13,761 research outputs found

    Cloud Computing and EU Data Privacy Regulations

    The European Union’s Data Protection Directive has been its major legislative instrument for handling consumer data. While the Directive hasn’t been revised since its passage in 1995, there have been dramatic changes in the ways personal data is accessed, stored, processed, transmitted, shared, and used. Cloud computing’s evolution is among the most influential forces to reshape and modify EU regulations

    A CROSS-COUNTRY STUDY OF CLOUD COMPUTING POLICY AND REGULATION IN HEALTHCARE

    International health IT policy currently supports the move towards cloud computing. Governments, industry leaders and advocacy groups are keen to build confidence among health professionals to adopt cloud-based solutions in healthcare. However, the potential benefits from cloud computing need to be evaluated against the risks. This research is a comparative study on U.S and EU health professionals' views on the potential benefits and risks from cloud computing. The results from surveying healthcare organizations in the U.S and five EU countries (France, Germany, the Netherlands, Sweden and the UK) identify differences across countries in health IT policy, incentives for adoption, privacy and security, and trust in third party suppliers. Our findings show that privacy and security are important issues for healthcare organizations, yet differences exist between the U.S and across EU Member States in how these concepts are viewed. U.S laws and EU Directives on data protection are more advanced than other international regulatory systems. Our study provides insights on cross-jurisdictional approaches to personal data and privacy, regulations and rules on health data export, how countries interpret and implement different data protection regulations and rules, and the practical implementation of regulatory rules using a comparative research method.

    INSTITUTIONAL EFFECTS OF COMPARATIVE GOVERNMENT REGULATION FOR THE PROTECTION AND PRIVACY OF HEALTH DATA IN THE CLOUD

    This research is a comparative study of the institutional effects of regulatory and compliance issues surrounding cloud computing in healthcare. Our focus is on health care organizations and the IT industry, and how these two important stakeholders interpret and apply the privacy and security rules from the U.S. and EU. As an institutional environment, healthcare is experiencing coercive, normative and mimetic isomorphic pressures on macro, meso and micro levels. International governments are seeking ways to build capacity in the cloud computing market, yet they are faced with difficult issues in relation to privacy and security of personal data. Our findings suggest that regulatory and compliance is being developed ‘in response to’ rather than ‘in anticipation of’ technical change. Normative pressures to encourage healthcare organizations to develop effective data protection and privacy policies to comply with new regulatory change are further complicated in an environment where cloud data may be transferred across different legal and regulatory jurisdictions. Our findings show that healthcare organizations and cloud providers need to work more closely together as business associates. However, translating HIPAA and EU rules and regulations into practice is thwarted by a lack of legal and regulatory knowledge, particularly in the smaller organizations

    Towards Tracking Data Flows in Cloud Architectures

    As cloud services become central in an increasing number of applications, they process and store more personal and business-critical data. At the same time, privacy and compliance regulations such as GDPR, the EU ePrivacy regulation, PCI, and the upcoming EU Cybersecurity Act raise the bar for secure processing and traceability of critical data. Especially the demand to provide information about existing data records of an individual and the ability to delete them on demand is central in privacy regulations. Common to these requirements is that cloud providers must be able to track data as it flows across the different services to ensure that it never moves outside of the legitimate realm, and it is known at all times where a specific copy of a record that belongs to a specific individual or business process is located. However, current cloud architectures provide the means neither to holistically track data flows across different services nor to enforce policies on data flows. In this paper, we point out the deficits in the data flow tracking functionalities of major cloud providers by means of a set of practical experiments. We then generalize from these experiments introducing a generic architecture that aims at solving the problem of cloud-wide data flow tracking and show how it can be built in a Kubernetes-based prototype implementation. Comment: 11 pages, 5 figures, 2020 IEEE 13th International Conference on Cloud Computing (CLOUD)

