Comprehensive user requirements engineering methodology for secure and interoperable health data exchange

Background

Increased digitalization of healthcare comes along with the cost of cybercrime proliferation. This results to patients’ and healthcare providers' skepticism to adopt Health Information Technologies (HIT). In Europe, this shortcoming hampers efficient cross-border health data exchange, which requires a holistic, secure and interoperable framework. This study aimed to provide the foundations for designing a secure and interoperable toolkit for cross-border health data exchange within the European Union (EU), conducted in the scope of the KONFIDO project. Particularly, we present our user requirements engineering methodology and the obtained results, driving the technical design of the KONFIDO toolkit.

Methods

Our methodology relied on four pillars: (a) a gap analysis study, reviewing a range of relevant projects/initiatives, technologies as well as cybersecurity strategies for HIT interoperability and cybersecurity; (b) the definition of user scenarios with major focus on cross-border health data exchange in the three pilot countries of the project; (c) a user requirements elicitation phase containing a threat analysis of the business processes entailed in the user scenarios, and (d) surveying and discussing with key stakeholders, aiming to validate the obtained outcomes and identify barriers and facilitators for HIT adoption linked with cybersecurity and interoperability.

Results

According to the gap analysis outcomes, full adherence with information security standards is currently not universally met. Sustainability plans shall be defined for adapting existing/evolving frameworks to the state-of-the-art. Overall, lack of integration in a holistic security approach was clearly identified. For each user scenario, we concluded with a comprehensive workflow, highlighting challenges and open issues for their application in our pilot sites. The threat analysis resulted in a set of 30 user goals in total, documented in detail. Finally, indicative barriers of HIT acceptance include lack of awareness regarding HIT risks and legislations, lack of a security-oriented culture and management commitment, as well as usability constraints, while important facilitators concern the adoption of standards and current efforts for a common EU legislation framework.

Conclusions

Our study provides important insights to address secure and interoperable health data exchange, while our methodological framework constitutes a paradigm for investigating diverse cybersecurity-related risks in the health sector.

Advances in Health Information Technologies (HIT) and digital health are transforming healthcare delivery. However, the constantly increasing digitalization and the inherent use of sensitive health data come along with the cost of cybercrime proliferation. Lack of adequate security measures result in patients’ and healthcare providers' (HCPs) unwillingness to adopt HIT, as well as investors’ skepticism to fund such activities. In the European context, as the number of citizens who travel across Europe for education, training, work and tourism constantly increases, the need for cross-border health data exchange becomes imperative. Especially, people suffering from chronic diseases are facing obstacles in travelling either within or outside their country of residence, due to the lack of an established, systematic and secure framework for data exchange among healthcare organizations across Europe.

KONFIDO is a European Union (EU) funded project [1], which aims to leverage novel approaches and cutting-edge technologies, such as homomorphic encryption [2], photonic Physical Unclonable Functions (p-PUF) [3], a Security Information and Event Management (SIEM) system [4], and blockchain-based auditing [5], in order to develop a holistic paradigm for secure, cross-border exchange, storage and overall handling of health data. It builds its solution upon existing/evolving European frameworks, such as OpenNCP (Open-source and reference version of the NCP software) [6], which is the open-source National Contact Point (NCP) software implementation of its predecessor project named epSOS (European Partners – Smart Open Services) [7], and eIDAS (electronic IDentification, Authentication and trust Services) [8], which stands for the EU regulation on electronic identification and trust services for electronic transactions in the internal market. An overview of the KONFIDO technical solution and its links with the abovementioned frameworks is presented in [9]. Overall, KONFIDO aims to advance the state-of-the-art of HIT along the four key dimensions of digital security, i.e. data preservation, data access and modification, data exchange, and interoperability and compliance. To this end, KONFIDO is organized in four complementary phases, namely, ‘User requirements analysis; ‘Design’; ‘Technology development’; and ‘Integration, testing and validation’. The current study focuses on the former phase.

