Privacy preserving access control in e-healthcare environment

Abstract

e-Healthcare promises to be the next big thing in healthcare. It offers all the advantages and benefits that can be imagined as possible by the patient as well as user: it allows for enhanced simplicity, efficiency, accuracy, access and transparency. However, current e-Healthcare systems are far from developed and mature, thus lack the required degree of confidentiality, integrity, privacy and user trust in order for them to be globally implemented. As with most information systems in their early stages of development and deployment, they lack the required degree of sophistication and completeness to be adopted as a replacement for existing, in place and practiced technologies and services. Two primary aspects of any operational healthcare enterprise are quality of healthcare service and patient and user trust over healthcare enterprise. Use of modern technology and ICT means that quality of e-healthcare is better than current, traditional healthcare services around the globe. E-Healthcare addresses all performance issues of the legacy healthcare approach. Apart from enhanced overall speed, it also allows for better diagnosis, treatment and record keeping and sharing. Other less defined but equally important aspect of a successful healthcare enterprise is trust. This is the grey area for modern e-healthcare as it fails to dedicate sufficient resources, effort and attention to this. Trust is intertwined with handling of issues like confidentiality, integrity, accountability, authenticity, identity and data management to name a few. Trust, by the patient as well as the user has to be a part of e-healthcare’s every aspect in order for it to acceptable and implementable. Privacy remains one of the biggest obstacles to be overcome in e-healthcare in order to ensure its success in winning patient trust as it indirectly covers most of security concerns. Privacy has become of more and more importance to people due to recent events (data breaches, unauthorized information sharing and usage) and it is taken as an integral part of all things technological and using one’s personal information. Addressing privacy concerns imply addressing security issues like access control, authentication, non-repudiation, accountability etc. because end to end privacy cannot be ensured without these. Achieving privacy from sensors end (WSN) incorporating IoT to communication link to data storage and access is a huge undertaking and requires extensive work. Privacy requirement is further compounded by the fact that data being handled in this enterprise is of extreme personal and private nature and its mismanagement either intentionally or unintentionally could seriously hurt a patient along with future prospects of e-Healthcare enterprise. To top it all off, legal and compliance requirements vary from place to place, and most of the time are mandatory for e-healthcare providers to comply with in order to handle personal healthcare/identifiable information. These legal and compliance requirements are meant to streamline, standardize e-healthcare industry along with ensuring that sensitive information possessed by these service providers is properly secured, processed, stored, transmitted and shared. This is a huge undertaking for any service provider to be compliant but being in line with these requirements boast patient and user trust which in the end is amongst the most important things for e-healthcare enterprise. Research carried out in order to address privacy concerns is not of truly homogenous nature. It focuses on certain parts of e-Healthcare enterprise failing to fully address all aspects of privacy. There is surprisingly low amount of research seeing into the effectiveness of controls and requirements put forward in legal and compliance requirements (HIPAA, HITECH etc.). In the middle of this ongoing research and implementation, a gradual shift has been seen in shifting of e-Healthcare enterprise controls from organization controlled towards patient controlled. This is intended at giving patient more control and authority over decision making regarding his/her PHI/EHR. A lot of work and effort needs to be put in order to better assess this change and its feasibility in the e-Healthcare enterprise. Research carried out can be divided based on technique being used for ensuring privacy of personal information. These include data anonymization/ pseudonymizing and access control mechanisms primarily for stored data privacy among other techniques. This however results in certain privacy requirements being given a back seat (accountability, integrity, non-repudiation, identity management). This paper reviews research carried out in this regard. It explores whether this research offers any viable solutions to patient privacy requirements for e-Healthcare and how all privacy concerns of its user (technical as well as psychological) can be addressed. Reviewing research carried out in this regard, an access control model is being presented that aims to provide with the suitable solution to privacy concerns that have been identified in currently presented privacy preservation models.