Privacy and Security in Multi-User Health Kiosks
Enforcement of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) has become stricter, and penalties more severe, in response to a significant increase in computer-related information breaches in recent years. Because health information is said to be worth twice as much as other forms of information on the underground market, treating the preservation of privacy and security as an integral part of health technology development, rather than as an afterthought, both mitigates risk and helps to ensure HIPAA and HITECH compliance. This paper provides a guide, based on the Office for Civil Rights (OCR) audit protocol, for creating and maintaining an audit checklist for multi-user health kiosks. Implementation of selected audit elements for a multi-user health kiosk designed for use by community-residing older adults illustrates how the guide can be applied.
Copyright (c) 2017 Harold Takyi, Valerie Watzlaf, Judith Matthews, Leming Zhou, Dilhari DeAlmeida
This work is licensed under a Creative Commons Attribution 4.0 International License.