Data Protection Analysis and Security Risks for the Health System in Greece
KINGSTON UNIVERSITY
Faculty of Computing, Information Systems & Mathematics
MSc IN ELECTRONIC COMMERCE
Module Coordinator
Mrs Vasileia Peppa
Student’s name:
Panagiotis Dimitrios Pilichos
A thesis submitted in partial fulfilment of the requirements of
Kingston University for the degree of MSc in E-Commerce
September 2008
Table of Contents
Current situation in the world
Medical information systems in the United States
Medical information systems in Europe
Medical information systems in Asia
Medical information systems in Australia
Security in health systems
Why should we be concerned about security in health systems?
Current approaches to security
The Privacy Rule and Security Rule Compared
Protecting Private Health Information
Greek Health System Historical Background
The Health System today in Greece
Current activities in Greece under the Europe umbrella
Adoption of Technologies in Greece and the EU
Greece current eHealth indicators
Greece current situation regarding privacy
Data protection applied to the health system
Critical evaluation of the results
Abstract
Today the use of information systems in healthcare has increased dramatically. A health system can benefit from information technology both by improving the services it provides and by reducing the time a patient needs in order to be examined. For society a health system is crucial both for existence and for quality of life. Beside this positive impact, health system patient data must be protected: if the data are accessible to third parties, the trust between the patient and the system is lost. Lack of security could also result in the exploitation of insurance companies by some patients and physicians. It is commonly understood that a large share of a public budget goes to health care costs, and a respectable amount of that goes into monitoring in order to ensure the quality of medical treatment.
Initially our research focuses on health information systems in general: their definition and history, their current status, and a survey of health systems around the world and how they compare with the system in Greece. Regarding the architecture we also investigate technologies for communication, control and planning. Issues such as the electronic identity of citizens, the relationship between e-health and e-government, and a framework for the use of statistics in overall planning are investigated as well.
Health information systems and e-health are considered by international organizations to be part of the e-government strategic goal adopted by the majority of developed countries. Considering also the large amounts of money spent yearly on this goal, it is reasonable to state that countries all over the world have identified these risks and continuously examine health information systems in detail. A classic example is the European Commission vision for person-centred health systems, which has been pursued for the last 15 years. From our initial survey we have identified actions taken by countries that are both political (in the EU and under the umbrella of the World Health Organization) and technological (ISO, IEEE). As a first example we present the major risk categories identified in the literature:
- Loss of Personal Health Information
  - Due to theft or loss
  - Due to malicious attempts
  - Natural disasters
- Corruption or unauthorized modification of Personal Health Information
  - Due to malicious attempts
  - System or communications failure
- Loss of critical ICT services
  - Network failure
  - System malfunction
- Unauthorized Disclosure
  - Attack by hackers
  - Identity theft
As mentioned above, due to the importance of securing patient health information, a large number of organizations and standardization groups have published standards and requirements that a system must satisfy in order to be approved for use. In this thesis we examine standards mainly from the International Organization for Standardization (ISO), a worldwide federation of national standards bodies from 140 countries. More specifically, our preliminary research shows that ISO recommends security controls for e-health drawn from security standards such as ISO/IEC 27002:2005 (formerly ISO/IEC 17799:2005), Code of Practice for Information Security Management, and its companion standard ISO/IEC 27001:2005, Information Security Management Systems – Requirements. These standards address a large number of security aspects, such as security policy, organization of information security, access control, information security incident management and business continuity management.
Introduction & Background
The main subject of this thesis is medical information systems; in this section we collect definitions from the literature. In addition we present the current situation in the world, and more specifically in the United States, Europe, Asia and Australia, regarding medical information systems and how they are applied in those countries.
Definition
Medical informatics is the intersection of several sciences, more specifically information science, computer science and health care. Medical information systems mainly manage the resources, devices and methods required to optimize the acquisition, storage, retrieval and use of information in health and biomedicine. It must be noted that health informatics tools include not only computers but also clinical guidelines, formal medical terminologies, and information and communication systems.
Current situation in the world
Medical information systems in the United States
In this section we present the chronological development of medical information systems in the United States of America. According to [1] the first use of computation in medicine was for dental projects in the 1950s at the United States National Bureau of Standards by Robert Ledley. The next step, in the mid 1950s, was the development of expert systems such as MYCIN and INTERNIST-I. In 1965 the National Library of Medicine started to use MEDLINE and MEDLARS. At this time Neil Pappalardo, Curtis Marble and Robert Greenes developed MUMPS (Massachusetts General Hospital Utility Multi-Programming System) in Octo Barnett's Laboratory of Computer Science at Massachusetts General Hospital in Boston. In the 1970s and 1980s it was the most commonly used programming language for clinical applications. The MUMPS operating system was used to support the MUMPS language specification. As of 2004 a descendant of this system is in use in the United States Veterans Affairs hospital system, which holds the largest database of stored medical records. To access this electronic database a graphical user interface was developed and is widely used by healthcare personnel. After this first military health care system, during the 1970s a plethora of commercial solutions started to be developed in the United States, with Dr. Homer R. Warner being one of the fathers of medical informatics; he also co-founded the Department of Medical Informatics at the University of Utah in 1968. Dr. Warner's contributions to medical informatics have also been recognized by the American Medical Informatics Association, which has an award named after him for the application of informatics to medicine [1].
In 1996 the government introduced specific rules to protect patient data with the Health Insurance Portability and Accountability Act (HIPAA), regulating privacy and the transmission of medical records. This created the impetus for large numbers of physicians to move towards using EMR software, primarily for the purpose of secure medical billing. The US is making progress towards a standardized health information infrastructure. In 2004 the US Department of Health and Human Services (HHS) formed the Office of the National Coordinator for Health Information Technology (ONCHIT) [2]. The mission of this office is the widespread adoption of interoperable electronic health records (EHRs) in the US within 10 years.
The Certification Commission for Healthcare Information Technology (CCHIT) was founded in 2005 to develop a set of standards for electronic health records (EHR) and their supporting networks, and to certify vendors who meet them. CCHIT incorporates institutes and companies from the public and private sectors and is active under the umbrella of the US Department of Health. The CCHIT group is also responsible for publishing a yearly list of certified health and medical programs that comply with the related regulations. [2] [3]
From the above it is obvious that the USA has more than 50 years of experience in medical information systems and can be considered a pioneer in this field.
Medical information systems in Europe
Even though the European Union's Member States started to take action regarding medical information systems much later than the US, it has been decided that the European eHealth system will combine the most up-to-date technology and practices. It must be noted that the European eHealth Action Plan is one of the major goals on the agenda of the European Union and that a large number of Commission services are involved in this task [4] [5]. The main goal of the European Institute for Health Records is the establishment of guidelines and of a regulatory board that will ensure the application of the regulations to commercial systems within the European Union. In addition to the European Union, the United Kingdom has independently established a regulatory body for health informatics under the umbrella of the UK Council for Health Informatics Professions (UKCHIP). [6]
The United Kingdom National Health Service, which provides treatment for UK residents through a variety of means, has also contracted several vendors for a national medical informatics system, 'NPfIT', which divides the country into five regions that are to be united by a central electronic medical record system nicknamed "the spine" [9]. Today the project is well behind schedule and its scope and design are being revised in real time. According to data collected in 2006, 60% of residents in England and Wales have more or less extensive clinical records and their prescriptions generated on 4000 installations of one system (EMIS) written in 'M' (formerly MUMPS). The other 40% predominantly have records stored on assorted SQL or file-based systems. Scotland has a similar approach to central connection under way, which is more advanced than the English one in some ways.
Medical information systems in Asia
In the mid 1990s (1994) Asia and Australia-New Zealand joined forces and established APAMI, the Asia Pacific Association for Medical Informatics, with a total of fifteen members. Another country in the region, Hong Kong, was influenced by the United Kingdom, followed UK actions and is one of the first countries in the region where a health information system was developed and deployed, from 1995. According to [7] “the Hong Kong system has been deployed at all the sites of the Authority (40 hospitals and 120 clinics), and is used by all 30,000 clinical staff on a daily basis, with up to 2 million daily transactions. The comprehensive records of 7 million patients are available on-line in the Electronic Patient Record (ePR), with data integrated from all sites. Since 2004 radiology image viewing has been added to the ePR, with radiography images from any HA site being available as part of the ePR.”
The Hong Kong system is referenced by a large number of publications, mainly because it was developed with the input of a large number of clinicians rather than IT professionals. It must be noted also that the Health Informatics Section of the Hong Kong Hospital Authority [8] was established in parallel with the proposal, during the design and specification phase of the project in 1987. Since the health system was initially funded by the public sector, the e-health system was at first installed mainly in public hospitals. Afterwards, due to the success of the system, the private sector also participated in the developed system under the eHealth Consortium, which was established for this purpose. It must be noted that medical informatics professionals can also participate in the eHealth Consortium, mainly in order to promote the use of IT in every healthcare application. [9][10]
In the rest of Asia the most important actions towards eHealth come from India, with the establishment of IAMI, the Indian Association for Medical Informatics [11], and the publication of the Indian Journal of Medical Informatics [12]. Until recently IAMI has worked autonomously, mostly following similar US standards.
Medical information systems in Australia
In 2002 the Australian College of Health Informatics (ACHI) was formed, with the main objective of acting as a regulatory and educational point of reference for health informatics in Australia. Within ACHI, committees have been established to promote and regulate the implementation of the Australian eHealth system [13]. ACHI also cooperates with the Health Informatics Society of Australia (HISA), a regulatory body and Australia's international representative in the International Medical Informatics Association (IMIA). [14]
Conclusions
From our research it is obvious that the importance of medical information systems, as well as the related privacy issues, is recognized by all countries. It is important to notice that countries work together, rather than each individually, to define a standard way of reaching the goal of a universal health information system that is private and manageable.
Security Issues
In this section we present the results of our research on security issues related to health systems. More specifically, our research drew on conference publications and on reports from health organizations. We investigate the main standards related to security and health information systems, as well as results from security investigations carried out under real conditions.
Security in health systems
Health care usually involves a large number of people with different roles, including patients, direct health care providers, researchers, managed care organizations and third-party payers. Each category of people often differs in objectives, concerns, priorities and constraints, making data management in health care organizations a challenging endeavour. The planning, management and delivery of health care services involve the manipulation of large amounts of information, and the corresponding technologies are becoming increasingly embedded in all aspects of health care. [15]
A basic truth about health information systems is that they involve a wide range of complex information-gathering and decision-making tasks. One of the most challenging information-gathering tasks is becoming educated about a particular illness and the various treatment options or lifestyle changes that can help. Health care consumers gain such clinical knowledge from practitioners, from the medical literature and, to an increasing extent, from Internet resources. Investigating health-related issues is one of the most common Web-based activities, and there are many informative Web sites offering in-depth coverage. However, education is only one of the challenges facing health care consumers. A second challenge is understanding the more operational aspects of the health care delivery system, including the clinical focus and experience of practitioners and hospitals. Some questions that might be supported by data warehousing technologies and integrated access to fine-grained data are the following:
- Which hospitals in the area or around the state specialize in a specific treatment or surgical procedure?
- Which physicians specialize in a given treatment and how many do they perform?
- How does the treatment volume of a hospital or physician compare with others across the region, state, or nation?
- What is the practice profile of a given physician in terms of population, diagnoses, or treatments?
Any of these questions could be at least partially addressed through data warehousing technologies and access to the underlying transaction-oriented data.
According to [16], the above questions could be considered either generally or with specific criteria. It must be noted that health care delivery systems continuously evolve, and feedback from patients is considered necessary for the evolution process. [16]
In addition, the protection of personal medical information is considered a de facto requirement that an e-health system should satisfy. Because information protection is also applied in other IT applications, a large number of technologies are adopted for use in e-health systems; one example is EPAL (Enterprise Privacy Authorization Language), developed and licensed by IBM and integrated into IBM data storage devices. [17]
Why should we be concerned about security in health systems?
The main reason is the importance of the health information stored in health databases. Its one-to-one relationship with an individual's life creates the risk that someone could exploit this information for their own profit. Besides personal information and medical history, health information also contains genetic information, which could be exploited in the future by insurance and health companies in order to increase their profits. Beyond physical health information, mental health information could also be exploited.
Today this health information is used by businesses and health practitioners who are not bound by ethical rules. Given the service-oriented nature of society, it is obvious that many different people could exploit it if there are no protection measures. Thus a global privacy regulation body should ensure the protection of this information. Even though today, mainly through military IT applications, securing information is ensured by proper algorithms, no one can ensure that the people involved, and especially trusted insiders of a system, will not share extracted information.
At the same time, accurate and comprehensive health care information is critical to the quality of health care delivery and to the physician-patient relationship. Many believe that the effectiveness of the health care relationship depends on the patient's understanding that the information recorded by a physician will not be disclosed. Without these assurances, many patients might refuse to provide physicians with certain types of information needed to render appropriate care. In order to address patients' concerns about the privacy of their data, the Health Insurance Portability and Accountability Act (HIPAA) was passed by the United States Congress to set a national standard for electronic transfers of health data.
Current approaches to security
Today all information is stored in databases, and this is also the case for medical information. Since the introduction of digitized medical measurements, all medical information has slowly been digitized and stored as bits and bytes. This transformation of medical records from simple paper records to bits and bytes stored centrally and easily accessible has a negative impact on the security of that information and increases the need to ensure its protection. It must be noted that even before the digital age the protection of individual privacy was a long-standing tradition, especially among health-care providers and public health practitioners; the main difference is that those protection mechanisms are not enough for today's digital situation. A patchwork of laws provided narrow privacy protections for selected health data and certain keepers of that data, while there is a need to integrate privacy mechanisms into the digital format itself in order to ensure the protection of the data. [18]
In the USA these concerns were first addressed by the U.S. Department of Health and Human Services (DHHS) with the introduction of new privacy standards that set a minimum of basic protections while balancing individual needs with those of society. These standards and recommendations are included in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), whose main objective is to ensure health insurance coverage after leaving an employer and also to provide standards for facilitating health-care-related electronic transactions. In addition, since HIPAA's goal was to improve the efficiency and effectiveness of the health-care system, it included administrative simplification provisions that required DHHS to adopt national standards for electronic health-care transactions. At the same time, the US Congress recognized that advances in electronic technology could erode the privacy of health information.
According to the HIPAA documents, the HIPAA Privacy Rule (Standards for Privacy of Individually Identifiable Health Information) provides the first set of international standards for protecting the privacy of health information. According to HIPAA: “The HIPAA Privacy Rule regulates how certain entities, called covered entities, use and disclose certain individually identifiable health information, called protected health information (PHI). PHI is individually identifiable health information that is transmitted or maintained in any form or medium (e.g., electronic, paper, or oral), but excludes certain educational records and employment records. Among other provisions, the Privacy Rule
- gives patients more control over their health information;
- sets boundaries on the use and release of health records;
- establishes appropriate safeguards that the majority of health-care providers and others must achieve to protect the privacy of health information;
- holds violators accountable with civil and criminal penalties that can be imposed if they violate patients' privacy rights;
- strikes a balance when public health responsibilities support disclosure of certain forms of data;
- enables patients to make informed choices based on how individual health information may be used;
- enables patients to find out how their information may be used and what disclosures of their information have been made;
- generally limits release of information to the minimum reasonably needed for the purpose of the disclosure;
- generally gives patients the right to obtain a copy of their own health records and request corrections; and
- empowers individuals to control certain uses and disclosures of their health information.”
HIPAA today is widely used and incorporated in everyday health information systems; the act itself set a deadline in mid 2003 for compliance by the majority of the three types of covered entities specified by the rule. The covered entities were:
- health plans,
- health-care clearinghouses, and
- health-care providers who transmit health information in electronic form in connection with certain transactions.
It must be noted that HIPAA was the first widely recognized and approved set of standards that actually protected health information in the health care industry. Since HIPAA is closely tied to new IT technologies and must protect medical information continuously, new technologies need to be monitored continuously and the potential risks they introduce reassessed where necessary. One example is the following: currently health practitioners access health information through online web applications over the public Internet, and providers use computer software and web services to handle their inventories and to manage the distribution of health products. These widely available capabilities have increased the quality of health services, but they have also increased potential security risks and threatened the privacy of personal health information.
It must be noted that, according to the HIPAA authors, the main concern was that in the near future there will be greater use of electronic health records, and the confidentiality and integrity of medical data will need to be ensured in order to meet the goal of a National Health Information Infrastructure (NHII). According to HIPAA, the security standards were developed for two primary purposes:
- First, and foremost, the implementation of appropriate security safeguards protects certain electronic health care information that may be at risk.
- Second, protecting an individual’s health information, while permitting the appropriate access and use of that information, ultimately promotes the use of electronic health information in the industry – an important goal of HIPAA.
The Privacy Rule and Security Rule Compared
Every security system must satisfy two requirements: authentication and authorization. The same applies to secure health information systems and to standards such as HIPAA. For example, the Privacy Rule sets the standards for, among other things, who may have access to protected health information, while the Security Rule provides the standards needed to ensure that only authorized individuals will be able to access electronic protected health information.
According to the Privacy Rule, “each e-health entity in order to be covered must have implemented safeguards for administration, physical and technical issues.” It must be noted that upon implementation of these safeguards a product or e-health service will comply with the Security Rule, but the two rules are still not the same, since there are fundamental distinctions between them. More specifically, the primary distinctions are:
- Digitized vs non-digitized information: According to the HHS introduction to the security standards, “It is important to note that the privacy rule applies to all forms of patients’ protected health information, whether electronic, written, or oral. In contrast, the Security Rule covers only protected health information that is in electronic form. This includes EPHI that is created, received, maintained or transmitted. For example, EPHI may be transmitted over the Internet, stored on a computer, a CD, a disk, magnetic tape, or other related means. The Security Rule does not cover PHI that is transmitted or stored on paper or provided orally.”
- “Safeguard” requirement in Privacy Rule: According to HHS Security 101 document “The Privacy Rule contains provisions that currently require covered entities to adopt certain safeguards for PHI. While compliance with the Security Rule is not required until 2005 for most entities (2006 for small health plans), the actions covered entities took to implement the Privacy Rule may already address some Security requirements. Specifically the Privacy Rule states: (1) Standard: safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. (2) Implementation specification: safeguards. (i) A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart. (ii) A covered entity must reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure. The Security Rule provides for far more comprehensive security requirements of the Privacy Rule and includes a level of detail not provided in that section. As covered entities begin security compliance planning initiatives, they should consider conducting an assessment of the initiatives implemented for privacy compliance”
Security Standards
According to HHS, the security standards are divided into the categories of administrative, physical and technical safeguards. A short definition of each safeguard category is given below:
- Administrative safeguards: these are the administrative functions that must be implemented in order to meet the security standards, including the assignment or delegation of security responsibility to an individual and security training requirements.
- Physical safeguards: according to the standard, this category includes the safeguards needed for the main equipment and subsystems involved in interacting with the system, either remotely or locally. Backup systems also fall into this category.
- Technical safeguards: according to the standard, this category includes the automated mechanisms used to protect the data and to control access to it.
In addition to the safeguards mentioned above, the Security Rule also contains several standards and implementation specifications that can be applied directly to day-to-day e-health products and systems.
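The distinction drawn above between authentication (who is asking) and authorization (what that person may see), together with the technical safeguards of access control and auditing, can be made concrete in code. The following is an added example, not code from this thesis, from HHS or from any e-health product: the roles, the allowed-field policy, the sample patient record and the audit-log layout are all constructed for illustration. It applies a "minimum necessary" rule per role, refuses any request that asks for fields outside the role's set, and writes an audit entry for every attempt, including failed logins and denials, since those are the entries an incident investigation relies on.

```python
"""Added example: authentication, role-based authorization with a
"minimum necessary" field policy, and an audit trail for EPHI access.
Everything here (roles, fields, sample record) is constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib
import hmac
import secrets

# Constructed sample record: one patient's PHI as a flat dictionary.
PATIENT_RECORD = {
    "mrn": "MRN-000123",
    "name": "Maria Example",
    "dob": "1975-04-02",
    "diagnosis": "Type 2 diabetes",
    "medications": ["metformin"],
    "billing_code": "E11.9",
    "insurance_id": "INS-55512",
}

# Assumed policy: each role may read only the fields it needs for its job.
ROLE_FIELDS = {
    "physician": {"mrn", "name", "dob", "diagnosis", "medications"},
    "billing_clerk": {"mrn", "name", "billing_code", "insurance_id"},
    "researcher": {"diagnosis", "medications"},  # no identifiers at all
}


@dataclass
class User:
    username: str
    role: str
    salt: bytes
    password_hash: bytes


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 (standard library): a deliberately slow hash so a stolen
    # credential database resists offline guessing.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def create_user(username: str, role: str, password: str) -> User:
    if role not in ROLE_FIELDS:
        raise ValueError(f"unknown role {role!r}")
    salt = secrets.token_bytes(16)
    return User(username, role, salt, _hash_password(password, salt))


def authenticate(user: User, password: str) -> bool:
    # Constant-time comparison so timing does not leak the stored hash.
    return hmac.compare_digest(user.password_hash, _hash_password(password, user.salt))


AUDIT_LOG = []  # an append-only store in a real system; a list here


def _audit(username: str, role: str, outcome: str, fields: set) -> None:
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": username,
        "role": role,
        "outcome": outcome,
        "fields": sorted(fields),
    })


def read_record(user: User, password: str, record: dict, wanted: set) -> dict:
    """Return only the requested fields the caller's role may see.

    Raises PermissionError on bad credentials or on any disallowed field
    (the whole request is refused, not silently trimmed) and audits the
    attempt either way."""
    if not authenticate(user, password):
        _audit(user.username, user.role, "auth_failed", wanted)
        raise PermissionError("authentication failed")
    denied = wanted - ROLE_FIELDS[user.role]
    if denied:
        _audit(user.username, user.role, "denied", denied)
        raise PermissionError(f"role {user.role!r} may not read {sorted(denied)}")
    _audit(user.username, user.role, "granted", wanted)
    return {k: record[k] for k in wanted if k in record}


def access_outcome(user: User, password: str, record: dict, wanted: set) -> str:
    """Convenience wrapper: perform the access and report the audited outcome."""
    try:
        read_record(user, password, record, wanted)
    except PermissionError:
        pass
    return AUDIT_LOG[-1]["outcome"]


if __name__ == "__main__":
    doctor = create_user("dr_k", "physician", "correct horse")
    print(read_record(doctor, "correct horse", PATIENT_RECORD, {"name", "diagnosis"}))
    print(access_outcome(doctor, "correct horse", PATIENT_RECORD, {"insurance_id"}))
    print(AUDIT_LOG)
```

Refusing a mixed request outright, rather than returning the permitted subset, keeps the audit trail honest: a "denied" entry records exactly which fields a user tried to reach beyond their role.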
According to HHS mission statement “…strategy for addressing the complex issues related to privacy and security stem from three main stakeholders: State government, Federal government, and the Private Sector. The issue of privacy has been addressed from several directions. Primary among them has been to (a) statistical databases, (b) define a privacy specification language, and (c) ensuring that the database itself ensures privacy” [19].
Protecting Private Health Information
According to the Privacy Rule, the main objective is to protect information that is transmitted and communicated between the entities mentioned above. This type of information is covered by the term protected health information (PHI), which HHS defines as “generally individually identifiable health information that is transmitted by, or maintained in, electronic media or any other form or medium.” This information relates to:
- the past, present, or future physical or mental health, or condition of an individual;
- provision of health care to an individual;
- payment for the provision of health care to an individual.
If the information identifies, or provides a reasonable basis to believe it can be used to identify, an individual, it is considered individually identifiable health information.
De-Identified Information
De-identified data, according to HHS, is non-personalized data derived through statistical analysis of the collected personal data. Such data are not covered by the Privacy Rule and may be used by third-party entities for research and educational purposes. According to HHS, data can be de-identified by either a) statistical de-identification, where a properly qualified statistician using accepted analytic techniques concludes that the risk is substantially limited that the information might be used, alone or in combination with other reasonably available information, to identify the subject of the information, or b) the safe-harbor method, where a covered entity or its business associate de-identifies information by removing 18 identifiers and the covered entity does not have actual knowledge that the remaining information can be used, alone or in combination with other data, to identify the subject.
Limited Data Sets
To cover the space between fully identifiable data and de-identified data, HHS also defines limited data sets. These contain health information which, in HHS's full definition, “is not directly identifiable, but may contain more identifiers than de-identified data that has been stripped of the 18 identifiers”. Because of the mixed character of this data set, according to HHS each patient must be asked and agree in writing before such information can be stored and used. It must be noted that this data category was defined specifically to protect patients, companies and health institutes by establishing a specific agreement for each type of data list. In addition, according to HHS, the recipient of such a set must:
- not use or disclose the information other than as permitted by the agreement or as otherwise required by law;
- use appropriate safeguards to prevent uses or disclosures of the information that are inconsistent with the data-use agreement;
- report to the covered entity any use or disclosure of the information, in violation of the agreement, of which it becomes aware;
- ensure that any agents to whom it provides the limited data set agree to the same restrictions and conditions that apply to the limited data set recipient with respect to such information; and
- not attempt to re-identify the information or contact the individual.
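To make the two de-identification routes above concrete, the following Python example (written for this page; it is neither HHS code nor part of the thesis) applies the safe-harbor method to a constructed patient record and, for comparison, builds a limited data set from the same record and checks which identifier fields remain. The identifier categories follow the Privacy Rule's safe-harbor list (45 CFR 164.514(b)(2)); the field names, the sample record and the list of three-digit ZIP prefixes treated as low-population are assumptions for illustration and must be replaced by the real schema and current census data in practice.

```python
"""Added example (not HHS code, not from the thesis): HIPAA Safe Harbor
de-identification and Limited Data Set construction over a single record.
Identifier categories follow 45 CFR 164.514(b)(2); field names, the sample
record and RESTRICTED_ZIP3 are assumptions for illustration."""
import re

# Safe Harbor identifier categories that must be removed outright.
# Field names are assumed for this example.
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_serial", "url", "ip_address",
    "biometric", "photo", "other_unique_code",
})
# Geographic units smaller than a state; only a 3-digit ZIP prefix may survive.
SMALL_GEO = frozenset({"city", "county", "zip"})
# Date elements directly related to the individual; only the year may survive.
DATE_FIELDS = frozenset({"date_of_birth", "admission_date", "discharge_date"})
# 3-digit ZIP prefixes covering 20,000 people or fewer must become "000".
# Assumed list for illustration; take the real list from current census data.
RESTRICTED_ZIP3 = frozenset({"036", "059", "063", "102", "203", "556", "692"})

# Limited Data Set: direct identifiers go, but city, state, ZIP and dates stay.
# County is not among the permitted address elements, so it is removed too.
LDS_REMOVED = DIRECT_IDENTIFIERS | {"county"}


def zip3(zipcode):
    """Reduce a ZIP to its 3-digit prefix, or "000" for low-population prefixes."""
    digits = re.sub(r"\D", "", str(zipcode))[:3]
    if len(digits) < 3 or digits in RESTRICTED_ZIP3:
        return "000"
    return digits


def year_only(value):
    """Keep only the 4-digit year of an ISO-style date string."""
    m = re.match(r"(\d{4})", str(value))
    return m.group(1) if m else None


def safe_harbor(record):
    """Return a new dict de-identified per the Safe Harbor method."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in ("city", "county"):
            continue                      # dropped entirely
        if key == "zip":
            out["zip3"] = zip3(value)     # generalised, not dropped
        elif key in DATE_FIELDS:
            out[key + "_year"] = year_only(value)
        elif key == "age":
            # Ages over 89 are aggregated into a single "90+" category.
            out["age"] = "90+" if int(value) > 89 else int(value)
        else:
            out[key] = value              # diagnosis, state, etc. are kept
    if out.get("age") == "90+":
        # A birth year would reveal an age over 89, so it must go as well.
        out.pop("date_of_birth_year", None)
    return out


def limited_data_set(record):
    """Return a Limited Data Set: usable only under a data-use agreement."""
    return {k: v for k, v in record.items() if k not in LDS_REMOVED}


def residual_identifiers(record):
    """Fields that would still breach Safe Harbor; empty means the check passes."""
    forbidden = DIRECT_IDENTIFIERS | SMALL_GEO | DATE_FIELDS
    return sorted(k for k in record if k in forbidden)


# Constructed sample record; not a real patient.
SAMPLE = {
    "name": "Jane Doe", "street_address": "1 Example St", "city": "Montpelier",
    "county": "Washington", "state": "VT", "zip": "05602",
    "date_of_birth": "1931-04-12", "admission_date": "2008-03-01", "age": 76,
    "phone": "+1-555-0100", "email": "jane@example.org", "ssn": "123-45-6789",
    "medical_record_number": "MRN-0042", "ip_address": "192.0.2.10",
    "diagnosis": "I10",
}

if __name__ == "__main__":
    print("residual before:", residual_identifiers(SAMPLE))
    print("safe harbor:", safe_harbor(SAMPLE))
    print("limited data set:", limited_data_set(SAMPLE))
```

Note the difference in what survives: the safe-harbor output keeps only the state, a three-digit ZIP prefix, years and the clinical content, so it can be released without authorisation, whereas the limited data set still carries full dates and the city and therefore may only leave the covered entity under a data-use agreement with the obligations listed above. The `residual_identifiers` check is the kind of gate a practitioner would run before any export; it cannot, however, detect the "other unique identifying characteristic" category in free text, which needs expert review.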
Situation in Greece
Greece
According to [20] Greece, or the Hellenic Republic as it is officially called, lies at the southernmost end of the Balkan region. It covers an area of 131 957 km2. It is bordered to the northwest by Albania, to the north by the Former Yugoslav Republic of Macedonia and by Bulgaria, to the north-east by Turkey, to the east by the Aegean Sea, to the south by the Mediterranean Sea, and to the west by the Ionian Sea. Greece’s topography is highly diverse. The numerous islands in the Aegean and Ionian Seas occupy about one-fifth of its territory. Much of the land is mountainous and rugged, less than a fourth is lowland, and about one-fifth is forested. Greece’s population according to the 1991 census was 10 259 900, giving an overall population density of about 78 persons per km2. The capital is Athens, with a population of about 3 400 000.
Figure 1: Greece Map
Greek Health System Historical Background
According to [20], following Greek independence in 1830 and until the end of the nineteenth century, no more than 10% of Greeks had coverage for health care by any type of statutory body. In 1922 the Ministry of Hygiene and Social Welfare was established. The level of care provided at that time was rudimentary compared to that in other European countries. Municipalities and communities controlled the few existing municipal and communal hospitals, while some large hospital institutions were controlled by the state at national level. Some private hospitals were also in existence.
The first step towards a modern state health organisation was the creation of IKA (the Social Insurance Institute) in the mid-1930s. IKA combined health services and pension coverage for Greek citizens who met specific eligibility criteria; under these criteria roughly one in three Greek citizens came to be covered by IKA.
Seven years after IKA was founded, the Second World War led to the construction of many hospitals, but until the end of the war no other important change was made to the system. Five years after the war, and after the end of the Greek Civil War, a separate entity, the National Health Service, was proposed. Its objective was to cover the whole of Greece and to decentralise care into health regions, with three central regions meeting the remaining needs. The plan was accepted by most political parties but was never implemented, mainly because rebuilding the economy was given priority.
The next major step was the construction of the hospitals and the recruitment of the staff the health system needed. During the 1960s Greece grew rapidly and the government had substantial funds available for its health programme and its pension plans. Much of this money, however, was spent with little planning and with micro-politics in mind, so that, even though funds were sufficient, a series of decisions, especially on pension plans, produced cash shortfalls. One example is the farmers and their families, who at that time made up more than 50% of the Greek population and who received coverage for the first time with the establishment of OGA, the Agricultural Insurance Organisation.
Because governments of the 1960s and 1970s gave priority to economic development and to building roads and transport systems, health was among their lowest priorities. Only IKA, which also managed the pension capital collected from about a third of Greek citizens, had the means to expand the number of hospitals and public physicians. IKA also partly funded private hospitals, and many cases were treated in private clinics; the private-hospital model was promoted mainly by the conservative governments of the period, which favoured a liberal mix of public and private providers. The private sector expanded rapidly during the 1960s, largely because many physicians chose to combine their practice with business activities.
This system ran into difficulties under the dictatorship of 1967–1974, when the health system was moved towards a more public, military-style organisation. This approach was set out in the 1968 Patras plan, whose aims were: to expand the public sector's provision of services by establishing new public hospitals; to reduce regional inequalities; to improve health care for the rural population; to introduce a family doctor system; to address the severe shortage of nursing staff; and to improve environmental programmes.
After the fall of the dictatorship, the prevailing view that everything should change led to many good practices being abandoned and a new reform being proposed. To support it, a study of the health care system was commissioned to identify its main problems and propose measures. The main problems it identified were the following:
- coverage was not in proportion to the money spent
- health services were concentrated in the large cities
- rural areas lacked fundamental health services
- public hospitals were not run by professional managers
- the Ministry of Health had no financial autonomy
- the system was not truly free, and unethical practices were routine
These findings started a political battle in which every party proposed its own solution, and none was accepted by all. The result is that for twenty years the Greek health system has been continuously reorganised, while its main source of funding, the public insurance schemes, is repeatedly altered for short-term political gain, which makes the problem worse. A further serious problem is that the revenue of the public insurance schemes is managed not by the Ministry of Health but by the Ministry of Economics, which frequently uses it to close other budget gaps.
A major boost came under the socialist government with the introduction of the National Health Service (NHS) in 1983. From then on, as Greece settled into full membership of the European Community (from 1981), dialogue between the political parties and the Community brought the system closer to the European model. The following were introduced: (a) equity in the delivery and financing of health care services, (b) gradual introduction of private health care alternatives, (c) decentralisation of the planning process, and (d) greater power for the Ministry of Health over the economics of the health system.
In the twenty years after the 1983 act there were no sweeping changes, only improvements in hospitals, infrastructure and salaries, driven largely by the criteria Greece had to meet as a full member of the European Community, which also partly funded them. In particular, the system was decentralised through the establishment of 176 rural health centres and 19 small hospitals. University hospitals were established at Ioannina, Patras and Crete; the combination of universities and hospitals helped the economic growth of these regions and increased their population. Because of the high quality of the public hospitals there was little market for private hospitals; private investment went instead into specialised diagnostic centres.
Although the governing party has changed several times over the last ten years, the system is considered stable because of Greece's obligations to the European Commission, and change is driven mainly by Commission initiatives on socio-economic issues (an ageing population, a difficult economic situation, partial privatisation of the health sector).
More specifically the following are the main concerns:
- Economic freedom
- Introduction of full and part time doctors
- Legislation for the establishment of private hospitals closely related with private international insurance organizations
The Health System today in Greece
Today the health system in Greece has a centralised organisation, the National Health System, which is obliged to provide services to all EU citizens and, under international agreements, to non-EU citizens. Primary care is delivered through rural health centres and provincial surgeries in rural areas and through polyclinics; secondary care is provided by public regional, district and university hospitals, by private for-profit hospitals and clinics, and by hospitals owned by social insurance funds. As a full EU member, Greece treats EU citizens under the same procedure as any other European country. The system is funded from the government budget and from the insurance funds.
Figure 2: Structure of the Greek Health Care System
Current activities in Greece under Europe umbrella
As a full member of the European Union, Greece is obliged to comply with the Union's initiatives. In 2007 the Commission launched the Lead Market Initiative, which sets out an agenda for the deployment of innovative eHealth services, and Greece is taking action to apply it. The EU currently has a worldwide lead in the deployment of regional and national health information networks, and this lead could be turned into significant market opportunities for eHealth systems and services both within the EU and on world markets. The Lead Market Initiative was also intended to address economic challenges in the health sector: health spending is rising faster than GDP and is forecast to reach 16% of GDP by 2020 in OECD countries. As the population ages, the costs of long-term care are rising rapidly, with serious implications for the sustainability of current health and social care systems. The Lead Market Initiative will focus on developing services and markets that can make the sector more efficient (for example, by extending independent living and continuity of long-term care through telemonitoring and telemedicine). While most eHealth investment has so far gone into generic ICT infrastructure in primary and secondary care, future growth is expected in specialised eHealth services such as e-prescriptions, electronic health records, telemonitoring and home care.
Adoption of Technologies in Greece and EU
For these plans to succeed, Europe and Greece need the appropriate infrastructure: the future of health systems is closely tied to the availability of broadband and of wired and wireless telecommunications. A second major issue is the adoption of these technologies by the population and, especially, by general practitioners. We therefore investigated the usage and adoption of these technologies in the EU and in Greece.
Our research located a telephone survey of general practitioners (GPs) across the EU27 conducted in 2007, whose results we present here. The survey gives a positive picture of computer and Internet availability in primary care: over 87% of GPs in the EU27 use computers and 66% use them routinely during consultations. About 70% use the Internet, although only about half of practices are connected through broadband. There are, however, wide differences between countries: Denmark has the highest broadband penetration (91%) and Romania the lowest (about 5%). Connectivity, which directly affects the establishment of eHealth systems, also varies greatly: Denmark, Finland, Norway and the Netherlands have the largest numbers of GPs connected to other health actors, while Latvia, Romania, Bulgaria and Greece have the lowest overall connectivity. According to [5], the potential of eHealth is greatly enhanced where dedicated electronic health networks connect GPs directly to other health actors (hospitals, insurance bodies, health authorities, pharmacies and so on), and from this point of view GPs are still not sufficiently connected. Although 55.2% have access to at least one other institutional network, rates are generally lower for connections to secondary care (hospitals or specialists) and to other actors such as pharmacies. Connectivity to secondary care is more frequent in smaller countries such as Denmark, Norway, the Netherlands and Belgium, probably because interoperability between regional health systems is a significant challenge in larger countries. Finally, GP connections to pharmacies and to patients' homes are not yet developed except in Denmark, which leads in overall GP connectivity.
Connectivity with other health actors is a prerequisite for implementing services such as telemonitoring, eReferral and ePrescription, which are key components of the European eHealth agenda.
According to [5] and published reports in the same EU section at Europa Website it is stated that “those countries most advanced in terms of access and connectivity tends to perform above average in the use of networks for professional purposes. In Denmark, for instance, email is used extensively for communication between doctors and patients, with about 60% of GPs doing so (as against the EU average of 4%). Other examples include Finland and UK (77% and 53%, respectively, for making appointments with other care providers) and Sweden (9% using telemonitoring vs the 1% EU average).” Similarly, wide differences can be observed in the exchange of patient data by electronic networks or the Internet (Figure 3)
Figure 3: Electronic exchange of data for at least one purpose (Greece has one of the lowest percentage) Source: EU
The European eHealth action plan [5] notes one positive and consistent result across countries: the high percentage of GPs using the Internet and computers for their own continuing education (EU27 average 82%). The GP survey shows that differences in eHealth are currently particularly acute between countries. Further eHealth benchmarking at other levels of care and at regional level will be performed during 2008 to assess the remaining gaps in deployment, take-up and use of electronic health services.
Figure 4:Computer Usage in Europe. Greece is near the EU rate. Source: EU -https://www.ehealth-indicators.eu/ICT_ehealth_use/access.html
Figure 5:Internet access in European Countries. Greece is near the EU rate. Source: EU - https://www.ehealth-indicators.eu/ICT_ehealth_use/access.html
Figure 6: Access to broadband in practices. Greece is near the EU rate. Source: EU - https://www.ehealth-indicators.eu/ICT_ehealth_use/access.html
Greece current eHealth indicators
European Union has identified the main eHealth services and based on the adoption by each country of the specific services the level of achievement of each country is being measured. The main services identified by the European Union are:
- Storage of administrative patient data
- Storage of medical patient data
- Use of a computer during consultation
- Use of a Decision Support System
- Transfer of administrative patient data to reimbursers or other carers
- Transfer of lab results from the laboratory
- Transfer of medical patient data to other carers
- E-Prescribing
Based on the above services the current situation in Greece is depicted in the following graph.
Figure 7: eHealth status in Greece, Source: EU https://www.ehealth-indicators.eu/ICT_ehealth_use/scoreboard.html
Figure 8: Indicator scoreboard Patterns of eHealth use in the EU (Source: https://www.ehealth-indicators.eu/ICT_ehealth_use/scoreboard.html)
From the above it is clear that Greece is behind the EU average. Our research, and the data in the previous section, indicate that the main reason is the low adoption of these technologies by general practitioners. To compare Greece with the rest of Europe we present the EU indicator scoreboard (Figure 8), from which it is clear that Denmark and the Netherlands lead the EU in eHealth, followed by Finland and Sweden. In our view the main reason is the maturity of the public health services in these countries, which, combined with widespread use of ICT by the population, enables the establishment of eHealth systems.
To illustrate this we also present the eHealth graphs for Denmark and Finland; the strong connection between ICT adoption and eHealth use is evident.
Figure 9: eHealth use in Denmark, Source:https://www.ehealth-indicators.eu/ICT_ehealth_use/scoreboard.html
Figure 10: eHealth use in Finland, Source: https://www.ehealth-indicators.eu/ICT_ehealth_use/scoreboard.html
Greece current situation regarding privacy
Security and protection of personal medical information is considered a specific part of the overall rights to privacy and to secrecy of information and communication. The Constitution of Greece recognises the rights of privacy and secrecy of communications. Article 9 states: "(1) Every person's home is a sanctuary. The private and family life of the individual is inviolable. No home search shall be made, except when and as specified by law, and always in the presence of representatives of the judicial power. (2) Violators of the preceding provision shall be punished for violating the home's asylum and for abuse of power, and shall be liable for full damages to the sufferer, as specified by law."
A constitutional amendment in 2001 added a new provision to this article granting individuals a direct right to protection of their personal information. The new provision, Article 9A, states: "All persons have the right to be protected from the collection, processing and use, especially by electronic means, of their personal data, as specified by law. The protection of personal data is ensured by an independent authority, which is established and operates as specified by law."
Article 19 of the Constitution protects the privacy of communications. It states: "Secrecy of letters and all other forms of free correspondence or communication shall be absolutely inviolable. The guarantees under which the judicial authority shall not be bound by this secrecy for reasons of national security or for the purpose of investigating especially serious crimes shall be specified under law."
The 2001 amendment also added two new paragraphs to this article and established an independent authority to supervise matters relating to the secrecy of communications. Article 19(2) now states: "The matters relating to the establishment, operation and powers of the independent authority ensuring the secrecy of paragraph 1 shall be specified by law." Article 19(3) states: "The use of evidence acquired in violation of the present article and of articles 9 and 9A is prohibited."
Data Protection Framework
Law 2472/1997 on the Protection of Individuals with regard to the Processing of Personal Data (the Data Protection Act) was passed by Parliament in April 1997. Greece was the last EU member state to adopt a data protection law, and its law was written to transpose the EU Data Protection Directive 95/46/EC directly.
Data Protection Authority
The Data Protection Act also established the Hellenic Data Protection Authority (DPA), responsible for ensuring that the Act's guidelines, principles and rules on the use, processing, storage and export of personal data, in both electronic and manual files, are applied in Greece. The DPA is an independent authority, as required by Article 9A of the Constitution, and is not subordinate to any government ministry.
According to the DPA's official site (https://www.dpa.gr), it has 24 members, mainly university professors from both technological fields (telecommunications, IT) and non-technological fields (law).
The DPA enforces the Act and may impose administrative and penal sanctions on controllers or their representatives. Administrative sanctions range from a warning with an order to end the violation within a set time limit, to destruction of the file or a ban on processing and destruction of the relevant data. Penal sanctions include imprisonment of up to three years and a fine of between 300 000 and 1 500 000 EUR.
The DPA is responsible for archival audits, issuing regulatory acts arising from legislation on data protection, and providing information and recommendations to interested parties to ensure compliance with data protection regulations. Its mandate includes issuing directives to enhance uniformity in implementation and to protect personal data vis-à-vis technological developments; assisting controllers in drafting codes of conduct; examining complaints; reporting violations; and issuing decisions related to the right to access information. The DPA grants permits for the collection and processing of sensitive personal data and is accountable for the interconnection of files, including sensitive data and the trans-boundary flow of personal data. The DPA's communications office is in charge of all public relations and communication with private and public services and institutions, the media, foreign data protection authorities, European Union authorities, and international organizations and institutions.
According to [25] “In 2004, the Greek Data Protection Authority received 626 complaints, 682 questions regarding data protection matters and 663 registrations to Robinson’s List (list of persons who do not wish data relating to them to be submitted to processing for the promotion of sales and long distance services), conducted 36 controls to files, issued 66 decisions and three opinions. The majority of the complaints are examined by the Auditors Department. Some complaints are also examined by the Board. A decision or an answer is issued and the interested parties are notified.”
Conclusions
In this section we presented the state of the Greek health system and the initiatives for eHealth adoption in Greece. The facts show that Greece initially followed its own path in formalising its health system, and that this path did not include the introduction of technology, because the priority was to build the foundations of the system (hospitals, doctors, social security, insurance institutions). During the 1980s and 1990s, after Greece became a full member of the European Union, it began to work in parallel with the other European countries to modernise the system and to introduce new technologies. Under the EU umbrella Greece is clearly starting to introduce eHealth technologies, but our research leads us to conclude that this is not enough. General practitioners need to adopt these technologies and use them daily, and for this the infrastructure (broadband connectivity, wireless communications and so on) must first be made available to the main personnel of the health system. Our research, and the broadband report for Greece, show that progress on infrastructure and broadband availability has been made over the last three years. Finally, we examined the Greek privacy framework and concluded that it is general and does not deal specifically with health data. This is mainly because eHealth has not yet been implemented and adopted and is still under discussion with the EU. We expect that in the coming years Greece will adopt the EU guidelines and provide a unified eHealth system based on EU-approved standards.
The European Union closely monitors the eHealth status of its member states and has defined the main services that constitute eHealth. Our research produced data that support our position on the interrelation between the maturity of public health services, technology adoption and eHealth use. In particular, the Scandinavian countries (Denmark, Finland, Sweden) are currently the pioneers of eHealth in Europe and have achieved most of the goals, while the rest of Europe lags far behind.
Data protection applied to health system
In this section we present the main concepts of data protection as applied to health systems. We present the current status mainly from the United States, which pioneered this field and has more than 30 years of experience: the US Privacy Act and the main definitions used in this document. We also present the similar EU approach, which is closely related to the US proposals and standards.
US Privacy Act
In the US, the Privacy Protection Study Commission (PPSC) was created by the Privacy Act of 1974 to investigate the personal data record-keeping practices of governmental, regional and private organisations. In its landmark 1977 report, Personal Privacy in an Information Society (PPSC, 1977a), the commissioners noted that “every member of a modern society acts out the major events and transitions of his life with organizations as attentive partners. Each of his countless transactions with them leaves its mark in the records they maintain about him.” The report went on to point out that “... as records continue to supplant face-to-face encounters in our society, there has been no compensating tendency to give the individual the kind of control over the collection, use, and disclosure of information about him that his face-to-face encounters normally entail.” [22]
Health services research (HSR), through the analysis of large databases of health information, offers the potential to improve the quality of health care delivery and the effectiveness of health care policies. At the same time, the analysis of personally identifiable health information from many individuals raises concerns about privacy and confidentiality. There is a need to protect the individual subjects of study by taking measures that are reliable but also compatible with good research that can benefit society as a whole. Ensuring both values is particularly important at this time because of policy debates about health privacy and the confidentiality of computerised health information, and because of recent criticism of the effectiveness of institutional review boards (IRBs) in protecting research subjects, although much of that criticism has actually focused on clinical trials.
Privacy of health records is examined in two settings: the first when the data are created and maintained, the second when they are stored and retrieved electronically. Before digitisation, records were additionally protected by their physical characteristics: they were bulky, hard to move and hard to link with other personal information. Today the data are digitised and stored in a single bits-and-bytes format that can be transmitted around the world in seconds. Because each record must be used by many practitioners and administrative staff, records are tagged and linked to other personal data, which also makes it feasible for eavesdroppers and unethical parties to exploit them. Because health status is related to lifestyle, further unique personal information becomes attached to the collected data set. In the era of genomics and bioinformatics, genetic data are also slowly being integrated, beyond simple testing. [22] All of this is important for the ultimate goal of personalised medical treatment, but it also increases the security risks: the same data could be used by “decision makers” to deny a patient appropriate treatment on “economic” criteria (profit) instead of “health” criteria.
Such “economic” decisions are made by parties outside the healing relationship whose profit margins depend on detailed personal information. This may sound extreme, but it has become reality, and the fact that the public pension organisations that actually fund national health systems now hold their capital in the form of shares shows clearly why eHealth should be strengthened with respect to security. In addition, eHealth leaves every individual with a data trail that follows them for life; given the ageing of Europe and of Western societies in general, this could give rise to new kinds of discrimination in daily activities such as hiring and the issuing of insurance.
In the second setting, the storage and retrieval of health data, the benefits of electronics, the Internet and digitisation clearly bring risks with them, since they make the eavesdropper's job easier; the data must be protected, or the benefits are not worth having. The same problems existed in the past, but several factors made eavesdropping harder: storage was itself a problem, and eavesdropping could only be done locally, after bypassing physical barriers to entry.
As for storage, the sheer volume of data has led to distributed storage centres, many of which are administered by people who are not security experts. Because copies of the data must be kept both locally, where the examination takes place, and remotely on a central server, this problem cannot be solved by any single technology; it also requires security processes defined by a regulatory framework.
Add to this the profit-maximisation rule of business and the marketing trend towards personalisation, and it becomes clear that companies will press medical practitioners to request and collect additional marketing information about each patient. Combined with the weakness in the law that permits use of collected patient health data as long as personal identifiers are not shown, this enables a statistical data market between companies and health service and pharmaceutical providers.
Definitions
According to [22], the most general and common view of privacy conveys notions of withdrawal, seclusion, secrecy, or of being kept away from public view, but with no pejorative overtones. By contrast, an invasion of privacy occurs when there is intentional deprivation of the desired privacy to which one is entitled. In public policy generally and health policy in particular, privacy takes on special meanings, some derived from moral theories, others from legal doctrine, and one from the widespread use of health information. According to [23], privacy is sometimes characterized as the "right to be left alone".
Beside the above definitions, many people believe that such a definition is too broad and that, depending on the context being protected, a more accurate definition can be given. In the case of e-Health privacy we select the informational privacy definition as documented in [22], first described by Schoeman, Allen and Powers; according to this definition informational privacy is “a state or condition of controlled access to personal information”. This definition also captures an important characteristic of this kind of information, namely that privacy is lost “whenever another party has access to one's personal information by reading, listening, or using any of the other senses. Such loss of privacy may be entirely acceptable and intended by the individual, or it may be inadvertent, unacceptable, and even unknown to the individual.”
The same concept, “informational privacy”, is also defined by Westin [24] as "the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others", and its importance is stated by Westin [24] thus: “informational privacy has value for all in our society, and it accordingly has special claims on our attention.”
It seems that the authors of the Privacy Act of 1974 liked these definitions, since they are also included in that act, which according to historians is the most significant step towards protecting privacy in a modern society. Today discussions about privacy are mainly related to “recordkeeping privacy” and mostly to political issues; this is logical, since the Privacy Act of 1974 was targeted at this specific interest group.
With the introduction of technology and its integration into all our day-to-day activities, the information being stored is no longer only some votes every four years, and the concerns have extended beyond political issues. In addition, the evolution of statistics and the integration of data mining technologies with business-related sciences (marketing) have introduced privacy concerns for a second level of stored information, which is semi-personal but identifies a large number of aspects of the individual.
Another term related to privacy is confidentiality; this term connects the patient with the health system. A patient acting in good faith provides his information to a health system which acts as a confidante, meaning that it has a duty to honour the information the patient has shared with it. Of course the health system is not, like the patient, an individual but a large number of people who will have access to this information and whom the patient will most probably never meet face to face. From the above it is obvious that a patient cannot feel that the secret is safe as it is; in the past, in similar cases, the “secret” was locked with a key which only the “secret” owner or his confidante possessed. A similar approach is present in technology today with the public key encryption mechanism, but what is this key approach called? According to the standards regarding security, this approach is named as follows: “data disclosure, whether or not any relationship exists between a data subject and a data holder, an essential construct is that of data confidentiality.” Data confidentiality, as mentioned previously, is additional information attached to the data which states that the enclosed information is protected and must be treated as such.
Security
In the context of health record information, confidentiality implies controlled access and protection against unauthorized access to, modification of, or destruction of health data. Confidentiality has meaning only when the data holder has the will, technical capacity, and moral or legal authority to protect data, that is, to keep such information. Data security exists when data are protected from accidental or intentional disclosure to unauthorized persons and from unauthorized or accidental alteration.
In computer-based or computer-controlled systems, security is implemented when a defined system functions in a defined operational environment, serves a defined set of users, contains prescribed data and operational programs, has defined network connections and interactions with other systems, and incorporates safeguards to protect the system against a defined threat to the system, its resources, and its data.
More generally, protective safeguards include:
- hardware (e.g., memory protect);
- software (e.g., audit trails, log-on procedures);
- personnel control (e.g., badges or other mechanisms to control entry or limit movement);
- physical object control (e.g., logging and cataloging of magnetic tapes and floppy disks, destruction of paper containing person-identifiable printouts);
- disaster preparedness (e.g., sprinklers, tape vaults in case of fire, flood, or bomb);
- procedures (e.g., granting access to systems, assigning passwords);
- administration (e.g., auditing events, disaster preparedness, security officer); and
- management oversight (e.g., periodic review of safeguards, unexpected inspections, policy guidance).
In a study that focuses on the protection of health-related data about individuals, defining which items are health related is more difficult than one might initially think. The most obvious categories are medical history, current diagnoses, diagnostic test results, and therapies. Other pieces of information are more distantly related to health—because of what one might infer about a person's health. Examples include type of specialist visited, functional status, lifestyle, and past diagnoses. Nevertheless, not everything in a medical record is relevant to health status or is health related. Insurance coverage and marital status are cases in point. Some elements could nevertheless be considered sensitive because of the social stigma that could result if they are revealed. Examples include sexual preference, address, or the receipt of social services.
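As an added illustration (not from the thesis or from the report it cites), the following Python sketch implements the confidentiality protections and safeguards listed above: controlled access by role, protection of records against unauthorized modification and destruction, an audit trail of every request, an integrity digest, and a classification of record fields following the taxonomy just described. The roles, the read policy and the sample record are constructed assumptions; the "researcher" role models statistical use where personal information is not shown.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Field classes following the text: obviously health related, health related
# by inference, not health related, socially sensitive; identifiers are listed
# separately so that they can be withheld from statistical users.
FIELD_CLASS = {
    "patient_id": "identifier", "name": "identifier",
    "diagnoses": "health", "test_results": "health", "therapies": "health",
    "specialist_visited": "inferential", "lifestyle": "inferential",
    "insurance_coverage": "non_health", "marital_status": "non_health",
    "address": "sensitive", "social_services": "sensitive",
}

# Constructed role policy (an assumption, not from the thesis): the field
# classes each role may read.  "researcher" models statistical use only.
READ_POLICY = {
    "treating_clinician": {"identifier", "health", "inferential",
                           "non_health", "sensitive"},
    "billing_clerk": {"identifier", "non_health"},
    "researcher": {"health", "inferential"},
}
WRITE_ROLES = {"treating_clinician"}   # may create or modify records
DELETE_ROLES = {"records_officer"}     # may destroy records


class AccessDenied(PermissionError):
    """Raised (and audited) when a request falls outside the role policy."""


@dataclass
class RecordStore:
    records: dict = field(default_factory=dict)  # patient_id -> record
    digests: dict = field(default_factory=dict)  # patient_id -> SHA-256
    audit: list = field(default_factory=list)    # audit trail entries

    @staticmethod
    def _digest(record):
        canonical = json.dumps(record, sort_keys=True).encode()
        return hashlib.sha256(canonical).hexdigest()

    def _audit(self, actor, role, action, patient_id, outcome):
        self.audit.append({"actor": actor, "role": role, "action": action,
                           "patient_id": patient_id, "outcome": outcome})

    def _require(self, actor, role, action, patient_id, allowed_roles):
        if role not in allowed_roles:          # refusals are logged too
            self._audit(actor, role, action, patient_id, "denied")
            raise AccessDenied(f"{role} may not {action} {patient_id}")

    def write(self, actor, role, record):
        """Create or overwrite a record; only write roles may do this."""
        pid = record["patient_id"]
        self._require(actor, role, "write", pid, WRITE_ROLES)
        self.records[pid] = dict(record)
        self.digests[pid] = self._digest(self.records[pid])
        self._audit(actor, role, "write", pid, "ok")

    def read(self, actor, role, patient_id):
        """Return only the field classes the role is entitled to see."""
        self._require(actor, role, "read", patient_id, READ_POLICY)
        view = {k: v for k, v in self.records[patient_id].items()
                if FIELD_CLASS.get(k) in READ_POLICY[role]}
        self._audit(actor, role, "read", patient_id, "ok")
        return view

    def delete(self, actor, role, patient_id):
        self._require(actor, role, "delete", patient_id, DELETE_ROLES)
        del self.records[patient_id], self.digests[patient_id]
        self._audit(actor, role, "delete", patient_id, "ok")

    def verify(self, patient_id):
        """Detect alteration that bypassed write(), e.g. a direct edit."""
        return self._digest(self.records[patient_id]) == self.digests[patient_id]


# Constructed sample record; every value is fictitious.
SAMPLE = {
    "patient_id": "P-0001", "name": "Example Patient",
    "diagnoses": ["hypertension"], "test_results": {"bp": "150/95"},
    "therapies": ["lisinopril"], "specialist_visited": "cardiologist",
    "lifestyle": "smoker", "insurance_coverage": "IKA", "marital_status": "married",
    "address": "Example Street 1, Athens", "social_services": "none",
}


def demo():
    store = RecordStore()
    store.write("dr_a", "treating_clinician", SAMPLE)
    research_view = store.read("stat_b", "researcher", "P-0001")
    try:
        store.delete("clerk_c", "billing_clerk", "P-0001")  # denied, audited
    except AccessDenied:
        pass
    store.records["P-0001"]["diagnoses"] = []  # tampering outside write()
    return research_view, store.verify("P-0001"), store.audit
```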
Figure 11: A new taxonomy of data confidentiality, security, and informational privacy. (Source: Health Data in the Information Age: Use, Disclosure, and Privacy – 1994)
The three issues, data confidentiality, security, and information use, are obviously related (Figure 11). They overlap to some extent and collectively represent the area of direct concern in this report. One reason to keep the three issues separate is that different remedies are relevant to each.
- Data confidentiality is a matter of law and regulation. Legislation would be required to establish that health-related information is confidential, to spell out the rationale for the position, and to clarify the ramifications and consequences of attaching protection to health data.
- Security is a matter of technology, management controls, procedures, and administrative oversight. In the public sector, the action agents are regulators; in the HMO, a policy and oversight board could establish security policies. Implementation and management would be provided by technical and system design personnel.
- Informational privacy (information use) is the most difficult to sort out.
It must be noted that, after the 9/11 incidents, a large number of citizens globally are not sure whether total privacy is preferable to reduced privacy in order to fight terrorism. Until nations agree on this, and consequently on health-related information, it is not yet clear how this will or can be done. At the level of the HMO, information use would be decided by the governing board. At a regional or national level, federal agencies, legislators, professional bodies, consumer advocates, and industrial lobby groups are all likely to be involved.
European Union Privacy Act
The European Union has also been active on the issues of privacy and the protection of personal information. The first action from the EU was in October 1995 and was documented in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The Directive was adopted by the member countries (of that period) and the progress of the adoption is available through the European Union official site [23]. Greece adopted it and took the necessary actions through the establishment of the Hellenic Data Protection Authority two years later, in 1997.
The second major step for data protection is Directive 2002/58/EC of the European Parliament regarding the protection of health patient identifiable data and its privacy in the electronic communications sector. This Directive is complementary to the first one and also includes issues and measures regarding how the collected data are processed so as to ensure the data protection of the individual. In addition to the 2002 Directive, the European Union also published Directive 2006/24/EC in order to include a special category of data generated by the provision of publicly available electronic communications services or of public communications networks, amending Directive 2002/58/EC. The two additional directives have not yet been applied by the European countries, including Greece, since they have not yet been approved by the European countries.
It must be noted from the above that the EU has updated the directive twice in the last five years, mainly due to the terrorist attacks in the US, UK and Spain. More specifically, the EU has made the directives less strict regarding the protection of the data, which is the main reason why they have not yet been adopted by the countries, since a large majority has not yet been convinced.
Interviews
From our study we collected a large amount of information regarding e-health systems and the security aspects upon which many countries have based the regulations and standards they developed specifically for e-Health systems. In addition we identified the current situation of the Health System in Greece based on a literature and historical survey and on past newspaper articles. We understood the importance of the European Union acting as a central authority, and its strategic goal of achieving, by 2010, a minimum acceptable level of e-health in each full member country. The missing point which this section tries to fill is to include in our report real metrics from representatives of the Health system in Greece. Having understood the importance of e-health and its problems, we wanted to know the opinions of the decision makers in the health industry. In this section we present the findings of these interviews.
Partners
We talked in total with four managers of Greek NHS hospitals, two of them from Athens (Evagelismos and Sotiria) and the other two from the University Hospitals of Ioannina and Patras, and with one from a small hospital on Milos Island. In addition we interviewed the manager of the private clinic Ygeia in Athens. We decided to interview these categories of hospitals for the following reasons:
- In order to compare how well prepared private and public hospitals are for the e-health concept, especially in security and utilization issues
- In order to identify whether the region plays a role
- In order to identify whether University hospitals, being closer to research and technology, know more than non-University hospitals
- In order to identify whether small clinics with a limited number of cases care as much about e-health as large urban hospitals
- In order to better understand how the health system works in Greece and how well it is prepared for the EU goal (communication from the Ministry etc.)
Procedure
The procedure that we followed was the following:
- We sent a letter in Greek during June informing them of the project and asking if they wished to participate.
- After a positive reply we sent the email questionnaire with a cover letter.
- The structured email questionnaires sent back were incorporated into a spreadsheet for ready analysis.
The letter, sent via email, was the following.
Dear Mr XXXXX
Your Hospital E-Health 2010 goal readiness
I’m a student of Kingston University and for the completion of my thesis I’m investigating e-Health system concepts and the current situation in Greece. During my thesis I’m conducting research in order to identify the level of readiness of Greek hospitals to satisfy the strategic goal of 2010 for a European eHealth society.
If you would like to participate, I would appreciate it if you replied to this email; you will then automatically receive a structured email with the questionnaire. You will receive a copy of the results by email.
You are not obliged to take part in this research project and it will make no difference to the care you receive whether you participate or not.
Progress and results of the Project will be displayed in the Practice and the Trust.
Any information you supply will be treated in the strictest of confidence and in accordance with the Practice’s and Trust’s policies on confidentiality.
If you have any queries please don’t hesitate to contact me directly via my personal mobile phone XXXXXXXXX
Yours sincerely
Panagiotis Pilixos
The questionnaire sent was the following:
EMAIL QUESTIONNAIRE - Remember to click REPLY before filling this page in.
· Thank you for replying to the Letter regarding the Project - Your Hospital E-Health 2010 goal readiness
· A copy of the results of the survey, will be sent to you after the completion
· Only answer those questions you wish to.
· Any information you supply will be treated in the strictest confidence and in accordance with the Trust's and Practice's policies on confidentiality. (www.dpa.gr)
· Any data collected will be used only for the purposes of this project and will not be disclosed to any other person or organisation
· After completing the questionnaire please return to the email address shown as soon as possible
· ONLY ANSWER BETWEEN THE BRACKETS { } DO NOT ALTER THE QUESTIONNAIRE IN ANY WAY.
01 :{ } (Y / N) Are you aware of European Union Strategy goal of 2010 for eHealth
02 :{ } (Y / N) The hospital provides to each practitioner an Email account
03 :{ } (Y / N) The hospital provides to each practitioner a broadband connection at home
04 :{ } (Y / N) The hospital provides to each practitioner a mobile broadband connection at home or a mobile email connection (blackberry)
05 :{ } (Y / N) Do patients at your hospital communicate with their doctors via email
06 :{ } (Y / N) Do you exchange patient health information via email
07 :{ } (Y / N) Is the patient record stored electronically
08 :{ } (Y / N) Are you aware of DSA authority in Greece
09 :{ } (Y / N) Does your hospital have telemedicine equipment
10 :{ } (Y / N) Does your hospital have backup systems for digital patient data
11 :{ } (Y / N) Does your hospital have a remote backup system for digital patient data
12 :{ } (Y / N) Does your hospital have installed protection systems for the digitized medical information
13 :{ } (Y / N) Do you have WiFi inside the hospital for office PC’s
14 :{ } (Y / N) Is the WiFi secured and under compliance with EU regulations for eHealth?
15 :{ } (Y / N) Do you have an IT department inside the hospital which administers the network
16 :{ } (Y / N) Do you have a budget for training the practitioners in the usage of IT
Thank you for your cooperation.
The responses from the hospital managers were the following:
Figure 12: Questionnaire analysis
Critical evaluation of the results
From the replies we reached the following conclusions:
- Question 1: the European i2010 eHealth goal is known to the majority, but it seems to be known mainly by those close to research (University hospitals).
- Question 2: Email is a familiar tool and each hospital offers to their doctors an email address
- Question 3: Only private and university hospitals offer broadband connections to their doctors. The reason why other public hospitals don’t offer a broadband connection might be the cost, which a University hospital doesn’t have, since the broadband connection is provided via the University’s local wireless metropolitan network.
- Question 4: Only the private hospital offers its doctors mobile connectivity; this could be considered mainly an economic issue and a lack of funding from the Greek government.
- Question 5: The fact that 100% of the doctors from all hospitals don’t have email communication with their patients demonstrates the situation in Greece and the low penetration of email communication outside work.
- Question 6: Only private and university hospitals use email to exchange medical information and more specifically according to the hospital managers this is done mainly between doctors.
- Question 7: Mainly due to legislation, it was noticed that all hospitals had only digital medical instruments. In addition, since the majority of these are from the US, two hospitals noted that they support HIPAA standard formats.
- Question 8: The knowledge of dpa.gr is considered to be mainly due to the 2004 Olympic games, the first case where this regulatory body had press coverage, regarding the traffic cameras. (This was also mentioned by three managers as a comment.)
- Question 9: Mainly telemedicine was available when it was needed at the University hospital of Ioannina and the small hospital at Milos in order to support remotely nearby villages and islands.
- Question 10: Only the private hospital had local backup of the digital patient data, but all hospitals had (Question 11) remote backup storage. This must be related to the regulations with which each hospital must comply.
- Question 12: It was very important to notice that none of the hospitals had installed an additional protection system for the data. This could be due to the centrally stored server, which also reduces the costs.
- Question 13: All hospitals had installed wireless networks for interconnecting the office PCs.
- Question 14: The answer to this question is interconnected with Question 15; it is obvious that only those hospitals (large enough) having an IT department knew whether the WiFi satisfied the specified criteria.
- Question 16: It is obvious that IT training is only available in private hospitals, mainly due to budget issues.
Conclusions
Health information technology, applied following worldwide standards and the proposed security measures, is beneficial for the members of society. It can reduce costs through the proper management of resources without compromising the satisfaction of the patients. The following benefits have been identified from the incorporation of technologies into the day-to-day activities of the health system:
- Improved health care quality of service
- Minimization of medical errors related to appointments, offered medication etc.
- Reduction of health care costs
- Administration has more tools which could increase their efficiency and overall the performance of the system
- Ecological benefits like any other paperless organization (less paper, less transportation)
Regarding the individual patient, the above benefits will overall increase the level of the offered service. In addition, data mining on the stored data will also have a huge impact on overall public health; more specifically:
- Due to the global interoperation between countries, early detection of infectious disease outbreaks is feasible; a recent example was the World Health Organization's bird flu response during 2005-2006, which demonstrated that health globalization can be helpful in such cases.
- Stored records of past diseases could enable tools which will improve the tracking of chronic disease management.
In our study we examined the current situation regarding e-Health and data privacy issues globally (US, Asia) and locally (Europe and Greece). One of the first conclusions is that the importance of a medical information system, as well as of the privacy issues, has been recognized by all countries; this is evident from the funding given by the European Commission and from the monitoring of the eHealth status of all the countries. In our opinion globalization also plays a major role, since from our research it was obvious that the standards regarding e-Health were developed in cooperation between countries and not alone. In addition we should not forget that eHealth also has business perspectives and, being connected with ICT technologies, the major players of this industry are more in favour of standards in order to reduce the cost of ownership of eHealth products.
Beside the “global conclusion” we also presented facts about the overall Health system in Greece and the initiatives regarding e-Health adoption in Greece. From the given facts it is obvious that initially Greece followed a solitary approach to the formalization of the Health system, mainly focused on data entry. Initially, since Greece did not have a Health system in the first place, the attempts were not focused on technology usage but on building the basis for a health system (hospitals, doctors, social security, insurance institutions etc.). During the 80s and 90s, after Greece had become a full member of the European Union, Greece started to work in parallel with the rest of the European countries in order to modernize the system and to start including new technologies in the Health System. Under the umbrella of the EU, Greece is obliged to adopt and use e-Health technologies, but from our research we concluded that this is not enough. It was obvious from our research that there are barriers to overcome, such as the availability and adoption of ICT technologies by general practitioners on a daily basis. To accomplish this, the infrastructure (i.e. broadband connectivity, wireless communications etc.) should first be made available to the main personnel of the Health system. From our research and from the broadband report for Greece it was obvious that during the last three years progress has been made regarding the infrastructure and broadband availability.
Regarding eHealth privacy, from our research we discovered that the European Union is the main regulatory body, that no eHealth-specific privacy directives are available, and that the matter is examined under a general framework (directives) for security and privacy. It is obvious from our research that the European Union member countries do not fully approve of the currently proposed directives, which are also characterized as “Big Brother”. The majority of the eHealth security-related standards in use came mostly from the United States and more specifically from the Health Insurance Portability and Accountability Act, which is currently used by the majority of eHealth providers. It must be noted that from our research we discovered that the majority of European health informatics companies are closely related with US companies and that there is a strong push for the American eHealth standards (HIPAA) to be adopted (with minor modifications) by the European Union; examples are SAP, Microsoft and IBM.
Lastly, from our research the situation in the Greek Health System has similarities with the penetration of IT into Greek society. It was obvious from the questionnaire we sent, to which we received replies from 6 hospitals, that in brief the hospital managers are aware of the benefits of e-Health but, mainly for economic reasons, they are not ready to meet the i2010 goal.
References
[1] https://en.wikipedia.org/wiki/Medical_informatics
[2] Certification Commission for Healthcare Information Technology (July 18, 2006): CCHIT Announces First Certified Electronic Health Record Products Retrieved July 26, 2006
[3] Certification Commission for Healthcare Information Technology (July 31, 2006):CCHIT Announces Additional Certified Electronic Health Record Products Retrieved July 31, 2006
[4] European eHealth Action Plan
[5] European eHealth Action Plan i2010
[6] UK Council for Health Informatics Professions (UKCHIP)
[7] APAMI Asia Pacific Association for Medical Informatics
[8] Health Informatics Section in Hong Kong Hospital Authority
[9] Hong Kong Society of Medical Informatics
[10] eHealth Consortium
[11] Indian Association for Medical Informatics
[12] Indian Journal of Medical Informatics
[13] Australian College of Health Informatics
[14] Health Informatics Society of Australia
[15] Introduction to the Minitrack: Health Care Data Management, Donald J. Berndt and James Studnicki. Proceedings of the 34th Hawaii International Conference on System Sciences – 2001
[16] Consumer Decision Support Systems: A Health Care Case Study, Donald J. Berndt. Proceedings of the 34th Hawaii International Conference on System Sciences – 2001
[17] Protecting Privacy of Health Information through Privacy Broker, Jaijit Bhattacharya, S.K.Gupta and Bhurvi Agrawal. Proceedings of the 39th Hawaii International Conference on System Sciences – 2006
[18] https://www.hhs.gov/healthit/privacy/resources.html
[19] Agrawal R., Kiernan J., Srikant R. and Xiu Y, Hippocratic Databases (Vision Paper). IBM Almaden Research Center. 2002
[20] https://www.cia.gov/library/publications/the-world-factbook/
[21] EPIC and Privacy International, Privacy and Human Rights 2005
[22] Health Data in the Information Age: Use, Disclosure, and Privacy, (1994) Institute of Medicine, available online https://books.nap.edu/openbook.php?record_id=2312&page=137
[23] https://ec.europa.eu/justice_home/fsj/privacy/law/implementation_en.htm
[24] Privacy and Freedom, Westin (1967)
[25] https://www.privacyinternational.org/article.shtml?cmd[347]=x-347-559534
[26] Centre for Global eHealth Innovation (Canada)
[27] Centro de Educación Virtual y Simulación, División de Educación Fundación Santa Fe de Bogotá (Colombia)
[28] Norwegian centre for Telemedicine (WHO Collaborating Centre)
[30] e-Health (European Union)
[31] International Society for Telemedicine & eHealth
[33] Warwick eHealth Research Group
[34] eHealth Initiative
[35] e-Health Nurses Network (UK)
[36] LiTel - Telehealth League of Federal University of Minas Gerais - UFMG Brazil
[37] The Australian e-Health Research Centre (Australia)
[38] eHealthLAB: knowledge center showcasing eHealth best-practices
[39] APEC e-Health Portal Site (Korea)
[40] Health2.info: Health 2.0 Information Social Network
[41] British Computer society Health Informatics Forum, encompassing e-Health
[42] Smart Systems for Health Agency (Ontario, Canada)
[43] HealthcareMagic (Bangalore, India)
[44] Hall of Fame of Utah Technology Council
[45] US Office of the National Coordinator for Health Information Technology (ONCHIT)
[46] https://www.linuxmednews.org Linux Medical News
[47] Certification Commission for Healthcare Information Technology (July 18, 2006): CCHIT Announces First Certified Electronic Health Record Products Retrieved July 26, 2006
[48] Certification Commission for Healthcare Information Technology (July 31, 2006):CCHIT Announces Additional Certified Electronic Health Record Products Retrieved July 31, 2006
[49] European eHealth Action Plan
[50] European eHealth Action Plan i2010
[51] UK Council for Health Informatics Professions (UKCHIP)
[52] National Programme for IT in the NHS
[53] APAMI Asia Pacific Association for Medical Informatics
[54] Health Informatics Section in Hong Kong Hospital Authority
[55] Hong Kong Society of Medical Informatics
[56] eHealth Consortium
[57] Indian Association for Medical Informatics
[58] Indian Journal of Medical Informatics
[59] Australian College of Health Informatics
[60] Health Informatics Society of Australia
[61] IT applications in health care technology
Literature
[1] Health Data in the Information Age: Use, Disclosure, and Privacy, (1994) Institute of Medicine, available online https://books.nap.edu/openbook.php?record_id=2312&page=137
[2] HIPAA for Health Care Professionals by Carole Krager and Dan Krager
[3] The Practical Guide to HIPAA Privacy and Security COMPLIANCE, by Kevin Beaver, Rebecca Herold
[4] HIPAA in Daily Practice, by Allan F. Gilbreath, Charles R. Dinkins 2003
[5] Building Foundations for Ehealth By World Health Organization Global Observatory for eHealth
[6] EHealth 2005 - Telematics in Health Care, IOS Press, Incorporated, Gvg
[7] European Conference on EHealth 2006: Proceedings of the ECEH'06,
Organized by European Research Net on EHealth
Glossary of terms
ACHI
Australian College of Health Informatics
AMIA
American Medical Informatics Association
APAMI
Asia Pacific Association for Medical Informatics
CCHIT
Certification Commission for Healthcare Information Technology
CMS
Clinical Management System
CPOE
Computerized Physician Order Entry
CPRS
Computerized Patient Record System
DPA
Data Protection Authority
EC
European Council
EPAL
Enterprise Privacy Authorization Language
EPIC
Electronic Privacy Information Center
EPR
Electronic Patient Record
ESY
Greek National Health System
EU
European Union
FLOSS
Free and Open Source Software
FOIA
Freedom of Information Act
GDP
Gross Domestic Product
GP
General Practitioner
GRD
Greek Drachmas (1 Euro = 365.75 GRD)
EHR
Electronic Health Record
HHS
Health and Human Services
HIPAA
Health Insurance Portability and Accountability Act
HISA
Health Informatics Society of Australia
HKSMI
Hong Kong Society of Medical Informatics
HMO
Health Maintenance Organization
HSR
Health Services Research
IAMI
Indian Association for Medical Informatics
ICT
Information and Communication Technology
IEC
International Electrotechnical Commission
IEEE
Institute of Electrical and Electronics Engineers
IKA
Greek Social Security Organization
IMIA
International Medical Informatics Association
IRB
Institutional Review Boards
ISO
International Standards Organization
IT
Information Technology
KEPE
Centre of Planning and Economic Research
KESY
Central Health Council
MUMPS
Massachusetts General Hospital Utility Multi-Programming System
NHHI
National Health Information Infrastructure
NHS
National Health Service
NIH
National Institutes of Health
OECD
Organisation for Economic Co-operation and Development
OGA
Greek Agricultural Insurance Organization
ONCHIT
Office of the National Coordinator for Health Information Technology
PKI
Public Key Infrastructure
UKCHIP
United Kingdom Council for Health Informatics Professions
WHO
World Health Organization
XML
eXtensible Markup Language