Encyclopedia
Please note this is a comparison between Version 1 by Parisasadat Shojaei and Version 2 by Mona Zou.
Health information systems (HISs) have immense value for healthcare institutions, as they provide secure storage, efficient retrieval, insightful analysis, seamless exchange, and collaborative sharing of patient health information. HISs are implemented to meet patient needs, as well as to ensure the security and privacy of medical data, including confidentiality, integrity, and availability, which are necessary to achieve high-quality healthcare services.
- health information systems
- healthcare
- medical data
- security
- privacy
1. Introduction
Described as comprehensive, technology-based systems, health information systems (HISs) are designed to manage and organize health data and information. These systems assist healthcare organizations in storing, retrieving, analyzing, and exchanging patient health information, thereby supporting clinical decision-making and enhancing patient care and outcomes. HISs typically include a range of software applications and tools for electronic health records (EHRs), health information exchange, clinical decision support (CDS), and administrative functions. These systems are versatile, being used in various settings such as hospitals, clinics, long-term care facilities, public health agencies, and even at home. HISs also play a pivotal role in enhancing data security and privacy, supporting compliance with regulations like the Health Insurance Portability and Accountability Act (HIPAA) [1].
The increase in digitalization of patient health information through electronic health records and personal health records has created new and serious threats to patient information security and privacy [2]. Medical data containing sensitive information about a patient’s health and personal life, including medical history, diagnoses, treatments, and personal identifying information, are vulnerable to breaches. Such breaches can lead to serious consequences, including identity theft, fraud, and medical malpractice [3]. The security of patient data encourages individuals to share their personal health information for current or future care [3]. Furthermore, if healthcare professionals cannot trust an organization to protect records, they may be reluctant to record all information collected from patients [4]. Therefore, it is essential that HISs are designed and implemented with privacy and security as core considerations [4]. This includes using secure technologies for storing and transmitting data, implementing access controls, and providing training to healthcare professionals on best practices for ensuring patient security and privacy. Moreover, ensuring the security and privacy of medical data, including confidentiality, integrity, and availability, is necessary to achieve high-quality healthcare services [3][4][3,4].
Table 1. Overview of various health information systems.
| Health Information System | Security Technologies |
Privacy Technologies |
Advantages | Disadvantages |
|---|---|---|---|---|
| Electronic Health Records (EHRs) | Encryption, Access Control, Auditing | Data Masking, Patient Consent Mechanisms | Improved data integrity, Efficient access control | Complex implementation, High initial setup costs, Privacy concerns, Concerns over data breaches |
| Health Information Exchange (HIE) | Secure Data Transmission Protocols, Identity Management | Anonymization Techniques, Consent Management Systems | Enhanced interoperability and data sharing | Concerns over data breaches during exchange, Consent management challenges |
| Clinical Trial Management Systems | Secure Data Storage, Blockchain for Auditing | De-identification Methods, Informed Consent Platforms | Enhanced traceability, Immutable data records | Limited scalability, Ethical concerns related to consent |
2. Mobile Health Application
Mobile devices play an important role in the management of medical data in health information science. However, organizations must ensure that appropriate security and privacy measures are in place to protect sensitive information from unauthorized access or theft. These privacy and security measures align with the proposals of Ref. [5][7], who suggest threat modelling to identify potential threats and possible mitigations. By integrating security policies, defining sensitivity levels of form fields, and corresponding security mechanisms, data security can be catered to as early as the design phase. In addition, articles [6][7][8][9][8,16,17,18] implement secure models to strengthen the privacy and security of medical data within mHealth applications. These models aim to protect sensitive health information throughout its lifecycle, from collection and transmission to storage and access. For instance, Ref. [7][16] suggests a lightweight security framework for securing mHealth data collection systems, relying on lightweight and low-cost mechanisms to secure data exchanged with servers. These findings emphasize the importance of implementing strong encryption techniques for both data in transit and data at rest. This includes encrypting communication channels between devices and servers, as well as storing medical data on mobile devices and in the cloud [6][8]. For example, Ref. [6][8] proposes a scheme called an Efficient and Provable Secure Certificate-Based Combined Signature, Encryption, and Signcryption (CBCSES) scheme. This scheme not only provides encryption and signcryption but also offers an encryption or signature model when needed.
