Zhou Tian-shu,Li Peng-fei,Li Jing-song

DOI: https://doi.org/10.2991/ccis-13.2013.56

2013-01-01

Abstract:Since the health information exchange (HIE) becomes more and more important and numerous systems have been implemented among medical institutions and regions, there also grows the concern of data security and privacy protection. In the prior work, we have designed and developed an international clinical data exchange system named Global Dolphin, technically achieving the goal of health information exchange between China and Japan. However, to put the system into practical use, we have to take the different privacy protection rules into account. In the clinical data exchange implementation, we tried to conform to the stricter privacy protection standards and designed a protected health information (PHI) de-identification system to keep the personal information secure from third parties. Since China and Japan do not yet have detailed rules and guidelines such as the safe harbor method in Health Insurance Portability and Accountability Act (HIPAA), thus we have referenced some of the HIPAA rules and guidelines about PHI, and used a dictionary and regular expressions pattern matching de-identification means to protect personal privacy.

Timothy Judson,Mark Haas,Tara Lagu

DOI: https://doi.org/10.1016/s1553-7250(14)40038-2

Abstract:Background: Medical identity theft refers to the misuse of another individual's identifying medical information to receive medical care. Beyond the financial burden on patients, hospitals, health insurance companies, and government insurance programs, undetected cases pose major patient safety challenges. Inaccuracies in the medical record may persist even after the theft has been identified because of restrictions imposed by patient privacy laws. Massachusetts General Hospital (MGH; Boston) has conducted initiatives to prevent medical identity theft and to better identify and respond to cases when they occur. Methods: Since 2007, MGH has used a notification tree to standardize reporting of red flag incidents (warning signs of identity theft, such as suspicious personal identifiers or account activity). A Data Integrity Dashboard allows for tracking and reviewing of all potential incidents of medical identity theft to detect trends and targets for mitigation. An identity-checking policy, VERI-(Verify Everyone's Identity) Safe Patient Care, requires photo identification at every visit and follow-up if it is not provided. Results: Data from MGH suggest that an estimated 120 duplicate medical records are created each month, 25 patient encounters are likely tied to identity theft or fraud each quarter, and 14 patients are treated under the wrong medical record number each year. As of December 2013, 80%-85% of patients were showing photo identification at appointments. Conclusion: Although an organization's policy changes and educational campaigns can improve detection and reconciliation of medical identity theft cases, national policies should be implemented to streamline the process of correcting errors in medical records, reduce the financial disincentive for hospitals to detect and report cases, and create a single point of entry to reduce the burden on individuals and providers to reconcile cases.

Amalia R Miller,Catherine E Tucker

DOI: https://doi.org/10.1002/pam.20590

Abstract:Fast-paced IT advances have made it increasingly possible and useful for firms to collect data on their customers on an unprecedented scale. One downside of this is that firms can experience negative publicity and financial damage if their data are breached. This is particularly the case in the medical sector, where we find empirical evidence that increased digitization of patient data is associated with more data breaches. The encryption of customer data is often presented as a potential solution, because encryption acts as a disincentive for potential malicious hackers, and can minimize the risk of breached data being put to malicious use. However, encryption both requires careful data management policies to be successful and does not ward off the insider threat. Indeed, we find no empirical evidence of a decrease in publicized instances of data loss associated with the use of encryption. Instead, there are actually increases in the cases of publicized data loss due to internal fraud or loss of computer equipment.

