scholarly journals Usability Study of a Tool for Patients’ Access Control to Their Health Data

2019 ◽  
Author(s):  
Sandra Reis ◽  
Ana Ferreira ◽  
Pedro Vieira-Marques ◽  
Ricardo Cruz-Correia
Keyword(s):  
Access Control ◽  
Health Data ◽  
Usability Study

Exploring Type-and-Identity-Based Proxy Re-Encryption Scheme to Securely Manage Personal Health Records

2010 ◽  
Vol 1 (2) ◽  
pp. 1-21
Author(s):  
Luan Ibraimi ◽  
Qiang Tang ◽  
Pieter Hartel ◽  
Willem Jonker
Keyword(s):  
Access Control ◽  
Health Data ◽  
Third Party ◽  
Personal Health ◽  
Encryption Scheme ◽  
Health Records ◽  
Web Based ◽  
The Third ◽  
Access Control Policies ◽  
Identity Based

Commercial Web-based Personal-Health Record (PHR) systems can help patients to share their personal health records (PHRs) anytime from anywhere. PHRs are very sensitive data and an inappropriate disclosure may cause serious problems to an individual. Therefore commercial Web-based PHR systems have to ensure that the patient health data is secured using state-of-the-art mechanisms. In current commercial PHR systems, even though patients have the power to define the access control policy on who can access their data, patients have to trust entirely the access-control manager of the commercial PHR system to properly enforce these policies. Therefore patients hesitate to upload their health data to these systems as the data is processed unencrypted on untrusted platforms. Recent proposals on enforcing access control policies exploit the use of encryption techniques to enforce access control policies. In such systems, information is stored in an encrypted form by the third party and there is no need for an access control manager. This implies that data remains confidential even if the database maintained by the third party is compromised. In this paper we propose a new encryption technique called a type-and-identity-based proxy re-encryption scheme which is suitable to be used in the healthcare setting. The proposed scheme allows users (patients) to securely store their PHRs on commercial Web-based PHRs, and securely share their PHRs with other users (doctors).

scholarly journals Assessing Access Control Risk for mHealth: A Delphi Study to Categorize Security of Health Data and Provide Risk Assessment for Mobile Apps

2020 ◽  
Vol 2020 ◽  
pp. 1-14
Author(s):  
Pedro Moura ◽  
Paulo Fazendeiro ◽  
Pedro R. M. Inácio ◽  
Pedro Vieira-Marques ◽  
Ana Ferreira
Keyword(s):  
Risk Factors ◽  
Risk Assessment ◽  
Access Control ◽  
Delphi Study ◽  
Mobile Apps ◽  
Real Life ◽  
Health Data ◽  
Security And Privacy ◽  
Risk Level ◽  
Healthcare Data

Background. Smartphones can tackle healthcare stakeholders’ diverse needs. Nonetheless, the risk of data disclosure/breach can be higher when using such devices, due to the lack of adequate security and the fact that a medical record has a significant higher financial value when compared with other records. Means to assess those risks are required for every mHealth application interaction, dependent and independent of its goals/content. Objective. To present a risk assessment feature integration into the SoTRAACE (Socio-Technical Risk-Adaptable Access Control) model, as well as the operationalization of the related mobile health decision policies. Methods. Since there is still a lack of a definition for health data security categorization, a Delphi study with security experts was performed for this purpose, to reflect the knowledge of security experts and to be closer to real-life situations and their associated risks. Results. The Delphi study allowed a consensus to be reached on eleven risk factors of information security related to mobile applications that can easily be adapted into the described SoTRAACE prototype. Within those risk factors, the most significant five, as assessed by the experts, and in descending order of risk level, are as follows: (1) security in the communication (e.g., used security protocols), (2) behavioural differences (e.g., different or outlier patterns of behaviour detected for a user), (3) type of wireless connection and respective encryption, (4) resource sensitivity, and (5) device threat level (e.g., known vulnerabilities associated to a device or its operating system). Conclusions. Building adaptable, risk-aware resilient access control models into the most generalized technology used nowadays (e.g., smartphones) is crucial to fulfil both the goals of users as well as security and privacy requirements for healthcare data.

scholarly journals Securing E-health Data using Ciphertext-Policy Attribute-Based Encryption with Dynamic User Revocation

