Nothing Special   »   [go: up one dir, main page]

skip to main content
10.1145/1839294.1839331acmotherconferencesArticle/Chapter ViewAbstractPublication PagespetraConference Proceedingsconference-collections
research-article

Threat analysis of online health information system

Published: 23 June 2010 Publication History

Abstract

Electronic health records are increasingly used to enhance availability, recovery, and transfer of health records. Newly developed online health systems such as Google-Health create new security and privacy risks. In this paper, we elucidate a clear threat model for online health information systems. We distinguish between privacy and security threats. In response to these risks, we propose a traitor-tracing solution, which embeds proof to trace an attacker who leaks data from a repository. We argue that the application of traitor-tracing techniques to online health systems can align incentives and decrease risks.

References

[1]
J. Argyrakis, S. Gritzalis, and C. Kioulafas, "Privacy enhancing technologies: a review," pp. 282--287, 2004.
[2]
A. Becker. A. Arnah, and M. Semi, "Assessing privacy criteria for drm using eu privacy legislation," in Proc. of the 8th ACM workshop on DRM, pp. 77--86, 2008.
[3]
E. Diehl, "A Four-Layer model for security of digital rights management," in Proc. of the 8th ACM workshop on DRM, pp. 19--28, 2008.
[4]
S. Kenny, and L. Korba,"Applying digital rights management systems to privacy rights management," Computer and security, vol. 21, no. 7, pp. 648--664, 2002.
[5]
A. Cooper and A. Martin." Towards an open, trusted digital rights management platform," in Proc. of the ACM workshop on DRM, pp 79--88, 2006.
[6]
B. Chor, A. Fait, and M. Naor, "Traitor-tracing," in Proc. of Crypto 94, pp. 257--270, 1994.
[7]
A. Fiat and T. Tassa, "Dynamic traitor-tracing," J. of Cryptology, vol. 14, pp. 211--223, 2001.
[8]
J M. Noar and B. Pin kas, "Threshold traitor-tracing," in Proc. of the 18th Annual int. cryptology on advances in cryptology, pp. 502--517, 1998.
[9]
R. Safavi-Naini and Y. wing, "Sequential traitor-tracing," in Proc. of the 20th annual int. cryptology on advances in cryptalogy, pp. 316--332, 2003.
[10]
E. Young Choi, J. Ycon Hwang and D. Moon Lee, "An anonymous asymmetric public key traitor-tracing scheme," E-Commerce and Web technologies, pp. 104--114, 2003.
[11]
E. Magkos, P. Kotzanikolaou, and V. Chrissikopoulos, "An asymmetric traceability scheme for copyright protection without trust assumptions," in Proc. of the 2end int. Conf. on Electronic Commerce and Web Technologies, pp. 186- I 95. 2001.
[12]
C. Dwork, J. Lotspiech. and M. Naor. "Digital signets: self-enforcing protection of digital information," The 28 annual ACM symp. on theory of computing, pp. 489--498, 1996.
[13]
H. Komaki, Y. Watanabe, G. Hanaoka, and H. mai, "Efficient asymmetric self-enforcement scheme with public traceability," LNCS public key cryptography, pp. 225--239, 2000.
[14]
M. H. Johnson, "Data hemorrhages in the health-cart sector," forth coming in financial cryptography and data security, 2009.
[15]
HIPAA of 1996, Public Law 104--191, 104th Congress.
[16]
O. Gostin, "National health information privacy, regulations under the health insurance portability trod acccaintithility act," J. of the American medical association, vol. 285, no. 23. pp. 3015--3621, 2001.
[17]
S. Hoffman and A. Podgurski, "In sickness, health, and cyberspace: protecting the security of electronic private health information," Case legal studies research paper, pp. 06--15, 2006.
[18]
R. Krishna, K. Kelleher, and E Stahl berg, "Health policy and ethics: patient confidentiality in the research use of clinical medical databases," American J. of public health, vol 97, no. 4, 2007.
[19]
O. Ateniese, R. Curtmola, B. Medeiros, and D. Davis, "Medical information privacy assurance: cryptographic and system aspects," Lecture note in security in communication network, pp. 199--218, 2003.
[20]
E. Bertino, B. C. Ooi, Y. Yang, and R. H. Deng. "Privacy and ownership preserving of out-sourced medical data," in Proc. of 21st int. data engineering, pp. 521--532, 2005.
[21]
I. Sweeney, "Computational disclosure control for medical microdata: The datally system," in record linkage techniques workshop, National Academy Press, pp. 442--453, 1999.
[22]
R. Wash and J. Mackie-Mason, "Incentive-centered design for information security," DIMAC workshop on information security economics, 2007.
[23]
R. Anderson, F. Bozek, T. Longstaff, W. Meitzler, M. Skroch, and K. V. Wyk, "Research on Mitigating the Insider Threat to Information Systems," 2000.
[24]
T. Moore and R. Clayton, "The impact of incentives on notice and take-down," 7th Workshop on economics of information security, pp. 25--28, 2008.
[25]
B. Kobayashi, "Private versus social incentives in cybersecurity," pp 13--28.
[26]
A. Acquisti and I. Grossklags, "Losses, gains, and hyperbolic discounting: an experimental approach to information security attitudes and behaviors," Second workshop on the economics of information security, 2003.
[27]
J. Grossklags and A. Acquisti, "When 25 cents is too much: an experiment on willingness-to-sell and willingness-to-protect personal information," 6th workshop on economics of information security, 2007.
[28]
S. Romanosky, R. Telang, and A. Acquisti, "Do data breach disclosure laws reduce identity theft?," Economics of information security, 2008.
[29]
D. K. Mulligan, "Information disclosure as a light-weight regulatory mechanism," DIMACS workshop on information security economics, 2007.
[30]
L. A. Gordon, "An economics perspective on the sharing of information related to security breaches: concepts and empirical evidence," workshop on the economics of information security, 2002.
[31]
E. Gal and A. Ghose, "The economic consequences of sharing security information," Economics of Information Security, pp. 95--104, 2006.
[32]
J. P. Choi, C. Fershiman, and N. Gandal, "Network security: vulnerabilities and disclosure policy," Economics of information security, 2007.
[33]
A. Arora, C. M. Forman, A. Nandkumar and R. Telang, "Competitive and strategic effects in the timing of patch release," 5th workshop on the economics of information security, 2006.
[34]
B. A. Huberman. E. Mar, and L. R. Fine, "Valuating privacy," 4th workshop on the economics of information security, 2005
[35]
H. Varian, F. Wallenberg, and G. Woroch, "Who signed up for the do-not-call list?," 3rd workshop on the economics of information security, 2004.
[36]
R. Bohme and S. Kohlc, "On the viability of privacy-enhancing technologies in a self- regulated business-to-consumer market: will privacy remain a luxury good?," 6th workshop on economics of information security, 2007.
[37]
B. Edelman, "Adverse selection in online trust certifications," 5th workshop on the economics of information security, 2006.
[38]
J. H. Saltier and M. D. Schroeder, "The protection of information in computer systems," in Proc. of the IEEE. vol. 63, no. 9, pp. 1278--1308, Sept 1975.
[39]
B. Hsieh, H. Sun. and T. Hwang. "On the security of some password authentication protocols:' J. of informatica. no 2, pp. 195--204, 2003.
[40]
A. Kitiyias and M. Yung, "Breaking and repairing asymmetric public-key traitor-tracing," LNCS digital rights management, pp. 32--50, 2003.
[41]
D. Boneh, G. Crescenzo, R. Ostrovsky, and G. Persiano, "Public Key Encryption with Keyword Search," Advances in Cryptology, pp. 506--522, 2004.
[42]
J. Brassil, S. Low, N. Maxemchuk, and L. O'Gorman, "Electronic marking and identification techniques to discourage document copying," in Proc. of IEEE INFOCOM, 1994, 3, pp. 1278--1287.
[43]
J. Brassil, S. Low, N. Maxemchuk, and L. O'Gorman, "Hiding information in document images," in Proc. of the 29th Annual Conference on Information Sciences and Systems, 1995, pp. 482--489.

