Abstract
Electronic consent (e-consent) has the potential to solve many paper-based consent approaches. Existing approaches, however, face challenges regarding privacy and security. This literature review aims to provide an overview of privacy and security challenges and requirements proposed by papers discussing e-consent implementations, as well as the manner in which state-of-the-art solutions address them. We conducted a systematic literature search using ACM Digital Library, IEEE Xplore, and PubMed Central. We included papers providing comprehensive discussions of one or more technical aspects of e-consent systems. Thirty-one papers met our inclusion criteria. Two distinct topics were identified, the first being discussions of e-consent representations and the second being implementations of e-consent in data sharing systems. The main challenge for e-consent representations is gathering the requirements for a “valid” consent. For the implementation papers, many provided some requirements but none provided a comprehensive overview. Blockchain is identified as a solution to transparency and trust issues in traditional client-server systems, but several challenges hinder it from being applied in practice. E-consent has the potential to grant data subjects control over their data. However, there is no agreed-upon set of security and privacy requirements that must be addressed by an e-consent platform. Therefore, security- and privacy-by-design techniques should be an essential part of the development lifecycle for such a platform.
- Intersoft Consulting. n.d. General Data Protection Regulation GDPR—Official Legal Text. Retrieved February 1, 2021 from https://gdpr-info.eu/.Google Scholar
- Andrea Akkad, Clare Jackson, Sara Kenyon, Mary Dixon-Woods, Nick Taub, and Marwan Habiba. 2006. Patients’ perceptions of written consent: Questionnaire study. BMJ 333, 7567 (Sept. 2006), 528. DOI:https://doi.org/10.1136/bmj.38922.516204.55Google Scholar
- Amanda Anderberg, Elena Andonova, Mario Bellia, Ludovic Calès, Andreia Inamorato Dos Santos, Ioannis Kounelis, Igor Nai Fovino, et al. 2019. Blockchain Now and Tomorrow. Publications Office of the European Union, Luxembourg.Google Scholar
- Rekha Bhatia and Manpreet Singh. 2014. Formal specification of a privacy aware access control framework in web services paradigm using z notation. In Proceedings of the 2014 International Conference on Information and Communication Technology for Competitive Strategies (ICTCS ’14). ACM, New York, NY, 1--5. DOI:https://doi.org/10.1145/2677855.2677929Google Scholar
Digital Library
- Antje Brandner, Bjorn Schreiweis, Lakshmi S. Aguduri, Tobias Bronsch, Aline Kunz, Peter Pensold, Katharina E. Stein, et al. 2016. The patient portal of the personal cross-enterprise electronic health record (PEHR) in the Rhine-Neckar-Region. Studies in Health Technology and Informatics 228 (2016), 157--161.Google Scholar
- Achim D. Brucker, Lukas Brügger, Paul Kearney, and Burkhart Wolff. 2011. An approach to modular and testable security models of real-world health-care applications. In Proceedings of the 16th ACM Symposium on Access Control Models and Technologies (SACMAT’11). ACM, New York, NY, 133--142. DOI:https://doi.org/10.1145/1998441.1998461event-place: Innsbruck, Austria.Google Scholar
Digital Library
- Isabelle Budin-Ljosne, Harriet J. A. Teare, Jane Kaye, Stephan Beck, Heidi Beate Bentzen, Luciana Caenazzo, Clive Collett, et al. 2017. Dynamic consent: A potential solution to some of the challenges of modern biomedical research. BMC Medical Ethics 18, 1 (Jan. 2017), 4. DOI:https://doi.org/10.1186/s12910-016-0162-9Google Scholar
- Ozgu Can. 2013. A semantic model for personal consent management. In Metadata and Semantics Research. Communications in Computer and Information Science, Vol. 390. Springer, 146--151.Google Scholar
- Stevan Coroller, Sophie Chabridon, Maryline Laurent, Denis Conan, and Jean Leneutre. 2018. Position paper: Towards end-to-end privacy for publish/subscribe architectures in the Internet of Things. In Proceedings of the 5th Workshop on Middleware and Applications for the Internet of Things (M4IoT’18). ACM, New York, NY, 35--40. DOI:https://doi.org/10.1145/3286719.3286727Google Scholar
