Secure provision of patient-centered health information technology services in public networks—leveraging security and privacy features provided by the German nationwide health information technology infrastructure

Abstract

Patient-centered health information technology services (PHS) provide personalized electronic health services to patients. Since provision of PHS entails handling sensitive medical information, a special focus on information security and privacy aspects is required. We present information security and privacy requirements for PHS and examine how security features of large-scale, inter-organizational health information technology networks, like the German health information technology infrastructure (HTI), can be used for ensuring information security and privacy of PHS. Moreover, we illustrate additional security measures that complement the HTI security measures and introduce a guideline for provision of PHS while ensuring information security and privacy. Our elaborations lead to the conclusion that security features of health information technology networks can be used to create a solid foundation for protecting information security and privacy in patient-centered health information technology services offered in public networks like the Internet.

Author information

Correspondence to Ali Sunyaev.

Additional information

Responsible Editors: Sven Wohlgemuth and A Min Tjoa

About this article

Cite this article

Dehling, T., Sunyaev, A. Secure provision of patient-centered health information technology services in public networks—leveraging security and privacy features provided by the German nationwide health information technology infrastructure. Electron Markets 24, 89–99 (2014). https://doi.org/10.1007/s12525-013-0150-6

Keywords

  • Health information technology
  • Security
  • Privacy
  • Patient-centered
  • eHealth
  • Infrastructure

JEL classification

  • L86