Comprehensive user requirements engineering methodology for secure and interoperable health data exchange

Pantelis Natsiavas,Jan Petersen,David Marí,Fabrizio Clemente,Oana Stan,Luigi Coppolino,Paolo Campegiani,Evangelos Grivas,Luigi Romano,Jens Rasmussen ,Erol Gelenbe,Konstantinos Votis ,Giuliana Faiella,Marco Nalin,Isaac Cano,Maja Voss-Knude,Jos Dumortier,Dimitrios Tzovaras,Ioannis Komnios

doi:10.1186/s12911-018-0664-0

Abstract

BackgroundIncreased digitalization of healthcare comes along with the cost of cybercrime proliferation. This results to patients’ and healthcare providers' skepticism to adopt Health Information Technologies (HIT). In Europe, this shortcoming hampers efficient cross-border health data exchange, which requires a holistic, secure and interoperable framework. This study aimed to provide the foundations for designing a secure and interoperable toolkit for cross-border health data exchange within the European Union (EU), conducted in the scope of the KONFIDO project. Particularly, we present our user requirements engineering methodology and the obtained results, driving the technical design of the KONFIDO toolkit.MethodsOur methodology relied on four pillars: (a) a gap analysis study, reviewing a range of relevant projects/initiatives, technologies as well as cybersecurity strategies for HIT interoperability and cybersecurity; (b) the definition of user scenarios with major focus on cross-border health data exchange in the three pilot countries of the project; (c) a user requirements elicitation phase containing a threat analysis of the business processes entailed in the user scenarios, and (d) surveying and discussing with key stakeholders, aiming to validate the obtained outcomes and identify barriers and facilitators for HIT adoption linked with cybersecurity and interoperability.ResultsAccording to the gap analysis outcomes, full adherence with information security standards is currently not universally met. Sustainability plans shall be defined for adapting existing/evolving frameworks to the state-of-the-art. Overall, lack of integration in a holistic security approach was clearly identified. For each user scenario, we concluded with a comprehensive workflow, highlighting challenges and open issues for their application in our pilot sites. The threat analysis resulted in a set of 30 user goals in total, documented in detail. Finally, indicative barriers of HIT acceptance include lack of awareness regarding HIT risks and legislations, lack of a security-oriented culture and management commitment, as well as usability constraints, while important facilitators concern the adoption of standards and current efforts for a common EU legislation framework.ConclusionsOur study provides important insights to address secure and interoperable health data exchange, while our methodological framework constitutes a paradigm for investigating diverse cybersecurity-related risks in the health sector.

Highlights

Increased digitalization of healthcare comes along with the cost of cybercrime proliferation
KONFIDO is a European Union (EU) funded project [1], which aims to leverage novel approaches and cutting-edge technologies, such as homomorphic encryption [2], photonic Physical Unclonable Functions (p-PUF) [3], a Security Information and Event Management (SIEM) system [4], and blockchain-based auditing [5], in order to develop a holistic paradigm for secure, cross-border exchange, storage and overall handling of health data. It builds its solution upon existing/evolving European frameworks, such as OpenNCP (Open-source and reference version of the NCP software) [6], which is the open-source National Contact Point (NCP) software implementation of its predecessor project named epSOS (European Partners – Smart Open Services) [7], and electronic IDentification (eIDAS) [8], which stands for the EU regulation on electronic identification and trust services for electronic transactions in the internal market
In order to illustrate the user goals definition process, we present the analysis of BP2: “Access

Summary

Introduction

Increased digitalization of healthcare comes along with the cost of cybercrime proliferation. KONFIDO is a European Union (EU) funded project [1], which aims to leverage novel approaches and cutting-edge technologies, such as homomorphic encryption [2], photonic Physical Unclonable Functions (p-PUF) [3], a Security Information and Event Management (SIEM) system [4], and blockchain-based auditing [5], in order to develop a holistic paradigm for secure, cross-border exchange, storage and overall handling of health data.

Objectives

Methods

Results

Discussion

Conclusion