电子健康记录中的安全性和隐私保护：系统文献综述。

Security and privacy in electronic health records: a systematic literature review.

机构信息

Department de Informatics and Systems, Faculty of Computer Science, University of Murcia, 30100 Murcia, Spain.

出版信息

J Biomed Inform. 2013 Jun;46(3):541-62. doi: 10.1016/j.jbi.2012.12.003. Epub 2013 Jan 8.

DOI:10.1016/j.jbi.2012.12.003

PMID:23305810

Abstract

OBJECTIVE

To report the results of a systematic literature review concerning the security and privacy of electronic health record (EHR) systems.

DATA SOURCES

Original articles written in English found in MEDLINE, ACM Digital Library, Wiley InterScience, IEEE Digital Library, Science@Direct, MetaPress, ERIC, CINAHL and Trip Database.

STUDY SELECTION

Only those articles dealing with the security and privacy of EHR systems.

DATA EXTRACTION

The extraction of 775 articles using a predefined search string, the outcome of which was reviewed by three authors and checked by a fourth.

RESULTS

A total of 49 articles were selected, of which 26 used standards or regulations related to the privacy and security of EHR data. The most widely used regulations are the Health Insurance Portability and Accountability Act (HIPAA) and the European Data Protection Directive 95/46/EC. We found 23 articles that used symmetric key and/or asymmetric key schemes and 13 articles that employed the pseudo anonymity technique in EHR systems. A total of 11 articles propose the use of a digital signature scheme based on PKI (Public Key Infrastructure) and 13 articles propose a login/password (seven of them combined with a digital certificate or PIN) for authentication. The preferred access control model appears to be Role-Based Access Control (RBAC), since it is used in 27 studies. Ten of these studies discuss who should define the EHR systems' roles. Eleven studies discuss who should provide access to EHR data: patients or health entities. Sixteen of the articles reviewed indicate that it is necessary to override defined access policies in the case of an emergency. In 25 articles an audit-log of the system is produced. Only four studies mention that system users and/or health staff should be trained in security and privacy.

CONCLUSIONS

Recent years have witnessed the design of standards and the promulgation of directives concerning security and privacy in EHR systems. However, more work should be done to adopt these regulations and to deploy secure EHR systems.

摘要

目的

报告关于电子健康记录（EHR）系统安全性和隐私性的系统文献综述结果。

资料来源

在 MEDLINE、ACM 数字图书馆、Wiley InterScience、IEEE 数字图书馆、Science@Direct、MetaPress、ERIC、CINAHL 和 Trip 数据库中以英文撰写的原始文章。

研究选择

仅选择涉及 EHR 系统安全性和隐私性的文章。

数据提取

使用预定义搜索字符串提取了 775 篇文章，由三位作者对其进行了评估，并由第四位作者进行了核对。

结果

共选择了 49 篇文章，其中 26 篇使用了与 EHR 数据隐私和安全性相关的标准或法规。使用最广泛的法规是《健康保险流通与责任法案》（HIPAA）和《欧洲数据保护指令 95/46/EC》。我们发现 23 篇文章在 EHR 系统中使用了对称密钥和/或非对称密钥方案，13 篇文章使用了伪匿名技术。共有 11 篇文章提出使用基于公钥基础设施（PKI）的数字签名方案，13 篇文章提出使用登录/密码（其中 7 篇与数字证书或个人识别码（PIN）结合使用）进行身份验证。首选的访问控制模型似乎是基于角色的访问控制（RBAC），因为它在 27 项研究中使用。其中 10 项研究讨论了应由谁来定义 EHR 系统的角色。11 项研究讨论了应由谁来提供对 EHR 数据的访问权限：患者或医疗实体。在审查的 16 篇文章中，有 6 篇文章指出，在紧急情况下，有必要覆盖已定义的访问策略。在 25 篇文章中，系统会生成系统访问日志。只有 4 篇文章提到应该对系统用户和/或医疗人员进行安全和隐私方面的培训。