
Operationalization of Privacy and Security Requirements for eHealth IoT Applications in the Context of GDPR and CSL

  • Conference paper
Privacy Technologies and Policy (APF 2020)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12121)


Abstract

The Fourth Industrial Revolution imposes a number of unprecedented societal challenges, and these are increasingly being addressed through regulation. This, in turn, places the burden of adopting and implementing the different concepts and principles (such as privacy-by-design) on practitioners. However, these concepts and principles are formulated by legal experts in a way that does not allow their direct usage by software engineers and developers, and the practical implications are thus not always obvious or clear-cut. Furthermore, many complementary regulatory frameworks exist with which compliance should, in some cases, be reached simultaneously.

In this paper, we address this generic problem by transforming the legal requirements imposed by the EU’s General Data Protection Regulation (GDPR) and China’s Cybersecurity Law (CSL) into technical requirements for an exemplar case study of a generic eHealth IoT system. The derived requirements result from an interdisciplinary collaboration between technical and legal experts and are representative of the types of trade-off decisions made in such a compliance process. By means of this exemplar case study, we propose a set of generic requirement-driven elements that can be applied to similar IoT-based architectures and thereby reduce the role of supervision from a legal point of view in the development of such architectures.

O. Tomashchuk and Y. Li—The authors contributed equally.


Notes

  1. Five systems constitute the Cybersecurity Law: (1) Cybersecurity Multi-Level Protection Scheme – specific security measures need to be met according to the level of the activities that would affect the public, scaled from 1 (the least risky) to 5 (the most risky); (2) Critical Information Infrastructure Security Protection System (Chapter 3); (3) Personal Information and Important Data Protection System (Chapter 4), which focuses on the scope of personal information protection and the corresponding protection standard; (4) Network Products and Services Management – network products that are used in critical information infrastructure (see number 3) are required to go through a cybersecurity assessment; and (5) Cybersecurity Incident Management System – guidelines and measures are provided to be activated in response to cybersecurity incidents.

  2. All the appendices can be found online: http://bit.ly/39bGd8I.

  3. Within China, national standards play an important role in implementing higher-level laws and legislation. They are better understood as a form of quasi-regulation rather than as the technical specifications or voluntary frameworks typically presented in a Western context. Although they are not legally binding, the competent authorities often refer to them when conducting assessments and approvals. In practice, the bundle of standards under the umbrella of the CSL will function as a form of regulation, where auditing and certification of the entities will be conducted based on the criteria. To date, over 240 national standards related to the field have been issued since 2010.


Acknowledgements

This research is funded by Philips Research, Research Fund KU Leuven, and the HEART project (www.heart-itn.eu). This project has received funding from the European Union’s Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie grant agreement No 766139. This publication reflects only the authors’ view and the REA is not responsible for any use that may be made of the information it contains.


Corresponding author

Correspondence to Oleksandr Tomashchuk.


Copyright information

© 2020 Springer Nature Switzerland AG

About this paper


Cite this paper

Tomashchuk, O., Li, Y., Van Landuyt, D., Joosen, W. (2020). Operationalization of Privacy and Security Requirements for eHealth IoT Applications in the Context of GDPR and CSL. In: Antunes, L., Naldi, M., Italiano, G., Rannenberg, K., Drogkaris, P. (eds) Privacy Technologies and Policy. APF 2020. Lecture Notes in Computer Science, vol 12121. Springer, Cham. https://doi.org/10.1007/978-3-030-55196-4_9


  • DOI: https://doi.org/10.1007/978-3-030-55196-4_9


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-55195-7

  • Online ISBN: 978-3-030-55196-4

  • eBook Packages: Computer Science, Computer Science (R0)
