-based search with the above-mentioned keywords
in Google Scholar. We also removed any patents or citation options from Google
Scholar. In the title-based search we looked for the keywords in the title itself
to emphasize on the relevance, resulting in a total of 352 papers.
2.3 Duplicate and Work-in-Progress Removal
In the next phase, we conducted the step of duplicate removal. We removed 72
duplicate articles, which left us with 280 papers. We also removed any papers
which were a work in progress such as posters, extended abstracts, etc. We
screened out self-identified work-in-progress papers or reviewed the paper to see
if the papers were works-in-progress. Due to the varying nature of publication of
these works we could not demarcate the papers based on their page numbers with
an assumption that work-in-progress papers are short. However, we removed any
papers which were shorter than four pages. After this procedure, we were left
with a data set of 231 papers.
2.4 Abstract and Full-Text Screening
Each individual research paper was assessed to determine its relevance to the
topic of our research by reviewing the abstract and full-text. To do this, two
researchers trained in qualitative coding determined the relevance of the indi-
vidual papers to the research by analyzing the abstract and full-text. If there
were any discrepancies with determining the relevance to the research then a
third researcher was introduced to resolve the issue. Thus, 26 papers were ex-
cluded in this phase. After this screening, there remained a total of N= 205
papers on which we conducted our detailed thematic analysis [51].
2.5 Analysis
Our final set of data included a total of N= 205 papers on which we conducted
detailed analysis in two parts. First, a thematic analysis was conducted to eval-
uate specific aspects of the papers including technical applications and policies.
Thereafter, a detailed analysis of the user studies was conducted to understand
more about the user issues as per the goal of this work.
SOK: Evaluating Healthcare Privacy and Security 5
Themes No. of Papers
Technological Solutions 97 (47.32%)
Healthcare Frameworks 34 (16.58%)
User Studies 18 (8.78%)
Data Storage & Management 18 (8.78%)
Overviews 16 (7.80%)
Ethical and Legal Implications 10 (4.89%)
Case Studies - Data Breaches 6 (2.93%)
Systematic Literature Reviews 6 (2.93%)
Table 1. Distribution of the Number of Papers Based on the Thematic Analysis
Thematic Analysis: To perform a thematic analysis, we reviewed the ab-
stract, methods, results, discussion, and conclusion of the 205 collected papers
obtained from full-text screening. Two researchers evaluated this collection of
papers by first reviewing 20 randomly selected papers to generate the codebook.
The codebook consisted of 119 open codes which were themed into eight overar-
ching themes including: technological solutions proposed, evaluation of current
model with privacy frameworks, systematic literature reviews, evaluation of pa-
tient data focusing on the big data storage and management, ethical and legal
implications of research, author notes and overview of the current healthcare
practices to protect user data, case studies on particular incidents occurred as
in data breaches, and finally the user studies.
Table 1 shows the distribution of the papers as per the categorization of all
of the 205 papers. This can be further examined in Figure 2. Any paper that
included any form of user study, even if that was not the paper’s primary theme,
was marked in the user study category. This was specified given the user-focused
aspect of the paper. After conducting the first set of analysis, we performed
another set of thematic analysis to categorize the papers which studied tech-
nological solutions to address healthcare privacy and security challenges. Given
the large number of technical solution-focused papers, we have detailed them in
Table 2 to explore more on what type of technical solutions were proposed by
the prior works.
User Study Analysis: After the two phases of thematic analysis, we conducted
a detailed user study analysis where we focused on the n2 = 18 user studies.
We extracted the quantitative and qualitative findings to assess what user and
technical perspectives of the healthcare-focused research was conducted by the
prior studies. We have provided details of both the technical solutions analyzed
in this work and the user studies in the following section.
Out of the 18 user-focused studies, four were qualitative [99, 1, 24, 48], 12
were quantitative [170, 71, 69, 143, 177, 23, 49, 36, 162, 43, 140, 80], and two were
mixed-methods studies [28, 133]. The quantitative studies included works which
implemented nine survey-based studies [170, 71, 69, 143, 177, 23, 49, 162, 80], one
cross-sectional studies [36], one in-lab simulation-based study [43], and one ran-
domized control experiment [140]. For qualitative studies, they included three
6 Tazi et al.
Fig. 2. A Snapshot of the Themes Discussed Throughout the Analysis
interview-based studies [1, 24, 48] and one field-based research [99]. In the quali-
tative study, Baker et al. also performed observation evaluations on their studied
participants for the interview [24]. For mixed methods, there were two studies,
where one study which had a combination of online survey and did content
analysis [133], the second study did a semi-structured interview with 16 care
managers at 12 health centers in three states participated [28].
3 Findings and Discussions
As described earlier, we first started with the thematic analysis of the collected
papers where we found eight overarching themes. Thereafter, we detailed the
technical solutions provided by the papers, and finally performed a detailed
literature analysis on the small subset of user studies identified. In this section,
we will first provide details of the thematic analysis and thereafter, we will
provide details and evaluation of the user studies.
3.1 Thematic Analysis
For each of the 205 papers, we collected details about the methods, results, analy-
sis, discussion, and implications. Thereafter, we analyzed the data collected, and
categorized them into eight themes as shown in Table 1. For this we particu-
larly looked into the methods, results, and discussions of the mentioned papers.
We then performed a detailed analysis on the technical solutions and the user
studies, which will be discussed in the later subsections.
Technical Solutions Discussed: Nearly half of the collection, n1 = 97 (47.32%)
out of N= 205 papers, focused on proposing a technology-based solution for
the privacy and security issues of the healthcare sector. To understand further,
SOK: Evaluating Healthcare Privacy and Security 7
we classified the technical solutions proposed by the authors. Table 2 as well as
Figure 3 show the distribution of the papers based on the several types of tech-
nological solutions proposed by the authors to enhance the privacy and security
of the data transferred and accessed in the healthcare sector. Many of the papers
use a combination of the technical solutions, for example using cryptography for
authentication or using encryption to do image processing. However, here we
used mutually exclusive codes to focus on the primary solution proposed by the
paper after going through the full-text.
Themes No. of papers
Data Encryption 32 (32.99%)
Blockchain 12 (12.37%)
Image Protection 12 (12.37%)
Watermarking 8 (8.25%)
Access Control and Authentication 7 (7.22%)
Mathematical Modelling 5 (5.15%)
Network-based Solutions 5 (5.15%)
Artificial Intelligence and Machine Learning 4 (4.12%)
Web-based Solution 4 (4.12%)
Cloud-Based Technologies 4 (4.12%)
Edge Computing 3 (3.1%)
Treatment Continuity 1 (1.03%)
Table 2. Distribution of the Papers Providing Technical Solutions out of the n1 = 97
Papers which Proposed Privacy and Security Solutions of the Healthcare Organization
Data Encryption: Out of the n1 = 97 technology-focused papers, nearly half
of the papers discussed the encryption techniques to protect the data. A to-
tal of 32.99% of the papers discussed how patient data can be encrypted and
anonymized for robust security of health-related data [195,166, 167, 25, 209, 189,
29, 92, 120, 159, 161, 17, 147, 86, 31, 210, 188, 103, 42, 96, 201, 16, 6, 57, 197, 30, 211, 153].
For example, Sudha and Ganesan while discussing the lack of security of Elec-
tronic Medical Records (EMR) propose a Pervasive Mobile Healthcare where
multimedia medical record are protected using an Elliptical Curve Cryptogra-
phy algorithm [186]. Gupta and Metha discuss the importance of transmission
of medical data over unsecured networks, and propose a chaos-based encryption
scheme to secure medical images [76].
Blockchain: Another important focus on the technological solution found
in our collected sample was on blockchain technology [72, 33, 155, 8, 149, 75, 13,
154, 50, 181, 112, 38]. These papers explore the peer-to-peer network topology of
the blockchain, which implements a distributed ledger technology focusing on
the transparency of the network [141]. For example, Brunese et al. propose a
blockchain-based technology aimed to protect information exchanges in hospital
networks, with particular regard to magnetic resonance images by implementing
formal equivalence checking to validate the network of the transiting data [38].
8 Tazi et al.
Fig. 3. A Snapshot of Different Technology Based Solutions for Healthcare Data Pri-
vacy and Security
Image Protection: As discussed previously, there are papers which discussed
how encryption and blockchain can be used to protect medical data in the form
of images. However, we found 12 papers which explored the different technical
implementations to specifically protect medical images [102, 42, 114, 62, 27, 173,
18, 182, 21, 97, 40, 171]. For example, Kumar et al. propose embedding patient
information into a medical image through data hiding to improve security and
confidentiality for diffusion of medical information system [114]. Their proposal
was interesting and effective as they not only discussed embedding the text into
images, but also the importance of protecting these images.
Watermarking: A particular aspect of image protection was digital water-
marking. There were eight papers which focused on the watermarking aspect of
medical image protection [165, 200, 66, 98, 137, 65, 182, 22]. Vidya and Padmaja
focused on enhancing the security of Electronic Patient Record (EPR) data
which enable tele-diagnosis. They propose watermarking by embedding EPR
into the facial photograph of the patient and discussed implementing a Photo-
plethysmography signal from the forefinger tip of the patient for authentication
which had a success rate of 98% against security breaches [200].
Access Control and Authentication: Seven papers focused on making the se-
curity protocols of the healthcare system robust by addressing the access control
and authentication particularly [20, 85, 73, 73, 105, 157, 172]. Izza et al. focused on
Internet of Things-based E-healthcare and radio frequency identification (RFID)
authentication scheme for Wireless Body Area Network (WBANs). In their pro-
tocol, which they mention to be effective against digital threats implements
elliptic curve digital signature with message recovery [85].
Mathematical Modeling: We found that five of the collected papers utilized
statistical and other mathematical models to provide solutions to the security
SOK: Evaluating Healthcare Privacy and Security 9
threats of the healthcare organization [44, 192, 121, 122, 124]. Chaudhury et al.
discusses the Supervisory Control And Data Acquisition (SCADA) systems used
for medical data transfer and how Impulsive Statistical Fingerprinting (ISF) can
be implemented to substantiate the conversion of sensitive health data through
the ISF into a secure Health Level 7 (HL7) format [44].
Network-based Solutions: Five (5.15%) of the papers discussed network-based
solutions to resolve the privacy and security complexities of healthcare sys-
tems [106, 206, 213, 26, 88]. For example, Wang et al. details the WBAN and
introduces the key technologies and characteristics of wireless sensor networks
emphasizing node localization. They emphasize the importance of network local-
ization algorithms and performance evaluation indicators on wearable 3D node
localization algorithms to protect healthcare data of the patients [206].
AI and ML-based Solutions: Out of n1 = 97 papers we found that four
(4.12%) papers discussed artificial intelligence and machine learning-based solu-
tion to address the privacy and security issues of the healthcare sector [156, 183,
45, 95]. PraveenKumar proposes health and temperature sensors to monitor the
patient health data that gets transmitted to a microcontroller. The real time
data is then monitored and analyzed using k-means clustering and can guide
both patient and doctor knowledge [156].
Web-based Solutions: Web-based solutions were proposed in four papers in
our collection, where any form of web-based technical solutions to improve pri-
vacy and security of the sensitive data of the patients was discussed [191, 117,
207, 19]. Tian et al. looked into clinical prognosis prediction models based on
electronic health record data and developed a web service based on multi-center
clinical data called POPCORN. The PrognOsis Prediction based on multi-center
clinical data CollabORatioN (POPCORN) focused on the standardization of
clinical data expression, the preservation of patient privacy during model train-
ing using a multivariable meta-analysis, and a Bayesian framework [191].
Cloud-based Solutions: Four out of 205 papers discussed cloud-based solutions
to address the privacy and security issues of patient data protection [12, 58, 134,
101]. Khan et al. presents a secure cloud-based mobile healthcare framework us-
ing WBANs where the framework tries to secure the inter-sensor communication
by multi-biometric-based key generation scheme [101].
