Stefanos Gritzalis,Costas Lambrinoudakis,Dimitrios Lekkas,Spyros Deftereos

DOI: https://doi.org/10.1109/titb.2005.847498

Abstract:Raising awareness and providing guidance to on-line data protection is undoubtedly a crucial issue worldwide. Equally important is the issue of applying privacy-related legislation in a coherent and coordinated way. Both these topics gain extra attention when referring to medical environments and, thus, to the protection of patients' privacy and medical data. Electronic medical transactions require the transmission of personal and medical information over insecure communication channels like the Internet. It is, therefore, a rather straightforward task to capture the electronic medical behavior of a patient, thus constructing "patient profiles," or reveal sensitive information related to a patient's medical history. The consequence is clearly a potential violation of the patient's privacy. We performed a risk analysis study for a Greek shared care environment for the treatment of patients suffering from beta-thalassemia, an empirically embedded scenario that is representative of many other electronic medical environments; we capitalized on its results to provide an assessment of the associated risks, focusing on the description of countermeasures, in the form of technical guidelines that can be employed in such medical environments for protecting the privacy of personal and medical information.

Silvia Rodríguez-Mejías,Sara Degli-Esposti,Sara González-García,Carlos Luis Parra-Calderón

DOI: https://doi.org/10.1016/j.jbi.2024.104670

Abstract:Background: Art. 50 of the proposal for a Regulation on the European Health Data Space (EHDS) states that "health data access bodies shall provide access to electronic health data only through a secure processing environment, with technical and organizational measures and security and interoperability requirements". Objective: To identify specific security measures that nodes participating in health data spaces shall implement based on the results of the IMPaCT-Data project, whose goal is to facilitate the exchange of electronic health records (EHR) between public entities based in Spain and the secondary use of this information for precision medicine research in compliance with the General Data Protection Regulation (GDPR). Data and methods: This article presents an analysis of 24 out of a list of 72 security measures identified in the Spanish National Security Scheme (ENS) and adopted by members of the federated data infrastructure developed during the IMPaCT-Data project. Results: The IMPaCT-Data case helps clarify roles and responsibilities of entities willing to participate in the EHDS by reconciling technical system notions with the legal terminology. Most relevant security measures for Data Space Gatekeepers, Enablers and Prosumers are identified and explained. Conclusion: The EHDS can only be viable as long as the fiduciary duty of care of public health authorities is preserved; this implies that the secondary use of personal data shall contribute to the public interest and/or to protect the vital interests of the data subjects. This condition can only be met if all nodes participating in a health data space adopt the appropriate organizational and technical security measures necessary to fulfill their role.

Megha M. Moncy,Sadia Afreen,Saptarshi Purkayastha

2023-11-07

Abstract:This research examines the pivotal role of human behavior in the realm of healthcare data management, situated at the confluence of technological advancements and human conduct. An in-depth analysis of security breaches in the United States from 2009 to the present elucidates the dominance of human-induced security breaches. While technological weak points are certainly a concern, our study highlights that a significant proportion of breaches are precipitated by human errors and practices, thus pinpointing a conspicuous deficiency in training, awareness, and organizational architecture. In spite of stringent federal mandates, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, breaches persist, emphasizing the indispensable role of human factors within this domain. Such oversights not only jeopardize patient data confidentiality but also undermine the foundational trust inherent in the healthcare infrastructure. By probing the socio-technical facets of healthcare security infringements, this article advocates for an integrated, dynamic, and holistic approach to healthcare data security. The findings underscore the imperative of augmenting technological defenses while concurrently elevating human conduct and institutional ethos, thereby cultivating a robust and impervious healthcare data management environment.

Computers and Society,Cryptography and Security

Isabel Maria Lopes,Teresa Guarda,Pedro Oliveira

DOI: https://doi.org/10.1007/s10916-020-1521-0

IF: 4.92

2020-01-10

Journal of Medical Systems

Abstract:The focus on personal data has merited the EU concerns and attention, resulting in the legislative change regarding privacy and the protection of personal data. The General Data Protection Regulation (GDPR) aims to reform existing measures on the protection of personal data of European Union citizens, with a strong impact on the rights and freedoms of individuals in establishing rules for the processing of personal data. The GDPR considers a special category of personal data, the health data, being these considered as sensitive data and subject to special conditions regarding treatment and access by third parties. This work presents the evolution of the applicability of the Regulation (EU) 2016/679 six months after its application in Portuguese health clinics. The results of the present study are discussed in the light of future literature and work are identified.