As part of the “User requirements analysis” phase, we first reviewed and mapped applicable technical and legal frameworks as well as ethical and social norms at the European level with a major focus on the KONFIDO pilot-site countries (i.e. Denmark, Italy and Spain). This entailed a gap analysis study for interoperable and secure solutions at the systemic level. We then defined and analyzed user scenarios with major emphasis on cross-border health data exchange and, based on these, we conducted a user requirements elicitation phase starting from the definition of the underlying business processes and proceeding to the identification of respective assets, threats and, ultimately, high-level user goals. Equally important, we pursued intense interaction with the wider healthcare community, in order to validate the methods and the outcomes of our approach, aiming also to identify key barriers and facilitators for HIT solutions acceptance linked with cybersecurity. Overall, HIT acceptance in the clinical environment has been identified as a challenge and has been investigated (mostly focusing on Electronic Health Record (EHR) systems [10, 11]), using models based on psychology, sociology, and consumer behavior. To this end, we conducted a survey targeting all possible relevant stakeholders (i.e. HCPs, hospital staff at IT departments, industrial HIT stakeholders, and patients/citizens), as well as an end-user Workshop.

In this paper, we present the overall methodology concerning the user requirements engineering phase of KONFIDO as well as the obtained outcomes. We conclude by consolidating these outcomes in terms of recommendations for the KONFIDO technical design and we argue about the usefulness of the proposed methodological framework for developing secure and interoperable health data exchange IT solutions.

The overall methodological framework adopted for user requirements engineering focuses on four pillars (Fig. 1). The methodological pillars are provided in the left-side of Fig. 1, along with the targeted outcomes in the right-side, while the arrows linking pillars illustrate their interrelations. A description of each methodological pillar is provided in the respective subsections below.

The user requirements engineering framework: methodological pillars and main outcomes

Full size image

Pillar 1: Gap analysis study

Generally, a gap analysis aims to identify “gaps”, i.e. the qualitative or quantitative differences, between the current and the target state of the analyzed subject (e.g. product, process, organization, market, etc.). Current state corresponds to the analysis subject’s present status (i.e. “where we are”) and target state defines the desired condition where the analysis subject would satisfy some specific criteria or goals (i.e. “where we want to be”). Such an analysis typically requires the comparison of current and target state across a range of criteria. For the current study, the conducted gap analysis aimed to identify how well our analysis subjects satisfy a set of requirements regarding HIT cybersecurity and interoperability.

The gap analysis subjects included several relevant European initiatives, projects and their outcomes, technological artifacts as well as end-user perspectives and policy strategies across four thematic areas, i.e.:

• HIT Interoperability Frameworks: epSOS [7], Antilope [12], the Joint Action to Support the eHealth Network (JASeHN) [13] and SemanticHealthNet [14].

• HIT Security Software Frameworks: DECIPHER [15], OpenNCP and STORK 2.0 [16].

• End-user perspectives across diverse settings in KONFIDO pilot countries: Santobono Pausilipon Hospital (Italy), Odense University Hospital & Svendborg Hospital (Denmark), and Hospital Clínic Barcelona (Spain).

• National cybersecurity strategies and reference reports: Documents regarding the currently applied cybersecurity strategies in the pilot countries and relevant reports (e.g. regarding guidelines or best practices) primarily provided by the European Union Agency for Network and Information Security (ENISA) [17, 18].

The analysis was assigned to Working Groups (WG) per thematic area within the KONFIDO Consortium. The analysis subjects were examined by topic experts in each WG against a gap analysis template (provided in Additional file 1). This gap analysis template defined an explicit set of analysis criteria (a.k.a. controls), mostly based on the ISO/IEC 27k information security standards family [19]. In the scope of the presented study, the following ISO standards were employed: (a) ISO/IEC 27002 [20]; (b) ISO/IEC 27010 [21]; (c) ISO/IEC 27040 [22]; (d) ISO 27799 [23]; (e) ISO 22857 [24], and (f) ISO/IEC 25010 [25].

The template was organized on 11 clauses, defining the template’s upper–level structure: Security policy; Organizing information security; Asset management; Human resources security; Physical and environmental security; Communications and operations management; Access Control; Information systems acquisition, development and maintenance; Information security incident management; Business continuity management; Compliance, and Usability. Instructions and relevant examples on how to use the template were given to the WGs. In addition, the respondents became aware that some questions contained in the template might not be relevant for their analysis, due to the specific scope and/or the varying information granularity of the considered analysis subjects. Finally, iterative teleconferences were conducted among WG members to discuss the plan, their progress, and finalize the results.

