A systematic literature review on security and privacy of electronic health record systems: Technical perspectives

Health Information Management Journal

Volumn 44, Issue 3, 2015, Pages 23-38

  Rezaeibagha, Fatemeh ^a   Win, Khin Than ^a   Susilo, Willy ^a  

^a UNIVERSITY OF WOLLONGONG   (Australia)

Author keywords

Data security; Electronic health records; Privacy; Review; Standards; Systematic

Indexed keywords

ADULT; ARTICLE; ELECTRONIC HEALTH RECORD; FEMALE; HUMAN; INFORMATION SECURITY; INTERNATIONAL ORGANIZATION FOR STANDARDIZATION; MALE; MEDICAL INFORMATION SYSTEM; PRIVACY; SYSTEMATIC REVIEW; ACCESS TO INFORMATION; COMPUTER SECURITY; CONFIDENTIALITY; META ANALYSIS; PROTOCOL COMPLIANCE; STANDARDS; NORMAL HUMAN; STANDARDIZATION;

ACCESS TO INFORMATION; COMPUTER SECURITY; CONFIDENTIALITY; ELECTRONIC HEALTH RECORDS; GUIDELINE ADHERENCE; HUMANS;

EID: 84947710116     PISSN: 18333583     EISSN: 18333575     Source Type: Journal    
DOI: 10.1177/183335831504400304     Document Type: Review

References (79)