Moreover, mHealth applications can be designed using a secure framework for data collection, minimizing the risk of unauthorized access or theft of information. This contributes to securing the data exchanged with the server and includes key features such as tolerance to delays and lack of connectivity [5][7][7,16]. A previous study identified the need to use secure cloud storage for storing data, which can provide additional backup and security measures [8][17]. The system proposed in [8][17] offers salient features including efficient key management, privacy-preserving data storage and retrieval—particularly effective in emergency situations—and auditability to prevent misuse of health data. Furthermore, an approach presented in [9][18] utilized privacy-aware anomaly detection methods. These prioritize the security of health data by identifying abnormal patterns and ensuring the privacy of individual users, thus helping to maintain the confidentiality and integrity of sensitive health information [9][18].
3. IoT
The Internet of Things (IoT) has the potential to transform healthcare by enabling data collection and exchange from various devices and sensors. IoT devices feature built-in security measures, including encryption and authentication, to protect data in transit and storage while ensuring access is restricted to authorized parties [10][28].
IoT devices can store and organize medical data, simplifying access and analysis for healthcare professionals [11][19]. A new shared, agnostic, and permissioned decentralized data layer enhances data availability. This architecture has been implemented in a real-world Internet of Medical Things (IoMT) application [11][19], effectively handling sensitive data by preserving privacy and ensuring data availability without third-party reliance. Additionally, the IoT enhances data security and privacy through encryption, robust authentication, and access control, ensuring that sensitive health data are accessible only to authorized parties, thereby making unauthorized access more challenging [12][13][14][15][16][20,21,22,23,24].
It is important to note that IoT applications in healthcare offer cost reduction and efficiency benefits. These applications streamline operations, minimize errors and waste, and reduce system costs [13][21]. The focus in [13][21] was on avoiding the key escrow problem and establishing a new session key between servers and personal digital assistants (PDAs) for future communication, enhancing cost-effectiveness, and security against various attacks. Remote monitoring contributes to shorter hospital stays and fewer readmissions, improving treatment outcomes and reducing healthcare costs [13][17][21,25]. Furthermore, Ref. [17][25] discusses using an edge server to compute data authenticators to verify data integrity, significantly reducing computational costs and the management burden on third-party verifiers.
4. Blockchain
Extensive research has established that blockchain technology offers a secure, transparent, and tamper-proof method for storing and sharing medical data, which is crucial for maintaining patient privacy and security within HISs. Operating on a decentralized network, blockchain technology lacks a central authority controlling the data. This approach mitigates the risk of a single point of failure or a single entity accessing sensitive information, addressing potential security issues inherent in centralized storage systems [10][28]. Additionally, Ref. [10][28] discovered that blockchain technology can overcome challenges related to interoperability, security, confidentiality, privacy protection, and secure storage. Similarly, Ref. [18][27] integrated two decentralized technologies, the Solid ecosystem and blockchain, using solidity-based smart contracts to resolve security issues, thereby providing a secure, patient-centric design for complex, developing electronic health record (EHR) data exchange.
Blockchain technology can also create secure private networks for sharing sensitive medical data (transferred and distributed) exclusively among authorized parties [19][20][33,49]. For example, Ref. [19][33] proposes a permissioned blockchain-based system for EHR data sharing and integration, employing public key infrastructure-based asymmetric encryption and digital signatures to secure EHR data. This system ensures patient privacy protection and adheres to healthcare data management requirements, including the access control policy specified by the patient. Similarly, Ref. [21][32] introduced a privacy-preserving medical data-sharing scheme that balances the need for privacy with the necessity of data sharing. This perspective aligns with Ref. [20][49], who utilized a blockchain-based secure data sharing mechanism for the safe uploading and sharing of health data. The study by Ref. [22][31] developed a blockchain-based system with a secure data storage architecture to tackle cybersecurity storage challenges, employing private data collection to ensure privacy and decentralizing nodes in the network to prevent storage complications. This method also addresses other security challenges typically associated with centralized systems. Furthermore, blockchain technology enables the creation of smart contracts that automate data sharing under predefined conditions, ensuring that data are only shared with authorized parties. In line with this, Ref. [23][30] developed an access control framework based on smart contracts, which is built on a distributed ledger (blockchain), to secure the sharing of electronic medical records among various entities in the smart healthcare system.
