research-article

Security and Privacy Requirements for Electronic Consent: A Systematic Literature Review

Authors:

Wouter JoosenAuthors Info & Claims

ACM Transactions on Computing for Healthcare , Volume 2, Issue 2

Article No.: 16, Pages 1 - 24

https://doi.org/10.1145/3433995

Published: 22 March 2021 Publication History

Abstract

Electronic consent (e-consent) has the potential to solve many paper-based consent approaches. Existing approaches, however, face challenges regarding privacy and security. This literature review aims to provide an overview of privacy and security challenges and requirements proposed by papers discussing e-consent implementations, as well as the manner in which state-of-the-art solutions address them. We conducted a systematic literature search using ACM Digital Library, IEEE Xplore, and PubMed Central. We included papers providing comprehensive discussions of one or more technical aspects of e-consent systems. Thirty-one papers met our inclusion criteria. Two distinct topics were identified, the first being discussions of e-consent representations and the second being implementations of e-consent in data sharing systems. The main challenge for e-consent representations is gathering the requirements for a “valid” consent. For the implementation papers, many provided some requirements but none provided a comprehensive overview. Blockchain is identified as a solution to transparency and trust issues in traditional client-server systems, but several challenges hinder it from being applied in practice. E-consent has the potential to grant data subjects control over their data. However, there is no agreed-upon set of security and privacy requirements that must be addressed by an e-consent platform. Therefore, security- and privacy-by-design techniques should be an essential part of the development lifecycle for such a platform.

References

[1]

Intersoft Consulting. n.d. General Data Protection Regulation GDPR—Official Legal Text. Retrieved February 1, 2021 from https://gdpr-info.eu/.

[2]

Andrea Akkad, Clare Jackson, Sara Kenyon, Mary Dixon-Woods, Nick Taub, and Marwan Habiba. 2006. Patients’ perceptions of written consent: Questionnaire study. BMJ 333, 7567 (Sept. 2006), 528.

[3]

Amanda Anderberg, Elena Andonova, Mario Bellia, Ludovic Calès, Andreia Inamorato Dos Santos, Ioannis Kounelis, Igor Nai Fovino, et al. 2019. Blockchain Now and Tomorrow. Publications Office of the European Union, Luxembourg.

[4]

Rekha Bhatia and Manpreet Singh. 2014. Formal specification of a privacy aware access control framework in web services paradigm using z notation. In Proceedings of the 2014 International Conference on Information and Communication Technology for Competitive Strategies (ICTCS ’14). ACM, New York, NY, 1--5.

Digital Library

[5]

Antje Brandner, Bjorn Schreiweis, Lakshmi S. Aguduri, Tobias Bronsch, Aline Kunz, Peter Pensold, Katharina E. Stein, et al. 2016. The patient portal of the personal cross-enterprise electronic health record (PEHR) in the Rhine-Neckar-Region. Studies in Health Technology and Informatics 228 (2016), 157--161.

[6]

Achim D. Brucker, Lukas Brügger, Paul Kearney, and Burkhart Wolff. 2011. An approach to modular and testable security models of real-world health-care applications. In Proceedings of the 16th ACM Symposium on Access Control Models and Technologies (SACMAT’11). ACM, New York, NY, 133--142. Innsbruck, Austria.

Digital Library

[7]

Isabelle Budin-Ljosne, Harriet J. A. Teare, Jane Kaye, Stephan Beck, Heidi Beate Bentzen, Luciana Caenazzo, Clive Collett, et al. 2017. Dynamic consent: A potential solution to some of the challenges of modern biomedical research. BMC Medical Ethics 18, 1 (Jan. 2017), 4.

[8]

Ozgu Can. 2013. A semantic model for personal consent management. In Metadata and Semantics Research. Communications in Computer and Information Science, Vol. 390. Springer, 146--151.

