TY - JOUR AU - Riou, Christine AU - El Azzouzi, Mohamed AU - Hespel, Anne AU - Guillou, Emeric AU - Coatrieux, Gouenou AU - Cuggia, Marc PY - 2025/4/17 TI - Ensuring General Data Protection Regulation Compliance and Security in a Clinical Data Warehouse From a University Hospital: Implementation Study JO - JMIR Med Inform SP - e63754 VL - 13 KW - clinical data warehouse KW - privacy KW - personal data protection KW - legislation KW - security KW - compliance KW - personal data KW - applicability KW - experiential analysis KW - university hospitals KW - French KW - France KW - data hub KW - operational challenge N2 - Background: The European Union?s General Data Protection Regulation (GDPR) has profoundly influenced health data management, with significant implications for clinical data warehouses (CDWs). In 2021, France pioneered a national framework for GDPR-compliant CDW implementation, established by its data protection authority (Commission Nationale de l?Informatique et des Libertés). This framework provides detailed guidelines for health care institutions, offering a unique opportunity to assess practical GDPR implementation in health data management. Objective: This study evaluates the real-world applicability of France?s CDW framework through its implementation at a major university hospital. It identifies practical challenges for its implementation by health institutions and proposes adaptations relevant to regulatory authorities in order to facilitate research in secondary use data domains. Methods: A systematic assessment was conducted in May 2023 at the University Hospital of Rennes, which manages data for over 2 million patients through the eHOP CDW system. The evaluation examined 116 criteria across 13 categories using a dual-assessment approach validated by information security and data protection officers. Compliance was rated as met, unmet, or not applicable, with criteria classified as software-related (n=25) or institution-related (n=91). Results: Software-related criteria showed 60% (n=15) compliance, with 28% (n=7) noncompliant or partially compliant and 12% (n=3) not applicable. Institution-related criteria achieved 72% (n=28) compliance for security requirements. Key challenges included managing genetic data, implementing automated archiving, and controlling data exports. The findings revealed effective privacy protection measures but also highlighted areas requiring regulatory adjustments to better support research. Conclusions: This first empirical assessment of a national CDW compliance framework offers valuable insights for health care institutions implementing GDPR requirements. While the framework establishes robust privacy protections, certain provisions may overly constrain research activities. The study identifies opportunities for framework evolution, balancing data protection with research imperatives. UR - https://medinform.jmir.org/2025/1/e63754 UR - http://dx.doi.org/10.2196/63754 ID - info:doi/10.2196/63754 ER - TY - JOUR AU - Avery, Atiya AU - Baker, White Elizabeth AU - Wright, Brittany AU - Avery, Ishmael AU - Gomez, Dream PY - 2025/4/8 TI - Media Framing and Portrayals of Ransomware Impacts on Informatics, Employees, and Patients: Systematic Media Literature Review JO - J Med Internet Res SP - e59231 VL - 27 KW - cybersecurity KW - media frames KW - medical informatics KW - practitioners KW - health care provider KW - systematic review KW - employees KW - patient KW - mortality KW - morbidity KW - news media KW - ransomware KW - health information system KW - database KW - health care service N2 - Background: Ransomware attacks on health care provider information systems have the potential to impact patient mortality and morbidity, and event details are relayed publicly through news stories. Despite this, little research exists on how these events are depicted in the media and the subsequent impacts of these events. Objective: This study used collaborative qualitative analysis to understand how news media frames and portrays the impacts of ransomware attacks on health informatic systems, employees, and patients. Methods: We developed and implemented a systematic search protocol across academic news databases, which included (1) the Associated Press Newswires, (2) Newspaper Source, and (3) Access World News (Newsbank), using the search string ?(hospital OR healthcare OR clinic OR medical) AND (ransomware OR denial of service OR cybersecurity).? In total, 4 inclusion and 4 exclusion criteria were applied as part of the search protocol. For articles included in the study, we performed an inductive and deductive analysis of the news articles, which included their article characteristics, impact portrayals, media framings, and discussions of the core functions outlined in the National Institute of Standards and Technologies (NIST) Cybersecurity Framework 2.0. Results: The search returned 2195 articles, among which 48 news articles published from 2009 to 2023 were included in the study. First, an analysis of the geographic prevalence showed that the United States (34/48, 71%), followed to a lesser extent by India (4/48, 8%) and Canada (3/48, 6%), featured more prominently in our sample. Second, there were no apparent year-to-year patterns in the occurrence of reported events of ransomware attacks on health care provider information systems. Third, ransomware attacks on health care provider information systems appeared to cascade from a single point of failure. Fourth, media frames regarding ?human interest? and ?responsibility? were equally representative in the sample. The ?response? function of the NIST Cybersecurity Framework 2.0 was noted in 36 of the 48 (75%) articles. Finally, we noted that 17 (14%) of the articles assessed for eligibility were excluded from this study as they promoted a product or service or spoke hypothetically about ransomware events among health care providers. Conclusions: Organizational response represented a substantial aspect of the news articles in our corpus. To address the perception of health care providers? management of ransomware attacks, they should take measures to influence perceptions of (1) health care service continuity, despite a lack of availability of health informatics; (2) responsibility for the patient experience; and (3) acknowledgment of the strain on health care practitioners and patients through a public declaration of support and gratitude. Furthermore, the media portrayals revealed a prevalence of single points of failure in the health informatics system, thus providing guidance for the implementation of safety protocols that could significantly reduce cascading impacts. UR - https://www.jmir.org/2025/1/e59231 UR - http://dx.doi.org/10.2196/59231 UR - http://www.ncbi.nlm.nih.gov/pubmed/ ID - info:doi/10.2196/59231 ER - TY - JOUR AU - Ng, Y. Madelena AU - Halpern, Jodi AU - Shane, Olivia AU - Teng, Tina AU - Nguy?n, Michael AU - Alt, Ryan Casey AU - Leite, Barthe Anaïs AU - Moss-Pultz, Sean AU - Lyles, R. Courtney AU - Cheshire, Coye PY - 2025/3/25 TI - Participant Evaluation of Blockchain-Enhanced Women?s Health Research Apps: Mixed Methods Experimental Study JO - JMIR Mhealth Uhealth SP - e65747 VL - 13 KW - blockchain technology KW - privacy KW - trust KW - data control KW - data ownership KW - digital health study KW - user-centered design KW - user experience KW - mHealth KW - mobile health KW - women?s health KW - reproductive health KW - data sharing KW - research participation KW - bioethics N2 - Background: Blockchain technology has capabilities that can transform how sensitive personal health data are safeguarded, shared, and accessed in digital health research. Women?s health data are considered especially sensitive, given the privacy and safety risks associated with their unauthorized disclosure. These risks may affect research participation. Using a privacy-by-design approach, we developed 2 app-based women?s health research study prototypes for user evaluation and assessed how blockchain may impact participation. Objective: This study aims to seek the perspectives of women to understand whether applications of blockchain technology in app-based digital research would affect their decision to participate and contribute sensitive personal health data. Methods: A convergent, mixed methods, experimental design was used to evaluate participant perceptions and attitudes toward using 2 app-based women?s health research study prototypes with blockchain features. Prototype A was based on the status quo ResearchKit framework and had extensive electronic informed consent, while prototype B minimized study onboarding requirements and had no informed consent; the mechanisms of how the contributed data flowed and were made pseudonymous were the same. User evaluations were carried out in February and March 2021 and consisted of a think-aloud protocol, a perception survey, and a semistructured interview. Findings were mapped to the technology acceptance model to guide interpretation. Results: We recruited 16 representative female participants from 175 respondents. User evaluations revealed that while participants considered prototype B easier to use on intuitive navigation (theme 1) of specified tasks and comprehension (theme 2) of research procedures, prototype A trended toward being perceived more favorably than prototype B across most perception survey constructs, with an overall lower level of privacy concern (mean [SD]: 2.22 [1.10] vs 2.95 [1.29]) and perceived privacy risk (2.92 [1.46] vs 3.64 [1.73]) and higher level of perceived privacy (5.21 [1.26] vs 4.79 [1.47]), trust (5.46 [1.19] vs 4.76 [1.27]), and usability (67.81 [21.77] vs 64.84 [23.69]). Prototype B was perceived more favorably than prototype A with perceived control (4.92 [1.32] vs 4.89 [1.29]) and perceived ownership (5.18 [0.59] vs 5.01 [0.96]). These constructs, except for perceived ownership, were significantly correlated with behavioral intention to use the app (P<.05). Participants perceived the usefulness of these prototypes in relation to the value of research study to women?s health field (theme 3), the value of research study to self (theme 4), and the value of blockchain features for participation (theme 5). Conclusions: This study provides nuanced insights into how blockchain applications in app-based research remain secondary in value to participants? expectations of health research, and hence their intention to participate and contribute data. However, with impending data privacy and security concerns, it remains prudent to understand how to best integrate blockchain technology in digital health research infrastructure. UR - https://mhealth.jmir.org/2025/1/e65747 UR - http://dx.doi.org/10.2196/65747 UR - http://www.ncbi.nlm.nih.gov/pubmed/40131317 ID - info:doi/10.2196/65747 ER - TY - JOUR AU - Marino, Antonio Carlos AU - Diaz Paz, Claudia PY - 2025/1/31 TI - Smart Contracts and Shared Platforms in Sustainable Health Care: Systematic Review JO - JMIR Med Inform SP - e58575 VL - 13 KW - health care KW - smart contracts KW - blockchain KW - security KW - privacy KW - supply chain KW - patient centricity KW - system trust KW - stakeholders N2 - Background: The benefits of smart contracts (SCs) for sustainable health care are a relatively recent topic that has gathered attention given its relationship with trust and the advantages of decentralization, immutability, and traceability introduced in health care. Nevertheless, more studies need to explore the role of SCs in this sector based on the frameworks propounded in the literature that reflect business logic that has been customized, automatized, and prioritized, as well as system trust. This study addressed this lacuna. Objective: This study aimed to provide a comprehensive understanding of SCs in health care based on reviewing the frameworks propounded in the literature. Methods: A structured literature review was performed based on the PRISMA (Preferred Reporting Items for Systematic Reviews and Meta-Analyses) principles. One database?Web of Science (WoS)?was selected to avoid bias generated by database differences and data wrangling. A quantitative assessment of the studies based on machine learning and data reduction methodologies was complemented with a qualitative, in-depth, detailed review of the frameworks propounded in the literature. Results: A total of 70 studies, which constituted 18.7% (70/374) of the studies on this subject, met the selection criteria and were analyzed. A multiple correspondence analysis?with 74.44% of the inertia?produced 3 factors describing the advances in the topic. Two of them referred to the leading roles of SCs: (1) health care process enhancement and (2) assurance of patients? privacy protection. The first role included 6 themes, and the second one included 3 themes. The third factor encompassed the technical features that improve system efficiency. The in-depth review of these 3 factors and the identification of stakeholders allowed us to characterize the system trust in health care SCs. We assessed the risk of coverage bias, and good percentages of overlap were obtained?66% (49/74) of PubMed articles were also in WoS, and 88.3% (181/205) of WoS articles also appeared in Scopus. Conclusions: This comprehensive review allows us to understand the relevance of SCs and the potentiality of their use in patient-centric health care that considers more than technical aspects. It also provides insights for further research based on specific stakeholders, locations, and behaviors. UR - https://medinform.jmir.org/2025/1/e58575 UR - http://dx.doi.org/10.2196/58575 UR - http://www.ncbi.nlm.nih.gov/pubmed/ ID - info:doi/10.2196/58575 ER - TY - JOUR AU - Ivanova, Julia AU - Cummins, R. Mollie AU - Ong, Triton AU - Soni, Hiral AU - Barrera, Janelle AU - Wilczewski, Hattie AU - Welch, Brandon AU - Bunnell, Brian PY - 2025/1/23 TI - Regulation and Compliance in Telemedicine: Viewpoint JO - J Med Internet Res SP - e53558 VL - 27 KW - telemedicine KW - telehealth KW - policy KW - COVID-19 KW - PHE KW - rules and regulations KW - compliance KW - privacy and security KW - regulation KW - rule KW - public health KW - US KW - United States KW - implementation KW - regulatory KW - professional KW - organizational KW - ethical KW - concern KW - privacy KW - security KW - government literature KW - law KW - health care KW - patient UR - https://www.jmir.org/2025/1/e53558 UR - http://dx.doi.org/10.2196/53558 UR - http://www.ncbi.nlm.nih.gov/pubmed/39847413 ID - info:doi/10.2196/53558 ER - TY - JOUR AU - Ruby, Emma AU - Ramlawi, Serine AU - Bowie, Clare Alexa AU - Boyd, Stephanie AU - Dingwall-Harvey, Alysha AU - Rennicks White, Ruth AU - El-Chaâr, Darine AU - Walker, Mark PY - 2025/1/20 TI - Identifying Fraudulent Responses in a Study Exploring Delivery Options for Pregnancies Impacted by Gestational Diabetes: Lessons Learned From a Web-Based Survey JO - J Med Internet Res SP - e58450 VL - 27 KW - research fraud KW - anonymous online research KW - data integrity KW - fraudulent responses KW - web-based survey KW - internet research KW - perinatal health KW - social media KW - patient participation KW - provider participation KW - fraudulent KW - fraud KW - pregnancy KW - gestational diabetes KW - diabetes KW - data analysis KW - survey KW - diabetes mellitus KW - patient KW - evidence-based UR - https://www.jmir.org/2025/1/e58450 UR - http://dx.doi.org/10.2196/58450 UR - http://www.ncbi.nlm.nih.gov/pubmed/ ID - info:doi/10.2196/58450 ER - TY - JOUR AU - Kraushaar, Judith AU - Bohnet-Joschko, Sabine PY - 2025/1/7 TI - The Role of the Organization in Promoting Information Security?Related Behavior Among Resident Physicians in Hospitals in Germany: Cross-Sectional Questionnaire Study JO - J Med Internet Res SP - e46257 VL - 27 KW - information security KW - compliance KW - work engagement KW - awareness KW - leadership KW - communication KW - education and training KW - security KW - privacy KW - structural equation modeling KW - resident KW - fellow KW - medical education KW - continuing education KW - professional development N2 - Background: Nowadays, optimal patient care should be based on data-driven decisions. In the course of digitization, hospitals, in particular, are becoming complex organizations with an enormously high density of digital information. Ensuring information security is, therefore, essential and has become a major challenge. Researchers have shown that?in addition to technological and regulatory measures?it is also necessary for all employees to follow security policies and consciously use information technology (compliance), because noncompliance can lead to security breaches with far-reaching consequences for the organization. There is little empirical research on information security?related behavior in hospitals and its organizational antecedents. Objective: This study aimed to explore the impact of specific job demands and resources on resident physicians? information security?related compliance in hospitals through the mediating role of work engagement and information security?related awareness. Methods: We used a cross-sectional, survey-based study design to collect relevant data from our target population, namely resident physicians in hospitals. For data analysis, we applied structural equation modeling. Our research model consisted of a total of 7 job demands and resources as exogenous variables, 2 mediators, and information security?related compliance as the endogenous variable. Results: Overall, data from 281 participating physicians were included in the analyses. Both mediators?work engagement and awareness?had a significant positive effect on information security?related compliance (?=.208, P=.001 vs ?=.552, P<.001). Quality of leadership was found to be the only resource with a significant indirect effect on physicians? compliance, mediated by work engagement (?=.086, P=.03). Furthermore, awareness mediated the relationships between information security?related communication and information security?related compliance (?=.192, P<.001), as well as between further education and training and the endogenous variable (?=.096, P=.02). Contrary to our hypothesis, IT resources had a negative effect on compliance, mediated by awareness (?=?.114, P=.02). Conclusions: This study provides new insights into how a high standard of information security compliance among resident physicians could be achieved through strengthening physicians? security work engagement and awareness. Hospital management is required to establish an information security culture that is informative and motivating and that raises awareness. Particular attention should be paid to the quality of leadership, further education and training, as well as clear communication. UR - https://www.jmir.org/2025/1/e46257 UR - http://dx.doi.org/10.2196/46257 UR - http://www.ncbi.nlm.nih.gov/pubmed/ ID - info:doi/10.2196/46257 ER - TY - JOUR AU - Wang, Zhong AU - Hu, Fangru AU - Su, Jie AU - Lin, Yuyao PY - 2024/12/10 TI - Information Source Characteristics of Personal Data Leakage During the COVID-19 Pandemic in China: Observational Study JO - JMIR Med Inform SP - e51219 VL - 12 KW - public health emergency KW - privacy leakage KW - characteristics of information sources KW - COVID-19 KW - China KW - information source KW - data privacy KW - public health KW - leakage N2 - Background: During the COVID-19 pandemic, in the period of preventing and controlling the spread of the virus, a large amount of personal data was collected in China, and privacy leakage incidents occurred. Objective: We aimed to examine the information source characteristics of personal data leakage during the COVID-19 pandemic in China. Methods: We extracted information source characteristics of 40 personal data leakage cases using open coding and analyzed the data with 1D and 2D matrices. Results: In terms of organizational characteristics, data leakage cases mainly occurred in government agencies below the prefecture level, while few occurred in the medical system or in high-level government organizations. The majority of leakers were regular employees or junior staff members rather than temporary workers or senior managers. Family WeChat groups were the primary route for disclosure; the forwarding of documents was the main method of divulgence, while taking screenshots and pictures made up a comparatively smaller portion. Conclusions: We propose the following suggestions: restricting the authority of nonmedical institutions and low-level government agencies to collect data, strengthening training for low-level employees on privacy protection, and restricting the flow of data on social media through technical measures. UR - https://medinform.jmir.org/2024/1/e51219 UR - http://dx.doi.org/10.2196/51219 ID - info:doi/10.2196/51219 ER - TY - JOUR AU - Bialke, Martin AU - Stahl, Dana AU - Leddig, Torsten AU - Hoffmann, Wolfgang PY - 2024/11/29 TI - The University Medicine Greifswald?s Trusted Third Party Dispatcher: State-of-the-Art Perspective Into Comprehensive Architectures and Complex Research Workflows JO - JMIR Med Inform SP - e65784 VL - 12 KW - architecture KW - scalability KW - trusted third party KW - application KW - security KW - consent KW - identifying data KW - infrastructure KW - modular KW - software KW - implementation KW - user interface KW - health platform KW - data management KW - data privacy KW - health record KW - electronic health record KW - EHR KW - pseudonymization UR - https://medinform.jmir.org/2024/1/e65784 UR - http://dx.doi.org/10.2196/65784 ID - info:doi/10.2196/65784 ER - TY - JOUR AU - Wündisch, Eric AU - Hufnagl, Peter AU - Brunecker, Peter AU - Meier zu Ummeln, Sophie AU - Träger, Sarah AU - Prasser, Fabian AU - Weber, Joachim PY - 2024/11/29 TI - Authors? Reply: The University Medicine Greifswald?s Trusted Third Party Dispatcher: State-of-the-Art Perspective Into Comprehensive Architectures and Complex Research Workflows JO - JMIR Med Inform SP - e67429 VL - 12 KW - architecture KW - scalability KW - trusted third party KW - application KW - security KW - consent KW - identifying data KW - infrastructure KW - modular KW - software KW - implementation KW - user interface KW - health platform KW - data management KW - data privacy KW - health record KW - electronic health record KW - EHR KW - pseudonymization UR - https://medinform.jmir.org/2024/1/e67429 UR - http://dx.doi.org/10.2196/67429 ID - info:doi/10.2196/67429 ER - TY - JOUR AU - Hasegawa, Kaede AU - O'Brien, Niki AU - Prendergast, Mabel AU - Ajah, Agape Chris AU - Neves, Luisa Ana AU - Ghafur, Saira PY - 2024/11/20 TI - Cybersecurity Interventions in Health Care Organizations in Low- and Middle-Income Countries: Scoping Review JO - J Med Internet Res SP - e47311 VL - 26 KW - computer security KW - internet security KW - network security KW - digital health KW - digital health technology KW - cybersecurity KW - health data KW - global health KW - security KW - data science KW - LMIC KW - low income KW - low resource KW - scoping review KW - review methodology KW - implementation KW - barrier KW - facilitator N2 - Background: Health care organizations globally have seen a significant increase in the frequency of cyberattacks in recent years. Cyberattacks cause massive disruptions to health service delivery and directly impact patient safety through disruption and treatment delays. Given the increasing number of cyberattacks in low- and middle-income countries (LMICs), there is a need to explore the interventions put in place to plan for cyberattacks and develop cyber resilience. Objective: This study aimed to describe cybersecurity interventions, defined as any intervention to improve cybersecurity in a health care organization, including but not limited to organizational strategy(ies); policy(ies); protocol(s), incident plan(s), or assessment process(es); framework(s) or guidelines; and emergency planning, implemented in LMICs to date and to evaluate their impact on the likelihood and impact of attacks. The secondary objective was to describe the main barriers and facilitators for the implementation of such interventions, where reported. Methods: A systematic search of the literature published between January 2017 and July 2024 was performed on Ovid Medline, Embase, Global Health, and Scopus using a combination of controlled terms and free text. A search of the gray literature within the same time parameters was undertaken on the websites of relevant stakeholder organizations to identify possible additional studies that met the inclusion criteria. Findings from included papers were mapped against the dimensions of the Essentials of Cybersecurity in Health Care Organizations (ECHO) framework and presented as a narrative synthesis. Results: We included 20 studies in this review. The sample size of the majority of studies (13/20, 65%) was 1 facility to 5 facilities, and the studies were conducted in 14 countries. Studies were categorized into the thematic dimensions of the ECHO framework, including context; governance; organizational strategy; risk management; awareness, education, and training; and technical capabilities. Few studies (6/20, 30%) discussed cybersecurity intervention(s) as the primary focus of the paper; therefore, information on intervention(s) implemented had to be deduced. There was no attempt to report on the impact and outcomes in all papers except one. Facilitators and barriers identified were grouped and presented across national or regional, organizational, and individual staff levels. Conclusions: This scoping review?s findings highlight the limited body of research published on cybersecurity interventions implemented in health care organizations in LMICs and large heterogeneity across existing studies in interventions, research objectives, methods, and outcome measures used. Although complex and challenging, future research should specifically focus on the evaluation of cybersecurity interventions and their impact in order to build a robust evidence base to inform evidence-based policy and practice. UR - https://www.jmir.org/2024/1/e47311 UR - http://dx.doi.org/10.2196/47311 UR - http://www.ncbi.nlm.nih.gov/pubmed/ ID - info:doi/10.2196/47311 ER - TY - JOUR AU - Gebeyew, Sisay Ayenew AU - Wordofa, Regasa Zegeye AU - Muluneh, Alebachew Ayana AU - Shibabaw, Ambachew Adamu AU - Walle, Damtew Agmasie AU - Tizie, Birhanu Sefefe AU - Mengistie, Belachew Muluken AU - Takillo, Kassaw Mitiku AU - Assaye, Tilahun Bayou AU - Senishaw, Fentahun Adualem AU - Hailye, Gizaw AU - Shimie, Worku Aynadis AU - Butta, Wake Fikadu PY - 2024/11/6 TI - Attitudes of Health Professionals Toward Digital Health Data Security in Northwest Ethiopia: Cross-Sectional Study JO - Online J Public Health Inform SP - e57764 VL - 16 KW - health KW - profession KW - digital KW - attitude KW - security KW - data N2 - Background: Digital health is a new health field initiative. Health professionals require security in digital places because cybercriminals target health care professionals. Therefore, millions of medical records have been breached for money. Regarding digital security, there is a gap in studies in limited-resource countries. Therefore, surveying health professionals? attitudes toward digital health data security has a significant purpose for interventions. Objective: This study aimed to assess the attitudes of health professionals toward digital health data security and their associated factors in a resource-limited country. Methods: A cross-sectional study was conducted to measure health professionals? attitudes toward digital health data security. The sample size was calculated using a single population. A pretest was conducted to measure consistency. Binary logistic regression was used to identify associated factors. For multivariable logistic analysis, a P value ?.20 was selected using Stata software (version 16; StataCorp LP). Results: Of the total sample, 95% (402/423) of health professionals participated in the study. Of all participants, 63.2% (254/402) were male, and the mean age of the respondents was 34.5 (SD 5.87) years. The proportion of health professionals who had a favorable attitude toward digital health data security at specialized teaching hospitals was 60.9% (95% CI 56.0%?65.6%). Educational status (adjusted odds ratio [AOR] 3.292, 95% CI 1.16?9.34), basic computer skills (AOR 1.807, 95% CI 1.11?2.938), knowledge (AOR 3.238, 95% CI 2.0?5.218), and perceived usefulness (AOR 1.965, 95% CI 1.063?3.632) were factors associated with attitudes toward digital health data security. Conclusions: This study aimed to assess health professionals? attitudes toward digital health data security. Interventions on educational status, basic computer skills, knowledge, and perceived usefulness are important for improving health professionals? attitudes. Improving the attitudes of health professionals related to digital data security is necessary for digitalization in the health care arena. UR - https://ojphi.jmir.org/2024/1/e57764 