Abstract
Background: Smartphones can tackle healthcare stakeholders' diverse needs. Nonetheless, the risk of data disclosure/breach can be higher when using such devices, due to the lack of adequate security and the fact that a medical record has a significantly higher financial value when compared with other records. Means to assess those risks are required for every mHealth application interaction, dependent and independent of its goals/content.

Objective: To present a risk assessment feature integration into the SoTRAACE (Socio-Technical Risk-Adaptable Access Control) model, as well as the operationalization of the related mobile health decision policies.

Methods: Since there is still a lack of a definition for health data security categorization, a Delphi study with security experts was performed for this purpose, to reflect the knowledge of security experts and to be closer to real-life situations and their associated risks.

Results: The Delphi study allowed a consensus to be reached on eleven risk factors of information security related to mobile applications that can easily be adapted into the described SoTRAACE prototype. Within those risk factors, the most significant five, as assessed by the experts, and in descending order of risk level, are as follows: (1) security in the communication (e.g., used security protocols), (2) behavioural differences (e.g., different or outlier patterns of behaviour detected for a user), (3) type of wireless connection and respective encryption, (4) resource sensitivity, and (5) device threat level (e.g., known vulnerabilities associated with a device or its operating system).

Conclusions: Building adaptable, risk-aware resilient access control models into the most generalized technology used nowadays (e.g., smartphones) is crucial to fulfil both the goals of users as well as security and privacy requirements for healthcare data.
Highlights
Since that search emphasized a lack of definition of security data categorization, especially in the heterogeneous domain of healthcare, a Delphi study was performed to allow the first definition of such categorization to be used within the mHealth SoTRAACE prototype in terms of quantitative risk. The Delphi method [36] is a structured communication method, which relies on a panel of experts in the specific research domain to answer a questionnaire in a structured, systematic, iterative, and anonymous way.
We present results from the architecture, requirements, and implementation of risk assessment into the SoTRAACE prototype, as well as the description of patient use cases and how this can reflect into an mHealth application.
For the SoTRAACE model, risk assessment features were included within the Adaptable Access Control Policy (AACP) component (see Figure 1).
Summary
Health information systems can empower the performance and maintenance of health services, but the processing and storage of highly sensitive data raises serious concerns regarding privacy and safety of patients [1]. The healthcare industry is a prime target for medical information theft due to the systematic unpreparedness in dealing with cyber threats menacing vital data [2]. There is a need to increase the awareness and understanding that, in healthcare, the risk associated with patient data is not just about such data, but about patient care delivery, and potentially, even about the mental and physical health of the patient [3]. But risk, as the by-product of the likelihood of a vulnerability being exploited by a threat and the negative impact this can cause [4], is very difficult to calculate and maintain, especially in such a heterogeneous and high turnover environment. The risks can increase considerably when personal health-related data can be collected, processed, and stored by many different types of devices (e.g., smartphones, smartwatches, or other IoT sensors), each with its associated vulnerabilities, anytime and anywhere [5]. This situation is bound to become more and more frequent given the pressure put by the constant increase of the aged population worldwide in need of health-related ambient assisted living products [6] and the empowerment that current legislation and regulation on personal data protection offers individuals [7, 8].

In the healthcare domain, smartphones can bring many advantages to tackle diverse needs of stakeholders. The risk of data disclosure/breach can be higher when using such devices, due to the lack of adequate security and the fact that a medical record has a significantly higher financial value when compared with other records. Means to assess those risks are required for every mHealth application interaction, dependent and independent of its goals/content.
The Delphi study allowed a consensus to be reached on eleven risk factors of information security related to mobile applications that can be adapted into the described SoTRAACE prototype. Within those risk factors, the most significant five, as assessed by the experts, and in descending order of risk level, are as follows: (1) security in the communication (e.g., used security protocols), (2) behavioural differences (e.g., different or outlier patterns of behaviour detected for a user), (3) type of wireless connection and respective encryption, (4) resource sensitivity, and (5) device threat level (e.g., known vulnerabilities associated with a device or its operating system). Building adaptable, risk-aware resilient access control models into the most generalized technology used nowadays (e.g., smartphones) is crucial to fulfil both the goals of users as well as security and privacy requirements for healthcare data.