The gap analysis was mainly conducted via: (a) Desk research, by reviewing material regarding the analysis subject, e.g. project reports or deliverables, as well as papers published in scientific journals or conferences. (b) Interviews / discussions with experts related with the analysis subject (either directly involved in KONFIDO or not). The overall gap analysis methodology along with some preliminary results were presented in [26].

Pillar 2: User scenarios definition

Given the European dimension of KONFIDO, its user scenarios focus on cross-border health data exchange. In particular, two reference scenarios have been defined, the first focusing on cross-border services for a chronic patient, and the second elaborating on cross-border and cross-regional health data exchange, considering triage services in emergency situations. Several stakeholders have been taken into account in the scenarios’ definition, e.g. public and private hospitals, HCPs with different roles and patients with diverse healthcare needs, as well as various technological artifacts (mHealth apps, telemonitoring services, EHRs, etc.). The aim was to address the heterogeneity of the domain, considering the three pilot countries of the project. The second scenario is described in Table 1 [27].

Besides the textual description of each user scenario, a workflow was defined (for its realization) and analyzed in detail.

Pillar 3: User requirements elicitation

The term “user requirements elicitation” can be ambiguous in the varying contexts of user requirements engineering. In the scope of this work, we defined it as the process of exploiting diverse information sources, in order to “… discover the current project needs and agree upon its vision and goals” [28]. Our overall approach aimed at specifying high-level user goals by first defining the related business processes (BPs), based on the methodology described in Park et al. [29]. User goals in turn are defined as “abstract user requirements, not directly referring to specific technical solutions or components”. They typically refer to specific user actors, while their definition facilitates early identification of possible conflicts between actors and, consequently, their timely resolution.

The identification of BPs was based on the actions contained in the textual description of each scenario, which is a well-established approach [30]. Typically, “verbs correlate to operations which can be invoked by components or actors” [31], in order to facilitate the specification of the system functionality. The user scenario presented in Table 1 is annotated based on the above rationale by highlighting in bold the key-phrases implying BPs. The identified BPs were then analyzed by conducting a threat analysis. Typically, this refers to the systematic process of identifying and evaluating spots of vulnerability for a facility, operation, or system, which is also applicable in the context of HIT [32, 33]. Our threat analysis process involved the following steps:

1. 1.

   Asset identification; assets include anything worth to be protected and can be organized in the following indicative categories: information, infrastructure (physical infrastructure, software, etc.), persons, business functions.

2. 2.

   Threats identification; threats are uncontrolled circumstances or actions, typically related with malicious people or factors out of control (e.g. weather, physical failures, etc.), which can obtain control of, damage or destroy an asset.

Threats may refer to technical, functional, legal, personal and political aspects. We focused on technical threats, which were classified based on the STRIDE model [34]:

1. (a)

   Spoofing: refers to gaining access to a system by using a false identity.

2. (b)

   Tampering: refers to the unauthorized modification of data.

3. (c)

   Repudiation: refers to the denial of specific actions or transactions on the user’s behalf (legitimate or not).

4. (d)

   Information disclosure: refers to exposure of private or sensitive data.

5. (e)

   Denial of service (DoS): refers to the process of making a system/application unavailable.

6. (f)

   Elevation of privilege: refers to gaining access to resources by self-assigning more privileges.

The threat analysis results were combined with best practices and outcomes produced by relevant projects/initiatives, in order to define the user goals per actor. In particular, we took into account: (a) the ISO/IEC 27k family of standards; (b) outcomes of the gap analysis, the end-user survey and Workshop conducted in the scope of the project, as described below; (c) reports from relevant EU projects and initiatives, as well as (d) the recently enforced into practice General Data Protection Regulation (GDPR) [35], which aims to align data privacy laws among EU Member States.

We defined two types of user goals, i.e. functional and non-functional, corresponding to functional and non-functional requirements, respectively. Functional goals were based on the user scenarios, while the identified threats per BP were combined with other sources of information to pinpoint non-functional goals.

Aiming to consolidate and interpret the identified user goals, a meta-analysis was conducted based on a visual analytics approach. The aim was to illustrate the dependencies among the identified user goals and the respective information sources, BPs, assets and threats, as well as the strongest links among them.