UR - http://dx.doi.org/10.2196/57764 ID - info:doi/10.2196/57764 ER - TY - JOUR AU - Subramanian, Hemang AU - Sengupta, Arijit AU - Xu, Yilin PY - 2024/11/6 TI - Patient Health Record Protection Beyond the Health Insurance Portability and Accountability Act: Mixed Methods Study JO - J Med Internet Res SP - e59674 VL - 26 KW - security KW - privacy KW - security breach KW - breach report KW - health care KW - health care infrastructure KW - regulatory KW - law enforcement KW - Omnibus Rule KW - qualitative analysis KW - AI-generated data KW - artificial intelligence KW - difference-in-differences KW - best practice KW - data privacy KW - safe practice N2 - Background: The security and privacy of health care information are crucial for maintaining the societal value of health care as a public good. However, governance over electronic health care data has proven inefficient, despite robust enforcement efforts. Both federal (HIPAA [Health Insurance Portability and Accountability Act]) and state regulations, along with the ombudsman rule, have not effectively reduced the frequency or impact of data breaches in the US health care system. While legal frameworks have bolstered data security, recent years have seen a concerning increase in breach incidents. This paper investigates common breach types and proposes best practices derived from the data as potential solutions. Objective: The primary aim of this study is to analyze health care and hospital breach data, comparing it against HIPAA compliance levels across states (spatial analysis) and the impact of the Omnibus Rule over time (temporal analysis). The goal is to establish guidelines for best practices in handling sensitive information within hospitals and clinical environments. Methods: The study used data from the Department of Health and Human Services on reported breaches, assessing the severity and impact of each breach type. We then analyzed secondary data to examine whether HIPAA?s storage and retention rule amendments have influenced security and privacy incidents across all 50 states. Finally, we conducted a qualitative analysis of textual data from vulnerability and breach reports to identify actionable best practices for health care settings. Results: Our findings indicate that hacking or IT incidents have the most significant impact on the number of individuals affected, highlighting this as a primary breach category. The overall difference-in-differences trend reveals no significant reduction in breach rates (P=.50), despite state-level regulations exceeding HIPAA requirements and the introduction of the ombudsman rule. This persistence in breach trends implies that even strengthened protections and additional guidelines have not effectively curbed the rising number of affected individuals. Through qualitative analysis, we identified 15 unique values and associated best practices from industry standards. Conclusions: Combining quantitative and qualitative insights, we propose the ?SecureSphere framework? to enhance data security in health care institutions. This framework presents key security values structured in concentric circles: core values at the center and peripheral values around them. The core values include employee management, policy, procedures, and IT management. Peripheral values encompass the remaining security attributes that support these core elements. This structured approach provides a comprehensive security strategy for protecting patient health information and is designed to help health care organizations develop sustainable practices for data security. UR - https://www.jmir.org/2024/1/e59674 UR - http://dx.doi.org/10.2196/59674 UR - http://www.ncbi.nlm.nih.gov/pubmed/ ID - info:doi/10.2196/59674 ER - TY - JOUR AU - Liang, Xueping AU - Alam, Nabid AU - Sultana, Tahmina AU - Bandara, Eranga AU - Shetty, Sachin PY - 2024/9/25 TI - Designing A Blockchain-Empowered Telehealth Artifact for Decentralized Identity Management and Trustworthy Communication: Interdisciplinary Approach JO - J Med Internet Res SP - e46556 VL - 26 KW - telehealth KW - blockchain KW - security KW - software KW - proof of concept KW - implementation KW - privacy N2 - Background: Telehealth played a critical role during the COVID-19 pandemic and continues to function as an essential component of health care. Existing platforms cannot ensure privacy and prevent cyberattacks. Objective: The main objectives of this study are to understand existing cybersecurity issues in identity management and trustworthy communication processes in telehealth platforms and to design a software architecture integrated with blockchain to improve security and trustworthiness with acceptable performance. Methods: We improved personal information security in existing telehealth platforms by adopting an innovative interdisciplinary approach combining design science, social science, and computer science in the health care domain, with prototype implementation. We used the design science research methodology to implement our overall design. We innovated over existing telehealth platforms with blockchain integration that improves health care delivery services in terms of security, privacy, and efficiency. We adopted a user-centric design approach and started with user requirement collection, followed by system functionality development. Overall system implementation facilitates user requirements, thus promoting user behavior for the adoption of the telehealth platform with decentralized identity management and an access control mechanism. Results: Our investigation identified key challenges to identity management and trustworthy communication processes in telehealth platforms used in the current health care domain. By adopting distributed ledger technology, we proposed a decentralized telehealth platform to support identity management and a trustworthy communication process. Our design and prototype implementation using a smart contract?driven telehealth platform to provide decentralized identity management and trustworthy communication with token-based access control addressed several security challenges. This was substantiated by testing with 10,000 simulated transactions across 5 peers in the Rahasak blockchain network. The proposed design provides resistance to common attacks while maintaining a linear time overhead, demonstrating improved security and efficiency in telehealth services. We evaluated the performance in terms of transaction throughput, smart contract execution time, and block generation time. To create a block with 10,000 transactions, it takes 8 seconds on average, which is an acceptable overhead for blockchain-based applications. Conclusions: We identified technical limitations in current telehealth platforms. We presented several design innovations using blockchain to prototype a system. We also presented the implementation details of a unique distributed architecture for a trustworthy communication system. We illustrated how this design can overcome privacy, security, and scalability limitations. Moreover, we illustrated how improving these factors sets the stage for improving and standardizing the application and for the wide adoption of blockchain-enabled telehealth platforms. UR - https://www.jmir.org/2024/1/e46556 UR - http://dx.doi.org/10.2196/46556 UR - http://www.ncbi.nlm.nih.gov/pubmed/39320943 ID - info:doi/10.2196/46556 ER - TY - JOUR AU - Suh, Jungyo AU - Lee, Garam AU - Kim, Woo Jung AU - Shin, Junbum AU - Kim, Yi-Jun AU - Lee, Sang-Wook AU - Kim, Sulgi PY - 2024/7/5 TI - Privacy-Preserving Prediction of Postoperative Mortality in Multi-Institutional Data: Development and Usability Study JO - JMIR Med Inform SP - e56893 VL - 12 KW - machine learning KW - privacy KW - in-hospital mortality KW - homomorphic encryption KW - multi-institutional system N2 - Background: To circumvent regulatory barriers that limit medical data exchange due to personal information security concerns, we use homomorphic encryption (HE) technology, enabling computation on encrypted data and enhancing privacy. Objective: This study explores whether using HE to integrate encrypted multi-institutional data enhances predictive power in research, focusing on the integration feasibility across institutions and determining the optimal size of hospital data sets for improved prediction models. Methods: We used data from 341,007 individuals aged 18 years and older who underwent noncardiac surgeries across 3 medical institutions. The study focused on predicting in-hospital mortality within 30 days postoperatively, using secure logistic regression based on HE as the prediction model. We compared the predictive performance of this model using plaintext data from a single institution against a model using encrypted data from multiple institutions. Results: The predictive model using encrypted data from all 3 institutions exhibited the best performance based on area under the receiver operating characteristic curve (0.941); the model combining Asan Medical Center (AMC) and Seoul National University Hospital (SNUH) data exhibited the best predictive performance based on area under the precision-recall curve (0.132). Both Ewha Womans University Medical Center and SNUH demonstrated improvement in predictive power for their own institutions upon their respective data?s addition to the AMC data. Conclusions: Prediction models using multi-institutional data sets processed with HE outperformed those using single-institution data sets, especially when our model adaptation approach was applied, which was further validated on a smaller host hospital with a limited data set. UR - https://medinform.jmir.org/2024/1/e56893 UR - http://dx.doi.org/10.2196/56893 UR - http://www.ncbi.nlm.nih.gov/pubmed/ ID - info:doi/10.2196/56893 ER - TY - JOUR AU - Ewoh, Pius AU - Vartiainen, Tero PY - 2024/5/31 TI - Vulnerability to Cyberattacks and Sociotechnical Solutions for Health Care Systems: Systematic Review JO - J Med Internet Res SP - e46904 VL - 26 KW - health care systems KW - cybersecurity KW - sociotechnical KW - medical device KW - secure systems development KW - training KW - ransomware KW - data breaches KW - protected health information KW - patient safety N2 - Background: Health care organizations worldwide are faced with an increasing number of cyberattacks and threats to their critical infrastructure. These cyberattacks cause significant data breaches in digital health information systems, which threaten patient safety and privacy. Objective: From a sociotechnical perspective, this paper explores why digital health care systems are vulnerable to cyberattacks and provides sociotechnical solutions through a systematic literature review (SLR). Methods: An SLR using the PRISMA (Preferred Reporting Items for Systematic Reviews and Meta-Analyses) was conducted by searching 6 databases (PubMed, Web of Science, ScienceDirect, Scopus, Institute of Electrical and Electronics Engineers, and Springer) and a journal (Management Information Systems Quarterly) for articles published between 2012 and 2022 and indexed using the following keywords: ?(cybersecurity OR cybercrime OR ransomware) AND (healthcare) OR (cybersecurity in healthcare).? Reports, review articles, and industry white papers that focused on cybersecurity and health care challenges and solutions were included. Only articles published in English were selected for the review. Results: In total, 5 themes were identified: human error, lack of investment, complex network-connected end-point devices, old legacy systems, and technology advancement (digitalization). We also found that knowledge applications for solving vulnerabilities in health care systems between 2012 to 2022 were inconsistent. Conclusions: This SLR provides a clear understanding of why health care systems are vulnerable to cyberattacks and proposes interventions from a new sociotechnical perspective. These solutions can serve as a guide for health care organizations in their efforts to prevent breaches and address vulnerabilities. To bridge the gap, we recommend that health care organizations, in partnership with educational institutions, develop and implement a cybersecurity curriculum for health care and intelligence information sharing through collaborations; training; awareness campaigns; and knowledge application areas such as secure design processes, phase-out of legacy systems, and improved investment. Additional studies are needed to create a sociotechnical framework that will support cybersecurity in health care systems and connect technology, people, and processes in an integrated manner. UR - https://www.jmir.org/2024/1/e46904 UR - http://dx.doi.org/10.2196/46904 UR - http://www.ncbi.nlm.nih.gov/pubmed/38820579 ID - info:doi/10.2196/46904 ER - TY - JOUR AU - Wang, Guanyi AU - Chen, Chen AU - Jiang, Ziyu AU - Li, Gang AU - Wu, Can AU - Li, Sheng PY - 2024/5/28 TI - Efficient Use of Biological Data in the Web 3.0 Era by Applying Nonfungible Token Technology JO - J Med Internet Res SP - e46160 VL - 26 KW - NFTs KW - biobanks KW - blockchains KW - health care KW - medical big data KW - sustainability KW - blockchain platform KW - platform KW - tracing KW - virtual KW - biomedical data KW - transformation KW - development KW - promoted UR - https://www.jmir.org/2024/1/e46160 UR - http://dx.doi.org/10.2196/46160 UR - http://www.ncbi.nlm.nih.gov/pubmed/38805706 ID - info:doi/10.2196/46160 ER - TY - JOUR AU - Harris, Daniel AU - Delcher, Chris PY - 2024/5/21 TI - Geospatial Imprecision With Constraints for Precision Public Health: Algorithm Development and Validation JO - Online J Public Health Inform SP - e54958 VL - 16 KW - social determinants of health KW - geocoding KW - privacy KW - poverty KW - obfuscation KW - security KW - confidentiality KW - low income KW - geography KW - geographic KW - location KW - locations KW - spatial KW - geospatial KW - precision N2 - Background: Location and environmental social determinants of health are increasingly important factors in both an individual?s health and the monitoring of community-level public health issues. Objective: We aimed to measure the extent to which location obfuscation techniques, designed to protect an individual?s privacy, can unintentionally shift geographical coordinates into neighborhoods with significantly different socioeconomic demographics, which limits the precision of findings for public health stakeholders. Methods: Point obfuscation techniques intentionally blur geographic coordinates to conceal the