[9]

Stevan Coroller, Sophie Chabridon, Maryline Laurent, Denis Conan, and Jean Leneutre. 2018. Position paper: Towards end-to-end privacy for publish/subscribe architectures in the Internet of Things. In Proceedings of the 5th Workshop on Middleware and Applications for the Internet of Things (M4IoT’18). ACM, New York, NY, 35--40.

[10]

Maryam Davari and Elisa Bertino. 2019. Access control model extensions to support data privacy protection based on GDPR. In Proceedings of the 2019 IEEE International Conference on Big Data (Big Data’19). 4017--4024.

[11]

R. H. Dolin, L. Alschuler, C. Beebe, P. V. Biron, S. L. Boyer, D. Essin, E. Kimber, T. Lincoln, and J. E. Mattison. 2001. The HL7 clinical document architecture. Journal of the American Medical Informatics Association 8, 6 (Dec. 2001), 552--569.

[12]

e-Estonia. 2018. Blockchain and Healthcare: The Estonian Experience. Retrieved February 1, 2021 from https://e-estonia.com/blockchain-healthcare-estonian-experience/.

[13]

Matthew E. Falagas, Ioanna P. Korbila, Konstantina P. Giannopoulou, Barbara K. Kondilis, and George Peppas. 2009. Informed consent: How much and what do patients understand? American Journal of Surgery 198, 3 (Sept. 2009), 420--435.

[14]

Anders T. Gjerdrum, Håvard D. Johansen, and Dag Johansen. 2016. Implementing informed consent as information-flow policies for secure analytics on ehealth data: Principles and practices. In Proceedings of the 2016 IEEE 1st International Conference on Connected Health: Applications, Systems, and Engineering Technologies (CHASE’16). 107--112.

[15]

Christine Grady, Steven R. Cummings, Michael C. Rowbotham, Michael V. McConnell, Euan A. Ashley, and Gagandeep Kang. 2017. Informed consent. New England Journal of Medicine 376, 9 (2017), 856--867.

[16]

D. Grunwell and T. Sahama. 2015. Information accountability and Health Big Data Analytics: A consent-based model. In Proceedings of the 2015 17th International Conference on E-health Networking, Application, and Services (HealthCom’15). 195--199.

[17]

Birger Haarbrandt, Bjorn Schreiweis, Sabine Rey, Ulrich Sax, Simone Scheithauer, Otto Rienhoff, Petra Knaup-Gregori, et al. 2018. HiGHmed—An open platform approach to enhance care and research across institutional boundaries. Methods of Information in Medicine 57, Suppl. 01 (July 2018), e66--e81.

[18]

Bente Hamnes, Yvonne van Eijk-Hustings, and Jette Primdahl. 2016. Readability of patient information and consent documents in rheumatological studies. BMC Medical Ethics 17, 1 (2016), 42.

[19]

Thomas Hardjono. 2019. Federated authorization over access to personal data for decentralized identity management. IEEE Communications Standards Magazine 3, 4 (Dec. 2019), 32--38.

[20]

Yuichi Hashi, Kazuyoshi Matsumoto, Yoshinori Seki, Masahiro Hiji, Toru Abe, and Takuo Suganuma. 2015. Data management scheme to enable efficient analysis of sensing data for smart community. In Proceedings of the 2015 IEEE 39th Annual Computer Software and Applications Conference, Vol. 3. 182--187.

[21]

Yuichi Hashi, Kazuyoshi Matsumoto, Yoshinori Seki, Masahiro Hiji, Toru Abe, and Takuo Suganuma. 2015. Design and implementation of data management scheme to enable efficient analysis of sensing data. In Proceedings of the 2015 IEEE International Conference on Autonomic Computing. 319--324.

Digital Library

[22]

Signant Health. 2020. State of eConsent Report 2020. Retrieved February 1, 2021 from https://discover.signanthealth.com/2020-eConsent-Survey.html.

[23]

Oliver Heinze, Markus Birkle, Lennart Köster, and Björn Bergh. 2011. Architecture of a consent management suite and integration into IHE-based regional health information networks. BMC Medical Informatics and Decision Making 11, 1 (Oct. 2011), 58.