health care sciences & services,medical informatics

LI Fen-ling,ZHENG Qi-wen,YE Min

DOI: https://doi.org/10.3760/cma.j.issn.1673-4351.2011.06.062

2011-01-01

International Journal of Nursing

Abstract:Objective To investigate privacy awareness of the health physical examination person and strategy for the privacy protection in special health services within a comprehensive hospital of Shenzhen and discuss how to improve the privacy protection countermeasures.Methods Self-designed questionnaires were used to survey 180 health physical examination persons.Results The majority who were surveyed had certain knowledge of medical privacy protection, but some improper situations still existed in the privacy protection of medical care.Conclusions Medical personnel who supply the special medical service should learn more related knowledge of privacy protection, in order to improve the quality of the health physical examination in special medical services.

JG Zhang,XM Chen,J Zhuang,JR Jiang,XY Zhang,DQ Wu,HK Huang

DOI: https://doi.org/10.1117/12.480651

2003-01-01

Abstract:In this paper, we presented a new security approach to provide security measures and features in both healthcare information systems (PACS, RIS/HIS), and electronic patient record (EPR). We introduced two security components, certificate authoring (CA) system and patient record digital signature management (DSPR) system, as well as electronic envelope technology, into the current hospital healthcare information infrastructure to provide security measures and functions such as confidential or privacy, authenticity, integrity, reliability, non-repudiation, and authentication for in-house healthcare information systems daily operating, and EPR exchanging among the hospitals or healthcare providers. CA component keeps the information of user personnel identification, accessing rights, and their administration levels, and the DSPR component manages the All the digital signatures of patient medical records signed through using an-symmetry key encryption technologies. The electronic envelopes used for EPR exchanging are created based on the information of signers, digital signatures, and identifications of patient records stored in CAS and DSMS, as well as the destinations and the remote users. The CAS and DSMS were developed and integrated into a RIS-integrated PACS, and the integration of these new security components is seamless and painless. The electronic envelopes designed for EPR were used successfully in multimedia data transmission.

Israel Cole,Liswani Sibamba,Abdi Hilowle,Jaye Jallow

DOI: https://doi.org/10.48550/arXiv.1712.04560

2017-12-13

Abstract:Information security and privacy in the healthcare sector is an issue of growing importance. The adoption of digital patient records, increased regulation, provider consolidation and the increasing need for information exchange between patients, providers and payers, all point towards the need for better information security. We critically survey the literature on information security and privacy in healthcare, published in information systems journals as well as many other related disciplines including health informatics, public health, law, medicine, and the trade press and industry reports

Cryptography and Security

C Ilioudis,G Pangalos

DOI: https://doi.org/10.2196/jmir.3.2.e14

Abstract:Background: The Internet provides many advantages when used for interaction and data sharing among health care providers, patients, and researchers. However, the advantages provided by the Internet come with a significantly greater element of risk to the confidentiality, integrity, and availability of information. It is therefore essential that Health Care Establishments processing and exchanging medical data use an appropriate security policy. Objective: To develop a High Level Security Policy for the processing of medical data and their transmission through the Internet, which is a set of high-level statements intended to guide Health Care Establishment personnel who process and manage sensitive health care information. Methods: We developed the policy based on a detailed study of the existing framework in the EU countries, USA, and Canada, and on consultations with users in the context of the Intranet Health Clinic project. More specifically, this paper has taken into account the major directives, technical reports, law, and recommendations that are related to the protection of individuals with regard to the processing of personal data, and the protection of privacy and medical data on the Internet. Results: We present a High Level Security Policy for Health Care Establishments, which includes a set of 7 principles and 45 guidelines detailed in this paper. The proposed principles and guidelines have been made as generic and open to specific implementations as possible, to provide for maximum flexibility and adaptability to local environments. The High Level Security Policy establishes the basic security requirements that must be addressed to use the Internet to safely transmit patient and other sensitive health care information. Conclusions: The High Level Security Policy is primarily intended for large Health Care Establishments in Europe, USA, and Canada. It is clear however that the general framework presented here can only serve as reference material for developing an appropriate High Level Security Policy in a specific implementation environment. When implemented in specific environments, these principles and guidelines must also be complemented by measures, which are more specific. Even when a High Level Security Policy already exists in an institution, it is advisable that the management of the Health Care Establishment periodically revisits it to see whether it should be modified or augmented.