In the context of blockchain applications in HISs, patient autonomy is a central theme, allowing individuals to have ownership and control over their personal health data. This empowerment is crucial, yet it poses challenges, particularly when patients are cognitively impaired or unable to manage their data. In such cases, the use of advanced directives or legally authorized representatives could be integrated into blockchain systems to ensure responsible data management [24][26]. Moreover, blockchain’s decentralized nature and cryptographic techniques provide robust security for health data [18][27]. However, challenges arise in maintaining consistent permissions, especially in emergency situations where swift access to patient data is crucial. Smart contracts and cryptographic keys within blockchain networks can be employed to manage permissions seamlessly, ensuring healthcare professionals have necessary access while maintaining patient privacy and data integrity [23][30].
Furthermore, the legal implications of using blockchain in HISs under different jurisdictions, such as the potential access by the U.S. government to cloud-stored data under U.S. law, raise significant privacy concerns. While blockchain offers many benefits for healthcare data security, its integration into existing healthcare systems must be approached with caution, ensuring adherence to regulations like the HIPAA and addressing potential privacy issues related to decentralized data storage. This necessitates a careful balance between technological innovation and compliance with legal and regulatory standards.
5. Cloud Computing
Cloud computing offers multiple advantages for ensuring the security and privacy of medical data in HISs. By adopting cloud-based solutions, healthcare organizations benefit from strong security controls, encryption, access controls, redundancy, and compliance certifications, all aimed at safeguarding patient data. These include multi-factor authentication and role-based access control, ensuring that only authorized personnel can access sensitive medical data, thereby enhancing security measures [25][26][36,38].
Moreover, cloud computing can be more cost-effective compared to maintaining an on-premises IT infrastructure. This efficiency comes from eliminating the need for expensive hardware and software, allowing healthcare organizations to reduce costs and improve their overall financial performance [25][36]. Cloud computing also guarantees data recovery following a disaster, further bolstering data security and privacy [8][27][17,37]. For instance, a study by Ref. [27][37] describes a secure encryption algorithm (SE) combined with fragmentation and dispersion for storage. This method is designed to protect data even if both the key and the public fragment of EHR data on clouds are compromised. This aligns with other research demonstrating that storing EHR in the cloud significantly enhances security and protects patient information from unauthorized access [28][50].
6. Other Technologies
In addition to the technologies mentioned earlier, several studies have examined methods that employ a variety of technologies to enhance the security and privacy of medical data. Table 25 presents an overview of these technologies.
Table 25. Overview of other technologies used in HISs.
| Reference | Technology Name | Security and Privacy Features |
Primary Functions | Advantages |
|---|---|---|---|---|
| [29][39] | Multi-agent-based systems (user interface agent, authentication agent, connection establishment agent, and connection management agent) | Security Privacy |
These intelligent agents make ease of use and effective communication between patients/users and the e-service providers. | Simple and efficient access control mechanism based on the agents’ functionalities, Provides effective and secure e-health security services |
| [30][40] | Log of round value-based elliptic curve cryptography (LR-ECC) Herding genetic algorithm-based deep learning neural network (EHGA-DLNN) |
Security Privacy |
Enhance the security level during data transfer after the initial authentication phase | High security and accuracy |
| [31][41] | Hash-based BBS (HBBS) | Security | For integrity purposes, the hash value is generated using secure hash algorithm SHA-256 and is hidden in the least significant bit (LSB) of the extracted pseudo-random bits for the purpose of generating multiple keystreams. | Has high security and good efficiency |
| [32][42] | Decentralized federated learning-based convolutional neural network | Security Privacy |
Presents a privacy-friendly and secure EHR scheme for medical cyber-physical systems. | Securing valuable hospital biomedical data useful for clinical research organizations, Suitable for promoting a secure and privacy-friendly environment for sharing data with clinical research centers for biomedical research |
| [33][43] | Ordered binary decision diagram (OBDD) |
Security | Achieves immediate attribute/user revocation, collusion resistance, forward security, backward security, efficiency, and expressiveness | The efficiency of the scheme can be attributed to the use of prime-order groups, minimized hashing operations, and reduced amount of exponentiation operations. |
| [34][44] | Elliptic curve cryptography (ECC) operations Physically unclonable function (PUF) |
Security | Improve security and efficiency at the same time, Strict formal security proof is provided to demonstrate the proposed scheme meets the security and reliability requirements |
Meets more security and usability requirements and takes less computational and communication costs than related protocols proposed recently |