- Maryam Davari and Elisa Bertino. 2019. Access control model extensions to support data privacy protection based on GDPR. In Proceedings of the 2019 IEEE International Conference on Big Data (Big Data’19). 4017--4024. DOI:https://doi.org/10.1109/BigData47090.2019.9006455Google Scholar
- R. H. Dolin, L. Alschuler, C. Beebe, P. V. Biron, S. L. Boyer, D. Essin, E. Kimber, T. Lincoln, and J. E. Mattison. 2001. The HL7 clinical document architecture. Journal of the American Medical Informatics Association 8, 6 (Dec. 2001), 552--569.Google Scholar
- e-Estonia. 2018. Blockchain and Healthcare: The Estonian Experience. Retrieved February 1, 2021 from https://e-estonia.com/blockchain-healthcare-estonian-experience/.Google Scholar
- Matthew E. Falagas, Ioanna P. Korbila, Konstantina P. Giannopoulou, Barbara K. Kondilis, and George Peppas. 2009. Informed consent: How much and what do patients understand? American Journal of Surgery 198, 3 (Sept. 2009), 420--435. DOI:https://doi.org/10.1016/j.amjsurg.2009.02.010Google Scholar
- Anders T. Gjerdrum, Håvard D. Johansen, and Dag Johansen. 2016. Implementing informed consent as information-flow policies for secure analytics on ehealth data: Principles and practices. In Proceedings of the 2016 IEEE 1st International Conference on Connected Health: Applications, Systems, and Engineering Technologies (CHASE’16). 107--112. DOI:https://doi.org/10.1109/CHASE.2016.39Google Scholar
- Christine Grady, Steven R. Cummings, Michael C. Rowbotham, Michael V. McConnell, Euan A. Ashley, and Gagandeep Kang. 2017. Informed consent. New England Journal of Medicine 376, 9 (2017), 856--867. DOI:https://doi.org/10.1056/NEJMra1603773Google Scholar
Cross Ref
- D. Grunwell and T. Sahama. 2015. Information accountability and Health Big Data Analytics: A consent-based model. In Proceedings of the 2015 17th International Conference on E-health Networking, Application, and Services (HealthCom’15). 195--199. DOI:https://doi.org/10.1109/HealthCom.2015.7454497Google Scholar
- Birger Haarbrandt, Bjorn Schreiweis, Sabine Rey, Ulrich Sax, Simone Scheithauer, Otto Rienhoff, Petra Knaup-Gregori, et al. 2018. HiGHmed—An open platform approach to enhance care and research across institutional boundaries. Methods of Information in Medicine 57, Suppl. 01 (July 2018), e66--e81. DOI:https://doi.org/10.3414/ME18-02-0002Google Scholar
- Bente Hamnes, Yvonne van Eijk-Hustings, and Jette Primdahl. 2016. Readability of patient information and consent documents in rheumatological studies. BMC Medical Ethics 17, 1 (2016), 42. DOI:https://doi.org/10.1186/s12910-016-0126-0Google Scholar
- Thomas Hardjono. 2019. Federated authorization over access to personal data for decentralized identity management. IEEE Communications Standards Magazine 3, 4 (Dec. 2019), 32--38. DOI:https://doi.org/10.1109/MCOMSTD.001.1900019Google Scholar
- Yuichi Hashi, Kazuyoshi Matsumoto, Yoshinori Seki, Masahiro Hiji, Toru Abe, and Takuo Suganuma. 2015. Data management scheme to enable efficient analysis of sensing data for smart community. In Proceedings of the 2015 IEEE 39th Annual Computer Software and Applications Conference, Vol. 3. 182--187. DOI:https://doi.org/10.1109/COMPSAC.2015.233Google Scholar
- Yuichi Hashi, Kazuyoshi Matsumoto, Yoshinori Seki, Masahiro Hiji, Toru Abe, and Takuo Suganuma. 2015. Design and implementation of data management scheme to enable efficient analysis of sensing data. In Proceedings of the 2015 IEEE International Conference on Autonomic Computing. 319--324. DOI:https://doi.org/10.1109/ICAC.2015.58Google Scholar
Digital Library
- Signant Health. 2020. State of eConsent Report 2020. Retrieved February 1, 2021 from https://discover.signanthealth.com/2020-eConsent-Survey.html.Google Scholar
- Oliver Heinze, Markus Birkle, Lennart Köster, and Björn Bergh. 2011. Architecture of a consent management suite and integration into IHE-based regional health information networks. BMC Medical Informatics and Decision Making 11, 1 (Oct. 2011), 58. DOI:https://doi.org/10.1186/1472-6947-11-58Google Scholar