original location. The pinwheel obfuscation method is an existing technique in which a point is moved along a pinwheel-like path given a randomly chosen angle and a maximum radius; we evaluate the impact of this technique using 2 data sets by comparing the demographics of the original point and the resulting shifted point by cross-referencing data from the United States Census Bureau. Results: Using poverty measures showed that points from regions of low poverty may be shifted to regions of high poverty; similarly, points in regions with high poverty may be shifted into regions of low poverty. We varied the maximum allowable obfuscation radius; the mean difference in poverty rate before and after obfuscation ranged from 6.5% to 11.7%. Additionally, obfuscation inadvertently caused false hot spots for deaths by suicide in Cook County, Illinois. Conclusions: Privacy concerns require patient locations to be imprecise to protect against risk of identification; precision public health requires accuracy. We propose a modified obfuscation technique that is constrained to generate a new point within a specified census-designated region to preserve both privacy and analytical accuracy by avoiding demographic shifts. UR - https://ojphi.jmir.org/2024/1/e54958 UR - http://dx.doi.org/10.2196/54958 UR - http://www.ncbi.nlm.nih.gov/pubmed/38772021 ID - info:doi/10.2196/54958 ER - TY - JOUR AU - Karimian Sichani, Elnaz AU - Smith, Aaron AU - El Emam, Khaled AU - Mosquera, Lucy PY - 2024/4/22 TI - Creating High-Quality Synthetic Health Data: Framework for Model Development and Validation JO - JMIR Form Res SP - e53241 VL - 8 KW - synthetic data KW - tensor decomposition KW - data sharing KW - data utility KW - data privacy KW - electronic health record KW - longitudinal KW - model development KW - model validation KW - generative models N2 - Background: Electronic health records are a valuable source of patient information that must be properly deidentified before being shared with researchers. This process requires expertise and time. In addition, synthetic data have considerably reduced the restrictions on the use and sharing of real data, allowing researchers to access it more rapidly with far fewer privacy constraints. Therefore, there has been a growing interest in establishing a method to generate synthetic data that protects patients? privacy while properly reflecting the data. Objective: This study aims to develop and validate a model that generates valuable synthetic longitudinal health data while protecting the privacy of the patients whose data are collected. Methods: We investigated the best model for generating synthetic health data, with a focus on longitudinal observations. We developed a generative model that relies on the generalized canonical polyadic (GCP) tensor decomposition. This model also involves sampling from a latent factor matrix of GCP decomposition, which contains patient factors, using sequential decision trees, copula, and Hamiltonian Monte Carlo methods. We applied the proposed model to samples from the MIMIC-III (version 1.4) data set. Numerous analyses and experiments were conducted with different data structures and scenarios. We assessed the similarity between our synthetic data and the real data by conducting utility assessments. These assessments evaluate the structure and general patterns present in the data, such as dependency structure, descriptive statistics, and marginal distributions. Regarding privacy disclosure, our model preserves privacy by preventing the direct sharing of patient information and eliminating the one-to-one link between the observed and model tensor records. This was achieved by simulating and modeling a latent factor matrix of GCP decomposition associated with patients. Results: The findings show that our model is a promising method for generating synthetic longitudinal health data that is similar enough to real data. It can preserve the utility and privacy of the original data while also handling various data structures and scenarios. In certain experiments, all simulation methods used in the model produced the same high level of performance. Our model is also capable of addressing the challenge of sampling patients from electronic health records. This means that we can simulate a variety of patients in the synthetic data set, which may differ in number from the patients in the original data. Conclusions: We have presented a generative model for producing synthetic longitudinal health data. The model is formulated by applying the GCP tensor decomposition. We have provided 3 approaches for the synthesis and simulation of a latent factor matrix following the process of factorization. In brief, we have reduced the challenge of synthesizing massive longitudinal health data to synthesizing a nonlongitudinal and significantly smaller data set. UR - https://formative.jmir.org/2024/1/e53241 UR - http://dx.doi.org/10.2196/53241 UR - http://www.ncbi.nlm.nih.gov/pubmed/38648097 ID - info:doi/10.2196/53241 ER - TY - JOUR AU - Wündisch, Eric AU - Hufnagl, Peter AU - Brunecker, Peter AU - Meier zu Ummeln, Sophie AU - Träger, Sarah AU - Kopp, Marcus AU - Prasser, Fabian AU - Weber, Joachim PY - 2024/4/17 TI - Development of a Trusted Third Party at a Large University Hospital: Design and Implementation Study JO - JMIR Med Inform SP - e53075 VL - 12 KW - pseudonymisation KW - architecture KW - scalability KW - trusted third party KW - application KW - security KW - consent KW - identifying data KW - infrastructure KW - modular KW - software KW - implementation KW - user interface KW - health platform KW - data management KW - data privacy KW - health record KW - electronic health record KW - EHR KW - pseudonymization N2 - Background: Pseudonymization has become a best practice to securely manage the identities of patients and study participants in medical research projects and data sharing initiatives. This method offers the advantage of not requiring the direct identification of data to support various research processes while still allowing for advanced processing activities, such as data linkage. Often, pseudonymization and related functionalities are bundled in specific technical and organization units known as trusted third parties (TTPs). However, pseudonymization can significantly increase the complexity of data management and research workflows, necessitating adequate tool support. Common tasks of TTPs include supporting the secure registration and pseudonymization of patient and sample identities as well as managing consent. Objective: Despite the challenges involved, little has been published about successful architectures and functional tools for implementing TTPs in large university hospitals. The aim of this paper is to fill this research gap by describing the software architecture and tool set developed and deployed as part of a TTP established at Charité ? Universitätsmedizin Berlin. Methods: The infrastructure for the TTP was designed to provide a modular structure while keeping maintenance requirements low. Basic functionalities were realized with the free MOSAIC tools. However, supporting common study processes requires implementing workflows that span different basic services, such as patient registration, followed by pseudonym generation and concluded by consent collection. To achieve this, an integration layer was developed to provide a unified Representational state transfer (REST) application programming interface (API) as a basis for more complex workflows. Based on this API, a unified graphical user interface was also implemented, providing an integrated view of information objects and workflows supported by the TTP. The API was implemented using Java and Spring Boot, while the graphical user interface was implemented in PHP and Laravel. Both services use a shared Keycloak instance as a unified management system for roles and rights. Results: By the end of 2022, the TTP has already supported more than 10 research projects since its launch in December 2019. Within these projects, more than 3000 identities were stored, more than 30,000 pseudonyms were generated, and more than 1500 consent forms were submitted. In total, more than 150 people regularly work with the software platform. By implementing the integration layer and the unified user interface, together with comprehensive roles and rights management, the effort for operating the TTP could be significantly reduced, as personnel of the supported research projects can use many functionalities independently. Conclusions: With the architecture and components described, we created a user-friendly and compliant environment for supporting research projects. We believe that the insights into the design and implementation of our TTP can help other institutions to efficiently and effectively set up corresponding structures. UR - https://medinform.jmir.org/2024/1/e53075 UR - http://dx.doi.org/10.2196/53075 ID - info:doi/10.2196/53075 ER - TY - JOUR AU - Zandesh, Zahra PY - 2024/2/12 TI - Privacy, Security, and Legal Issues in the Health Cloud: Structured Review for Taxonomy Development JO - JMIR Form Res SP - e38372 VL - 8 KW - taxonomy KW - privacy KW - security KW - legal KW - cloud computing N2 - Background: Privacy in our digital world is a very complicated topic, especially when meeting cloud computing technological achievements with its multidimensional context. Here, privacy is an extended concept that is sometimes referred to as legal, philosophical, or even technical. Consequently, there is a need to harmonize it with other aspects in health care in order to provide a new ecosystem. This new ecosystem can lead to a paradigm shift involving the reconstruction and redesign of some of the most important and essential requirements like privacy concepts, legal issues, and security services. Cloud computing in the health domain has markedly contributed to other technologies, such as mobile health, health Internet of Things, and wireless body area networks, with their increasing numbers of embedded applications. Other dependent applications, which are usually used in health businesses like social networks, or some newly introduced applications have issues regarding privacy transparency boundaries and privacy-preserving principles, which have made policy making difficult in the field. Objective: One way to overcome this challenge is to develop a taxonomy to identify all relevant factors. A taxonomy serves to bring conceptual clarity to the set of alternatives in in-person health care delivery. This study aimed to construct a comprehensive taxonomy for privacy in the health cloud, which also provides a prospective landscape for privacy in related technologies. Methods: A search was performed for relevant published English papers in databases, including Web of Science, IEEE Digital Library, Google Scholar, Scopus, and PubMed. A total of 2042 papers were related to the health cloud privacy concept according to predefined keywords and search strings. Taxonomy designing was performed using the deductive methodology. Results: This taxonomy has 3 layers. The first layer has 4 main dimensions, including cloud, data, device, and legal. The second layer has 15 components, and the final layer has related subcategories (n=57). This taxonomy covers some related concepts, such as privacy, security, confidentiality, and legal issues, which are categorized here and defined by their expansion and distinctive boundaries. The main merits of this taxonomy are its ability to clarify privacy terms for different scenarios and signalize the privacy multidisciplinary objectification in eHealth. Conclusions: This taxonomy can cover health industry requirements with its specifications like health data and scenarios, which are considered as the most complicated among businesses and industries. Therefore, the use of this taxonomy could be generalized and customized to other domains and businesses that have less complications. Moreover, this taxonomy has different stockholders, including people, organizations, and systems. If the antecedent effort in the taxonomy is proven, subject matter experts could enhance the extent of privacy in the health cloud by verifying, evaluating, and revising this taxonomy. UR - https://formative.jmir.org/2024/1/e38372 UR - http://dx.doi.org/10.2196/38372 UR - http://www.ncbi.nlm.nih.gov/pubmed/38345858 ID - info:doi/10.2196/38372 ER - TY - JOUR AU - Dart, Martin AU - Ahmed, Mohiuddin PY - 2023/10/4 TI - Evaluating Staff Attitudes, Intentions, and Behaviors Related to Cyber Security in Large Australian Health Care Environments: Mixed Methods Study JO - JMIR Hum Factors SP - e48220 VL - 10 KW - computer security KW - cyber security KW - surveys KW - governance KW - mixed methods KW - Australia KW - delivery of health care N2 - Background: Previous studies have identified that the effective management of cyber security in large health care environments is likely to be significantly impacted by human and social factors, as well as by technical controls. However, there have been limited attempts to confirm this by using measured and integrated studies to identify specific user motivations and behaviors that can be managed to achieve improved outcomes. Objective: This study aims to document and analyze survey and interview data from a diverse range of health care staff members, to determine the primary motivations and behaviors that influence their acceptance and application of cyber security messaging and controls. By identifying these issues, recommendations can be made to positively influence future cyber security governance in health care. Methods: An explanatory sequential mixed methods approach was undertaken to analyze quantitative data from a web-based staff survey (N=103), with a concurrent qualitative investigation applied to data gathered via in-depth staff interviews (N=9). Data from both stages of this methodology were mapped to descriptive variables based on a modified version of the Technology Acceptance Model (TAM; TAM2). After normalization, the quantitative data were verified and analyzed using descriptive statistics, distribution and linearity measures, and a bivariate correlation of the TAM variables to identify the Pearson coefficient (r) and significance (P) values. Finally, after confirming Cronbach ?, the determinant score for multicollinearity, and the Kaiser-Meyer-Olkin measure, and applying the Bartlett test of sphericity (?2), an exploratory factor analysis (EFA) was conducted