1. Acharya, S., Coats, B., Saluja, A. and Fuller, D. (2013). Secure electronic health record exchange: achieving the meaningful use objectives. 46th Hawaii International Conference on System Sciences. Wailea, Hawaii, USA, 2555-2564. Available at: http://www.computer.org/csdl/proceedings/hicss/2013/4892/00/4892c555.pdf (accessed 23 August 2013).
2. Afzal, M., Hussain, M., Ahmad, M. and Anwar, Z. (2011). Trusted framework for health information exchange. Frontiers of Information Technology, Islamabad. Available at: http://www.computer.org/csdl/proceedings/fit/2011/4625/00/4625a308.pdf (accessed 23 August 2013).
3. Aljarullah, A. and El-Masri, S. (2012). A novel system architecture for the national integration of electronic health records: a semi-centralized approach. Journal of Medical Systems 37(4): 9953.
4. Bakers, D.B. and Masys, D.R. (1999). PCASSO: a design for secure communication of personal health information via the internet. International Journal of Medical Informatics 54(2): 97-104.
5. Baldas, V., Giokas, K. and Koutsouris, D. (2010). Multilevel access control in hospital information systems. IFMBE Proceedings: XII Mediterranean Conference on Medical and Biological Engineering and Computing, Berlin. Available at: http://link.springer.com/search?query=Multilevel+accesssearch-within=Bookfacet-book-doi=10.1007%2F978-3-642-13039-7 (accessed 23 August 2013).
6. Barber, B. (1998). Patient data and security: an overview. International Journal of Medical Informatics 49(1): 19-30.
7. Blobel, B. (2000). Advanced tool kits for EPR security. International Journal of Medical Informatics, 60(2):169-175.
8. Blobel, B. and Roger-France, F. (2001). A systematic approach for analysis and design of secure health information systems. International Journal of Medical Informatics 62(1): 51-78.
9. Blobel, B. (2004). Authorization and access control for electronic health record systems. International Journal of Medical Informatics 73(3):251-257.
10. Blobel, B. and Pharow, P. (2007). A model driven approach for the German health telematics architectural framework and security infrastructure. International Journal of Medical Informatics 76(2-3): 169-175.
11. Blobel, B. and Pharow, P. (2006). Formal policies for flexible EHR security. Studies in Health Technology and Informatics 121: 307-316.
12. Blythe, M.J. et al. (2012). Standards for health information technology to ensure adolescent privacy. Pediatrics 130(5): 987-990.
13. Bouhaddou, O., Cromwell, T., Davis, M., Maulden, S., Hsing, N., Carlson, D., Cockle, J., Hoang, C. and Fischetti, L. (2012). Translating standards into practice: experience and lessons learned at the Department of Veterans Affairs. Journal of Biomedical Informatics 45(4): 813-823.
14. Botella, F., Alarcon, E. and Penalver, A. (2013). A new proposal for improving heuristic evaluation reports performed by novice evaluators. 72-75, Chile. Available at: http://dl.acm.org/results.cfm?h=1cfid=647993084cftoken=61477287 (accessed 20 March 2013).
15. Burton, B., Cothran, C., Davis, N., Dooling, J., Dunn, R., Jensen, J., Odia, G., Rose, A. D. and Twiggs, M. (2013). The privacy and security of occupational health records. Journal of AHIMA/American Health Information Management Association 84(4): 52-56.
16. Chen, Y.Y., Lu, J.C. and Jan, J.K. (2012). A secure EHR system based on hybrid clouds. Journal of Medical Systems 36(5): 3375-3384.
17. Chen, T.S., Liu, C.H., Chen, T.L., Chen, C.S., Bau, J.G. and Lin, T.C. (2012). Secure dynamic access control scheme of PHR in cloud computing. Journal of Medical Systems 36(6): 4005-4020.
18. Coleman, J. (2013). Segmenting data privacy. Cross-industry initiative aims to piece out privacy within the health record. Journal of AHIMA/ American Health Information Management Association 84(2): 34-38.
19. CORE (2012). The CORE Conference Ranking Exercise. Available at: www.core.edu.au/coreportal (accessed 8 December 2013).
20. CWTS Journal Indicators (2012). SNIP indicator. Available at: http://www.journalindicators.com (accessed 8 December 2013).
21. Deeks, J., Higgins, J., and Altman, D. (2003). Cochrane Reviewers’ Handbook 4.2.1. The Cochrane Library. Chichester, John Wiley Sons Ltd.
