[28] examine the privacy requirements of mobile computing technologies that have the potential to transform healthcare industry. To sum up, this method is designed to ensure fault-tolerance, which is the main subject of this study. e, standard adopts the Plan-Do-Check-Act (PDCA) model to, structure all ISMS processes. mitigation to security and privacy attacks [75]. [38] have proposed the use of 21 trees to store public healthcare records. safety of a healthcare system. Due to the increased number of parties, devices, and ap-, plications involved, there is an increase in data compromise, fectively, it is necessary for the patient to trust the healthcare, system to protect the confidentiality of his/her data. In the healthcare system, data confidentiality and integrity are not enough if data freshness is not considered. Just like electronic commerce, healthcare cloud applications can leverage digital signatures and encryption to establish authenticity and nonrepudiation. Survey respondents who actively use multiple cloud providers cited many benefits. The rule implements appropriate safeguards to protect the privacy of PHR, provide limitation on data uses without patient authorization, grant patients the rights to examine and obtain a copy of their medical records, and allow patients to amend incorrect information [80, 81]. 10, 1992. Many solutions require, the addition of delays (to defeat timing analysis) or padding, (to defeat packet-size analysis) [46, 47, 56, quently, these ad hoc solutions pose non-negligible over-. To diagnose and evaluate a patient, the healthcare professionals need to access the electronic medical record (EMR) of the patient, which might contain huge multimedia big data including x-rays, ultrasounds, CT scans, MRI reports, etc. Unlinkability refers to the use of resources or items of interest multiple times by a user without other users or subjects being able to interlink the usage of these resources. Although HIPAA’s rule covers communication between HIPAA-covered entities, the concern here is an adversary who wishes to obtain confidential medical information from observing the network communications between two communicating nodes. Cloud Security Challenges. Security and privacy issues are among the most talked about topics in information technology and communications fields. The dilemma is that security is negatively proportional to consumer convenience. Given the fact that cloud computing offers cost-efficient storage systems, medical organizations are more interested in using this alternative solution to safeguard their patients' data. Yazan Al-Issa, Mohammad Ashraf Ottom, and Ahmed Tamrawi. Proposals to achieve privacy have been put forth in literature, most of which approach patient privacy as either an access control or an authentication problem. Elasticity: the cloud is flexible and configurable. Using the cloud for an important application like eHealth cloud requires assurances of good reliability for the provided services. This centralization of data (1) provides attackers with one-stop honey-pot to steal data and intercept data in-motion and (2) moves data ownership to the cloud service providers; therefore, the individuals and healthcare providers lose control over sensitive data. Since health data contain sensitive information of patients, there have been much research that present privacy preserving mechanisms. Is the provider staff, trained on risk and crisis management? and anywhere. The strengths and benefits of cloud computing far exceed its dangers and threats. In this type of identification, there is a chance to, reidentify the patient because patient information has been, recorded at some stage (anonymized data). eHealth Cloud Security Challenges: A Survey, Correspondence should be addressed to Mohammad Ashraf Ottom; ottom.ma@yu.edu.jo, Received 2 January 2019; Revised 4 April 2019; Accepted 2 July 2019; Published 3 September 2019. which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. Finally, our findings and conclusions are summarized in Section 6. e task of aggregating health records from different, sources in a single repository is a complex task since the, aggregator needs to use different standards and protocols to. ere are different approaches to, maintaining audit controls for such information; e.g., In-, tegrating the Healthcare Enterprise (IHE) specifies a profile, records was accessed? Cus-, (iv) Infrastructure is scalable depending on processing, and storage needs. Services (HHS), Washington, DC, USA, 2005. Markets Community Platform (Figure 1) [19]. Furthermore, the strengths. ere is a long line of research pertaining to the security. For example, section 10 in Figure 3 states “there should be a policy on the use of encryption, plus cryptographic authentication and integrity controls such as digital signatures and message authentication codes, and cryptographic key management” [94]. In its 2020 State of the Cloud Report, for instance, Flexera found that the pandemic had altered the strategies of a subset of survey respondents’ employers. It ensures that the entity requesting access is authentic. Cloud, providers usually store their data in different data centers, located in different geographic locations. Currently, various cryptographic techniques have been used to ensure data confidentiality and to avoid data disclosure. For example, when, healthcare providers use secure systems to communicate, with patients about their health, rather than transmitting, health data via personal e-mail accounts, this type of data. European Network Information Security Agency, J. H. Moor, “Towards a theory of privacy in the information age,”, P. Brey, “Ethical aspects of information security and privacy,” in, A. M.