2019 ◽  
Vol 8 (3) ◽  
pp. 7244-7250
Keyword(s):  
Access Control ◽  
Service Providers ◽  
Health Data ◽  
Security And Privacy ◽  
Unique Identifier ◽  
Fine Grained ◽  
Attribute Based Encryption ◽  
User Revocation ◽  
Role Based ◽  
Ciphertext Policy

E-health systems hold a massive amount of medical data that is stored and shared across healthcare service providers to deliver health facilities. However, security and privacy worries increase when sharing this data over distributed settings. As a result, Cryptography techniques have been considered to secure e-health data from unauthorized access. The Ciphertext Policy Attribute-Based Encryption (CP-ABE) is commonly utilized in such a setting, which provides role-based and fine-grained access control over encrypted data. The CP-ABE suffers from the problem of user revocation where the entire policy must be changed even when only one user is revoked or removed from the policy. In this paper, we proposed a CP-ABE based access control model to support user revocation efficiently. Specifically, the proposed model associates a unique identifier to each user. This identifier is added to the policy attributes and removed dynamically when the user is added/revoked. A tree structure (PolicyPathTree) is designed specifically for our model. It can facilitate fast access to policy's attributes during the verification process; The model is analyzed using Information Theory Tools. Results show that our model outperforms other notable work in terms of computational overheads.,

scholarly journals A Mobile App for Assisting Users to Make Informed Selections in Security Settings for Protecting Personal Health Data: Development and Feasibility Study (Preprint)

2018 ◽  
Author(s):  
Leming Zhou ◽  
Bambang Parmanto ◽  
Zakiy Alfikri ◽  
Jie Bao
Keyword(s):  
Access Control ◽  
Mobile Apps ◽  
Health Data ◽  
Mobile App ◽  
Security And Privacy ◽  
Personal Health ◽  
Security Measures ◽  
Security Education ◽  
Study Results ◽  
Before And After

BACKGROUND On many websites and mobile apps for personal health data collection and management, there are security features and privacy policies available for users. Users sometimes are given an opportunity to make selections in a security setting page; however, it is challenging to make informed selections in these settings for users who do not have much education in information security as they may not precisely know the meaning of certain terms mentioned in the privacy policy or understand the consequences of their selections in the security and privacy settings. OBJECTIVE The aim of this study was to demonstrate several commonly used security features such as encryption, user authentication, and access control in a mobile app and to determine whether this brief security education is effective in encouraging users to choose stronger security measures to protect their personal health data. METHODS A mobile app named SecSim (Security Simulator) was created to demonstrate the consequences of choosing different options in security settings. A group of study participants was recruited to conduct the study. These participants were asked to make selections in the security settings before and after they viewed the consequences of security features. At the end of the study, a brief interview was conducted to determine the reason for their selections in the security settings. Their selections before and after the security education were compared in order to determine the effectiveness of the security education. The usability of the app was also evaluated. RESULTS In total, 66 participants finished the study and provided their answers in the app and during a brief interview. The comparison between the pre- and postsecurity education selection in security settings indicated that 21% (14/66) to 32% (21/66) participants chose a stronger security measure in text encryption, access control, and image encryption; 0% (0/66) to 2% (1/66) participants chose a weaker measure in these 3 security features; and the remainder kept their original selections. Several demographic characteristics such as marital status, years of experience using mobile devices, income, employment, and health status showed an impact on the setting changes. The usability of the app was good. CONCLUSIONS The study results indicate that a significant percentage of users (21%-32%) need guidance to make informed selection in security settings. If websites and mobile apps can provide embedded security education for users to understand the consequences of their security feature selection and the meaning of commonly used security features, it may help users to make the best choices in terms of security settings. Our mobile app, SecSim, offers a unique approach for mobile app users to understand commonly used security features. This app may be incorporated into other apps or be used before users make selections in their security settings.

scholarly journals A Simulated Graphical Interface for Integrating Patient-Generated Health Data From Smartwatches With Electronic Health Records: Usability Study