Christine M O'Keefe,Donald B Rubin,Christine M. O'Keefe,Donald B. Rubin

DOI: https://doi.org/10.1002/sim.6543

2015-06-05

Statistics in Medicine

Abstract:Health and medical data are increasingly being generated, collected, and stored in electronic form in healthcare facilities and administrative agencies. Such data hold a wealth of information vital to effective health policy development and evaluation, as well as to enhanced clinical care through evidence-based practice and safety and quality monitoring. These initiatives are aimed at improving individuals' health and well-being. Nevertheless, analyses of health data archives must be conducted in such a way that individuals' privacy is not compromised. One important aspect of protecting individuals' privacy is protecting the confidentiality of their data. It is the purpose of this paper to provide a review of a number of approaches to reducing disclosure risk when making data available for research, and to present a taxonomy for such approaches. Some of these methods are widely used, whereas others are still in development. It is important to have a range of methods available because there is also a range of data-use scenarios, and it is important to be able to choose between methods suited to differing scenarios. In practice, it is necessary to find a balance between allowing the use of health and medical data for research and protecting confidentiality. This balance is often presented as a trade-off between disclosure risk and data utility, because methods that reduce disclosure risk, in general, also reduce data utility.

public, environmental & occupational health,medicine, research & experimental,medical informatics,mathematical & computational biology,statistics & probability

Jennifer Skarda-McCann

2006-06-22

Abstract:I. INTRODUCTION Using personal medical and financial information to blackmail unsuspecting individuals may sound like the plotline to a conspiracy theory movie. In reality, it may also be a consequence of the practice of outsourcing electronic data to foreign countries for business processing. Since the fall of 2003, major newspapers have reported at least two instances of threats by foreign medical record transcriptionists to release patients' medical information via the Internet. (1) On October 7, 2003, a medical transcriptionist in Karachi, Pakistan, sent an email message to the University of California San Francisco Medical Center ("UCSF"), demanding payment for her work, with patient files attached. (2) In a similar incident only a few weeks later, Heartland Information Services ("Heartland"), an Ohio-based company, received an email message from its own employees in Bangalore, India, who attempted to extort money by threatening to reveal confidential material. (3) The average patient would not normally know if her medical information was transmitted abroad following a hospital visit. Transcription of medical records generally is classified as one of the operations for which health care providers can disclose individuals' information without meeting the statutory requirement of obtaining consent. (4) Sometimes medical records awaiting transcription are forwarded, without the knowledge of the health care provider, to several different individuals through subcontracted relationships. For example, in the UCSF incident, the medical center had outsourced its medical record transcription to a California-based company, which in turn had subcontracted with an individual in Florida. (5) Against the terms of her original contract with the California-based firm, the subcontractor in Florida had subcontracted work to an individual in Texas, who, unbeknownst to her, had solicited work from the freelance transcriptionist in Karachi. (6) On the other hand, some health care providers knowingly outsource their records transcription to companies that use overseas employees to complete the work. (7) Heartland's extortion threat is perhaps more alarming than the UCSF incident because, while its clients knew their work was being sent overseas, the company never informed them of this incident. (8) Moreover, the company's representative failed to mention the incident during his appearance at a hearing before state legislators in California on the subject of industry safeguards to protect outsourced information. (9) Although the Supreme Court has implied that it might recognize a right to privacy of personal information, (10) the current legal environment provides limited remedies to those whose privacy rights are transgressed. (11) In the face of a technological world advancing at a rapid rate, legislative action is the only way to guarantee individuals protection of their private information. However, legislators fear that adequate privacy protections will only be implemented as a result of some future scandal. (12) Privacy rights experts warn that just such a scandal is on the horizon. (13) This article addresses the threat of disclosure to consumers' private, personal information due to the increasing practice of outsourcing business processes to foreign companies. By way of introduction, it examines the trend of outsourcing: what jobs are commonly outsourced, in which industries, and the reasons why the practice has become increasingly common in the global economy. The article continues by describing the kinds of personal information that are commonly shared in outsourcing practices and examines two industries in depth: Internet-based loan processing and medical record transcription. To analyze consumer rights and remedies in this context, the article considers the notion of a right to privacy in one's personal information, and then discusses federal statutes and case law which may enable such a right, in particular, the Health Insurance Portability and Accountability Act of 1996 (14) and the Gramm Leach-Bliley Act. …