Edge Computing-based Solutions: Several prior papers have discussed edge
computing, but we found three papers which focused on edge-computing-based
solutions [9, 119, 7]. Edge computing is a distributed, open IT architecture that
features decentralised processing by the device itself or by a local computer or
server, rather than being transmitted to a data center [175].
Treatment Continuity: An interesting paper by Zhang et al. [214] pointed out
a scary aftermath of cybersecurity breaches, which is pausing or preventing con-
tinuous treatment of patients suffering from critical ailments. Their proposed so-
lution to address this focuses on automatic retrieval of essential information from
the clinical radiation oncology information systems for each under-treatment pa-
tient periodically and providing backup through secondary data servers in the
event of an attack to one of the servers [214].
10 Tazi et al.
Healthcare Frameworks: Of the 205 papers collected, 34 (16.58%) papers
studied or introduced new healthcare data management frameworks. A paper
was considered under the theme of healthcare frameworks if the main subject of
its study is a security, privacy, or design frameworks [84, 11, 126,90, 145,164, 208,
116, 180, 198, 128, 39, 60, 110, 135, 5, 15, 150, 37, 152, 67, 83, 70, 35, 118, 160, 132, 115,
178, 113]. These papers particularly describe methods to design a secure and pri-
vate technology for healthcare data usage. One such paper “A Security Frame-
work for Mobile Health Applications” introduced a security framework for
healthcare mobile applications, taking usability and security into considera-
tion [190]. Ibrahim et al. introduced a framework for securely sharing elec-
tronic health records over the cloud between different healthcare providers. This
framework ensures the confidentiality, integrity, authenticity, availability, and
auditability of the electronic health records [82].
Data Storage and Management: Papers were classified as data storage and
management if the research done was related to healthcare data access, ma-
nipulation, or the different technologies allowing for medical data storage. We
found 18 (8.78%) such papers in our corpus [77, 108, 54, 202, 109, 151, 32, 129,
205, 179, 94, 81, 168, 74, 163, 107, 138, 68]. In particular, Duque et al. introduce a
distributed data management architecture with a focus on the healthcare data
security and high performance requirements [54]. On the other hand, Petkovi´c
was concerned about the reliability of data transmitted through remote patient
monitoring systems, since the data is collected by patients with no medical su-
pervision [151]. Petrovi´c addresses this issue by proposing several approaches
that minimize the risks and ensure high information reliability.
Overviews: Overview papers include works which consolidate the prior work on
healthcare privacy and security by adding details of the current state of privacy
and security in the organizations and also adding details of the new technologies
implemented. Of the 205 papers, 16 papers (7.80%) discuss or review the health-
care privacy and security domain [144, 100, 204, 59, 142, 3, 100, 2, 4, 187, 196, 158,
148, 130, 41]. Of these, Paksuniemi et al. gives an overview of the wireless tech-
nologies devices and reveal the importance of implementing security measures
in these technologies to enable secure patient monitoring [144]. Moreover, Wang
provides an overview of the security threats imposed by smart devices which
monitor the patients through internet-connected technologies. Wang details two
primary security related issues for Internet-based tele-medicine systems that
need to be addressed: (1) medical data protection needs; and (2) system design
issues [204].
Ethical and Legal Implications: Of the 205 papers, ten (4.89%) papers stud-
ied the ethical and legal ramifications of data leaks occurring due to healthcare
data breaches [78, 169, 72, 63, 199, 104, 193, 91, 131, 79]. These papers particularly
explore violations in U.S. healthcare standards, including the Health Informa-
tion Technology for Economic and Clinical Health (HITECH) Act [79] which
SOK: Evaluating Healthcare Privacy and Security 11
proposes the meaningful use of interoperable electronic health records through-
out the U.S. healthcare delivery system as a critical national goal. Hollis also
discusses how beyond medical data security, healthcare staff are ethically re-
quired to anonymize the data so other staff are unable to uniquely identify a
patient through their stored data [78].
Case Studies and Data Breaches: Case studies and data breaches both doc-
ument real-world outcomes including common violations of security and privacy.
Both are insightful to illuminate contemporary issues and research should seek
to help develop proactive defenses that decrease the prevalence and impact of
incidents and data breaches. We found that six (2.93%) of the 205 corpus pa-
pers were case studies and data breaches, classified as such when authors stud-
ied a particular organization, data protection practices, or particular incidents
of data breaches. Some of these case studies chose different countries for their
analysis [136, 34, 61, 212, 46, 176]. The organizations which were studied spanned
global geography including India [176], United States [46], Saudi Arabia [34],
and Morocco [136].
Yesmin and Carter created an evaluation framework for automated privacy
auditing and found that 98.09% of 55,000 accesses of protected health informa-
tion by staff in a hospital were identified as appropriate and the tool was unable
to identify the remaining 1.91% of accesses [212]. Choi et al.’s work estimated
changes in health information technology investments by tracking spending by
U.S. hospitals between 2012 and 2016. Their results found that health infor-
mation technology spending increased by 26.0% in one year after a breach [46].
These studies have been critical to understanding the real world but do not men-
tion the stakeholders who were responsible or whose data were breached and how
that may impact patients’ lives.
Systematic Literature Reviews: Of the 205 papers analyzed, six (2.93%)
were systematic literature reviews [203, 89, 146, 87, 93,47]. These studies gave an
overview of the current standards and practices followed in the healthcare sec-
tors while mentioning the importance of the focus on the healthcare privacy and
security. However, these studies did not focus or explore the user perspective.
For example, Walker et al. implemented a mixed-method systematic review by
analyzing about 300,000 papers and found evidence of high heterogeneity across
crude data indicating that the effectiveness of security measures varies signifi-
cantly in healthcare but concluded without a solution for insiders attack [203].
3.2 Analysis of User Studies
In addition to our analysis of the technical solutions proposed in the collection,
we performed a detailed analysis of the user studies (n= 18). Our goal was to
understand and assess the studies which evaluated user perception towards the
privacy and security of their healthcare-related data. We performed a thorough
analysis of the user studies and analyzed certain aspects of the study such as
type of study conducted, study populations, duration, and medical settings.
12 Tazi et al.
Qual Quant Mixed-
Studies Studies Methods
(n=4) (n=12) (n=2)
Population
Urban 25% (1) 41.67% (5) 0% (0)
Suburban 0% (0) 0% (0) 0% (0)
Rural 25% (1) 0% (0) 0% (0)
Mixed 0% (0) 8.33% (1) 50% (1)
Other 0% (0) 0% (0) 0% (0)
Not reported 50% (2) 50% (6) 50% (1)
Study Population Setting
Healthcare Providers 75% (3) 33.33% (4) 100% (2)
Healthcare Students 0% (0) 25% (3) 0% (0)
Patients 0% (0) 8.33% (1) 0% (0)
Mixed 25% (1) 16.66% (2) 0% (0)
General Population 0% (0) 16.66% (2) 0% (0)
Study Location
USA 25% (1) 16.66% (2) 50% (1)
Europe 25% (1) 25% (3) 50% (1)
Europe and USA 0% (0) 8.33% (1) 0% (0)
Asia 0% (0) 25% (3) 0% (0)
Middle East 25% (1) 8.33% (1) 0% (0)
Nigeria 25% (1) 8.33% (1) 0% (0)
Turkey 0% (0) 8.33% (1) 0% (0)
Table 3. % of and Number of Studies in Settings with Various Population Densities
Along with Details About the User Study Durations.
Study Method: Of the 18 user studies in our corpus, 66.66% (12) were quanti-
tative studies. From the quantitative perspective, 50% (9) were surveys [170, 69,
177, 71, 143, 23, 49, 162, 80], 5.56% (1) quantitative descriptive study [36], 5.56%
(1) simulation-based study for a quantitative sample [43], 5.56% (1) random-
ized controlled trials [140]. Of other studies, 11.1% (2) were mixed-methods
survey [133, 28] with open-ended questions with a smaller population sample,
5.56% (1) field study [99], and 16.66% (3) qualitative interview-based studies [1,
24, 48]. Among the 18 user studies, only one assessed a proposed technological
intervention. This evaluation involved the efficiency and convenience of a mobile
app for managing diabetes [1]. Participants noted that one advantage of it was
compliance with hospital regulations for patient data security.
Study Duration: For the majority of the studies, the time taken for the com-
pletion of the study primarily occurred in a single session (Table 3) [170, 71,
143, 69, 177, 133, 23, 49]. However, an evaluation of a diabetes management app
occurred over 12 weeks [1], the randomized controlled trial of telehealth occurred
over a 12 month period [140]. Also, a survey of public perception mobile phones’
effect on healthcare was repeated in 2013 and 2014 [162], and a field study in
Nigeria was conducted over four weeks [99]. Such longitudinal studies are partic-
SOK: Evaluating Healthcare Privacy and Security 13
ularly important to understand users’ privacy and security perspective and how
user perspectives can change (or do not change) over time.
Population Distribution: As shown in Table 3, many of the 18 papers did
not report population distribution of the participants (44.44%, 8) [143, 69, 177,
23, 49, 28, 99]. Most of the remainder studies were conducted in urban settings
(37.5%, 6) [170, 1, 36, 43, 140, 80], except one (5.56%) which was conducted in a
rural setting [24]. No papers reported on suburban population settings.
Qual Quant Mixed-
Studies Studies Methods
(n=4) (n=12) (n=2)
Studied Medical Facilities
Home 0% (0) 16.67% (2) 0% (0)
Hospital 25% (1) 25% (3) 0% (0)
Private Practice 25% (1) 0% (0) 0% (0)
Mixed 0% (0) 16.67% (2) 0% (0)
Other Medical 50% (2) 41.67% (5) 50% (1)
Not reported 0% (0) 0% (0) 50% (1)
Num Participants
>0, 100 75% (3) 0% (0) 50% (1)
>100, 500 0% (0) 50% (6) 50% (1)
>500, 1000 0% (0) 14.67% (5) 0% (0)
>1000, 5000 0% (0) 8.33% (1) 0% (0)
>5000 0% (0) 0% (0) 0% (0)
Not reported 25% (1) 0% (0) 0% (0)
Table 4. % and Number of Studies Conducted in Various Healthcare Facilities Along
with the Number of Study Participants for Different User Studies.
Study Population Setting: Of nine of the 18 user-focused papers which stud-
ied healthcare providers [48, 99, 24, 28, 49, 133, 177, 69, 71], only one studied the
patients exclusively [170]. Three papers studied a mixed population of patients
and healthcare providers [23, 1, 140]. Mixed method studies studies focused only
on healthcare providers; similarly, 75% of qualitative studies were focused on
healthcare providers.
Study Geographical Location: Out of the 18 studies, four were conducted
in the USA [24, 28, 140, 162] and five in the European Union [133, 177, 71, 69,
48], and one was conducted in both Europe and USA [49]. One paper that
conducted their study with participants in Europe included 30 countries [177]
and one included 24 European countries [133]. Only one study was conducted
in Turkey [36], two in Africa (both in Nigeria) [99, 23], and two in the Mid-
dle East [170, 1]. Three quantitative studies were conducted in Asia specifically
India, Malaysia, and Hong Kong [143, 43, 80].
14 Tazi et al.
Study Context: Two qualitative studies were conducted in medical settings
other than hospitals and private practice [99,1]; one was conducted in private
practices [24] and one in three different hospitals [48]. (Table 4). Quantitative
studies reported settings including hospitals [71, 69, 177], medical settings not
including hospitals and private practice such as medical schools [143, 49, 36, 43,
80], patients’ home environments [170, 162], and mixed settings [23, 140]. No
papers focused on private practice settings. This is again interesting, as privacy
and security of medical data is critical irrespective of the setting. Thus, studies
focusing on more diverse medical settings are critical.
Number of Participants: One of the 4 qualitative studies did not report the
sample size. The most participants reported in one study is 50 participants, the
other two studies reported the same number of participants, 14. All the quanti-
tative studies and the mixed method studies reported the sample size. A total
of 94 participants were in qualitative studies, 5,856 (Median=429, IQR=581,
Range=50-1242) were in quantitative studies, and 117 (Median=58.5, IQR=42.5,
Range=16-101) in mixed studies.
