Discuss the approach taken by a published paper related to Big Data Security and/or Privacy – Summarize the approaches in the paper : Discuss the Pros and Cons of the papers discussed in se

ScienceDirect

Available online at www.sciencedirect.com

Procedia Computer Science 113 (2017) 73–80

1877-0509 © 2017 The Authors. Published by Elsevier B.V. Peer-review under responsibility of the Conference Program Chairs. 10.1016/j.procs.2017.08.292

10.1016/j.procs.2017.08.292

© 2017 The Authors. Published by Elsevier B.V. Peer-review under responsibility of the Conference Program Chairs.

1877-0509

Available online at www.sciencedirect.com

ScienceDirect Procedia Computer Science 00 (2017) 000–000

www.elsevier.com/locate/procedia

1877-0509 © 2017 The Authors. Published by Elsevier B.V. Peer-review under responsibility of the Conference Program Chairs.

The 8th International Conference on Emerging Ubiquitous Systems and Pervasive Networks (EUSPN 2017)

Big data security and privacy in healthcare: A Review

Karim ABOUELMEHDIa 1, Abderrahim BENI-HSSANEa, Hayat KHALOUFIa, Mostafa SAADIb

aDepartment of computer science Laboratory LAMAPI and LAROSERI Chouaib doukali University El Jadida Morocco

bEcole Nationale des Sciences Appliquée(ENSA) de Khouribga laboratry IPOSI Université Hassan 1er – Settat, Morocco

Abstract

The ever-increasing integration of highly diverse enabled data generating technologies in medical, biomedical and healthcare fields and the growing availability of data at the central location that can be used in need of any organization from pharmaceutical manufacturers to health insurance companies to hospitals have primarily make healthcare organizations and all its sub-sectors in face of a flood of big data as never before experienced. While this data is being hailed as the key to improving health outcomes, gain valuable insights and lowering costs, the security and privacy issues are so overwhelming that healthcare industry is unable to take full advantage of it with its current resources. Managing and harnessing the analytical power of big data, however, is vital to the success of all healthcare organizations. It is in this context that this paper aims to present the state- of-the-art security and privacy issues in big data as applied to healthcare industry and discuss some available data privacy, data security, users' accessing mechanisms and strategies.

© 2017 The Authors. Published by Elsevier B.V.

Peer-review under responsibility of the Conference Program Chairs.

Keywords: Big Data, Privacy and security , Big data in healthcare , privacy preserving

1Corresponding author [email protected]

Available online at www.sciencedirect.com

ScienceDirect Procedia Computer Science 00 (2017) 000–000

www.elsevier.com/locate/procedia

1877-0509 © 2017 The Authors. Published by Elsevier B.V. Peer-review under responsibility of the Conference Program Chairs.

The 8th International Conference on Emerging Ubiquitous Systems and Pervasive Networks (EUSPN 2017)

Big data security and privacy in healthcare: A Review

Karim ABOUELMEHDIa 1, Abderrahim BENI-HSSANEa, Hayat KHALOUFIa, Mostafa SAADIb

aDepartment of computer science Laboratory LAMAPI and LAROSERI Chouaib doukali University El Jadida Morocco

bEcole Nationale des Sciences Appliquée(ENSA) de Khouribga laboratry IPOSI Université Hassan 1er – Settat, Morocco

Abstract

The ever-increasing integration of highly diverse enabled data generating technologies in medical, biomedical and healthcare fields and the growing availability of data at the central location that can be used in need of any organization from pharmaceutical manufacturers to health insurance companies to hospitals have primarily make healthcare organizations and all its sub-sectors in face of a flood of big data as never before experienced. While this data is being hailed as the key to improving health outcomes, gain valuable insights and lowering costs, the security and privacy issues are so overwhelming that healthcare industry is unable to take full advantage of it with its current resources. Managing and harnessing the analytical power of big data, however, is vital to the success of all healthcare organizations. It is in this context that this paper aims to present the state- of-the-art security and privacy issues in big data as applied to healthcare industry and discuss some available data privacy, data security, users' accessing mechanisms and strategies.

