Patient-centered health information technology services (PHS) provide personalized electronic health services to patients. Since provision of PHS entails handling sensitive medical information, a special focus on information security and privacy aspects is required. We present information security and privacy requirements for PHS and examine how security features of large-scale, inter-organizational health information technology networks, like the German health information technology infrastructure (HTI), can be used for ensuring information security and privacy of PHS. Moreover, we illustrate additional security measures that complement the HTI security measures and introduce a guideline for provision of PHS while ensuring information security and privacy. Our elaborations lead to the conclusion that security features of health information technology networks can be used to create a solid foundation for protecting information security and privacy in patient-centered health information technology services offered in public networks like the Internet.
This is a preview of subscription content, access via your institution.
Buy single article
Instant access to the full article PDF.
Tax calculation will be finalised during checkout.
Subscribe to journal
Immediate online access to all issues from 2019. Subscription will auto renew annually.
Tax calculation will be finalised during checkout.
Abraham, C., Nishihara, E., & Akiyama, M. (2011). Transforming healthcare with information technology in Japan: a review of policy, people, and progress. International Journal of Medical Informatics, 80(3), 157–170.
Ahern, D. K., Woods, S. S., Lightowler, M. C., Finley, S. W., & Houston, T. K. (2011). Promise of and potential for patient-facing technologies to enable meaningful use. American Journal of Preventive Medicine, 40(5 Suppl 2), 162–172. doi:10.1016/j.amepre.2011.01.005.
Appari, A., & Johnson, M. E. (2010). Information security and privacy in healthcare: current state of research. International Journal of Internet and Enterprise Management, 6(4), 279–314. doi:10.1504/IJIEM.2010.035624.
Appelbaum, P. S. (2002). Privacy in psychiatric treatment: threats and responses. The American Journal of Psychiatry, 159(11), 1809–1818.
Barrows, R. C., & Clayton, P. D. (1996). Privacy, confidentiality, and electronic medical records. Journal of the American Medical Informatics Associations, 3(2), 139–148.
Bélanger, F., & Crossler, R. E. (2011). Privacy in the digital age: a review of information privacy research in information systems. MIS Quarterly, 35(4), 1017–A36.
Blechman, E. A., Raich, P., Raghupathi, W., & Blass, S. (2012). Strategic value of an unbound, interoperable PHR platform for rights-managed care coordination. Communications of the Association for Information Systems, 30(1). Article 6.
Calvillo, J., Román, I., & Roa, L. M. (2013). Empowering citizens with access control mechanisms to their personal health resources. International Journal of Medical Informatics, 82(1), 58–72. doi:10.1016/j.ijmedinf.2012.02.006.
Carrión, I., Aleman, J. L. F., & Toval, A. (2012). Personal health records: new means to safely handle health data? Computer, 45(11), 27–33. doi:10.1109/MC.2012.285.
Chan, A. T. S., Cao, J., Chan, H., & Young, G. (2001). A web-enabled framework for smart card applications in health services. Communications of the ACM, 44(9), 76–82. doi:10.1145/383694.383710.
D’ Heureuse, N., Huici, F., Arumaithurai, M., Ahmed, M., Papagiannaki, K., & Niccolini, S. (2012). What’s App?: a wide-scale measurement study of smart phone markets. SIGMOBILE Mobile Computing and Communications Review, 16(2), 16–27. doi:10.1145/2396756.2396759.
Dehling, T., & Sunyaev, A. (2012a). Architecture and design of a patient-friendly eHealth web application: patient information leaflets and supplementary services. Proceedings of the 18th Americas Conference on Information Systems (paper 5). Seattle, WA: AIS.
Dehling, T., & Sunyaev, A. (2012b). Information security of patient-centred services utilising the German nationwide health information technology infrastructure. Proceedings of the 3rd USENIX Workshop on Health Security and Privacy (paper 6–6). Bellevue, WA: USENIX.
Dehling, T., & Sunyaev, A. (2013). Improved medication compliance through health IT: design and mixed methods evaluation of the ePill application. Proceedings of the 34th International Conference on Information Systems (paper 6). Milan: AIS.
Dehling, T., & Sunyaev, A. (2014). Information security and privacy of patient-centered health IT services: What needs to be done? Proceedings of the 47th Hawaii International Conference on System Sciences. Big Island, HI: IEEE.