I. V. Diorditsa,I. A. Kovalenko,O. M. Koval

DOI: https://doi.org/10.24144/2307-3322.2024.82.2.22

2024-05-23

Abstract:The growing number of breaches of the privacy and security of electronic data is raising outrage and concern among users and professionals in many industries, particularly in the medical field. Risks associated with insufficient security of medical data include the possibility of unauthorized access to personal medical information, its falsification, as well as the disclosure of confidential data without the consent of patients. This can have serious consequences for patients, including violations of their privacy, fear of losing confidential information, and even the possibility of inaccurate diagnosis or treatment due to falsification of medical records. Therefore, to protect medical data and ensure their confidentiality, it is necessary to pay special attention to the implementation of appropriate cyber security measures and compliance with relevant legal norms and standards. This includes the development of modern data encryption technologies, regular training of medical personnel on cyber security issues, as well as strict implementation of regulations on the protection of confidential information. Confidentiality of medical information in the field of health care must be considered in the context of a wide range of cultural, social and religious beliefs and traditions. Some medical data can be particularly sensitive and private, such as information about reproductive health, mental disorders, HIV/ AIDS treatment, and adolescent health services. According to the Law of Ukraine «On Protection of Personal Data» personal data is information or a set of information about a natural person who is identified or can be specifically identified. Article 2 of the 1981 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data defines personal data as any information relating to a specifically identified person or a person who can be specifically identified. This means that any information that allows or can allow the identification of a specific person is considered personal data and is subject to protection under this convention. This definition is a general standard used in many countries and international legal acts to ensure the protection of privacy and confidentiality of personal data. It covers a wide range of information, including name, address, phone number, email, health information, financial information, and much more.

Marialida Farah,Samar Helou,Elie Raad,Elie El Helou

DOI: https://doi.org/10.1016/j.ijmedinf.2024.105635

IF: 4.73

2024-09-20

International Journal of Medical Informatics

Abstract:Purpose Biomedical research is a pillar of every medical student's career. When collecting data, several regulations are established to ensure the protection of individuals. Most medical students are not compliant with the guidelines, and this is probably due to a lack of knowledge. The aim of our research is to evaluate the knowledge and behavior of medical students regarding these rules, then attempt to explain the results obtained. Methods This is a sequential explanatory mixed study including an initial quantitative section followed by an explanatory qualitative section. For the quantitative part, we administered a questionnaire based on the information security regulation and the GDPR to third- and fourth-year medical students. We evaluated their knowledge and behaviors and their correlation. For the qualitative part, we conducted semi-structured interviews with eight students followed by thematic analysis to explain the results. Results Most students have a lack of knowledge. A correlation was found between the non-compliant behavior of keeping the laptop unattended in a public place and a low level of knowledge. For the qualitative section, the thematic analysis represents three groups to explain non-compliant behavior: lack of knowledge, work overload, and consideration of the hospital as a safe place. Conclusion Data collection and information security rules are rarely followed by medical students. This is mainly due to lack of knowledge, work overload and assuming the hospital as a safe place. Future awareness interventions would be necessary to improve non-compliant behavior and subsequently ensure a more secure environment during medical research.

health care sciences & services,computer science, information systems,medical informatics

Yawen Xing,Huizhe Lu,Lifei Zhao,Shihua Cao

DOI: https://doi.org/10.1007/s11036-024-02299-8

2024-09-10

Mobile Networks and Applications

Abstract:Mobile Medical information systems MMIS or mHealth applications support personal health and potentially improve the health sector by offering a solution to significant problems faced by the healthcare system. While espousing these Mobile Medical Information Systems, sequestration and security issues arise. Due to advanced computing and different capabilities, data security and confidentiality come major enterprises with continuously expanding mHealth operations. European Union General Data Protection (GDPR) and California Consumer Sequestration Act (CCPA) raise mindfulness; still, they need to address developing a system that meets sequestration and security conditions. This paper deals with research literature to understand current privacy and security issues and possible solutions for patients and providers using mHealth applications. This is the reason for several threats, such as information harvesting, tracking patients, relaying attacks, and denial of service attacks, which affect the confidentiality and integrity of these devices. We discussed the challenges and risks associated with Mobile Medical information systems and emphasized the need to address these concerns for widespread adoption. Mitigation strategies include robust security measures, regulatory compliance, and user awareness. We discussed the impact of privacy and security issues on healthcare, including potential harm to patients and disruptions in system functioning, reviewing laws, conducting a literature review, and assessing mHealth system applications. We emphasize the need for comprehensive security measures and continuous evaluation of security practices in mHealth, which need to be addressed to achieve quality, continuity, and portability of health services. We offer a critical and methodical assessment of the state of the art in mHealth security and privacy and suggest a methodology for creating and executing MMIS that is safe and protects privacy.

