Data Privacy and Security in Healthcare Systems
Research · May 2024
DOI: 10.13140/RG.2.2.35998.55363
Author: Aleksi Haapalainen, Lappeenranta – Lahti University of Technology LUT
ResearchGate: https://www.researchgate.net/publication/380930353
Uploaded by the author on 28 May 2024.


Data Privacy and Security in Healthcare Systems

Aleksi Haapalainen

28.05.2024

1 Introduction

In the ongoing era of digitalization, every service and system is evolving to become more digital and more
accessible. Even the most traditional industries are rapidly digitalizing (Kortelainen et al., 2019). During the
2000s every public service gradually started transitioning into a digitalized system. Later, in the 2010s, nearly
every previously digitalized system started to transform into an online system accessible from home computers
and later from mobile phones. The transition from a paper archive to a fully online digital system has been fast
and revolutionary. Where one formerly needed to walk into a bank to pay bills, today the same operation can be
performed conveniently through a mobile application on a smartphone. This paper aims to explore further the
digitalization of healthcare systems and, more specifically, data security and privacy in current healthcare
systems. The topic is timely, since many Finnish wellbeing services counties are currently in transition to one
unified system instead of the many different systems that may be in use in different municipalities. This subject
has been comprehensively studied over the decades of transition because of the personal aspect of the data and
its ethical nature.
After the massive wave of digitalization in the public sector, there have been many variations of systems and
technical solutions over the years to arrive at the desired fluent system covering the healthcare sector. This
kind of system is not straightforward to implement, or even to define. A healthcare system contains highly
sensitive patient information, which must be preserved securely and correctly. According to Zhang and Liu,
healthcare systems mainly consist of three concepts: electronic health records (EHR), electronic medical
records (EMR) and personal health records (PHR). These three concepts are the most critically sensitive
personal information handled in healthcare systems. It is important to process this kind of information
correctly, so that the sensitive information does not end up in the wrong hands. (Zhang and Liu, 2010)
While software engineering is evolving quickly, hackers and cyber criminals are developing new techniques
all the time to gain access to restricted systems and break different software. Cyber security attacks are
continuously increasing worldwide and have become an extensive problem in the field of industrial system
integration and system protection. Recent studies have shown that attackers are more likely to target public
sector and critical infrastructure systems, which include healthcare systems. According to Hautamäki and
Kokkonen, the healthcare industry is one of the most targeted sectors for cyber-attacks. This argument is also
supported by the study by Johnson and He in their paper “Generic security cases for information system
security in healthcare systems”, which indicates that the healthcare sector accounts for 43% of all reported
data breaches. Therefore, it is critical that the systems are kept in line with current trends and guidelines of
cyber security. The problem with healthcare systems is that the entirety of the system is composed of multiple
different sub-sectors of healthcare and of their systems from different providers. The healthcare industry also
includes multiple medical devices which can be connected to the internet and therefore add to the risk of
being vulnerable to cyber security attacks. (Hautamaki and Kokkonen, 2020; Johnson and He, 2012)
The main problem of healthcare systems is the complexity of different systems and different software
manufacturers. The entirety of the systems becomes a large and complex net of different systems and data
pipelines across different organizations, which often includes healthcare sectors but also third-party companies
that provide the software and servers. Cloud computing has also brought a new aspect to the systems. Cloud
computing has been adopted as an alternative to local servers for storing and running healthcare systems, in
order to cut down the costs of the systems but also to simplify the system as a whole. This creates a new
security scheme, since now the data is stored on a third-party cloud server which can be located anywhere in
the world. The cloud computing aspect offers a solid layer of security for the system and data against cyber
security attacks, but it raises another issue, which is internal access to and restriction of the data, since the
software is in the hands of third-party vendors. For cloud computing solutions in the healthcare industry, Zhang
and Liu argue for three main security concepts. First, all medical records should be guarded through
ownership-controlled encryption, which would eliminate the possibility of a third-party worker gaining access
to the medical data itself. Second, the records themselves should retain authenticity and integrity throughout
the integration process. Third, the data pipeline in the system should provide end-to-end verification through
signatures and certification processes against unauthorized access to and change of the healthcare data.
Johnson and He share a somewhat similar view of the main features which have led to data breach incidents.
According to their study, three key features were common in different data breach cases: 1. sensitive data was
not properly encrypted; 2. security policies and procedures were not correctly implemented and communicated;
3. incident handling and response were delayed. The features mentioned in both studies would have had a great
impact in past data breach cases and should not be taken lightly. (Johnson and He, 2012; Zhang and Liu, 2010)
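As an added illustration of the three principles above (ownership-controlled encryption, record integrity and end-to-end verification by signature), the following Go program is example code written for this discussion, not code from Zhang and Liu or from any particular healthcare system; the record fields, organisation names and key handling are assumptions.

```go
package main

// Added example, not code from Zhang and Liu's paper: a record envelope that
// applies the three principles above. The record body is encrypted under a key
// only the patient holds (AES-256-GCM), the issuing organisation signs the
// ciphertext with Ed25519, and any hop can verify that signature without being
// able to read the record. Field and organisation names are assumptions.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// Envelope is all a cloud provider or integration hop ever sees.
type Envelope struct {
	RecordID, Issuer  string
	Nonce, Ciphertext []byte
	Signature         []byte // issuer's Ed25519 signature over signedBytes()
}

// signedBytes binds id, issuer, nonce and ciphertext together under one signature.
func (e *Envelope) signedBytes() []byte {
	b := []byte(e.RecordID + "|" + e.Issuer + "|")
	b = append(b, e.Nonce...)
	return append(b, e.Ciphertext...)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the record under the patient's key and signs it with the issuer's key.
func Seal(id, issuer string, record map[string]string, patientKey []byte, issuerPriv ed25519.PrivateKey) (*Envelope, error) {
	plain, err := json.Marshal(record)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(patientKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// id and issuer are passed as additional authenticated data, so the
	// ciphertext cannot be re-attributed to another patient or organisation.
	env := &Envelope{RecordID: id, Issuer: issuer, Nonce: nonce,
		Ciphertext: gcm.Seal(nil, nonce, plain, []byte(id+"|"+issuer))}
	env.Signature = ed25519.Sign(issuerPriv, env.signedBytes())
	return env, nil
}

// Verify runs at every hop: it needs only the issuer's public key, never the patient key.
func Verify(env *Envelope, issuerPub ed25519.PublicKey) error {
	if !ed25519.Verify(issuerPub, env.signedBytes(), env.Signature) {
		return errors.New("envelope altered in transit or not issued by " + env.Issuer)
	}
	return nil
}

// Open succeeds only for the holder of the patient key, and only if the envelope is intact.
func Open(env *Envelope, patientKey []byte, issuerPub ed25519.PublicKey) (map[string]string, error) {
	if err := Verify(env, issuerPub); err != nil {
		return nil, err
	}
	gcm, err := newGCM(patientKey)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.RecordID+"|"+env.Issuer))
	if err != nil {
		return nil, errors.New("wrong key or tampered ciphertext")
	}
	var record map[string]string
	if err := json.Unmarshal(plain, &record); err != nil {
		return nil, err
	}
	return record, nil
}
```

A storage operator holding only the envelope and the issuer's public key can run Verify but not Open, which is the separation the first principle asks for.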
In Finland the Vastaamo case is a widely known and unique cyber security breach. In short, the
psychotherapy center Vastaamo had a negligently designed healthcare system which suffered from severe
security flaws. In 2019 attackers found these vulnerabilities and exploited them. The attackers gained access
to the whole patient information database, which contained highly sensitive and personal information. The
Vastaamo organization found out about the breach, but instead of reporting the incident to the authorities and
patients, they decided to try to cover it up. When the attackers started to blackmail the patients by publishing
their personal data on the internet, the whole case was revealed to the public. Unfortunately, the attackers did
spread the whole database to the open internet, allegedly by accident. Afterwards, when the authorities started
to investigate the case, it was revealed that the developers of the system had raised concerns about its security,
but the management of the company chose not to pay any attention to these concerns. A dedicated cyber
security expert was never hired to analyze whether the system was secure, which should always be done when
dealing with data as sensitive as EHR, EMR and PHR. (“’Jotain osaan tietokoneella tehdä’ – Vastaamo-epäilty
kertoi kuulustelussa, ettei hallitse ohjelmointia - Kotimaa | HS.fi,” n.d.; “Vastaamon entinen IT-työntekijä:
‘Jos jotain ei tehty kunnolla, niin se oli tietoturva’ - MTVuutiset.fi,” n.d.)
The Vastaamo case is the first of its kind in Finland and an example of why, now at the latest, it is extremely
important to start paying attention to cyber security in critical and sensitive systems and infrastructure. In this
particular case, multiple key features mentioned before can be identified which led to the unfortunate events.
Two main features are that security policies were practically nonexistent and that no so-called disaster
recovery plan was initiated. In addition, the data was not encrypted in their system and the integrity of the
system was never measured. During the evolution of software engineering, multiple security solutions and
techniques have been developed, such as anti-virus software, threat analysis tools, security standards and
security best practices, to name a few. The main problem in the industry comes from the system as a whole, as
mentioned before. When systems become large and complex and are also linked to other systems, it becomes
difficult for management to ensure that they cover every section needed and implement coherent
countermeasures. The diversity of products and tools also creates an imminent need for experts to implement
and analyze the needed operations, which naturally brings extra costs for the projects. (Johnson and He, 2012)
In addition to substantial cyber security actions, healthcare organizations and third-party vendors have also
proliferated internal security guidance, policies, procedures and audit requirements. These documented
processes may be hundreds of pages long, which leads to a situation where staff often fail to read and
understand the policies and procedures correctly. This can affect the cyber security section and how some
policies are applied to the IT infrastructure. When these processes are chained across multiple different
organizations, all of which are connected to the process of developing and maintaining the healthcare system,
the overview of the security management systems and procedures becomes complex and difficult to
understand. As seen from past data breach incidents in the healthcare industry, most of the cases follow a
somewhat similar pattern and could have been prevented with correct policies and procedures, as mentioned
before. (Johnson and He, 2012)

2 Related research

This chapter covers the related research on the subject and discusses the potential solutions suggested over the
years in different studies. Because the field of privacy and security is quite extensive, this paper examines four
different problems and potential solutions regarding privacy and security in the healthcare sector. These four
topics are information sharing, privacy-preserving frameworks, digitalization of healthcare environments and
the role of big data in the healthcare sector. Since the healthcare industry is a highly sensitive and confidential
sector of public services, researchers have conducted comprehensive research on the subject. The transition of
the systems to a more digital and unified system across different healthcare actors has raised concerns about
the security of the systems and the privacy of the data. The studies have shown multiple different potential
solutions and improvements for the processes, but none has emerged as one universal standard or solution to
fix all problems. It is also important to acknowledge that there is not one simple and unequivocal problem, nor
one solution, for the security aspect of the healthcare industry. The problem has multiple different aspects
which need to be addressed and inspected individually.

2.1 Presented solutions

Information sharing models


Information sharing has become an essential part of the healthcare industry. While healthcare infrastructure
has transitioned to digitalized systems and software, many different functions of the industry have been
outsourced to different third-party vendors and placed under different organizations inside the industry. This
has created a situation where communication between different healthcare sectors has become difficult,
requiring complex integrations between different systems. For example, in Finland before the wellbeing
services counties were formed, a city might have had a functional pipeline within its municipal healthcare
services from the patient system to the invoicing system. These municipal systems were only integrated with
the national Kanta service. After the reorganization of the social and healthcare organizations, every city and
municipality needed to integrate their systems with each other, and therefore one wellbeing services county
might involve multiple systems from different vendors. This leads to a complex situation where the whole is
difficult to understand, and information is not shared effectively enough between systems and processes.
Hautamäki and Kokkonen present a functional model for information sharing across different organizations.
In their study they indicate that in highly digitalized domains such as the healthcare sector, situational
awareness is required to avoid security issues. Clear decision making also requires knowledge and
understanding of the situation. Cyber security information is often classified, and especially in healthcare
systems most information and procedures between systems are classified. This complicates the process of
defining and implementing security procedures and policies. The information sharing model introduced in the
study combines two traditional and well-known information sharing models, the hub-and-spoke model and the
peer-to-peer model. The model presented is not dependent on the hub, which removes the delays and time
sensitivity that a hub causes in the process. The model is also not limited to peer sharing, but is capable of
sharing information flexibly between multiple actors. The model uses Dijkstra's algorithm to determine the
data sharing path. This kind of data sharing model could possibly simplify information sharing in the complex
network of healthcare systems, but requires more in-depth study of its security aspects. (Hautamaki and
Kokkonen, 2020)
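The following Go program is an added example, not code from Hautamäki and Kokkonen's study: it models organisations as nodes with weighted sharing links, uses Dijkstra's algorithm to pick the sharing path, and shows that a path still exists over peer links when the hub is unavailable. Organisation names and link costs are constructed.

```go
package main

// Added example, not code from Hautamäki and Kokkonen's paper: organisations
// are nodes, trusted sharing links carry a cost (for example expected delay),
// and Dijkstra's algorithm selects the cheapest sharing path. Removing the hub
// shows that sharing continues over peer links, which is the property the
// model claims. Organisation names and costs are constructed for illustration.

import (
	"container/heap"
	"errors"
)

type edge struct {
	to   string
	cost float64
}

// Network is an undirected graph of organisations and their sharing links.
type Network struct{ adj map[string][]edge }
func NewNetwork() *Network { return &Network{adj: map[string][]edge{}} }

// AddLink records a bidirectional sharing link with the given cost.
func (n *Network) AddLink(a, b string, cost float64) {
	n.adj[a] = append(n.adj[a], edge{b, cost})
	n.adj[b] = append(n.adj[b], edge{a, cost})
}

// Remove drops an organisation (for example an unavailable hub) and its links.
func (n *Network) Remove(org string) {
	delete(n.adj, org)
	for k, es := range n.adj {
		kept := es[:0]
		for _, e := range es {
			if e.to != org {
				kept = append(kept, e)
			}
		}
		n.adj[k] = kept
	}
}

// item and pq form the min-heap that Dijkstra's algorithm pops from.
type item struct {
	org  string
	dist float64
}
type pq []item
func (p pq) Len() int            { return len(p) }
func (p pq) Less(i, j int) bool  { return p[i].dist < p[j].dist }
func (p pq) Swap(i, j int)       { p[i], p[j] = p[j], p[i] }
func (p *pq) Push(x interface{}) { *p = append(*p, x.(item)) }
func (p *pq) Pop() interface{} {
	old := *p
	it := old[len(old)-1]
	*p = old[:len(old)-1]
	return it
}

// SharingPath returns the cheapest path from src to dst and its total cost.
func (n *Network) SharingPath(src, dst string) ([]string, float64, error) {
	dist := map[string]float64{src: 0}
	prev := map[string]string{}
	q := &pq{{src, 0}}
	for q.Len() > 0 {
		cur := heap.Pop(q).(item)
		if cur.dist > dist[cur.org] {
			continue // stale heap entry; a cheaper route was already found
		}
		for _, e := range n.adj[cur.org] {
			nd := cur.dist + e.cost
			if d, ok := dist[e.to]; !ok || nd < d {
				dist[e.to] = nd
				prev[e.to] = cur.org
				heap.Push(q, item{e.to, nd})
			}
		}
	}
	if _, ok := dist[dst]; !ok {
		return nil, 0, errors.New("no sharing path from " + src + " to " + dst)
	}
	var path []string
	for at := dst; ; at = prev[at] {
		path = append([]string{at}, path...)
		if at == src {
			break
		}
	}
	return path, dist[dst], nil
}
```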

Privacy-preserving framework for healthcare data sharing


Continuing with the data sharing aspect of the healthcare industry, not only cyber security information but
also medical records sharing becomes an essential part of information sharing. The ability to share medical
records across organizations can greatly improve medical treatment, but also scientific research. Medical
records are personal and highly sensitive data, which must be handled accordingly. According to the study of
privacy-preserving healthcare data sharing, most of the approaches developed for data sharing focus on a small
scope of the problem with only a single theory (Lei Chen et al., 2012). In their study Chen, Yang, Wang and
Niu introduce a framework for privacy-preserving data sharing. The framework takes a more practical view of
the application in a more comprehensive way. It is focused on three key problems of privacy protection, which
are privacy definition and detection, privacy protection policy management and privacy-preserving healthcare
data sharing. This paper does not cover the key problems and solutions in depth, but the main concept of the
framework is based on three different layers, which contain components such as anonymization, user
management, privacy detection and policy management. The framework does not significantly delay the
process of sharing information, but makes it more secure and preserves privacy within the shared information.
(Lei Chen et al., 2012)
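As an added example that is not part of the cited framework's own implementation, the Go program below shows one way the privacy detection, policy management and anonymization components can fit together for a single outgoing record; the field names, the policy and the generalisation rules are assumptions.

```go
package main

// Added example, not code from Chen, Yang, Wang and Niu: a minimal version of
// the framework's privacy detection, policy management and anonymisation
// components. A sharing policy classifies each field as a direct identifier
// (dropped), a quasi-identifier (generalised) or shareable clinical data;
// detection reports any field the policy does not cover, so an unclassified
// field never leaves the organisation by default. Field names, the policy and
// the sample record are constructed for illustration.

import (
	"errors"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

type Action int

const (
	Drop       Action = iota // direct identifier: never shared
	Generalise               // quasi-identifier: coarsened before sharing
	Pass                     // non-identifying clinical data
)

// Policy maps field names to what the sharing layer must do with them.
type Policy map[string]Action

// Detect returns, sorted, the fields of a record that the policy says nothing about.
func Detect(rec map[string]string, p Policy) []string {
	var unknown []string
	for k := range rec {
		if _, ok := p[k]; !ok {
			unknown = append(unknown, k)
		}
	}
	sort.Strings(unknown)
	return unknown
}

// generalise coarsens the quasi-identifiers this policy knows; anything else is masked.
func generalise(field, v string) string {
	switch field {
	case "age": // exact age -> ten-year band
		if n, err := strconv.Atoi(v); err == nil {
			lo := n / 10 * 10
			return fmt.Sprintf("%d-%d", lo, lo+9)
		}
	case "postcode": // keep only the leading two digits
		if len(v) >= 2 {
			return v[:2] + strings.Repeat("*", len(v)-2)
		}
	case "visit_date": // YYYY-MM-DD -> YYYY-MM
		if len(v) >= 7 {
			return v[:7]
		}
	}
	return "*"
}

// Anonymise applies the policy and refuses to share a record with unclassified fields.
func Anonymise(rec map[string]string, p Policy) (map[string]string, error) {
	if unknown := Detect(rec, p); len(unknown) > 0 {
		return nil, errors.New("privacy detection: unclassified fields " + strings.Join(unknown, ", "))
	}
	out := map[string]string{}
	for k, v := range rec {
		switch p[k] {
		case Drop:
			continue
		case Generalise:
			out[k] = generalise(k, v)
		case Pass:
			out[k] = v
		}
	}
	return out, nil
}
```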

e-Healthcare environments


During the 21st century, the transition of healthcare systems and infrastructure has mainly been moving
towards the kind of system that banking systems are today. Banking systems have been among the first systems
to transform fully into e-banking. This means that the user is able to fully control their data and take actions
through their own device. For example, a user can pay bills or request a loan through a banking application on
a mobile phone. In the healthcare industry the end goal has been similar to the banking sector, so that the
patient would be in control of their own data at any given time and place. It would also become possible to
obtain remote patient assessment or consultation through an e-Healthcare system. (Sahi et al., 2018)
In the healthcare industry the e-Healthcare environment is not as linear as in the banking sector. In the
healthcare sector the data likely needs to be shared across different organizations or healthcare sectors.
Ideally the e-Healthcare environment would work so that the user had continuous access to and control of their
own data through the e-Healthcare environment and would be able to track all actions concerning their own
data. This would increase the privacy and transparency of medical records. This kind of environment would
need to be standardized, so that every third-party system vendor would be obligated to integrate into the
e-Healthcare environment. Given the size and complexity of the system, the architecture should be
comprehensive enough to cover the privacy and security of the system. The system would connect all
healthcare services and records into one application for the user, which must not leave any room for security
vulnerabilities. A key point in providing the described system is that individual protocols are not sufficient for
its security. The patients’ records need to be divided into components based on privacy and access
requirements, so that different sections of data are secured in different layers with different protocols. This
would give the user control over which data is restricted from viewing or writing for different parties, and the
components would be able to use multiple protocols to ensure data safety. (Sahi et al., 2018)
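The following Go program is an added example, not code from Sahi et al., of the componentized record described above: each component carries its own patient-issued grants, grants expire, and every access attempt is recorded in an audit trail the patient can review. Component and party names and the injectable clock are assumptions.

```go
package main

// Added example, not code from Sahi et al.: a patient record split into
// components with different access requirements. The patient grants each party
// read or write access per component for a limited time, every access attempt
// is checked against those grants, and every attempt, allowed or denied, is
// appended to an audit trail. Component and party names are constructed.

import (
	"fmt"
	"time"
)

type Right int

const (
	Read  Right = iota
	Write              // a Write grant also permits Read
)

// Grant is a patient-issued permission for one party on one component.
type Grant struct {
	Party, Component string
	Right            Right
	Expires          time.Time
}

// AuditEntry records one access attempt, whether it was allowed or not.
type AuditEntry struct {
	When             time.Time
	Party, Component string
	Right            Right
	Allowed          bool
}

// Record keeps each component separate so each can be protected on its own terms.
type Record struct {
	Patient    string
	Audit      []AuditEntry
	Clock      func() time.Time // injectable so expiry can be tested deterministically
	components map[string]map[string]string
	grants     []Grant
}

func NewRecord(patient string) *Record {
	return &Record{Patient: patient, Clock: time.Now, components: map[string]map[string]string{}}
}

// Grant is called by the patient (or on their behalf) to open a component to a party.
func (r *Record) Grant(g Grant) { r.grants = append(r.grants, g) }

// check decides the request and always writes an audit entry before answering.
func (r *Record) check(party, component string, right Right) error {
	ok := party == r.Patient // the owner always has access to their own data
	for _, g := range r.grants {
		if g.Party == party && g.Component == component && g.Right >= right && r.Clock().Before(g.Expires) {
			ok = true
		}
	}
	r.Audit = append(r.Audit, AuditEntry{r.Clock(), party, component, right, ok})
	if !ok {
		return fmt.Errorf("%s may not %s component %q", party, []string{"read", "write"}[right], component)
	}
	return nil
}

// Get returns a field of a component if the party may read it.
func (r *Record) Get(party, component, field string) (string, error) {
	if err := r.check(party, component, Read); err != nil {
		return "", err
	}
	return r.components[component][field], nil
}

// Set writes a field of a component if the party may write it.
func (r *Record) Set(party, component, field, value string) error {
	if err := r.check(party, component, Write); err != nil {
		return err
	}
	if r.components[component] == nil {
		r.components[component] = map[string]string{}
	}
	r.components[component][field] = value
	return nil
}
```

Denied attempts are logged as well as allowed ones, which is what lets the patient see who tried to reach a component they never opened.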

Role of “Big Data” in healthcare industry


During the past 20 years, big data has emerged in the healthcare industry. While the systems and
infrastructure have digitalized and grown into large and complex systems, big data has become a standardized
form of data to be stored and shared. According to Komlan, Mireku and Zhang, big data is described as
follows: “Represents the progress of the human cognitive processes, usually includes data sets with sizes
beyond the ability of current technology, method and theory to capture, manage, and process the data within a
tolerable elapsed time.” In the healthcare industry, big data is a concept which creates a need for improved
infrastructure able to process and analyze the mass of data produced in the healthcare process. It is a new
concept of data which is complex, enormously large, and slow to analyze and benefit from. As stated before,
even though healthcare data is highly sensitive and demands extra layers of privacy protection, it can still be
beneficial to share the data between healthcare organizations and actors in order to enhance treatment. The
complexity of the data comes from the purpose of its use and storage with regard to privacy. It is often
forgotten that the owner of the data is the patient themselves. This means that the patient should be consulted
about the usage of their data, but when the data is processed and analyzed as mass data it becomes very
inconvenient to inform every patient of these actions. The other difficulty regarding big data is its efficient
and beneficial use. The two main purposes for the data are to seamlessly transmit the unique healthcare data
from one healthcare actor to another in order to enhance treatment throughout the treatment period, and to
utilize the data anonymously for research and study. (Kupwade Patil and Seshadri, 2014; Mireku and Komlan,
2017)
The benefits of big data could shift the healthcare industry towards a more proactive way of working. In
order to achieve this, the data needs to be analyzed and visualized in a way that lets data analysts and
healthcare professionals leverage the full potential of the data. Modern visualization tools could be used in the
process of analyzing big data. By combining modern visualization and analysis tools, like the attribute
overlapping rate algorithm, point-of-care devices, and many modern data analysis tools such as Python Pandas,
Scikit-Learn and Matplotlib, it is possible to gain the desired benefits from big data efficiently. Computing and
analyzing the data does require a lot of resources, but current technology such as cloud computing or
blockchain technology can potentially satisfy the needs. (Wang and Jones, 2019)

3 Discussion

The presented solutions highlight the multidimensional complexity of the challenges in information sharing,
privacy preservation and the improvement of e-Healthcare environments within the healthcare industry.
These solutions offer perspectives on dealing with the issues of data security, privacy and flexibility when
handling sensitive healthcare data. They are relevant not only for preserving but also for improving and
optimizing the processes of the healthcare industry and enhancing the treatment and experience of the
patient.
The first solution presented is something of a trendsetter for the upcoming improvements in the healthcare
industry. Most of the solutions underline the transfer of data across different parties and express a concern or
opinion regarding the safety and efficiency of the data transmission. The solution presented by Hautamäki and
Kokkonen is a concrete model of how data sharing could be improved, and therefore other solutions that also
concern the safety of the data should be built up around a concrete model such as the one presented. The
model offers the promise of a simplified process of exchanging information while ensuring the safety and
fluency of the processing.
The second solution, presented by Chen, Yang, Wang and Niu, is more of an abstraction of something which
could strengthen a concrete model such as the information sharing model. A comprehensive framework
addressing concerns such as privacy definition, detection and policy management, with the addition of
anonymization techniques, user access control and privacy violation detection, should be standardized across
industries to serve as a universal privacy standard. This kind of framework combined with the actual model
could improve security and privacy even though the data would be streamed through several parties for
different purposes.
The third solution, presenting the e-Healthcare environment, would be a significant step towards a fluently
working system, as the banking systems have shown. The e-Healthcare environment could potentially be the
key factor in bringing the data and its processing closer to the owner of the data, the patient. Within a system
like e-Healthcare, the patient would be in control of the data, but would also be offered the transparency to
see what happens to their data. This way the patient’s privacy rights would be thoroughly safeguarded and
preserved.
In the last presented issue and solution, the role of big data has become remarkably extensive in the
healthcare industry. The concept of big data has shifted the industry into a more data-driven way of working,
which makes it extremely important that the potential of the data can be harnessed for beneficial use to
improve the whole industry. There will always be privacy and security concerns when dealing with a concept
as sensitive as big data in healthcare, but when all of the solutions presented earlier are combined, the
utilization of big data could revolutionize the healthcare industry.

4 Conclusions

As stated at the beginning of chapter two, these difficulties concerning the privacy and security of healthcare
systems, sensitive patient data and healthcare records are not unambiguous and simple problems. There are
many aspects to the topic, and it needs to be inspected thoroughly as a whole. The solution could come from
combining multiple presented solutions. The solutions presented have a lot in common, since all of them
identify the problem in the lifecycle of healthcare data as it is collected, preserved and passed on to the next
actor in the industry. The whole process is seen as incomplete, but at the same time each of the solutions
addresses it from a different aspect. Therefore, the solutions would certainly serve better when supporting
one another. For example, the information sharing model presented by Hautamäki and Kokkonen is very
convenient, but combined with a privacy-preserving framework it could work even more efficiently. In the
same way, the e-Healthcare environment could potentially be part of the solution for big data handling. After
the big data has been analyzed and visualized, the e-Healthcare environment offers a potential platform for
distributing personalized healthcare information.
The solutions presented do not serve as ready solutions but give solid groundwork for future improvements.
Even though there is currently a lot of debate about harnessing AI in many industries, including the healthcare
sector, the fact is that few have even moved their basis to cloud computing yet. This indicates how slowly
changes and improvements are adopted in a massive public industry and infrastructure such as healthcare.
Many modern technical improvements and solutions cost a lot. The public sector can rarely make remarkable
improvements all at once, but rather adopts a few improvements over time.
In conclusion, there is a lot to improve regarding privacy and security in the healthcare industry. In the
current changing world, every action and change should be considered from the security aspect before taking
action. As history has shown, the healthcare industry is at high risk of attacks and breaches, and therefore
improvements should be made with caution.

References

Hautamaki, J., Kokkonen, T., 2020. Model for Cyber Security Information Sharing in Healthcare Sector, in: 2020 International Conference on Electrical, Communication, and Computer Engineering (ICECCE). Presented at the 2020 International Conference on Electrical, Communication, and Computer Engineering (ICECCE), IEEE, Istanbul, Turkey, pp. 1–5. https://doi.org/10.1109/ICECCE49384.2020.9179175
Johnson, C.W., He, Y., 2012. Generic security cases for information system security in healthcare systems, in: 7th IET International Conference on System Safety, Incorporating the Cyber Security Conference 2012. Presented at the 7th IET International Conference on System Safety, incorporating the Cyber Security Conference 2012, Institution of Engineering and Technology, Edinburgh, UK, pp. 21–21. https://doi.org/10.1049/cp.2012.1507
“Jotain osaan tietokoneella tehdä” – Vastaamo-epäilty kertoi kuulustelussa, ettei hallitse ohjelmointia - Kotimaa | HS.fi [WWW Document], n.d. URL https://www.hs.fi/kotimaa/art-2000009944567.html (accessed 4.9.24).
Kortelainen, H., Happonen, A., Hanski, J., 2019. From Asset Provider to Knowledge Company—Transformation in the Digital Era, in: Mathew, J., Lim, C.W., Ma, L., Sands, D., Cholette, M.E., Borghesani, P. (Eds.), Asset Intelligence through Integration and Interoperability and Contemporary Vibration Engineering Technologies, Lecture Notes in Mechanical Engineering. Springer International Publishing, Cham, pp. 333–341. https://doi.org/10.1007/978-3-319-95711-1_33
Kupwade Patil, H., Seshadri, R., 2014. Big Data Security and Privacy Issues in Healthcare, in: 2014 IEEE International Congress on Big Data. Presented at the 2014 IEEE International Congress on Big Data (BigData Congress), IEEE, Anchorage, AK, pp. 762–765. https://doi.org/10.1109/BigData.Congress.2014.112
Lei Chen, Ji-Jiang Yang, Qing Wang, Yu Niu, 2012. A framework for privacy-preserving healthcare data sharing, in: 2012 IEEE 14th International Conference on E-Health Networking, Applications and Services (Healthcom). Presented at the 2012 IEEE 14th International Conference on e-Health Networking, Applications and Services (Healthcom 2012), IEEE, Beijing, China, pp. 341–346. https://doi.org/10.1109/HealthCom.2012.6379433
Mireku, K., Komlan, G., 2017. Patient Knowledge and Data Privacy in Healthcare Records System.
Sahi, M.A., Abbas, H., Saleem, K., Yang, X., Derhab, A., Orgun, M.A., Iqbal, W., Rashid, I., Yaseen, A., 2018. Privacy Preservation in e-Healthcare Environments: State of the Art and Future Directions. IEEE Access 6, 464–478. https://doi.org/10.1109/ACCESS.2017.2767561
Vastaamon entinen IT-työntekijä: “Jos jotain ei tehty kunnolla, niin se oli tietoturva” - MTVuutiset.fi [WWW Document], n.d. URL https://www.mtvuutiset.fi/artikkeli/vastaamon-entinen-it-tyontekija-jos-jotain-ei-tehty-kunnolla-niin-se-oli-tietoturva/8654000 (accessed 4.9.24).
Wang, L., Jones, R., 2019. Big Data, Cybersecurity, and Challenges in Healthcare, in: 2019 SoutheastCon. Presented at the SoutheastCon 2019, IEEE, Huntsville, AL, USA, pp. 1–6. https://doi.org/10.1109/SoutheastCon42311.2019.9020632
Zhang, R., Liu, L., 2010. Security Models and Requirements for Healthcare Application Clouds, in: 2010 IEEE 3rd International Conference on Cloud Computing. Presented at the 2010 IEEE International Conference on Cloud Computing (CLOUD), IEEE, Miami, FL, USA, pp. 268–275. https://doi.org/10.1109/CLOUD.2010.62