22. De Oliveira, K.S. and Soares, M.S. (2012). A systematic review on aspects in software architecture design. International Conference of the Chilean Computer Science Society, 21-28, Valparaiso. Available: http://www.computer.org/csdl/proceedings/sccc/2012/2938/00/2937a021.pdf (accessed 20 March 2013).
23. Dos Santos, A.C.C, Delamaro, M.E. and Nunes, F.L.S. (2013). The relationship between requirements engineering and virtual reality systems: A systematic literature review. XV Symposium on Virtual and Augmented Reality: 53-62. Cuiaba. Available at: http://dl.acm.org/citation.cfm?id=2511560 (accessed 20 March 2013).
24. Fernández-Alemán, J. L., Señor, I. C., Lozoya, P. T. O. and Toval, A. (2013). Security and privacy in electronic health records: a systematic literature review. Journal of Biomedical Informatics 46(3): 541-562.
25. Flores Zuniga, A.E., Win, K.T. and Susilo, W. (2010). Functionalities of free and open electronic health record systems. International Journal of Technology Assessment in Health Care 26(4): 382-389.
26. Guo L, Liu X, Fang Y and Li X. (2012).User-centric private matching for eHealth networks - a social perspective. Globecom 2012 IEEE - Communication and Information System Security Symposium, Anaheim, California. Available at: IEEE Xplore,http://www.ieee.org (accessed 23 August 2013).
27. Higgins, J., Altman, D.G. and Sterne, J.A.C. (Eds) (2011). Chapter 8: Assessing risk of bias in included studies. In: Cochrane Handbook for Systematic Reviews of Interventions Version 5.1.0 [updated March 2011]. J. Higgins S. Green (Eds). Available at: http://www.cochrane-handbook.org (accessed 13 April 2015).
28. Health Level Seven International (HL7) (2013). Introduction to HL7standards. Available at: http://www.hl7.org/implement/standards/ (accessed 5 January 2014).
29. Hsiao, T.C., Wu, Z.Y., Chung, Y.F., Chen, T.S. and Horng, G.B. (2012). A secure integrated medical information system. Journal of Medical Systems 36(5): 3103-3113.
30. Hsieh, G. and Chen, R.J. (2012). Design for a secure interoperable cloud-based Personal Health Record service. IEEE 4th International Conference on Cloud Computing Technology and Science, Taipei. Available at: IEEE Xplore,http://www.ieee.org (accessed 23 Aug. 2013).
31. Huang, C., Lee, H. and Lee, D.H. (2012). A privacy-strengthened scheme for e-healthcare monitoring systems. Journal of Medical Systems 36(5): 2959-2971.
32. Huang, J., Sharaf, M. and Huang, C.T. (2013). A hierarchical framework for secure and scalable EHR sharing and access control in multi-cloud. 41st International Conference on Parallel Processing Workshops, Pittsburgh, Pennsylvania, USA. Available at: IEEE Xplore,http://www.ieee.org (accessed 23 August 2013).
33. Hunter, E.S. (2013). Electronic health records in an occupational health setting - Part I. A global overview. Workplace Health and Safety 61(2): 57-60.
34. ISO (2013). ISO/IEC 27002 Information technology — Security techniques — Code of practice for information security controls. Available at: http://www.iso.org/iso/home.html (accessed 2 December 2013)
35. ISO (2011). ISO/IEC 29100 Information technology — Security techniques — Privacy framework, Available at: http://www.iso.org/iso/home.html (accessed 2 December 2013).
36. ISO (2008). ISO 27799 Information security management in health using ISO/IEC 27002, Available at: http://www. iso.org/iso/home.html (accessed 15 March 2013).
37. Khansa, L., Forcade, J., Nambari, G., Parasuraman, S. and Cox, P. (2012). Proposing an intelligent cloud-based electronic health record system. International Journal of Business Data Communications and Networking 8(3): 57-71.
38. Khan, M.F.F. and Sakamura, K. (2012). Security in healthcare informatics: design and implementation of a robust authentication and a hybrid access control mechanism. The 5th International Conference on Communications, Computers and Applications (MIC-CCA2012), Istanbul, Turkey. Available at: IEEE Xplore,http://www.ieee.org (accessed 23 August 2013).
39. Khan, K. S., Ter Riet, G., Glanville, J., Sowden, A. J. and Kleijnen, J. (2001). Undertaking systematic reviews of research on effectiveness: CRD’s guidance for carrying out or commissioning reviews No. 4 (2nd ed.). NHS Centre for Reviews and Dissemination.
40. Kitchenham, B.A., Pearl Brereton, O., Budgen, D., Turner, M., Bailey, J. and Linkman, S. (2009). Systematic literature reviews in software engineering: a systematic literature review. Information and Software Technology 51(1): 7-15.
