Analysis of the Security and Privacy Requirements of Cloud-Based Electronic Health Records Systems

Background The Cloud Computing paradigm offers eHealth systems the opportunity to enhance the features and functionality that they offer. However, moving patients’ medical information to the Cloud implies several risks in terms of the security and privacy of sensitive health records. In this paper, the risks of hosting Electronic Health Records (EHRs) on the servers of third-party Cloud service providers are reviewed. To protect the confidentiality of patient information and facilitate the process, some suggestions for health care providers are made. Moreover, security issues that Cloud service providers should address in their platforms are considered. Objective To show that, before moving patient health records to the Cloud, security and privacy concerns must be considered by both health care providers and Cloud service providers. Security requirements of a generic Cloud service provider are analyzed. Methods To study the latest in Cloud-based computing solutions, bibliographic material was obtained mainly from Medline sources. Furthermore, direct contact was made with several Cloud service providers. Results Some of the security issues that should be considered by both Cloud service providers and their health care customers are role-based access, network security mechanisms, data encryption, digital signatures, and access monitoring. Furthermore, to guarantee the safety of the information and comply with privacy policies, the Cloud service provider must be compliant with various certifications and third-party requirements, such as SAS70 Type II, PCI DSS Level 1, ISO 27001, and the US Federal Information Security Management Act (FISMA). Conclusions Storing sensitive information such as EHRs in the Cloud means that precautions must be taken to ensure the safety and confidentiality of the data. A relationship built on trust with the Cloud service provider is essential to ensure a transparent process. Cloud service providers must make certain that all security mechanisms are in place to avoid unauthorized access and data breaches. Patients must be kept informed about how their data are being managed.

[1]  Chinyao Low,et al.  Criteria for the Evaluation of a Cloud-Based Hospital Information System Outsourcing Provider , 2012, Journal of Medical Systems.

[2]  Joel J. P. C. Rodrigues,et al.  Analysis of the Cloud Computing Paradigm on Mobile Health Records Systems , 2012, 2012 Sixth International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing.

[3]  A. Kuo Opportunities and Challenges of Cloud Computing to Improve Health Care Services , 2011, Journal of medical Internet research.

[4]  P. Yellowlees,et al.  Standards-based, open-source electronic health record systems: a desirable future for the U.S. health industry. , 2008, Telemedicine journal and e-health : the official journal of the American Telemedicine Association.

[5]  James F. Brinkley,et al.  Issues in biomedical research data management and analysis: needs and barriers. , 2007, Journal of the American Medical Informatics Association : JAMIA.

[6]  Joel J. P. C. Rodrigues,et al.  Analysis of Cloud-Based Solutions on EHRs Systems in Different Scenarios , 2012, Journal of Medical Systems.

[7]  Joseph Reddington,et al.  Looking at clouds from both sides: The advantages and disadvantages of placing personal narratives in the cloud , 2011, Inf. Secur. Tech. Rep..

[8]  Francisco Javier Díaz Pernas,et al.  Analysis of the benefits and constraints for the implementation of Cloud Computing over an EHRs system , 2012, 2012 6th Euro American Conference on Telematics and Information Systems (EATIS).

[9]  Alex Bateman,et al.  Cloud computing , 2009, Bioinform..

[10]  Kevin D Blanchet Electronic health records: are consumers riding or driving the car? , 2008, Telemedicine journal and e-health : the official journal of the American Telemedicine Association.

[11]  Yuval Elovici,et al.  Google Android: A Comprehensive Security Assessment , 2010, IEEE Security & Privacy.

[12]  Ling Liu,et al.  Security Models and Requirements for Healthcare Application Clouds , 2010, 2010 IEEE 3rd International Conference on Cloud Computing.

[13]  John S Hargreaves,et al.  Will electronic personal health records benefit providers and patients in rural America? , 2010, Telemedicine journal and e-health : the official journal of the American Telemedicine Association.

[14]  Martha Ganser,et al.  A preliminary study of a cloud-computing model for chronic illness self-care support in an underdeveloped country. , 2011, American journal of preventive medicine.

[15]  Randy H. Katz,et al.  A view of cloud computing , 2010, CACM.

[16]  Isabel de la Torre,et al.  Análisis de Aspectos de Interés sobre Privacidad y Seguridad en la Historia Clínica Electrónica , 2011 .

[17]  Roger Clarke,et al.  Privacy and consumer risks in cloud computing , 2010, Comput. Law Secur. Rev..

[18]  Yu-Yi Chen,et al.  A Secure EHR System Based on Hybrid Clouds , 2012, Journal of Medical Systems.

[19]  Mache Creeger,et al.  CTO Roundtable , 2009, Commun. ACM.

[20]  Rajkumar Buyya,et al.  Special section: Federated resource management in grid and cloud computing systems , 2010, Future Gener. Comput. Syst..

[21]  Flora Malamateniou,et al.  Emergency Healthcare Process Automation Using Mobile Computing and Cloud Services , 2012, Journal of Medical Systems.

[22]  Isabel de la Torre Díez,et al.  Advances and Current State of the Security and Privacy in Electronic Health Records: Survey from a Social Perspective , 2012, Journal of Medical Systems.