© 2017 The Authors. Published by Elsevier B.V.

Peer-review under responsibility of the Conference Program Chairs.

Keywords: Big Data, Privacy and security , Big data in healthcare , privacy preserving

1Corresponding author [email protected]

74 Karim Abouelmehdi et al. / Procedia Computer Science 113 (2017) 73–80 ABOUELMEHDI KARIM/ Procedia Computer Science 00 (2015) 000–000 2

1. Introduction

The current trend toward digitizing healthcare workflows and moving to electronic patient records has seen a paradigm shift in the healthcare industry. The quantity of clinical data that are available electronically will be then dramatically increased in terms of complexity, diversity and timeliness, resulting what is known as big data. Driven by mandatory requirements and the potential to improve care, save lives and lower costs, big data hold the promise of supporting a wide range of unprecedented opportunities and use cases, including these key examples: clinical decision support, health insurance, disease surveillance, population health management, adverse events monitoring, and treatment optimization for diseases affecting multiple organ systems1,2

Even though the adoption of big data technologies in healthcare sector carries many benefits and promises, it raises also some barriers and challenges. Indeed, the concerns over the sensitive information security and privacy are increased year by year because of several growing trends in healthcare, such as clinician mobility and wireless networking, health information exchange, cloud computing and so on. Moreover, healthcare organizations found that a reactive, bottom-up, technology-centric approach to determining security and privacy requirements is not adequate to protect the organization and its patients 3.

To prevent breaches of sensitive information and other types of security incidents, a proactive, preventive approach and measures must be taken by every healthcare organization with attention to future security and privacy needs.

In this paper, we will discuss some successful and interesting related works. We will also present risks to the security of health data and discuss some newer technologies and redressal of these risks using new techniques. Then, we will focus on the privacy issue in healthcare, and mention various laws and regulations established by different regulatory bodies as well as some feasible methods and techniques used to ensure the patient’s privacy. Finally, we will present some limitations of the proposed techniques and approaches to deal with security and privacy risks before concluding the paper and highlighting the future work that we plan to carry on.

2. Related works

Seamless integration of highly diverse big data technologies in healthcare can facilitate faster and safer throughput of patients, enable to gain deeper insights into the clinical and organizational processes, create greater efficiencies and help improve patient flow, safety, quality of care and the overall patient experience meanwhile contain costs.

Such was the case with the UNC Health Care (UNCHC), which is a not-for-profit integrated healthcare system in North Carolina that has implemented a new system allowing clinicians to rapidly access and analyze unstructured patient data using natural-language processing. In fact, UNCHC has accessed and analyzed huge quantities of unstructured content contained in patient medical records to extract insights and predictors of readmission risk for timely intervention and providing safer care for high-risk patients and reduce re-admissions. 4

An other example in United States is the Indiana Health Information Exchange, which is a non-profit organization, provides a secure and robust technology network of health information linking more than 90 hospitals, community health clinics, rehabilitation centers and other healthcare providers in Indiana. It allows medical information to follow the patient hosted in one doctor office or only in a hospital system. 5

One more example, is Kaiser Permanente medical network based in California, which has more than 9 million members, estimated to manage large volumes of data ranging from 26,5 Petabytes to 44 Petabytes. 6

Big data analytics is used also in Canada, e.g. the infant hospital of Toronto. This hospital succeeded to improve the outcomes for newborns prone to serious hospital infections.

In Europe this time, exactly in Italy, the Italian Medicines agency collects and analyzes a large amount of clinical data concerning expensive new medicines as part of a national profitability program. Based on the results, it may reassess the medicines prices and market access terms. 7

After Europe, Canada, Australia, Russia, and Latin America, Sophia Genetics 8, global leader in Data-Driven Medicine,announced at the recent 2017 Annual Meeting of the American College of Medical Genetics and Genomics (ACMG) that its artificial intelligence has been adopted by African hospitals to advance patient care across the continent.

