spsymposium-paper26
TRANSCRIPT
7/27/2019 SPsymposium-paper26
http://slidepdf.com/reader/full/spsymposium-paper26 1/2
Current Status of Information Security forElectronic Health Record Services in India
Pulkit MehndirattaJaypee Institute of Information TechnologySector-128 Noida, Uttar Pradesh , India
Shelly SachdevaJaypee Institute of Information TechnologySector-128 Noida, Uttar Pradesh , India
ABSTRACTWith the recent developments in information and communi-cation technology, healthcare is constantly undergoing changes,with new medical technologies, business models and researchfindings. It has evolved as a new data-centric, more precise,productive, accurate and timely system which can make thedifference of life and death in acute situations known as Elec-tronic Health Records (EHRs). The requirements for secu-
rity and privacy are also very critical and very difficult tosatisfy in case of EHRs data as compared to any other data.This is due to the conflicting needs of clinicians (who de-mand open and easy access to EHRs) and the patients (whoprefer closed and private access to EHRs). The potentialand capabilities of IT and its influence on the Indian health-care has been much talked about. Thus, this study examinesthe current status security and privacy of various EHRs im-plemented in India. Also, based on the various findings wepropose a model to protect the security and privacy of thedata sub jects (patients).
Categories and Subject DescriptorsH.4 [Information Systems Applications]: Miscellaneous;
K.6.5.a [Management of Computing and InformationSystems]: Security and Privacy
General TermsSecurity and Privacy, Electronic Health Records, InferenceControl, Developing Country, India
1. INTRODUCTIONElectronic Health Records (EHRs) are the paperless solutionto a disconnected healthcare world that runs on a chain of paper files. They provides new opportunities, improves pro-ductivity, reduces the administrative burdens, reduce costand medical errors. These become cavillous in the case of
an emergency where the patient may be unable to commu-nicate this information. These provide doctors with moretimely access to potentially life-saving information at the
point of care while diminishing the paper trail. In general, anEHR includes clinical statements such as observations, lab-oratory tests, diagnostic imaging reports, treatments, ther-apies, drugs administered, and allergies.”As more of our medical records are stored electronically, the threats to our security and privacy increase”.[1]. Electronichealth records form an integral part of the healthcare systemand it is imparitive that EHR’s are safe because there is ev-
idence that breaches in security have an impact on patientshealth care. Thus, unless privacy and security problems areresolved, EHRs will not be widely adopted.
2. MOTIVATIONRecent trends in healthcare are adopting standardized EHRs.In developing countries like India, the conventional systemof medication is still restricted to paper and pen.EHRs rep-resent lifelong documentation of medical history for any pa-tient. So, an efficient protocol and architecture is requiredwhich is not standardized yet [9,10]. Thus, it is utmost im-portant to provide doctors and patients with modern facili-ties like computer and mobile based medical solution. Thiswill ease the work of practitioners and make it more effective
and productive. But, at the same time security and privacyof the data has to be maintained in the system. Few of thesecurity and privacy breaches that occurred in past six toeight months around the globe [4] are due to lack of securityand privacy measures and it effected the lives of patients.ISO/TS 18308 standard gives the definitions of security andprivacy issue for EHRs [2]. According to recent reports, themaximum civil fine for violating Health Insurance Portabil-ity and Accountability Act (HIPAA) [3] privacy regulationswill increase and become 60 times higher (per provision)from the current $25,000 under an interim final rule pub-lished by Health and Human Services in United States.This poster contributes to the current status of EHRs inIndia and what are the various security and privacy issues.
It throws light on, whether various EHRs implemented inIndia are in compliance with any standard act like HIPAAAct or HITECH Act.
