ABSTRACT
Health care institutions gather and store sensitive information from patients with the goal of providing the best care. A patient's medical history is essential to reaching the right diagnosis and helps the clinical staff act in the shortest time possible. This information is highly sensitive and must remain private, accessible only to the staff responsible for the patient. At the same time, medical records should be accessible to any health care institution so that a patient can be attended anywhere. To guarantee data availability, health care institutions rely on data repositories accessible through the internet. This exposes the data to a threat, since patient records can be accessed by unauthorized personnel. Managing access to the data with standard access control mechanisms is also extremely difficult, because of the vast number of users, groups and patients and the constant adjustment of privileges required to maintain confidentiality.
This paper proposes a solution to the difficulty of managing user access control over a complex universe of user data and guaranteeing confidentiality while using cloud computing services to store medical records.
Securing Electronic Health Records in the Cloud