Pekka Ruotsalainen

Privacy and security in teleradiology

Teleradiology is probably the most successful eHealth service available today. Its business model is based on the remote transmission of radiological images (e.g. X-ray and CT-images) over electronic networks, and on the interpretation of the transmitted images for diagnostic purpose. Two basic service models are commonly used teleradiology today. The most common approach is based on the message paradigm (off-line model), but more developed teleradiology systems are based on the interactive use of PACS/RIS systems. Modern teleradiology is also more and more cross-organisational or even cross-border service between service providers having different jurisdictions and security policies. This paper defines the requirements needed to make different teleradiology models trusted. Those requirements include a common security policy that covers all partners and entities, common security and privacy protection principles and requirements, controlled contracts between partners, and the use of security controls and tools that supporting the common security policy. The security and privacy protection of any teleradiology system must be planned in advance, and the necessary security and privacy enhancing tools should be selected (e.g. strong authentication, data encryption, non-repudiation services and audit-logs) based on the risk analysis and requirements set by the legislation. In any case the teleradiology system should fulfil ethical and regulatory requirements. Certification of the whole teleradiology service system including security and privacy is also proposed. In the future, teleradiology services will be an integrated part of pervasive eHealth. Security requirements for this environment including dynamic and context aware security services are also discussed in this paper.

A Conceptual Framework and Principles for Trusted Pervasive Health

Background Ubiquitous computing technology, sensor networks, wireless communication and the latest developments of the Internet have enabled the rise of a new concept—pervasive health—which takes place in an open, unsecure, and highly dynamic environment (ie, in the information space). To be successful, pervasive health requires implementable principles for privacy and trustworthiness. Objective This research has two interconnected objectives. The first is to define pervasive health as a system and to understand its trust and privacy challenges. The second goal is to build a conceptual model for pervasive health and use it to develop principles and polices which can make pervasive health trustworthy. Methods In this study, a five-step system analysis method is used. Pervasive health is defined using a metaphor of digital bubbles. A conceptual framework model focused on trustworthiness and privacy is then developed for pervasive health. On that model, principles and rules for trusted information management in pervasive health are defined. Results In the first phase of this study, a new definition of pervasive health was created. Using this model, differences between pervasive health and health care are stated. Reviewed publications demonstrate that the widely used principles of predefined and static trust cannot guarantee trustworthiness and privacy in pervasive health. Instead, such an environment requires personal dynamic and context-aware policies, awareness, and transparency. A conceptual framework model focused on information processing in pervasive health is developed. Using features of pervasive health and relations from the framework model, new principles for trusted pervasive health have been developed. The principles propose that personal health data should be under control of the data subject. The person shall have the right to verify the level of trust of any system which collects or processes his or her health information. Principles require that any stakeholder or system collecting or processing health data must support transparency and shall publish its trust and privacy attributes and even its domain specific policies. Conclusions The developed principles enable trustworthiness and guarantee privacy in pervasive health. The implementation of principles requires new infrastructural services such as trust verification and policy conflict resolution. After implementation, the accuracy and usability of principles should be analyzed.

A notary archive model for secure preservation and distribution of electrically signed patient documents

The healthcare industry is moving from paper-based documentation into the digital era. Electronic health records (EHR) are playing a major role in this development. Electronic health records will not only to be shared among a growing number of healthcare providers but they have also to be archived over long periods of time. The required life cycle depends of national regulations, but typically the preservation time of patient data varies between 20 and 100 years. Availability, integrity, confidentiality and non-repudiation of stored data over these lengthy preservation periods needs to be fully proven, both to preclude loss and also ensure the ability to read and understand content is maintained. This document describes a co-operative trusted notary archive (TNA) which receives granular health data from different EHR-systems, stores data together with associated meta-information for long periods and distributes granular EHR-data objects. TNA communicates with EHR-systems and external users via archive request and distribution messages. TNA can store objects in XML-format and prove the non-repudiation and integrity of stored data with the help of event records, Time-stamps and archive e-signatures.

Trust information-based privacy architecture for ubiquitous health.

Background Ubiquitous health is defined as a dynamic network of interconnected systems that offers health services independent of time and location to a data subject (DS). The network takes place in open and unsecure information space. It is created and managed by the DS who sets rules that regulate the way personal health information is collected and used. Compared to health care, it is impossible in ubiquitous health to assume the existence of a priori trust between the DS and service providers and to produce privacy using static security services. In ubiquitous health features, business goals and regulations systems followed often remain unknown. Furthermore, health care-specific regulations do not rule the ways health data is processed and shared. To be successful, ubiquitous health requires novel privacy architecture. Objective The goal of this study was to develop a privacy management architecture that helps the DS to create and dynamically manage the network and to maintain information privacy. The architecture should enable the DS to dynamically define service and system-specific rules that regulate the way subject data is processed. The architecture should provide to the DS reliable trust information about systems and assist in the formulation of privacy policies. Furthermore, the architecture should give feedback upon how systems follow the policies of DS and offer protection against privacy and trust threats existing in ubiquitous environments. Methods A sequential method that combines methodologies used in system theory, systems engineering, requirement analysis, and system design was used in the study. In the first phase, principles, trust and privacy models, and viewpoints were selected. Thereafter, functional requirements and services were developed on the basis of a careful analysis of existing research published in journals and conference proceedings. Based on principles, models, and requirements, architectural components and their interconnections were developed using system analysis. Results The architecture mimics the way humans use trust information in decision making, and enables the DS to design system-specific privacy policies using computational trust information that is based on systems’ measured features. The trust attributes that were developed describe the level systems for support awareness and transparency, and how they follow general and domain-specific regulations and laws. The monitoring component of the architecture offers dynamic feedback concerning how the system enforces the polices of DS. Conclusions The privacy management architecture developed in this study enables the DS to dynamically manage information privacy in ubiquitous health and to define individual policies for all systems considering their trust value and corresponding attributes. The DS can also set policies for secondary use and reuse of health information. The architecture offers protection against privacy threats existing in ubiquitous environments. Although the architecture is targeted to ubiquitous health, it can easily be modified to other ubiquitous applications.