10.2196/19769 ◽  
2020 ◽  
Vol 7 (4) ◽  
pp. e19769
Author(s):  
Jordan M Alpert ◽  
Naga S Prabhakar Kota ◽  
Sanjay Ranka ◽  
Tonatiuh V Mendoza ◽  
Laurence M Solberg ◽  
...  
Keyword(s):  
Health Care ◽  
Electronic Health Records ◽  
Health Care Professionals ◽  
Health Data ◽  
Graphical Interface ◽  
Usability Study ◽  
Health Records ◽  
Information Navigation ◽  
Key Stakeholders ◽  
Electronic Health

Background Wearable technology, such as smartwatches, can capture valuable patient-generated data and help inform patient care. Electronic health records provide logical and practical platforms for including such data, but it is necessary to evaluate the way the data are presented and visualized. Objective The aim of this study is to evaluate a graphical interface that displays patients’ health data from smartwatches, mimicking the integration within the environment of electronic health records. Methods A total of 12 health care professionals evaluated a simulated interface using a usability scale questionnaire, testing the clarity of the interface, colors, usefulness of information, navigation, and readability of text. Results The interface was positively received, with 14 out of the 16 questions generating a score of 5 or greater among at least 75% of participants (9/12). On an 8-point Likert scale, the highest rated features of the interface were quick turnaround times (mean score 7.1), readability of the text (mean score 6.8), and use of terminology/abbreviations (mean score 6.75). Conclusions Collaborating with health care professionals to develop and refine a graphical interface for visualizing patients’ health data from smartwatches revealed that the key elements of the interface were acceptable. The implementation of such data from smartwatches and other mobile devices within electronic health records should consider the opinions of key stakeholders as the development of this platform progresses.

Managing Privacy and Effectiveness of Patient-Administered Authorization Policies

2012 ◽  
Vol 3 (2) ◽  
pp. 43-62
Author(s):  
Thomas Trojer ◽  
Basel Katt ◽  
Ruth Breu ◽  
Thomas Schabetsberger ◽  
Richard Mair
Keyword(s):  
Health Care ◽  
Information System ◽  
Access Control ◽  
Data Privacy ◽  
Evaluation Criteria ◽  
Control Policy ◽  
Health Data ◽  
Personal Health ◽  
Access Control Policy ◽  
Authorization Policies

A central building block of data privacy is the individual right of information self-determination. Following from that when dealing with shared electronic health records (SEHR), citizens, as the identified individuals of such records, have to be enabled to decide what medical data can be used in which way by medical professionals. In this context individual preferences of privacy have to be reflected by authorization policies to control access to personal health data. There are two potential challenges when enabling patient-controlled access control policy authoring: First, an ordinary citizen neither can be considered a security expert, nor does she or he have the expertise to fully understand typical activities and workflows within the health-care domain. Thus, a citizen is not necessarily aware of implications her or his access control settings have with regards to the protection of personal health data. Both privacy of citizen’s health-data and the overall effectiveness of a health-care information system are at risk if inadequate access control settings are in place. This paper refers to scenarios of a case study previously conducted and shows how privacy and information system effectiveness can be defined and evaluated in the context of SEHR. The paper describes an access control policy analysis method which evaluates a patient-administered access control policy by considering the mentioned evaluation criteria.

Exploring Type-and-Identity-Based Proxy Re-Encryption Scheme to Securely Manage Personal Health Records

2011 ◽  
pp. 391-411 ◽  
Author(s):  
Luan Ibraimi ◽  
Qiang Tang ◽  
Pieter Hartel ◽  
Willem Jonker
Keyword(s):  
Access Control ◽  
Health Data ◽  
Personal Health Records ◽  
Third Party ◽  
Personal Health ◽  
Encryption Scheme ◽  
Web Based ◽  
The Third ◽  
Access Control Policies ◽  
Identity Based

Commercial Web-based Personal-Health Record (PHR) systems can help patients to share their personal health records (PHRs) anytime from anywhere. PHRs are very sensitive data and an inappropriate disclosure may cause serious problems to an individual. Therefore commercial Web-based PHR systems have to ensure that the patient health data is secured using state-of-the-art mechanisms. In current commercial PHR systems, even though patients have the power to define the access control policy on who can access their data, patients have to trust entirely the access-control manager of the commercial PHR system to properly enforce these policies. Therefore patients hesitate to upload their health data to these systems as the data is processed unencrypted on untrusted platforms. Recent proposals on enforcing access control policies exploit the use of encryption techniques to enforce access control policies. In such systems, information is stored in an encrypted form by the third party and there is no need for an access control manager. This implies that data remains confidential even if the database maintained by the third party is compromised. In this paper we propose a new encryption technique called a type-and-identity-based proxy re-encryption scheme which is suitable to be used in the healthcare setting. The proposed scheme allows users (patients) to securely store their PHRs on commercial Web-based PHRs, and securely share their PHRs with other users (doctors).