In Morocco for instance, PharmaProcess in Casablanca, ImmCell, The Al Azhar Oncology Center and The Riad Biology Center in Rabat are some medical institutions at the forefront of innovation that have started integrating Sophia to speed and analyze genomic data to identify disease-causing mutations in patients’ genomic profiles, and decide on the most effective care. As new users of SOPHiA, they become part of a larger network of 260 hospitals in 46 countries

Karim Abouelmehdi et al. / Procedia Computer Science 113 (2017) 73–80 75 ABOUELMEHDI KARIM/ Procedia Computer Science 00 (2015) 000–000 3

that share clinical insights across patient cases and patient populations, which feeds a knowledge-base of biomedical findings to accelerate diagnostics and care 9.

While the automations have lead to improved patient care workflow and reduced costs, it is also rising healthcare data to increased probability of security and privacy breaches. In 2016, CynergisTek has released the Redspin’s 7th annual Breach Report: Protected Health Information (PHI)10 in which it has reported that hacking attacks on healthcare providers was increased 320% in 2016, and that 81% of records breached in 2016 resulted from hacking attacks specifically. Additionally, ransomware, defined as a type of malware that encrypts data and holds it hostage until a ransom demand is met, has identified as the most prominent Threat to Hospitals.

These findings point to a pressing need for providers to take a much more proactive and comprehensive approach to protecting their information assets and combating the growing threat that cyber attacks present to healthcare.

3. Big data security in healthcare

Healthcare organizations store, maintain and transmit huge amounts of data to support the delivery of efficient and proper care. Nevertheless, securing these data has been a daunting requirement for decades. Complicating matters, the healthcare industry continues to be one of the most susceptible to publicly disclosed data breaches. In fact, attackers can use data mining methods and procedures to find out sensitive data and release it to public and thus data breach happens. While implementing security measures remains a complex process, the stakes are continually raised as the ways to defeat security controls become more sophisticated. As a result, it is crucial that organizations implement healthcare data security solutions that will protect important assets while also satisfying healthcare compliance mandates. Technologies in use Various technologies are in use for protecting the security and privacy of healthcare data. Most widely used technologies are: 1) Authentication: Authentication is the act of establishing or confirming claims made by or about the subject are true and authentic. It serves a vital function within any organization: securing access to corporate networks, protecting the identities of users, and ensuring that a user is who he claims to be. Most cryptographic protocols include some form of endpoint authentication specifically to prevent man-in-the-middle (MITM) attacks. For instance,11 Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide security for communications over networks such as the Internet. TLS and SSL encrypt the segments of network connections at the Transport Layer end-to-end. Several versions of the protocols are in widespread use in applications like web browsing, electronic mail, Internet faxing, instant messaging and voice- over-IP (VoIP). One can use SSL or TLS to authenticate the server using a mutually trusted certification authority. Additionally, Bull Eye algorithm can be used for monitoring all sensitive information in 360° . This algorithm has been used to make sure data security and manage relations between original data and replicated data. It is also allowed only authorized person to read or write critical data. Paper 24 proposes a novel and a simple authentication model using one time pad algorithm. It provides removing the communication of passwords between the servers. In a healthcare system, both healthcare information offered by providers and identities of consumers should be verified at the entry of every access. 2) Encryption: Data encryption is an efficient means of preventing unauthorized access of sensitive data. Its solutions protect and maintain ownership of data throughout its lifecycle — from the data center to the endpoint (including mobile devices used by physicians, clinicians, and administrators) and into the cloud. Encryption is useful to avoid exposure to breaches such as packet sniffing and theft of storage devices. Healthcare organizations or providers must ensure that encryption scheme is efficient, easy to use by both patients and healthcare professionals, and easily extensible to include new electronic health records. Furthermore, the number of keys hold by each party should be minimized. Although various encryption algorithms have been developed and deployed relatively well (RSA, Rijndael, AES and RC6 20, 22, 23 , DES, 3DES,RC4 21, IDEA, Blowfish …), the proper selection of suitable encryption algorithms to enforce secure storage remains a difficult problem. 3) Data Masking: Masking replaces sensitive data elements with an unidentifiable value, but is not truly an encryption technique so the original value cannot be returned from the masked value. It uses a strategy of de-identifying the data sets or masking personal identifiers such as name, social security number and suppressing or generalizing quasi-

