Privacy and information security risks in a technology platform for home-based chronic disease rehabilitation and education

BackgroundPrivacy and information security are important for all healthcare services, including home-based services. We have designed and implemented a prototype technology platform for providing home-based healthcare services. It supports a personal electronic health diary and enables secure and reliable communication and interaction with peers and healthcare personnel. The platform runs on a small computer with a dedicated remote control. It is connected to the patient’s TV and to a broadband Internet. The platform has been tested with home-based rehabilitation and education programs for chronic obstructive pulmonary disease and diabetes. As part of our work, a risk assessment of privacy and security aspects has been performed, to reveal actual risks and to ensure adequate information security in this technical platform.MethodsRisk assessment was performed in an iterative manner during the development process. Thus, security solutions have been incorporated into the design from an early stage instead of being included as an add-on to a nearly completed system. We have adapted existing risk management methods to our own environment, thus creating our own method. Our method conforms to ISO’s standard for information security risk management.ResultsA total of approximately 50 threats and possible unwanted incidents were identified and analysed. Among the threats to the four information security aspects: confidentiality, integrity, availability, and quality; confidentiality threats were identified as most serious, with one threat given an unacceptable level of High risk. This is because health-related personal information is regarded as sensitive. Availability threats were analysed as low risk, as the aim of the home programmes is to provide education and rehabilitation services; not for use in acute situations or for continuous health monitoring.ConclusionsMost of the identified threats are applicable for healthcare services intended for patients or citizens in their own homes. Confidentiality risks in home are different from in a more controlled environment such as a hospital; and electronic equipment located in private homes and communicating via Internet, is more exposed to unauthorised access. By implementing the proposed measures, it has been possible to design a home-based service which ensures the necessary level of information security and privacy.

[1]  Luis Fernández-Luque,et al.  An Analysis of Personal Medical Information Disclosed in YouTube Videos Created by Patients with Multiple Sclerosis , 2009, MIE.

[2]  E H Wagner,et al.  Improving the quality of health care for chronic conditions , 2004, Quality and Safety in Health Care.

[3]  Per Hasvold,et al.  Risk analysis of information security in a mobile instant messaging and presence system for healthcare , 2007, Int. J. Medical Informatics.

[4]  Njål T. Borch,et al.  An Easy to Use and Affordable Home-Based Personal eHealth System for Chronic Disease Management Based on Free Open Source Software , 2008, MIE.

[5]  Nineta Polemi,et al.  Towards a Systematic Approach for Improving Information Security Risk Management Methods , 2007, 2007 IEEE 18th International Symposium on Personal, Indoor and Mobile Radio Communications.

[6]  A. Policy Review of the 2002 Department of Health and Human Service Notice of Proposed Rule Making for The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Regulations , 2002 .

[7]  Lynn A. Karoly,et al.  Health Insurance Portability and Accountability Act of 1996 (HIPAA) Administrative Simplification , 2010, Practice Management Consultant.

[8]  Felix Redmill,et al.  Towards System Safety , 1999, Springer London.

[9]  Lars Kristian Vognild,et al.  Internet-enabled pulmonary rehabilitation and diabetes education in group settings at home: a preliminary study of patient acceptability , 2013, BMC Medical Informatics and Decision Making.

[10]  Dag Wiese Schartum Lov om behandling av personopplysninger , 2000 .

[11]  Ibrahim Sogukpinar,et al.  ISRAM: information security risk analysis method , 2005, Comput. Secur..

[12]  J. Epping-Jordan,et al.  Preparing the 21st century global healthcare workforce , 2005, BMJ : British Medical Journal.

[13]  Luis Fernandez Luque,et al.  The MyHealthService approach for chronic disease management based on free open source software and low cost components , 2009, 2009 Annual International Conference of the IEEE Engineering in Medicine and Biology Society.

[14]  David A. Hoffman,et al.  Remote home health care technologies: how to ensure privacy? Build it in: Privacy by Design , 2010 .

[15]  Helse og omsorgsdepartementet The Act of 2 July 1999 No. 63 relating to Patients’ Rights , 2009 .

[16]  Stephen N. Luko,et al.  Risk Management Principles and Guidelines , 2013 .

[17]  Beni Gómez-Zúñiga,et al.  ePatients on YouTube: Analysis of Four Experiences From the Patients' Perspective , 2012, Medicine 2.0.

[18]  Gary McGraw,et al.  Risk Analysis in Software Design , 2004, IEEE Secur. Priv..

[19]  Per Hasvold,et al.  Video calls from lay bystanders to dispatch centers - risk assessment of information security , 2011, BMC health services research.

[20]  Monika Alise Johansen,et al.  Threats to Information Security of Real-Time Disease Surveillance Systems , 2009, MIE.

[21]  Felix Redmill,et al.  System Safety: HAZOP and Software HAZOP , 1999 .

[22]  Helse og omsorgsdepartementet Act of 2 July 1999 No. 64 relating to Health Personnel etc. , 2002 .