
Current Status of Information Security for Electronic Health Record Services in India

Pulkit Mehndiratta
Jaypee Institute of Information Technology, Sector-128, Noida, Uttar Pradesh, India
pulkit.mehndiratta@jiit.ac.in

Shelly Sachdeva
Jaypee Institute of Information Technology, Sector-128, Noida, Uttar Pradesh, India
shelly.sachdeva@jiit.ac.in

ABSTRACT
With the recent developments in information and communication technology, healthcare is constantly undergoing changes, with new medical technologies, business models and research findings. It has evolved as a new data-centric, more precise, productive, accurate and timely system, known as Electronic Health Records (EHRs), which can make the difference between life and death in acute situations. The requirements for security and privacy are also very critical and much more difficult to satisfy for EHR data than for any other data. This is due to the conflicting needs of clinicians (who demand open and easy access to EHRs) and patients (who prefer closed and private access to EHRs). The potential and capabilities of IT and its influence on Indian healthcare have been much talked about. Thus, this study examines the current status of security and privacy of various EHRs implemented in India. Also, based on the various findings, we propose a model to protect the security and privacy of the data subjects (patients).

Categories and Subject Descriptors
H.4 [Information Systems Applications]: Miscellaneous; K.6.5.a [Management of Computing and Information Systems]: Security and Privacy

General Terms
Security and Privacy, Electronic Health Records, Inference Control, Developing Country, India

1. INTRODUCTION

Electronic Health Records (EHRs) are the paperless solution to a disconnected healthcare world that runs on a chain of paper files. They provide new opportunities, improve productivity, and reduce administrative burdens, cost and medical errors. These become crucial in the case of an emergency where the patient may be unable to communicate this information. They provide doctors with more timely access to potentially life-saving information at the point of care while diminishing the paper trail. In general, an EHR includes clinical statements such as observations, laboratory tests, diagnostic imaging reports, treatments, therapies, drugs administered, and allergies. As more of our medical records are stored electronically, the threats to our security and privacy increase [1]. Electronic health records form an integral part of the healthcare system, and it is imperative that EHRs are safe because there is evidence that breaches in security have an impact on patients' health care. Thus, unless privacy and security problems are resolved, EHRs will not be widely adopted.

2. MOTIVATION

Recent trends in healthcare are adopting standardized EHRs. In developing countries like India, the conventional system of medication is still restricted to paper and pen. EHRs represent lifelong documentation of medical history for any patient. So, an efficient protocol and architecture is required, which is not standardized yet [9,10]. Thus, it is of utmost importance to provide doctors and patients with modern facilities like computer and mobile based medical solutions. This will ease the work of practitioners and make it more effective and productive. But, at the same time, security and privacy of the data have to be maintained in the system. A few of the security and privacy breaches that occurred in the past six to eight months around the globe [4] were due to a lack of security and privacy measures, and they affected the lives of patients. The ISO/TS 18308 standard gives the definitions of security and privacy issues for EHRs [2]. According to recent reports, the maximum civil fine for violating Health Insurance Portability and Accountability Act (HIPAA) [3] privacy regulations will increase and become 60 times higher (per provision) from the current $25,000 under an interim final rule published by Health and Human Services in the United States. This poster contributes an account of the current status of EHRs in India and of the various security and privacy issues. It throws light on whether the various EHRs implemented in India are in compliance with any standard act like the HIPAA Act or the HITECH Act.

3. METHODOLOGY

In India, apart from C-DAC (Center for Development of Advanced Computing) no other agency is working in the area of Health Informatics and Electronic Health Records (EHRs). C-DAC has developed various solutions such as E-Sushrut [5], DIGHT [6], Mercury, E-Sanjeevni, Tejhas, Ayusoft etc. Most of these solutions are indigenously developed and managed by C-DAC only. We have done an extensive study of the architecture of all the products and solutions developed and tried to evaluate the security and privacy component in them. Among these, E-Sushrut [5] is the most comprehensive and widely deployed Health Information System. This system incorporates an integrated computerized clinical information system for improved hospital administration and patient health care. The real time version streamlines the flow of patients and simultaneously empowers workflow to perform to their peak ability, but the security and privacy of the patients' data is limited to the user-level access control mechanism. No attention has been paid to data encryption and anonymity, which could lead to inference control. The system also lacks various measures to protect it from network attacks. Thus, very critical and highly confidential information can easily be compromised due to lack of proper measures. Project DIGHT (Distributed Infrastructure for Global eHr Technology) [6] proposed to have a separate module for security and privacy which will provide secure storage and access of EHRs, along with privacy to the user. But, till date no such module has been developed or implemented for India to suffice the purpose.

3.1 Proposal for Secure Architecture of EHRs

All the products designed and developed by C-DAC are lacking in the security and privacy component. Thus, we come up with a proposal for the architecture shown in Fig. 1, to provide security and privacy to the user (data subjects). This shows the function-wise reference layer model of the EHR system. The goal is to determine how we can include security and privacy techniques on each layer of this reference model of electronic health record database systems, to give maximum security as well as state of the art privacy to the data subjects.

Figure 1: Reference model for the Standardized Electronic Health Records Database systems with privacy and security measures at each layer.

4. RESULTS AND FUTURE SCOPE

We surveyed the problem of security and privacy for various Electronic Health Records (EHRs) already implemented and under development in India. Our findings indicate that most of the current systems are lacking in proper security and privacy measures for the system and the user information. Some that mention taking security and user privacy into consideration are not in compliance with an international act or standardized policy set like HIPAA or the HITECH Act. Thus, there is a need for imposing very stringent security policies and procedures. Security issues such as authentication, availability, confidentiality, integrity, access control, data ownership, data protection policies, user profiles and a standard model need to be taken into consideration for EHRs. Techniques like k-anonymity [7] and L-diversity [8] should be used to make data more private and anonymous, to disable inferences from the databases. By incorporating security measures and privacy preserving techniques, organizations can benefit from increased user confidence, convenience, and speed of access to information. A very high level of security and privacy is required for the front-end user application and the back-end database. Thus, in future we will try to come up with an architecture for Standardized EHRs which is in compliance with international standards and protects user privacy and system security.

5. REFERENCES

[1] State of the Union 1999. Address of William J. Clinton, USA, January 19, 1999.
[2] ISO/TS 13606 2012 http://www.iso.org/iso/catalogue detail.html (Last accessed on Nov 10, 2012).
[3] HIPAA 2012 Health Privacy Rule Act: http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html (Last accessed on Nov 21, 2012).
[4] Top 10 Data Security Breaches in 2012. 2012 http://www.healthcarefinancenews.com/news/top-10-data-security-breaches-in-2012 (Last accessed on Dec 24, 2012).
[5] E-Sushrut 2012 http://www.cdacnoida.in/healthcare.asp (Last accessed on December 06, 2012).
[6] DIGHT Distributed Infrastructure for Global eHr Technology 2012 http://dight.sics.se/?q=node/3 (Last accessed on December 06, 2012).
[7] L. Sweeney. 2002. k-Anonymity: A model for protecting privacy. International Journal on Uncertainty, Fuzziness and Knowledge-Based Systems, 2002.
[8] A. Machanavajjhala, J. Gehrke, and D. Kifer. 2006. L-diversity: Privacy beyond k-anonymity. Proceedings of the 22nd International Conference on Data Engineering, 3-8 April 2006, Atlanta, GA, USA.
[9] R. Addas, N. Zhang. 2011. Support Access to Distributed EHRs with Three Levels of Identity Privacy Preservation. Proceedings of the Sixth International Conference on Availability, Reliability and Security, 22-26 Aug 2011, Vienna, Austria.
[10] M.N. Huda, S. Yamada, N. Sonehara. 2009. Privacy-aware access to patient-controlled Personal Health Records in emergency situations. In Proceedings of the Third International Conference on Pervasive Health, 1-3 April, London, UK.
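As an added illustration of the k-anonymity [7] and L-diversity [8] checks that this poster recommends for inference control (not code from the authors or from any C-DAC system), the Python example below measures both properties on a constructed table before release. The field names, the choice of quasi-identifiers and the suppression step are assumptions made for the example.

```python
from collections import defaultdict

# Constructed, already-generalized EHR extract (not real patient data).
# Quasi-identifiers: age band, PIN-code prefix, sex. Sensitive: diagnosis.
RECORDS = [
    {"age": "30-39", "pin": "2013**", "sex": "F", "diagnosis": "diabetes"},
    {"age": "30-39", "pin": "2013**", "sex": "F", "diagnosis": "asthma"},
    {"age": "30-39", "pin": "2013**", "sex": "F", "diagnosis": "diabetes"},
    {"age": "40-49", "pin": "1100**", "sex": "M", "diagnosis": "hepatitis B"},
    {"age": "40-49", "pin": "1100**", "sex": "M", "diagnosis": "hepatitis B"},
    {"age": "50-59", "pin": "1100**", "sex": "M", "diagnosis": "cancer"},
]
QUASI_IDS = ("age", "pin", "sex")


def class_profile(records, quasi_ids, sensitive):
    """Map each equivalence class to (size, number of distinct sensitive values)."""
    groups = defaultdict(list)
    for rec in records:
        groups[tuple(rec[q] for q in quasi_ids)].append(rec[sensitive])
    return {key: (len(vals), len(set(vals))) for key, vals in groups.items()}


def k_and_l(records, quasi_ids, sensitive):
    """k = smallest class size; l = fewest distinct sensitive values in a class."""
    profile = class_profile(records, quasi_ids, sensitive).values()
    return (min((s for s, _ in profile), default=0),
            min((d for _, d in profile), default=0))


def violations(records, quasi_ids, sensitive, k, l):
    """Classes that are smaller than k or carry fewer than l sensitive values."""
    return {key: sd for key, sd in class_profile(records, quasi_ids, sensitive).items()
            if sd[0] < k or sd[1] < l}


def suppress(records, quasi_ids, sensitive, k, l):
    """Withhold every record of a violating class before the table is released."""
    bad = violations(records, quasi_ids, sensitive, k, l)
    return [r for r in records if tuple(r[q] for q in quasi_ids) not in bad]


if __name__ == "__main__":
    print("k, l before:", k_and_l(RECORDS, QUASI_IDS, "diagnosis"))
    print("fails k=2, l=2:", violations(RECORDS, QUASI_IDS, "diagnosis", 2, 2))
    safe = suppress(RECORDS, QUASI_IDS, "diagnosis", 2, 2)
    print("k, l after suppression:", k_and_l(safe, QUASI_IDS, "diagnosis"))
```

The class of two male patients aged 40-49 passes k = 2 yet shares a single diagnosis, so anyone known to be in that class has their diagnosis disclosed; this is the inference that the L-diversity check catches and k-anonymity alone does not.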