ABOUELMEHDI KARIM/ Procedia Computer Science 00 (2015) 000–000 2

1. Introduction

The current trend toward digitizing healthcare workflows and moving to electronic patient records has seen a paradigm shift in the healthcare industry. The quantity of clinical data that are available electronically will be then dramatically increased in terms of complexity, diversity and timeliness, resulting what is known as big data. Driven by mandatory requirements and the potential to improve care, save lives and lower costs, big data hold the promise of supporting a wide range of unprecedented opportunities and use cases, including these key examples: clinical decision support, health insurance, disease surveillance, population health management, adverse events monitoring, and treatment optimization for diseases affecting multiple organ systems1,2

Even though the adoption of big data technologies in healthcare sector carries many benefits and promises, it raises also some barriers and challenges. Indeed, the concerns over the sensitive information security and privacy are increased year by year because of several growing trends in healthcare, such as clinician mobility and wireless networking, health information exchange, cloud computing and so on. Moreover, healthcare organizations found that a reactive, bottom-up, technology-centric approach to determining security and privacy requirements is not adequate to protect the organization and its patients 3.

To prevent breaches of sensitive information and other types of security incidents, a proactive, preventive approach and measures must be taken by every healthcare organization with attention to future security and privacy needs.

In this paper, we will discuss some successful and interesting related works. We will also present risks to the security of health data and discuss some newer technologies and redressal of these risks using new techniques. Then, we will focus on the privacy issue in healthcare, and mention various laws and regulations established by different regulatory bodies as well as some feasible methods and techniques used to ensure the patient’s privacy. Finally, we will present some limitations of the proposed techniques and approaches to deal with security and privacy risks before concluding the paper and highlighting the future work that we plan to carry on.

2. Related works

Seamless integration of highly diverse big data technologies in healthcare can facilitate faster and safer throughput of patients, enable to gain deeper insights into the clinical and organizational processes, create greater efficiencies and help improve patient flow, safety, quality of care and the overall patient experience meanwhile contain costs.

Such was the case with the UNC Health Care (UNCHC), which is a not-for-profit integrated healthcare system in North Carolina that has implemented a new system allowing clinicians to rapidly access and analyze unstructured patient data using natural-language processing. In fact, UNCHC has accessed and analyzed huge quantities of unstructured content contained in patient medical records to extract insights and predictors of readmission risk for timely intervention and providing safer care for high-risk patients and reduce re-admissions. 4

An other example in United States is the Indiana Health Information Exchange, which is a non-profit organization, provides a secure and robust technology network of health information linking more than 90 hospitals, community health clinics, rehabilitation centers and other healthcare providers in Indiana. It allows medical information to follow the patient hosted in one doctor office or only in a hospital system. 5

One more example, is Kaiser Permanente medical network based in California, which has more than 9 million members, estimated to manage large volumes of data ranging from 26,5 Petabytes to 44 Petabytes. 6

Big data analytics is used also in Canada, e.g. the infant hospital of Toronto. This hospital succeeded to improve the outcomes for newborns prone to serious hospital infections.

In Europe this time, exactly in Italy, the Italian Medicines agency collects and analyzes a large amount of clinical data concerning expensive new medicines as part of a national profitability program. Based on the results, it may reassess the medicines prices and market access terms. 7

After Europe, Canada, Australia, Russia, and Latin America, Sophia Genetics 8, global leader in Data-Driven Medicine,announced at the recent 2017 Annual Meeting of the American College of Medical Genetics and Genomics (ACMG) that its artificial intelligence has been adopted by African hospitals to advance patient care across the continent.