    Secure Information Systems in the Age of Cloud Computing

    Recent revelations by Edward Snowden speak volumes about the need to protect sensitive data to comply with privacy regulations worldwide. The Cloud Computing paradigm in which servers, storage and applications are delivered to an organization’s computers and devices through the Internet is here to stay. The benefit of this mode is that it enables data centres to be accessed and shared as virtual resources in a secure and scalable manner. For businesses, this is a very attractive model as services can expand or shrink as needs change. For information systems stored in the cloud to comply with EU data protection and privacy regulations, both the stored data and the connection between provider and customer need to be adequately protected against all known security risks. Recent reports indicate that 82% of cloud providers encrypt data in transit, protecting against man-in-the-middle attacks as data are transmitted. However, only 9.4% of cloud providers encrypt data once stored in the cloud, for file sharing convenience. This is a serious issue leaving the cloud vulnerable to data breaches and unauthorized access. In this paper, we will review security threats to cloud computing and present a solution based on our unique patented compression-encryption method. We focus on threat prevention through cryptographic methods that, when properly implemented, are virtually impossible to break directly. Our solution compresses data in a unique way tackling security, performance, data protection, privacy and cost issues. A unique, data-dependent symmetric key is generated as a side effect to the compression method. Without the key, the data cannot be decompressed. It is also important to realise that not all data in the cloud need to be encrypted, and not all data should be encrypted in the same way. For instance, images and video may be encrypted by a lossy method while text and other documents need to be lossless. Our algorithms cover both lossless and lossy requirements giving the user full control over what and where it is compressed-encrypted, either at the local machine or in the cloud. We highlight the benefits of the solution concerning less bandwidth requirements, faster data transmission and response times, less storage space, and less energy consumption. Finally, we consider that data protection and privacy legislations are not similar across the globe. It is demonstrated that our solution addresses security and privacy concerns according to current European legislation on data protection whether the servers are located or not in the EU

    Presence metadata in the Internet of Things challenges and opportunities

    The Internet of Things is an emerging computing paradigm that promises to revolutionise society. The widespread capture and aggregation of data from sensors and smart devices combined with processing using machine learning in cloud computing platforms provides unrivalled insights into our environment. In addition to the numerous benefits (smart healthcare, cities, transportation, etc.) such insights potentially jeopardise the privacy of individuals, organisations, and society as a whole. This is despite UK and EU regulations attempting to mitigate the risk of individuals’ data exposure and the impact of it on their security. To demonstrate the exploitation of metadata and its threat to privacy, this paper presents Meta-Blue, a Bluetooth Low Energy metadata capture, analysis, and visualisation tool. The results of a case study are combined with an overview of literature on IoT privacy to provide a holistic overview of the challenges and opportunities presented by IoT metadata

    Advanced Cloud Privacy Threat Modeling

    Privacy-preservation for sensitive data has become a challenging issue in cloud computing. Threat modeling as a part of requirements engineering in secure software development provides a structured approach for identifying attacks and proposing countermeasures against the exploitation of vulnerabilities in a system. This paper describes an extension of Cloud Privacy Threat Modeling (CPTM) methodology for privacy threat modeling in relation to processing sensitive data in cloud computing environments. It describes the modeling methodology that involved applying Method Engineering to specify characteristics of a cloud privacy threat modeling methodology, different steps in the proposed methodology and corresponding products. We believe that the extended methodology facilitates the application of a privacy-preserving cloud software development approach from requirements engineering to design

    Online privacy: towards informational self-determination on the internet : report from Dagstuhl Perspectives Workshop 11061

    The Dagstuhl Perspectives Workshop "Online Privacy: Towards Informational Self-Determination on the Internet" (11061) was held on February 6-11, 2011 at Schloss Dagstuhl. 30 participants from academia, public sector, and industry have identified the current status-of-the-art of and challenges for online privacy as well as derived recommendations for improving online privacy. Whereas the Dagstuhl Manifesto of this workshop concludes the results of the working groups and panel discussions, this article presents the talks of this workshop by their abstracts