| [35][45] | Lightweight encryption scheme Message authentication code (MAC) generation scheme |
Security Privacy |
Secures the communication between medical sensors and data servers | Achieves data confidentiality, authenticity, and integrity between each medical sensor and each data server |
| [36][46] | Subprotocols as building blocks, such as PPC, PPCC, PPSS, and PPSU protocols | Privacy | It first designs secure and privacy-preserving several subprotocols to ensure privacy in the e-healthcare system, then it adopts the greedy algorithm in a secure manner to perform the query and the min-heap technology to improve efficiency. | Practical and efficient in terms of computational cost and communication overhead |
| [37][47] | Near-field communication (NFC) authentication mechanism | Privacy | To generate a trustworthy source of visit records, the article uses a system that supplies concrete evidence that healthcare personnel visited a patient’s residence. | Using the NFC tag enhances the workflow of users and integrates it into a seamless access control process. It helps improve user interaction by eliminating user input tasks. |
| [38][48] | Spring Framework services for sensitive data (TSD) Hypertext Transfer Protocol (HTTP (H)) |
Security | Providing secure hosting and operation of application services, collection, storage, processing, and provisioning of data | A key element of Spring is application-level infrastructure support. It effectively protects the application programming interface (API) and personal health data. |
| [20][49] | Edge cloud blockchain |
Security | The edge cloud performs context-aware health situation identification and utilizes a blockchain-based secure data sharing mechanism to facilitate secure uploading and sharing of health data. | It identifies the health situation based on a similarity measure in the edge cloud. A blockchain-based securing data sharing mechanism is used to achieve secure sharing of health data among patients and health service providers. |
The study by Ref. [38][48] developed a hybrid security solution using the Spring Framework, services for sensitive data (TSD) as a service platform, and Hypertext Transfer Protocol (HTTP) security methods. This solution provides secure hosting and operation of application services, as well as the collection, storage, processing, and provisioning of data. The results demonstrate that the adopted digital solution effectively protects APIs and personal health data. Another study by Ref. [31][41] presents a new hash-based BBS (HBBS) pseudo-random bit generator to ensure the integrity and security of data, making it suitable for smart health applications and telemedicine. This study also proposes an encryption technique aimed at achieving robust security during the transmission of medical data. Furthermore, Ref. [34][44] introduces a secure and lightweight approach using fewer elliptic curve cryptography (ECC) operations and a physically unclonable function (PUF), improving security and efficiency with lower computational and communication costs. The study by Ref. [35][45] proposes a privacy-preserving encryption approach that incorporates an innovative data collection protocol. This method involves dividing patient data into three parts and storing them across three data servers to maintain privacy.
Additionally, Ref. [36][46] designed several secure and privacy-preserving subprotocols to ensure privacy in an e-healthcare system, adopting a secure greedy algorithm for query performance and min-heap technology to enhance efficiency. The method in [37][47] offers an architecture that improves the reliability of data exchange between healthcare personnel by providing a security layer that supports accountability through context-aware services, enabling appropriate data access for users. Ref. [30][40] proposes a secure method for preserving privacy in healthcare data, specifically for disease prediction in modern healthcare systems. This system uses cryptography during data transfer and allows authorized healthcare staff to securely access patient data for disease prediction using a herding genetic algorithm-based deep learning neural network. Ref. [33][43] suggests a secure, expressive, and efficient access control scheme with immediate attribute/user revocation in collaborative e-health systems, based on the ordered binary decision diagram (OBDD) access structure. It binds user keys to user identities, therefore creating resistance to collusion attacks. Additionally, Ref. [29][39] highlights a model based on a multi-agent system comprising various intelligent agents such as a user interface agent, authentication agent, connection establishment agent, and connection management agent. This model provides effective and secure e-health security services, facilitating ease of use and effective communication between users and e-service providers.
Various studies have demonstrated the relationship between secure solutions for storing and sharing sensitive health information and ensuring the security and privacy of data in HISs. For instance, Ref. [32][42] proposed a secure scheme using a decentralized federated learning-based convolutional neural network, private and public interplanetary file systems (IPFS), a consortium blockchain network, and smart contracts. This scheme is ideal for promoting a secure and privacy-friendly environment for data sharing. In a study by Ref. [20][49], a framework for 5G-secure smart healthcare monitoring (5GSS) was employed for fast and accurate identification of context-aware health situations, along with a blockchain-based secure data sharing mechanism and low-latency services for emergent patients.