Pillar 4: Feedback from key stakeholders

An end-user engagement strategy was employed to validate the prior methodological pillars and their outcomes, and identify key barriers and facilitators for HIT adoption linked with security and interoperability. In particular, an online, anonymous and confidential survey as well as a Workshop with the participation of key stakeholders were conducted. The goal of the survey was two-fold: (a) to identify the currently applied practices regarding security and interoperability on existing HIT infrastructures for healthcare organizations of varying size and nature (e.g. private and public), and (b) to obtain insights regarding patient/citizen awareness on cybersecurity risks entailed in cross-border health data exchange and document opinions about exchanging health data with HCPs or HIT service providers. Thus, we discriminated two groups of participants in the survey: (a) HCPs and HIT stakeholders across Europe, and (b) patients/citizens.

The overall survey design was built upon key principles of human psychology [36], while it contained different content per group. Several sources were used for designing the respective questionnaires, such as relevant standards, surveys conducted by other organizations, reports, scientific papers, etc. The questionnaire structures for both participant groups are provided in Additional files 2 and 3, respectively.

For the first group, personal invitations were sent, in order to obtain high-quality, expert feedback. The survey questions for this group were structured as follows:

1. 1.

   Organization profile: referred to the organization’s size and structure (e.g. number of employees, activities in the domain, etc.).

2. 2.

   Security facts: focused on security incidents occurred in the organization, targeting IT stuff and managers.

3. 3.

   Security policy: referred to policies applied in the organization (e.g. existence of security and risk management policies, use of encryption, etc.).

4. 4.

   Security incident management: concerned handling security breaches in a technical level, targeting technical stuff and managers.

5. 5.

   Barriers and facilitators: aimed to identify key issues that facilitate or discourage the adoption of cybersecurity best practices.

6. 6.

   Personal view: focused on awareness (e.g. use of publicly available cloud storage services, importance of security in everyday work, etc.) and satisfaction regarding the current cybersecurity state.

Contrary to the survey targeting the first group, the survey for the second group was circulated publicly by using patient forums, mailing lists, and social media. It contained the following sections:

1. 1.

   Awareness regarding Information Technology risks: Focused on identifying the level of the participants’ awareness regarding the risks entailed in using HIT.

2. 2.

   Legislation: Aimed to identify the patients’/citizens’ familiarity with relevant legislation artifacts.

3. 3.

   Cross-border medical treatment: Aimed to provide insights on whether the participant was medically treated or hospitalized abroad.

4. 4.

   Cross-border medical data exchange: Focused on the participants’ opinion regarding the need for cross-border health data exchange.

5. 5.

   Barriers and facilitators: Aimed to identify issues that facilitate or discourage cross-border health data exchange from a patient’s/citizen’s viewpoint.

6. 6.

   Demographics: Contained key information about the participant, in order to facilitate the statistical analysis of the obtained data.

The end-user Workshop attracted more than 30 stakeholders from the HIT and healthcare sectors across Europe; it was organized to encourage open discussion, exploring the diverse issues concerning cross-border health data exchange. Personal invitations were sent to candidate participants from diverse organizations (healthcare, standards developing organizations, HIT associations, regional healthcare authorities, privacy authorities, research/academia, etc.), aiming to obtain input from the widest possible spectrum of stakeholders composing the European HIT ecosystem. The methodological overview along with preliminary outcomes as regards barriers and facilitators for HIT acceptance were presented in [37].

In this section, we present the main outcomes of the employed methodology (Fig. 1). Given the wide range of the activities carried-out in the scope of this work, we concentrate on the key parts of the findings.

Outcome 1: Comprehensive user requirements definition

The detailed analysis of the user scenarios highlighted the challenges and the open issues of applying them in real-world settings, taking into account the context of the project’s pilot sites. Figure 2 depicts a part of the workflow corresponding to the user scenario presented in Table 1, highlighting actions considered in the senario, the entailed challenges and open issues, as well as scenario background information.

Partial view of the workflow corresponding to the user scenario described in Table 1

Full size image

The user scenarios analysis resulted in a set of BPs (listed in Table 2). In order to illustrate the user goals definition process, we present the analysis of BP2: “Access the medical record of a foreign patient”, demonstrating this way indicative results in each step of the analysis (Table 3 depicts the assets and Table 4 the identified threats for BP2, respectively).

