Privacy and Security in Multi-User Health Kiosks


  • Harold Takyi
  • Valerie Watzlaf, University of Pittsburgh
  • Judith Talbot Matthews
  • Leming Zhou, University of Pittsburgh
  • Dilhari DeAlmeida, University of Pittsburgh



Enforcement of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) has become stricter, and penalties have become more severe, in response to a significant increase in computer-related information breaches in recent years. Health information is said to be worth twice as much as other forms of information on the underground market, so making the preservation of privacy and security an integral part of health technology development, rather than an afterthought, not only mitigates risk but also helps to ensure HIPAA and HITECH compliance. This paper provides a guide, based on the Office for Civil Rights (OCR) audit protocol, for creating and maintaining an audit checklist for multi-user health kiosks. Implementation of selected audit elements for a multi-user health kiosk designed for use by community-residing older adults illustrates how the guide can be applied.



Author Biographies

Valerie Watzlaf, University of Pittsburgh

Associate Professor

Leming Zhou, University of Pittsburgh

Assistant Professor

Dilhari DeAlmeida, University of Pittsburgh

Assistant Professor




How to Cite

Takyi, H., Watzlaf, V., Matthews, J. T., Zhou, L., & DeAlmeida, D. (2017). Privacy and Security in Multi-User Health Kiosks. International Journal of Telerehabilitation, 9(1), 3–14.