In Morocco for instance, PharmaProcess in Casablanca, ImmCell, The Al Azhar Oncology Center and The Riad Biology Center in Rabat are some medical institutions at the forefront of innovation that have started integrating Sophia to speed and analyze genomic data to identify disease-causing mutations in patients’ genomic profiles, and decide on the most effective care. As new users of SOPHiA, they become part of a larger network of 260 hospitals in 46 countries

76 Karim Abouelmehdi et al. / Procedia Computer Science 113 (2017) 73–80 ABOUELMEHDI KARIM/ Procedia Computer Science 00 (2015) 000–000 4

identifiers like data-of-birth and zip-codes. Thus, data masking is one of the most popular approach to live data anonymization. k-anonymity first proposed by Swaney and Samrati 12,13 protects against identity disclosure but failed to protect against attribute disclosure. Truta et al.14 have presented p-sensitive anonymity that protects against both identity and attribute disclosure. Other anonymization methods fall into the classes of adding noise to the data, swapping cells within columns and replacing groups of k records with k copies of a single representative. These methods have a common problem of difficulty in anonimyzing high dimensional data sets 15 , 16. A significant benefit of this technique is that the cost of securing a big data deployment is reduced. As secure data is migrated from a secure source into the platform, masking reduces the need for applying additional security controls on that data while it resides in the platform. 4) Access Control: Once authenticated, the users can enter an information system but their access will still be governed by an access control policy which is typically based on the privilege and right of each practitioner authorized by patient or a trusted third party. It is then, a powerful and flexible mechanism to grant permissions for users. It provide sophisticated authorization controls to ensure that users can perform only the activities for which they have permissions, such as data access, job submission, cluster administration, etc. A number of solutions have been proposed to address the security and access control concerns. Role-Based Access Control (RBAC) 17 and Attribute-Based Access Control (ABAC)18,19 are the most popular models for EHR. RBAC and ABAC have shown some limitations when they are used alone in medical system. Paper 25 proposes also a cloud- oriented storage efficient dynamic access control scheme cipher text based on the CP-ABE and symmetric encryption algorithm (such as AES). To satisfy requirements of fine-grained access control yet security and privacy preserving, we suggest adopting technologies conjunction of other security techniques, e.g. encryption, and access control method. 4. Big data privacy in healthcare Recent years have seen the emergence of advanced persistent threats, targeted attacks against information systems, whose main purpose is to smuggle recoverable data by the attacker. Therefore, invasion of patient privacy is considered as a growing concern in the domain of big data analytics, which make organizations in challenge to address these different complementary and critical problems. In fact, data security governs access to data throughout the data lifecycle while data privacy sets this access based on privacy policies and laws which determine, for example, who can view personal data, financial, medical or confidential information. An incident reported in the Forbes magazine raises an alarm over patient privacy 26. In the report, it mentioned that Target Corporation sent baby care coupons to a teen-age girl unbeknown to her parents. This incident impels big data to consider privacy for analytics and developers should be able to verify that their applications conform to privacy agreements and that sensitive information is kept private regardless of changes in the applications and/or privacy regulations. Privacy of medical data is then an important factor which must be seriously considered. Data protection laws More than ever it is crucial that healthcare organizations manage and safeguard personal information and address their risks and legal responsibilities in relation to processing personal data, to address the growing thicket of applicable data protection legislation. Different countries have different policies and laws for data privacy. Data protection regulations and laws in some of the countries along with salient features are listed in the Table below. Table 1: Data protection laws in some of the countries

Country Law Salient Features

U.S.A HIPAA Act Patient Safety and Quality Improvement Act (PSQIA) HITECH Act

Requires the establishment of national standards for electronic health care transactions. Gives the right to privacy to individuals from age 12 through 18. Signed disclosure from the affected before giving out any information on provided health care to anyone, including parents. Patient Safety Work Product must not be disclosed 27. Individual violating the confidentiality provisions is subject to a civil penalty. Protect security and privacy of electronic health information.

