Towards a GDPR compliant way to secure European cross border Healthcare Industry 4.0


Computer Standards & Interfaces 69 (2020) 103408

Contents lists available at ScienceDirect

Computer Standards & Interfaces journal homepage: www.elsevier.com/locate/csi




Xabier Larrucea (a, c), Micha Moffie (b), Sigal Asaf (b), Izaskun Santamaria (a)

a Tecnalia, Parque Tecnológico de Bizkaia. Edificio 700. E-48160 Derio – Bizkaia, Spain
b IBM Research-Haifa, Haifa University Campus, Haifa, Israel
c University of the Basque Country. Vitoria-Gasteiz, Spain

Keywords: Health information management; Industrial communication; Data security; Privacy; Data processing

Abstract

The health sector is gaining momentum within Industry 4.0. National Health Systems are tightly connected to different complex systems and a wide set of devices. NHSs are processing and managing patients' data, and they are exchanging sensitive information across different countries. This paper takes into account legal aspects such as the GDPR, and it extends the Healthcare Industry architecture reference model with a set of tools dealing with consent management and data hiding. A case study illustrates the use of the reference architectural model.

1. Introduction

Healthcare industry 4.0 is considered a relevant topic within Industry 4.0 [6]. The Industry 4.0 paradigm was coined in 2011 [20], and traditionally it refers to manufacturing or production processes. However, the role of this paradigm in the medical field [13] is gaining momentum, and there are initial integrations of healthcare systems into Industry 4.0 [4]. In this sense, Industry 4.0 and healthcare services [1] are complementary approaches, and their integration is becoming a need. According to [19], Industry 4.0 is spilling out from manufacturing to healthcare, and the increase of digitally networked and data-intensive systems is pushing forward the smarter production concept and, thus, the Industry 4.0 concept. In fact, Internet of Things (IoT), cloud/fog/edge computing, big data analytics, artificial intelligence, and robotics are being used to create digitalized healthcare products and services. The integration of Cloud-based and IoT approaches with healthcare systems and their applications represents a major challenge: integrating diverse applications, devices, and people managing patients' health records [8]. In this sense, fog computing and healthcare are being integrated. However, in the context of national healthcare systems there are still some challenges to be tackled, such as the exchange of electronic health records [11], which is still not solved. In this sense, the OpenNCP [9] is an environment connecting National Health Systems (NHS) across



European countries (Fig. 1), and it is being promoted and recommended by the European Commission. Each country is connected through a Virtual Machine (VM), which is used to connect the different NHSs in order to create a network for sharing patients' health records. Each NHS has a complex architecture and may be connected to Industry 4.0 technologies and/or IoT-based architectures. It has been shown that VMs can be altered with vulnerable code and can give control to potential cybercriminals, or can cause unpredicted behaviours or fatal errors. In fact, several vulnerabilities are exploited by attackers, such as service hijacking, data scavenging, customer-data manipulation, or even malicious VM creation. At the same time, a federated healthcare industry 4.0 system involving different countries requires the implementation of technologies, overcoming interoperability problems across systems, and an assessment of legal aspects such as the General Data Protection Regulation (GDPR) [29]. Security and privacy of personal data, including transfers of personal data to third countries or international organizations, are major subjects within this European law, and mechanisms must be set up for assuring security and privacy, especially when managing patients' health records [30]. In addition, Cloud Virtualization (CV) introduces new security problems, especially in federated and multi-cloud environments, and malicious software is one of the core tools used by cybercriminals to compromise information systems. In the healthcare sector special attention is dedicated to data security [2], and therefore more security checks are recommended. Therefore, such a complex scenario – connecting a vast number of

Corresponding author. E-mail address: [email protected] (X. Larrucea).

https://doi.org/10.1016/j.csi.2019.103408
Received 3 December 2019; Received in revised form 22 December 2019; Accepted 24 December 2019; Available online 25 December 2019
0920-5489/ © 2019 Published by Elsevier B.V.


Fig. 1. National Healthcare Systems connected through the OpenNCP network for sharing patients' health records. Each cloud is a complex architecture which interoperates with other NHSs through the OpenNCP.

technologies and architectures to manage sensitive information – must be safeguarded, and must address the current cybersecurity challenges in Industry 4.0 [16]. In fact, as stated by the industry analysis carried out in [16], healthcare is one of the major concerns in Industry 4.0, and not only manufacturing processes. This paper contributes with the following:

• Adoption of the healthcare industry 4.0 architectural model.
• Integration of different tools for assuring security and privacy over the Healthcare Industry architecture reference model. Specifically, we identify a set of potential threats and the security measures for data security and privacy.
• A case study illustrates the use of the architecture and the use of its related tools.

This paper is structured as follows. First, a background overview on healthcare, OpenNCP and GDPR is provided. Second, a healthcare industry 4.0 architecture is proposed. Next, we use a case study to illustrate the approach. In Section 5, we draw conclusions and outline future steps.

2. Background

2.1. Healthcare information systems, OpenNCP and Industry 4.0

Security is one of the main challenges in healthcare systems because there are both technical and non-technical aspects. From a technical point of view, there are several technical barriers, such as the integration of National Healthcare Systems (NHS) in order to share patients' information and patients' health records for improving diagnosis and treatments. In fact, NHSs are differently managed and implemented within the European Union, and even regions within each country have different healthcare systems. Therefore, if we want to enable the exchange of health records among states, we need to provide the means for their interoperability. The integration of these different healthcare systems is a major challenge, especially in an Industry 4.0 environment. From a non-technical point of view, security awareness is one of the main topics to be addressed in healthcare systems. Technologies are evolving, and the eHealth cloud [21] is being considered as well. Privacy of the patient must be safeguarded in this kind of environment, especially when there is an increasing number of connected devices and systems sharing information. For example, scanner results usually include some patient identification, and the exchange of these results can identify patients.

IoT systems are being integrated with NHSs, and there are some IoT system architectures well designed to support specific applications for the emerging healthcare industry [18]. The backbone for exchanging patients' health records across European countries is the OpenNCP platform [9]. This platform is supported by the European Commission, providing a common network and an infrastructure to connect different national healthcare systems. It was originally created by the epSOS project [32], and it is being promoted, evolved and enhanced through the eHealth Digital Service Infrastructure (DSI) Operations [10]. The eHealth DSI (eHDSI) is the initial deployment and operation of services for cross-border health data exchange under the Connecting Europe Facility (CEF). Each National Contact Point for eHealth (NCPeH) is deployed in a VM which connects to the other VMs. The literature reflects some experiences, such as [28]. In turn, each member state has a complex and different infrastructure connecting to the OpenNCP. Several research works have been published related to this platform, such as [15]. Concerning Industry 4.0, communication is a central part of Industry 4.0 as defined by [26], and it is a relevant layer within the reference architectural framework [26]. According to [25], there are “several ways to improve security in electronic communications. The years since 2013 have shown an increasing willingness on the part of companies to implement more secure encryption. However, governments seem reluctant to give up their acquired data sources to re-establish the state of law”.

2.2. GDPR, eHealth records and consent

The General Data Protection Regulation (GDPR) [29] is a European directive (law) under which security aspects related to personal data must be enhanced. In addition, transfers of personal data to third countries or international organizations are considered one of the main challenges or topics to be addressed. In this context, consent management is a key aspect. This law stresses the role of the patient and the role of the consent given by the patient for data processing. According to this law, “where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation” [29]. This consent must also be exchanged among different member states when a patient is being assisted by a doctor in another country. Other research works related to GDPR, such as [22], are dealing with this recent regulation. Privacy regulations such as GDPR and privacy rules related to the collection, sharing and transferring of personal and sensitive information are significantly impacting governments and businesses. These rules and limitations will impact both new and existing applications and may require significant modifications to existing systems and data flows. Another European directive is related to the management of patients' health records [30]. These records should be connected to medical devices, hospital records, and so on. Medical doctors require as much information as possible, and patients' information is usually spread over the network. The aforementioned two European directives stress and emphasize the consent management concept. Traditionally, the consent is captured and represented on a piece of paper, and until now this has been the best situation. In the worst situations, there is no evidence of explicit consent. Healthcare systems need to capture the informed consent from patients in an explicit way, which cannot be a simple signed piece of paper. Consent management systems must define a specific consent architecture [12].

3. Enhanced Healthcare Industry 4.0

3.1. Healthcare industry 4.0 Architecture

The proposed architecture (Fig. 2) extends the IoT architecture [17] and the Reference Architectural Model Industry 4.0 [26] in order to support a healthcare industry 4.0 reference architecture. Basically, we


based on consent decisions). The hiding tool's main interface is a single method called process. This method receives the payload, the policy and a few additional arguments (e.g. the predicates) and returns the processed payload (e.g. masked/unmasked).

How does the data sensitivity analysis work? The process of identifying sensitive data is a necessary step to be able to address the EU GDPR regulation. The first step is to discover the personal data in the organization's datastores, categorize the data, and finally apply appropriate methods to protect the data. Given a category, the organization can adhere to the specific GDPR requirements. For example, the GDPR defines special categories such as racial and health data. A company must have a legitimate and lawful reason for collecting, storing, transmitting, or processing these special categories. The Data Sensitivity Analysis Tool addresses the first step: it finds the sensitive/personal data in relational databases. The tool is provided with DB tables for analysis and a configuration. The configuration allows us to customize the tool and select relevant predefined classifiers. In addition, the tool provides the ability to define custom classifiers. The tool analyses each one of the tables and provides the table categories as well as specific information for each column. This information includes the column categories and sub-categories, each attached with a corresponding confidence score. Internally, the tool utilizes several methods to identify categories. These include regular expressions, dictionaries and methods to check complex restrictions such as the Luhn checksum. In addition, the tool uses statistical analysis: it checks the percentage of values that satisfy a specific category, such as email address or personal nationality identifier, and provides a corresponding score. Moreover, we developed advanced classifiers that support differentiating between categories whose domains overlap.

Fig. 2. Reference Architectural Model Industry 4.0 [26], adopted for the healthcare industry 4.0.

are using the same layered stack, including the following:

• Business Processes: this layer involves the interaction among the different stakeholders to provide added value to the healthcare industry 4.0 stakeholders. This paper considers the consent management process to illustrate how it works, since consent has a relevant role within current regulations such as the GDPR.
• Functions: to implement consent management functionalities, we need to develop and set up processes to (1) identify the sensitive data elements and (2) enforce the consent decision, in addition to the consent management tool per se, in particular during interaction among different healthcare systems, as well as the explicit consent stated by patients.
• Data: tightly related to the above layers, the data layer deals with the data required by the OpenNCP architecture: the format of the data and the identification of the data.
• Communication: we use the OpenNCP as a communication channel for sharing patients' information such as eHealth records. We extend the OpenNCP to include all the different healthcare systems.
• Digitalization: health records are represented using HL7 and follow the International Patient Summary guidelines. Scanners and other medical results such as blood analyses are digitalized.
• Physical Things: mobile devices can access health records using encrypted channels. This aspect is not addressed in this paper due to space limitations.

3.2.2. Business processes layer

This layer is concerned with the upper layer of the architecture. We have defined the architecture to support consent management because it is one of the two major issues [3] in healthcare systems. Occasionally, a kind of remote consent is required when patients are not physically present, and semantic models for consent management need to be captured and represented. Sometimes, consent requires access to patient data [7], and physicians must deal with ethical aspects. The processing of health information among different actors (e.g. peer to peer) [31] is the other major issue [3], and this is especially relevant in emergency contexts [27] or even in the IoT (Internet of Things). Consent and policies are tightly related to each other. In fact, according to [24]:

3.2. Security and privacy mechanisms

As stated previously, the security and privacy mechanisms included in our architecture act over the stack defined in Fig. 2. It is essential to specify how the data layer works for identifying sensitive information within health records, and how this information is hidden.

“the patient's consent has a pivotal role in granting or removing access rights to subjects accessing patient's medical data. Depending on the context in which the access is being executed, different consent policies can be applied.” Policy frameworks such as [14] are useful to enhance and provide trust to users. In this sense, our approach, based on [5], is to provide an integrated set of tools that supports and enables the creation of a formal structure for the abstraction, governance and implementation of trust relationships and security policies. Working across multiple disparate organisations and technologies, it provides a standardized trusted mechanism between all parties for sharing data, whilst maintaining strict conformance to the strongly defined trust framework. Fig. 3 summarizes the workflow over two countries, and how the consent manager and the data hiding tool are used. The consent manager reads the patient's health records and defines a set of rules representing the wishes of the patient. Then the data hiding tool masks the appropriate data; this masked data is the information the patient does not want to share. Afterwards all this information is exchanged and sent to the requesting country through the extended OpenNCP.
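The following Python sketch is an added illustration of the workflow just described (consent decision, hiding policy, masking, exchange, unmasking); it is example code written for this page, not the SHiELD tools or the authors' implementation. It exposes a single process method that receives a payload, a policy and predicates, as the data hiding tool's interface is described in Section 3.2.1, and implements two of the operations the tool lists (redact and tokenize). The XML structure, the policy format, the predicate name "withheld", the HMAC-based token scheme and the assumption that the consent manager yields a set of section codes the patient agreed to share are all assumptions of this example; the real tool's encryption and format-preserving operations are not reproduced.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample payload: a minimal discharge-report-like XML. The structure
# is an assumption for this example, not the paper's HL7/IPS document.
SAMPLE_XML = """<report>
  <patient><name>Jane Doe</name><nationalId>123456789</nationalId></patient>
  <section code="psych"><text>History of depression.</text></section>
  <section code="allergy"><text>Penicillin allergy.</text></section>
</report>"""

# Demo-only tokenization key; a deployment would keep this in a key store.
TOKEN_KEY = b"demo-tokenization-key-not-for-production"


def op_redact(value, vault):
    """Irreversible masking: the value is replaced by asterisks of equal length."""
    return "*" * len(value)


def op_tokenize(value, vault):
    """Reversible masking: a keyed, deterministic token stands in for the value and
    the original is kept in a vault so an authorised party can unmask it later."""
    token = "tok_" + hmac.new(TOKEN_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]
    vault[token] = value
    return token


OPERATIONS = {"redact": op_redact, "tokenize": op_tokenize}


def policy_from_consent(consented_sections):
    """Consent manager output (assumed: a set of section codes the patient agreed to
    share) becomes a hiding policy: identifiers are always tokenized, and every
    clinical section the patient withheld is redacted (attributes and text)."""
    return {
        "id": "discharge-report-v1",
        "rules": [
            {"select": "./patient/nationalId", "op": "tokenize"},
            {"select": "./patient/name", "op": "tokenize"},
            {"select": ".//section", "op": "redact", "predicate": "withheld"},
        ],
    }


def process(payload, policy, predicates, vault=None):
    """Single entry point, mirroring the tool's 'process' method: apply each rule to
    the elements it selects, gated by its predicate, and return the masked payload
    plus the vault needed to reverse tokenization."""
    root = ET.fromstring(payload)
    vault = {} if vault is None else vault
    for rule in policy["rules"]:
        keep_hidden = predicates.get(rule.get("predicate"), lambda el: True)
        operation = OPERATIONS[rule["op"]]
        for element in root.iterfind(rule["select"]):
            if not keep_hidden(element):
                continue  # patient consented to this element: leave it untouched
            for node in element.iter():  # the element and its whole subtree
                if node.text and node.text.strip():
                    node.text = operation(node.text.strip(), vault)
                for attr, value in list(node.attrib.items()):
                    node.set(attr, operation(value, vault))
    return ET.tostring(root, encoding="unicode"), vault


def unmask(payload, vault):
    """Reverse tokenization using the vault; redacted values cannot be recovered."""
    root = ET.fromstring(payload)
    for node in root.iter():
        if node.text in vault:
            node.text = vault[node.text]
        for attr, value in list(node.attrib.items()):
            if value in vault:
                node.set(attr, vault[value])
    return ET.tostring(root, encoding="unicode")


def run_demo():
    """Constructed scenario: the patient shares only the allergy section."""
    consented = {"allergy"}
    predicates = {"withheld": lambda el: el.get("code") not in consented}
    masked, vault = process(SAMPLE_XML, policy_from_consent(consented), predicates)
    restored = unmask(masked, vault)
    m, r = ET.fromstring(masked), ET.fromstring(restored)
    sections = {s.get("code"): s.find("text").text for s in m.iterfind(".//section")}
    return {
        "national_id_masked": m.find("./patient/nationalId").text,
        "allergy_text": sections["allergy"],
        "psych_redacted": sections["*****"],  # the code attribute was redacted too
        "name_restored": r.find("./patient/name").text,
        "national_id_restored": r.find("./patient/nationalId").text,
        "vault_size": len(vault),
    }


if __name__ == "__main__":
    print(run_demo())
```

The predicate is evaluated on the section element before its subtree is touched, so the consent decision is taken on the original code attribute even though that attribute is then redacted; the vault is what the requesting country's authorised clinician would need to reverse the tokens, and nothing can reverse a redaction.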

3.2.1. Data layer

How does the data hiding tool work? The data hiding tool aims at addressing privacy rules related to sharing and storing personal sensitive information, while providing a solution for real-world applications and data flows. The hiding tool addresses stringent requirements on the performance of the tool as well as on the format of the hidden information in the payload, and provides multiple masking/unmasking operations (e.g. redact, tokenize, encrypt, format preserving encryption etc.). In addition, the tool supports a wide array of mechanisms to identify, select (sensitive) and modify data elements within different types of payloads, including structured, unstructured and composite documents. Lastly, the tool provides the user with a policy allowing her to specify the exact data elements to process and what operation to perform on each of those elements, and provides a mechanism to specify predicated processing of selected data items (e.g.


Fig. 3. Business process flow and the interaction among the integrated tools for enhancing security and privacy.

Fig. 5. A UK patient travelling to Spain: medical doctor and patient agreement for exchanging data.

4. Case study

4.1. Research method

The purpose of this section is to report a case study. According to [23] there are different research methodologies for case studies. Our primary objective is exploratory, and the primary data used is qualitative. Our purpose is to analyze a specific situation where a citizen travels from one country to another and there is a need for health data exchange. This situation requires the use of a healthcare industry reference architecture. The layers of this architecture are described in the previous section. Basically, this exploratory process is based on a general overview and the description of the healthcare industry reference architecture layers. These descriptions are illustrated with an example.

4.2. General overview

The following figure (Fig. 4) summarizes the case study we are using. We are connecting three different countries, each country has its own NHS, and their data is represented. However, in order to simplify the scenario we illustrate just two countries in Fig. 5.

4.3. Business processes layer

This layer deals with the consent management in a healthcare industry 4.0 context where two different countries must collaborate and share patients' health records for assisting a patient travelling from one country to another.

This case study (Fig. 5) is also based on the case studies reflected in [15], which use the same situation as a testing example. In this case, a UK citizen travelling to Spain (Fig. 5) suffers a stroke and is taken to the nearest Spanish hospital. While receiving first aid from the Emergency Medical Services (EMS), the coordination centre informs the EMS which hospital the patient should be taken to. At the same time a message is sent to a workstation located in the emergency department of the hospital, responsible for alerting the first-aid unit. As soon as the message is received, a medical team is created for the stroke assistance. To ensure the best assistance, the medical staff wishes to check the patient's electronic health records (EHR) to know their medical history (e.g. their epSOS patient summary). From a technical point of view, Fig. 6 represents the solution where different National Health Systems are interconnected [32]. Fig. 6 includes the two members of the European Union that are connected by using OpenNCP. Each national OpenNCP installation plays a relevant role within the consent management. This business process involves different OpenNCP nodes, and each node includes a set of functionalities in order to strengthen data security and privacy. Security is a chain, and it is as strong as its weakest link, and all these NHSs are connected by using this platform. Each national contact point has the same set of tools for managing consent, for hiding sensitive data, and for secure monitoring (Fig. 6).

4.4. Data layer

As this layer is a central aspect of our resulting platform, we show in Fig. 7 the main UI of the data hiding tool. The UI allows the user to create, manage and test the hiding policies. Note that at runtime the data hiding tool's ‘process’ API is called with the policy id and the relevant payload. Obviously, there are several connections among the different tools, such as the consent manager, the data hiding tool and the extended OpenNCP, but we just want to highlight the tool we have developed and used for supporting the approach. Although Fig. 7 is small, one can see the two main functionalities of the tool's UI: creation and management on the left side, testing on the right. In the following paragraphs we provide an example of the outcomes of this tool.

Example of a masked eHealth record. The data hiding tool was used to hide specific data in a Psychiatry Discharge Report (XML based) and was configured to account for the consent provided by the user and hide only the non-consented information. Fig. 8 and Fig. 9 show the XML before and after the masking tool was invoked. Note that in this case the tool encrypted all attributes and text in the relevant section (shown).

Example of a data sensitivity analysis. We ran the Data Sensitivity Analysis tool on the consultation table of our case study NHS DB. This table contains patient info including many Direct and Indirect (Quasi) Personal Identifier information such as

Fig. 4. Reference Architectural Model Industry 4.0 adopted for the healthcare industry 4.0.


Fig. 6. Reference Architectural Model Industry 4.0 adopted for the healthcare industry.

Fig. 7. Data Masking toolkit for the Reference Architectural Model Industry 4.0 adopted for the healthcare industry 4.0.

Fig. 9. An example of the XML masked.

name, phone, national id and birth date. The purpose was to correctly categorize each of the table columns. The tool found that the table contains both Direct and Indirect (Quasi) Personal Identifiers. In addition, for each column it provides its category and sub-categories. Fig. 10 displays part of the JSON result for the consultation table. As illustrated, the consultation table contains both Direct Identifier and Quasi Identifier columns. The HCP_ID column is identified as a Quasi Identifier, and the results show a high likelihood (confidence score of 0.9) that it contains personal region information.
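To make the column classification concrete, the following Python example is added here; it is written for this page and is not the IBM Data Sensitivity Analysis Tool or any code from the paper. It reproduces the mechanisms the paper names (regular expressions, a dictionary, a Luhn checksum as a complex restriction, and a percentage-based confidence score), splits results into the paper's Direct Identifier and Quasi Identifier categories, and emits a JSON report per table and per column. The consultation table, the classifier list, the region-code pattern for HCP identifiers, the 0.5 threshold and the "strength" rule used to pick a primary sub-category when two classifiers overlap (a Luhn-valid card number also looks like a phone number) are all assumptions of this example.

```python
import json
import re

# Constructed sample "consultation" table (column -> values). Every value is invented
# for this example; nothing here comes from the paper's case-study NHS database.
CONSULTATION = {
    "name": ["Ana Garcia", "John Smith", "Maria Lopez", "Peter Jones", "Laura Ruiz"],
    "phone": ["+34 600 123 456", "+44 7700 900123", "+34 611 222 333",
              "+44 7700 900456", "+34 622 333 444"],
    "email": ["ana@example.org", "john@example.org", "maria@example.org",
              "unknown", "laura@example.org"],
    "national_id": ["12345678Z", "98765432M", "11223344B", "55667788Q", "99887766T"],
    "birth_date": ["1980-05-12", "1975-11-03", "1990-02-28", "1968-07-19", "2001-12-01"],
    "hcp_id": ["HCP-BIZ-001", "HCP-BIZ-002", "HCP-MAD-001", "HCP-BIZ-003", "HCP-CAT-002"],
    "card": ["4539 1488 0343 6467", "4111 1111 1111 1111", "1234 5678 9012 3456",
             "5500 0000 0000 0004", "not available"],
    "notes": ["Follow-up in 2 weeks", "Prescribed ibuprofen", "Referred to cardiology",
              "No changes", "Allergy noted"],
}


def luhn_ok(value):
    """Complex-restriction classifier: the Luhn checksum used by payment card numbers."""
    digits = value.replace(" ", "")
    if not digits.isdigit() or len(digits) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Dictionary classifier: a (tiny, constructed) first-name list.
FIRST_NAMES = {"ana", "john", "maria", "peter", "laura"}


def regex_test(pattern):
    rx = re.compile(pattern)
    return lambda v: bool(rx.match(v))


# (sub-category, category, strength, per-value test). Strength encodes how specific
# the evidence is: 3 = checksum-validated, 2 = strict pattern, 1 = loose pattern or
# dictionary. It is this example's way of resolving overlapping categories.
CLASSIFIERS = [
    ("person_name", "Direct Identifier", 1, lambda v: v.split(" ")[0].lower() in FIRST_NAMES),
    ("phone", "Direct Identifier", 1, regex_test(r"^\+?\d[\d ]{7,}\d$")),
    ("email", "Direct Identifier", 2, regex_test(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$")),
    ("national_id", "Direct Identifier", 2, regex_test(r"^\d{8}[A-Z]$")),
    ("payment_card", "Direct Identifier", 3, luhn_ok),
    ("birth_date", "Quasi Identifier", 2, regex_test(r"^\d{4}-\d{2}-\d{2}$")),
    ("region_code", "Quasi Identifier", 2, regex_test(r"^HCP-(BIZ|MAD|CAT)-\d{3}$")),
]


def classify_column(values, threshold=0.5):
    """Statistical scoring: the confidence of a sub-category is the fraction of values
    that satisfy its test. Every sub-category above the threshold is reported; the
    primary one is the strongest (then the most confident) match."""
    hits = []
    for sub, cat, strength, test in CLASSIFIERS:
        matched = sum(1 for v in values if v and test(v))
        score = round(matched / len(values), 2) if values else 0.0
        if score >= threshold:
            hits.append({"sub_category": sub, "category": cat,
                         "confidence": score, "strength": strength})
    if not hits:
        return {"category": "unclassified", "sub_categories": []}
    primary = max(hits, key=lambda h: (h["strength"], h["confidence"]))
    return {
        "category": primary["category"],
        "primary": primary["sub_category"],
        "sub_categories": [{k: h[k] for k in ("sub_category", "confidence")}
                           for h in sorted(hits, key=lambda h: -h["confidence"])],
    }


def analyse_table(table_name, table, threshold=0.5):
    """Classify every column and roll the categories up to table level."""
    columns = {col: classify_column(vals, threshold) for col, vals in table.items()}
    categories = sorted({c["category"] for c in columns.values()
                         if c["category"] != "unclassified"})
    return {"table": table_name, "categories": categories, "columns": columns}


def to_json(report):
    """Render the report as JSON, in the spirit of the tool's output in Fig. 10."""
    return json.dumps(report, indent=2)


if __name__ == "__main__":
    print(to_json(analyse_table("consultation", CONSULTATION)))
```

On the constructed table the card column scores 0.8 as a phone number and 0.6 as a payment card; the strength rule makes payment_card the primary sub-category while still reporting both, which is the overlap situation the paper's advanced classifiers are meant to handle, and the notes column stays unclassified because no test reaches the threshold.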

4.5. GDPR articles

Fig. 8. An example of the XML unmasked.

GDPR specification and adoption imply a set of legal requirements to be fulfilled. This case study is analyzed from the GDPR perspective because it has a new kind of impact on systems for health data exchange. GDPR is applicable to any organization in the world that purchases or uses applications, services or products processing data and that has a commercial presence in Europe. This directive is directly effective in all Member States of the European Union, thereby unifying legal obligations that are currently defined at national level. The assessment of GDPR within this case study is a complex process, and it probably requires further and more in-depth analysis of the general legal and fundamental-rights requirements. Basically, this case study includes tools dealing with the GDPR's Article 5, “Principles relating to processing of personal data”, and particularly health records. In fact, the real application of the OpenNCP requires the application of this directive, and the adoption of different methods and tools. The GDPR's Article 6, “Lawfulness of processing”. Therefore, the reference architecture described in this paper deals not only with data sensitivity analysis and data hiding tools, but also with consent management (GDPR Article 7, “Conditions for consent”) and the use of OpenNCP as an interoperability channel for assuring data portability (GDPR Article 20, “Right to data portability”).

Fig. 10. JSON result for the consultation table.

5. Conclusions

The medical field is gaining momentum within Industry 4.0, and we cannot be on the sidelines of the incipient irruption of the health sector into this paradigm. NHSs are processing and managing patients' data, and they are starting to exchange eHealth records among different countries. In addition, the health sector is including and developing medical devices, and they are being connected to the NHS in order to support medical doctors' activities such as prescriptions, treatments and so forth. This aspect involves technical challenges and legal implications. Therefore, our contributions are aligned to support this scenario and to overcome interoperability problems across systems. From a legal point of view, our approach strengthens the security and privacy of personal data, including transfers of personal data to third countries, as promoted by the General Data Protection Regulation (GDPR) [29]. This paper contributes with the definition of a healthcare industry 4.0 architectural model based on RAMI 4.0. We have defined and used a consent manager and a data hiding tool for sharing health records. Another relevant contribution is related to the integration of different tools for assuring security and privacy over the Healthcare Industry architecture reference model. In this sense we identify a set of potential threats and the security measures for data security and privacy. Our case study illustrates some of the real-world complexities and how the approach we took can address those complexities. This includes identifying and categorizing the information that is subject to GDPR and consent, and integrating the consent manager and data hiding tool within the data flow while providing the user fine-grained control over their personal data. As future work, we are working on the exchange of patients' data stemming from mobile devices, on how to integrate them into NHSs, and on how to prevent data breaches within this complex scenario.

CRediT authorship contribution statement

Xabier Larrucea: Conceptualization, Methodology, Validation. Micha Moffie: Methodology, Software, Validation. Sigal Asaf: Methodology, Software, Validation. Izaskun Santamaria: Conceptualization, Supervision.

Declaration of Competing Interest

None.

Acknowledgement

This paper has been partially funded by the SHiELD project (H2020 Framework Contract No. GA 727301).

References

[1] Mohamed Alloghani, Dhiya Al-Jumeily, Abir Hussain, Ahmed J. Aljaaf, Jamila Mustafina, E. Petrov, Healthcare services innovations based on the state of the art technology trend industry 4.0, 2018 11th International Conference on Developments in eSystems Engineering (DeSE), Cambridge, United Kingdom, IEEE, 2018, pp. 64–70, https://doi.org/10.1109/DeSE.2018.00016.
[2] R. Anitha, Saswati Mukherjee, Data security in cloud for health care applications, in: Hwa Young Jeong, Mohammad S. Obaidat, Neil Y. Yen, James J. Park (Eds.), Advances in Computer Science and Its Applications, Springer, Berlin Heidelberg, 2014, pp. 1201–1209, https://doi.org/10.1007/978-3-64241674-3_167.
[3] Muhammad Rizwan Asghar, TzeHowe Lee, Mirza Mansoor Baig, Ehsan Ullah, Giovanni Russello, Gillian Dobbie, A Review of Privacy and Consent Management in Healthcare: A Focus On Emerging Data Sources, IEEE, 2017, pp. 518–522, https://doi.org/10.1109/eScience.2017.84.
[4] Adel Badri, Bryan Boudreau-Trudel, Ahmed Saâdeddine Souissi, Occupational health and safety in the industry 4.0 era: a cause for major concern? Saf. Sci. 109 (2018) 403–411, https://doi.org/10.1016/j.ssci.2018.06.012, November 2018.
[5] William J. Buchanan, Omair Uthmani, Lu Fan, Niall Burns, Owen Lo, Alistair Lawson, James Varga, Cassie Anderson, Modelling of integrated trust, governance and access, in: Massimo Felici (Ed.), Cyber Security and Privacy, Springer, Berlin Heidelberg, 2013, pp. 91–101, https://doi.org/10.1007/978-3-642-41205-9_8.
[6] A. Celesti, O. Amft, M. Villari, Guest editorial special section on cloud computing, edge computing, internet of things, and big data analytics applications for healthcare industry 4.0, IEEE Trans. Industr. Inf. 15 (1) (2019) 454–456, https://doi.org/10.1109/TII.2018.2883315, January 2019.
[7] Margarida David, Fernando Rosa, Pedro Pereira Rodrigues, Need and Requirements Elicitation For Electronic Access to Patient's Medication History in the Emergency Department, IEEE, 2014, pp. 497–498, https://doi.org/10.1109/CBMS.2014.108.
[8] Mohamed Elhoseny, Ahmed Abdelaziz, Ahmed S. Salama, A.M. Riad, Khan Muhammad, Arun Kumar Sangaiah, A hybrid model of internet of things and cloud computing to manage big data in health services applications, Future Gener. Comput. Syst. 86 (2018) 1383–1394, https://doi.org/10.1016/j.future.2018.03.005, September 2018.
[9] European Commission. OpenNCP. Retrieved October 1, 2018 from https://ec.europa.eu/cefdigital/wiki/display/EHNCP.
[10] European Commission. eHealth DSI Operations. Retrieved July 29, 2018 from https://ec.europa.eu/cefdigital/wiki/display/EHOPERATIONS/eHealth+DSI+Operations+Home.
[11] Jigna J. Hathaliya, Sudeep Tanwar, Sudhanshu Tyagi, Neeraj Kumar, Securing electronics healthcare records in Healthcare 4.0: a biometric-based approach, Comput. Electr. Eng. 76 (2019) 398–410, https://doi.org/10.1016/j.compeleceng.2019.04.017, June 2019.
[12] Oliver Heinze, Markus Birkle, Lennart Köster, Björn Bergh, Architecture of a consent management suite and integration into IHE-based regional health information networks, BMC Med. Inform. Decis. Mak. 11 (1) (2011), https://doi.org/10.1186/1472-6947-11-58, December 2011.
[13] Mohd Javaid, Abid Haleem, Industry 4.0 applications in medical field: a brief review, Current Med. Res. Pract. (2019), https://doi.org/10.1016/j.cmrp.2019.04.001, April 2019.
[14] J. Karat, C.-M. Karat, E. Bertino, N. Li, Q. Ni, C. Brodie, J. Lobo, S.B. Calo, L.F. Cranor, P. Kumaraguru, R.W. Reeder, Policy framework for security and privacy management, IBM J. Res. Dev. 53 (2) (2009) 4:1–4:14, https://doi.org/10.1147/JRD.2009.5429046, March 2009.
[15] Xabier Larrucea, Izaskun Santamaria, Ricardo Colomo-Palacios, Assessing source code vulnerabilities in a cloud-based system for health systems: OpenNCP, IET Softw. 13 (3) (2019) 195–202, https://doi.org/10.1049/iet-sen.2018.5294, June 2019.
[16] Marianna Lezzi, Mariangela Lazoi, Angelo Corallo, Cybersecurity for Industry 4.0 in the current literature: a reference framework, Comput. Ind. 103 (2018) 97–110, https://doi.org/10.1016/j.compind.2018.09.004, December 2018.
[17] Shancang Li, Li Da Xu, Shanshan Zhao, The internet of things: a survey, Inf. Syst. Front. 17 (2) (2015) 243–259, https://doi.org/10.1007/s10796-014-9492-7, April 2015.
[18] Pasquale Pace, Gianluca Aloi, Raffaele Gravina, Giuseppe Caliciuri, Giancarlo Fortino, Antonio Liotta, An edge-based architecture to support efficient applications for healthcare industry 4.0, IEEE Trans. Ind. Inf. 15 (1) (2019) 481–489, https://doi.org/10.1109/TII.2018.2843169, January 2019.
[19] Zhibo Pang, Geng Yang, Ridha Khedri, Yuan-Ting Zhang, Introduction to the special section: convergence of automation technology, biomedical engineering, and health informatics toward the healthcare 4.0, IEEE Rev. Biomed. Eng. 11 (2018) 249–259, https://doi.org/10.1109/RBME.2018.2848518.
[20] Sabine Pfeiffer, The vision of “Industrie 4.0” in the making—a case of future told, tamed, and traded, Nanoethics 11 (1) (2017) 107–121, https://doi.org/10.1007/s11569-016-0280-3, April 2017.
[21] F. Ramalho, A. Neto, K. Santos, J.B. Filho, N. Agoulmine, Enhancing eHealth smart applications: a fog-enabled approach, 2015 17th International Conference on E-health Networking, Application & Services (HealthCom), Boston, MA, USA, IEEE, 2015, pp. 323–328, https://doi.org/10.1109/HealthCom.2015.7454519.
[22] Erkuden Rios, Eider Iturbe, Xabier Larrucea, Massimiliano Rak, Wissam Mallouli, Jacek Dominiak, Victor Muntés, Peter Matthews, Luis Gonzalez, Service level agreement-based GDPR compliance and security assurance in (multi)Cloud-based systems, IET Software (2019), https://doi.org/10.1049/iet-sen.2018.5293, February 2019.
[23] Per Runeson, Martin Höst, Guidelines for conducting and reporting case study research in software engineering, Empirical Softw. Eng. 14 (2) (2009) 131–164, https://doi.org/10.1007/s10664-008-9102-8, April 2009.
[24] Giovanni Russello, Changyu Dong, Naranker Dulay, Consent-Based Workflows for Healthcare Management, IEEE, 2008, pp. 153–161, https://doi.org/10.1109/POLICY.2008.22.
[25] Stefan Schuster, M. van den Berg, X. Larrucea, T. Slewe, P. Ide-Kostic, Mass surveillance and technological policy options: improving security of private communications, Comput. Stand. Interfaces 50 (2017) 76–82, https://doi.org/10.1016/j.csi.2016.09.011, February 2017.
[26] Karsten Schweichhart. Reference architectural model industrie 4.0 (RAMI 4.0). Retrieved from https://ec.europa.eu/futurium/en/system/files/ged/a2schweichhart-reference_architectural_model_industrie_4.0_rami_4.0.pdf.
[27] Jason S. Shapiro, Diana Crowley, Shkelzen Hoxhaj, James Langabeer, Brian Panik, Todd B. Taylor, Arlo Weltge, Jeffrey A. Nielson, Health information exchange in emergency medicine, Ann. Emerg. Med. 67 (2) (2016) 216–226, https://doi.org/10.1016/j.annemergmed.2015.06.018, February 2016.
[28] Mariacarla Staffa, Luigi Sgaglione, Giovanni Mazzeo, Luigi Coppolino, Salvatore D'Antonio, Luigi Romano, Erol Gelenbe, Oana Stan, Sergiu Carpov, Evangelos Grivas, Paolo Campegiani, Luigi Castaldo, Konstantinos Votis, Vassilis Koutkias, Ioannis Komnios, An OpenNCP-based solution for secure eHealth data exchange, J. Netw. Comput. Appl. 116 (2018) 65–85, https://doi.org/10.1016/j.jnca.2018.05.012, August 2018.
[29] The European Parliament and the Council. 2016. Directive 95/46/EC (General data protection regulation). Retrieved June 25, 2019 from https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679.
[30] The European Parliament and the Council of the European Union. Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients' rights in cross-border healthcare.
[31]
[32]
Retrieved June 25, 2019 fromhttps://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX %3A32011L0024. Jens H. Weber-Jahnke, Christina Obry, Protecting privacy during peer-to-peer exchange of medical documents, Inf. Syst. Frontiers 14 (1) (2012) 87–104, https:// doi.org/10.1007/s10796-011-9304-2 March 2012. Smart Open Services for European Patients (epSOS). Retrieved July 29, 2018fromhttps://www.itu.int/net4/wsis/stocktaking/projects/Project/Details? projectId=1399467257.