Delgado, M. (2011). The evolution of health care IT: are current U.S. privacy policies ready for the clouds? 2011 IEEE. World Congress on Services (pp. 371–378). Washington, DC.
Dünnebeil, S., Köbler, F., Koene, P., Leimeister, J. M., & Krcmar, H. (2011). Encrypted NFC emergency tags based on the German telematics infrastructure. Proceedings of the 2011 Third International Workshop on Near Field Communication (pp. 50–55). Hagenberg: IEEE.
Ekonomou, E., Fan, L., Buchanan, W., & Thüemmler, C. (2011). An integrated cloud-based healthcare infrastructure. Proceedings of the 3rd IEEE International Conference on Cloud Computing Technology and Science (pp. 532–536). Athens: IEEE.
Fan, L., Buchanan, W., Thümmler, C., Lo, O., Khedim, A., Uthmani, O., Lawson, A., et al. (2011). DACAR platform for eHealth services cloud. Proceedings of the 2011 IEEE. 4th International Conference on Cloud Computing (pp. 219–226). Washington, DC: IEEE.
Forkner-Dunn, J. (2003). Internet-based patient self-care: the next generation of health care delivery. Journal of Medical Internet Research, 5(2), e8.
Garber, L. (2012). The challenges of securing the virtualized environment. Computer, 45(1), 17–20.
Gritzalis, D. A. (1998). Enhancing security and improving interoperability in healthcare information systems. Informatics for Health and Social Care, 23(4), 309–323. doi:10.3109/14639239809025367.
Istepanian, R. S. H., Jovanov, E., & Zhang, Y. T. (2004). Guest editorial introduction to the special section on M-Health: beyond seamless mobility and global wireless health-care connectivity. IEEE Transactions on Information Technology in Biomedicine, 8(4), 405–414.
Johnson, M. E. (2009). Data hemorrhages in the health-care sector. In R. Dingledine & P. Golle (Eds.), Financial cryptography and data security, LNCS 5628 (pp. 71–89). Berlin: Springer-Verlag.
Kaletsch, A., & Sunyaev, A. (2011). Privacy engineering: personal health records in cloud computing environments. Proceedings of the 32nd International Conference on Information Systems (paper 2). Shanghai: AIS.
Kotz, D. (2011). A threat taxonomy for mHealth privacy. Proceedings of the Third International Conference on Communication Systems and Networks (pp. 1–6). Bangalore: IEEE.
Landry, J. P., Pardue, J. H., Johnsten, T., Campbell, M., & Patidar, P. (2011). A threat tree for health information security and privacy. In V. Sambamurthy & M. Tanniru (Eds.), Proceedings of the 17th Americas Conference on Information Systems. Detroit: AIS.
Lansing, J., Schneider, S., & Sunyaev, A. (2013). Cloud service certifications: measuring consumers’ preferences for assurances. Proceedings of the 27th European Conference on Information Systems (paper 181). Utrecht, Netherlands.
Lunshof, J. E., Chadwick, R., Vorhaus, D. B., & Church, G. M. (2008). From genetic privacy to open consent. Nature Reviews Genetics, 9(5), 406–411.
Mandl, K. D., Mandel, J. C., Murphy, S. N., Bernstam, E. V., Ramoni, R. L., Kreda, D. A., McCoy, J. M., et al. (2012). The SMART platform: early experience enabling substitutable applications for electronic health records. Journal of the American Medical Informatics Association, 19(4), 597–603.
Mell, P., & Grance, T. (2011). The NIST definition of cloud computing. Retrieved August 22, 2012, from csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf.
Nuseibeh, B., & Easterbrook, S. (2000). Requirements engineering: a roadmap. Proceedings of the Conference on The Future of Software Engineering (pp. 35–46). New York, NY: ACM. doi:10.1145/336512.336523.
Ozdemir, Z., Barron, J., & Bandyopadhyay, S. (2011). An analysis of the adoption of digital health records under switching costs. Information Systems Research, 22(3), 491–503.
Pagliari, C. (2007). Design and evaluation in eHealth: challenges and implications for an interdisciplinary field. Journal of Medical Internet Research, 9(2), e15. doi:10.2196/jmir.9.2.e15.
Pyper, C., Amery, J., Watson, M., & Crook, C. (2004). Access to electronic health records in primary care - a survey of patients’ views. Medical Science Monitor, 10(11), SR17–SR22.