[24]

Duncan Hull, Steve R. Pettifer, and Douglas B. Kell. 2008. Defrosting the digital library: Bibliographic tools for the next generation web. PLoS Computational Biology 4, 10 (Oct. 2008), e1000204.

[25]

N. Huynh, M. Frappier, H. Pooda, A. Mammar, and R. Laleau. 2016. SGAC: A patient-centered access control method. In Proceedings of the 2016 IEEE 10th International Conference on Research Challenges in Information Science (RCIS’16). 1--12.

[26]

N. Huynh, M. Frappier, H. Pooda, A. Mammar, and R. Laleau. 2019. SGAC: A multi-layered access control model with conflict resolution strategy. Computer Journal 62, 12 (2019), 1707--1733.

[27]

International Organization for Standardization. 2014. ISO 22600-1:2014. https://www.iso.org/cms/render/live/en/sites/isoorg/contents/data/standard/06/26/62653.html.

[28]

Michael Jefford and Rosemary Moore. 2008. Improvement of informed consent and the quality of consent documents. Lancet Oncology 9, 5 (May 2008), 485--493.

[29]

Joshua Joy, Minh Le, and Mario Gerla. 2016. LocationSafe: Granular location privacy for IoT devices. In Proceedings of the 8th Wireless of the Students, by the Students, and for the Students Workshop (S3’16). ACM, New York, NY, 39--41.

[30]

Jane Kaye, Liam Curren, Nick Anderson, Kelly Edwards, Stephanie M. Fullerton, Nadja Kanellopoulou, David Lund, et al. 2012. From patients to partners: Participant-centric initiatives in biomedical research. Nature Reviews: Genetics 13, 5 (April 2012), 371--376.

[31]

Atif Khan and Ian McKillop. 2013. Privacy-centric access control for distributed heterogeneous medical information systems. In Proceedings of the 2013 IEEE International Conference on Healthcare Informatics. 297--306. ISSN: null.

Digital Library

[32]

Barbara Kitchenham. 2004. Procedures for Performing Systematic Reviews. Technical Report TR/SE-0401. Keele University, Keele, UK.

[33]

S. Kiyomoto, M. S. Rahman, and A. Basu. 2017. On blockchain-based anonymized dataset distribution platform. In Proceedings of the 2017 IEEE 15th International Conference on Software Engineering Research, Management, and Applications (SERA’17). 85--92.

[34]

Paul Koster, Muhammad Asim, and Milan Petkovic. 2011. End-to-end security for personal telehealth. Studies in Health Technology and Informatics 169 (2011), 621--625.

[35]

C. S. Kouzinopoulos, K. M. Giannoutakis, K. Votis, D. Tzovaras, A. Collen, N. A. Nijdam, D. Konstantas, G. Spathoulas, P. Pandey, and S. Katsikas. 2018. Implementing a forms of consent smart contract on an IoT-based blockchain to promote user trust. In Proceedings of 2018 Innovations in Intelligent Systems and Applications (INISTA’18). 1--6.

[36]

Tsung-Ting Kuo, Hyeon-Eui Kim, and Lucila Ohno-Machado. 2017. Blockchain distributed ledger technologies for biomedical and health care applications. Journal of the American Medical Informatics Association 24, 6 (Nov. 2017), 1211--1220.

[37]

Gary Leeming, James Cunningham, and John Ainsworth. 2019. A ledger of me: Personalizing healthcare using blockchain technology. Frontiers in Medicine (Lausanne) 6 (2019), 171.

[38]

Loi Luu, Duc-Hiep Chu, Hrishi Olickel, Prateek Saxena, and Aquinas Hobor. 2016. Making smart contracts smarter. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS’16). ACM, New York, NY, 254--269.