- Duncan Hull, Steve R. Pettifer, and Douglas B. Kell. 2008. Defrosting the digital library: Bibliographic tools for the next generation web. PLoS Computational Biology 4, 10 (Oct. 2008), e1000204. DOI:https://doi.org/10.1371/journal.pcbi.1000204Google Scholar
- N. Huynh, M. Frappier, H. Pooda, A. Mammar, and R. Laleau. 2016. SGAC: A patient-centered access control method. In Proceedings of the 2016 IEEE 10th International Conference on Research Challenges in Information Science (RCIS’16). 1--12. DOI:https://doi.org/10.1109/RCIS.2016.7549286Google Scholar
- N. Huynh, M. Frappier, H. Pooda, A. Mammar, and R. Laleau. 2019. SGAC: A multi-layered access control model with conflict resolution strategy. Computer Journal 62, 12 (2019), 1707--1733. DOI:https://doi.org/10.1093/comjnl/bxz039Google Scholar
- International Organization for Standardization. 2014. ISO 22600-1:2014. https://www.iso.org/cms/render/live/en/sites/isoorg/contents/data/standard/06/26/62653.html.Google Scholar
- Michael Jefford and Rosemary Moore. 2008. Improvement of informed consent and the quality of consent documents. Lancet Oncology 9, 5 (May 2008), 485--493. DOI:https://doi.org/10.1016/S1470-2045(08)70128-1Google Scholar
- Joshua Joy, Minh Le, and Mario Gerla. 2016. LocationSafe: Granular location privacy for IoT devices. In Proceedings of the 8th Wireless of the Students, by the Students, and for the Students Workshop (S3’16). ACM, New York, NY, 39--41. DOI:https://doi.org/10.1145/2987354.2987365Google Scholar
- Jane Kaye, Liam Curren, Nick Anderson, Kelly Edwards, Stephanie M. Fullerton, Nadja Kanellopoulou, David Lund, et al. 2012. From patients to partners: Participant-centric initiatives in biomedical research. Nature Reviews: Genetics 13, 5 (April 2012), 371--376. DOI:https://doi.org/10.1038/nrg3218Google Scholar
- Atif Khan and Ian McKillop. 2013. Privacy-centric access control for distributed heterogeneous medical information systems. In Proceedings of the 2013 IEEE International Conference on Healthcare Informatics. 297--306. DOI:https://doi.org/10.1109/ICHI.2013.42 ISSN: null.Google Scholar
Digital Library
- Barbara Kitchenham. 2004. Procedures for Performing Systematic Reviews. Technical Report TR/SE-0401. Keele University, Keele, UK.Google Scholar
- S. Kiyomoto, M. S. Rahman, and A. Basu. 2017. On blockchain-based anonymized dataset distribution platform. In Proceedings of the 2017 IEEE 15th International Conference on Software Engineering Research, Management, and Applications (SERA’17). 85--92. DOI:https://doi.org/10.1109/SERA.2017.7965711Google Scholar
- Paul Koster, Muhammad Asim, and Milan Petkovic. 2011. End-to-end security for personal telehealth. Studies in Health Technology and Informatics 169 (2011), 621--625.Google Scholar
- C. S. Kouzinopoulos, K. M. Giannoutakis, K. Votis, D. Tzovaras, A. Collen, N. A. Nijdam, D. Konstantas, G. Spathoulas, P. Pandey, and S. Katsikas. 2018. Implementing a forms of consent smart contract on an IoT-based blockchain to promote user trust. In Proceedings of 2018 Innovations in Intelligent Systems and Applications (INISTA’18). 1--6. DOI:https://doi.org/10.1109/INISTA.2018.8466268Google Scholar
- Tsung-Ting Kuo, Hyeon-Eui Kim, and Lucila Ohno-Machado. 2017. Blockchain distributed ledger technologies for biomedical and health care applications. Journal of the American Medical Informatics Association 24, 6 (Nov. 2017), 1211--1220. DOI:https://doi.org/10.1093/jamia/ocx068Google Scholar
Cross Ref
- Gary Leeming, James Cunningham, and John Ainsworth. 2019. A ledger of me: Personalizing healthcare using blockchain technology. Frontiers in Medicine (Lausanne) 6 (2019), 171. DOI:https://doi.org/10.3389/fmed.2019.00171Google Scholar
- Loi Luu, Duc-Hiep Chu, Hrishi Olickel, Prateek Saxena, and Aquinas Hobor. 2016. Making smart contracts smarter. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS’16). ACM, New York, NY, 254--269. DOI:https://doi.org/10.1145/2976749.2978309Google Scholar
Digital Library