These threats were analyzed, taking also into account further information sources, e.g. ISO standards, guidelines produced by other European projects, etc. Based on our analysis, a set of 30 user goals were defined in total (Tables 5 and 6 demonstrate two example goals associated with BP2).

Aiming to further analyze the identified user goals, we conducted a meta-analysis using visual analytics. Diagrams demonstrating the link among the outcomes of intermediate analysis steps (i.e. assets and threats), the original information investigated (i.e. standards, policy recommendations, etc.) and the final user goals, were produced. This visualization highlighted the complexity of these links for specific intermediate outcomes, information sources and user goals, and gave a broader overview concerning the overall contribution in the user goals’ definition by grouping the intermediate analysis steps and the original information investigated according to their category. Figure 3 provides an indicative example visualization, depicting a subset of the links among information sources (e.g. standards, BPs, reports on the left side of the figure), intermediate outcomes (assets and threats, in the middle) and user goals G7, G8 and G12 (on the right side of the figure). Respectively, Fig. 4 provides an example visualization depicting the overall contribution of the categories of information sources considered in our analysis (left side of the figure) and the categories of intermediate analysis steps (i.e. assets and threats, in the middle) in the user goals definition (right side of the figure).

Sankey diagram illustrating an indicative view of links among specific information sources considered in the analysis

Full size image

Sankey diagram illustrating the overall contribution of the categories of information sources considered in the analysis for goal definition

Full size image

Table 7 demonstrates the quantified contribution of the most important information categories. Evidently, ISO standards were the most influential source of information in this respect.

Outcome 2: Barriers and facilitators for HIT acceptance

The gap analysis study provided the initial input for this outcome, since it revealed barriers and constraints as well as open issues and challenges for information security in the health sector. This input has been further elaborated in the Workshop and also through the conducted survey. As an example, we present the analysis of the everyday operational processes applied in one of the KONFIDO pilot sites, the Santobono Pausilipon Hospital (PAUSIL) in Naples, Italy. PAUSIL is a specialized pediatric hospital with more than 1000 employees and it demonstrated high adherence to the controls contained in the gap analysis template and the respective underlying standards. Nevertheless, some indicative gaps were identified (Table 8).

Overall, the main issues identified through the gap analysis for the considered analysis subjects can be summarized as follows:

1. 1.

   Full adherence to the targets set by international standards for information security is currently not universally met. For example, the processes applied in the considered hospitals demonstrated high adherence with the controls proposed by information security standards. However, compliance with standards was not evident in the review of the considered interoperability and software security frameworks.

2. 2.

   The analysis of national cybersecurity strategies and reference reports highlighted the difficulty in balancing between a high-level document and actionable information. As a consequence, this material can be ambiguous for users and, therefore, the adherence is partly incentivised and arbitrarily localized.

3. 3.

   As technology evolves at rapid pace, cybersecurity artifacts can quickly become outdated. A sustainability plan for the employed technologies should be undertaken, in order to enhance user trust. In some cases, legacy or vulnerable technologies were identified in the investigated technology frameworks.

4. 4.

   Lack of integration towards a holistic security approach was clearly identified. While, various interesting technologies are being developed in parallel, it seems that each project focuses on a specific technological aspect and integration is not taken into account to leverage cybersecurity of HIT as a whole.

The survey focusing on selected stakeholders, i.e. HIT experts, managers, HCPs and health IT stuff working in hospitals, resulted in 35 submissions. The open survey targeting patients/citizens attracted 437 submissions. The analysis of the submitted responses led to the identification of barriers and facilitators regarding HIT acceptance. For example, barrier B1: “Lack of awareness regarding information technology risks” was identified due to the analysis of the responses to the questions “Have you ever thought about your privacy regarding your health data?” (depicted in Fig. 5) and “Do you feel well-informed regarding possible health data security risks?” (depicted in Fig. 6), provided by the patients/citizens group.

Answers to question “Have you ever thought about your privacy regarding your health data?”

Full size image

Answers to question “Do you feel well-informed regarding possible health data security risks?”