4 Implications
We acknowledge the contribution of these previous works towards enhancing
the privacy and security of sensitive patient data. However, we note that more
research is needed to fully understand the challenges to healthcare security and
privacy.
4.1 Holistic Security Approach
When security or privacy are a secondary goal of the users, research is needed
to understand the motivations behind the circumvention of controls. From our
analysis of the user studies, we have identified three major themes pertaining to
the human factors of information security in healthcare, namely: inconsistent ac-
cess controls, non-compliant and insecure communication modes, and disruptive
update and backup policies. The majority of the past security research involving
people in healthcare has focused on understanding how providers may circum-
vent authentication [184], including the discovery that providers often share login
credentials with each other due to inconsistencies in access control policies [24,
48].
Access controls and privileges in healthcare are often designed without con-
sidering the individual provider’s needs or the multitude of tasks conducted by
them on a day-to-day basis. Rather, it is often designed in a tiered manner
where senior doctors have the most privileges and junior doctors and nurses
are assigned limited privileges [69, 24, 48]. Therefore whenever a provider (e.g.,
nurse or junior doctor) needs immediate access to a certain system or patient
record for providing critical care, but don’t have the necessary privileges, cre-
dentials are shared, usually by the senior doctors in these settings. This type
SOK: Evaluating Healthcare Privacy and Security 15
of credential sharing also occurs when someone needs access at a critical time
but has not completed the necessary training [47]. In addition to this, past re-
search also discusses other general, known issues associated with password usage
such as using insecure passwords, task interruptions, disabling authentication or
keeping machines unlocked for a long periods of time. Access control cards are
used to counter these password usage issues, but still do not address the security
circumvention issues discussed earlier [177].
The other dominant theme involved secure communication between providers
and patients, or lack thereof. Few papers noted that providers often used non-
HIPAA compliant messaging software to share test results with the patients
and also with each other [1, 48]. For example, providers have been known to
share images of scan reports with patients using WhatsApp, a popular messag-
ing platform from Facebook. Providers may be placing inappropriate trust on
these messaging platforms based on the end-to-end encryption claims made by
these platforms. More research is necessary to understand the challenges involv-
ing the use of recognized, HIPAA compliant message systems (e.g., American
Messaging System or AS) for communicating securely between providers and
between providers and patients.
The final theme that emerged from our analysis was regarding the issue
of applying security updates and automatic backups. Providers report updates
and backups appearing at inappropriate times such as while engaging with pa-
tients [48]. More research is necessary to determine the timing of updates that are
reasonably quick and non-disruptive to the workflow of the providers. Unsurpris-
ingly, technologies including encryption, blockchain, cloud, and access controls
were popular topics in the research literature. While technology represents an
important area for future opportunities and threats in healthcare, they remain
distant and disconnected from real-world needs today. Their over-representation
in the literature, therefore, overshadows the analysis of security and privacy
practices today.
The rollout of any new technology in healthcare is slow given strict legal and
compliance constraints. Despite these new technologies, other technical solutions
were notably missing that may hold promise for healthcare security and privacy.
For example, continuous authentication may aid healthcare workers by using
biometrics or hardware tokens to lock and unlock computers when an autho-
rized user is in physical proximity. The user studies of security circumvention
suggest that automated security features may be helpful, building on the effec-
tiveness of features such as automated software updates. Additionally, despite
the popularity of machine learning solutions in various fields, we were surprised
that these solutions were not prominent in our healthcare corpus.
4.2 Focus on Private Practice Healthcare
The studies we analyzed focused heavily on hospitals and other large medical
settings despite the fact that those represent a narrow view of all healthcare
workplace settings. Hospitals are atypical because they are among the most
well-resourced settings for controlling, implementing, and enforcing security and
16 Tazi et al.
privacy controls. Those resources enable higher than average investment in secu-
rity and privacy solutions, technical support, and organizational security culture.
The problems that manifest in hospitals, and solutions for them, should not be
assumed to generalize to other medical settings.
The literature appears to emphasize that improving health is the primary
objective in healthcare, with security and privacy among secondary goals. A
small businesses may have slimmer margins to apply to those non-primary goals.
They need help to prioritize spending and implementation of privacy and security
controls and the research community should prioritize the most impactful needs
first. In a study of private practice audiology clinics, Dykstra et al. found that
expertise, time, and money were reported as the primary limitations of better
cybersecurity [56]. While these limitations are not unique to healthcare, they
must be more explicitly acknowledged when proposing new security and privacy
mitigation measures. For example, one might imagine that a doctor in a single-
provider clinic may circumvent a compliant telehealth solution and revert to a
non-compliant personal device given a hardware failure in the practice. Thus,
a focus on studies reviewing such nuances will be critical especially for private
practice and other resource-constrained healthcare organizations.
4.3 Studies in Rural Setting and Developing Nations
Along these lines, we observed scarce security and privacy research related to
rural settings and developing nations. The resource limitations of the settings
demand a dedicated study of the population and appropriate technological miti-
gation techniques. The healthcare sector and research communities alike require
the insights of economics. None of the papers in our survey offered a robust
analysis of the probability of various vulnerabilities that would aid resource-
limited organizations in prioritizing solutions. Economic models, such as the
Gordon-Loeb model, may be effective in suggesting investment strategies [64].
Economics research may also wish to explore the costs and benefits of cybersecu-
rity policy decisions in medical settings, insights about attacker motivations, and
oppositional human factors to disrupt attacker cognition and decision making.
4.4 Understanding the Patient’s Perspective
Among the user studies we analyzed, the majority have focused on understand-
ing the security behaviors of healthcare workers. However, patients’ perspectives
appears to be largely overlooked. Security and privacy requirements should be in-
formed and driven primarily from the desires of patients about their own data.
Patients as voting citizens influence healthcare laws and regulations in their
choice of elected officials. Patients are also the most directly impacted by se-
curity breaches. More research is necessary to understand the gaps in patients’
understanding about the implications of a security breach to their personal data.
Research is also necessary to understand how much (or how little) trust patients
place in their healthcare organizations in protecting their personal data [111].
SOK: Evaluating Healthcare Privacy and Security 17
5 Limitations and Future Work
Healthcare is a broad and diverse sector with many niche journals and publi-
cations. Despite our best efforts, we may have missed important contributions
reported in publications for medical sub-specialities published in paid venues or
otherwise excluded by our search criteria. Future work is needed to understand
when, how, and why healthcare workers circumvent compliant workflows and
tools. Prior work has been focused primarily on authentication-related circum-
vention and usability and a broader examination is warranted. Further, past
research has drawn heavily from surveys so in-situ data would provide further
grounding and accuracy.
6 Conclusion
As the healthcare sector is increasingly digitized, privacy risks and security con-
cerns about data storage, access, and transfer have greatly increased. However,
the question remains about how the research community is addressing these
concerns from the technical and user perspective. To this aid, we conducted a
detailed systematic literature review after collecting 2,903 papers and themat-
ically analyzing N= 205 of them. These peer-reviewed research articles were
published and available over seven digital spaces: ACM DL, Google Scholar,
SSRN, ScienceDirect, IEEE Xplore, PubMed, and MEDLINE. We examined the
security and privacy of patient data in healthcare organizations as studied by
prior literature. We found that current research focuses primarily on data en-
cryption and frameworks while understudying the user risk perceptive of privacy
and security. Along the socio-technical component of healthcare privacy and se-
curity, it was concerning to note that <9% of the papers conducted any user
studies. Among those, the studies were influenced by survey designs rather than
in-depth, longitudinal user-focused studies. Additionally, these studies focused
primarily on larger settings by severely ignoring the organizations with limited
resources such as the private healthcare sector. We conclude with actionable rec-
ommendations from the rich literature we studied that can enhance the privacy
and security aspects of the healthcare sector.
7 Acknowledgments
We would like to thank the Inclusive Security and Privacy-focused Innovative
Research in Information Technology (InSPIRIT) Laboratory at the University of
Denver. We would also like to thank Salman Hosain for their initial contribution
in this research and Alisa Zezulak for helping with the proofreading of this paper.
Any opinions, findings, and conclusions or recommendations expressed in this
material are solely those of the authors and do not necessarily reflect the views
of the University of Denver, the University of Washington, and the Designer
Security.
18 Tazi et al.
References
1. Abd-alrazaq, A.A., Suleiman, N., Baagar, K., Jandali, N., Alhuwail, D., Abdal-
hakam, I., Shahbal, S., Abou-Samra, A.B., Househ, M.: Patients and healthcare
workers experience with a mobile application for self-management of diabetes in
Qatar: A qualitative study. Computer Methods and Programs in Biomedicine
Update p. 100002 (2021)
2. Abouelmehdi, K., Beni-Hessane, A., Khaloufi, H.: Big healthcare data: preserving
security and privacy. Journal of Big Data 5(1), 1 (2018)
3. Abouelmehdi, K., Beni-Hssane, A., Khaloufi, H., Saadi, M.: Big data security and
privacy in healthcare: A review. Procedia Computer Science 113, 73–80 (2017)
4. Abraham, C., Chatterjee, D., Sims, R.R.: Muddling through cybersecurity: In-
sights from the us healthcare industry. Business horizons 62(4), 539–548 (2019)
5. Acharya, S., Susai, G., Pillai, M.: Patient portals: Anytime, anywhere pp. 779–781
(2015)
6. Aiswarya, R., Divya, R., Sangeetha, D., Vaidehi, V.: Harnessing healthcare data
security in cloud pp. 482–488 (2013)
7. Al Hamid, H.A., Rahman, S.M.M., Hossain, M.S., Almogren, A., Alamri, A.: A
security model for preserving the privacy of medical big data in a healthcare cloud
using a fog computing facility with pairing-based cryptography. IEEE Access 5,
22313–22328 (2017)
8. Al-Karaki, J.N., Gawanmeh, A., Ayache, M., Mashaleh, A.: Dass-care: A decen-
tralized, accessible, scalable, and secure healthcare framework using blockchain
pp. 330–335 (2019). https://doi.org/10.1109/IWCMC.2019.8766714
9. Alam, M.G.R., Munir, M.S., Uddin, M.Z., Alam, M.S., Dang, T.N., Hong, C.S.:
Edge-of-things computing framework for cost-effective provisioning of healthcare
data. Journal of Parallel and Distributed Computing 123, 54–60 (2019)
10. Albarrak, A.I.: Information security behavior among nurses in an academic hos-
pital. Health Med 6(7), 2349–2354 (2012)
11. Alboaie, S., Nita, L., Stefanescu, C.: Executable choreographies for med-
ical systems integration and data leaks prevention pp. 1–4 (2015).
https://doi.org/10.1109/EHB.2015.7391612
12. Almehmadi, T., Alshehri, S., Tahir, S.: A secure fog-cloud based architecture for
miot pp. 1–6 (2019). https://doi.org/10.1109/CAIS.2019.8769524
13. Alshalali, T., M’Bale, K., Josyula, D.: Security and privacy of elec-
tronic health records sharing using hyperledger fabric pp. 760–763 (2018).