Engineering,Law

Stephen J Tipton,Sara Forkey,Young B Choi

DOI: https://doi.org/10.1007/s10916-016-0465-x

Abstract:This paper examines various methods encompassing the authentication of users in accessing Electronic Medical Records (EMRs). From a methodological perspective, multiple authentication methods have been researched from both a desktop and mobile accessibility perspective. Each method is investigated at a high level, along with comparative analyses, as well as real world examples. The projected outcome of this examination is a better understanding of the sophistication required in protecting the vital privacy constraints of an individual's Protected Health Information (PHI). In understanding the implications of protecting healthcare data in today's technological world, the scope of this paper is to grasp an overview of confidentiality as it pertains to information security. In addressing this topic, a high level overview of the three goals of information security are examined; in particular, the goal of confidentiality is the primary focus. Expanding upon the goal of confidentiality, healthcare accessibility legal aspects are considered, with a focus upon the Health Insurance Portability and Accountability Act of 1996 (HIPAA). With the primary focus of this examination being access to EMRs, the paper will consider two types of accessibility of concern: access from a physician, or group of physicians; and access from an individual patient.

Raul Luna,Emily Rhine,Matthew Myhra,Ross Sullivan,Clemens Scott Kruse

DOI: https://doi.org/10.3233/THC-151102

Abstract:Background: Recent legislation empowering providers to embrace the electronic exchange of health information leaves the healthcare industry increasingly vulnerable to cybercrime. The objective of this systematic review is to identify the biggest threats to healthcare via cybercrime. Objective: The rationale behind this systematic review is to provide a framework for future research by identifying themes and trends of cybercrime in the healthcare industry. Methods: The authors conducted a systematic search through the CINAHL, Academic Search Complete, PubMed, and ScienceDirect databases to gather literature relative to cyber threats in healthcare. All authors reviewed the articles collected and excluded literature that did not focus on the objective. Results: Researchers selected and examined 19 articles for common themes. The most prevalent cyber-criminal activity in healthcare is identity theft through data breach. Other concepts identified are internal threats, external threats, cyber-squatting, and cyberterrorism. Conclusions: The industry has now come to rely heavily on digital technologies, which increase risks such as denial of service and data breaches. Current healthcare cyber-security systems do not rival the capabilities of cyber criminals. Security of information is a costly resource and therefore many HCOs may hesitate to invest what is required to protect sensitive information.

Joseph E Chasteen,Gretchen Murphy,Arden Forrey,David Heid

2004-08-15

Abstract:This article reviews the issues related to the Health Insurance Portability & Accountability Act (HIPAA) security rule that apply to dental practice. The security rule specifically addresses individually identifiable health information that is transmitted or maintained in electronic media. System security must be applied to the entire technical infrastructure for the practice environment as well as to the work culture on a daily basis and must be thought of as an enterprise asset. Security refers to all of the policies, procedures, tools, and techniques used to assure that privacy and confidentiality are adequately addressed in a healthcare system. HIPAA requires all covered entities that transmit or maintain electronic health information perform, and document, a risk assessment for security and develop a security plan to address major areas of concern. A self-assessment tool is provided in this article.

Kimmarie Donahue,Shawon Rahman

DOI: https://doi.org/10.48550/arXiv.1512.01731

2015-11-30

Cryptography and Security

Abstract:Healthcare Information Technology (IT) has made great advances over the past few years and while these advances have enable healthcare professionals to provide higher quality healthcare to a larger number of individuals it also provides the criminal element more opportunities to access sensitive information, such as patient protected health information (PHI) and Personal identification Information (PII). Having an Information Assurance (IA) programallows for the protection of information and information systems and ensures the organization is in compliance with all requires regulations, laws and directive is essential. While most organizations have such a policy in place, often it is inadequate to ensure the proper protection to prevent security breaches. The increase of data breaches in the last few years demonstrates the importance of an effective IA program. To ensure an effective IA policy, the policy must manage the operational risk, including identifying risks, assessment and mitigation of identified risks and ongoing monitoring to ensure compliance