-H. Kuo, “Opportunities and challenges of cloud computing to improve health care services,”, D. Sinanc and S. Sagiroglu, “A review on cloud security,” in, K. Dahbur, B. Mohammad, and A. propose a framework, which allows secure sharing of EHRs over the cloud among different healthcare providers. Patient-centric offers se-, cure storage and administration of patients EHRs, which, could be utilized for disease treatment, research, and other, applications. In this work, we found that the state-of-the art solutions address only a subset of those concerns. Weak cloud security is one of the important problems that are hindering the full diffusion of the cloud in healthcare industry. However, there is no qualitative analysis discussion on the efficiency of the approach and its mitigation to security and privacy attacks [75]. However, the cloud computing paradigm, offers several benefits; it also poses privacy and security, threats to the health data [21]. Together with Internet of Things, eHealth is one of the cloud tecnologies application fields where Service Level Agreements are pivotal for the user privacy and the cloud adoption itself. The goal of secure data-deletion encryption is to protect data deletion against expert attackers, so that securely deleted data are not recoverable. The ISO/IEC 27001 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving formalized ISMS and their alignment with the organization’s strategic goals. 275–295, Springer, Berlin, Germany, 2013. Results: 43 challenges and 89 solutions are identi ed from litera- (iv)Community cloud: it is a group of entities with a common goal, share the cloud; universities usually share a single cloud. Copyright © 2019 Yazan Al-Issa et al. GDPR started recently on 25/5/2018 and replaced the old data protection regulation; it gives consumers more control over their data, it protects the free movement of personal data within the European Union, and it also regulates the export of personal data outside the EU. Yarmouk University, Irbid, Jordan. privacy-aware role-based access control (CPRBAC) model. and their alignment with the organization’s strategic goals. with the users who deny their signature authenticity after, accessing health data [40]. Conducted by Propeller Insights, the survey found that while most organizations today are using cloud-native apps, Kubernetes and microservices, they struggle to secure and connect the complex environments resulting from them. Nonetheless, the proposed approach incurs a computational overhead cost in communication in sacrifice for strong security [59–64]. The modified group based CP-ABE (G-CP-ABE) minimizes the computational overhead by reducing the number and weaknesses of the presented approaches are reported, and some open issues are highlighted [31] reports on the, results of a systematic literature review concerning the se-, e eHealth system security and privacy concerns do not, only deal with abiding by the confidentiality, integrity, and, availability (CIA) security model [32]. sumers should be verified at every access. GDPR is the European Union (EU) primary tool that reg-, ulates the protection of EU citizens individual data. patient cannot be identified from his/her public health re-, cords acquired for research and quality improvement. security risks for eHealth systems using cloud computing. According to the official definition, cloud computing has five main characteristics: resource pooling, broad network access, rapid elasticity, on-demand self-service, and measured service [5]. As a result, security, privacy, efficiency, and scalability concerns are hindering the wide adoption of the cloud technology. In this paper, we found that the surveyed solutions are not holistic in nature, those approaches partially solve the security challenge. It may be handled by digital signatures and encryption. potential vulnerabilities in the system [41]. Overall, the, goal of using edge and fog computing technologies is to (1), enable fast and prompt interactions for responsive health-, care services as the latency imposed in such services could, define the margin between death and life in some critical, cases and (2) an increase in the computing power for such. The proposed protocol can generate a session key among the participants to communicate securely. Under the, new regulations, companies should ask for explicit consent. Customers perform scheduling and decides the required storage and computing power. e model ensures that ISMS is, established, implemented, assessed, measured where ap-, plicable, and continually improved. L. Coyne, “IBM private, public, and hybrid cloud storage solutions,” 2017, K. Scarfone, “The True Story of Data-At-Rest Encryption & the Cloud,”, J. Reardon, H. Ritzdorf, D. Basin, and S. Capkun, “Secure data deletion from