computer science, information systems,telecommunications, hardware & architecture

Joseph E Chasteen,Gretchen Murphy,Arden Forrey,David Heid

2004-08-15

Abstract:This article reviews the issues related to the Health Insurance Portability & Accountability Act (HIPAA) security rule that apply to dental practice. The security rule specifically addresses individually identifiable health information that is transmitted or maintained in electronic media. System security must be applied to the entire technical infrastructure for the practice environment as well as to the work culture on a daily basis and must be thought of as an enterprise asset. Security refers to all of the policies, procedures, tools, and techniques used to assure that privacy and confidentiality are adequately addressed in a healthcare system. HIPAA requires all covered entities that transmit or maintain electronic health information perform, and document, a risk assessment for security and develop a security plan to address major areas of concern. A self-assessment tool is provided in this article.

Enrique Pérez Morera,Isabel de la Torre Díez,Begoña Garcia-Zapirain,Miguel López-Coronado,Jon Arambarri

DOI: https://doi.org/10.1007/s10916-016-0513-6

Abstract:Being the third fastest-growing app category behind games and utilities, mHealth apps are changing the healthcare model, as medicine today involves the data they compile and analyse, information known as Big Data. However, the majority of apps are lacking in security when gathering and dealing with the information, which becomes a serious problem. This article presents a guide regarding security solution, intended to be of great use for developers of mHealth apps. In August 2015 current mobile health apps were sought out in virtual stores such as Android Google Play, Apple iTunes App Store etc., in order to classify them in terms of usefulness. After this search, the most widespread weaknesses in the field of security in the development of these mobile apps were examined, based on sources such as the "OWASP Mobile Security Project, the initiative recently launched by the Office of Civil Rights (OCR), and other articles of scientific interest. An informative, elemental guide has been created for the development of mHealth apps. It includes information about elements of security and its implementation on different levels for all types of mobile health apps based on the data that each app manipulates, the associated calculated risk as a result of the likelihood of occurrence and the threat level resulting from its vulnerabilities - high level (apps for monitoring, diagnosis, treatment and care) from 6 ≤ 9, medium level (calculator, localizer and alarm) from 3 ≤ 6 and low level (informative and educational apps) from 0 ≤ 3. The guide aims to guarantee and facilitate security measures in the development of mobile health applications by programmers unconnected to the ITC and professional health areas.

Alejandro Martínez-Arce,Alberto Bermejo-Cantarero,Laura Muñoz de Morales-Romero,Víctor Baladrón-González,Natalia Bejarano-Ramírez,Gema Verdugo-Moreno,María Antonia Montero-Gaspar,Francisco Javier Redondo-Calvo

DOI: https://doi.org/10.3390/nursrep14040221

2024-10-17

Abstract:In the transition to a professional learning environment, healthcare professionals in their first year of specialized postgraduate clinical training (known as residents in Spain) are suddenly required to handle confidential information with little or no prior training in the safe and appropriate use of digital media with respect to confidentiality issues. The aims of this study were: (1) to explore the usefulness of an advanced clinical simulation program for educating residents from different healthcare disciplines about confidentiality and the dissemination of clinical data or patient images; (2) to explore the use of social networks in healthcare settings; and (3) to explore participants' knowledge and attitudes on current regulations regarding confidentiality, image dissemination, and the use of social networks; Methods: This was a cross-sectional study. Data were collected from all 49 first-year residents of different health professions at a Spanish hospital between June and August 2022. High-fidelity clinical simulation sessions designed to address confidentiality and health information dissemination issues in hospital settings, including the use of social networks, were developed and implemented. Data were assessed using a 12-item ad hoc questionnaire on confidentiality and the use of social media in the healthcare setting. Descriptive of general data and chi-square test or Fisher's exact test were performed using the SPSS 25.0 software; Results: All the participants reported using the messaging application WhatsApp regularly during their working day. A total of 20.4% of the participants stated that they had taken photos of clinical data (radiographs, analyses, etc.) without permission, with 40.8% claiming that they were unaware of the legal consequences of improper access to clinical records. After the course, the participants reported intending to modify their behavior when sharing patient data without their consent and with respect to how patients are informed; Conclusions: The use of advanced simulation in the training of interprofessional teams of residents is as an effective tool for initiating attitudinal change and increasing knowledge related to patient privacy and confidentiality. Further follow-up studies are needed to see how these attitudes are incorporated into clinical practice.