Megha M. Moncy,Sadia Afreen,Saptarshi Purkayastha

2023-11-07

Abstract:This research examines the pivotal role of human behavior in the realm of healthcare data management, situated at the confluence of technological advancements and human conduct. An in-depth analysis of security breaches in the United States from 2009 to the present elucidates the dominance of human-induced security breaches. While technological weak points are certainly a concern, our study highlights that a significant proportion of breaches are precipitated by human errors and practices, thus pinpointing a conspicuous deficiency in training, awareness, and organizational architecture. In spite of stringent federal mandates, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, breaches persist, emphasizing the indispensable role of human factors within this domain. Such oversights not only jeopardize patient data confidentiality but also undermine the foundational trust inherent in the healthcare infrastructure. By probing the socio-technical facets of healthcare security infringements, this article advocates for an integrated, dynamic, and holistic approach to healthcare data security. The findings underscore the imperative of augmenting technological defenses while concurrently elevating human conduct and institutional ethos, thereby cultivating a robust and impervious healthcare data management environment.

Computers and Society,Cryptography and Security

Mitchell G. Goldenberg,Teodor P. Grantcharov

DOI: https://doi.org/10.1007/978-3-319-61446-5_17

2018-01-01

Health Informatics

Abstract:Patient confidentiality has remained a central issue in the current “big data” era of healthcare. Protections such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) exist to ensure that digital personal health information (PHI) are legally secure from threats and breaches that would threaten confidentiality. To be compliant with HIPAA regulations, steps must be taken by health care providers and digital health platforms, and these fall under the Privacy Rule, which outlines appropriate uses and disclosures of PHI, and the Security Rule, which lays out with granularity the steps that must be taken to adhere to the HIPAA regulations. Through deliberate design of secure digital health platforms, we can use technological advances in the collection, measurement, and delivery of health care to advance care and improve patient safety. Renewed efforts to optimize and standardize health care delivery has facilitated the implementation of electronic and digital health solutions that benefit medical and surgical training and efficiency while minimizing harm to patients. Cross-industry innovations such as the OR Black Box® will allow us to accomplish these lofty goals. Finally, we must strive to include patients in this digital health movement, as now more than ever we can create knowledge translation solutions that ensure that patients understand their health in a meaningful way.

D Y Dodek,A Dodek

1997-03-15

CMAJ

Abstract:Although patient confidentiality has been a fundamental ethical principle since the Hippocratic Oath, it is under increasing threat. The main area of confidentiality is patient records. Physicians must be able to store and dispose of medical records securely. Patients should be asked whether some information should be kept out of the record or withheld if information is released. Patient identity should be kept secret during peer review of medical records. Provincial legislation outlines circumstances in which confidential information must be divulged. Because of the "team approach" to care, hospital records may be seen by many health care and administrative personnel. All hospital workers must respect confidentiality, especially when giving out information about patients by telephone or to the media. Research based on medical-record review also creates challenges for confidentiality. Electronic technology and communications are potential major sources of breaches of confidentiality. Computer records must be carefully protected from casual browsing or from unauthorized access. Fax machines and cordless and cellular telephones can allow unauthorized people to see or overhear confidential information. Confidentiality is also a concern in clinical settings, including physicians' offices and hospitals. Conversations among hospital personnel in elevators or public cafeterias can result in breaches of confidentiality. Patient confidentiality is a right that must be safeguarded by all health care personnel.

Stefanos Gritzalis,Costas Lambrinoudakis,Dimitrios Lekkas,Spyros Deftereos

DOI: https://doi.org/10.1109/titb.2005.847498

Abstract:Raising awareness and providing guidance to on-line data protection is undoubtedly a crucial issue worldwide. Equally important is the issue of applying privacy-related legislation in a coherent and coordinated way. Both these topics gain extra attention when referring to medical environments and, thus, to the protection of patients' privacy and medical data. Electronic medical transactions require the transmission of personal and medical information over insecure communication channels like the Internet. It is, therefore, a rather straightforward task to capture the electronic medical behavior of a patient, thus constructing "patient profiles," or reveal sensitive information related to a patient's medical history. The consequence is clearly a potential violation of the patient's privacy. We performed a risk analysis study for a Greek shared care environment for the treatment of patients suffering from beta-thalassemia, an empirically embedded scenario that is representative of many other electronic medical environments; we capitalized on its results to provide an assessment of the associated risks, focusing on the description of countermeasures, in the form of technical guidelines that can be employed in such medical environments for protecting the privacy of personal and medical information.