Digital Library

[39]

W. Ma and K. Sartipi. 2014. An agent-based infrastructure for secure medical imaging system integration. In Proceedings of the 2014 IEEE 27th International Symposium on Computer-Based Medical Systems. 72--77.

[40]

Weina Ma and Kamran Sartipi. 2014. An agent-based infrastructure for secure medical imaging system integration. In Proceedings of the 2014 IEEE 27th International Symposium on Computer-Based Medical Systems. 72--77.

Digital Library

[41]

Eve Maler. 2015. Extending the power of consent with user-managed access: A standard architecture for asynchronous, centralizable, Internet-scalable consent. In Proceedings of the 2015 IEEE Security and Privacy Workshops. 175--179.

[42]

Paul Malone, Mark McLaughlin, Ronald Leenes, Pierfranco Ferronato, Nick Lockett, Pedro Bueso Guillen, Thomas Heistracher, and Giovanni Russello. 2010. ENDORSE: A legal technical framework for privacy preserving data management. In Proceedings of the 2010 Workshop on Governance of Technology, Information, and Policies (GTIP’10). ACM, New York, NY, 27--34.

[43]

Pooya Mehregan and Philip W. L. Fong. 2016. Policy negotiation for co-owned resources in relationship-based access control. In Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies (SACMAT’16). ACM, New York, NY, 125--136.

[44]

David Moher. 2009. Preferred Reporting Items for Systematic Reviews and Meta-Analyses: The PRISMA statement. Annals of Internal Medicine 151, 4 (Aug. 2009), 264.

[45]

Wanda Montalvo and Elaine Larson. 2014. Participant comprehension of research for which they volunteer: A systematic review. Journal of Nursing Scholarship 46, 6 (Nov. 2014), 423--431.

[46]

Victor Morel, Mathieu Cunche, and Daniel Le Métayer. 2019. A generic information and consent framework for the IoT. In Proceedings of the 2019 18th IEEE International Conference on Trust, Security and Privacy in Computing and Communications and the 13th IEEE International Conference on Big Data Science and Engineering (TrustCom/BigDataSE’19). 366--373.

[47]

A. Norta, D. Hawthorne, and S. L. Engel. 2018. A privacy-protecting data-exchange wallet with ownership- and monetization capabilities. In Proceedings of the 2018 International Joint Conference on Neural Networks (IJCNN’18). 1--8.

[48]

Hans-Ulrich Prokosch, Till Acker, Johannes Bernarding, Harald Binder, Martin Boeker, Melanie Boerries, Philipp Daumke, et al. 2018. MIRACUM: Medical informatics in research and care in university medicine. Methods of Information in Medicine 57, Suppl. 1 (July 2018), e82--e91.

[49]

C. Pruski. 2010. e-CRL: A rule-based language for expressing patient electronic consent. In Proceedings of the 2010 2nd International Conference on eHealth, Telemedicine, and Social Medicine. 141--146.

[50]

A. R. Rajput, Q. Li, M. Taleby Ahvanooey, and I. Masood. 2019. EACMS: Emergency access control management system for personal health record based on blockchain. IEEE Access 7 (2019), 84304--84317.

[51]

Fatemeh Rezaeibagha, Khin Than Win, and Willy Susilo. 2015. A systematic literature review on security and privacy of electronic health record systems: Technical perspectives. Health Information Management 44, 3 (Oct. 2015), 23--38.

[52]

Marco Robol, Travis D. Breaux, Elda Paja, and Paolo Giorgini. 2019. Consent verification under evolving privacy policies. In Proceedings of the 2019 IEEE 27th International Requirements Engineering Conference (RE’19). 422--427.

[53]

Ramkinker Singh and Vipra Gupta. 2013. Dynamic federation in identity management for securing and sharing personal health records in a patientcentric model in cloud. International Journal of Engineering and Technology 5, 3 (2013), 9.

[54]

Rudi Studer, V. Richard Benjamins, and Dieter Fensel. 1998. Knowledge engineering: Principles and methods. Data & Knowledge Engineering 25, 1 (March 1998), 161--197.

