A Systematic Mapping Study on Patient Data Privacy and Security for Software System Development

Isma Masood
Department of Software Engineering
International Islamic University
Islamabad, Pakistan
ismamasood786@gmail.com

Saad Zafar
Faculty of Computing
Riphah International University
Islamabad, Pakistan
saadzafar@riu.edu.pk

Abstract: The exchange of Electronic Health Records (EHR) has increased threats to patient data privacy and security. Software systems developed for the healthcare sector are required to explicitly address patient data privacy and security. A number of solutions have been proposed to incorporate these requirements into software systems. However, there is no comprehensive study that synthesizes the different research initiatives according to any predetermined criteria. The main focus of this paper is to survey the various solutions proposed in the literature for incorporating patient data privacy and security into software systems. The proposed solutions are mapped against: (1) the software development stage for which the solution has been proposed, and (2) the established patient privacy and security principles. The existing literature has been surveyed using a systematic mapping study by phrasing two questions. In the mapping study, a total of 58 studies, dating from 2000 to 2011, were evaluated and mapped against the aforementioned categories.

Keywords: Systematic mapping study; Electronic Health Records (EHR); Patient data privacy and security; Software system development.

I. INTRODUCTION

Health information and medical records contain sensitive personal information, including diagnosis and testing information along with a person's family history, genetic testing, history of diseases and treatments, history of drugs used, sexual orientation and practices, and testing for sexually transmitted diseases [1].
Nowadays, digitized health records are not only used for diagnosis and treatment but also for other purposes, such as improving the efficiency of the healthcare system, driving public policy development and administration, conducting medical research, and providing effective health services that can be tracked and evaluated [2, 3]. Increasingly, information shared electronically within the healthcare sector faces new threats to patient data privacy and security. Threats to patient data privacy and security are a major cause of inaccuracies and improper disclosure of information, which threaten an individual's personal life and financial well-being [3, 4]. Therefore, many countries have implemented laws and policies to protect patient data privacy and security, especially for EHR [5]. To bridge the gap between different patient privacy rules, regulations and policies, the Markle Foundation has proposed a set of principles under a Common Framework for uniform implementation of health information exchange across the health sector [9]. The Markle Foundation works for the advancement of health and national security through information and information technology in the United States of America. One of the major objectives of the Common Framework is to ensure patient privacy and seamless connectivity among the various organizations related to the health sector. The privacy principles defined under the framework are described later in the paper. A number of initiatives have been taken to propose the effective integration of these policies into software systems. However, effective implementation of all the policies and principles related to patient privacy and security in software systems remains a challenge. Therefore, there is room for new and improved solutions in this field.
Before performing any new research, however, there is a need to synthesize the existing work in the area, to understand the need for improvement, and to identify any new solution to an unresolved matter. Typically, a systematic literature review (SLR) is performed for this purpose. The idea of conducting SLRs in the field of software engineering was proposed by Kitchenham [6]. Often, a prerequisite for conducting an SLR is a mapping study, which is performed as an initial step to assess the feasibility of a complete SLR. In this paper we have conducted a mapping study, as we could not find any SLR on the proposed solutions related to patient data privacy and security in the field of software engineering. For this mapping study, we have followed the guidelines published in [7, 8]. We present the results of the mapping study to identify the available solutions for patient data privacy and security in software system development, and we have categorized these solutions against: (1) the stages of the software development life cycle, and (2) the well-established policy principles for patient data privacy and security presented in [9]. Specifically, our mapping study addressed the following research questions: (1) which solutions of patient data privacy and security have been

166 ICSEA 2011 : The Sixth International Conference on Software Engineering Advances Copyright (c) IARIA, 2011. ISBN: 978-1-61208-165-6