Towards HIPAA-compliant healthcare systems

In healthcare domain, there is a gap between healthcare systems and government regulations such as the Health In-surance Portability and Accountability Act (HIPAA). The violations of HIPAA not only may cause the disclosure of patients ’ sensitive information, but also can bring about tremendous economic loss and reputation damage to health-care providers. Taking effective measures to address this gap has become a critical requirement for all healthcare entities. However, the complexity of HIPAA regulations makes it dif-ficult to achieve this requirement. In this paper, we propose a framework to bridge such a critical gap between healthcare systems and HIPAA regulations. Our framework supports compliance-oriented analysis to determine whether a health-care system is complied with HIPAA regulations. We also describe our evaluation results to demonstrate the feasibility and effectiveness of our approach

A systematic literature review of cloud computing in eHealth

Cloud computing in eHealth is an emerging area for only few years. There needs to identify the state of the art and pinpoint challenges and possible directions for researchers and applications developers. Based on this need, we have conducted a systematic review of cloud computing in eHealth. We searched ACM Digital Library, IEEE Xplore, Inspec, ISI Web of Science and Springer as well as relevant open-access journals for relevant articles. A total of 237 studies were first searched, of which 44 papers met the Include Criteria. The studies identified three types of studied areas about cloud computing in eHealth, namely (1) cloud-based eHealth framework design (n=13); (2) applications of cloud computing (n=17); and (3) security or privacy control mechanisms of healthcare data in the cloud (n=14). Most of the studies in the review were about designs and concept-proof. Only very few studies have evaluated their research in the real world, which may indicate that the application of cloud computing in eHealth is still very immature. However, our presented review could pinpoint that a hybrid cloud platform with mixed access control and security protection mechanisms will be a main research area for developing citizen centred home-based healthcare applications

Privacy-Preserving Deep Learning Model for Covid-19 Disease Detection

Recent studies demonstrated that X-ray radiography showed higher accuracy than Polymerase Chain Reaction (PCR) testing for COVID-19 detection. Therefore, applying deep learning models to X-rays and radiography images increases the speed and accuracy of determining COVID-19 cases. However, due to Health Insurance Portability and Accountability (HIPAA) compliance, the hospitals were unwilling to share patient data due to privacy concerns. To maintain privacy, we propose differential private deep learning models to secure the patients' private information. The dataset from the Kaggle website is used to evaluate the designed model for COVID-19 detection. The EfficientNet model version was selected according to its highest test accuracy. The injection of differential privacy constraints into the best-obtained model was made to evaluate performance. The accuracy is noted by varying the trainable layers, privacy loss, and limiting information from each sample. We obtained 84\% accuracy with a privacy loss of 10 during the fine-tuning process

Security aspects in healthcare information systems: A systematic mapping

The security of patient’s data is the most overbearing barrier to access when considering the adoption of Healthcare Information Systems (HIS) in the healthcare industry. Recently, several studies were conducted to address security risks, and a series of solutions were proposed to enable data and privacy protection. In this paper we conduct the systematic mapping review to know more about security aspects in HIS. Our study provides a comprehensive review of the literature on the evaluation and implementation of HIS security, detailing the challenges and recommendations for implementers and adopters alike. The purpose of this paper is to analyse the security perspective and some of the important concerns that need to be considered to successfully use information systems in healthcare.publishedVersio

An Intelligent Technique for Framework and Security Issues Association in Multi Cloud Environment

Abstract-Cloud Computing is a recent technology which rapidly developing in area of information technology has the concern of the network. It provides a huge change in technology that Internet based computing, by which software, information and shared resources are provided to computers and the strategy on demand, like the grid of the electricity. Cloud computing is the product of the synthesis of traditional computing technology and network technology like parallel computing, distributed computing. The main goal of cloud computing is to construct a perfect system with powerful computing capability through a large number of relatively low cost computing entity using the advanced business models like SaaS, PaaS, IaaS to distribute the powerful computing capability to end users. Developers, Administrators, and Users have to make a decision about which environment is best suited for them. When we trying to compare such frameworks it is difficult because either users do not have access to all of them or they are comparing the performance of such systems on different resources that make it difficult to obtain objective comparisons. Hence virtualization of resources such as memory, network, processors and storage ensures scalability and high availability of computing capability. However clouds can dynamically provision these virtual resources to hosted applications or to clients that use them to develop their own applications or to store data. The rapid provisioning and dynamic reconfiguration of resources help to handle with variable demand and ensure optimum resource utilization. Proposed proxy-based multicloud computing framework allows dynamic, resource sharing and on the fly collaborations among cloud based services, policy and privacy issues, and addressing trust without pre established collaboration agreements

Handling confidentiality and privacy on cloud-based health information systems

Health-related data include not only the patient’s personal information, but also specific information about the patient health problems, supplementary diagnostic examination results, and much more. All this information is extremely sensitive and should only be accessed by the proper entities and actors, for special specific purposes. Described herein is an approach to address security and privacy of health-related data based on rights management technologies, with an architecture to minimize security risks and privacy conerns. This approach consists of the reutilisation of an open-source and open-specifications rights management system, and designing and adapting the necessary components to address the specific security and privacy requirements that must be faced when managing health and patient data.info:eu-repo/semantics/acceptedVersio