Jeffrey CL Looi,Richard CH Looi,Paul A Maguire,Steve Kisely,Tarun Bastiampillai,Stephen Allison

DOI: https://doi.org/10.1177/10398562241230816

2024-01-30

Australasian Psychiatry

Abstract:Australasian Psychiatry, Ahead of Print. ObjectiveTo update psychiatrists and trainees on the realised risks of electronic health record data breaches.MethodsThis is a selective narrative review and commentary regarding electronic health record data breaches.ResultsRecent events such as the Medibank and Australian Clinical Labs data breaches demonstrate the realised risks for electronic health records. If stolen identity data is publicly released, patients and doctors may be subject to blackmail, fraud, identity theft and targeted scams. Medical diagnoses of psychiatric illness and substance use disorder may be released in blackmail attempts.ConclusionsPsychiatrists, trainees and their patients need to understand the inevitability of electronic health record data breaches. This understanding should inform a minimised collection of personal information in the health record to avoid exposure of confidential information and identity theft. Governmental regulation of electronic health record privacy and security is needed.

psychiatry

Marek Tiits,Tarmo Kalvet,David McBee

2024-12-10

Abstract:This paper addresses critical questions surrounding the security of government-issued identity documents and their potential misuse, with an emphasis on understanding the perspectives of ordinary citizens across Europe and the United States of America. Drawing upon research on technology acceptance and diffusion, the research focuses on understanding the factors that influence users' adoption of novel identity management solutions. Our methodology includes a comprehensive, census-representative survey spanning citizens from France, Germany, Italy, Spain, the United Kingdom, and the USA. The paper's findings underscore a robust confidence in government-issued identity documents, contrasted by a lower trust in private sector services, including social media platforms and email accounts. The adoption of artificial intelligence for identity verification remains contested, with a significant percentage of respondents undecided, indicating a need for explicit explanation and transparency about its implementation and related risks. Public sentiment leans towards acceptance of government data collection for identification purposes; however, the sharing of this data with private entities elicits more apprehension.

Computers and Society

Jahnavi Reddy,Nelly Elsayed,Zag ElSayed,Murat Ozer

DOI: https://doi.org/10.48550/arXiv.2111.00582

2022-08-31

Abstract:Providing security to Health Information is considered to be the topmost priority when compared to any other field. After the digitalization of the patient's records in the medical field, the healthcare/medical field has become a victim of several internal and external cyberattacks. Data breaches in the healthcare industry have been increasing rapidly. Despite having security standards such as HIPAA (Health Insurance Portability and Accountability Act), data breaches still happen on a daily basis. All various types of data breaches have the same harmful impact on healthcare data, especially on patients' privacy. The main objective of this paper is to analyze why healthcare data breaches occur and what is the impact of these breaches. The paper also presents the possible improvements that can be made in the current standards, such as HIPAA, to increase security in the healthcare field.

Cryptography and Security

Robert L McCarthy

DOI: https://doi.org/10.1331/JAPhA.2008.07144

Abstract:Objective: To provide a brief introduction to the ethical and, to some extent, the legal issues surrounding patient privacy and confidentiality. Data synthesis: The privacy of patient medical records and patient confidentiality has moved to the forefront of ethical and legal issues in health care. Technological advances, the growth and expansion of managed care, the emergence of consumerism, and the dramatic increase in the number of individuals and organizations with access to or a need to access patient medical information have all contributed to patient concerns about who has access to their records and for what purposes. Conclusion: Questions of patient privacy and confidentiality are likely to remain at the forefront of health care ethics and law in the coming years. Health professionals, including pharmacists, have a greater responsibility than ever before to ensure that safeguards exist to prevent inappropriate access to patient information.