Full size image

As another example, facilitator F6: “Wide recognition of the need for a security policy based on standards” was partly identified due to the responses to the question “Please rank the importance of the issues that you think might facilitate the adoption of security-oriented best practices” provided by the selected stakeholders group (Fig. 7). Similarly, answers to question “Please rank the following barriers, hindering acceptance of cross-border health data exchange” provided by the patients/citizens group (Fig. 8) were linked with barrier B2: “Lack of end-user confidence on their overall electronic health data handling”.

Answers to question “Please rank the importance of the issues that you think might facilitate the adoption of security-oriented best practices” (for readability, only the most popular responses are presented)

Full size image

Answers to question “Please rank the following barriers, hindering acceptance of cross-border health data exchange”

Full size image

Overall, the analysis of the survey responses and the outcomes of the Workshop led to the identification of a comprehensive set of barriers and facilitators regarding HIT acceptance (shown in Tables 9 and 10, respectively). The barriers identified in Table 9 are grouped with respect to awareness, interoperability, legislation, trust, and usability.

Outcome 3: Recommendations for the technical design

Based on the outcomes from all methodological pillars (Fig. 1), we concluded with a list of recommendations for the design phase of the KONFIDO toolkit. Notably, not all the produced recommendations concern technical aspects that can be overcome in the context of KONFIDO. Some of them are quite generic, exceeding the KONFIDO scope. Nevertheless, since these can be useful for the designers of cybersecurity tools in the health domain, we cite below the full list of recommendations:

1. R1.

   Strive for high adherence to standards as this reinforces end-users’ trust in HIT.

2. R2.

   Leverage existing technical frameworks of the domain (in the European context, e.g. OpenNCP and eIDAS), but also follow a flexible design to address technical dependencies to the extent possible.

3. R3.

   Implement state-of-the-art cybersecurity technologies and measures, while ensuring sustainability of the technical solutions.

4. R4.

   Consider how and where consent is registered as well as accessed by patients and HCPs.

5. R5.

   Adopt a clear and comprehensive data handling scheme, in order to facilitate its understanding (for both patients and HCPs).

6. R6.

   Usability should be a first-class priority in cybersecurity technical developments, given that this constitutes a key acceptance factor for the end-users.

7. R7.

   Implementation details should target the three pilot countries as there are too many open issues to plan and conclude in the development of an EU-wide robust technical solution. A prototype toolkit targeting the three pilot countries can be used as an example for the future development of an EU-wide solution.

8. R8.

   Carefully take into account the diversity of organizational and information workflows applied in healthcare organizations, and adapt the technical design accordingly.

9. R9.

   Comply with all applicable laws and regulations in the involved regions and countries, but also with EU regulations related to HIT. At the same time, be adaptable to prominent changes regarding legal issues and take into account that legislation is not aligned among EU Member States.

10. R10.

    The lack of budget to address security aspects by healthcare organizations dictates that new cybersecurity technologies shall be cost-effective, contributing to practical solutions.

Principal results

The current study provided a comprehensive set of user requirements and a set of barriers and facilitators for HIT acceptance associated with the design of secure and interoperable HIT, concluding with recommendations for the technical design phase of cybersecurity solutions focusing on health data exchange and the KONFIDO toolkit in particular.

According to the gap analysis, full adherence with information security standards is currently not universally met. In view of the rapid pace of cybersecurity technologies, sustainability plans shall be defined for adapting existing/evolving frameworks to the state-of-the-art. Overall, lack of integration in a holistic security approach was clearly identified. For each user scenario, a comprehensive workflow has been defined, highlighting challenges and open issues for their application in our pilot sites. The threat analysis resulted in a set of 30, high-level user goals in total, which were documented in detail, while links among our information sources and assets, threats and goals were identified as part of a meta-analysis. The survey and the Workshop with key stakeholders validated the above-mentioned outcomes. Indicative barriers of HIT acceptance include lack of awareness regarding HIT risks and legislations, lack of a security-oriented culture as well as usability constraints, while important facilitators concern the adoption of standards and the efforts to establish a common legislation framework across EU. To this end, GDPR is a significant step forward which will certainly affect the management of patient data and the design of HIT systems. However, its detailed analysis exceeds the scope of our user requirements engineering methodology and, therefore, GDPR is not further elaborated in this paper.