41. Kitchenham, B.A. (2004). Procedures for performing systematic reviews. Technical Report TR/SE-0401. Keele, UK, Keele University NICTA Technical Report 0400011T.1.
42. Kitchenham, B.A. and Brereton, P. (2013). A systematic review of systematic review process research in software engineering. Information and Software Technology 55(12): 2049-2075.
43. Liberati, A., Altman, D. G., Tetzlaff, J., Mulrow, C., Gøtzsche, P. C., Ioannidis, J. P., et al. (2009). The PRISMA statement for reporting systematic reviews and meta-analyses of studies that evaluate health care interventions: explanation and elaboration. Annals of Internal Medicine 151(4): W-65-W-94.
44. Liu, C.H., Chung, Y.F., Chen, T.S. and Wang, S.D. (2012). The enhancement of security in healthcare information systems. Journal of Medical Systems 36(3): 1673-1688.
45. Li, J. S., Zhou, T. S., Chu, J., Araki, K. and Yoshihara, H. (2011). Design and development of an international clinical data exchange system: the international layer function of the Dolphin Project. Journal of the American Medical Informatics Association 18(5): 683-689.
46. Lee, T.F., Chang, I.-P. and Wang, C.C. (2013). Simple group password-based authenticated key agreements for the integrated EPR information system. Journal of Medical Systems 37(2).
47. Li, M., Yu, S., Zheng, Y., Ren, K. and Lou, W. (2013). Scalable and secure sharing of personal health records in cloud computing using attribute-based encryption. IEEE Transactions on Parallel and Distributed Systems 24(1): 131-143. Available at: IEEE Xplore,http://www.ieee.org (accessed 23 August 2013).
48. Mackenzie, I.S., Mantay, B.J., McDonnell, P. G., Wei, L. and Macdonald, T. M. (2011). Managing security and privacy concerns over data storage in healthcare research. Pharmacoepidemiology and Drug Safety 20(8): 885-893.
49. Martínez, S., Sánchez, D. and Valls, A. (2013). A semantic framework to protect the privacy of electronic health records with non-numerical attributes. Journal of Biomedical Informatics 46(2): 294-303.
50. Matteucci, I., Mori, P., Petrocchi, M. and Wiegand, L. (2011). Controlled data sharing in e-health. 1st Workshop on Socio-Technical Aspects in Security and Trust (STAST), Milan. Available at: IEEE Xplore,http://www.ieee.org (accessed 23 August 2013).
51. Moher D., Liberati A., Tetzlaff J. and Altman D.G. (2009). The PRISMA Group. Preferred Reporting Items for Systematic Reviews and Meta-Analyses: The PRISMA Statement. PLoS Med 6(6): e1000097. doi:10.1371/journal.pmed1000097.
52. Murray, T.L., Calhoun, M. and Philipsen, N.C. (2011). Privacy, confidentiality, HIPAA, and HITECH: Implications for the health care practitioner. Journal for Nurse Practitioners 7(9): 747-752.
53. Murphy, S.N., Gainer, V., Mendis, M., Churchill, S. and Kohane, I. (2011). Strategies for maintaining patient privacy in i2b2. Journal of the American Medical Informatics Association 18(1): 103-108.
54. Neubauer, T. and Heurix, J. (2011). A methodology for the pseudonymization of medical data. International Journal of Medical Informatics 80(3): 190-204.
55. Pantazos, K., Lauesen, S. and Lippert, S. (2011). De-identifying an EHR database-anonymity, correctness and readability of the medical record. Studies in health technology and informatics 169: 862-6.
56. Riedl, B. and Grascher, V. (2010). Assuring integrity and confidentiality for pseudonymized health data. International conference on Electrical Engineering/ Electronics Computer Telecommunications and Information Technology (ECTI-CON), Chiang Mai, Thailand. Available at: IEEE Xplore,http://www.ieee.org (accessed 23 August 2013).
57. Rodrigues, J.J.P.C., De La Torre, I., Fernández, G. and López-Coronado, M. (2013). Analysis of the security and privacy requirements of cloud-based electronic health records systems. Journal of Medical Internet Research 15(8): e186.
58. Safran, C. and Goldberg, H. (2000) Electronic patient records and the impact of the Internet. International Journal of Medical Informatics 60(2): 77-83.
59. Sahama T. and Miller, E. (2011). Informed use of patients’ records on trusted health care services. International Perspectives in Health Informatics, Victoria, British Columbia, Canada.
