A Case Study on Data Protection for a Cloud- and AI-Based Homecare Medical Device

Transactions on Petri Nets and Other Models of Concurrency XVII

Part of the book series: Lecture Notes in Computer Science (TOPNOC, volume 14150)

Abstract

To improve the treatment of many diseases, continuous monitoring of the patient at home with the ability of doctors to interact with individual cases demands an increasing number of medical devices connected to the cloud. To support the doctor’s duties, such devices may benefit from AI-based diagnosis routines. In order for such devices to be approved and placed on the market, they need to comply with various legal, regulatory, economic, and social requirements. An integral part of these requirements is the protection of the patients’ data.

In this paper, based on a current use case, we describe a workflow on how to identify risks and address their mitigations. To this end, we recall the relevant legal, regulatory, economic, and social data protection requirements. We pursue our findings on a Homecare OCT device that is intended to be used by elderly patients on a daily basis, by taking images of their eyes and sending them for further analysis to a cloud- and AI-based system. The patient’s ophthalmologist gets notified for further dedicated treatment depending on the result. We then compare the Homecare OCT device with a clinical OCT System in regard to various risks to patient data which arise when a medical system is used outside of a secure hospital environment.

To perform the risk management, we (i) describe the architecture of both systems, (ii) analyze their data flow, (iii) discuss several vectors of attack, (iv) propose ways to mitigate the risks, and (v) discuss the handling of potential data breaches.

This work has been conducted in the project “ICT programme” which was supported by the European Union through the European Social Fund.

Correspondence to Olga Vovk.

Copyright information

© 2024 The Author(s), under exclusive license to Springer-Verlag GmbH, DE, part of Springer Nature

Cite this chapter

Bende, P., Vovk, O., Caraveo, D., Pechmann, L., Leucker, M. (2024). A Case Study on Data Protection for a Cloud- and AI-Based Homecare Medical Device. In: Koutny, M., Bergenthum, R., Ciardo, G. (eds) Transactions on Petri Nets and Other Models of Concurrency XVII. Lecture Notes in Computer Science, vol 14150. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-68191-6_6

  • DOI: https://doi.org/10.1007/978-3-662-68191-6_6

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-68190-9

  • Online ISBN: 978-3-662-68191-6

  • eBook Packages: Computer Science (R0)
