Herbjørn Andresen

Reusable Security Requirements for Healthcare Applications

Healthcare information systems are currently being migrated from paper based journals to fully digitalised information platforms. Protecting patient privacy is thus becoming an increasingly complex task, where several national and international legal requirements must be met. These legal requirements present only high-level goals for privacy protection, leaving the details of security requirements engineering to the developers of electronic healthcare systems. Our objective has been to map legal requirements for sensitive personal information to a set of reusable technical information security requirements. This paper presents examples of such requirements extracted from legislation applicable to the healthcare domain.

Personal health information on display: balancing needs, usability and legislative requirements.

Large wall-mounted screens placed at locations where health personnel pass by will assist in self-coordination and improve utilisation of both resources and staff at hospitals. The sensitivity level of the information visible on these screens must be adapted to a close-to-public setting, as passers-by may not have the right or need to know anything about patients being treated. We have conducted six informal interviews with health personnel in order to map what kind of information they use when identifying their patients and their next tasks. We have compared their practice and needs to legislative requirements and conclude that it is difficult, if not impossible, to fulfil all requirements from all parties.

The Policy Debate on Pseudonymous Health Registers in Norway

Patient health data has a valuable potential for secondary use, such as decision support on a national level, reimbursement settlements, and research on public health or on the effects of various treatment methods. Unfortunately, extensive secondary use of data has disproportionate negative impact on the patients’ privacy. The Norwegian health data processing regulation prescribes four different ways of organizing health registers (anonymous, de-identified, pseudonymous or fully identified data subjects). Pseudonymity is the most innovative of these methods, and it has been available as a legitimate means to achieve extensive secondary use of accurate and detailed data since 2001. Up to now, two different national health registers have been organized this way. The evidence from these experiences should be encouraging: Pseudonymity works as intended. Yet, there is still discernible reluctance against extending the pseudonymity principle to encompass other national health registers as well.