60. Santos, J., Pedrosa, T., Costa, C. and Oliveira, J. (2010). Modeling a portable personal health record. Proceedings of the Third International Conference on Health Informatics, 20-23 January 2010, Valencia, Spain.
61. Santos, C., Pedrosa, T., Costa, C. and Oliveira, J. L. (2011). On the use of openEHR in a portable PHR. HEALTHINF-Proceedings of the International Conference on Health Informatics, Rome, Italy. Available at: BibSonomy, http://www.bibsonomy.org (accessed 23 August 2013).
62. SCImago (2012). SJR — SCImago Journal Country Rank. Available at: http://www.scimagojr.com (accessed 8 December2013).
63. Singh, R., Gupta, V. and Mohan, K. (2013). Dynamic federation in identity management for securing and sharing personal health records in a patient centric model in cloud. International Journal of Engineering and Technology 5(3): 2201-2209.
64. Standards Australia (2013). Health Level 7 (HL7) Available at: http://www.ehealth.standards.org.au/StandardsOrganisations/HealthLevel7.aspx (accessed 2 January 2014).
65. Stauch, M., Forgó, N. and Krügel, T. (2013). Using EHRs to design drug repositioning trials: A devolved approach to data protection. International Review of Law, Computers and Technology, 01 July 2013.
66. Stingl, C. and Slamanig, D. (2011). Health records and the cloud computing paradigm from a privacy perspective. Journal of Healthcare Engineering 2(4): 487-508.
67. Sun, J., Zhu, X., Zhang, C. and Fang, Y. (2011). HCPP: Cryptography based secure EHR system for patient privacy and emergency healthcare. 31st International Conference on Distributed Computing Systems, Minneapolis, MN. Available at: IEEE Xplore,http://www.ieee.org (accessed 23 August 2013).
68. Tharaud, J., Wohlgemuth, S., Echizen, I., Sonehara, N., Müller, G. and Lafourcade, P. (2010). Privacy by data provenance with digital watermarking: A proof-of-concept implementation for medical services with electronic health records. Sixth International Conference on Intelligent Information Hiding and Multimedia Signal Processing (IIH-MSP), Darmstadt. Available: IEEE Xplore,http://www.ieee.org (accessed: 23 August 2013).
69. Toh, S., Platt, R., Steiner, J.F. and Brown, J.S. (2011). Comparative-effectiveness research in distributed health data networks. Clinical Pharmacology and Therapeutics 90(6): 883-887.
70. Tsai, F.S. (2010). Security issues in e-healthcare. Journal of Medical and Biological Engineering 30(4): 209-214.
71. van der Haak, M., Wolff, A.C., Brandner, R., Drings, P., Wannenmacher, M. and Wetter, Th. (2003). Data security and protection in cross-institutional electronic patient records. International Journal of Medical Informatics 70(2-3): 117-130.
72. Von Laszewski, G., Dayal, J. and Wang, L. (2011). EMOLST: A documentation flow for distributed health informatics. Concurrency and Computation: Practice and Experience 23(16): 1857-1867.
73. Wickboldt, A.K. and Piramuthu, S. (2012). Patient safety through RFID: Vulnerabilities in recently proposed grouping protocols. Journal of Medical Systems 36(2): 431-435.
74. Win K.T. and Fulcher J. (2007), Consent mechanisms for electronic health record systems: a simple yet unresolved issue. Journal of Medical Systems 31(2): 91-96.
75. Win K.T. (2005). A review of security of electronic health record systems. Health Information Management Journal 34(1): 13-18.
76. Wu, C.H., Hwang, J.J. and Zhuang, Z.Y. (2013). A trusted and efficient cloud computing service with personal health record. International Conference on Information Science and Applications (ICISA) Suwon, Korea (South). Available at: IEEE Xplore,http://www.ieee.org (accessed 23 August 2013).
77. Wu, R., Ahn, G.J. and Hu, H. (2012). Secure sharing of electronic health records in clouds. 8th International Conference on Collaborative Computing: Networking, Applications and Worksharing (CollaborateCom), Pittsburgh, Pennsylvania. Available at: IEEE Xplore,http://www.ieee.org (accessed 23 August 2013).
78. Zhang R. and Liu, L. (2010). Security models and requirements for healthcare application clouds. IEEE 3rd International Conference on Cloud Computing, Miami, Florida. Available at: IEEE Xplore,http://www.ieee.org (accessed 23 August 2013).
79. Zhang, R., Liu, J., Han, Z. and Liu, L. (2011). RBTBAC: Secure access and management of EHR data. International Conference on Information Society (i-Society), London. Available at: IEEE Xplore,http://www.ieee.org (accessed 23 August 2013).