Digital Library

[55]

Integrating the Healthcare Enterprise. 2020. IHE IT Infrastructure ITI Technical Framework. 1. https://www.ihe.net/uploadedFiles/Documents/ITI/IHE_ITI_TF_Vol1.pdf.

[56]

Integrating the Healthcare Enterprise. n.d. Advanced Patient Privacy. Retrieved February 1, 2021 from https://wiki.ihe.net/index.php/Advanced_Patient_Privacy_Consents.

[57]

Integrating the Healthcare Enterprise. n.d. Audit Trail and Node Authentication. Retrieved February 1, 2021 from https://wiki.ihe.net/index.php/Audit_Trail_and_Node_Authentication.

[58]

Integrating the Healthcare Enterprise. n.d. Basic Patient Privacy Consents. Retrieved February 1, 2021 from https://wiki.ihe.net/index.php/Basic_Patient_Privacy_Consents.

[59]

Nguyen Binh Truong, Kai Sun, Gyu Myoung Lee, and Yike Guo. 2019. GDPR-Compliant personal data management: A blockchain-based solution. IEEE Transactions on Information Forensics and Security 15 (2019), 1746--1761.

Digital Library

[60]

Max-R. Ulbricht and Frank Pallas. 2016. CoMaFeDS: Consent management for federated data sources. In Proceedings of the 2016 IEEE International Conference on Cloud Engineering Workshop (IC2EW’16). 106--111.

[61]

J. Patrick Woolley, Emily Kirby, Josh Leslie, Francis Jeanson, Moran N. Cabili, Gregory Rushton, James G. Hazard, et al. 2018. Responsible sharing of biomedical data and biospecimens via the “Automatable Discovery and Access Matrix” (ADA-M). npj Genomic Medicine 3, 1 (July 2018), 1--6.

[62]

Bo Yu, Duminda Wijesekera, and Paulo C. G. Costa. 2014. An ontology for medical treatment consent. In Proceedings of the 9th International Conference on Semantic Technologies for Intelligence, Defense, and Security (STIDS’14). 72--79.

[63]

Lelethu Zazaza, H. S. Venter, and George Sibiya. 2019. The current state of electronic consent systems in e-health for privacy preservation. In Information Security. Communications in Computer and Information Science, Vol. 973. Springer, 76--88.

Cited By

Lee AKoo DKim ILee EYoo SLee H(2024)Opportunities and challenges of a dynamic consent-based application: personalized options for personal health data sharing and utilizationBMC Medical Ethics10.1186/s12910-024-01091-325:1Online publication date: 31-Aug-2024
https://doi.org/10.1186/s12910-024-01091-3
De Sutter EBorry PHuys IBarbier L(2023)Informing a European guidance framework on electronic informed consent in clinical research: a qualitative studyBMC Health Services Research10.1186/s12913-023-09173-523:1Online publication date: 21-Feb-2023
https://doi.org/10.1186/s12913-023-09173-5
Chimonas SLipitz-Snyderman AMatsoukas KKuperman G(2023)Electronic consent in clinical care: an international scoping reviewBMJ Health & Care Informatics Online10.1136/bmjhci-2022-10072630:1(e100726)Online publication date: 9-Jul-2023
https://doi.org/10.1136/bmjhci-2022-100726
Show More Cited By

Index Terms

Security and Privacy Requirements for Electronic Consent: A Systematic Literature Review
1. Security and privacy
  1. Security services
2. Software and its engineering
  1. Software creation and management
    1. Designing software
      1. Requirements analysis
      2. Software design engineering

Recommendations

Principled Electronic Consent Management: A Preliminary Research Framework
EST '10: Proceedings of the 2010 International Conference on Emerging Security Technologies

