From: Integrated personal health record (PHR) security: requirements and mechanisms
Requirements | Mechanisms |
---|---|
Confidentiality | • Registering authorized PHR users • Determining the information sensitivity level in PHR • Encrypting data or key fields in PHR databases • Hiding information from unauthorized users • Restricting information updates by unauthorized users |
Availability | • Creating an information backup • Specifying a data access control list |
Integrity | • Using a digital signature • Determining the standard terminology |
Authentication | • Assigning user ID to all users • Determining password mechanisms • Using biometric scans (fingerprints, face, hands, retina) |
Authorization | • Defining the roles (patient, provider, system manager, etc.) • Defining users’ access level to information • Compiling a list of users who may access information in emergencies |
Non-repudiation | • Creating an audit log (information audit) • Creating users’ accountability for any changes and manipulations |
Access right | • Determination by the PHR owner of when and which individuals (authorized users) may access personal health data • Authorization by the PHR owner of another user to access and control the information for sharing • Review by the PHR owner of entities’ access to personal health data • Revocation of entities’ access by the PHR owner at any time • Restricting the previous physician’s access right to the PHR |