Raymond, E. S. (2003). The art of UNIX programming (1st ed.). Boston: Addison-Wesley.
Rindfleisch, T. C. (1997). Privacy, information technology, and health care. Communications of the ACM, 40(8), 92–100.
Rohm, A. J., & Milne, G. R. (2004). Just what the doctor ordered: the role of information sensitivity and trust in reducing medical information privacy concern. Managing the Future of Health Care Delivery, 57(9), 1000–1011. doi:10.1016/S0148-2963(02)00345-4.
Rothstein, M. A., & Talbott, M. K. (2007). Compelled authorizations for disclosure of health records: magnitude and implications. The American Journal of Bioethics, 7(3), 38–45. doi:10.1080/15265160601171887.
Shahri, A. B., & Ismail, Z. (2012). A tree model for identification of threats as the first stage of risk assessment in HIS. Journal of Information Security, 3(2), 169–176.
Shea, S. (1994). Security versus access: trade-offs are only part of the story. Journal of the American Medical Informatics Association, 1(4), 314–315.
Simon, S. R., Evans, J. S., Benjamin, A., Delano, D., & Bates, D. W. (2009). Patients’ attitudes toward electronic health information exchange: qualitative study. Journal of Medical Internet Research, 11(9), e30.
Slamanig, D., & Stingl, C. (2008). Privacy aspects of eHealth. Proceedings of the 2008 Third International Conference on Availability, Reliability and Security (pp. 1226–1233). Washington, DC: IEEE. doi:10.1109/ARES.2008.115.
Song, D., Shi, E., & Fischer, I. (2012). Cloud data protection for the masses. Computer, 45(1), 39–45.
Subashini, S., & Kavitha, V. (2011). A survey on security issues in service delivery models of cloud computing. Journal of Network and Computer Applications, 34(1), 1–11. doi:10.1016/j.jnca.2010.07.006.
Sunyaev, A., & Chornyi, D. (2012). Supporting chronic disease care quality: design and implementation of a health service and its integration with electronic health records. ACM Journal of Data and Information Quality, 3(2), 3:1–3:21.
Sunyaev, A., & Schneider, S. (2013). Cloud services certification. Communications of the ACM, 56(2), 33–36. doi:10.1145/2408776.2408789.
Sunyaev, A., Chornyi, D., Mauro, C., & Krcmar, H. (2010). Evaluation framework for personal health records: Microsoft health vault vs. Google health. Proceedings of the Hawaii International Conference on System Sciences. Kauai, HI: IEEE.
Sunyaev, A., Leimeister, J. M., & Krcmar, H. (2010). Open security issues in German healthcare telematics. Proceedings of the 3rd International Conference on Health Informatics (pp. 187–194). Valencia, Spain.
Tuffs, A. (2010). Germany puts universal health e-card on hold. British Medical Journal, 340(1), c171.
van der Linden, H., Kalra, D., Hasman, A., & Talmon, J. (2009). Inter-organizational future proof EHR systems: a review of the security and privacy related issues. International Journal of Medical Informatics, 78(3), 141–160. doi:10.1016/j.ijmedinf.2008.06.013.
Wainer, J., Campos, C. J. R., Salinas, M. D. U., & Sigulem, D. (2008). Security requirements for a lifelong electronic health record system: an opinion. Open Medical Informatics Journal, 2, 160–165.
Wilson, E. V. (2009). In E. V. Wilson (Ed.), Patient-centered E-health. Hershey, PA: IGI Publications.
Yau, S. S., & An, H. G. (2011). Software engineering meets services and cloud computing. Computer, 44(10), 47–53.
Zhang, R., & Liu, L. (2010). Security models and requirements for healthcare application clouds. Proceedings of the 2010 IEEE. 3rd International Conference on Cloud Computing (pp. 268–275). Miami, FL: IEEE.
Zhang, L., Gupta, D., & Mohapatra, P. (2012). How expensive are free Smartphone Apps? SIGMOBILE Mobile Computing and Communications Review, 16(3), 21–32. doi:10.1145/2412096.2412100.
Responsible Editors: Sven Wohlgemuth and A Min Tjoa
About this article
Cite this article
Dehling, T., Sunyaev, A. Secure provision of patient-centered health information technology services in public networks—leveraging security and privacy features provided by the German nationwide health information technology infrastructure. Electron Markets 24, 89–99 (2014). https://doi.org/10.1007/s12525-013-0150-6
- Health information technology