- W. Ma and K. Sartipi. 2014. An agent-based infrastructure for secure medical imaging system integration. In Proceedings of the 2014 IEEE 27th International Symposium on Computer-Based Medical Systems. 72--77. DOI:https://doi.org/10.1109/CBMS.2014.87Google Scholar
- Weina Ma and Kamran Sartipi. 2014. An agent-based infrastructure for secure medical imaging system integration. In Proceedings of the 2014 IEEE 27th International Symposium on Computer-Based Medical Systems. 72--77. DOI:https://doi.org/10.1109/CBMS.2014.87Google Scholar
Digital Library
- Eve Maler. 2015. Extending the power of consent with user-managed access: A standard architecture for asynchronous, centralizable, Internet-scalable consent. In Proceedings of the 2015 IEEE Security and Privacy Workshops. 175--179. DOI:https://doi.org/10.1109/SPW.2015.34Google Scholar
- Paul Malone, Mark McLaughlin, Ronald Leenes, Pierfranco Ferronato, Nick Lockett, Pedro Bueso Guillen, Thomas Heistracher, and Giovanni Russello. 2010. ENDORSE: A legal technical framework for privacy preserving data management. In Proceedings of the 2010 Workshop on Governance of Technology, Information, and Policies (GTIP’10). ACM, New York, NY, 27--34. DOI:https://doi.org/10.1145/1920320.1920325Google Scholar
- Pooya Mehregan and Philip W. L. Fong. 2016. Policy negotiation for co-owned resources in relationship-based access control. In Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies (SACMAT’16). ACM, New York, NY, 125--136. DOI:https://doi.org/10.1145/2914642.2914652Google Scholar
- David Moher. 2009. Preferred Reporting Items for Systematic Reviews and Meta-Analyses: The PRISMA statement. Annals of Internal Medicine 151, 4 (Aug. 2009), 264. DOI:https://doi.org/10.7326/0003-4819-151-4-200908180-00135Google Scholar
Cross Ref
- Wanda Montalvo and Elaine Larson. 2014. Participant comprehension of research for which they volunteer: A systematic review. Journal of Nursing Scholarship 46, 6 (Nov. 2014), 423--431. DOI:https://doi.org/10.1111/jnu.12097Google Scholar
- Victor Morel, Mathieu Cunche, and Daniel Le Métayer. 2019. A generic information and consent framework for the IoT. In Proceedings of the 2019 18th IEEE International Conference on Trust, Security and Privacy in Computing and Communications and the 13th IEEE International Conference on Big Data Science and Engineering (TrustCom/BigDataSE’19). 366--373. DOI:https://doi.org/10.1109/TrustCom/BigDataSE.2019.00056Google Scholar
- A. Norta, D. Hawthorne, and S. L. Engel. 2018. A privacy-protecting data-exchange wallet with ownership- and monetization capabilities. In Proceedings of the 2018 International Joint Conference on Neural Networks (IJCNN’18). 1--8. DOI:https://doi.org/10.1109/IJCNN.2018.8489551Google Scholar
- Hans-Ulrich Prokosch, Till Acker, Johannes Bernarding, Harald Binder, Martin Boeker, Melanie Boerries, Philipp Daumke, et al. 2018. MIRACUM: Medical informatics in research and care in university medicine. Methods of Information in Medicine 57, Suppl. 1 (July 2018), e82--e91. DOI:https://doi.org/10.3414/ME17-02-0025Google Scholar
- C. Pruski. 2010. e-CRL: A rule-based language for expressing patient electronic consent. In Proceedings of the 2010 2nd International Conference on eHealth, Telemedicine, and Social Medicine. 141--146. DOI:https://doi.org/10.1109/eEMED.2010.27Google Scholar
- A. R. Rajput, Q. Li, M. Taleby Ahvanooey, and I. Masood. 2019. EACMS: Emergency access control management system for personal health record based on blockchain. IEEE Access 7 (2019), 84304--84317. DOI:https://doi.org/10.1109/ACCESS.2019.2917976Google Scholar
Cross Ref
- Fatemeh Rezaeibagha, Khin Than Win, and Willy Susilo. 2015. A systematic literature review on security and privacy of electronic health record systems: Technical perspectives. Health Information Management 44, 3 (Oct. 2015), 23--38. DOI:https://doi.org/10.1177/183335831504400304Google Scholar
- Marco Robol, Travis D. Breaux, Elda Paja, and Paolo Giorgini. 2019. Consent verification under evolving privacy policies. In Proceedings of the 2019 IEEE 27th International Requirements Engineering Conference (RE’19). 422--427. DOI:https://doi.org/10.1109/RE.2019.00056Google Scholar