to identify the primary factors with an eigenvalue (?) >1.0. Comments captured during the qualitative interviews were coded using NVivo software (QSR International) to create an emic-to-etic understanding, which was subsequently integrated with the quantitative results to produce verified conclusions. Results: Using the explanatory sequential methodology, this study showed that the perceived usefulness of security controls emerged as the most significant factor influencing staff beliefs and behaviors. This variable represented 24% of all the variances measured in the EFA and was also the most common category identified across all coded interviews (281/692, 40.6%). The word frequency analysis showed that systems, patients, and people represented the top 3 recurring themes reported by the interviewees. Conclusions: To improve cyber security governance in large health care environments, efforts should be focused on demonstrating how confidentiality, integrity, availability, policies, and cloud or vendor-based controls (the main contributors of usefulness measured by the EFA) can directly improve outcomes for systems, staff, and patients. Further consideration also needs to be given to how clinicians should share data and collaborate on patient care, with tools and processes provided to support and manage data sharing securely and to achieve a consistent baseline of secure and normalized behaviors. UR - https://humanfactors.jmir.org/2023/1/e48220 UR - http://dx.doi.org/10.2196/48220 UR - http://www.ncbi.nlm.nih.gov/pubmed/37792450 ID - info:doi/10.2196/48220 ER - TY - JOUR AU - Sari, Kencana Puspita AU - Handayani, Wuri Putu AU - Hidayanto, Nizar Achmad PY - 2023/8/24 TI - Demographic Comparison of Information Security Behavior Toward Health Information System Protection: Survey Study JO - JMIR Form Res SP - e49439 VL - 7 KW - behavioral research KW - health information system KW - human activities KW - information security KW - mobile security N2 - Background: The health information system (HIS) functions are getting wider with more diverse users. Information security in the health industry is crucial because it involves comprehensive and strategic information that might harm human life. The human factor is one of the biggest security threats to HIS. Objective: This study aims to investigate the information security behavior (ISB) of HIS users using a comprehensive assessment scale suited to the information security concerns in health care. Patients are increasingly being asked to submit their own data into HIS systems. As a result, this study examines the security behavior of health workers and patients, as well as their demographic variables. Methods: We used a quantitative approach using surveys of health workers and patients. We created a research instrument from 4 existing measurement scales to measure prosecurity and antisecurity behavior. We analyzed statistical differences to test the hypotheses, that is, the Kruskal-Wallis test and the Mann-Whitney test. The descriptive analysis was used to determine whether the group exhibited exemplary behavior when processing the survey results. A correlational test using the Spearman correlation coefficient was performed to establish the significance of the relationship between ISB and age as well as level of education. Results: We analyzed 421 responses from the survey. According to demographic factors, the hypotheses tested for full and partial security behavior reveal substantial differences. Education levels most significantly affect security behavior differences, followed by user type, gender, and age. The health workers? ISB is higher than that of the patients. Women are more likely than men to engage in prosecurity actions while avoiding antisecurity behaviors. The older the HIS user, the more likely it is that they will participate in prosecurity behavior and the less probable it is that they will engage in antisecurity behavior. According to this study, differences in prosecurity behavior are mostly impacted by education level. Higher education, on the other hand, does not guarantee improved ISB for HIS users. All demographic characteristics, particularly concerning user type, show discrepancies that are caused mainly by antisecurity behavior rather than prosecurity behavior. Conclusions: Since patients engage in antisecurity behavior more frequently than health workers and may pose security risks, health care facilities should start to consider information security education for patients. More comprehensive research on ISB in health care facilities is required to better understand the patient?s perspective, which is currently understudied. UR - https://formative.jmir.org/2023/1/e49439 UR - http://dx.doi.org/10.2196/49439 UR - http://www.ncbi.nlm.nih.gov/pubmed/37616025 ID - info:doi/10.2196/49439 ER - TY - JOUR AU - Esmaeilzadeh, Pouyan AU - Mirzaei, Tala PY - 2023/8/18 TI - Role of Incentives in the Use of Blockchain-Based Platforms for Sharing Sensitive Health Data: Experimental Study JO - J Med Internet Res SP - e41805 VL - 25 KW - blockchain technology KW - data sharing KW - health data KW - clinical research KW - incentive mechanisms N2 - Background: Blockchain is an emerging technology that enables secure and decentralized approaches to reduce technical risks and governance challenges associated with sharing data. Although blockchain-based solutions have been suggested for sharing health information, it is still unclear whether a suitable incentive mechanism (intrinsic or extrinsic) can be identified to encourage individuals to share their sensitive data for research purposes. Objective: This study aimed to investigate how important extrinsic incentives are and what type of incentive is the best option in blockchain-based platforms designed for sharing sensitive health information. Methods: In this study, we conducted 3 experiments with 493 individuals to investigate the role of extrinsic incentives (ie, cryptocurrency, money, and recognition) in data sharing with research organizations. Results: The findings highlight that offering different incentives is insufficient to encourage individuals to use blockchain technology or to change their perceptions about the technology?s premise for sharing sensitive health data. The results demonstrate that individuals still attribute serious risks to blockchain-based platforms. Privacy and security concerns, trust issues, lack of knowledge about the technology, lack of public acceptance, and lack of regulations are reported as top risks. In terms of attracting people to use blockchain-based platforms for data sharing in health care, we show that the effects of extrinsic motivations (cryptoincentives, money, and status) are significantly overshadowed by inhibitors to technology use. Conclusions: We suggest that before emphasizing the use of various types of extrinsic incentives, the users must be educated about the capabilities and benefits offered by this technology. Thus, an essential first step for shifting from an institution-based data exchange to a patient-centric data exchange (using blockchain) is addressing technology inhibitors to promote patient-driven data access control. This study shows that extrinsic incentives alone are inadequate to change users? perceptions, increase their trust, or encourage them to use technology for sharing health data. UR - https://www.jmir.org/2023/1/e41805 UR - http://dx.doi.org/10.2196/41805 UR - http://www.ncbi.nlm.nih.gov/pubmed/37594783 ID - info:doi/10.2196/41805 ER - TY - JOUR AU - Kamdje Wabo, Gaetan AU - Prasser, Fabian AU - Gierend, Kerstin AU - Siegel, Fabian AU - Ganslandt, Thomas PY - 2023/8/11 TI - Data Quality? and Utility-Compliant Anonymization of Common Data Model?Harmonized Electronic Health Record Data: Protocol for a Scoping Review JO - JMIR Res Protoc SP - e46471 VL - 12 KW - EHR KW - electronic health record KW - data quality KW - common data model KW - data standard KW - data privacy models KW - data anonymization N2 - Background: The anonymization of Common Data Model (CDM)?converted EHR data is essential to ensure the data privacy in the use of harmonized health care data. However, applying data anonymization techniques can significantly affect many properties of the resulting data sets and thus biases research results. Few studies have reviewed these applications with a reflection of approaches to manage data utility and quality concerns in the context of CDM-formatted health care data. Objective: Our intended scoping review aims to identify and describe (1) how formal anonymization methods are carried out with CDM-converted health care data, (2) how data quality and utility concerns are considered, and (3) how the various CDMs differ in terms of their suitability for recording anonymized data. Methods: The planned scoping review is based on the framework of Arksey and O'Malley. By using this, only articles published in English will be included. The retrieval of literature items should be based on a literature search string combining keywords related to data anonymization, CDM standards, and data quality assessment. The proposed literature search query should be validated by a librarian, accompanied by manual searches to include further informal sources. Eligible articles will first undergo a deduplication step, followed by the screening of titles. Second, a full-text reading will allow the 2 reviewers involved to reach the final decision about article selection, while a domain expert will support the resolution of citation selection conflicts. Additionally, key information will be extracted, categorized, summarized, and analyzed by using a proposed template into an iterative process. Tabular and graphical analyses should be addressed in alignment with the PRISMA-ScR (Preferred Reporting Items for Systematic Reviews and Meta-Analyses Extension for Scoping Reviews) checklist. We also performed some tentative searches on Web of Science for estimating the feasibility of reaching eligible articles. Results: Tentative searches on Web of Science resulted in 507 nonduplicated matches, suggesting the availability of (potential) relevant articles. Further analysis and selection steps will allow us to derive a final literature set. Furthermore, the completion of this scoping review study is expected by the end of the fourth quarter of 2023. Conclusions: Outlining the approaches of applying formal anonymization methods on CDM-formatted health care data while taking into account data quality and utility concerns should provide useful insights to understand the existing approaches and future research direction based on identified gaps. This protocol describes a schedule to perform a scoping review, which should support the conduction of follow-up investigations. International Registered Report Identifier (IRRID): PRR1-10.2196/46471 UR - https://www.researchprotocols.org/2023/1/e46471 UR - http://dx.doi.org/10.2196/46471 UR - http://www.ncbi.nlm.nih.gov/pubmed/37566443 ID - info:doi/10.2196/46471 ER - TY - JOUR AU - Matschinske, Julian AU - Späth, Julian AU - Bakhtiari, Mohammad AU - Probul, Niklas AU - Kazemi Majdabadi, Mahdi Mohammad AU - Nasirigerdeh, Reza AU - Torkzadehmahani, Reihaneh AU - Hartebrodt, Anne AU - Orban, Balazs-Attila AU - Fejér, Sándor-József AU - Zolotareva, Olga AU - Das, Supratim AU - Baumbach, Linda AU - Pauling, K. Josch AU - Toma?evi?, Olivera AU - Bihari, Béla AU - Bloice, Marcus AU - Donner, C. Nina AU - Fdhila, Walid AU - Frisch, Tobias AU - Hauschild, Anne-Christin AU - Heider, Dominik AU - Holzinger, Andreas AU - Hötzendorfer, Walter AU - Hospes, Jan AU - Kacprowski, Tim AU - Kastelitz, Markus AU - List, Markus AU - Mayer, Rudolf AU - Moga, Mónika AU - Müller, Heimo AU - Pustozerova, Anastasia AU - Röttger, Richard AU - Saak, C. Christina AU - Saranti, Anna AU - Schmidt, W. Harald H. H. AU - Tschohl, Christof AU - Wenke, K. Nina AU - Baumbach, Jan PY - 2023/7/12 TI - The FeatureCloud Platform for Federated Learning in Biomedicine: Unified Approach JO - J Med Internet Res SP - e42621 VL - 25 KW - privacy-preserving machine learning KW - federated learning KW - interactive platform KW - artificial intelligence KW - AI store KW - privacy-enhancing technologies KW - additive secret sharing N2 - Background: Machine learning and artificial intelligence have shown promising results in many areas and are driven by the increasing amount of available data. However, these data are often distributed across different institutions and cannot be easily shared owing to strict privacy regulations. Federated learning (FL) allows the training of distributed machine learning models without sharing sensitive data. In addition, the implementation is time-consuming and requires advanced programming skills and complex technical infrastructures. Objective: Various tools and frameworks have been developed to simplify the development of FL algorithms and provide the necessary technical infrastructure. Although there are many high-quality frameworks, most focus only on a single application case or method. To our knowledge, there are no generic frameworks, meaning that the existing solutions are restricted to a particular type of algorithm or application field. Furthermore, most of these frameworks provide an application programming interface that needs programming knowledge. There is no collection of ready-to-use FL algorithms that are extendable and allow users (eg, researchers) without programming knowledge to apply FL. A central FL platform for both FL algorithm developers and users does not exist. This study aimed to address this gap and make FL available to everyone by developing FeatureCloud, an all-in-one platform for FL in biomedicine and beyond. Methods: The FeatureCloud platform consists of 3 main components: a global frontend, a global backend, and a local controller. Our platform uses a Docker to separate the local acting components of the platform from the sensitive data systems. We evaluated our platform using 4 different algorithms on 5 data sets for both accuracy and runtime. Results: FeatureCloud removes the complexity of distributed systems for developers and end users by providing a comprehensive platform for executing multi-institutional FL analyses and implementing FL algorithms. Through its integrated artificial intelligence store, federated algorithms can easily be published and reused by the community. To secure sensitive raw data, FeatureCloud supports privacy-enhancing technologies to secure the shared local models and