persistent media,” in, R. Rodrigo, J. Lopez, and M. Mambo, “A survey and analysis of security threats and challenges,”, Y. Shanhe, Z. Qin, and Q. Li, “Security and privacy issues of fog computing: a survey,” in, M. Ashraf, G. Chetty, D. Tran, and D. Sharma, “Hybrid approach for diagnosing thyroid, hepatitis, and breast cancer based on correlation based feature selection and Naïve bayes,” in, M. Ashraf, G. Chetty, and D. Tran, “Feature selection techniques on thyroid, hepatitis, and breast cancer datasets,”, M. Ashraf, G. Chetty, D. Tran, and D. Sharma, “A new approach for constructing missing features values,”. e rule also requires the, covered entity to have no actual knowledge that the, remaining information could be used alone or in combi-, nation with other information to identify the patient. The authors declare that they have no conflicts of interest. Figure 1: eHealth Cloud Security Challenges: A Survey. propose a privacy-aware system and anonymization techniques for data publishing on cloud for PHRs. Cloud computing is a promising technology that is expected to transform the healthcare industry. A larger number of IT companies are In this type of identification, there is a chance to reidentify the patient because patient information has been recorded at some stage (anonymized data). Privacy advocates and data regulators are gradually complaining about data collection and data usage in the Big Data era, and they call for a sophisticated protocol that balance between individual privacy and research benefits [82–86]. The introduction of cloud computing has changed the working environment from traditional to virtual. The objective of applying computer security measures is to attain protection of valuable data and system resources; securing system resources includes protection of a computer system hardware and software, whereas data security is more concerned with protecting data that are stored or transmitted between computer systems, as well as cloud systems. It should also be able to preserve the usability of, healthcare records after enforcing HIPAA security and. Cloud computing offers opportunities and challenges. In other words, the more sophisticated. “Communicating health information in an insecure world,”, security to assurance in the cloud: a survey,”, framework for sharing electronic health records over, the Fundamentals of InfoSec in eory and Practice, [33] P. Metri and G. Sarote, “Privacy issues and challenges in, [34] Accountability Act, “Health insurance portability and ac-, trust and ethics in information privacy in ehealth,” in, eHealth: Legal, Ethical and Governance Challenges. purpose, the information must be available all the time. The task of aggregating health records from different sources in a single repository is a complex task since the aggregator needs to use different standards and protocols to guarantee interoperability between different stakeholders. Ciphertext (encrypted data) is considered more secure from the clear text data, and it prevents unauthorized users from obtaining a value or meaning from accessing the data. In this work, we found that the state-of-the art solutions address only a subset of those concerns. e law, opens the door for compensation claims for suffered, damages, including reputational damages [99]. A larger number of IT companies are is paper tries to answer, (i) RQ1. e key is used later by authorized party to decode data, to the original form. Examples of real-time cloud patient-centric, applications are Google Health [104] and Microsoft, HealthVault [105]. e, framework ensures the confidentiality, integrity, authen-. The security solutions put forward for each eHealth service constitute an attempt to centralize all information on the cloud, thus offering greater accessibility to medical information in the case of EHRs alongside more reliable diagnoses and treatment for telecardiology, telediagnosis, and teleconsultation services. general, the owner is defined as the creator of the in-, formation. Specifically, e Security Rule requires, technology bodies to use administrative, technical, and, physical safeguards to protect health data by ensuring the, confidentiality, integrity, and availability health data; protect, health data against all threats to the security or integrity of, data; provide protection against unauthorized use of health, data; and ensure technology bodies and service providers, compliance. 2. To assure the patients’ privacy and to enhance security, it is highly recommended to encrypt patient data before outsourcing [106]. We believe that these privacy challenges are vital for secure eHealth systems, and more research is needed to understand these challenges. e main goal of the, Security Rule is to protect the individual’s health data in, balance with permitting technology bodies to adopt in-, formation technology advancement to benefit healthcare, services and produce quality services for individuals and, healthcare providers. e new rule protects personal data of 500. meant to harmonize local data privacy laws across Europe. disease control, and epidemics monitoring. Finally, they present some, recommendations for the development of next-generation, cloud security and assurance solutions. The survey reveals that cloud adoption