- Ramkinker Singh and Vipra Gupta. 2013. Dynamic federation in identity management for securing and sharing personal health records in a patientcentric model in cloud. International Journal of Engineering and Technology 5, 3 (2013), 9.Google Scholar
- Rudi Studer, V. Richard Benjamins, and Dieter Fensel. 1998. Knowledge engineering: Principles and methods. Data & Knowledge Engineering 25, 1 (March 1998), 161--197. DOI:https://doi.org/10.1016/S0169-023X(97)00056-6Google Scholar
Digital Library
- Integrating the Healthcare Enterprise. 2020. IHE IT Infrastructure ITI Technical Framework. 1. https://www.ihe.net/uploadedFiles/Documents/ITI/IHE_ITI_TF_Vol1.pdf.Google Scholar
- Integrating the Healthcare Enterprise. n.d. Advanced Patient Privacy. Retrieved February 1, 2021 from https://wiki.ihe.net/index.php/Advanced_Patient_Privacy_Consents.Google Scholar
- Integrating the Healthcare Enterprise. n.d. Audit Trail and Node Authentication. Retrieved February 1, 2021 from https://wiki.ihe.net/index.php/Audit_Trail_and_Node_Authentication.Google Scholar
- Integrating the Healthcare Enterprise. n.d. Basic Patient Privacy Consents. Retrieved February 1, 2021 from https://wiki.ihe.net/index.php/Basic_Patient_Privacy_Consents.Google Scholar
- Nguyen Binh Truong, Kai Sun, Gyu Myoung Lee, and Yike Guo. 2019. GDPR-Compliant personal data management: A blockchain-based solution. IEEE Transactions on Information Forensics and Security 15 (2019), 1746--1761. DOI:https://doi.org/10.1109/TIFS.2019.2948287Google Scholar
Digital Library
- Max-R. Ulbricht and Frank Pallas. 2016. CoMaFeDS: Consent management for federated data sources. In Proceedings of the 2016 IEEE International Conference on Cloud Engineering Workshop (IC2EW’16). 106--111. DOI:https://doi.org/10.1109/IC2EW.2016.30Google Scholar
- J. Patrick Woolley, Emily Kirby, Josh Leslie, Francis Jeanson, Moran N. Cabili, Gregory Rushton, James G. Hazard, et al. 2018. Responsible sharing of biomedical data and biospecimens via the “Automatable Discovery and Access Matrix” (ADA-M). npj Genomic Medicine 3, 1 (July 2018), 1--6. DOI:https://doi.org/10.1038/s41525-018-0057-4Google Scholar
- Bo Yu, Duminda Wijesekera, and Paulo C. G. Costa. 2014. An ontology for medical treatment consent. In Proceedings of the 9th International Conference on Semantic Technologies for Intelligence, Defense, and Security (STIDS’14). 72--79.Google Scholar
- Lelethu Zazaza, H. S. Venter, and George Sibiya. 2019. The current state of electronic consent systems in e-health for privacy preservation. In Information Security. Communications in Computer and Information Science, Vol. 973. Springer, 76--88.Google Scholar
Index Terms
Security and Privacy Requirements for Electronic Consent: A Systematic Literature Review
Recommendations
Principled Electronic Consent Management: A Preliminary Research Framework
EST '10: Proceedings of the 2010 International Conference on Emerging Security TechnologiesConsent is a multifaceted concept that has not received much attention in information systems literature. In this paper we categorise current electronic consent decision making systems into first generation, ex-post and principled Electronic Consent ...
Secure EPCglobal class-1 gen-2 RFID system against security and privacy problems
OTM'06: Proceedings of the 2006 international conference on On the Move to Meaningful Internet Systems: AWeSOMe, CAMS, COMINF, IS, KSinBIT, MIOS-CIAO, MONET - Volume Part IRadio Frequency Identification (RFID) system is an important technology in ubiquitous computing environment RFID system should be compatible with most RFID system applications to support the ubiquitous computing environment Recently, researchers had ...
Designing Privacy-by-Design
APF 2012: Revised Selected Papers of the First Annual Privacy Forum on Privacy Technologies and Policy - Volume 8319The proposal for a new privacy regulation d.d. January 25th 2012 introduces sanctions of up to 2% of the annual turnover of enterprises. This elevates the importance of mitigation of privacy risks. This paper makes Privacy by Design more concrete, and ...






Comments