Karim Abouelmehdi et al. / Procedia Computer Science 113 (2017) 73–80 77 ABOUELMEHDI KARIM/ Procedia Computer Science 00 (2015) 000–000 5

EU Data Protection Directive Protect people’s fundamental rights and freedoms and in particular their right to privacy with respect to the processing of personal data. 29

Canada Personal Information Protection and Electronic Documents Act (‘PIPEDA')

Individual is given the right to know the reasons for collection or use of personal information, so that organizations are required to protect this information in a reasonable and secure way.28

UK Data Protection Act (DPA) Provides a way for individuals to control information about themselves. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects.

Morocco The 09-08 act, dated on 18 February 2009

Protects the one’s privacy through the establishment of the CNDP authority by limiting the use of personal and sensitive data using the data controllers in any data processing operation. 30

Russia Russian Federal Law on Personal Data

Requires data operators to take “all the necessary organizational and technical measures required for protecting personal data against unlawful or accidental access”.

India IT Act and IT (Amendment) Act

Implement reasonable security practices for sensitive personal data or information. Provides for compensation to person affected by wrongful loss or wrongful gain. Provides for imprisonment and/or fine for a person who causes wrongful loss or wrongful gain by disclosing personal information of another person while providing services under the terms of lawful contract.

Brazil Constitution The intimacy, private life, honour and image of the people are inviolable, with assured right to indenization by material or moral damage resulting from its violation.

Angola Data Protection Law (Law no. 22/11of 17 June)

With respect to sensitive data processing, collection and processing is only allowed where there is a legal provision allowing such processing and prior authorization from the APD is obtained

5. Privacy preserving methods in big data

Few traditional methods for privacy preserving in big data is described in brief here. Although These techniques are used traditionally to ensure the patient’s privacy31,32,33, their demerits led to the advent of newer methods.

A. De-identification:

a traditional method to prohibit the disclosure of confidential information by rejecting any information that can identify the patient, either by the first method that requires the removal of specific identifiers of the patient or by the second statistical method where the patient verifies himself that enough identifiers are deleted. Nonetheless, an attacker can possibly get more external information assistance for de-identification in the big data. As a result, de-identification is not sufficient for protecting big data privacy. It could be more feasible if develop efficient privacy-preserving algorithms to help mitigate the risk of re-identification. The concepts of k-anonymity 34, 36, 37, l-diversity 35, 36, 38 and t-closeness 34, 38 have been introduced to enhance this traditional technique. • k-anonymity: In this technique, higher the value of k, lower will be the probability of re-identification. However, it

may lead to distortions of data and hence greater information loss due to k-anonymization. Furthermore, in k- anonymization, if the quasi-identifiers containing data are used to link with other publicly available data to identify individuals, then the sensitive attribute (like Disease) as one of the identifier will be revealed. Various measures

ABOUELMEHDI KARIM/ Procedia Computer Science 00 (2015) 000–000 4

identifiers like data-of-birth and zip-codes. Thus, data masking is one of the

Collepals.com Plagiarism Free Papers

Are you looking for custom essay writing service or even dissertation writing services? Just request for our write my paper service, and we'll match you with the best essay writer in your subject! With an exceptional team of professional academic experts in a wide range of subjects, we can guarantee you an unrivaled quality of custom-written papers.

Get ZERO PLAGIARISM, HUMAN WRITTEN ESSAYS

Why Hire Collepals.com writers to do your paper?

Quality- We are experienced and have access to ample research materials.

We write plagiarism Free Content

Confidential- We never share or sell your personal information to third parties.

Support-Chat with us today! We are always waiting to answer all your questions.