E-Health data risks & protection for public cloud : An elderly healthcare usecase for Swedish municipality

Abstract: Organizations are increasingly adopting the cloud to meet their business goals more cost-effectively. Cloud benefits like scalability, broad access, high availability, and cost-effectiveness provide a great incentive for organizations to move their applications to the cloud. However, concerns regarding privacy data protection remain one of the top concerns for applications migrating to the cloud. With various legislations and regulations mandating organizations to protect personal data, it is required that cloud applications and associated infrastructure are designed in a manner that provides adequate data protection. To achieve this there is a need to understand various data protection legislations, regulations, and risks faced by the cloud applications and various security controls that can be put in place to address those. Smart homes equipped with health monitoring systems have the potential to monitor the health of elderly people in their homes. In such homes, sensors are employed to monitor the activity of individuals and leverage that information to detect anomalies and raise alarms to the caretakers. However, hosting such a system in the cloud has potential privacy impacts, since health data is treated as sensitive privacy data in many regulations.  This thesis is conducted based on a use case of the deployment of an elderly health care monitoring system for municipalities in Sweden. I analyzed various regulations and privacy risks in migrating such a health monitoring system to the public cloud, the regulations captured are specific to the use case where the e-health data of Swedish citizens is captured in the cloud. The study also highlights various data protection approaches that can be employed to address the identified concerns.  In the thesis, I highlighted that data residency, data control, and the possibility of data leakage from the public cloud are among the top concerns for the municipality. I also listed various applicable data protection regulations and legislation, with “Swedish law for public access to information and secrecy” having a crucial influence on privacy data storage. I evaluated various data protection approaches to alleviate the above concerns, which include access control, anonymization, data splitting, cryptographic measures, and leveraging public cloud capabilities.