Cited By

View all
  • (2022)Cloud computing approaches in health careMaterials Today: Proceedings10.1016/j.matpr.2021.07.21051(1217-1223)Online publication date: 2022
  • (2019)Business continuity-inspired fuzzy risk assessment framework for hospital information systemsEnterprise Information Systems10.1080/17517575.2019.168665714:7(1027-1060)Online publication date: 13-Nov-2019
  • (2019)Requirements elicitation for secure and interoperable cross-border health data exchange: the KONFIDO studyIET Software10.1049/iet-sen.2018.5292Online publication date: 1-Feb-2019
  • Show More Cited By

Recommendations

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Other conferences
PETRA '10: Proceedings of the 3rd International Conference on PErvasive Technologies Related to Assistive Environments
June 2010
452 pages
ISBN:9781450300711
DOI:10.1145/1839294
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 23 June 2010

Permissions

Request permissions for this article.

Check for updates

Author Tags

  1. information health systems
  2. legal aspects
  3. privacy
  4. traitor-tracing schemes

Qualifiers

  • Research-article

Conference

PETRA '10

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)3
  • Downloads (Last 6 weeks)0
Reflects downloads up to 22 Dec 2024

Other Metrics

Citations

Cited By

View all
  • (2022)Cloud computing approaches in health careMaterials Today: Proceedings10.1016/j.matpr.2021.07.21051(1217-1223)Online publication date: 2022
  • (2019)Business continuity-inspired fuzzy risk assessment framework for hospital information systemsEnterprise Information Systems10.1080/17517575.2019.168665714:7(1027-1060)Online publication date: 13-Nov-2019
  • (2019)Requirements elicitation for secure and interoperable cross-border health data exchange: the KONFIDO studyIET Software10.1049/iet-sen.2018.5292Online publication date: 1-Feb-2019
  • (2018)Comprehensive user requirements engineering methodology for secure and interoperable health data exchangeBMC Medical Informatics and Decision Making10.1186/s12911-018-0664-018:1Online publication date: 16-Oct-2018
  • (2018)Removing Software Vulnerabilities During Design2018 IEEE 42nd Annual Computer Software and Applications Conference (COMPSAC)10.1109/COMPSAC.2018.10284(504-509)Online publication date: Jul-2018
  • (2017)Model for reducing risks to private or sensitive dataProceedings of the 9th International Workshop on Modelling in Software Engineering10.5555/3104068.3104076(19-25)Online publication date: 20-May-2017
  • (2017)Model for Reducing Risks to Private or Sensitive Data2017 IEEE/ACM 9th International Workshop on Modelling in Software Engineering (MiSE)10.1109/MiSE.2017.6(19-25)Online publication date: May-2017
  • (2014)Combating Abuse of Health Data in the Age of eHealth ExchangeProceedings of the 2014 IEEE International Conference on Healthcare Informatics10.1109/ICHI.2014.22(109-118)Online publication date: 15-Sep-2014

View Options

Login options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Media

Figures

Other

Tables

Share

Share

Share this Publication link

Share on social media