https://doi.org/10.1109/CSCI46756.2018.00152
14. Altunta¸s, G., Semerci¨oz, F., Eregez, H.: Linking strategic and market orienta-
tions to organizational performance: the role of innovation in private healthcare
organizations. Procedia-Social and Behavioral Sciences 99, 413–419 (2013)
15. Alyami, H., Feng, J.L., Hilal, A., Basir, O.: On-
demand key distribution for body area networks for emer-
gency case (2014). https://doi.org/10.1145/2642668.2642684,
https://doi.org/10.1145/2642668.2642684
16. Anghelescu, P.: Encryption of multimedia medical content using programmable
cellular automata pp. 11–16 (2012)
17. Anghelescu, P., Ionita, S., Sofron, E.: Block encryption using hybrid additive
cellular automata pp. 132–137 (2007)
18. Arumugham, S., Rajagopalan, S., Rayappan, J.B.B., Amirtharajan, R.: Net-
worked medical data sharing on secure medium–a web publishing mode for dicom
SOK: Evaluating Healthcare Privacy and Security 19
viewer with three layer authentication. Journal of biomedical informatics 86, 90–
105 (2018)
19. Asija, R., Nallusamy, R.: Data model to enhance the security and pri-
vacy of healthcare data pp. 237–244 (2014). https://doi.org/10.1109/GHTC-
SAS.2014.6967590
20. Aski, V., Dhaka, V.S., Kumar, S., Parashar, A., Ladagi, A.: A multi-factor ac-
cess control and ownership transfer framework for future generation healthcare
systems pp. 93–98 (2020). https://doi.org/10.1109/PDGC50313.2020.9315840
21. Ayad, H., Khalil, M.: A semi-blind information hiding technique using dwt-svd
and qam-16 for medical images pp. 1–7 (2017)
22. Ayad, H., Khalil, M.: A semi-blind information hiding technique using dwt-svd
and qam-16 for medical images (2017). https://doi.org/10.1145/3090354.3090433,
https://doi.org/10.1145/3090354.3090433
23. Ayanlade, O., Oyebisi, T., Kolawole, B.: Health information technology accep-
tance framework for diabetes management. Heliyon 5(5), e01735 (2019)
24. Baker, A., Vega, L., DeHart, T., Harrison, S.: Healthcare and security: Under-
standing and evaluating the risks pp. 99–108 (2011)
25. Balamurugan, G., Joseph, K.S., Arulalan, V.: An iris based reversible watermark-
ing system for the security of teleradiology pp. 1–6
26. Bao, S.D., Chen, M., Yang, G.Z.: A method of signal scrambling to secure data
storage for healthcare applications. IEEE Journal of Biomedical and Health In-
formatics 21(6), 1487–1494 (2017). https://doi.org/10.1109/JBHI.2017.2679979
27. Basavegowda, R., Seenappa, S.: Electronic medical report security using visual
secret sharing scheme pp. 78–83 (2013)
28. Bechtel, J.M., Lepoire, E., Bauer, A.M., Bowen, D.J., Fortney, J.C.: Care manager
perspectives on integrating an mhealth app system into clinical workflows: A
mixed methods study. General Hospital Psychiatry 68, 38–45 (2021)
29. Besher, K.M., Subah, Z., Ali, M.Z.: Iot sensor initiated healthcare data security.
IEEE Sensors Journal (2020)
30. Bharghavi, G., Kumar, P.S., Geetha, K., Sasikala Devi, N.: An implementation
of slice algorithm to enforce security for medical images using dna approach pp.
0984–0988 (2018). https://doi.org/10.1109/ICCSP.2018.8524413
31. Bharghavi, G., Kumar, P.S., Geetha, K., Devi, N.S.: An implementation of slice
algorithm to enforce security for medical images using dna approach pp. 0984–
0988 (2018)
32. Bhola, J., Soni, S., Cheema, G.K.: Recent trends for security applications in
wireless sensor networks–a technical review pp. 707–712 (2019)
33. Bhuiyan, M.Z.A., Zaman, A., Wang, T., Wang, G., Tao, H., Hassan, M.M.:
Blockchain and big data to transform the healthcare pp. 62–68 (2018)
34. Binobaid, S., Fan, I.S., Almeziny, M.: Investigation Interoperability Problems
in Pharmacy Automation: A Case Study in Saudi Arabia. Procedia Computer
Science 100, 329–338 (2016)
35. Boddy, A., Hurst, W., Mackay, M., El Rhalibi, A.: A study into detecting anoma-
lous behaviours within healthcare infrastructures pp. 111–117 (2016)
36. Bodur, G., Gumus, S., Gursoy, N.G.: Perceptions of Turkish health professional
students toward the effects of the internet of things (IOT) technology in the
future. Nurse education today 79, 98–104 (2019)
37. Branley-Bell, D., Coventry, L., Sillence, E., Magalini, S., Mari, P., Magkanaraki,
A., Kalliopi, A.: Your hospital needs you: Eliciting positive cybersecurity be-
haviours from healthcare staff using the aide approach. Annals of Disaster Risk
Sciences 3(1), 1–16 (2020)
20 Tazi et al.
38. Brunese, L., Mercaldo, F., Reginelli, A., Santone, A.: A blockchain based proposal
for protecting healthcare systems through formal methods. Procedia Computer
Science 159, 1787–1794 (2019)
39. Brunese, L., Mercaldo, F., Reginelli, A., Santone, A.: Formal modeling for mag-
netic resonance images tamper mitigation. Procedia Computer Science 159, 1803–
1810 (2019)
40. Brunese, L., Mercaldo, F., Reginelli, A., Santone, A.: Radiomic features for medi-
cal images tamper detection by equivalence checking. Procedia Computer Science
159, 1795–1802 (2019)
41. Burke, W., Oseni, T., Jolfaei, A., Gondal, I.: Cybersecurity indexes for ehealth
pp. 1–8 (2019)
42. Cao, F., Huang, H.K., Zhou, X.: Medical image security in a hipaa mandated
pacs environment. Computerized medical imaging and graphics 27(2-3), 185–196
(2003)
43. Chan, K.G., Pawi, S., Ong, M.F., Kowitlawakul, Y., Goy, S.C.: Simulated elec-
tronic health documentation: A cross-sectional exploration of factors influencing
nursing students’ intention to use. Nurse education in practice 48, 102864 (2020)
44. Chaudhry, J., Qidwai, U., Miraz, M.H.: Securing big data from eavesdropping
attacks in scada/ics network data streams through impulsive statistical finger-
printing pp. 77–89 (2019)
45. Chen, Y., Chen, W.: Finger ecg-based authentication for healthcare data security
using artificial neural network pp. 1–6 (2017)
46. Choi, S.J., Johnson, M.E., Lee, J.: An event study of data breaches and hospital
IT spending. Health Policy and Technology 9(3), 372–378 (2020)
47. Coventry, L., Branley, D.: Cybersecurity in healthcare: a narrative review of
trends, threats and ways forward. Maturitas 113, 48–52 (2018)
48. Coventry, L., Branley-Bell, D., Sillence, E., Magalini, S., Mari, P., Magkanaraki,
A., Anastasopoulou, K.: Cyber-risk in healthcare: Exploring facilitators and bar-
riers to secure behaviour pp. 105–122 (2020)
49. Currie, W.: Health organizations’ adoption and use of mobile technology in france,
the usa and uk. Procedia Computer Science 98, 413–418 (2016)
50. Dagher, G.G., Mohler, J., Milojkovic, M., Marella, P.B.: Ancile: Privacy-
preserving framework for access control and interoperability of electronic health
records using blockchain technology. Sustainable cities and society 39, 283–297
(2018)
51. Das, S., Kim, A., Tingle, Z., Nippert-Eng, C.: All about phishing: Exploring user
research through a systematic literature review. arXiv preprint arXiv:1908.05897
(2019)
52. Das, S., Wang, B., Tingle, Z., Camp, L.J.: Evaluating user perception of multi-
factor authentication: A systematic review. In: Proceedings of the Thirteenth
International Symposium on Human Aspects of Information Security & Assurance
(HAISA 2019) (2019)
53. Demjaha, A., Caulfield, T., Sasse, M.A., Pym, D.: 2 fast 2 secure: A case study
of post-breach security changes pp. 192–201 (2019)
54. Duque, H., Montagnat, J., Pierson, J.M., Brunie, L., Magnin, I.: Dm2: A dis-
tributed medical data manager for grids pp. 138–147 (2003)
55. Dwivedi, A.D., Srivastava, G., Dhar, S., Singh, R.: A decentralized privacy-
preserving healthcare blockchain for IoT. Sensors 19(2), 326 (2019)
56. Dykstra, J., Mathur, R., Spoor, A.: Cybersecurity in Medical Pri-
vate Practice: Results of a Survey in Audiology pp. 169–176 (2020).
https://doi.org/10.1109/CIC50333.2020.00029
SOK: Evaluating Healthcare Privacy and Security 21
57. El Bouchti, A., Bahsani, S., Nahhal, T.: Encryption as a service for data health-
care cloud security pp. 48–54 (2016)
58. Elmogazy, H., Bamasak, O.: Towards healthcare data security in cloud computing
pp. 363–368 (2013)
59. Esposito, C., Castiglione, A.: Cloud-based management of healthcare data: secu-
rity and privacy concerns and a promising solution
60. Essa, Y.M., Hemdan, E.E.D., El-Mahalawy, A., Attiya, G., El-Sayed, A.: Ifhds:
intelligent framework for securing healthcare bigdata. Journal of medical systems
43(5)
61. Garner, S.A., Kim, J.: The Privacy Risks of Direct-to-Consumer Genetic Testing:
A Case Study of 23andMe and Ancestry. Wash. UL Rev. 96, 1219 (2018)
62. Geetha, R., Geetha, S.: Efficient high capacity technique to embed epr information
and to detect tampering in medical images. Journal of medical engineering &
technology 44(2), 55–68 (2020)
63. Georgiou, D., Lambrinoudakis, C.: Compatibility of a security policy for a cloud-
based healthcare system with the eu general data protection regulation (gdpr).
Information 11(12), 586 (2020)
64. Gordon, L.A., Loeb, M.P., Zhou, L., et al.: Investing in cybersecurity: Insights
from the gordon-loeb model. Journal of Information Security 7(02), 49 (2016)
65. Goudar, V., Potkonjak, M.: Addressing biosignal data sharing
security issues with robust watermarking pp. 618–626 (2014).
https://doi.org/10.1109/SAHCN.2014.6990402
66. Goudar, V., Potkonjak, M.: On admitting sensor fault tolerance
while achieving secure biosignal data sharing pp. 266–275 (2014).
https://doi.org/10.1109/ICHI.2014.44
67. Goudar, V., Potkonjak, M.: A robust watermarking technique for secure sharing
of basn generated medical data pp. 162–170 (2014)
68. Gritzalis, D.: A baseline security policy for distributed healthcare information
systems. Computers & Security 16(8), 709–719 (1997)
69. Gritzalis, D., Katsikas, S., Keklikoglou, J., Tomaras, A.: Determining access rights
for medical information systems. Computers & Security 11(2), 149–161 (1992)
70. Gritzalis, D., Lambrinoudakis, C.: A security architecture for interconnecting
health information systems. International Journal of Medical Informatics 73(3),
305–309 (2004)
71. Gritzalis, D., Tomaras, A., Katsikas, S., Keklikoglou, J.: Data security in medical
information systems: The greek case. Computers & Security 10(2), 141–159 (1991)
72. Gross, M.S., Miller Jr, R.C.: Ethical implementation of the learning healthcare
system with blockchain technology. Blockchain in Healthcare Today, Forthcoming
(2019)
73. Guennoun, M., El-Khatib, K.: Securing medical data in smart homes pp. 104–107
(2009). https://doi.org/10.1109/MEMEA.2009.5167964
74. Guizani, K., Guizani, S.: Iot healthcare monitoring systems overview for elderly
population pp. 2005–2009 (2020)
75. Gupta, A., Bansiya, A.: Utilizing cloud computing for stronger healthcare data
security. International Journal of Scientific Research & Engineering Trends 6,
2384 (2020)
76. Gupta, V., Metha, G.: Medical data security using cryptography pp. 866–869
(2018)
77. Hammouchi, H., Cherqi, O., Mezzour, G., Ghogho, M., El Koutbi, M.: Digging
deeper into data breaches: An exploratory data analysis of hacking breaches over
time. Procedia Computer Science 151, 1004–1009 (2019)
22 Tazi et al.
78. Hollis, K.F.: To share or not to share: ethical acquisition and use of medical data.
AMIA Summits on Translational Science Proceedings 2016, 420 (2016)
79. Holmgren, A.J., Adler-Milstein, J.: Health Information Exchange in US Hospitals:
The Current Landscape and a Path to Improved Information Sharing. Journal of
hospital medicine 12(3), 193–198 (2017)
80. Hsu, W.W.Q., Chan, E.W.Y., Zhang, Z.J., Lin, Z.X., Bian, Z.X., Wong, I.C.K.:
Chinese medicine students’ views on electronic prescribing: A survey in hong kong.
