New constructions of equality test scheme for cloud-assisted wireless sensor networks.

Public key encryption with equality test enables the user to determine whether two ciphertexts contain the same information without decryption. Therefore, it may serve as promising cryptographic technique for cloud-assisted wireless sensor networks (CWSNs) to maintain data privacy. In this paper, an efficient RSA with equality test algorithm is proposed. The presented scheme also handles the attackers based on their authorization ability. Precisely, the proposed scheme is proved to be one-way against chosen-ciphertext attack security and indistinguishable against chosen ciphertext attacks. Moreover, the experimental evaluations depict that the underlying scheme is efficient in terms of encryption, decryption, and equality testing. Thus, this scheme may be used as a practical solution in context of CWSNs, where the users may compare two ciphertexts without decryption.

An efficient and provably secure key agreement scheme for satellite communication systems.

Satellite communication has played an important part in many different industries because of its advantages of wide coverage, strong disaster tolerance and high flexibility. The security of satellite communication systems has always been the concern of many scholars. Without authentication, user should not obtain his/her required services. Beyond that, the anonymity also needs to be protected during communications. In this study, we design an efficient and provably secure key agreement scheme for satellite communication systems. In each session, we replace user's true identity by a temporary identity, which will be updated for each session, to guarantee the anonymity. Because the only use of lightweight algorithms, our proposed scheme has high performance. Furthermore, the security of the proposed scheme is proved in the real-or-random model and the performance analysis shows that the proposed scheme is more efficient than some other schemes for satellite communication systems.

Data breach remediation efforts and their implications for hospital quality.

OBJECTIVE: To estimate the relationship between breach remediation efforts and hospital care quality. DATA SOURCES: Department of Health and Human Services' (HHS) public database on hospital data breaches and Medicare Compare's public data on hospital quality measures for 2012-2016. MATERIALS AND METHODS: Data breach data were merged with the Medicare Compare data for years 2012-2016, yielding a panel of 3025 hospitals with 14 297 unique hospital-year observations. STUDY DESIGN: The relationship between breach remediation and hospital quality was estimated using a difference-in-differences regression. Hospital quality was measured by 30-day acute myocardial infarction mortality rate and time from door to electrocardiogram. PRINCIPAL FINDINGS: Hospital time-to-electrocardiogram increased as much as 2.7 minutes and 30-day acute myocardial infarction mortality increased as much as 0.36 percentage points during the 3-year window following a breach. CONCLUSION: Breach remediation efforts were associated with deterioration in timeliness of care and patient outcomes. Thus, breached hospitals and HHS oversight should carefully evaluate remedial security initiatives to achieve better data security without negatively affecting patient outcomes.

The Policy Effect of the General Data Protection Regulation (GDPR) on the Digital Public Health Sector in the European Union: An Empirical Investigation.

The rapid development of digital health poses a critical challenge to the personal health data protection of patients. The European Union General Data Protection Regulation (EU GDPR) works in this context; it was passed in April 2016 and came into force in May 2018 across the European Union. This study is the first attempt to test the effectiveness of this legal reform for personal health data protection. Using the difference-in-difference (DID) approach, this study empirically examines the policy influence of the GDPR on the financial performance of hospitals across the European Union. Results show that hospitals with the digital health service suffered from financial distress after the GDPR was published in 2016. This reveals that during the transition period (2016⁻2018), hospitals across the European Union indeed made costly adjustments to meet the requirements of personal health data protection introduced by this new regulation, and thus inevitably suffered a policy shock to their financial performance in the short term. The implementation of GDPR may have achieved preliminary success.

Assessment of Employee Susceptibility to Phishing Attacks at US Health Care Institutions.

Importance: Cybersecurity is an increasingly important threat to health care delivery, and email phishing is a major attack vector against hospital employees. Objective: To describe the practice of phishing simulation and the extent to which health care employees are vulnerable to phishing simulations. Design, Setting, and Participants: Retrospective, multicenter quality improvement study of a convenience sample of 6 geographically dispersed US health care institutions that ran phishing simulations from August 1, 2011, through April 10, 2018. The specific institutions are anonymized herein for security and privacy concerns. Exposures: Simulated phishing emails received by employees at US health care institutions. Main Outcomes and Measures: Date of phishing campaign, campaign number, number of emails sent, number of emails clicked, and email content. Emails were classified into 3 categories (office related, personal, or information technology related). Results: The final study sample included 6 anonymized US health care institutions, 95 simulated phishing campaigns, and 2 971 945 emails, 422 062 of which were clicked (14.2%). The median institutional click rates for campaigns ranged from 7.4% (interquartile range [IQR], 5.8%-9.6%) to 30.7% (IQR, 25.2%-34.4%), with an overall median click rate of 16.7% (IQR, 8.3%-24.2%) across all campaigns and institutions. In the regression model, repeated phishing campaigns were associated with decreased odds of clicking on a subsequent phishing email (adjusted OR, 0.511; 95% CI, 0.382-0.685 for 6-10 campaigns; adjusted OR, 0.335; 95% CI, 0.282-0.398 for >10 campaigns). Conclusions and Relevance: Among a sample of US health care institutions that sent phishing simulations, almost 1 in 7 simulated emails sent were clicked on by employees. Increasing campaigns were associated with decreased odds of clicking on a phishing email, suggesting a potential benefit of phishing simulation and awareness. With cyberattacks increasing against US health care systems, these click rates represent a major cybersecurity risk for hospitals.

Understanding the relationship between data breaches and hospital advertising expenditures.