assures high standards in data privacy to comply with the strict General Data Protection Regulation. Our evaluation shows that applications developed in FeatureCloud can produce highly similar results compared with centralized approaches and scale well for an increasing number of participating sites. Conclusions: FeatureCloud provides a ready-to-use platform that integrates the development and execution of FL algorithms while reducing the complexity to a minimum and removing the hurdles of federated infrastructure. Thus, we believe that it has the potential to greatly increase the accessibility of privacy-preserving and distributed data analyses in biomedicine and beyond. UR - https://www.jmir.org/2023/1/e42621 UR - http://dx.doi.org/10.2196/42621 UR - http://www.ncbi.nlm.nih.gov/pubmed/37436815 ID - info:doi/10.2196/42621 ER - TY - JOUR AU - Miyaji, Atsuko AU - Watanabe, Kaname AU - Takano, Yuuki AU - Nakasho, Kazuhisa AU - Nakamura, Sho AU - Wang, Yuntao AU - Narimatsu, Hiroto PY - 2022/12/30 TI - A Privacy-Preserving Distributed Medical Data Integration Security System for Accuracy Assessment of Cancer Screening: Development Study of Novel Data Integration System JO - JMIR Med Inform SP - e38922 VL - 10 IS - 12 KW - data linkage KW - data security KW - secure data integration KW - privacy-preserving linkage KW - secure matching privacy-preserving linkage KW - private set intersection KW - PSI KW - privacy-preserving distributed data integration KW - PDDI KW - big data KW - medical informatics KW - cancer prevention KW - cancer epidemiology KW - epidemiological survey N2 - Background: Big data useful for epidemiological research can be obtained by integrating data corresponding to individuals between databases managed by different institutions. Privacy information must be protected while performing efficient, high-level data matching. Objective: Privacy-preserving distributed data integration (PDDI) enables data matching between multiple databases without moving privacy information; however, its actual implementation requires matching security, accuracy, and performance. Moreover, identifying the optimal data item in the absence of a unique matching key is necessary. We aimed to conduct a basic matching experiment using a model to assess the accuracy of cancer screening. Methods: To experiment with actual data, we created a data set mimicking the cancer screening and registration data in Japan and conducted a matching experiment using a PDDI system between geographically distant institutions. Errors similar to those found empirically in data sets recorded in Japanese were artificially introduced into the data set. The matching-key error rate of the data common to both data sets was set sufficiently higher than expected in the actual database: 85.0% and 59.0% for the data simulating colorectal and breast cancers, respectively. Various combinations of name, gender, date of birth, and address were used for the matching key. To evaluate the matching accuracy, the matching sensitivity and specificity were calculated based on the number of cancer-screening data points, and the effect of matching accuracy on the sensitivity and specificity of cancer screening was estimated based on the obtained values. To evaluate the performance, we measured central processing unit use, memory use, and network traffic. Results: For combinations with a specificity ?99% and high sensitivity, the date of birth and first name were used in the data simulating colorectal cancer, and the matching sensitivity and specificity were 55.00% and 99.85%, respectively. In the data simulating breast cancer, the date of birth and family name were used, and the matching sensitivity and specificity were 88.71% and 99.98%, respectively. Assuming the sensitivity and specificity of cancer screening at 90%, the apparent values decreased to 74.90% and 89.93%, respectively. A trial calculation was performed using a combination with the same data set and 100% specificity. When the matching sensitivity was 82.26%, the apparent screening sensitivity was maintained at 90%, and the screening specificity decreased to 89.89%. For 214 data points, the execution time was 82 minutes and 26 seconds without parallelization and 11 minutes and 38 seconds with parallelization; 19.33% of the calculation time was for the data-holding institutions. Memory use was 3.4 GB for the PDDI server and 2.7 GB for the data-holding institutions. Conclusions: We demonstrated the rudimentary feasibility of introducing a PDDI system for cancer-screening accuracy assessment. We plan to conduct matching experiments based on actual data and compare them with the existing methods. UR - https://medinform.jmir.org/2022/12/e38922 UR - http://dx.doi.org/10.2196/38922 UR - http://www.ncbi.nlm.nih.gov/pubmed/36583931 ID - info:doi/10.2196/38922 ER - TY - JOUR AU - Joe, Byunggill AU - Park, Yonghyeon AU - Hamm, Jihun AU - Shin, Insik AU - Lee, Jiyeon PY - 2022/8/19 TI - Exploiting Missing Value Patterns for a Backdoor Attack on Machine Learning Models of Electronic Health Records: Development and Validation Study JO - JMIR Med Inform SP - e38440 VL - 10 IS - 8 KW - medical machine learning KW - neural network KW - mortality prediction KW - backdoor attack KW - electronic health record data KW - Medical Information Mart for Intensive Care-III KW - missing value KW - mask KW - meta-information KW - variational autoencoder N2 - Background: A backdoor attack controls the output of a machine learning model in 2 stages. First, the attacker poisons the training data set, introducing a back door into the victim?s trained model. Second, during test time, the attacker adds an imperceptible pattern called a trigger to the input values, which forces the victim?s model to output the attacker?s intended values instead of true predictions or decisions. While backdoor attacks pose a serious threat to the reliability of machine learning?based medical diagnostics, existing backdoor attacks that directly change the input values are detectable relatively easily. Objective: The goal of this study was to propose and study a robust backdoor attack on mortality-prediction machine learning models that use electronic health records. We showed that our backdoor attack grants attackers full control over classification outcomes for safety-critical tasks such as mortality prediction, highlighting the importance of undertaking safe artificial intelligence research in the medical field. Methods: We present a trigger generation method based on missing patterns in electronic health record data. Compared to existing approaches, which introduce noise into the medical record, the proposed backdoor attack makes it simple to construct backdoor triggers without prior knowledge. To effectively avoid detection by manual inspectors, we employ variational autoencoders to learn the missing patterns in normal electronic health record data and produce trigger data that appears similar to this data. Results: We experimented with the proposed backdoor attack on 4 machine learning models (linear regression, multilayer perceptron, long short-term memory, and gated recurrent units) that predict in-hospital mortality using a public electronic health record data set. The results showed that the proposed technique achieved a significant drop in the victim?s discrimination performance (reducing the area under the precision-recall curve by at most 0.45), with a low poisoning rate (2%) in the training data set. In addition, the impact of the attack on general classification performance was negligible (it reduced the area under the precision-recall curve by an average of 0.01025), which makes it difficult to detect the presence of poison. Conclusions: To the best of our knowledge, this is the first study to propose a backdoor attack that uses missing information from tabular data as a trigger. Through extensive experiments, we demonstrated that our backdoor attack can inflict severe damage on medical machine learning classifiers in practice. UR - https://medinform.jmir.org/2022/8/e38440 UR - http://dx.doi.org/10.2196/38440 UR - http://www.ncbi.nlm.nih.gov/pubmed/35984701 ID - info:doi/10.2196/38440 ER - TY - JOUR AU - Nguyen, N. Tam PY - 2022/4/20 TI - Toward Human Digital Twins for Cybersecurity Simulations on the Metaverse: Ontological and Network Science Approach JO - JMIRx Med SP - e33502 VL - 3 IS - 2 KW - human behavior modeling KW - cognitive twins KW - human digital twins KW - cybersecurity KW - cognitive systems KW - digital twins KW - Metaverse KW - artificial intelligence N2 - Background: Cyber defense is reactive and slow. On average, the time-to-remedy is hundreds of times larger than the time-to-compromise. In response, Human Digital Twins (HDTs) offer the capability of running massive simulations across multiple domains on the Metaverse. Simulated results may predict adversaries' behaviors and tactics, leading to more proactive cyber defense strategies. However, current HDTs? cognitive architectures are underdeveloped for such use. Objective: This paper aims to make a case for extending the current digital cognitive architectures as the first step toward more robust HDTs that are suitable for realistic Metaverse cybersecurity simulations. Methods: This study formally documented 108 psychology constructs and thousands of related paths based on 20 time-tested psychology theories, all of which were packaged as Cybonto?a novel ontology. Then, this study applied 20 network science centrality algorithms in ranking the Cybonto psychology constructs by their influences. Results: Out of 108 psychology constructs, the top 10 are Behavior, Arousal, Goals, Perception, Self-efficacy, Circumstances, Evaluating, Behavior-Controllability, Knowledge, and Intentional Modality. In this list, only Behaviors, Goals, Perception, Evaluating, and Knowledge are parts of existing digital cognitive architectures. Notably, some of the constructs are not explicitly implemented. Early usability tests demonstrate that Cybonto can also be useful for immediate uses such as manual analysis of hackers? behaviors and automatic analysis of behavioral cybersecurity knowledge texts. Conclusions: The results call for specific extensions of current digital cognitive architectures such as explicitly implementing more refined structures of Long-term Memory and Perception, placing a stronger focus on noncognitive yet influential constructs such as Arousal, and creating new capabilities for simulating, reasoning about, and selecting circumstances. UR - https://med.jmirx.org/2022/2/e33502 UR - http://dx.doi.org/10.2196/33502 UR - http://www.ncbi.nlm.nih.gov/pubmed/27666280 ID - info:doi/10.2196/33502 ER - TY - JOUR AU - Espinoza, Juan AU - Sikder, Taher Abu AU - Dickhoner, James AU - Lee, Thomas PY - 2021/12/8 TI - Assessing Health Data Security Risks in Global Health Partnerships: Development of a Conceptual Framework JO - JMIR Form Res SP - e25833 VL - 5 IS - 12 KW - health information technology KW - low- and middle-income countries KW - low income KW - conceptual framework analysis KW - framework method KW - data security KW - decision-making KW - database KW - information use KW - misuse KW - global health KW - security N2 - Background: Health care databases contain a wealth of information that can be used to develop programs and mature health care systems. There is concern that the sensitive nature of health data (eg, ethnicity, reproductive health, sexually transmitted infections, and lifestyle information) can have significant impact on individuals if misused, particularly among vulnerable and marginalized populations. As academic institutions, nongovernmental organizations, and international agencies begin to collaborate with low- and middle-income countries to develop and deploy health information technology (HIT), it is important to understand the technical and practical security implications of these initiatives. Objective: Our aim is to develop a conceptual framework for risk stratification of global health data partnerships and HIT projects. In addition to identifying key conceptual domains, we map each domain to a variety of publicly available indices that could be used to inform a quantitative model. Methods: We conducted an overview of the literature to identify relevant publications, position statements, white papers, and reports. The research team reviewed all sources and used the framework method and conceptual framework analysis to name and categorize key concepts, integrate them into domains, and synthesize them into an overarching conceptual framework. Once key domains were identified, public international data sources were searched for relevant structured indices to generate quantitative counterparts. Results: We identified 5 key domains to inform our conceptual framework: State of HIT, Economics of Health Care, Demographics and Equity, Societal Freedom and Safety, and Partnership and Trust. Each of these domains was mapped to a number of structured indices. Conclusions: There is a complex relationship among the legal, economic, and social domains of health care, which affects the state of HIT in low- and middle-income countries and associated data security risks. The strength of partnership and trust among collaborating organizations is an important moderating factor. Additional work is needed to formalize the assessment of partnership and trust and to develop a quantitative model of the conceptual framework that can help support organizational decision-making. UR - https://formative.jmir.org/2021/12/e25833 UR - http://dx.doi.org/10.2196/25833 UR - http://www.ncbi.nlm.nih.gov/pubmed/34889752 ID - info:doi/10.2196/25833 ER - TY - JOUR AU - Abdullahi Yari, Imrana AU - Dehling, Tobias AU - Kluge, Felix AU - Geck, Juergen AU - Sunyaev, Ali AU - Eskofier, Bjoern PY - 2021/11/15 TI - Security Engineering of Patient-Centered Health Care Information Systems in Peer-to-Peer Environments: Systematic Review JO - J Med Internet Res SP - e24460 VL - 23 IS - 11 KW - patient-centered KW - health care KW - information infrastructures KW - decentralization KW - mobile health KW - peer-to-peer KW - COVID-19 proximity trackers KW - edge computing KW - security KW - vulnerabilities KW - attacks KW - threats KW - mobile phone N2 - Background: Patient-centered health care information systems (PHSs) enable patients to take control and become knowledgeable about their own health, preferably in a secure environment. Current and emerging PHSs use either a centralized database, peer-to-peer (P2P) technology, or distributed ledger technology for PHS deployment. The evolving COVID-19 decentralized Bluetooth-based tracing systems are examples of disease-centric P2P PHSs. Although using P2P technology for the provision of PHSs can be flexible, scalable, resilient to a single point of failure, and inexpensive for patients, the use of health information on P2P networks poses major security issues as users must manage information security largely by themselves. Objective: This study aims to identify the inherent security issues for PHS deployment in P2P networks and how they can be overcome. In addition, this study reviews different P2P architectures and proposes a suitable architecture for P2P PHS deployment. Methods: A systematic literature review was conducted following PRISMA (Preferred Reporting Items for Systematic Reviews and Meta-Analyses) reporting guidelines. Thematic analysis was used for data analysis. We searched the following databases: IEEE Digital Library, PubMed, Science Direct, ACM Digital Library, Scopus, and Semantic Scholar. The search was conducted on articles published between 2008 and 2020. The Common Vulnerability Scoring System was used as a guide for rating security issues. Results: Our findings are consolidated into 8 key security issues associated with PHS implementation and deployment on P2P networks and 7 factors promoting them. Moreover, we propose a suitable architecture for P2P PHSs and guidelines for the provision of PHSs while maintaining information security. Conclusions: Despite the clear advantages of P2P PHSs, the absence of centralized controls and inconsistent views of the network on some P2P systems have profound adverse impacts in terms of security. The security issues identified in this study need to be addressed to increase patients? intention to use PHSs on P2P networks by making them safe to use. UR - https://www.jmir.org/2021/11/e24460 UR - http://dx.doi.org/10.2196/24460 UR - http://www.ncbi.nlm.nih.gov/pubmed/34779788 ID - info:doi/10.2196/24460 ER - TY - JOUR AU - Xie, Yi AU - Zhang, Jiayao AU - Wang, Honglin AU - Liu, Pengran AU - Liu, Songxiang AU - Huo, Tongtong AU - Duan, Yu-Yu AU - Dong, Zhe AU - Lu, Lin AU - Ye, Zhewei PY - 2021/10/28 TI - Applications of Blockchain in the Medical Field: Narrative Review JO - J Med Internet Res SP - e28613 VL - 23 IS - 10 KW - blockchain KW - smart health care KW - health care KW - health data KW - review KW - COVID-19 KW - electronic health records N2 - Background: As a distributed technology, blockchain has attracted increasing attention from stakeholders in the medical industry. Although previous studies have analyzed blockchain applications from the perspectives of technology, business, or patient care, few studies have focused on actual use-case scenarios of blockchain in health care. In particular, the outbreak of COVID-19 has led to some new ideas for the application of blockchain in medical practice. Objective: This paper aims to provide a systematic review of the current and projected uses of blockchain technology in health care, as well as directions for future research. In addition to the framework structure of blockchain and application scenarios, its integration with other emerging technologies in health care is discussed. Methods: We searched databases such as PubMed, EMBASE, Scopus, IEEE, and Springer using a combination of terms related to blockchain and health care. Potentially relevant papers were then compared to determine their relevance and reviewed independently for inclusion. Through a literature review, we summarize the key medical scenarios using blockchain technology. Results: We found a total of 1647 relevant studies, 60 of which were unique studies that were included in this review. These studies report a variety of uses for blockchain and their emphasis differs. According to the different technical characteristics and application scenarios of blockchain, we summarize some medical scenarios closely related to blockchain from the perspective of technical classification. Moreover, potential challenges are mentioned, including the confidentiality of privacy, the efficiency of the system, security issues, and regulatory policy. Conclusions: Blockchain technology can improve health care services in a decentralized, tamper-proof, transparent, and secure manner. With the development of this technology and its integration with other emerging technologies, blockchain has the potential to offer long-term benefits. Not only can it be a mechanism to secure electronic health records, but blockchain also provides a powerful tool that can empower users to control their own health data, enabling a foolproof health data history and establishing medical responsibility. UR - https://www.jmir.org/2021/10/e28613 UR - http://dx.doi.org/10.2196/28613 UR - http://www.ncbi.nlm.nih.gov/pubmed/34533470 ID - info:doi/10.2196/28613 ER - TY - JOUR AU - Lee, Jinhyung AU - Choi, J. Sung PY - 2021/7/6 TI - Hospital Productivity After Data Breaches: Difference-in-Differences Analysis JO - J Med Internet Res SP - e26157 VL - 23 IS - 7 KW - cybersecurity KW - data breach KW - health information technology KW - health information KW - hospital data breach KW - hospital productivity KW - information technology KW - privacy N2 - Background: Data breaches are an inevitable risk to hospitals operating with information technology. The financial costs associated with data breaches are also growing. The costs associated with a data breach may divert resources away from patient care, thus negatively affecting hospital productivity. Objective: After a data breach, the resulting regulatory enforcement and remediation are a shock to a hospital?s patient care delivery. Exploiting this shock, this study aimed to investigate the association between hospital data breaches and productivity by using a generalized difference-in-differences model with multiple prebreach and postbreach periods. Methods: The study analyzed the hospital financial data of the California Office of Statewide Health Planning and Development from 2012 to 2016. The study sample was an unbalanced panel of hospitals with 2610 unique hospital-year observations, including general acute care hospitals. California hospital data were merged with breach data published by the US Department of Health and Human Services. The dependent variable was hospital productivity measured as value added. The difference-in-differences model was estimated using fixed effects regression. Results: Hospital productivity did not significantly differ from the baseline for 3 years after a breach. Data breaches were not significantly associated with a reduction in hospital productivity. Before a breach, the productivity of hospitals that experienced a data breach maintained a parallel trend with control hospitals. Conclusions: Hospital productivity was resilient against the shocks from a data breach. Nonetheless, data breaches continue to threaten hospitals; therefore, health care workers should be trained in cybersecurity to mitigate disruptions. UR - https://www.jmir.org/2021/7/e26157 UR - http://dx.doi.org/10.2196/26157 UR - http://www.ncbi.nlm.nih.gov/pubmed/34255672 ID - info:doi/10.2196/26157 ER - TY - JOUR AU - Aljedaani, Bakheet AU - Babar, Ali M. PY - 2021/6/21 TI - Challenges With Developing Secure Mobile Health Applications: Systematic Review JO - JMIR Mhealth Uhealth SP - e15654 VL - 9 IS - 6 KW - systematic literature review KW - mHealth apps KW - secure apps KW - developers KW - security knowledge N2 - Background: Mobile health (mHealth) apps have gained significant popularity over the last few years due to their tremendous benefits, such as lowering health care costs and increasing patient awareness. However, the sensitivity of health care data makes the security of mHealth apps a serious concern. Poor security practices and lack of security knowledge on the developers? side can cause several vulnerabilities in mHealth apps. Objective: In this review paper, we aimed to identify and analyze the reported challenges concerning security that developers of mHealth apps face. Additionally, our study aimed to develop a conceptual framework with the challenges for developing secure apps faced by mHealth app development organizations. The knowledge of such challenges can help to reduce the risk of developing insecure mHealth apps. Methods: We followed the systematic literature review method for this review. We selected studies that were published between January 2008 and October 2020 since the major app stores launched in 2008. We selected 32 primary studies using predefined criteria and used a thematic analysis method for analyzing the extracted data. Results: Of the 1867 articles obtained, 32 were included in this review based on the predefined criteria. We identified 9 challenges that can affect the development of secure mHealth apps. These challenges include lack of security guidelines and regulations for developing secure mHealth apps (20/32, 63%), developers? lack of knowledge and expertise for secure mHealth app development (18/32, 56%), lack of stakeholders? involvement during mHealth app development (6/32, 19%), no/little developer attention towards the security of mHealth apps (5/32, 16%), lack of resources for developing a secure mHealth app (4/32, 13%), project constraints during the mHealth app development process (4/32, 13%), lack of security testing during mHealth app development (4/32, 13%), developers? lack of motivation and ethical considerations (3/32, 9%), and lack of security experts? engagement during mHealth app development (2/32, 6%). Based on our analysis, we have presented a conceptual framework that highlights the correlation between the identified challenges. Conclusions: While mHealth app development organizations might overlook security, we conclude that our findings can help them to identify the weaknesses and improve their security practices. Similarly, mHealth app developers can identify the challenges they face to develop mHealth apps that do not pose security risks for users. Our review is a step towards providing insights into the development of secure mHealth apps. Our proposed conceptual framework can act as a practice guideline for practitioners to enhance secure mHealth app development. UR - https://mhealth.jmir.org/2021/6/e15654 UR - http://dx.doi.org/10.2196/15654 UR - http://www.ncbi.nlm.nih.gov/pubmed/34152277 ID - info:doi/10.2196/15654 ER - TY - JOUR AU - Oh, SeHee AU - Sung, MinDong AU - Rhee, Yumie AU - Hong, Namki AU - Park, Rang Yu PY - 2021/5/31 TI - Evaluation of the Privacy Risks of Personal Health Identifiers and Quasi-Identifiers in a Distributed Research Network: Development and Validation Study JO - JMIR Med Inform SP - e24940 VL - 9 IS - 5 KW - distributed research network KW - Observational Medical Outcomes Partnership common data model KW - privacy risk quantification KW - personal health identifier KW - quasi-identifier N2 - Background: Privacy should be protected in medical data that include patient information. A distributed research network (DRN) is one of the challenges in privacy protection and in the encouragement of multi-institutional clinical research. A DRN standardizes multi-institutional data into a common structure and terminology called a common data model (CDM), and it only shares analysis results. It is necessary to measure how a DRN protects patient information privacy even without sharing data in practice. Objective: This study aimed to quantify the privacy risk of a DRN by comparing different deidentification levels focusing on personal health identifiers (PHIs) and quasi-identifiers (QIs). Methods: We detected PHIs and QIs in an Observational Medical Outcomes Partnership (OMOP) CDM as threatening privacy, based on 18 Health Insurance Portability and Accountability Act of 1996 (HIPPA) identifiers and previous studies. To compare the privacy risk according to the different privacy policies, we generated limited and safe harbor data sets based on 16 PHIs and 12 QIs as threatening privacy from the Synthetic Public Use File 5 Percent (SynPUF5PCT) data set, which is a public data set of the OMOP CDM. With minimum cell size and equivalence class methods, we measured the privacy risk reduction with a trust differential gap obtained by comparing the two data sets. We also measured the gap in randomly sampled records from the two data sets to adjust the number of PHI or QI records. Results: The gaps averaged 31.448% and 73.798% for PHIs and QIs, respectively, with a minimum cell size of one, which represents a unique record in a data set. Among PHIs, the national provider identifier had the highest gap of 71.236% (71.244% and 0.007% in the limited and safe harbor data sets, respectively). The maximum size of the equivalence class, which has the largest size of an indistinguishable set of records, averaged 771. In 1000 random samples of PHIs, Device_exposure_start_date had the highest gap of 33.730% (87.705% and 53.975% in the data sets). Among QIs, Death had the highest gap of 99.212% (99.997% and 0.784% in the data sets). In 1000, 10,000, and 100,000 random samples of QIs, Device_treatment had the highest gaps of 12.980% (99.980% and 87.000% in the data sets), 60.118% (99.831% and 39.713%), and 93.597% (98.805% and 5.207%), respectively, and in 1 million random samples, Death had the highest gap of 99.063% (99.998% and 0.934% in the data sets). Conclusions: In this study, we verified and quantified the privacy risk of PHIs and QIs in the DRN. Although this study used limited PHIs and QIs for verification, the privacy limitations found in this study could be used as a quality measurement index for deidentification of multi-institutional collaboration research, thereby increasing DRN safety. UR - https://medinform.jmir.org/2021/5/e24940 UR - http://dx.doi.org/10.2196/24940 UR - http://www.ncbi.nlm.nih.gov/pubmed/34057426 ID - info:doi/10.2196/24940 ER - TY - JOUR AU - Budimir, Sanja AU - Fontaine, J. Johnny R. AU - Huijts, A. Nicole M. AU - Haans, Antal AU - Loukas, George AU - Roesch, B. Etienne PY - 2021/5/12 TI - Emotional Reactions to Cybersecurity Breach Situations: Scenario-Based Survey Study JO - J Med Internet Res SP - e24879 VL - 23 IS - 5 KW - cybersecurity breach victims KW - emotions KW - personality KW - mental health KW - Internet of Things N2 - Background: With the ever-expanding interconnectedness of the internet and especially with the recent development of the Internet of Things, people are increasingly at risk for cybersecurity breaches that can have far-reaching consequences for their personal and professional lives, with psychological and mental health ramifications. Objective: We aimed to identify the dimensional structure of emotion processes triggered by one of the most emblematic scenarios of cybersecurity breach, the hacking of one?s smart security camera, and explore which personality characteristics systematically relate to these emotion dimensions. Methods: A total of 902 participants from the United Kingdom and the Netherlands reported their emotion processes triggered by a cybersecurity breach scenario. Moreover, they reported on their Big Five personality traits, as well as on key indicators for resilient, overcontrolling (internalizing problems), and undercontrolling (aggression) personality types. Results: Principal component analyses revealed a clear 3-dimensional structure of emotion processes: emotional intensity, proactive versus fight/flight reactions, and affective versus cognitive/motivational reactions. Regression analyses revealed that more internalizing problems (?