European Journal of Integrative Medicine 7(1), 47–54 (2015)
81. Huang, C.D., Behara, R.S., Goo, J.: Optimal information security investment
in a healthcare information exchange: An economic analysis. Decision Support
Systems 61, 1–11 (2014)
82. Ibrahim, A., Mahmood, B., Singhal, M.: A secure framework
for sharing electronic health records over clouds pp. 1–8 (2016).
https://doi.org/10.1109/SeGAH.2016.7586273
83. Ibrahim, A., Mahmood, B., Singhal, M.: A secure framework for sharing electronic
health records over clouds pp. 1–8 (2016)
84. Ivscu, T., Frˆıncu, M., Negru, V.: Considerations towards security and pri-
vacy in internet of things based ehealth applications pp. 275–280 (2016).
https://doi.org/10.1109/SISY.2016.7601512
85. Izza, S., Benssalah, M., Drouiche, K.: An enhanced scalable and secure rfid au-
thentication protocol for wban within an iot environment. Journal of Information
Security and Applications 58, 102705 (2021)
86. Jabeen, T., Ashraf, H., Khatoon, A., Band, S.S., Mosavi, A.: A lightweight genetic
based algorithm for data security in wireless body area networks. IEEE Access 8,
183460–183469 (2020)
87. Jabeen, T., Ashraf, H., Ullah, A.: A survey on healthcare data security in wireless
body area networks. Journal of Ambient Intelligence and Humanized Computing
pp. 1–14 (2021)
88. Jaigirdar, F.T.: Trust based security solution for internet of things healthcare
solution: an end-to-end trustworthy architecture pp. 1757–1760 (2018)
89. Jalali, M.S., Razak, S., Gordon, W., Perakslis, E., Madnick, S.: Health care and
cybersecurity: bibliometric analysis of the literature. Journal of medical Internet
research 21(2), e12644 (2019)
90. Janjic, V., Bowles, J., Vermeulen, A.F., Silvina, A., Belk, M., Fidas, C., Pitsillides,
A., Kumar, M., Rossbory, M., Vinov, M., et al.: The serums tool-chain: Ensuring
security and privacy of medical data in smart patient-centric healthcare systems
pp. 2726–2735 (2019)
91. Jayanthilladevi, A., Sangeetha, K., Balamurugan, E.: Healthcare biometrics secu-
rity and regulations: Biometrics data security and regulations governing phi and
hipaa act for patient privacy pp. 244–247 (2020)
92. Joshitta, R.S.M., Arockiam, L., Malarchelvi, P.S.K.: Security analysis of sat jo
lightweight block cipher for data security in healthcare iot pp. 111–116 (2019)
93. Kamoun, F., Nicho, M.: Human and organizational factors of healthcare data
breaches: The swiss cheese model of data breach causation and prevention. In-
ternational Journal of Healthcare Information Systems and Informatics (IJHISI)
9(1), 42–60 (2014)
94. Karthick, R., Ramkumar, R., Akram, M., Kumar, M.V.: Overcome the chal-
lenges in bio-medical instruments using iot–a review. Materials Today: Proceed-
ings (2020)
SOK: Evaluating Healthcare Privacy and Security 23
95. Kaur, J., Khan, A.I., Abushark, Y.B., Alam, M.M., Khan, S.A., Agrawal, A.,
Kumar, R., Khan, R.A.: Security risk assessment of healthcare web application
through adaptive neuro-fuzzy inference system: A design perspective. Risk Man-
agement and Healthcare Policy 13, 355 (2020)
96. Kausar, F.: Iris based cancelable biometric cryptosystem for secure healthcare
smart card. Egyptian Informatics Journal (2021)
97. Kaw, J.A., Loan, N.A., Parah, S.A., Muhammad, K., Sheikh, J.A., Bhat, G.M.:
A reversible and secure patient information hiding system for iot driven e-health.
International Journal of Information Management 45, 262–275 (2019)
98. Kelkar, V., Tuckley, K.: Reversible watermarking for medical im-
ages with added security using chaos theory pp. 84–87 (2018).
https://doi.org/10.1109/CESYS.2018.8724039
99. Kenny, G., O’Connor, Y., Eze, E., Ndibuagu, E., Heavin, C.: A ground-up ap-
proach to mHealth in Nigeria: a study of primary healthcare workers’ attitude to
mHealth adoption. Procedia computer science 121, 809–816 (2017)
100. Khaloufi, H., Abouelmehdi, K., Beni-hssane, A., Saadi, M.: Security model for
big healthcare data lifecycle. Procedia Computer Science 141, 294–301 (2018)
101. Khan, F.A., Ali, A., Abbas, H., Haldar, N.A.H.: A cloud-based healthcare frame-
work for security and patients’ data privacy using wireless body area networks.
Procedia Computer Science 34, 511–517 (2014)
102. Khan, J., Li, J., Haq, A.U., Parveen, S., Khan, G.A., Shahid, M., Monday, H.N.,
Ullah, S., Ruinan, S.: Medical image encryption into smart healthcare iot system
pp. 378–382 (2019). https://doi.org/10.1109/ICCWAMTIP47768.2019.9067592
103. Khan, J., Li, J., Haq, A.U., Parveen, S., Khan, G.A., Shahid, M., Monday, H.N.,
Ullah, S., Ruinan, S.: Medical image encryption into smart healthcare iot system
pp. 378–382 (2019)
104. Kierkegaard, P.: Medical data breaches: Notification delayed is notification denied.
Computer Law & Security Review 28(2), 163–183 (2012)
105. Kim, J., Feng, D.D., Cai, T.W., Eberl, S.: Integrated multimedia medical data
agent in e-health. In: Proceedings of the Pan-Sydney area workshop on Visual
information processing-Volume 11. pp. 11–15 (2001)
106. Kiourtis, A., Mavrogiorgou, A., Kyriazis, D., Graziani, A., Torelli, F.: Improving
health information exchange through wireless communication protocols pp. 32–39
(2020). https://doi.org/10.1109/WiMob50308.2020.9253374
107. Kiruba, W.M., Vijayalakshmi, M.: Implementation and analysis of data security
in a real time iot based healthcare application pp. 1460–1465 (2018)
108. Ko, J., Lu, C., Srivastava, M.B., Stankovic, J.A., Terzis, A., Welsh, M.: Wireless
sensor networks for healthcare. Proceedings of the IEEE 98(11), 1947–1960 (2010)
109. Kondawar, S.S., Gawali, D.H.: Security algorithms for wireless medical data pp. 1–
6 (2016)
110. Krishna, R., Kelleher, K., Stahlberg, E.: Patient confidentiality in the research use
of clinical medical databases. American journal of public health 97(4), 654–658
(2007)
111. Krombholz, K., Busse, K., Pfeffer, K., Smith, M., von Zezschwitz, E.: if https
were secure, i wouldn’t need 2fa”-end user and administrator mental models of
https pp. 246–263 (2019)
112. Kumar, M., Chand, S.: Medhypchain: A patient-centered interoperability
hyperledger-based medical healthcare system: Regulation in covid-19 pandemic.
Journal of Network and Computer Applications 179, 102975 (2021)
113. Kumar, S., Namdeo, V.: Enabling privacy and security of healthcare-related data
in the cloud
24 Tazi et al.
114. Kumar, V.N., Rochan, M., Hariharan, S., Rajamani, K.: Data hiding scheme for
medical images using lossless code for mobile hims pp. 1–4 (2011)
115. Kuo, M.H., Chrimes, D., Moa, B., Hu, W.: Design and construction of a big data
analytics framework for health applications pp. 631–636 (2015)
116. Lee, C.Y., Ibrahim, H., Othman, M., Yaakob, R.: Reconciling semantic conflicts
in electronic patient data exchange pp. 390–394 (2009)
117. Lees, P.J., Chronaki, C.E., Simantirakis, E.N., Kostomanolakis, S.G., Or-
phanoudakis, S.C., Vardas, P.E.: Remote access to medical records via the in-
ternet: feasibility, security and multilingual considerations pp. 89–92 (1999).
https://doi.org/10.1109/CIC.1999.825913
118. Li, P., Xu, C., Luo, Y., Cao, Y., Mathew, J., Ma, Y.: Carenet: Building regulation-
compliant home-based healthcare services with software-defined infrastructure pp.
373–382 (2017)
119. Li, X., Huang, X., Li, C., Yu, R., Shu, L.: Edgecare: leveraging edge computing
for collaborative data management in mobile healthcare systems. IEEE Access 7,
22011–22025 (2019)
120. Liu, H., Kadir, A., Liu, J.: Color pathological image encryption algorithm using
arithmetic over galois field and coupled hyper chaotic system. Optics and Lasers
in Engineering 122, 123–133 (2019)
121. Lohiya, S., Ragha, L.: Privacy preserving in data mining using hybrid approach
pp. 743–746 (2012). https://doi.org/10.1109/CICN.2012.166
122. Lomotey, R.K., Pry, J., Sriramoju, S.: Wearable iot data stream traceability in
a distributed health information system. Pervasive and Mobile Computing 40,
692–707 (2017)
123. M Jones, J., Duezguen, R., Mayer, P., Volkamer, M., Das, S.: A literature review
on virtual reality authentication. In: Proceedings of the Fifteenth International
Symposium on Human Aspects of Information Security & Assurance (HAISA
2021)-Virtual Conference (2021)
124. Mahima, K.T.Y., Ginige, T.: A secured healthcare system using blockchain and
graph theory (2020), https://doi.org/10.1145/3440084.3441217
125. Majam, T., Theron, F.: The purpose and relevance of a scientific literature review:
A holistic approach to research. Journal of public administration 41(3), 603–615
(2006)
126. Maji, A.K., Mukhoty, A., Majumdar, A.K., Mukhopadhyay, J., Sural, S., Paul, S.,
Majumdar, B.: Security analysis and implementation of web-based telemedicine
services with a four-tier architecture pp. 46–54 (2008)
127. Majumdar, R., Das, S.: Sok: An evaluation of quantum authentication through
systematic literature review. In: Proceedings of the Workshop on Usable Security
and Privacy (USEC) (2021)
128. Mashima, D., Ahamad, M.: Enhancing accountability of
electronic health record usage via patient-centric mon-
itoring (2012). https://doi.org/10.1145/2110363.2110410,
https://doi.org/10.1145/2110363.2110410
129. Masood, I., Wang, Y., Daud, A., Aljohani, N.R., Dawood, H.: Privacy manage-
ment of patient physiological parameters. Telematics and Informatics 35(4), 677–
701 (2018)
130. Masood, I., Wang, Y., Daud, A., Aljohani, N.R., Dawood, H.: Towards smart
healthcare: patient data privacy and security in sensor-cloud infrastructure. Wire-
less Communications and Mobile Computing 2018 (2018)
SOK: Evaluating Healthcare Privacy and Security 25
131. Mbonihankuye, S., Nkunzimana, A., Ndagijimana, A.: Healthcare data security
technology: Hipaa compliance. Wireless Communications and Mobile Computing
2019 (2019)
132. McLeod, A., Dolezel, D.: Cyber-analytics: Modeling factors associated with
healthcare data breaches. Decision Support Systems 108, 57–68 (2018)
133. Melchiorre, M.G., Papa, R., Rijken, M., van Ginneken, E., Hujala, A., Barbabella,
F.: eHealth in integrated care programs for people with multimorbidity in Europe:
Insights from the ICARE4EU project. Health policy 122(1), 53–63 (2018)
134. Miah, S.J., Hasan, J., Gammack, J.G.: On-cloud healthcare clinic: an e-health
consultancy approach for remote communities in a developing country. Telematics
and Informatics 34(1), 311–322 (2017)
135. Mirto, M., Cafaro, M., Aloisio, G.: Peer-to-peer data discovery in health centers
pp. 343–348 (2013)
136. Mounia, B., Habiba, C.: Big data privacy in healthcare moroccan context. Pro-
cedia Computer Science 63, 575–580 (2015)
137. Naseem, M.T., Qureshi, I.M., Muzaffar, M.Z., et al.: Robust watermark-
ing for medical images resistant to geometric attacks pp. 224–228 (2012).
