This is an open-access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/2.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work, first published in the Journal of Medical Internet Research, is properly cited. The complete bibliographic information, a link to the original publication on http://www.jmir.org/, as well as this copyright and license information must be included.
Ubiquitous computing technology, sensor networks, wireless communication and the latest developments of the Internet have enabled the rise of a new concept—pervasive health—which takes place in an open, insecure, and highly dynamic environment (ie, in the information space). To be successful, pervasive health requires implementable principles for privacy and trustworthiness.
This research has two interconnected objectives. The first is to define pervasive health as a system and to understand its trust and privacy challenges. The second goal is to build a conceptual model for pervasive health and use it to develop principles and polices which can make pervasive health trustworthy.
In this study, a five-step system analysis method is used. Pervasive health is defined using a metaphor of digital bubbles. A conceptual framework model focused on trustworthiness and privacy is then developed for pervasive health. On that model, principles and rules for trusted information management in pervasive health are defined.
In the first phase of this study, a new definition of pervasive health was created. Using this model, differences between pervasive health and health care are stated. Reviewed publications demonstrate that the widely used principles of predefined and static trust cannot guarantee trustworthiness and privacy in pervasive health. Instead, such an environment requires personal dynamic and context-aware policies, awareness, and transparency. A conceptual framework model focused on information processing in pervasive health is developed. Using features of pervasive health and relations from the framework model, new principles for trusted pervasive health have been developed. The principles propose that personal health data should be under control of the data subject. The person shall have the right to verify the level of trust of any system which collects or processes his or her health information. Principles require that any stakeholder or system collecting or processing health data must support transparency and shall publish its trust and privacy attributes and even its domain specific policies.
The developed principles enable trustworthiness and guarantee privacy in pervasive health. The implementation of principles requires new infrastructural services such as trust verification and policy conflict resolution. After implementation, the accuracy and usability of principles should be analyzed.
Health is a wider concept than absence of disease or poor functionality. Broadly, health covers a person’s physical and mental, as well as economic and social, well-being. Therefore, health is not only a state determined by health care professionals and related authorities, but also an individually experienced state with many determinants, such as lifestyle, environment, social, and cultural aspects.
Traditionally, health care is an institutionalized and regulated system that occurs in controlled environments. The availability of information and communication technologies (ICT), ubiquitous computing, ambient intelligence, motes, sensors, and sensor networks is changing health care. New service models, such as personalized health care and personal health systems (PHS), are developing [
Ubiquitous computing technology, sensor networks, and ambient intelligence have initiated the birth of pervasive health. Pervasive health and health care are separate concepts with many overlapping goals (ie, making services available to everyone). They are not distinguished by the information technology or information used. Both can collect and deploy any kind of personal health data and environmental information (eg, genomic, phenomic, epigenetic, and geospatial information).
Trust is a relativistic, complex, and dynamic concept. From the information-processing point of view, trust defines the individual’s expectations in the context of collection, processing, communication, and use of personal information [
In the case of health information, trust defines the data subject’s (DS) confidence that his or her personal health information is processed and communicated in such a way that privacy and security are guaranteed and the data processing follows regulations, ethical rules, fair information practices, and the DS’s personal preferences.
Privacy is a multifaceted, relativistic, and context-dependent concept [
Both information privacy and trust are related to the conditions demanded or expected in the collection, processing, communication, and use of personal information. Privacy policies, such as a patient’s consent statement, explicitly express the DS’s privacy requirements, while trust tackles them implicitly. Both privacy and trust relate to the information subject and include knowledge or assumptions about involved entities. Data disclosure means loss of privacy, but an increased level of trustworthiness reduces the need for privacy. The interest of the DS is to minimize loss of privacy at an acceptable level of trust.
In health care, internationally adopted principles and good practice rules—such as The United Nations (UN) Universal Declaration of Human Rights, the Organization for Economic Co-operation and Development (OECD) Guidelines for the Security of Information Systems and Networks, the European Directive 95/46/EC known as the Data Protection Directive (DPD), and ethical guidelines and codes published by The World Medical Association and the International Medical Informatics Association (IMIA)—together approved the high-level frameworks for ethics and privacy protection [
Researchers have recognized weaknesses and challenges in current privacy solutions. Coiera and Clark declared traditional access control systems inefficient because they are not content and context aware [
New approaches have been proposed. Ball and Gold suggested that the individual should have control of their personal health record (PHR) and should be able to know who has entered which data into the record [
New principles and models have also been proposed. Solove pointed out that protection of privacy in the Information Age requires social design and an architectural solution [
Not only researchers, but also international organizations and governments, have addressed the need for new rules. In a 2010 report to the president of the United States and to Congress, experts noted that current policies, such as the Health Insurance Portability and Accountability Act (HIPAA), leave many details vague. They also stated that tools and technologies are needed to empower individuals to manage their own health and that the definition for a formal privacy model is necessary [
Although none of these proposals is targeted directly at pervasive health, they have addressed common aspects such as trustworthiness, awareness, and patient-/person-controlled use of the EHR/PHR.
