Big Data Security and Privacy Issues in Healthcare

data analytics in healthcare analytics

Uploaded by

Bincy K Babu

2014 IEEE International Congress on Big Data

Big data security and privacy issues in healthcare


Nanthealth

Harsh Kupwade Patil and Ravi Seshadri


Nanthealth
Dallas, US
E-mail: hkupwade@nanthealth.com

Abstract—With the ever-increasing cost for healthcare and increased health insurance premiums, there is a need for proactive healthcare and wellness. In addition, the new wave of digitizing medical records has seen a paradigm shift in the healthcare industry. As a result, the healthcare industry is witnessing an increase in sheer volume of data in terms of complexity, diversity and timeliness. As healthcare experts look for every possible way to lower costs while improving care process, delivery and management, big data emerges as a plausible solution with the promise to transform the healthcare industry. This paradigm shift from reactive to proactive healthcare can result in an overall decrease in healthcare costs and eventually lead to economic growth. While the healthcare industry harnesses the power of big data, security and privacy issues are at the focal point as emerging threats and vulnerabilities continue to grow. In this paper, we present the state-of-the-art security and privacy issues in big data as applied to healthcare industry.

Keywords: healthcare; big data security; privacy; security analytics

978-1-4799-5057-7/14 $31.00 © 2014 IEEE. DOI 10.1109/BigData.Congress.2014.112

I. INTRODUCTION

THE new wave of digitizing medical records has seen a paradigm shift in the healthcare industry. As a result, healthcare industry is witnessing an increase in sheer volume of data in terms of complexity, diversity and timeliness. The term “big data” refers to the agglomeration of large and complex data sets, which exceeds existing computational, storage and communication capabilities of conventional methods or systems. In healthcare, several factors provide the necessary impetus to harness the power of big data. For example, in the last two decades, healthcare costs have increased at an alarming rate and healthcare expenses are now estimated at 17.6 percent of GDP. As healthcare experts look for every possible way to lower costs while improving care process, delivery and management, big data emerges as a plausible solution with the promise to transform the healthcare industry. The McKinsey Global Institute estimates a $100 billion increase in profits annually, if big data strategies are leveraged to the fullest potential [1]. For instance, harnessing the power of big data analysis and genomic research with real-time access to patient records could allow doctors to make informed decisions on treatments. Furthermore, big data will compel insurers to reassess their predictive models.

With the increasing cost for healthcare services and increased health insurance premiums, there is a need for proactive healthcare management and wellness. This shift from reactive to proactive healthcare can result in improved quality of care, decrease in healthcare costs, and eventually lead to economic growth. In recent times, technological breakthroughs have played a significant role in empowering proactive healthcare. For instance, real-time remote monitoring of vital signs through embedded sensors (attached to patients) allows health care providers to be alerted in case of an anomaly. Furthermore, healthcare digitization with integrated analytics is one of the next big waves in healthcare Information Technology (IT) with Electronic Health Records (EHRs) being a crucial building block for this vision. With the introduction of EHR incentive programs [2], healthcare organizations recognized EHR’s value proposition to facilitate better access to complete, accurate and sharable healthcare data, that eventually lead to improved patient care.

As healthcare industry explores myriad ways of applying big data analysis from diagnosis, to treatment, to population health management, and eventually capital and strategic planning, the opportunities are endless. Furthermore, as healthcare leaders move from a volume-based to a value-based business model (value refers to the association between quality of care and costs), data will play a pivotal role in the transition [3]. As the healthcare industry witnesses large volumes of data, the first step will involve governance and linking accurate and actionable data in real-time. In this age of connectivity, integrating health systems with large amounts of clinical, financial, genomic, social and environmental data will be crucial for real-time analytics and patient care. The goal is to understand population health for disease control and predictive analysis. For instance, predictive analysis can help understand aggravating health conditions and could prevent adverse health events from occurring (e.g. chronic diseases such as diabetes). Hence, collecting, linking and analyzing multi-dimensional data in real-time becomes imperative. A logical next step in a patient-centric model would be a new all-inclusive scale for measuring the health and wellness of a patient by including, but not limiting to clinical, physical, social, psychological, environmental and genomic data pertaining to a patient. Fig. 1 shows a need for a real-time holistic model for healthcare, with an emphasis on parameters from different domains affecting the condition of a patient. For example, a patient’s vital signs can be normal, but his/her psychological and environmental factors can have dire consequences, (factors not considered as part of the prognosis).

Figure 1. Real-time holistic model for healthcare (diagram labels: Clinical, Social, Psychology, Physical, Genomic)

The explosion of the Internet of Things (IoT) and its ability to provide real-time monitoring and expedited access to care is one of the driving factors for its adoption in healthcare. Gartner estimates 26 billion IoT devices will be functional by 2020 and the amount of traffic generated by such devices will be large enough to place it in the category of big data [4]. Several definitions for IoT exist but currently the focus is primarily on low-cost, low-powered resource constrained (storage, computation and bandwidth) devices [5]. In addition, with the introduction of Body Sensor Networks (BSN) and their direct application to healthcare [6], care providers will be able to monitor vital parameters, medication effectiveness, and predict an epidemic. Body sensors generate massive data, and linking such healthcare data from disparate resource-constrained networks will be crucial for driving healthcare analytics. Hence, healthcare providers have enormous opportunities to revolutionize healthcare by harnessing the power of big data. Nevertheless, such gains will be realized only if security and patient privacy are at the core of any product design and development.

The past decade has seen a steady increase in security breaches in healthcare IT. In 2013, Kaiser Permanente (one of the largest non-profit healthcare providers in US) notified its 49,000 patients that their health information had been compromised due to theft of an unencrypted USB flash drive containing patient records [7]. In 2012, Verizon’s data breach investigation report stated that its forensic investigation and security division compiled data from 47,000 reported security incidents and found 621 confirmed data breaches [8]. Furthermore, a study on patient privacy and data security showed that 94% of hospitals had at least one security breach in the past two years [9]. In most cases, the attacks were from an insider rather than external. In addition, the study stated that the external attacks originated from China, US and Eastern Europe (Romania recording the highest number of external attacks).

With the ever-changing risk environment and introduction of new emerging threats and vulnerabilities, security violations are expected to grow in the coming years. Moreover, the Affordable Care Act will lead to more enrollments for health insurance [10], making it an attractive focal point for hackers and opening a floodgate of healthcare breaches in the coming years. Security breaches of EHR can risk patient privacy and violate the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act in the United States [11], [12]. Hence, EHR security must be a high priority to ensure patient safety.

II. SECURITY AND PRIVACY IN HEALTHCARE

Adoption of big data in healthcare significantly increases security and patient privacy concerns. At the outset, patient information is stored in data centers with varying levels of security. Moreover, most healthcare data centers have HIPAA certification, but that certification does not guarantee patient record safety. The reason being, HIPAA is more focused on ensuring security policies and procedures than on implementing them. Furthermore, the inflow of large data sets from diverse sources places an extra burden on storage, processing and communication. Fig. 2 portrays a big data healthcare cloud that hosts clinical, financial, social, genomic, physical and psychological data pertaining to patients.
Figure 2. Big data healthcare cloud. (diagram labels: Clinical, Social, Financial, Psychological, Physical, Genomic, around a central "Big data healthcare cloud")

Traditional security solutions cannot be directly applied to large and inherently diverse data sets. With the increase in popularity of healthcare cloud solutions, complexity in securing massive distributed Software as a Service (SaaS) solutions increases with varying data sources and formats. Hence, big data governance is necessary prior to exposing data to analytics.

A. Data governance

As the healthcare industry moves towards a value-based business model leveraging healthcare analytics, data governance will be the first step in regulating and managing healthcare data. The goal is to have a common data representation that encompasses industry standards (e.g. LOINC, ICD, SNOMED, CPT, etc.) and local and regional standards. Currently, data generated by BSN is diverse in nature and would require normalization, standardization and governance prior to analysis.

B. Real-time security analytics

Analyzing security risks and predicting threat sources in real-time is of utmost need in the burgeoning healthcare industry. At present, healthcare industry is witnessing a deluge of sophisticated attacks ranging from Distributed Denial of Service (DDoS) to stealthy malware. Furthermore, social engineering attacks are on the rise and the risks associated with such attacks are difficult to predict without considering human cognitive behavior. Cognitive bias, for example, can come into play, especially in the case of elderly patients. “Cognitive bias is a pattern of deviation in judgment, whereby influences about other people and situations may be drawn in an illogical manner” [13]. For example, a man-in-the-middle attack can be effected perhaps by coaxing an elderly patient to accept a digital X.509 certificate. Such scenarios must be taken into account when designing an end-to-end authentication solution.

In the IoT environment, implementing security in resource-constrained networks has been a challenge and will continue to grow more complex with the increase in the number of IoT devices [14]. For instance, conventional symmetric and asymmetric key distribution and revocation schemes cannot be extended to a billion IoT devices. Hence, new scalable key management solutions leading to seamless inter-operability between disparate networks (e.g. IoT and legacy IP networks) is crucial for IoT’s integration of big data in a cloud environment.

As healthcare industry leverages on emerging big data technologies to make better-informed decisions, security analytics will be at the core of any design for the cloud based SaaS solution hosting Protected Health Information (PHI). Additionally, real-time security intelligence will steer new directions in risk management. Consequently, healthcare IT providers can monitor risks in real-time and take preemptive measures before affecting the healthcare business.

C. Privacy-preserving analytics

Invasion of patient privacy is a growing concern in the domain of big data analytics. An incident reported in the Forbes magazine raises an alarm over patient privacy [15]. In the report, it mentioned that Target Corporation sent baby care coupons to a teen-age girl unbeknown to her parents. This incident impels big data to consider privacy for analytics. For instance, data anonymization prior to analytics could protect patient identity. Furthermore, privacy-preserving encryption schemes that allow running prediction algorithms on encrypted data while protecting the identity of a patient is essential for driving healthcare analytics. As the industry leverages on IoT devices to transmit vitals to healthcare clouds, there is a need for processing and analyzing data in an ad-hoc decentralized manner. However, performing resource-exhausting operations (required for analytics) while preserving privacy is a challenge in a resource-constrained environment. Additionally, as healthcare analytics gains popularity, new privacy laws need to be drafted to protect patient privacy. For instance, “informed consent” from patients is required prior to performing any analytics on patient data, and new laws need to be drafted to clearly illustrate all processes involved in performing big data analytics on patient data.

III. CONCLUSION

As big data transforms healthcare, security and patient privacy is paramount in driving such technologies. As healthcare clouds with big data become prominent, hosting companies will be more reluctant to share massive healthcare data for centralized processing. Hence, we envision distributed processing across disparate clouds and leveraging on collective intelligence. Secure patient data management is inevitable as healthcare clouds aggregate and link large amounts of data from disparate networks. Additionally, secure and privacy preserving real-time analytics will propel proactive healthcare and wellness. In this paper, we review some of the security and privacy issues in healthcare and foresee a need for technological breakthroughs in computational, storage and communication capabilities to meet the growing demand of securing healthcare data.

IV. REFERENCES

[1] P. Groves, B. Kayyali, D. Knott and S. V. Kuiken, "The 'big data' revolution in healthcare," McKinsey & Company, 2013.
[2] "EHR incentive programs," 2014. [Online]. Available: https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/index.html.
[3] M. M. Brown, G. C. Brown, S. Sharma and J. Landy, "Health Care Economic Analyses and Value-Based Medicine," Survey of Ophthalmology, vol. 48, no. 2, pp. 204-223, 2003.
[4] P. Middleton, P. Kjeldsen and J. Tully, "Forecast: The Internet of Things, Worldwide," Gartner, 2013.
[5] L. Atzori, A. Iera and G. Morabito, "The Internet of Things: A survey," Computer Networks, vol. 54, no. 15, pp. 2787-2805, 2010.
[6] M. Hanson, H. Powell, A. Barth, K. Ringgenberg, B. Calhoun, J. Aylor and J. Lach, "Body Area Sensor Networks: Challenges and Opportunities," Computer, pp. 58-65, 2009.
[7] E. McCann, "Kaiser reports second fall data breach," Healthcare IT News, 2013.
[8] Verizon, "Data breach investigation report," Verizon, 2013.
[9] P. Institute, "Third Annual Benchmark Study on Patient Privacy and Data Security," Ponemon Institute LLC, 2012.
[10] "Public Law 111 - 148 - Patient Protection and Affordable Care Act," U.S. Government Printing Office (GPO), 2013.
[11] "Health Insurance Portability and Accountability Act," U.S. Government Printing Office, 1996. [Online]. Available: http://www.gpo.gov/fdsys/pkg/PLAW-104publ191/html/PLAW-104publ191.htm.
[12] "Health Information Technology for Economic and Clinical Health Act," 2009. [Online]. Available: http://www.gpo.gov/fdsys/pkg/BILLS-111hr1enr/pdf/BILLS-111hr1enr.pdf.
[13] M. G. Haselton, D. Nettle and P. W. Andrews, "The evolution of cognitive bias," in The Handbook of Evolutionary Psychology, John Wiley & Sons Inc, 2005, pp. 724-746.
[14] H. Kupwade Patil and T. M. Chen, "Wireless Sensor Network Security," in Computer and Information Security, Morgan Kaufmann - Imprint of Elsevier, 2013, pp. 301-322.
[15] K. Hill, "How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did," Forbes, Inc., 2012. [Online]. Available: http://www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did/.
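
The paper's section on privacy-preserving analytics suggests anonymizing data prior to analytics to protect patient identity. The sketch below is an added example, not code from the paper: it replaces the record number with a keyed HMAC pseudonym (so records still link across data sets), generalizes age and ZIP code, and releases only rows that meet a k-anonymity threshold. The field names, key and sample records are constructed assumptions.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample records (not real patient data).
RECORDS = [
    {"mrn": "MRN-1001", "name": "A. Patient", "age": 34, "zip": "75201", "dx": "E11.9"},
    {"mrn": "MRN-1002", "name": "B. Patient", "age": 37, "zip": "75204", "dx": "I10"},
    {"mrn": "MRN-1003", "name": "C. Patient", "age": 31, "zip": "75219", "dx": "E11.9"},
    {"mrn": "MRN-1004", "name": "D. Patient", "age": 68, "zip": "75001", "dx": "J45.909"},
    {"mrn": "MRN-1005", "name": "E. Patient", "age": 62, "zip": "75006", "dx": "I10"},
    {"mrn": "MRN-1006", "name": "F. Patient", "age": 85, "zip": "76101", "dx": "E11.9"},
]

QUASI_IDENTIFIERS = ("age_band", "zip3")


def pseudonym(mrn: str, key: bytes) -> str:
    """Keyed, deterministic token: the same patient links across data sets,
    but the MRN cannot be recomputed or brute-forced without the key."""
    return hmac.new(key, mrn.encode(), hashlib.sha256).hexdigest()[:16]


def generalize(record: dict, key: bytes) -> dict:
    """Drop direct identifiers (mrn, name) and coarsen quasi-identifiers."""
    low = record["age"] // 10 * 10
    return {
        "pid": pseudonym(record["mrn"], key),
        "age_band": f"{low}-{low + 9}",
        "zip3": record["zip"][:3],
        "dx": record["dx"],
    }


def anonymize(records: list, key: bytes, k: int = 2):
    """Return (released, suppressed_count): only rows whose quasi-identifier
    combination is shared by at least k rows are released."""
    rows = [generalize(r, key) for r in records]
    sizes = Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in rows)
    released = [r for r in rows if sizes[tuple(r[q] for q in QUASI_IDENTIFIERS)] >= k]
    return released, len(rows) - len(released)


def k_of(rows: list) -> int:
    """Smallest equivalence-class size in a released data set (its k)."""
    sizes = Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in rows)
    return min(sizes.values()) if sizes else 0


if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: in practice a secret kept outside the analytics tier
    released, suppressed = anonymize(RECORDS, key, k=2)
    print(released, "suppressed:", suppressed, "k =", k_of(released))
```

k-anonymity limits re-identification through the quasi-identifiers only; when every row in a group shares the same diagnosis, that attribute is still disclosed for the group.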