https://doi.org/10.1109/INMIC.2012.6511496
138. Nausheen, F., Begum, S.H.: Healthcare iot: benefits, vulnerabilities and solutions
pp. 517–522 (2018)
139. Noah, N., Das, S.: Exploring evolution of augmented and virtual reality education
space in 2020 through systematic literature review. Computer Animation and
Virtual Worlds p. e2020 (2021)
140. Noel, K., Yagudayev, S., Messina, C., Schoenfeld, E., Hou, W., Kelly, G.: Tele-
transitions of care. a 12-month, parallel-group, superiority randomized controlled
trial protocol, evaluating the use of telehealth versus standard transitions of care
in the prevention of avoidable hospital readmissions. Contemporary clinical trials
communications 12, 9–16 (2018)
141. Nofer, M., Gomber, P., Hinz, O., Schiereck, D.: Blockchain. Business & Informa-
tion Systems Engineering 59(3), 183–187 (2017)
142. Olaronke, I., Oluwaseun, O.: Big data in healthcare: Prospects, challenges and
resolutions pp. 1152–1157 (2016)
143. Pai, R.R., Alathur, S.: Determinants of mobile health application awareness and
use in india: an empirical analysis pp. 576–584 (2020)
144. Paksuniemi, M., Sorvoja, H., Alasaarela, E., Myllyla, R.: Wireless sensor and data
transmission needs and technologies for patient monitoring in the operating room
and intensive care unit pp. 5182–5185 (2006)
145. Palta, J.R., Frouhar, V.A., Dempsey, J.F.: Web-based submission, archive, and
review of radiotherapy data for clinical quality assurance: a new paradigm. In-
ternational Journal of Radiation Oncology* Biology* Physics 57(5), 1427–1436
(2003)
146. Pandey, A.K., Khan, A.I., Abushark, Y.B., Alam, M.M., Agrawal, A., Kumar,
R., Khan, R.A.: Key issues in healthcare data integrity: Analysis and recommen-
dations. IEEE Access 8, 40612–40628 (2020)
147. Pandey, H.M.: Secure medical data transmission using a fusion of bit mask ori-
ented genetic algorithm, encryption and steganography. Future Generation Com-
puter Systems 111, 213–225 (2020)
148. Parameswari, R., Latha, R.: Analysis of wavelet transform approach for healthcare
data security in cloud framework. International journal of scientific research in
science, engineering and technology 2, 241–246 (2016)
26 Tazi et al.
149. Parmar, M., Shah, S.: Reinforcing security of medical data using blockchain pp.
1233–1239 (2019). https://doi.org/10.1109/ICCS45141.2019.9065830
150. Perumal, A.M., Nadar, E.R.S.: Architectural framework of a group key man-
agement system for enhancing e-healthcare data security. Healthcare Technology
Letters 7(1), 13–17 (2020)
151. Petkovi´c, M.: Remote patient monitoring: Information reliability challenges pp.
295–301 (2009)
152. Pirbhulal, S., Samuel, O.W., Wu, W., Sangaiah, A.K., Li, G.: A joint resource-
aware and medical data security framework for wearable healthcare systems. Fu-
ture Generation Computer Systems 95, 382–391 (2019)
153. Pirbhulal, S., Shang, P., Wu, W., Sangaiah, A.K., Samuel, O.W., Li, G.: Fuzzy
vault-based biometric security method for tele-health monitoring systems. Com-
puters & Electrical Engineering 71, 546–557 (2018)
154. Po lap, D., Srivastava, G., Yu, K.: Agent architecture of an intelligent medical
system based on federated learning and blockchain technology. Journal of Infor-
mation Security and Applications 58, 102748 (2021)
155. Po lap, D., Srivastava, G., Jolfaei, A., Parizi, R.M.: Blockchain technology
and neural networks for the internet of medical things pp. 508–513 (2020).
https://doi.org/10.1109/INFOCOMWKSHPS50562.2020.9162735
156. PraveenKumar, R., Divya, P.: Medical data processing and prediction of future
health condition using sensors data mining techniques and r programming. Inter-
national Journal of Scientific Research and Engineering Development 3(4) (2020)
157. Psarra, E., Patiniotakis, I., Verginadis, Y., Apostolou, D., Mentzas, G.: Securing
access to healthcare data with context-aware policies pp. 1–6 (2020)
158. Qazi, U., Haq, M., Rashad, N., Rashid, K., Ullah, S., Raza, U.: Availability and
use of in-patient electronic health records in low resource setting. Computer meth-
ods and programs in biomedicine 164, 23–29 (2018)
159. Rajagopalan, S., Dhamodaran, B., Ramji, A., Francis, C., Venkatraman, S.,
Amirtharajan, R.: Confusion and diffusion on fpga—onchip solution for medi-
cal image security pp. 1–6 (2017)
160. Reni, G., Molteni, M., Arlotti, S., Pinciroli, F.: Chief medical officer actions on
information security in an italian rehabilitation centre. International journal of
medical informatics 73(3), 271–279 (2004)
161. del Rey, A.M., Pastora, J.H., anchez, G.R.: 3d medical data security protection.
Expert Systems with Applications 54, 379–386 (2016)
162. Richardson, J.E., Ancker, J.S.: Public Perspectives of Mobile Phones’ Effects on
Healthcare Quality and Medical Data Security and Privacy: A 2-Year Nationwide
Survey 2015, 1076 (2015)
163. Rocha, A., Martins, A., Junior, J.C.F., Boulos, M.N.K., Vicente, M.E., Feld, R.,
van de Ven, P., Nelson, J., Bourke, A., ´
OLaighin, G., et al.: Innovations in health
care services: The caalyx system. International journal of medical informatics
82(11), e307–e320 (2013)
164. Rodrigues, H.A.M., Antunes, L., Correia, M.E.: Proposal of a secure electronic
prescription system pp. 165–168 (2013)
165. Rodriguez-Colin, R., Claudia, F., d. J. Trinidad-Blas, G.:
Data hiding scheme for medical images pp. 32–32 (2007).
https://doi.org/10.1109/CONIELECOMP.2007.14
166. Safkhani, M., Rostampour, S., Bendavid, Y., Bagheri, N.: Iot in medical & phar-
maceutical: Designing lightweight rfid security protocols for ensuring supply chain
integrity. Computer Networks 181, 107558 (2020)
SOK: Evaluating Healthcare Privacy and Security 27
167. Sammoud, A., Chalouf, M.A., Hamdi, O., Montavont, N., Bouallegue, A.: A new
biometrics-based key establishment protocol in wban: Energy efficiency and se-
curity robustness analysis. Computers & Security 96, 101838 (2020)
168. Sartipi, K., Yarmand, M.H., Down, D.G.: Mined-knowledge and decision support
services in electronic health pp. 1–6 (2007)
169. Schmeelk, S.: Where is the risk? analysis of government reported patient medical
data breaches pp. 269–272 (2019)
170. Shaarani, I., Berjaoui, H., Daher, A., Khalil, M., Al Rifai, A.E.R., Saati, R.,
Antoun, J.: Attitudes of patients towards digital information retrieval by their
physician at point of care in an ambulatory setting. International journal of med-
ical informatics 130, 103936 (2019)
171. Shahbaz, S., Mahmood, A., Anwar, Z.: Soad: Securing oncology emr by anonymiz-
ing dicom images pp. 125–130 (2013). https://doi.org/10.1109/FIT.2013.30
172. Shakil, K.A., Zareen, F.J., Alam, M., Jabin, S.: Bamhealthcloud: A biometric
authentication and data management system for healthcare data in cloud. Journal
of King Saud University-Computer and Information Sciences 32(1), 57–64 (2020)
173. Shen, H., Ma, D., Zhao, Y., Sun, H., Sun, S., Ye, R., Huang, L., Lang, B., Sun,
Y.: Miaps: A web-based system for remotely accessing and presenting medical
images. Computer methods and programs in biomedicine 113(1), 266–283 (2014)
174. Shere, A.R., Nurse, J.R., Flechais, I.: “security should be there by default ”:
Investigating how journalists perceive and respond to risks from the internet of
things pp. 240–249 (2020)
175. Shi, W., Dustdar, S.: The promise of edge computing. Computer 49(5), 78–81
(2016)
176. Shrivastava, S., Srikanth, T., VS, D.: e-Governance for healthcare service delivery
in India: challenges and opportunities in security and privacy pp. 180–183 (2020)
177. Shrivastava, U., Song, J., Han, B.T., Dietzman, D.: Do data security measures,
privacy regulations, and communication standards impact the interoperability of
patient health information? a cross-country investigation. International Journal
of Medical Informatics p. 104401 (2021)
178. da Silva Etges, A.P.B., Grenon, V., Lu, M., Cardoso, R.B., de Souza, J.S., Neto,
F.J.K., Felix, E.A.: Development of an enterprise risk inventory for healthcare.
BMC health services research 18(1), 1–16 (2018)
179. Sim˜oes, A., Maia, M., Greg´orio, J., Couto, I., Asfeldt, A., Simonsen, G., ovoa, P.,
Viveiros, M., Lap˜ao, L.: Participatory implementation of an antibiotic stewardship
programme supported by an innovative surveillance and clinical decision-support
system. Journal of Hospital Infection 100(3), 257–264 (2018)
180. Simplicio, M.A., Iwaya, L.H., Barros, B.M., Carvalho, T.C., aslund, M.: Sec-
ourhealth: a delay-tolerant security framework for mobile health data collection.
IEEE journal of biomedical and health informatics 19(2), 761–772 (2014)
181. Sosu, R.N.A., Quist-Aphetsi, K., Nana, L.: A decentralized cryptographic
blockchain approach for health information system pp. 120–1204 (2019).
https://doi.org/10.1109/ICCMA.2019.00027
182. Soualmi, A., Alti, A., Laouamer, L.: A blind image watermark-
ing method for personal medical data security pp. 1–5 (2019).
https://doi.org/10.1109/ICNAS.2019.8807442
183. Sreeji, S., Shiji, S., Vysagh, M., Amma, T.A.: Security and privacy preserving deep
learning framework that protect healthcare data breaches. International Journal
of Research in Engineering, Science and Management 3(7), 148–152 (2020)
184. Stobert, E., Barrera, D., Homier, V., Kollek, D.: Understanding cybersecurity
practices in emergency departments pp. 1–8 (2020)
28 Tazi et al.
185. Stowell, E., Lyson, M.C., Saksono, H., Wurth, R.C., Jimison, H., Pavel, M.,
Parker, A.G.: Designing and evaluating mhealth interventions for vulnerable pop-
ulations: A systematic review pp. 1–17 (2018)
186. Sudha, G., Ganesan, R.: Secure transmission medical data for pervasive healthcare
system using android pp. 433–436 (2013)
187. Sutton, L.N.: PACS and diagnostic imaging service delivery—A UK perspective.
European journal of radiology 78(2), 243–249 (2011)
188. Tan, C.C., Wang, H., Zhong, S., Li, Q.: Body sensor network security: an identity-
based cryptography approach pp. 148–153 (2008)
189. Tan, C.C., Wang, H., Zhong, S., Li, Q.: Ibe-lite: A lightweight identity-based
cryptography for body sensor networks. IEEE Transactions on Information Tech-
nology in Biomedicine 13(6), 926–932 (2009)
190. Thamilarasu, G., Lakin, C.: A security framework for mobile health applications
pp. 221–226 (2017). https://doi.org/10.1109/FiCloudW.2017.96
191. Tian, Y., Shang, Y., Tong, D.Y., Chi, S.Q., Li, J., Kong, X.X., Ding, K.F., Li,
J.S.: Popcorn: a web service for individual prognosis prediction based on multi-
center clinical data collaboration without patient-level data sharing. Journal of
biomedical informatics 86, 1–14 (2018)
192. Tolba, A., Al-Makhadmeh, Z.: Predictive data analysis approach for securing med-
ical data in smart grid healthcare systems. Future Generation Computer Systems
117, 87–96 (2021)
193. Tyler, J.L.: The healthcare information technology context: a framework for view-
ing legal aspects of telemedicine and teleradiology pp. 1–10 (2001)
194. U.S. Department of Health & Human Services: Anthem pays OCR $16 Mil-
lion in record HIPAA settlement following largest health data breach in history
- October 15, 2018. https://www.hhs.gov/hipaa/for-professionals/compliance-
enforcement/agreements/anthem/index.html (Oct 2018)
195. Usman, M.A., Usman, M.R.: Using image steganography for
providing enhanced medical data security pp. 1–4 (2018).