3. METHODOLOGYIn India, apart from C-DAC (Center for Development of Ad-vanced Computing) no other agency is working in the area of Health Informatics and Electronic Health Records (EHRs).C-DAC has developed various solutions such as E-Sushrut [5], DIGHT [6], Mercury, E-Sanjeevni, Tejhas, Ayusoft etc.Most of these solutions are indigenously developed and man-aged by C-DAC only. We have done an extensive study of
7/27/2019 SPsymposium-paper26
http://slidepdf.com/reader/full/spsymposium-paper26 2/2
Figure 1: Reference model for the Standardized
Electronic Health Records Database systems with
privacy and security measures at each layer.
the architecture of all the products and solutions developedand tried to evaluate the security and privacy componentin it. Among these, E-Sushrut [5] is the most comprehen-sive and widely deployed Health Information System. Thissystem incorporates an integrated computerized clinical in-formation system for improved hospital administration andpatient health care. The real time version streamlines theflow of patients and simultaneously empowers workflow toperform to their peak ability, but the security and privacyof the patients data is only limited to the user-level accesscontrol mechanism. No attention has been paid to the dataencryption and anonymity which could lead to inference con-trol. The system also lacks in various measures to protectit from network attacks. Thus, very critical and highly con-fidential information can easily be compromised due to lackof proper measures.Project DIGHT (Distributed Infrastructure for Global eHrTechnology) [6] proposed to have a separate module for secu-rity and privacy which will provide secure storage and accessof EHRs, along with privacy to the user. But, till date nosuch module has been developed/implemented for India tosuffice the purpose.
3.1 Proposal for Secure Architecture of EHRsAll the product designed and developed by C-DAC are lack-ing in security and privacy component. Thus, we come upwith a proposal for the architecture shown in fig. 1, to pro-
vide security and privacy to the user (data subjects). Thisshows the function wise reference layer model of the EHRsystem. The goal is, how we can include security and privacytechniques on each layer of this reference model of electronichealth record database systems to give maximum security aswell as state of the art privacy to the data subjects.
4. RESULTS AND FUTURE SCOPEWe surveyed the problem of security and privacy for vari-ous Electronic Health Records (EHRs) already implementedand under development in India. Our findings implicate thatmost of the current systems are lacking in the proper security
and privacy measure for the system and the user informa-tion. Some have mentioned to take security and user privacyinto consideration are not in compliance with internationalact or standardized policy set like HIPAA or HITECH Act.Thus, their is a need for imposing very stringent and secu-rity policies and procedures. Security issues such as authen-tication, availability, confidentiality, integrity, access con-trol, data ownership, data protection policies, user profiles
and standard model need to be taken into consideration forEHRs. Techniques like k-anonymity [7] and L-diversity [8]should be used to make data more private and anonymousto disable the inferences from the databases. Incorporatingsecurity measures and privacy preserving techniques, orga-nizations can benefit from increased user confidence, conve-nience, and speed of access to information.A very high level of security and privacy is required for thefront-end user application and the back-end database. Thus,in future we will try to come up with an architecture forStandardized EHRs which is in compliance to internationalstandards and protect user privacy and system security.
5. REFERENCES
[1] State of the Union 1999. Address of William J.Clinton, USA January 19, 1999 .
[2] ISO/TS 13606 2012http://www.iso.org/iso/catalogue detail.html (Lastaccessed on Nov 10, 2012).
[3] HIPAA 2012 Health Privacy Rule Act:http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html (Last accessed on Nov 21, 2012).
[4] Top 10 Data Security Breaches in 2012 2012http://www.healthcarefinancenews.com/news/top-10-data-security-breaches-in-2012 (Last accessed on Dec24, 2012)
[5] E-Sushrut 2012http://www.cdacnoida.in/healthcare.asp (Last accessed
on December 06, 2012)[6] DIGHT Distributed Infrastructure for Global eHr
Technology 22012 http://dight.sics.se/?q=node/3(Last accessed on December 06, 2012)
[7] Sweeney L 2002 k-Anonymity: A model forprotecting privacy, International Journal on Uncertainty ,Fuzziness and Knowledge based systems,2002.
[8] A.Machanavajjhala, J. Gehrke, and D. Kifer.2006 ”L-diversity: Privacy beyond k-anonymity”Proceedings of the 22nd International Conference on Data Engineering, 3-8 April 2006, Atlanta, GA, USA.
[9] R. Addas, N. Zhang 2011 ”Support Access toDistributed EHR’s with Three levels of Identity Privacy
Preservation.” Proceedings of Sixth International Conference on Availability, Relaibility and Security,22-26 Aug 2011, Vienna, Austria
[10] M.N. Huda, S.Yamada, N. Sonehara 2009”Privacy-aware access to patient-controlled PersonalHealth Records in emergency situations.” In Proceedings of third International Conference on Pervaisve Health, 1-3 April, London, UK.