The overall outcomes obtained from the presented user requirements engineering methodology were consolidated as recommendations for the design of cybersecurity solutions. Despite the fact that some of these recommendations do not concern technical aspects that can be overcome in the context of KONFIDO, we stress their importance, as they can provide significant insights for the design and development of cybersecurity solutions in the healthcare domain at large.

Limitations

As our study relies on multiple methodological steps, various limitations per step can be identified. In particular, the gap analysis study entails the subjectivity in both the obtained responses and the interpretation of the analysis subjects. As a mitigation action, we extensively discussed and tried to clarify cases of vague/unclear input across the respective WGs. When necessary, we contacted the producers of the analysis subjects (e.g. consortia of the considered projects) for clarifications. The employed gap analysis framework (template) did not specifically address cross-border data exchange, storage and management, which is the main objective of our project. In addition, while relying on ISO standards and having an adequate level of detail concerning information security, the employed gap analysis template might not cover all possible conditions. Nevertheless, we believe that potential missing aspects will be identified and addressed as the technical development evolves.

The user scenarios were driven by the current setting of the KONFIDO pilot sites. Given the project setup, the pilot studies for assessing the KONFIDO toolkit will be conducted in three European countries. Thus, it is possible that our analysis missed cybersecurity-related aspects that are applicable in other European countries. In order to overcome this limitation, the conducted end-user survey targeted a broad audience, aiming to obtain input from the widest possible spectrum of stakeholders composing the European eHealth ecosystem.

Overall, as the study of other HIT ecosystems (e.g. the case of exchanging health data among different hospitals in US) is out of the current work’s scope, the European focus of the study can be considered as a limitation per se. Nevertheless, the heterogeneity which is met across the different national healthcare systems in Europe constitutes a unique characteristic that is worth investigating. Our study outcomes could also be generalized and exploited in the context of exchanging data in other contexts, e.g. with other countries outside EU. For example, the Trillium-II project [38], which focuses on EU-US cooperation and particularly on exchanging patient summary data, could find our outcomes useful both regarding barriers, facilitators and end-user goals, as well as our technical advances. Raising awareness about cybersecurity for health data exchange requires intensive synergies, in order to build the necessary cybersecurity-oriented culture and address the respective barriers that were identified in our study.

Comparison with prior work

To the best of our knowledge, this is the first systematic study presenting and applying a comprehensive, user requirements engineering methodology for the design of secure and interoperable HIT. Our methodology included a broad range of activities, starting from a gap analysis study which reviewed a wide range of relevant projects/initiatives, technological artifacts as well as end-user organizations’ policies and national cybersecurity strategies. User scenarios have been defined and analyzed in detail, focusing on three pilot sites and cross-border health data exchange. The respective user requirements elicitation phase containing a threat analysis of the business processes entailed in the user scenarios, defined assets, threats and, ultimately, high-level user goals. Finally, an end-user survey and a Workshop with the participation of diverse stakeholders validated the obtained outcomes of the previous steps and identified key barriers and facilitators for HIT adoption linked with cybersecurity. Overall, the presented methodology is aligned with best practices [39] and established methods in the domain of requirements engineering for digital health, with respect to requirements elicitation and validation [40], as well as security requirements identification [41].

This study enabled us to define a comprehensive set of user requirements, a set of barriers and facilitators for HIT acceptance and, ultimately, a set of recommendations for designing a toolkit for secure and interoperable health data exchange in Europe. We argue that our results provide important insights to the domain, while our methodological framework constitutes a paradigm that can be reused for investigating other kinds of cybersecurity-related risks in the health sector. Equally important, the identified barriers and facilitators for HIT acceptance may constitute a useful guide for HIT stakeholders in reinforcing the adoption of their solutions by the targeted end-users (i.e. HCPs and patients/citizens).