Development of personal wellness information model for pervasive healthcare

Copyright

Migration from Regional to a National eHealth Network

Finland is being transformed into a knowledge economy driven by information and communication technologies - 96 % of primary care health centres, 95 % of hospital districts and 89 % of private sector service providers use an electronic patient record (EPR). The governance and funding of the Finnish health care system is very decentralized and the lack of standards has led to a broad spectrum of one-off systems with little technical interoperability. National strategies to overcome this challenge has created sharable electronic health records (EHR) by supporting a collection of federated interoperable repositories with regional middleware services. In the Hospital District of Helsinki and Uusimaa an established regional eHealth network (RHIN) connects 24 public hospitals, 29 municipal health centers (primary care) and two private health care clinics. There are 6.000 end-users, information from 1,4 million citizens and 12 million links to EPRs. Migration to a national eHealth network (NHIN) and centralized eArchive providing a platform that delivers a longitudinal view of a patients relevant health records (core data set) is currently underway and plans for coordinated architecture and transformation from regional to national sharing of health care information and ePrescription are drawn.

Research on Trusted Personal Health and Wellness Information in Ubiquitous Health Information Space

Information structures of current electronic pa- tient record systems (EHRs) are based on the traditional pa- per-based documentation systems. The semantic interoperabil- ity of these systems is limited and security aspects are static. The usability and usefulness of these systems to citizen-based care model is very limited. In this research we identify the shift to pervasive health care where any type of health and welfare related data can be collected and linked at a personal basis. In this research context aware information model for the lifelong personal wellness record (LPWR) and a new security architec- ture will be developed. These will enable access, use and shar- ing of multi-source heterogeneous health and wellness related data and information dynamically in a trusted way in a ubiqui- tous health information space. Research outline, current state and expected outcomes are presented in this paper.

Feasibility analysis of the privacy attributes of the personal wellness information model.

A feasibility analysis has been performed to study the applicability of privacy attributes with a developed wellness information model. Information privacy concerns specifically access to individually identifiable personal information and ones ability to control information about oneself. We carried out a user scenario walk-through of the privacy attributes related to the wellness components. The walk-through showed a need to relate self-regulating privacy policies to the pervasive context so that during various trust-building processes, a person is aware and can control the use, disclosure and even secondary use of his personal, private wellness information.

The recommendations from the 2009 SiHIS working conference in Hiroshima—Issues on trustworthiness of health information and patient safety

Held on 21st to 23rd November 2009 in Hiroshima, the SiHIS working conference aimed at finding solutions to approach to an idealistic society where (1) the individual can trust information with full understanding and responsibility, (2) the individual can allow the use of information backed by sound legitimated environment, (3) information can play its role for better healthcare and the improvement of medicine. The purpose of this paper is to propose recommendations from this working conference.

Privacy-Related Context Information for Ubiquitous Health

Background Ubiquitous health has been defined as a dynamic network of interconnected systems. A system is composed of one or more information systems, their stakeholders, and the environment. These systems offer health services to individuals and thus implement ubiquitous computing. Privacy is the key challenge for ubiquitous health because of autonomous processing, rich contextual metadata, lack of predefined trust among participants, and the business objectives. Additionally, regulations and policies of stakeholders may be unknown to the individual. Context-sensitive privacy policies are needed to regulate information processing. Objective Our goal was to analyze privacy-related context information and to define the corresponding components and their properties that support privacy management in ubiquitous health. These properties should describe the privacy issues of information processing. With components and their properties, individuals can define context-aware privacy policies and set their privacy preferences that can change in different information-processing situations. Methods Scenarios and user stories are used to analyze typical activities in ubiquitous health to identify main actors, goals, tasks, and stakeholders. Context arises from an activity and, therefore, we can determine different situations, services, and systems to identify properties for privacy-related context information in information-processing situations. Results Privacy-related context information components are situation, environment, individual, information technology system, service, and stakeholder. Combining our analyses and previously identified characteristics of ubiquitous health, more detailed properties for the components are defined. Properties define explicitly what context information for different components is needed to create context-aware privacy policies that can control, limit, and constrain information processing. With properties, we can define, for example, how data can be processed or how components are regulated or in what kind of environment data can be processed. Conclusions This study added to the vision of ubiquitous health by analyzing information processing from the viewpoint of an individual’s privacy. We learned that health and wellness-related activities may happen in several environments and situations with multiple stakeholders, services, and systems. We have provided new knowledge regarding privacy-related context information and corresponding components by analyzing typical activities in ubiquitous health. With the identified components and their properties, individuals can define their personal preferences on information processing based on situational information, and privacy services can capture privacy-related context of the information-processing situation.