Exploring Type-and-Identity-Based Proxy Re-Encryption Scheme to Securely Manage Personal Health Records

2012 ◽  
pp. 73-93
Author(s):  
Luan Ibraimi ◽  
Qiang Tang ◽  
Pieter Hartel ◽  
Willem Jonker
Keyword(s):  
Access Control ◽  
Health Data ◽  
Personal Health Records ◽  
Third Party ◽  
Personal Health ◽  
Encryption Scheme ◽  
Web Based ◽  
The Third ◽  
Access Control Policies ◽  
Identity Based

Commercial Web-based Personal-Health Record (PHR) systems can help patients to share their personal health records (PHRs) anytime from anywhere. PHRs are very sensitive data and an inappropriate disclosure may cause serious problems to an individual. Therefore commercial Web-based PHR systems have to ensure that the patient health data is secured using state-of-the-art mechanisms. In current commercial PHR systems, even though patients have the power to define the access control policy on who can access their data, patients have to trust entirely the access-control manager of the commercial PHR system to properly enforce these policies. Therefore patients hesitate to upload their health data to these systems as the data is processed unencrypted on untrusted platforms. Recent proposals on enforcing access control policies exploit the use of encryption techniques to enforce access control policies. In such systems, information is stored in an encrypted form by the third party and there is no need for an access control manager. This implies that data remains confidential even if the database maintained by the third party is compromised. In this paper we propose a new encryption technique called a type-and-identity-based proxy re-encryption scheme which is suitable to be used in the healthcare setting. The proposed scheme allows users (patients) to securely store their PHRs on commercial Web-based PHRs, and securely share their PHRs with other users (doctors).

scholarly journals Developments in Privacy and Data Ownership in Mobile Health Technologies, 2016-2019

2020 ◽  
Vol 29 (01) ◽  
pp. 032-043 ◽  
Author(s):  
Hannah K. Galvin ◽  
Paul R. DeMuro
Keyword(s):  
Access Control ◽  
Data Storage ◽  
Mobile Health ◽  
Data Privacy ◽  
Relevant Literature ◽  
Personal Data ◽  
Health Data ◽  
Human Right ◽  
Health Technologies ◽  
Data Ownership

Objectives: To survey international regulatory frameworks that serve to protect privacy of personal data as a human right as well as to review the literature regarding privacy protections and data ownership in mobile health (mHealth) technologies between January 1, 2016 and June 1, 2019 in order to identify common themes. Methods: We performed a review of relevant literature available in English published between January 1, 2016 and June 1, 2019 from databases including PubMed, Google Scholar, and Web of Science, as well as relevant legislative background material. Articles out of scope (as detailed below) were eliminated. We categorized the remaining pool of articles and discrete themes were identified, specifically: concerns around data transmission and storage, including data ownership and the ability to re-identify previously de-identified data; issues with user consent (including the availability of appropriate privacy policies) and access control; and the changing culture and variable global attitudes toward privacy of health data. Results: Recent literature demonstrates that the security of mHealth data storage and transmission remains of wide concern, and aggregated data that were previously considered “de-identified” have now been demonstrated to be re-identifiable. Consumer-informed consent may be lacking with regard to mHealth applications due to the absence of a privacy policy and/or to text that is too complex and lengthy for most users to comprehend. The literature surveyed emphasizes improved access control strategies. This survey also illustrates a wide variety of global user perceptions regarding health data privacy. Conclusion: The international regulatory framework that serves to protect privacy of personal data as a human right is diverse. Given the challenges legislators face to keep up with rapidly advancing technology, we introduce the concept of a “healthcare fiduciary” to serve the best interest of data subjects in the current environment.

Sign in / Sign up

Export Citation Format

Share Document