Evaluation and Neuronal Network-Based Classification of the PHRs Privacy Policies Inma Carrión University of Murcia mariainmaculada.carrion@ um.es José L. Fernández- Alemán University of Murcia alemán@um.es Chrisina Jayne London Metropolitan University c.jayne@londonmet.ac.uk Dominic Palmer-Brown London Metropolitan University d.palmer- brown@londonmet.ac.uk Ambrosio Toval University of Murcia atoval@um.es Juan M. Carrillo-de-Gea University of Murcia jmcdg1@um.es Abstract There has been growing interest by health services providers in providing PHRs (Personal Health Records) which can store individual's personal health information. In PHRs, access to data is controlled by the patient, not by the health care provider. Although a number of benefits can be achieved with the PHRs, important security and privacy challenges of PHRs arise. In this paper a review of the privacy policies of 22 free web-based PHRs is presented. Our objective is to measure the effects of adoption of international standards and cost on privacy and security characteristics. Security and privacy characteristics were extracted according to the standard ISO/TS 13606-4. A statistical analysis was conducted and a neural network-based classification of PHRs was performed. Some improvements can be done to current privacy policies of PHRs to enhance management of other users’ data, notification of changes in privacy policy to users and access audits. 1. Introduction In recent years, there has been growing interest by governments around the world in computerizing the health-care records [1]. Examples of this trend can be found in the US and European governments. In 2004, President Bush announced that the majority of Americans would be connected to EHRs by 2014 [2]. Five years after, in 2009, The American Recovery and Reinvestment Act was signed by President Obama, which included the investment of 19,000 million dollars to digitalize medical records in US [3]. In 2010, the Vice-President of the European Commission, Neelie Kroes, also announced at the High Level eHealth Conference that the Members States of the European Union will intend to make their health systems compatible before 2015 [4]. In the health field, several terms that could lead to confusion are used: electronic health record (EHR), electronic medical record (EMR) and personal health record (PHR). An EHR is a distributed personal health record in digital format. The terms EHR and EMR are often interchangeably, but there is a formal distinction. The EHR is all patient's healthcare data from multiple sources, accessible from anywhere by any healthcare provider. The EHR is different from EMR because it is not limited to a healthcare provider [5]. Nowadays, with growing use of Web 2.0 technologies, patients can access to their own health information via tools like Personal Health Records (PHR). The Markle Foundation defines a PHR as “An electronic application through which individuals can access, manage and share their health information, and that of others for whom they are authorized, in a private, secure, and confidential environment” [6]. The following benefits can be achieved with the PHRs [7,8]: provide a unified summary of users' entire health history, be easy to understand and use, 24/7 access to all users' healthcare data from anywhere in the world, collaborative disease tracking, continuous communication between patient and physicians At present, a number of companies such as Google and Microsoft are developing their own PHRs. In this context, a number of new security and privacy threats hang over patients' health data [9]. Information might be fragmented and accessible from several sites (by visiting different doctors' offices, hospitals, providers, etc). Safety defects in some of these systems could cause the disclosure of information to unauthorized people or companies, and health data therefore need protection against manipulations, unauthorized accesses and abuses. Data needs careful protection, thus being necessary to be extremely strict in storage and information exchange activities. These threats are arguably more challenged than those found in most other industry sectors due to [10]: (1) the number of health record entries of patients, (2) numbers of healthcare personnel and organizations that might come into contact with a patient at any one time; (3) difficulty of classifying 2012 45th Hawaii International Conference on System Sciences 978-0-7695-4525-7/12 $26.00 © 2012 IEEE DOI 10.1109/HICSS.2012.257 2840