R. Pandey,Saurabh Pandey

Abstract:— Big data is one the most promising, essential and modern computing era around the world. Big data is most commonly described as huge amount of un-structured data or we can say semi-structured data. The processing, storage, and analysis of such huge sets of data with the help of classical processing or database approaches or tools are insufficient, it requires advanced processing tools with real-time analysis. Healthcare (medical) is one of the important sector that produces big data because today, healthcare switches paper-based medical records into electronic platform to store, manage, analysis and process in the form of Electronic Medical Record (EMR) or Electronic Healthcare Record (EHR) with the help of internet..Due to vast digitization of medical big data(records) or we can say the use of technologies to transform healthcare industry into electronically available data to consumers, there are various security and privacy risks associated with the use of such technologies must be addressed in order to provide better and safe access of records online and make the system acceptable worldwide with the contribution of healthy economic growth. In this paper, we explore various security and privacy concerns surrounding medical (healthcare) big data.

Medicine,Computer Science

jinyuan sun,xiaoyan zhu,chi zhang,yuguang fang

DOI: https://doi.org/10.1016/B978-0-12-415815-3.00027-3

2012-01-01

Abstract:Fast and secure access to patients’ records helps to save lives with timely treatment in emergency situations. Therefore, anywhere-anytimeaccessible online health-care or medical systems play a vital role in daily life. Advances in (wireless) communications and computing technologies have lent great forces to migrating health-care systems from the paper based to the EHR (electronic health record) based, giving rise to increased efficiency in human operations, reduced storage costs and medical errors, improved data availability and sharing, etc. Unfortunately, such convenience also comes with concerns, which should be carefully addressed. For example, medical or health record privacy is a major concern to the patients and becomes the major barrier in the deployment of the EHR-based health-care systems. It is observed that privacy and security breaches have already penetrated every aspect of our activities and living environment including health care, financial, voting, e-commerce, military, etc. Thus, there is an urgent need for the development of architectures assuring privacy and security that are imperative to safeguarding confidential information wherever it digitally resides. Despite the paramount importance, little progress has been introduced by researchers in the design of security and privacy architectures for the EHR-based health-care system. In particular, two extremely critical issues are rarely touched in the research realm: health information privacy and sharing. Health information privacy (or medical record privacy) refers to the confidentiality and access restrictions of patients’ protected health information (PHI) which contains sensitive and personal information such as disease history and undergoing treatment. There are good reasons for keeping the records private and limiting the access to only minimum-necessary information: an employer may decide not to hire someone with psychological issues, an insurance company may refuse to provide life insurance when aware of the disease history of a patient, a person with certain types of disease may be discriminated by the health-care provider, and so on. However, fundamental developments of health-care systems have threatened the confidentiality of medical records and patient privacy [1], one of which is the exponential increase in the use of computers and automated information systems for health records. Computers (connected to a network) are now commonly used by the health-care providers to store and retrieve patients’ electronic health records (EHRs).

Tasha Glenn,Scott Monteith

DOI: https://doi.org/10.1007/s11920-014-0494-4

Abstract:Increasing quantities of medical and health data are being created outside of HIPAA protection, primarily by patients. Data sources are varied, including the use of credit cards for physician visit and medication co-pays, Internet searches, email content, social media, support groups, and mobile health apps. Most medical and health data not covered by HIPAA are controlled by third party data brokers and Internet companies. These companies combine this data with a wide range of personal information about consumer daily activities, transactions, movements, and demographics. The combined data are used for predictive profiling of individual health status, and often sold for advertising and other purposes. The rapid expansion of medical and health data outside of HIPAA protection is encroaching on privacy and the doctor-patient relationship, and is of particular concern for psychiatry. Detailed discussion of the appropriate handling of this medical and health data is needed by individuals with a wide variety of expertise.