Consent is a multifaceted concept that has not received much attention in information systems literature. In this paper we categorise current electronic consent decision making systems into first generation, ex-post and principled Electronic Consent ...
Privacy requirements elicitation: a systematic literature review and perception analysis of IT practitioners
Abstract
During the software development process and throughout the software lifecycle, organizations must guarantee users’ privacy by protecting personal data. There are several studies in the literature proposing methodologies, techniques, and tools for ...
Designing Privacy-by-Design
APF 2012: Revised Selected Papers of the First Annual Privacy Forum on Privacy Technologies and Policy - Volume 8319

The proposal for a new privacy regulation d.d. January 25^th 2012 introduces sanctions of up to 2% of the annual turnover of enterprises. This elevates the importance of mitigation of privacy risks. This paper makes Privacy by Design more concrete, and ...

Comments

Information & Contributors

Information

Published In

cover image ACM Transactions on Computing for Healthcare

ACM Transactions on Computing for Healthcare Volume 2, Issue 2

April 2021

226 pages

EISSN:2637-8051

DOI:10.1145/3446675

Editors:
Insup Lee
University of Pennsylvania, USA
,
John A. Stankovic
University of Virginia, USA

Issue’s Table of Contents

Copyright © 2021 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 22 March 2021

Accepted: 01 November 2020

Revised: 01 September 2020

Received: 01 April 2020

Published in HEALTH Volume 2, Issue 2

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed

Funding Sources

KU Leuven C2-ePIC project

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

6
Total Citations
View Citations
674
Total Downloads

Downloads (Last 12 months)92
Downloads (Last 6 weeks)24

Reflects downloads up to 02 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

Lee AKoo DKim ILee EYoo SLee H(2024)Opportunities and challenges of a dynamic consent-based application: personalized options for personal health data sharing and utilizationBMC Medical Ethics10.1186/s12910-024-01091-325:1Online publication date: 31-Aug-2024
https://doi.org/10.1186/s12910-024-01091-3
De Sutter EBorry PHuys IBarbier L(2023)Informing a European guidance framework on electronic informed consent in clinical research: a qualitative studyBMC Health Services Research10.1186/s12913-023-09173-523:1Online publication date: 21-Feb-2023
https://doi.org/10.1186/s12913-023-09173-5
Chimonas SLipitz-Snyderman AMatsoukas KKuperman G(2023)Electronic consent in clinical care: an international scoping reviewBMJ Health & Care Informatics Online10.1136/bmjhci-2022-10072630:1(e100726)Online publication date: 9-Jul-2023
https://doi.org/10.1136/bmjhci-2022-100726
Samad AIzani MRazak AMustaffa F(2023)Understanding Advertising in Virtual Worlds and Best Practices for Metaverse Advertising2023 Zooming Innovation in Consumer Technologies Conference (ZINC)10.1109/ZINC58345.2023.10174214(45-50)Online publication date: 29-May-2023
https://doi.org/10.1109/ZINC58345.2023.10174214
Van Assche DDelva THaesendonck GHeyvaert PDe Meester BDimou A(2023)Declarative RDF graph generation from heterogeneous (semi-)structured dataWeb Semantics: Science, Services and Agents on the World Wide Web10.1016/j.websem.2022.10075375:COnline publication date: 1-Jan-2023
https://dl.acm.org/doi/10.1016/j.websem.2022.100753
Appenzeller AHornung MKadow TKrempel EBeyerer J(2022)Sovereign Digital Consent through Privacy Impact Quantification and Dynamic ConsentTechnologies10.3390/technologies1001003510:1(35)Online publication date: 21-Feb-2022
https://doi.org/10.3390/technologies10010035
De Sutter ELalova-Spinks TBorry PValcke PKindt ENegrouk AVerhenneman GDerèze JStorme RHuys I(2022)Rethinking informed consent in the time of COVID-19: An exploratory surveyFrontiers in Medicine10.3389/fmed.2022.9956889Online publication date: 27-Sep-2022
https://doi.org/10.3389/fmed.2022.995688

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

HTML Format

View this article in HTML Format.

Figures

Tables

Media

View Issue’s Table of Contents