=.33, P<.001), resilience (?=.22, P<.001), and agreeableness (?=.12, P<.001) and less emotional stability (?=?.25, P<.001) have significant predictive value for higher emotional intensity. More internalizing problems (?=.26, P<.001), aggression (?=.25, P<.001), and extraversion (?=.07, P=.01) and less resilience (?=?.19, P<.001), agreeableness (?=?.34, P<.001), consciousness (?=?.19, P<.001), and openness (?=?.22, P<.001) have significant predictive value for comparatively more fight/flight than proactive reactions. Less internalizing problems (?=?.32, P<.001) and more emotional stability (?=.14, P<.001) and aggression (?=.13, P<.001) have significant predictive value for a comparatively higher salience for cognitive/motivational than affective reactions. Conclusions: To adequately describe the emotion processes triggered by a cybersecurity breach, two more dimensions are needed over and above the general negative affectivity dimension. This multidimensional structure is further supported by the differential relationships of the emotion dimensions with personality characteristics. The discovered emotion structure could be used for consistent predictions about who is at risk to develop long-term mental well-being issues due to a cybersecurity breach experience. UR - https://www.jmir.org/2021/5/e24879 UR - http://dx.doi.org/10.2196/24879 UR - http://www.ncbi.nlm.nih.gov/pubmed/33978591 ID - info:doi/10.2196/24879 ER - TY - JOUR AU - Ferreira, Ana AU - Cruz-Correia, Ricardo PY - 2021/5/6 TI - COVID-19 and Cybersecurity: Finally, an Opportunity to Disrupt? JO - JMIRx Med SP - e21069 VL - 2 IS - 2 KW - COVID-19 KW - cybersecurity KW - challenges and disruption KW - data protection KW - privacy KW - health data UR - https://xmed.jmir.org/2021/2/e21069 UR - http://dx.doi.org/10.2196/21069 UR - http://www.ncbi.nlm.nih.gov/pubmed/34032816 ID - info:doi/10.2196/21069 ER - TY - JOUR AU - Zegers, L. Catharina M. AU - Witteveen, Annemieke AU - Schulte, J. Mieke H. AU - Henrich, F. Julia AU - Vermeij, Anouk AU - Klever, Brigit AU - Dekker, Andre PY - 2021/3/17 TI - Mind Your Data: Privacy and Legal Matters in eHealth JO - JMIR Form Res SP - e17456 VL - 5 IS - 3 KW - data KW - privacy KW - eHealth UR - https://formative.jmir.org/2021/3/e17456 UR - http://dx.doi.org/10.2196/17456 UR - http://www.ncbi.nlm.nih.gov/pubmed/33729163 ID - info:doi/10.2196/17456 ER - TY - JOUR AU - von Maltitz, Marcel AU - Ballhausen, Hendrik AU - Kaul, David AU - Fleischmann, F. Daniel AU - Niyazi, Maximilian AU - Belka, Claus AU - Carle, Georg PY - 2021/1/18 TI - A Privacy-Preserving Log-Rank Test for the Kaplan-Meier Estimator With Secure Multiparty Computation: Algorithm Development and Validation JO - JMIR Med Inform SP - e22158 VL - 9 IS - 1 KW - privacy KW - data protection KW - privacy preservation KW - multicentric studies KW - secure multiparty computation KW - cryptography N2 - Background: Patient data is considered particularly sensitive personal data. Privacy regulations strictly govern the use of patient data and restrict their exchange. However, medical research can benefit from multicentric studies in which patient data from different institutions are pooled and evaluated together. Thus, the goals of data utilization and data protection are in conflict. Secure multiparty computation (SMPC) solves this conflict because it allows direct computation on distributed proprietary data?held by different data owners?in a secure way without exchanging private data. Objective: The objective of this work was to provide a proof-of-principle of secure and privacy-preserving multicentric computation by SMPC with real-patient data over the free internet. A privacy-preserving log-rank test for the Kaplan-Meier estimator was implemented and tested in both an experimental setting and a real-world setting between two university hospitals. Methods: The domain of survival analysis is particularly relevant in clinical research. For the Kaplan-Meier estimator, we provided a secure version of the log-rank test. It was based on the SMPC realization SPDZ and implemented via the FRESCO framework in Java. The complexity of the algorithm was explored both for synthetic data and for real-patient data in a proof-of-principle over the internet between two clinical institutions located in Munich and Berlin, Germany. Results: We obtained a functional realization of an SMPC-based log-rank evaluation. This implementation was assessed with respect to performance and scaling behavior. We showed that network latency strongly influences execution time of our solution. Furthermore, we identified a lower bound of 2 Mbit/s for the transmission rate that has to be fulfilled for unimpeded communication. In contrast, performance of the participating parties have comparatively low influence on execution speed, since the peer-side processing is parallelized and the computational time only constitutes 30% to 50% even with optimal network settings. In the real-world setting, our computation between three parties over the internet, processing 100 items each, took approximately 20 minutes. Conclusions: We showed that SMPC is applicable in the medical domain. A secure version of commonly used evaluation methods for clinical studies is possible with current implementations of SMPC. Furthermore, we infer that its application is practically feasible in terms of execution time. UR - http://medinform.jmir.org/2021/1/e22158/ UR - http://dx.doi.org/10.2196/22158 UR - http://www.ncbi.nlm.nih.gov/pubmed/33459602 ID - info:doi/10.2196/22158 ER - TY - JOUR AU - Williams, Meilee Christina AU - Chaturvedi, Rahul AU - Chakravarthy, Krishnan PY - 2020/9/17 TI - Cybersecurity Risks in a Pandemic JO - J Med Internet Res SP - e23692 VL - 22 IS - 9 KW - cybersecurity KW - pandemic KW - COVID-19 KW - SARS-CoV-2 KW - risk KW - privacy KW - hack KW - patient data UR - http://www.jmir.org/2020/9/e23692/ UR - http://dx.doi.org/10.2196/23692 UR - http://www.ncbi.nlm.nih.gov/pubmed/32897869 ID - info:doi/10.2196/23692 ER - TY - JOUR AU - Rankin, Debbie AU - Black, Michaela AU - Bond, Raymond AU - Wallace, Jonathan AU - Mulvenna, Maurice AU - Epelde, Gorka PY - 2020/7/20 TI - Reliability of Supervised Machine Learning Using Synthetic Data in Health Care: Model to Preserve Privacy for Data Sharing JO - JMIR Med Inform SP - e18910 VL - 8 IS - 7 KW - synthetic data KW - supervised machine learning KW - data utility KW - health care KW - decision support KW - statistical disclosure control KW - privacy KW - open data KW - stochastic gradient descent KW - decision tree KW - k-nearest neighbors KW - random forest KW - support vector machine N2 - Background: The exploitation of synthetic data in health care is at an early stage. Synthetic data could unlock the potential within health care datasets that are too sensitive for release. Several synthetic data generators have been developed to date; however, studies evaluating their efficacy and generalizability are scarce. Objective: This work sets out to understand the difference in performance of supervised machine learning models trained on synthetic data compared with those trained on real data. Methods: A total of 19 open health datasets were selected for experimental work. Synthetic data were generated using three synthetic data generators that apply classification and regression trees, parametric, and Bayesian network approaches. Real and synthetic data were used (separately) to train five supervised machine learning models: stochastic gradient descent, decision tree, k-nearest neighbors, random forest, and support vector machine. Models were tested only on real data to determine whether a model developed by training on synthetic data can used to accurately classify new, real examples. The impact of statistical disclosure control on model performance was also assessed. Results: A total of 92% of models trained on synthetic data have lower accuracy than those trained on real data. Tree-based models trained on synthetic data have deviations in accuracy from models trained on real data of 0.177 (18%) to 0.193 (19%), while other models have lower deviations of 0.058 (6%) to 0.072 (7%). The winning classifier when trained and tested on real data versus models trained on synthetic data and tested on real data is the same in 26% (5/19) of cases for classification and regression tree and parametric synthetic data and in 21% (4/19) of cases for Bayesian network-generated synthetic data. Tree-based models perform best with real data and are the winning classifier in 95% (18/19) of cases. This is not the case for models trained on synthetic data. When tree-based models are not considered, the winning classifier for real and synthetic data is matched in 74% (14/19), 53% (10/19), and 68% (13/19) of cases for classification and regression tree, parametric, and Bayesian network synthetic data, respectively. Statistical disclosure control methods did not have a notable impact on data utility. Conclusions: The results of this study are promising with small decreases in accuracy observed in models trained with synthetic data compared with models trained with real data, where both are tested on real data. Such deviations are expected and manageable. Tree-based classifiers have some sensitivity to synthetic data, and the underlying cause requires further investigation. This study highlights the potential of synthetic data and the need for further evaluation of their robustness. Synthetic data must ensure individual privacy and data utility are preserved in order to instill confidence in health care departments when using such data to inform policy decision-making. UR - http://medinform.jmir.org/2020/7/e18910/ UR - http://dx.doi.org/10.2196/18910 UR - http://www.ncbi.nlm.nih.gov/pubmed/32501278 ID - info:doi/10.2196/18910 ER - TY - JOUR AU - Gaia, Joana AU - Wang, Xunyi AU - Yoo, Woo Chul AU - Sanders, Lawrence G. PY - 2020/7/20 TI - Good News and Bad News About Incentives to Violate the Health Insurance Portability and Accountability Act (HIPAA): Scenario-Based Questionnaire Study JO - JMIR Med Inform SP - e15880 VL - 8 IS - 7 KW - cyber security KW - data security KW - Health Insurance Portability and Accountability Act KW - motivation KW - economics of crime KW - rational choice theory N2 - Background: The health care industry has more insider breaches than any other industry. Soon-to-be graduates are the trusted insiders of tomorrow, and their knowledge can be used to compromise organizational security systems. Objective: The objective of this paper was to identify the role that monetary incentives play in violating the Health Insurance Portability and Accountability Act?s (HIPAA) regulations and privacy laws by the next generation of employees. The research model was developed using the economics of crime literature and rational choice theory. The primary research question was whether higher perceptions of being apprehended for violating HIPAA regulations were related to higher requirements for monetary incentives. Methods: Five scenarios were developed to determine if monetary incentives could be used to influence subjects to illegally obtain health care information and to release that information to individuals and media outlets. The subjects were also asked about the probability of getting caught for violating HIPAA laws. Correlation analysis was used to determine whether higher perceptions of being apprehended for violating HIPAA regulations were related to higher requirements for monetary incentives. Results: Many of the subjects believed there was a high probability of being caught. Nevertheless, many of them could be incentivized to violate HIPAA laws. In the nursing scenario, 45.9% (240/523) of the participants indicated that there is a price, ranging from US $1000 to over US $10 million, that is acceptable for violating HIPAA laws. In the doctors? scenario, 35.4% (185/523) of the participants indicated that there is a price, ranging from US $1000 to over US $10 million, for violating HIPAA laws. In the insurance agent scenario, 45.1% (236/523) of the participants indicated that there is a price, ranging from US $1000 to over US $10 million, for violating HIPAA laws. When a personal context is involved, the percentages substantially increase. In the scenario where an experimental treatment for the subject?s mother is needed, which is not covered by insurance, 78.4% (410/523) of the participants would accept US $100,000 from a media outlet for the medical records of a politician. In the scenario where US $50,000 is needed to obtain medical records about a famous reality star to help a friend in need of emergency medical transportation, 64.6% (338/523) of the participants would accept the money. Conclusions: A key finding of this study is that individuals perceiving a high probability of being caught are less likely to release private information. However, when the personal context involves a friend or family member, such as a mother, they will probably succumb to the incentive, regardless of the probability of being caught. The key to reducing noncompliance will be to implement organizational procedures and constantly monitor and develop educational and training programs to encourage HIPAA compliance. UR - https://medinform.jmir.org/2020/7/e15880 UR - http://dx.doi.org/10.2196/15880 UR - http://www.ncbi.nlm.nih.gov/pubmed/32706677 ID - info:doi/10.2196/15880 ER -