Hsin-Ginn Hwang,Yun Lin

DOI: https://doi.org/10.1007/s10916-020-01579-6

2020-05-07

Abstract:To address the issue of rising expenditure of healthcare service and to fulfill the skyrocketing demand for quality healthcare, the electronic medical records (EMR) exchange has become a vital and indispensable solution for healthcare facilities in terms of being able to share medical information among healthcare providers. Hence, EMR exchange was expected to improve the quality of healthcare and reduce the cost of repetitive medical check-ups and unnecessary treatments. However, recent reports affirming EMR data leaks and compromises have ignited major worldwide privacy concerns over the security of the EMR systems. How to effectively diminish patients' concern for EMR privacy has thus become an important issue that healthcare institution managers/stakeholders have to address urgently. This study leverages the power-responsibility equilibrium perspective to investigate the antecedents and consequences of concerns for the EMR exchange. A survey using 391 responses collected from medical centers, regional and district hospitals in Taiwan was used to conduct this study. The results show that government regulations have a positive effect on hospital privacy policies. Furthermore, both government regulations and hospital privacy policy are negatively associated with concern for EMR information privacy. Additional reports gathered from this study also showed that concern for EMR information privacy could result in patients' protective responses including refusal to provide personal health information (PHI), removal of PHI, negative word of mouth, complaining directly to the hospital, or complaining indirectly to third-party organizations. These findings demonstrate the need for healthcare facilities to formulate robust privacy policies in order to alleviate patients' concern for EMR information privacy based on governmental regulations. This regulation is top-priority as the incapability of reducing patients' concern for EMR information privacy may lead to the collapse of the campaign for the full-adoption of EMR or possibly jeopardize the promotion and application of EMR among healthcare facilities.

Tafheem Ahmad Wani,Antonette Mendoza,Kathleen Gray

DOI: https://doi.org/10.1016/j.ijmedinf.2024.105606

2024-08-30

Abstract:Background/objective: The use of personal devices for work purposes (Bring-your-own-device) has increased in hospitals, as it facilitates productivity and mobility for clinicians. However, owing to increased risk of leaking patient information, and heavy reliance of patient data privacy on user actions, BYOD is a major challenge for hospitals. There has been a dearth of empirical research studying clinicians' BYOD security behaviour. Therefore, the study's aim was to attain subjective understanding of clinicians' attitudes and preferences towards protecting patient data on their devices through a qualitative study. Methods: 14 semi-structured interviews were conducted among Australian hospital-based clinicians. A hybrid thematic analysis was conducted using the framework method to explore socio-technical themes pertaining to the clinicians' BYOD security behavioural practices. Results: Limited use of secure tools like antivirus and passcodes, and inadequate separation of patient and personal data on BYOD devices was found. Key technology concerns included malware introduction into hospital network, inadvertent patient data sharing, and slow remote access. Hospitals lacked dedicated BYOD policies and training, resulting in unsafe practices. Participants also cited misalignment of BYOD policies with workflow needs, privacy maintenance challenges and fears of personal data breaches, while calling for improved communication between technical and clinical staff and a strong cybersecurity culture. Conclusion: This study provides a comprehensive understanding of BYOD related user behaviour and the usefulness of security controls used in time-sensitive and complex hospital environments. It can inform future policies or processes by advocating for secure and productive BYOD use.

Raza Nowrozy,Khandakar Ahmed,A.S.M. Kayes,Hua Wang,Timothy R. McIntosh

DOI: https://doi.org/10.1145/3653297

IF: 16.6

2024-03-19

ACM Computing Surveys

Abstract:Building a secure and privacy-preserving health data sharing framework is a topic of great interest in the healthcare sector, but its success is subject to ensuring the privacy of user data. We clarified the definitions of privacy, confidentiality and security (PCS) because these three terms have been used interchangeably in the literature. We found that researchers and developers must address the differences of these three terms when developing electronic health record (EHR) solutions. We surveyed 130 studies on EHRs, privacy-preserving techniques, and tools that were published between 2012 and 2022, aiming to preserve the privacy of EHRs. The observations and findings were summarized with the help of the identified studies framed along the survey questions addressed in the literature review. Our findings suggested that the usage of access control, blockchain, cloud-based, and cryptography techniques is common for EHR data sharing. We summarized the commonly used strategies for preserving privacy that are implemented by various EHR tools. Additionally, we collated a comprehensive list of differences and similarities between PCS. Finally, we summarized the findings in a tabular form for all EHR tools and techniques and proposed a fusion of techniques to better preserve the PCS of EHRs.

