Comprehensive user requirements engineering methodology for secure and interoperable health data exchange

Background: Increased digitalization of healthcare comes with the cost of cybercrime proliferation. This results in patients' and healthcare providers' skepticism about adopting Health Information Technologies (HIT). In Europe, this shortcoming hampers efficient cross-border health data exchange, which requires a holistic, secure and interoperable framework. This study, conducted within the scope of the KONFIDO project, aimed to provide the foundations for designing a secure and interoperable toolkit for cross-border health data exchange within the European Union (EU). In particular, we present our user requirements engineering methodology and the obtained results, which drive the technical design of the KONFIDO toolkit.

Methods: Our methodology relied on four pillars: (a) a gap analysis study reviewing a range of relevant projects/initiatives, technologies, and cybersecurity strategies for HIT interoperability and cybersecurity; (b) the definition of user scenarios with a major focus on cross-border health data exchange in the three pilot countries of the project; (c) a user requirements elicitation phase containing a threat analysis of the business processes entailed in the user scenarios; and (d) surveys and discussions with key stakeholders, aiming to validate the obtained outcomes and identify barriers and facilitators for HIT adoption linked with cybersecurity and interoperability.

Results: According to the gap analysis outcomes, full adherence to information security standards is currently not universally achieved. Sustainability plans shall be defined for adapting existing/evolving frameworks to the state of the art. Overall, a lack of integration into a holistic security approach was clearly identified. For each user scenario, we produced a comprehensive workflow, highlighting challenges and open issues for its application in our pilot sites. The threat analysis resulted in a set of 30 user goals in total, documented in detail. Finally, indicative barriers to HIT acceptance include lack of awareness regarding HIT risks and legislation, lack of a security-oriented culture and management commitment, as well as usability constraints, while important facilitators concern the adoption of standards and current efforts towards a common EU legislation framework.

Conclusions: Our study provides important insights to address secure and interoperable health data exchange, while our methodological framework constitutes a paradigm for investigating diverse cybersecurity-related risks in the health sector.
