In this blogpost we will get to know what a healthcare provider expects from a cloud-based e-health framework, such as ASCLEPIOS. These requirements are seen from two points of view: healthcare-related functionalities and data privacy.
Source of requirements
In our previous blogpost we discussed how GDPR helps shape the ASCLEPIOS solution, which needs to be compliant with the foreseen guidelines and regulations. Apart from GDPR, the ASCLEPIOS healthcare and data privacy requirements are also derived from interviews with healthcare providers and the ISO 18308 standard. This combination gave us an understanding of how to build a cloud-based e-health framework that protects privacy and allows healthcare professionals to deliver services by providing them with access to the health information they need.
For the interviews, two questionnaires were designed. The first questionnaire was created for IT professionals in healthcare organisations, such as network administrators, system administrators and information security officers. The second questionnaire targeted clinicians and stakeholders working in healthcare organisations.
As we have seen in our “Intro to Demonstrators” blogpost series, the ASCLEPIOS framework will be used by the three demonstrators developed in the Netherlands, Germany and Norway. The stroke acute care demonstrator is developed by AMC and involves hospitals, the ambulance service and researchers in the Netherlands. Hospitals and researchers from Germany are involved in the in- and outpatient sleep medicine demonstrator developed by Charité and CBMI. The demonstrator for benchmarking antibiotics prescription is developed by the Norwegian Centre for E-health Research with the involvement of general practitioner offices in Norway.
The partners identified representatives of the healthcare organisations that would potentially use the demonstrators, so that the interviews would yield the most valuable information. In total, 13 specialists from 5 healthcare organisations were interviewed.
Healthcare and data privacy requirements
Health data offer huge potential for improving the efficiency, effectiveness and quality of healthcare. Health data privacy must be protected, but at the same time this should not interfere with healthcare professionals’ access to the health data they need to deliver healthcare. As such, a challenging set of requirements was collected, especially considering the need to address them all in the ASCLEPIOS framework.
Personal data stored in the cloud must be encrypted. This implies requirements for the management of encryption/decryption keys and for keeping storage overhead minimal. At the same time, it should be possible to perform a search on encrypted data. The need to represent links between health record entries and external resources, for example medical images, was also identified.
GDPR Articles 15 and 20 give rise to the requirements for enabling patients to obtain access to and control over their personal data and to transfer their data from one institution to another. But when it comes to access control and health data availability, we observed an interesting dilemma between introducing strict technical access control and making data available whenever healthcare professionals need it. The respondents agreed that strong technical access policies would increase lawful data processing. However, they pointed out that these policies might reduce data availability and lead to unwanted outcomes, such as slowing down the work of clinicians and, consequently, the delivery of healthcare services.
The interviewed participants agreed in principle that patients should have active access control over their personal health data within health institutions. However, this would require patients to actively update the access control rules and to remember the names of their doctors and other details, which could be challenging. Another challenge is the application of access control in emergency situations, when the patient is unconscious. Therefore, access control needs to be carefully designed to avoid situations where delivery of care could be impeded by lack of information.
All the respondents agreed on the need for secure audit control of all health data processing activities: who had access to health data, when, where, why and for how long. Article 30 of the GDPR obliges healthcare organisations to maintain a log of processing activities under their responsibility, and Article 15 gives patients the right to get information about any operations performed on their data.
Utilisation of requirements
The healthcare and data privacy requirements were collected and analysed to serve as a basis for specifying the ASCLEPIOS framework functionalities involved. A prioritisation process followed, in which each requirement was assessed as high, medium or low priority. Based on these requirements, a strategy will be defined that gives valuable insights to healthcare organisations that wish to be GDPR compliant. Furthermore, the prioritised list of requirements will guide the project’s development activities and ensure that stakeholders’ needs are aligned with the technical implementation decisions.
If you want to find out more about how all these concepts will be incorporated in ASCLEPIOS, stick around for upcoming blogposts.
- Kassaye Yitbarek Yigzaw et al. (2019). ASCLEPIOS Technical, Security, Healthcare and Data Privacy Requirements. Deliverable 1.1 of the ASCLEPIOS project funded under the European Union’s Horizon 2020 research and innovation action grant No: 826093
- General Data Protection Regulation https://gdpr-info.eu/
- ISO standard 18308:2011 “Health informatics – Requirements for an electronic health record architecture” https://www.iso.org/obp/ui/#iso:std:iso:18308:ed-1:v1:en