BP:

Business Process

EHR:

Electronic Health Record

eID:

electronic IDentification

eIDAS:

electronic IDentification, Authentication and trust Services

ENISA:

European Union Agency for Network and Information Security

epSOS:

European Partners – Smart Open Services

EU:

European Union

GDPR:

General Data Protection Regulation

HIT:

Health Information Technologies

HCP:

Healthcare Provider

IEC:

International Electrotechnical Commission

ISO:

International Organization for Standardization

ISO/IEC 27k:

The ISO/IEC 27000 suite of standards

IT:

Information Technology

JASeHN:

Joint Action to Support the eHealth Network

mHealth:

Mobile Health

NCP:

National Contact Point

OpenNCP:

Open-source and reference version of the NCP software

p-PUF:

photonic Physical Unclonable Functions

SIEM:

Security Information and Event Management

SQuaRE:

Systems and software Quality Requirements and Evaluation

STORK:

Secure idenTity acrOss boRders linked

STRIDE:

Spoofing – Tampering – Repudiation – Information disclosure - Denial of service – Elevation of privilege

WG:

Working Group

The authors would like to thank the Advisory Board members of the KONFIDO project for their feedback on the presented user requirements engineering methodology.

Funding

The research leading to these results has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 727528 (KONFIDO - Secure and Trusted Paradigm for Interoperable eHealth Services).

This paper reflects only the authors’ views and the Commission is not liable for any use that may be made of the information contained therein.

Availability of data and materials

The questionnaires used in the two surveys as well as the gap analysis template cited in the manuscript are provided as supplementary material.

Authors and Affiliations

1. Institute of Applied Biosciences, Centre for Research & Technology Hellas, Thermi, Thessaloniki, Greece

   Pantelis Natsiavas & Vassilis Koutkias

2. MedCom, Odense, Denmark

   Janne Rasmussen & Jan Petersen

3. Sundhed.dk, Copenhagen, Denmark

   Maja Voss-Knude

4. Information Technologies Institute, Centre for Research & Technology Hellas, Thermi, Thessaloniki, Greece

   Κostas Votis & Dimitrios Tzovaras

5. Department of Engineering, University of Naples “Parthenope”, Naples, Italy

   Luigi Coppolino & Luigi Romano

6. Bit4id S.r.l, Naples, Italy

   Paolo Campegiani

7. IDIBAPS, Hospital Clinic de Barcelona, Universitat de Barcelona, Barcelona, Spain

   Isaac Cano

8. eHealth R&D Unit, EURECAT, Barcelona, Spain

   David Marí

9. Fondazione Santobono Pausilipon, Naples, Italy

   Giuliana Faiella & Fabrizio Clemente

10. Telbios S.r.l, Milan, Italy

    Marco Nalin

11. Eulambia Advanced Technologies Ltd, Athens, Greece

    Evangelos Grivas

12. CEA, LIST, Point Courrier 172, 91191, Gif-sur-Yvette Cedex, France

    Oana Stan

13. Department of Electrical and Electronic Engineering, Imperial College of Science, Technology and Medicine, London, UK

    Erol Gelenbe

14. Time.lex, Brussels, Belgium

    Jos Dumortier

15. Exus Software Ltd, London, UK

    Ioannis Komnios

Contributions

PN, JR, MV-K, KV, LC, PC, IC, DM, GF, FC, MN, EvangelosG, OS, ErolG, JD, JP, DT, LR, IK and VK contributed in the gap analysis study (supervised by JR, JP and VK), validated the questionnaires of the end-user survey, and contributed in the realization of the end-user Workshop. MV-K, GF, MN, IC and DM conducted the user scenarios analysis. PN and VK defined the overall user requirements engineering approach and conducted the user requirements elicitation phase as well as the end-user survey. VK supervised the entire study. All the authors read, reviewed and approved the content of the paper.

Corresponding author

Correspondence to Vassilis Koutkias.

Ethics approval and consent to participate

The survey targeting citizens/patients referred in the manuscript was approved by CERTH’s Bioethics Committee. The participants gave online informed consent to participate in the survey.

Consent for publication

Not applicable; the manuscript does not contain individual level of data.

Competing interests

One of the authors (namely, VK) is an Associate Editor with BMC Medical Informatics and Decision Making in a different section (i.e., “Decision Support”) compared to the section that the current paper has been submitted to (i.e., “Healthcare Information Systems”). The authors declare that they have no competing interests.

Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made. The Creative Commons Public Domain Dedication waiver (http://creativecommons.org/publicdomain/zero/1.0/) applies to the data made available in this article, unless otherwise stated.

Reprints and permissions