computer science, theory & methods

Rebecca Yoke Chan Ong,Sandy Sabapathy

DOI: https://doi.org/10.1177/1473779520914290

2020-03-01

Common Law World Review

Abstract:While it is true that the expanded use of health information and electronic health records (eHRs) can help deliver better healthcare, there remains the need to reconcile citizens’ legitimate concerns for privacy protection and confidentiality in the use of their personal health data, and the potential for violation of their privacy. Under the Hong Kong’s Electronic Health Record Sharing System (eHRSS), the eHR of the individual patient can be accessed and shared between healthcare providers for healthcare-related purposes. Although the Electronic Health Record Sharing System Ordinance (Cap 625) (the ‘eHRSSO’) and the Personal Data (Privacy) Ordinance (Cap 486) (the ‘PD(P)O’) provide protection for personal data and patients’ privacy, the eHRSS has come under greater scrutiny given the rise in data breaches experienced globally and in Hong Kong. The article’s objective is twofold. It first examines the eHRSS specifically with regard to some of the more pertinent provisions of the eHRSSO and the PD(P)O, to critically evaluate the extent to which these provisions ensure and protect patient privacy. Thence it offers suggestions and recommendations as to how protection for patient privacy can be enhanced and, indeed, altogether better ensured.

Wan-Tzu Su,Pei-Yu Lee,Hung-San Kuo,Chien-Lin Kuo

DOI: https://doi.org/10.6224/JN.202110_68(5).07

Abstract:Background: The aim of the Personal Data Protection Act (PDPA) is to regulate the collection, processing, and use of personal information; to avoid the infringement of personal rights; and to promote the reasonable use of personal information. Clinical nurses are frontline patient caregivers, and they are the most likely to have access to patients' personal information. If these nurses do not clearly understand the PDPA, they may violate the law and affect patients' rights. Purpose: The purpose of this study was to investigate the knowledge level of clinical nurses regarding the PDPA and related factors, with the findings intended to serve as a reference for continuing education. Methods: A cross-sectional research design was adopted. A purposive sample of nurses working at a regional hospital in southern Taiwan was selected. A self-administered survey incorporating the self-developed Nurses Knowledge Scale for Patient Personal Data Protection Act (NKSPPDPA) was used to collect data from May to June 2017. Results: A total of 269 valid responses were received (return rate: 89.67%). The mean score on the NKSPPDPA was 68.80 out of a total-possible 100 points. Knowledge related to patient privacy and penalties was relatively low. Moreover, working department, job title, and participation in PDPA-related on-the-job education were found to be significant predictors of NKSPPDPA score, while years of experience was found to have a low correlation only. Conclusions: The results suggest that clinical nurses have knowledge gaps regarding PDPA, especially in terms of privacy and penalties. Nurses should participate in continuing education to address these knowledge gaps.

George Pangalos

Abstract:Medical database security is a particularly important issue for all Healthcare establishments. Medical information systems are intended to support a wide range of pertinent health issues today, for example: assure the quality of care, support effective management of the health services institutions, monitor and contain the cost of care, implement technology into care without violating social values, ensure the equity and availability of care, preserve humanity despite the proliferation of technology etc.. In this context, medical database security aims primarily to support: high availability, accuracy and consistency of the stored data, the medical professional secrecy and confidentiality, and the protection of the privacy of the patient. These properties, though of technical nature, basically require that the system is actually helpful for medical care and not harmful to patients. These later properties require in turn not only that fundamental ethical principles are not violated by employing database systems, but instead, are effectively enforced by technical means. This document reviews the existing and emerging work on the security of medical database systems. It presents in detail the related problems and requirements related to medical database security. It addresses the problems of medical database security policies, secure design methodologies and implementation techniques. It also describes the current legal framework and regulatory requirements for medical database security. The issue of medical database security guidelines is also examined in detailed. The current national and international efforts in the area are studied. It also gives an overview of the research work in the area. The document also presents in detail the most complete to our knowledge set of security guidelines for the development and operation of medical database systems.