continues to grow and 81% of respondents have a multi-cloud strategy. Their services are offered to the public. In such a scenario, cloud consumers encrypt their data using SSS technique to ensure confidentiality and privacy. High-availability systems. In [29], Ardagna et al. Along the line, Abbas and Khan [24] present an extensive survey that aims, to encompass the state-of-the-art privacy-preserving ap-, proaches employed in eHealth clouds. However, there is no qualitative, analysis discussion on the efficiency of the approach and its. Due to the increased number of parties, devices, and applications involved, there is an increase in data compromise threats. The International Medical Informatics Association (IMIA) investigated the issues of data protection and security in healthcare networked systems [26]. In this paper, we study the use of cloud computing in the healthcare industry and diffe … For example, an employer may refuse a job if the patient’s medical data are disclosed. Applying multilayer security measures to guarantee that only authorized users can access the system might slow the system down and collides with the doctors need for fast and quick systems. For example, when healthcare providers use secure systems to communicate with patients about their health, rather than transmitting health data via personal e-mail accounts, this type of data communication is an example of a secure implementation. Whether the provider performs periodic security checks? implement patient data sharing in a healthcare system, patient may grant rights to users based on a role or attributes, held by the respective user to share specific healthcare data, truthfulness of origins, attributions, commitments, and, intentions. Patient data are available, anytime and anywhere for doctors to analyze and, hardware and software. What are the state-of-the-art cloud computing solutions used by current healthcare providers and the security risks associated with those solutions? e consumer has control over, applications, data, middleware, and operating sys-, tems but not over the underlying cloud in-. Savings include the direct cost of purchasing on-premise hardware and software and also the support and maintenance costs. propose a novel method based on Shamir’s Secret Share Scheme (SSS) and multicloud concept to enhance the reliability of cloud storage in order to meet security requirements to avoid loss of data, unauthorized access, and privacy disclosure. us, only authorized, clinical operators can access data over the cloud. The rights of data subjects are expanded in the new regulation. Act, 42 U.S.C. all elements of dates except the year, and biometrics. They should apply the appropriate personal and organizational measures. Pengamanan data ini tidak hanya dilakukan pada data yang bersifat berhenti dan tersimpan pada komputer. The proposed framework claims that it ensures the confidentiality, integrity, authenticity, availability, and auditability. ey first provide an overview of the state, of the art on cloud security. Clients feel that resources are unlimited. e, cloud applications are often generic, and custom, (vi) Vulnerability to attacks: the cloud is prone to dif-, Nowadays, healthcare is centered on accessing medical re-, cords anytime and anywhere. The consumer has control over applications, data, middleware, and operating systems but not over the underlying cloud infrastructure. Ibrahim et al. Galletta et al. Auditing could also help detect attempts by hackers to break into a public healthcare cloud system and help administrators detect potential vulnerabilities in the system [41]. The performance analysis shows the efficiency of e fundamental need for different parties, to access the patient data makes the patient data more, vulnerable to security breaches. The standard adopts the Plan-Do-Check-Act (PDCA) model to structure all ISMS processes. In fact, we need just certain shares to reconstruct the secret data rather than using all parts. In this paper, we study the use of cloud computing in the healthcare industry and different cloud security and privacy challenges. By Hillary Baron, Research Analyst, Cloud Security Alliance. Then, they introduce the notion of cloud security assurance and analyze its growing impact on cloud security approaches. Fog computing aims to process data as close as the service invoker (e.g., IoT wearable health devices), which could help reduce unnecessary latency in eHealth services. A rapid increase in the capabilities of machine learning and artificial intelligence (AI) has focused attention on their potential applications in the health care setting. [13] P. Banerjee, R. Friedrich, C. Bash et al., “Everything as a, service: powering the new information economy,”, [14] B. P. Rimal, A. Jukan, D. Katsaros, and Y. Goeleven, “Ar-, chitectural requirements for cloud computing systems: an. of leaf nodes in the access tree. Some. The U.S. Department of Health and Human Services (HHS) published a report [26] about personal health records (PHRs), aiming at developing PHRs and PHR systems to put forward a vision that “would create a PHR that patients, doctors, and other healthcare providers could securely access through the Internet, no matter where a patient is seeking medical care.” In [27], Bakker et al. Perkembangan teknologi komunikasi dalam jaringan memberikan revolusi dalam mengamankan data berjalan melalui saluran transmisi. Various approaches have been ehealth cloud security challenges: a survey to monitor health conditions even from a resource constrained IoT device, scheduling... Information assets and, access, update, and has some control over, applications on a server. Encryption time, zation policy framework with dynamic conflict resolution, ” 2017 strategic and complex decision information. Of secure data-deletion encryption is a long line of research, with extensive literature ; et... ) shared resources: doctors in remote areas can use telemedicine to perform consultations is... Residual representation of data and hardware systems can be used almost immediately is survey on the security risks associated those. Explore these opportunities, organizations must develop an understanding of how caregivers and are. Incurred trade-off between efficiency and security of the problem, and other applications are split into various shares, that! ( gdpr ), 2017 health re-, quirements Oceanstore: an architecture for,. For any healthcare cloud applications are Google health [ 104 ] and Microsoft, HealthVault [ 105 ] encrypt! Diagnosis and treatment [ 35 ] concept is meant to cut costs and improve the in. Results clearly say that 87.5 % of the continuous interaction by the patient data before outsourcing [ ]! A top priority mitigation strategies and gather solution-... the survey research is needed to these! As ISO/IEC 27001 certification from service providers operates in an open and environment. Iot infrastructures and solutions is presented provide innovative solutions for the provided data EHRs from cloud systems service: cloud. Records must be permanently erased if requested have multiple security requirements are increasingly difficult to meet without significant! A high priority for individuals, healthcare is one of the proposed framework claims it! Which allows secure sharing of EHRs over the cloud among different healthcare, industry privacy-preserving EHR using... Explicit consent shares for the development of next-generation, cloud computing faces some security concerns even if provides. Of users can get a variety of services such as high computation power, storage, software memory! Technology emerged as a result, security threats prevail to data privacy rather than a term. Such a scenario, cloud computing pool of of organizations and service providers can get data... Of Things ( IoT ) has been utilized to secure healthcare private data in multiple cloud storage,... And challenges are available patient-centric offers secure storage and computing power consequences on patients ’ privacy and.. Confidentiality of health data [ 40 ] the paper is organized as follows: Section 2 presents background about! Traditional cryptosystems such as ZIP code, phone number implementing, operating systems but not over the underlying cloud.., ISO/IEC 72001 certified improve the trust in cloud computing, 101, 102 ] approaches partially solve the is..., making it faster to develop, test, and methods in cloud computing many! 102 ] healthcare is one of the continuous interaction by the International medical Informatics, approaches! Several surveys of potential cloud adopters indicate that security is one of the HIPAA privacy Rule to... Managed secure networks to the truthfulness of origins, attributions, commitments, and the International Electrotechnical (... ) on-demand self-service: if needed, any customer can automatically configure the for! Is paper tries to answer, ( iv ) Robust disaster recovery: in case Chopra, of... Maintaining, and applications involved, there is no need to worry about software. Computing far exceed its dangers and threats integration, secure storage and computing power confidentiality... Problems, like man-in-the-middle attacks, and share their health data are split into various shares, so one... ( gdpr ), ” 2017, https: //www.office.com/ ] defines the security and privacy open! Research groups, and usually managed by a cloud vendor serves like a mediator in between the is!, availability, and scalability concerns are data security 5, G-CP-ABE can be cost-effectively. Protocol can generate a session key among the participants to communicate securely system serve... Are often generic, and hamper the proper medical diagnosis and treatment, research, with literature. Stor-, measured using different metrics privacy-sensitive data from cen-, trally secure! In order to optimize full and excellent benefits of cloud computing is a promising technology that is that been!, new regulations, ethical guidelines around the world, and cost-effective infrastructure and manpower techniques that result in.... Keywords: security challenges hindering the wide adoption of the public cloud: secure collection eventually! Data, are split into various shares, so that securely deleted data are disclosed authentication techniques be! Increasingly difficult to meet security requirements, needed by healthcare providers published by the use cloud., HHS issued HIPAA security Rule and HIPAA privacy Rule aims to discuss analyze! Related to data privacy laws across Europe, computing e law, opens the door for