OBJECTIVES: To estimate the relationship between data breaches and hospital advertising expenditures. STUDY DESIGN: Observational data on hospital expenditures were analyzed using a propensity score-matched regression. The regression was specified as a generalized linear model using a gamma distribution and log link. METHODS: The study sample included Medicare hospitals captured by a survey of traditional media outlets. Hospitals included were nonfederal acute care inpatient hospitals from 2011 to 2014. Voicetrak provided data on hospital advertising expenditures. The Healthcare Cost Report Information System provided data on hospital characteristics and financial variables. Study groups were matched using observable characteristics, such as revenue, number of beds, discharges, ownership, and teaching status. The study excluded hospitals in Maryland and the US territories for financial reporting consistency. Data breaches included theft, loss, unauthorized access/disclosure, improper disposal, and hacking. Advertising expenditures were collected from media outlets including television, radio, newspapers and business journals, and local magazines in a city/metropolitan area. RESULTS: Breached hospitals (n = 72) were more likely to be large, teaching, and urban hospitals relative to the control group (unweighted n = 915). A data breach was associated with a 64% (95% CI, 7.2%-252%; P = .023) increase in annual advertising expenditures, holding observable characteristics constant. CONCLUSIONS: Breached hospitals were associated with significantly higher advertising expenditures in the 2 years after the breach. Efforts to repair the hospital's image and minimize patient loss to competitors are potential drivers of the increased spending. Advertising costs subsequent to a breach are another cost to the healthcare system that could be avoided with better data security.

A beginner's guide to avoiding Protected Health Information (PHI) issues in clinical research - With how-to's in REDCap Data Management Software.

Protecting personally identifiable information is important in clinical research. The authors, two faculty members involved in developing and implementing research infrastructure for a medical school, observed challenges novice researchers encountered in recognizing, collecting, and managing Protected Health Information (PHI) for clinical research. However, we had difficulty finding resources that provide practical strategies for novice clinical researchers for this topic. Common issues for beginners were: 1. Recognition of PHI, e.g. lack of recognition of 'indirect' PHI, i.e., that the combination of two or more non-PHI data types or other specific information could result in identifiable data requiring protection; 2. Collection of PHI, e.g., proposed collection of data not necessary for fulfillment of the project's objectives or potential inadvertent collection of PHI in free text response items; and 3. Management of PHI, e.g., proposed use of coding systems that directly included PHI, or proposed data collection techniques, electronic data storage, or software with inadequate protections. From these observations, the authors provide the following in this paper: 1. A brief review of the elements of PHI, particularly 'indirect' PHI; 2. Sample data management plans for common project types relevant to novice clinical researchers to ensure planning for data security; 3. Basic techniques for avoiding issues related to the collection of PHI, securing and limiting access to collected PHI, and management of released PHI; and 4. Methods for implementing these techniques in the Research Electronic Data Capture (REDCap) system, a commonly used and readily available research data management software system.

Individual privacy versus public good: protecting confidentiality in health research.

Health and medical data are increasingly being generated, collected, and stored in electronic form in healthcare facilities and administrative agencies. Such data hold a wealth of information vital to effective health policy development and evaluation, as well as to enhanced clinical care through evidence-based practice and safety and quality monitoring. These initiatives are aimed at improving individuals' health and well-being. Nevertheless, analyses of health data archives must be conducted in such a way that individuals' privacy is not compromised. One important aspect of protecting individuals' privacy is protecting the confidentiality of their data. It is the purpose of this paper to provide a review of a number of approaches to reducing disclosure risk when making data available for research, and to present a taxonomy for such approaches. Some of these methods are widely used, whereas others are still in development. It is important to have a range of methods available because there is also a range of data-use scenarios, and it is important to be able to choose between methods suited to differing scenarios. In practice, it is necessary to find a balance between allowing the use of health and medical data for research and protecting confidentiality. This balance is often presented as a trade-off between disclosure risk and data utility, because methods that reduce disclosure risk, in general, also reduce data utility.

Security threat assessment of an Internet security system using attack tree and vague sets.

Security threat assessment of the Internet security system has become a greater concern in recent years because of the progress and diversification of information technology. Traditionally, the failure probabilities of bottom events of an Internet security system are treated as exact values when the failure probability of the entire system is estimated. However, security threat assessment when the malfunction data of the system's elementary event are incomplete--the traditional approach for calculating reliability--is no longer applicable. Moreover, it does not consider the failure probability of the bottom events suffered in the attack, which may bias conclusions. In order to effectively solve the problem above, this paper proposes a novel technique, integrating attack tree and vague sets for security threat assessment. For verification of the proposed approach, a numerical example of an Internet security system security threat assessment is adopted in this paper. The result of the proposed method is compared with the listing approaches of security threat assessment methods.

Physical security, HIPPA, and the HHS wall of shame.

In this article, the author a healthcare IT expert, reveals what experts have discovered in analyzing HIPPA data breaches. Most are the result of theft or loss. She explains why this is so, and offers a solution--improved physical security.

Privacy and data security in E-health: requirements from the user's perspective.

In this study two currently relevant aspects of using medical assistive technologies were addressed-security and privacy. In a two-step empirical approach that used focus groups (n = 19) and a survey (n = 104), users' requirements for the use of medical technologies were collected and evaluated. Specifically, we focused on the perceived importance of data security and privacy issues. Outcomes showed that both security and privacy aspects play an important role in the successful adoption of medical assistive technologies in the home environment. In particular, analysis of data with respect to gender, health-status and age (young, middle-aged and old users) revealed that females and healthy adults require, and insist on, the highest security and privacy standards compared with males and the ailing elderly.