This analysis of the legal regulations for cloud computing in healthcare is based on the authors' expertise in cloud-based data processing for healthcare and life sciences organizations. The proposed implementation roadmap should help organizations govern health data processing and storage. Novel computing infrastructures and approaches are often applied to improve processes in the healthcare and life sciences domains [1], with some approaches going as far as incorporating virtual or mixed reality [2] as well as intelligent systems [3]. Cloud computing follows a similar path and is considered one of the most important developments in IT [4]. In addition to the general benefits of cloud computing, there is a wide range of specific improvements that the cloud can bring to scientific organizations, particularly in the life sciences. As shown in recent works, these improvements can materialize in the areas of learning [5] and knowledge cocreation [6], and are inherent to IT best practices such as service-oriented architectures, Web services, and big data [7,8]. However, security and privacy are often cited as major concerns when considering cloud computing adoption [9]. Although there are approaches that incorporate cloud computing in the context of patient data [10] and that aim to assess the general security requirements related to introducing the cloud [11], both the research world and practitioners are still on the lookout for applicable approaches to govern cloud computing adoption in the area of healthcare. Here, we present an approach that provides guidance for organizations in the life science domain that are adopting cloud computing and other outsourced IT services. We focus on Germany, because it is a jurisdiction with elaborate and restrictive regulations with respect to data protection, particularly in the area of healthcare [12].

Overview of Legal Regulations

Almost every institution within the healthcare system, from doctor's offices to hospitals to medical insurance companies, must process personal patient data, including sensitive aspects of the patient's health status. In Germany, there is a wide range of applicable regulations that govern the protection of individual rights and the "informational self-determination rights" of patients. The universally applicable Federal Data Protection Act, or Bundesdatenschutzgesetz (BDSG), defines health data as a special type of personal data with legally mandated increased protection requirements (section 9, paragraph 3 of the law). The collection, processing, and use of health data is generally allowed only for the purposes of preventive medicine and medical diagnosis, care, or treatment, or for the purpose of managing and administering health services. Such data can be processed only by medical personnel or by other people who are bound by the same confidentiality obligations (section 28, paragraph 7 of BDSG). In addition, a pre-assessment of the legality of this data processing should be conducted by the company's data protection official (section 4f BDSG, Section 5). When operating IT systems that process health data, both the original organization (for example, the hospital, practitioner, or insurer) and the outsourcing company should implement appropriate technical and organizational precautionary measures, stemming from a list of eight control requirements (that is, specific areas that the organization should control with respect to information security, as noted in paragraph 9 and the related annex to paragraph 9 of BDSG). There is a similar requirement for socially related data (data that is processed in the context of social security benefits) in § 78a of the Social Codex
Adjustment and cost-effectiveness are key elements of a successful Information Security Management System (ISMS). ISMS processes, as basic elements of every ISMS, need to be aligned to the organization and its mission. As of today, a specific ISMS process framework does not exist, and ISMS processes are not a focus of current research. This article aims to fill this research gap by presenting the results of a process mapping study of ISMS processes in the most important and widely accepted international standards for information security management. The authors propose a set of ISMS processes within an ISMS process framework that should be implemented at an individually appropriate maturity level.
Adjustment and cost-effectiveness are key elements of a successful Information Security Management System (ISMS). ISMS processes, as basic elements of every ISMS, need to be aligned to the organization and its mission. Currently, a specific ISMS process framework that clearly differentiates between ISMS processes and the security measures controlled by those processes does not exist, and ISMS processes themselves are not a focus of current research. This article fills this research gap by presenting the results of a study that identifies criteria for ISMS core processes as well as the relevant ISMS core processes.
ABSTRACT. The authors analyze legal regulation issues surrounding cloud computing in healthcare. Drawing on their expertise in cloud-based data processing for organizations in the areas of healthcare and life sciences, they propose an implementation roadmap. The roadmap is intended to provide guidance for organizations in the life sciences regarding the governance of health data processing and storage. This article is part of a special issue on life sciences computing.
Cloud computing is currently one of the most popular themes of information systems research. Considering the nature of the information they process, health care organizations in particular need to assess and treat the specific risks of cloud computing in their information security management system. Therefore, in this paper we propose a framework that includes the most important security processes regarding cloud computing in the health care sector. Starting from a framework of general information security management processes derived from the standards of the ISO 27000 family, the most important information security processes for health care organizations using cloud computing are identified, considering the main risks of cloud computing and the type of information processed. The identified processes will help a health care organization using cloud computing to focus on the most important ISMS processes and to establish and operate them at an appropriate level of maturity consideri...