https://doi.org/10.1109/CCNC.2018.8319263
196. Uy, R.C.Y., Kury, F.S., Fontelo, P.: Wireless networks, physician handhelds use,
and medical devices in us hospitals pp. 1–6 (2015)
197. Vallathan, G., Rajamani, V., Harinee, M.P.: Enhanced medical data se-
curity and perceptual quality for healthcare services pp. 1–6 (2020).
https://doi.org/10.1109/ICSCAN49426.2020.9262309
198. Vassis, D., Belsis, P., Skourlas, C.: Secure management of medical data in wireless
environments pp. 427–432 (2012)
199. eliz, C.: Not the doctor’s business: Privacy, personal responsibility and data
rights in medical settings. Bioethics 34(7), 712–718 (2020)
200. Vidya, M., Padmaja, K.: Enhancing security of electronic patient record using
watermarking technique. Materials Today: Proceedings 5(4), 10660–10664 (2018)
201. Vijayalakshmi, A.V., Arockiam, L.: Hybrid security techniques to protect sensitive
data in e-healthcare systems pp. 39–43 (2018)
202. Wagner, P.: Third party breaches-a survey of threats and recommendations. Avail-
able at SSRN 3782822 (2021)
203. Walker-Roberts, S., Hammoudeh, M., Dehghantanha, A.: A systematic review of
the availability and efficacy of countermeasures to internal threats in healthcare
critical infrastructure. IEEE Access 6, 25167–25177 (2018)
204. Wang, C.X.: Security issues to tele-medicine system design pp. 106–109 (1999)
205. Wang, D., Kale, S.D., O’Neill, J.: Please call the specialism: Using wechat to
support patient care in china pp. 1–13 (2020)
SOK: Evaluating Healthcare Privacy and Security 29
206. Wang, D., Huang, Q., Chen, X., Ji, L.: Location of three-dimensional movement
for a human using a wearable multi-node instrument implemented by wireless
body area networks. Computer Communications 153, 34–41 (2020)
207. Weaver, A.C., Dwyer, S.J., Snyder, A.M., Van Dyke, J., Hu, J., Chen, X., Mulhol-
land, T., Marshall, A.: Federated, secure trust networks for distributed healthcare
it services pp. 162–169 (2003). https://doi.org/10.1109/INDIN.2003.1300264
208. Yaghmai, V., Salehi, S.A., Kuppuswami, S., Berlin, J.W.: Rapid wireless trans-
mission of head ct images to a personal digital assistant for remote consultation1.
Academic radiology 11(11), 1291–1293 (2004)
209. Yang, W., Wang, S., Hu, J., Zheng, G., Chaudhry, J., Adi, E., Valli, C.: Se-
curing mobile healthcare data: a smart card based cancelable finger-vein bio-
cryptosystem. IEEE Access 6, 36939–36947 (2018)
210. Yang, Y., Xiao, X., Cai, X., Zhang, W.: A secure and high visual-quality frame-
work for medical images by contrast-enhancement reversible data hiding and ho-
momorphic encryption. IEEE Access 7, 96900–96911 (2019)
211. Yang, Y., Xiao, X., Cai, X., Zhang, W.: A secure and high visual-quality
framework for medical images by contrast-enhancement reversible data hid-
ing and homomorphic encryption. IEEE Access 7, 96900–96911 (2019).
https://doi.org/10.1109/ACCESS.2019.2929298
212. Yesmin, T., Carter, M.W.: Evaluation framework for automatic privacy auditing
tools for hospital data breach detections: A case study. International journal of
medical informatics 138, 104123 (2020)
213. Zatout, Y., Campo, E., Llibre, J.F.: Toward hybrid
wsn architectures for monitoring people at home pp.
308–314 (2009). https://doi.org/10.1145/1643823.1643880,
https://doi.org/10.1145/1643823.1643880
214. Zhang, B., Chen, S., Nichols, E., D’Souza, W., Prado, K., Yi, B.: A practical
cyberattack contingency plan for radiation oncology. Journal of applied clinical
medical physics 21(7), 181–186 (2020)
... However, the rapid development and adoption of such technology raise significant concerns about the privacy of personal health information [40]. Issues such as inadequate compliance with privacy policies [11], [34], [47], [49], and improper data handling highlight the need to assess the efficacy and compliance of app privacy policies to ensure adequate protection of older adults' health information [2], [24], [33], [48], yet remain understudied. To address this, we evaluated the privacy policies of 28 healthcare apps predominantly used by older adults by creating the Privacy Risk Assessment Framework (PRAF). ...
Preprint
Full-text available
The widespread adoption of telehealth systems has led to a significant increase in the use of healthcare apps among older adults, but this rapid growth has also heightened concerns about the privacy of their health information. While HIPAA in the US and GDPR in the EU establish essential privacy protections for health information, limited research exists on the effectiveness of healthcare app privacy policies, particularly those used predominantly by older adults. To address this, we evaluated 28 healthcare apps across multiple dimensions, including regulatory compliance, data handling practices, and privacy-focused usability. To do this, we created a Privacy Risk Assessment Framework (PRAF) and used it to evaluate the privacy risks associated with these healthcare apps designed for older adults. Our analysis revealed significant gaps in compliance with privacy standards to such, only 25% of apps explicitly state compliance with HIPAA, and only 18% mention GDPR. Surprisingly, 79% of these applications lack breach protocols, putting older adults at risk in the event of a data breach.
... However, the rapid development and adoption of such technology raise significant concerns about the privacy of personal health information [40]. Issues such as inadequate compliance with privacy policies [11], [34], [47], [49], and improper data handling highlight the need to assess the efficacy and compliance of app privacy policies to ensure adequate protection of older adults' health information [2], [24], [33], [48], yet remain understudied. To address this, we evaluated the privacy policies of 28 healthcare apps predominantly used by older adults by creating the Privacy Risk Assessment Framework (PRAF). ...
Conference Paper
The widespread adoption of telehealth systems has led to a significant increase in the use of healthcare apps among older adults, but this rapid growth has also heightened concerns about the privacy of their health information. While HIPAA in the US and GDPR in the EU establish essential privacy protections for health information, limited research exists on the effectiveness of healthcare app privacy policies, particularly those used predominantly by older adults. To address this, we evaluated 28 healthcare apps across multiple dimensions, including regulatory compliance, data handling practices, and privacy-focused usability. To do this, we created a Privacy Risk Assessment Framework (PRAF) and used it to evaluate the privacy risks associated with these healthcare apps designed for older adults. Our analysis revealed significant gaps in compliance with privacy standards to such, only 25% of apps explicitly state compliance with HIPAA, and only 18% mention GDPR. Surprisingly, 79% of these applications lack breach protocols, putting older adults at risk in the event of a data breach.
... Prashanth Rajivan, who studies how human behavior affects security and privacy, described how a literature survey shows that most research is focused on technology, not human factors. 7 In preliminary research interviewing healthcare professionals, Ph.D. student Faizi Tazi, whose primary research focus is enhancingprivacy and security protocols of telehealth ervices for private practices, found that Zoom has been a dominant telehealth platform, and participants perceive the need to internalize risk perception and awareness. ...
Article
Dek Multidisciplinary experts’ perspectives on how to strengthen protection of patients’ health information in telehealth designs and workflows.
... Medical professionals play critical roles in healthcare, yet research on their privacy and security perspectives is limited, particularly in private practice telehealth (Tazi et al., 2022). Audiology and speech-language pathology represent two important components of allied healthcare where telehealth has the potential to revolutionize service delivery. ...
Preprint
Full-text available
The COVID-19 pandemic has significantly transformed the healthcare sector, with telehealth services being among the most prominent changes. The adoption of telehealth services, however, has raised new challenges, particularly in the areas of security and privacy. To better comprehend the telehealth needs and concerns of medical professionals, particularly those in private practice, we conducted a study comprised of 20 semi-structured interviews with telehealth practitioners in audiology and speech therapy. Our findings indicate that private telehealth practitioners encounter difficult choices when it comes to balancing security, privacy, usability, and accessibility, particularly while caring for vulnerable populations. Additionally, the study revealed that practitioners face challenges in ensuring HIPAA compliance due to inadequate resources and a lack of technological comprehension. Policymakers and healthcare providers should take proactive measures to address these challenges, including offering resources and training to ensure HIPAA compliance and enhancing technology infrastructure to support secure and accessible telehealth.
... Medical professionals play critical roles in healthcare, yet research on their privacy and security perspectives is limited, particularly in private practice telehealth (Tazi et al., 2022). Audiology and speech-language pathology represent two important components of allied healthcare where telehealth has the potential to revolutionize service delivery. ...
Poster
The COVID-19 pandemic has significantly transformed the healthcare sector, with telehealth services being among the most prominent changes. The adoption of telehealth services, however, has raised new challenges, particularly in the areas of security and privacy. To better comprehend the telehealth needs and concerns of medical professionals, particularly those in private practice, we conducted a study comprised of 20 semi-structured interviews with telehealth practitioners in audiology and speech therapy. Our findings indicate that private telehealth practitioners encounter difficult choices when it comes to balancing security, privacy, usability, and accessibility, particularly while caring for vulnerable populations. Additionally, the study revealed that practitioners face challenges in ensuring HIPAA compliance due to inadequate resources and a lack of technological comprehension. Policymakers and healthcare providers should take proactive measures to address these challenges, including offering resources and training to ensure HIPAA compliance and enhancing technology infrastructure to support secure and accessible telehealth.
... As discussed earlier, we will conduct the literature review to understand state of the art in this space. Co-PI Das has already completed several SoKs in the field of privacy, and cybersecurity [2,3,6,16,17], and one of the works is on the literature review about privacy and security aspects of AR/VR first in the education space [13] and the other for authentication for this domain [1,10]. Therefore, we will follow the methodological structure used in the previous works to perform the literature review. ...
Conference Paper
Immersive art installations require active user participation and thus often capture private information from viewers/participants through cameras and sensors. We propose a new line of research to examine the security and privacy postures of immersive artworks and build privacy-preserving, secure, and accessible software for individuals working in media arts. In our pilot user study, we will interview practitioners in the field about their security and privacy practices and needs, then create a list of parameters. In the future, we plan to utilize these parameters to develop software in response to those needs and then host an art exhibition of immersive artworks utilizing the platform. We plan to utilize this workshop to further understand the interdisciplinary opportunities of this research.
... The exclusion criteria includes: (1) The technology discussed in the research work was not used primarily by people with disabilities, (2) The papers did not include a direct discussion of the privacy and security of users with disabilities for web services, (3) The paper was an abstract, poster, work-in-progress, or otherwise not a full paper, (4) The full-text of the papers were not available even after searching through multiple databases or after contacting the authors. Our methodology was adapted from prior works by Stowell et al. [48], Das et al. [49], Tazi et al. [50,51], Noah and Das [52], and Shrestha et al. [53,54]. ...
