Creating and sharing knowledge for telecommunications

Analysis of the Security and Privacy Requirements of Cloud-Based

Rodrigues, J. R. ; de la Torre, I. T. ; Fernández-Cardeñosa, G. F. ; López-Coronado, M. L.

Journal of Medical Internet Research Vol. 15, Nº 8, pp. 1 - 9, August, 2013.

ISSN (print): 1438-8871
ISSN (online):

Journal Impact Factor: 3,768 (in 2012)

Digital Object Identifier: 10.2196/jmir.2494

Abstract
Background: E-health systems have the chance of improving their features and functionalities through the Cloud Computing paradigm. However, moving the patients’ medical information to the Cloud implies several risks in terms of security and privacy of sensitive information. In this paper the risks of hosting the Electronic Health Records (EHRs) in the servers of a third-party Cloud service provider are overviewed. So as to keep the confidentiality of the patients’ information and ease the process, some suggestions to be taken in mind by the Health Organisms or clinical centers are shown. Moreover, some security issues that a Cloud provider must deploy in his Cloud platforms are explained.
Objective: The main aim of this paper is to show that before moving the patients’ clinical information to the Cloud some security and privacy aspects must be considered by both parts of the process: Health Organisms and Cloud providers. Security terms of a generic Cloud provider will be analyzed.
Methods: To study the state of the art of these newly kind of Cloud-based solutions, Bibliographic material has been obtained mainly from Medline source. Furthermore, direct contact was performed with some Cloud providers.
Results: Some of security issues that should be considered by providers and the customers themselves of a Health Cloud are role based access, network security mechanisms, data encryption, digital signature, and accesses monitoring. Furthermore, to guarantee the safety of the information and accomplish with the privacy policies, the Cloud provider must be compliant with various certifications and third-party attestations, such as SAS70 Type II, PCI DSS Level 1, ISO 27001, and FISMA.
2
Conclusions: Moving sensitive information, like EHRs, to the Cloud means that several precautions must be considered in order to keep the safety and confidentiality of the data. Trusting on the Cloud provider is essential to get a transparent process. These providers must deploy all the security mechanisms needed to avoid unauthorized accesses and external attacks. Patients must be constantly informed of all the process that their data are suffering.