Abstract – Health informatics has been reported to be a vital sector for the last decade. Many efforts have been implemented to better utilize advancements in health informatics in real life. Educational institutions have worked hard to enhance their programs to develop or incorporate health informatics. However, in Palestine, this field is not widely deployed in health care delivery institutions or in educational institutions. One key element of health informatics is electronic health records, for which privacy and security are very important factors. The paper proposes a case-based learning method for teaching privacy and security issues to Information Technology students. The paper proposes the use of mini case studies instead of a single case study; each of the mini case studies concentrates on a set of learning outcomes. Hence, these mini case studies will enable us to better fulfill learning outcomes. The paper first describes the selected mini case studies for privacy and security issues in health informatics; then it details the development of a complete case study called applying data security techniques over sensitive Drug management/traceability data, which enables students to gain essential skills to protect the privacy of patients and security of drug data. These case studies will be evaluated once they are implemented and results will be reported after that.

Index Terms – Privacy, Security, Health Informatics.

1. INTRODUCTION

Health Informatics (sometimes called healthcare informatics or medical informatics) includes a set of methodologies used for data (data, information, and knowledge) management in the healthcare sector [1][2]. Health informatics relies on the use of health records and managing them using technology. The management includes processing a health record, storing it, and sending it over a network; each of these is considered to be a state of the health record. Electronic Health Records (EHRs) improve the quality of health care services while reducing their cost. They also enhance user mobility and make the health care system more reliable [3].

Like any other critical information system, EHRs convey very sensitive data about both patients and users of the systems. The transition from a paper-based model to an electronic health record model in health informatics raised many challenges, including privacy and security [4]. According to [5], addressing privacy issues in electronic health records is critical to clinical care, public health, and health research. Privacy breaches of electronic health records have economic, social, ethical, and legal implications and consequences [6][7].

This paper presents a case-study based model to teach addressing privacy issues in health care institutions, and how to follow standard guidelines (in this case, the ISO TS_25237 privacy standard for health records) to protect the privacy of affected persons in health care institutions (in this case, a diabetes healthcare delivery centre).

The rest of the paper is organized as follows: a background is provided in section 2. Section 3 describes case study development. A discussion is provided in section 4 and the paper is concluded in section 5.
However, teaching privacy and security and their specific technical concepts for health informatics can be challenging, and these concepts may not be easily comprehended and applied in complex health environments by interdisciplinary-degree students using traditional teaching and learning techniques. Thus, to teach privacy and security for health informatics effectively in IT and health courses or curricula, case studies designed at a suitable level must be coherently integrated at appropriate teaching points that enable students to digest and practice complex concepts. In this work, we propose the use of several mini case studies, as opposed to fewer large case studies, to be carried out by IT students in the course of security and privacy for health informatics. The inclusion of several (in this case four) short mini case studies would help achieve the learning outcomes of the above noted subtopics more effectively.

3. CASE STUDY DEVELOPMENT

As mentioned in section 2, four case studies were developed to enrich students’ knowledge and enhance their skills with the aim of achieving the objectives of the selected topic. The following subsections detail the mini case studies approach and fully describe the development of one of the four case studies, called the Drug management/traceability data.

3.1. OVERVIEW OF THE CASE STUDIES

To best achieve the goals of the topic, four case studies are introduced to students. Each case study is provided within the subtopics after acquiring the required knowledge necessary to carry out the case study. These case studies are briefly described below:

Diabetes case study

ISO-TS_25237-2008 is a standard for privacy preservation in health informatics [8]. The standard addresses principles and requirements for privacy protection of electronic health records using pseudonymization. Following such a standard is a must for institutions to protect the privacy of their customers. It is worth mentioning that health data contain very sensitive information about patients and thus must be protected accordingly. The case study aims to answer the following questions:
1. Are Diabetes Healthcare centres required to protect patients’ privacy?
2. Do they deploy ISO-TS_25237-2008 or any similar standard?
3. If the previous answer is No, are they planning to implement such a standard?

ISO 27799:2016 specifies detailed controls for managing health informatics security and best practice guidelines [10]. It specifies which data are to be protected and shows how and of what an Information Security Management System (ISMS) should be composed. Besides, it addresses the steps of establishing, operating, maintaining and improving the ISMS. The case study aims to answer the following questions:
1. Are Colorectal cancer treatment Healthcare centres required to employ data security?
2. Do they deploy ISO 27799:2016 or any similar standard?
3. If the previous answer is No, are they planning to implement such a standard?

Drug management/traceability case study

Drug management/traceability data conveys very sensitive data that might invade the privacy of related entities. Such data should be well secured to protect the privacy of related entities. Due to the sensitivity of the data and its huge influence on corresponding patients, the drug management and traceability system must be highly secured to maintain the proper function of the drug delivery system and the trust of the people in that system. The case study aims to answer the following questions:
1. Are drug management centres/pharmacies required to employ data security?
2. Do they deploy policies and techniques according to standards?
3. If the previous answer is No, are they planning to implement a security standard?

Healthcare delivery case study

Healthcare delivery systems gather data about healthcare services. This data contains very sensitive information about patients and other healthcare delivery users. On the other hand, this data might be very useful for research purposes, which might lead to a significant contribution to human wellness. The case study aims to answer the following questions:
1. How can we measure the privacy level of a dataset?
2. Once we decide to use k-anonymity, how do we apply k-anonymity over the dataset?
3. In case we need to apply l-diversity over the data, what steps should be taken?
4. Which privacy metric should we use, k-anonymity or l-diversity?

3.2. DESIGN AND DEVELOPMENT OF DRUG MANAGEMENT CASE STUDY

This subsection details the design and development of one of the four mini case studies called Drug
management/traceability data. The development includes a scenario, the duty of the team, status report, and case study problems:

3.2.1. SCENARIO

A drug dispensing company with only one dispensing centre, called PharmaWorld, is willing to establish centres in all Palestinian cities. They want all these centres to work together for the benefit of PharmaWorld. All centres in cities must work in accordance with the regulation of the centralized centre. To avoid any conflicts in establishing new centres, PharmaWorld would first make sure that the central centre meets the requirements of drug dispensing centres, including the regulation of drug management and traceability. They use an electronic system to manage drugs in their centres. The system traces the amounts of drugs in the store and some other data related to the drugs.

PharmaWorld received a generalization letter from authorities indicating that dispensing centres should also keep track of the owner of the drug after dispensing. This requires that PharmaWorld collect information about clients and the drugs they buy and store the data in their system.

PharmaWorld knows that collecting such data might have privacy issues for their customers, hence they planned to design a secure and privacy-preserving system to handle all these issues. Therefore, they referred to an academic institution (in this case, Hebron University) for consultation purposes. Hebron University established a team from the IT department who are experts in security. The architecture of their company is shown in Fig 1.

FIGURE 1
STRUCTURE OF PHARMAWORLD WITH DISTRIBUTED BRANCHES
[Diagram: one PharmaWorld Central Branch and four PharmaWorld Branches]

The scenario above is discussed with students and they are now ready to have their duties.

3.2.2. DUTY OF THE TEAM

After discussing the scenario with students, they are ready to understand what their duties are for this case study; these are listed below. It is worth mentioning here that students are familiar with the ISO 27799:2016 standard, as it is introduced in one of their lectures, and extra details are left to students to study and understand related aspects of the standard on their own:
1. Study the security situation at the PharmaWorld centre.
2. Analyse to what extent they apply security and privacy-preserving techniques.
3. Study the ability to deploy a better security architecture according to (1).
4. Report their findings in a formal technical report.
5. The duties in this case study help to achieve the course objectives, specifically objectives 2, 3, and 8 listed in Section 1.

To achieve that, students will be asked to conduct one or more visits to a drug management store (PharmaWorld) to gather the following information:
1. Are employees aware of security issues related to drug management data?
2. Does PharmaWorld have policies regarding the security of data?
3. Does PharmaWorld apply security techniques to preserve data security?
4. Does PharmaWorld follow a security standard?
5. Are they willing to apply better security techniques?
6. What problems might arise when applying security techniques at PharmaWorld?

Based on the answers to the above-mentioned questions, a complete, factual view of security at PharmaWorld will be described. The challenges of applying/enhancing security techniques can then be addressed.

3.2.3. CASE STUDY PROBLEM:

Based on their visit(s) to the drug management centre and the information students gathered by interviews and observation, and after reading and understanding the scenario of our case study, students have to address the following points:
1) Whether they found any security flaw in the workflow of the PharmaWorld centre.
2) If a security flaw was found, show how you can mitigate this flaw by following the guidelines provided in ISO 27799:2016 and ISO TS_25237. (Students may not apply the standard, just provide general guidelines on how to mitigate the problem.)

3.2.4. STATUS REPORT

Based on the above, and following a decision-making process, a solution based on the challenges and findings may
be proposed for PharmaWorld by students, drawn from ISO 27799:2016 [10] and ISO-TS_25237-2008 [9].

Options might include:
• Enhance some security techniques on part of sensitive data
• Apply some security techniques on part of sensitive data
• Completely apply a new secure drug management system

The preferred solution would depend on the privacy and security findings of PharmaWorld made by students, and on the common way and procedures used in drug dispensing companies in Palestine. Students may propose a complete re-engineering process for all assets and procedures in the drug management centre where security is considered relevant in each procedure.

4. DISCUSSION

According to our literature survey, it was obvious that health informatics course development requires sharing responsibilities among different stakeholders of the domain as well as conducting specialized training for all participants in the field.

Having this in mind, and being aware of the importance of security and privacy in the health sector, as well as taking the healthcare situation in general into account, the proposed approach of using mini case studies to teach the topics of privacy and security issues in health informatics would provide a more effective teaching approach for students to comprehend difficult concepts of both privacy and security in complex health environments. This approach will also be easier to implement and integrate at different teaching points within a course.

The design of several mini case studies aimed to better prepare the IT student for the best practices of privacy and security in the health sector. Through several mini or short case studies, students will develop sufficient awareness of challenges and related issues in the health sector and will be able to tackle these problems, especially in privacy and security.

Employing more complex case studies may generate several issues, especially in implementation, particularly in immature health environments where health informatics is less developed, e.g. Palestine, where learners may not be able to realise or perform sophisticated case studies.

5. CONCLUSION AND FUTURE WORK

training that should be done on different levels of health informatics system usage and roles of the participants. Universities, as part of the stakeholders, are required to develop their curricula and prepare their students (health and IT students) well to better use and develop health informatics tools. In this work, the process of designing case studies as part of the topic called privacy and security issues in health informatics has been proposed. A detailed case study named Drug management/traceability data was presented that aims to provide the student with practical skills required to secure the data and strengthen the privacy of related persons.

As future work, the implementation of case studies will consider additional issues including roles of students and evaluation criteria. In addition, challenges that students may face while conducting the case study, and how to avoid them at larger scale, will be considered. Feedback from students and health institutions must also be addressed.

ACKNOWLEDGMENT

This study, part of the HiCure project, has been funded with support from the European Commission. This paper reflects the views only of the authors, and the Commission cannot be held responsible for any use which may be made of the information contained therein. The authors would like to thank the HiCure members who contributed to this study.

REFERENCES

[1] Shortliffe EH, Cimino JJ: Biomedical informatics: computer applications in health care and biomedicine. 2006, New York, NY: Springer, 3

[2] Collen MF: The origins of informatics. J Am Med Inform Assoc. 1994, 1: 91-107.

[3] Kumar, M. & Wambugu, S. (2015). A primer on the security, privacy, and confidentiality of electronic health records. Chapel Hill, NC: MEASURE Evaluation, University of North Carolina.

[4] Fernandez-Aleman, J. L., Senor, I. C., Lozoya, P. A., and Toval, A. 2013. “Security and Privacy in Electronic Health Records: A Systematic Literature Review.” Journal of Biomedical Informatics, 46(3), 541-562.

[5] Harman, L. B., Flite, C. A., and Bond, K. 2012. “Electronic Health Records: Privacy, Confidentiality, and Security.” The Virtual Mentor: VM, 14(9), 712-719.

[6] Zou, X., Liu, P., and Chen, J. Y. 2011. “New Threats to Health Data Privacy.” BMC Bioinformatics, 12 Suppl 12, S7-2105-12-S12-S7.

[7] Baker, Dixie B. 2010. “Privacy and Security in Public Health: Maintaining the Delicate Balance between Personal Privacy and Population Safety.” Chicago, IL: Healthcare Information and Management Systems Society (HIMSS). Available at: http://www.himss.org/ResourceLibrary/ResourceDetail.aspx?ItemNumber=7506

[8] Iron Mountain. n.d. “Electronic Health Records Security and Privacy Concerns.” Available at: http://www.ironmountain.com/Knowledge-Center/
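
For the Healthcare delivery case study in Section 3.1, which asks how to measure the privacy level of a dataset and whether to use k-anonymity or l-diversity, the following Python code is an added example and is not part of the paper. The records, field names and choice of quasi-identifiers are constructed assumptions; l is computed as distinct l-diversity, and k-anonymity is reached by suppression only.

```python
from collections import defaultdict

# Constructed sample records (no real patient data). Age band, region and sex
# are assumed quasi-identifiers; "diagnosis" is the sensitive attribute.
RECORDS = [
    {"age": "30-39", "region": "North", "sex": "F", "diagnosis": "diabetes"},
    {"age": "30-39", "region": "North", "sex": "F", "diagnosis": "diabetes"},
    {"age": "40-49", "region": "North", "sex": "M", "diagnosis": "asthma"},
    {"age": "40-49", "region": "North", "sex": "M", "diagnosis": "hypertension"},
    {"age": "40-49", "region": "North", "sex": "M", "diagnosis": "diabetes"},
    {"age": "50-59", "region": "South", "sex": "F", "diagnosis": "asthma"},
]
QUASI_IDENTIFIERS = ("age", "region", "sex")
SENSITIVE = "diagnosis"

def equivalence_classes(records, quasi_ids):
    """Group records that share the same quasi-identifier values."""
    classes = defaultdict(list)
    for rec in records:
        classes[tuple(rec[q] for q in quasi_ids)].append(rec)
    return dict(classes)

def k_anonymity(records, quasi_ids):
    """k is the size of the smallest equivalence class (0 if no records)."""
    classes = equivalence_classes(records, quasi_ids)
    return min((len(c) for c in classes.values()), default=0)

def l_diversity(records, quasi_ids, sensitive):
    """Distinct l-diversity: fewest distinct sensitive values in any class."""
    classes = equivalence_classes(records, quasi_ids)
    return min((len({r[sensitive] for r in c}) for c in classes.values()),
               default=0)

def suppress_small_classes(records, quasi_ids, k):
    """Reach k-anonymity by dropping every record in a class smaller than k."""
    classes = equivalence_classes(records, quasi_ids)
    return [r for c in classes.values() if len(c) >= k for r in c]

def report(records):
    """Both metrics for one release candidate."""
    return {"k": k_anonymity(records, QUASI_IDENTIFIERS),
            "l": l_diversity(records, QUASI_IDENTIFIERS, SENSITIVE)}

if __name__ == "__main__":
    print("raw:", report(RECORDS))
    released = suppress_small_classes(RECORDS, QUASI_IDENTIFIERS, k=2)
    print("after suppression to k=2:", report(released))
```

After suppression the release is 2-anonymous, yet l stays at 1 because both records in the first class share one diagnosis, so membership in that class reveals the sensitive value. This is the gap between the two metrics that question 4 of the case study asks students to weigh.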