Preprint
Full-text available
The online privacy and security of the disabled community is a complex field that has implications for every user who navigates web services. While many disciplines have separately researched the disabled population and their online privacy and security concerns, the overlap between the two is very high but under-researched. Moreover, a complex relationship exists between the disabled population and web services where the interaction depends on several web service developmental factors, including usability and accessibility. To this aid, we explored this intersection of privacy and security of web services as perceived by the disabled community through previous studies by conducting a detailed systematic literature review and analysis of 63 articles. Our findings encompassed several topics, including how the disabled population navigates around authentication interfaces, online privacy concerns, universal design practices, and how security methods such as CAPTCHAs can be improved to become more accessible and usable for people of all needs and abilities. We further discuss the gap in the current research, including solutions such as the universal implementation of inclusive privacy and security tools and protocols.
... The exclusion criteria includes: (1) The technology discussed in the research work was not used primarily by people with disabilities, (2) The papers did not include a direct discussion of the privacy and security of users with disabilities for web services, (3) The paper was an abstract, poster, work-in-progress, or otherwise not a full paper, (4) The full-text of the papers were not available even after searching through multiple databases or after contacting the authors. Our methodology was adapted from prior works by Stowell et al. [48], Das et al. [49], Tazi et al. [50], [51], Noah and Das [52], and Shrestha et al. [53], [54]. ...
Conference Paper
The online privacy and security of the disabled community is a complex field that has implications for every user who navigates web services. While many disciplines have separately researched the disabled population and their online privacy and security concerns, the overlap between the two is very high but under-researched. Moreover, a complex relationship exists between the disabled population and web services where the interaction depends on several web service developmental factors, including usability and accessibility. To this aid, we explored this intersection of privacy and security of web services as perceived by the disabled community through previous studies by conducting a detailed systematic literature review and analysis of 63 articles. Our findings encompassed several topics, including how the disabled population navigates around authentication interfaces, online privacy concerns, universal design practices, and how security methods such as CAPTCHAs can be improved to become more accessible and usable for people of all needs and abilities. We further discuss the gap in the current research, including solutions such as the universal implementation of inclusive privacy and security tools and protocols.
Article
Moving operations to the cloud has become a way of life for many educational institutions. Much of the information these institutions store in the cloud is protected by Family Educational Rights and Privacy Act (FERPA), which was last amended in 2002, well before cloud computing became ubiquitous. The application of a 1974 law to 21st-century technology presents a plethora of legal and technical questions. In this article, we present an interdisciplinary analysis of these issues. We examine both existing statutes and case law and contemporary research into cloud security, focusing on the impact of the latter on the former. We find that FERPA excludes information that students and faculty often believe is protected and that lower-court decisions have created further ambiguity. We additionally find that given current technology, the statute is no longer sufficient to protect student data, and we present recommendations for revisions.
Article
Full-text available
Health related information of an individual is very sensitive and demands a high level of security and privacy. Healthcare providers have the responsibility to ensure that patient information is secure and accessible only to authorized users. Healthcare systems are using biometrics since long for authentication and/or access control purposes. Biometrics can also be used for healthcare data security and privacy. This paper proposes an iris based cancelable biometric cryptosystem to securely store the healthcare data of patients on the smart card. It employs symmetric key cryptography to encrypt the healthcare data and store it on the smart card in encrypted form. We use the fuzzy commitment scheme to bind the secret encryption key with the cancelable iris template of the patient. Our proposed scheme provides user authentication as well as the decryption of healthcare data when needed by using the iris template of the owner of the healthcare smart card. The implementation results show that our proposed scheme provides better performance as compared to other schemes. It can generate an encryption key of a maximum of 252 bits from the input iris template with a false acceptance rate (FAR) of 0 and a false rejection rate (FRR) of 0.07. The generated key can be used for encrypting the health care data of patients using a symmetric encryption algorithm, e.g. Advance Encryption Standard (AES), International Data Encryption Algorithm (IDEA), Blowfish, etc. As compared to a conventional encryption system where the security of the system depends on keeping the key secret, our proposed scheme binds the encryption key with the iris - template of the patient impeccably without the need to store it securely. The security analysis demonstrates that it is not possible for an attacker to retrieve the secret key or healthcare data of the patient from the stolen healthcare card.
Article
Full-text available
Background Diabetes mellitus (DM) is highly prevalent in the Middle East and North Africa (MENA) region. Mobile health (m-health) can improve communications between diabetic patients and medical teams, and this, in turn, may enhance engagement and self-management. Droobi is a multi-language mobile application designed to support self-management of patients with DM. Objective The study aimed to explore experiences of patients and educators about their communication before and after implementation of Droobi, a diabetes management app. Methods We interviewed a convenience sample consisting of 9 patients and 5 nurse educators. Before interviews, Droobi was downloaded to participants’ mobile phone, and their profile on the application was created. To ensure optimum usage experience, all participants received education on how to use Droobi. Participants used Droobi for 6 to 12 weeks. All interviews were audio recorded, transcribed by professionals, and thematically analyzed. Results Two main themes were generated from participants’ responses. The first theme relates to experiences of patients and educators about their communication before Droobi and consists of 3 sub-themes: (1) how patients communicated with medical team before Droobi (previous methods), (2) adoption of previous communication methods, and (3) shortcomings of previous communication methods. The second theme relates to experiences of patients and educators about their communication after Droobi and consists of 4 sub-themes: (1) adoption of Droobi, (2) advantages of Droobi, (3) shortcomings of Droobi, and (4) improvements suggested by educators and patients. Conclusions Our findings suggest that Droobi provided a more efficient and convenient way for communication between health workers and patients, yet multiple shortcomings and several suggestions for improvements were noted. Future work should continue evaluating the Droobi app, they should include a number of different stakeholders when developing the upcoming Droobi version taking into account the limitations and suggestions put forth by the end-users.
Article
Research is increasingly being conducted to identify the benefits provided by the latest developments in the AR/VR domain, which has seen an increase in interest as a result of the stay‐at‐home phenomena in 2020. Of particular interest is the application of AR/VR to education, a discipline that has seen a rapid shift to online modules in 2020. To better understand the advancements in AR/VR enabled education, we conducted a systematic literature review consisting of papers published in the year 2020 that focused on AR/VR in the education sector. We particularly focused on papers where studies have evaluated user perceptions in different countries, academic fields, and at varied educational levels. We found that while most papers conducted user studies and evaluated the technical applications of AR/VR, user perceptions, impact, and awareness were not explored in detail. Our findings highlight trends that can drive critically needed innovations through AR/VR especially to help a globalized digital evolution in the education sector. In the educational sector, AR/VR has undoubtedly brought about innovative changes, especially with the onset of 2020 and the sudden yet necessary shift to online education. Our research provided a systematic literature review of papers focused on AR/VR in the educational sector to identify trends. A detailed thematic analysis found out that most researches did not include knowledge retention post‐test, and there is an increasing number of AR/VR development on mobile which plays a role in its adoption due to its affordability. We also indicated gaps in the review papers, including a need for more in‐depth reporting of study characteristics.
Conference Paper
As virtual reality (VR) sees an increase in use in several domains such as retail, education, military; a secure authentication scheme for VR devices is necessary to keep users' personal information safe. A smaller section of research focuses on the authentication schemes of VR devices. To further the understanding of this topic, we conducted a detailed literature review of VR authentication by exploring papers published till October 2020. A total of N = 29 papers were found. While many papers evaluate the accuracy of authentication methods, few conduct detailed user studies. In the user studies done, we found a lack of focus on diverse populations such as the elderly, with the mean age of the participants being 25.11. Our findings from the literature review give a detailed overview of VR-based authentication schemes and highlight trends as well as current research gaps. These findings drive future research direction to create robust and usable authentication strategies.
Conference Paper
In the rapid growth of information technology(IT) the internet of things (IoT) devices, cloud services, and smart devices play a major role in the healthcare sector and they have led a digital transformation in the présent healthcare services. Digital healthcare services have paved the way for easier and more accessible treatments, and making humans lives far more comfortable. However, in the present healthcare sector, two major focuses must be addressed. They are data security and data ownership. Currently, the number of data breaches compromising confidential healthcare data is on the rise. Recently large no of patients are impacted by data breaches. Moreover, the average cost of healthcare data breaches is going high. As a solution for this, authors suggest a well-secured data transformation and storing method that is able to minimize this issue. In this research authors propose a Blockchain and Graph theory-based system to manage digital healthcare services. Since blockchains are secured because of its transparency in the proposed solution blockchain technology is used to share the data. Moreover, the health care sector is one of the massive big data generating fields. Therefore to make the processes efficient and secure the data, the authors propose a graph-related data storing method. The main objective of this research is to secure health care data and minimize data breaches in both data sharing and data storing components.
Article
Nowadays, Internet of Things (IoT)-based E-healthcare represents an emergent research field due to the fast development of wireless technologies and cloud computing. Radio Frequency Identification (RFID) is an integral technology in IoT thanks to its low cost and autonomous data collection and transfer. These features made it useful in Wireless Body Area Network (WBAN) for healthcare applications. However, data security and patient privacy remain major challenges in WBANs. In this context, many authentication protocols have been designed trying to satisfy both security and implementation requirements. Most recently, Naeem et al. have proposed an RFID authentication scheme for IoT which is claimed to be secure and provides scalability. Unfortunately, we have found that their protocol does not provide authentication and anonymity and it is vulnerable to numerous attacks. To overcome these security issues, we propose, in this paper, an efficient extended and improved IoT-based RFID authentication scheme for WBANs. Our proposed protocol could resist to various attacks and ensure mutual authentication from the tag to the medical server, in addition to patients data security. For this, elliptic curve cryptography (ECC) encryption mechanism and elliptic curve digital signature with message recovery (ECDSMR) have been adopted. Formal and informal analysis have proved that our proposed protocol succeeded to provide many security features and offer reliable data security with a considerably small computational and storage cost compared to existing schemes.
Article
Multi-agent systems enable the division of complicated tasks into individual objects that can cooperate. Such architecture can be useful in building solutions in the Internet of Medical Things (IoMT). In this paper, we propose an architecture of such a system that ensures the security of private data, as well as allows the addition and/or modification of the used classification methods. The main advantages of the proposed system are based on the implementation of blockchain technology elements and threaded federated learning. The individual elements are located on the agents who exchange information. Additionally, we propose building an agent with a consortium mechanism for classification results from many machine learning solutions. This proposal offers a new model of agents that can be implemented as a system for processing medical data in real-time. Our proposition was described and tested to present advantages over other, existing state-of-the-art methods. We show, that this proposition can improve the Internet of Medical Thing solutions by presenting a new idea of a multi-agent system that can separate different tasks like security, or classification and as a result minimize operation time and increase accuracy.
Article
Background The lack of interoperability is one of the biggest obstacles to the complete digitalization of patient health information in electronic medical records (EMR). The high volume of data breaches has put pressure on care providers to adopt data protection measures to remain compliant with legal requirements. Extreme data protection measures can impede information flow, but they also instill confidence in secure information sharing. This study investigates how the adoption of security measures, privacy regulations, and communication standards has impacted patient health information interoperability at technical (TI), semantic (SI), and organizational (OI) levels within the hospitals. Methods The study utilizes a quasi-experimental research design to probe the relationships of interest. Secondary data from a survey of randomly selected 773 hospitals conducted by the European Commission in over 30 countries in Europe is used to understand the relationships. The study counters selection bias and accounts for systematic differences in adopting treatments of interest in the hospitals using the propensity score-based approaches for the observational data. Results The empirical models that account for selection bias explain more observational data variations than those that did not. Access control measures on workstations are linked to 44% lesser odds of experiencing TI problems. However, hospitals with regional and organizational level privacy regulations have 85% and 76% higher odds of experiencing SI and OI problems, respectively. On the other hand, hospitals with a single hospital-wide EMR are 53% and 43% less likely to experience TI and SI problems, respectively, in comparison to those with multiple EMR systems. Conclusion The study highlights the differential impacts of data protection measures on the hospitals' three key types of interoperability problems (i.e., TI, SI, and OI). Homogenous EMR systems type and substantial investment in technology are critical to supporting health information interoperability within the hospitals. The study findings inform policy considerations for improving specific aspects of health information's interoperability while preserving patient data privacy and security.