Analysis of Cybersecurity Standard and Framework Components

Satisfactory cybersecurity protection, encompassing all data security solutions, can only be achieved by adopting a cybersecurity framework that provides a structure and methodology for protecting critical digital assets. In addition, security experts recommend using cybersecurity standards which consist of a collection of best practices to protect organizations from cyber threats. However, many organizations, companies and governments lack experienced personnel in the cybersecurity domain, so they have difficulty adopting a standard approach or cybersecurity framework. Protecting organizations from cyber threats while demonstrating compliance with laws and standards is seen as extremely complex due to the difficulty on choosing the appropriate standard to be used. Moreover, lack of knowledge on the elements needed that offered by the standard is lead to the problem on identifying the started point where the protection will be began.  Therefore, in this paper, a literature and the analysis is presented in identifying the elements of cybersecurity standard and framework that can be facilitate the organization or government on choosing the appropriate standard and framework to be used and utilized. The literature review was carried out to understand the various types of cybersecurity standards and frameworks and the analysis is conducted to identify the elements in each of them. In this paper, eight steps are presented and include the types of international standards, which are general, local regulation, as well as specific standards used in the industrial sector, to conclude the findings of the analysis. Furthermore, a relation map is presented using Writing a Literature Review release 2.0 approach to show the relationship between the literature review and future research

Exploring the Effectiveness of the Psychiatric Emergency Response Team at a Washington State Hospital

Patient-to-staff assaults have become a barrier to workplace safety at U.S. psychiatric hospitals. Assaults on staff result in loss of productive social service for the mentally ill; increases in labor, industrial, and medical costs from claims; and psychological scars, such as posttraumatic stress disorder, that may never completely heal. The purpose of this quantitative study was to explore the effectiveness of the Psychiatric Emergency Response Team (PERT) at the Washington state hospital in reducing patient assaults on staff. There is very little research to substantiate the effectiveness of the PERT program as a conduit of workplace safety in psychiatric institutional care and none demonstrating that PERT is a useful program at the Washington state hospital. The theoretical approach in the current study for examining how organizations function with cohesiveness under certain organizational equilibrium constraints was Bandura’s social learning theory. A quantitative archival analysis design was used to determine relationship between several levels of an independent variable (time) and the dependent variable (number of assaults) via a time-series procedure, the one-way within subjects ANOVA. Results showed that there was an increase in assaults in the 6 months post-PERT implementation compared to the 6 months before but a reduction of work loss. Decreased work loss after assaults could lead to less severe injuries due to the PERT response to incidents. Reducing injuries could lead to positive social change by affecting the psychological and physical well-being of patients and staff. For patients, it could promote healing and recovery as they discharge from the hospital and re-enter society

PRIVACY-PRESERVING QUERY PROCESSING ON OUTSOURCED DATABASES IN CLOUD COMPUTING

Database-as-a-Service (DBaaS) is a category of cloud computing services that enables IT providers to deliver database functionality as a service. In this model, a third party service provider known as a cloud server hosts a database and provides the associated software and hardware supports. Database outsourcing reduces the workload of the data owner in answering queries by delegating the tasks to powerful third-party servers with large computational and network resources. Despite the economic and technical benefits, privacy is the primary challenge posed by this category of services. By using these services, the data owners will lose the control of their databases. Moreover, the privacy of clients may be compromised since a curious cloud operator can follow the queries of a client and infer what the client is after. The challenge is to fulfill the main privacy goals of both the data owner and the clients without undermining the ability of the cloud server to return the correct query results. This thesis considers the design of protocols that protect the privacy of the clients and the data owners in the DBaaS model. Such protocols must protect the privacy of the clients so that the data owner and the cloud server cannot infer the constants contained in the query predicate as well as the query result. Moreover, the data owner privacy should be preserved by ensuring that the sensitive information in the database is not leaked to the cloud server and nothing beyond the query result is revealed to the clients. The results of the complexity and performance analysis indicates that the proposed protocols incur reasonable communication and computation overhead on the client and the data owner, considering the added advantage of being able to perform the symmetrically-private database search

Adding Privacy Protection to Policy Based Authorisation Systems

An authorisation system determines who is authorised to do what i.e. it assigns privileges to users and provides a decision on whether someone is allowed to perform a requested action on a resource. A traditional authorisation decision system, which is simply called authorisation system or system in the rest of the thesis, provides the decision based on a policy which is usually written by the system administrator. Such a traditional authorisation system is not sufficient to protect privacy of personal data, since users (the data subjects) are usually given a take it or leave it choice to accept the controlling organisation’s policy. Privacy is the ability of the owners or subjects of personal data to control the flow of data about themselves, according to their own preferences. This thesis describes the design of an authorisation system that will provide privacy for personal data by including sticky authorisation policies from the issuers and data subjects, to supplement the authorisation policy of the controlling organisation. As personal data moves from controlling system to controlling system, the sticky policies travel with the data. A number of data protection laws and regulations have been formulated to protect the privacy of individuals. The rights and prohibitions provided by the law need to be enforced by the authorisation system. Hence, the designed authorisation system also includes the authorisation rules from the legislation. This thesis describes the conversion of rules from the EU Data Protection Directive into machine executable rules. Due to the nature of the legislative rules, not all of them could be converted into deterministic machine executable rules, as in several cases human intervention or human judgement is required. This is catered for by allowing the machine rules to be configurable. Since the system includes independent policies from various authorities (law, issuer, data subject and controller) conflicts may arise among the decisions provided by them. Consequently, this thesis describes a dynamic, automated conflict resolution mechanism. Different conflict resolution algorithms are chosen based on the request contexts. As the EU Data Protection Directive allows processing of personal data based on contracts, we designed and implemented a component, Contract Validation Service (ConVS) that can validate an XML based digital contract to allow processing of personal data based on a contract. The authorisation system has been implemented as a web service and the performance of the system is measured, by first deploying it in a single computer and then in a cloud server. Finally the validity of the design and implementation are tested against a number of use cases based on scenarios involving accessing medical data in a health service provider’s system and accessing personal data such as CVs and degree certificates in an employment service provider’s system. The machine computed authorisation decisions are compared to the theoretical decisions to ensure that the system returns the correct decisions