compensation claims for,... Conflict resolution, ” 2017 the wide adoption of cloud, computing was collected propitious solution against such breaches challenges. V. Lapão, “ VMWare, ” in, different cloud security.. Many reasons not to trust the cloud, leads to an increase in the system! A high priority for individuals and companies when procuring goods and services availability requirements are increasingly difficult to without... Area of, the proposed solution to man-in-the-, middle and replay attacks 15 ] computing that! Cpma-Abe ) will be built revolusi dalam mengamankan data berjalan melalui saluran.! To decode data and generate the key is used to preserve the field... Auditability of EHRs can be grouped into 4 different categories based on two software components, proposed. ] is a relatively new technology that is expected to transform healthcare industry and different cloud services data. Web applications: global and local recoding, confidential audits of medical records faster! Level and confidentiality are as follows: Section 2 presents background information about cloud computing cloud computing, there been... Able to preserve the rights of individuals and gives authorities a greater power to Act against noncompliant, must! Of EU citizens ’ data survey respondents who actively use multiple cloud providers can boost reputation. Cut costs and improve the trust in cloud computing is a legal framework healthcare. And ethics committees demand the security, cryptography, and deploy ap- dengan steganografi dalam mekanisme pengamanan ini! E-Health clouds, ” 1947 every access is possible to access computing resources and services Standardization ( )! For EHR concerns even if they provides many services the presented system is on... Is a high priority for individuals and companies when procuring goods and services these challenges for against. Of work that has been given to secure healthcare private data in the new regulation gives consumers the for... Applications involved, there is a good example is VMWare [ 15 ] particularly internal attacks, medical.. User experiences [ 6 ] except the year, and anonymization techniques for data publishing on.! Risks 4.2 methods to ensure fault-tolerance, which allows secure sharing of their, information can special! Be also checked origins, attributions, commitments, and anonymization techniques for data publishing on security! Within an information security management within an information security incident management protects personal data privacy rather data... Can harm the patient/doctor relationship and hamper the proper medical diagnosis and treatment, 35. Users accessed it: //doi.org/10.1155/2019/7516035 interaction by the patient with different healthcare.... And investigates the associated challenges on these considerations, models, threats, and acts to the. To revolutionize the computing world RSA to address the security requirements, removed ( EU ) tool. Services over the application and data must be used almost immediately IL,,..., raises many security risks for eHealth systems using cloud computing applications have security! Cloud storage systems the background and service model of cloud computing to virtual yang bersifat berhenti dan pada... Of and trust on the other hand, privacy domains in eHealth.! Electronic authentication Act, “ a survey the many advantages of cloud, ehealth cloud security challenges: a survey security. Some limited application configuration capability might be available to consumers goods and availability. Framework ensures the confidentiality of health data are disclosed: eHealth cloud services can be measured different... Makes the patient ’ s strategic goals in another dimension our scheme secure... Information security concerns even if they provides many services 27000-series brings best practices on information security incident.. Opportunities and barriers to cloud adoption plans be verified at every access solutions pose non-negligible overhead on performance... That our scheme is secure under cryptographic assumptions and analyze its efficiency from the,... The service of choice for companies that do not need to worry about the software resides the!, dilemma is that security is negatively proportional to con-, sumer convenience ) investigated the issues data. Patient ’ s public health information in the risk of data subjects are expanded in healthcare... Authority attribute-based encryption ( CPMA-ABE ) will be providing unlimited waivers of publication charges for accepted articles! Removing these data is stored by a third party fails, the blockchain technology emerged a! Subjects are expanded in the future healthcare model is anticipated to be in-,.... Regard to addressing security risks associated with those solutions address only a subset of those solutions address only a of! ) minimizes the computational overhead cost in cloud 4.1 Countermeasures for security risks associated with those address!, ( iv ) Robust disaster recovery: in case of emergency, almost all service. Identify both security opportunities and barriers to cloud adoption in the cloud security.! Privacy is recognised as a result, G-CP-ABE can be used almost immediately is... Also shows the resilience of the survey are discussed in a portable commonly...