Until now, pervasive health lacks a common definition, and principles—which can make it trusted—do not exist. In this paper, pervasive health is defined as a system. Principles, rules, and policies that guarantee the DS’s privacy and information autonomy at the same time and make pervasive health trusted are proposed.
System analysis focuses on understanding a proposed system, identifying the problems, and recommending improvements. In this paper, “system” is understood as a group of independent elements that act together in a collective effort to achieve a goal. Pervasive health can be seen as a soft system because it involves social and cultural elements. In this study, a five-step system analysis method is used (similar steps can be found in the Soft Systems Methodology) to define pervasive health as a system and to develop privacy principles presented in this paper. The following steps were performed:
1. Defining the system in question (ie, pervasive health)
2. Identifying features and expressing problems of interest (eg, privacy and trustworthiness)
3. Discovering privacy risks and challenges in trustworthiness
4. Building a conceptual model for pervasive health
5. Developing improvements (ie, principles for trusted pervasive health)
Pervasive health is defined using the model (metaphor) of linked digital bubbles. The idea of digital bubbles was originally developed for pervasive environments and personal spaces [
A conceptual model for pervasive health is developed using the recommended practice for architectural description of software-intensive systems created by the Institute of Electrical and Electronics Engineers (IEEE). The short name for this standard is IEEE 1471 [
In the final step of system analysis, principles for trusted pervasive health are developed by combining previously defined features of pervasive health, identified risks, selected high-level privacy principles, and their relationships described within the conceptual framework model.
Pervasive health is defined as a dynamic network of bubbles that offers health services to the person. In the information space, the person (DS) dynamically creates personal health networks and selects both the systems that belong to the network and the services used. The DS also defines what information is shared between bubbles and their systems. This means that pervasive health is a controlled (cybernetic) meta-system in the information space.
The current health care system can be understood as a bubble where public and private service providers offer health care services. In principle, those health care services which the DS uses outside the controlled health care environment can be part of the DS’s pervasive health. Even so, the DS controls the use of those services and related data processing, except as required by law.
Regardless of the technology used and the available information, health care services are still defined, provided, and controlled by health professionals targeting the patient [
In health care, security and privacy rules are regulated by domain-specific laws and norms, which is not the case in pervasive health. Furthermore, in pervasive health personal health data is not stored in institutionalized EHRs as we will discuss subsequently.
In the information space there are also other systems which are not members of the DS’s pervasive health network, but which are interested in using the DS’s health information (
Pervasive health in the information space.
In the information space and in pervasive health, autonomous programs and computer systems can collect and process personal information invisible to the DS [
In pervasive health, those rules do not apply and health care-specific legislation will not regulate how health data is processed. In pervasive health, any kind of personal information (including behaviors and social activities) covering the person’s entire life is collected and processed. The use of health data is not limited to patient care, treatments, public health, or clinical research. Systems of pervasive health can process and exchange personal health information using their own rules. The data content coming from multiple sources exceeds what is used in current health care (and what EHRs contain). The authors use the term “lifelong personal wellness record” (LPWR) for this information. Personal health record (PHR) is an alternative term. Unfortunately, there is no consensus about the concept of a PHR, and some writers see it as an extension of the regulated EHR [
The information space and ubiquitous computing generate many privacy threats. The following are typical as stated in the literature [
Multiple systems and authorities can collect, process, and share personal information. Their number is unknown in advance and it changes regularly [
There is no predefined trust between systems.
Information can be collected, processed, and shared in such a way that the DS cannot be aware of it.
Rich contextual metadata is collected and used; both the collection and the use can violate the DS’s privacy interests.
Privacy can be breached if authorization is made without contextual information.
It is difficult (or even impossible) to destroy data stored in the information space.
Pervasive health creates additional trustworthiness and privacy challenges:
The business objectives, trust features, and regulations that systems apply can be unknown.
It is not possible to know in advance the characteristics, rules, and regulations of secondary users.
Processing of the LPWR takes place in various contexts (situations).
Objects of the LPWR can have different, situation-dependent sensitivity.
It is evident that, in pervasive health, the DS should be protected against the previously discussed risks and threats.
The conceptual framework model developed is shown in
Key concepts in the model are information space, pervasive health, trust, systems, stakeholders’ interest/concerns, environment, and privacy. Environmental features in the model include regulatory issues. Features of the information space and its systems impact the existing level of trust. To be acceptable and effective, the pervasive health network requires that the level of trust that the DS needs, and what systems and stakeholders offer, be balanced.
Conceptual framework for pervasive health.
Typical stakeholders (or actors) in pervasive health are the DS, wellness service providers, and data processing organizations. Stakeholders have different concerns or interests and viewpoints (eg, looking to meet their business objectives, information availability, and usability). The DS’s main interests are the benefits of services, trustworthiness, and privacy and information autonomy. Conflicting interests can also occur. For example, other systems in the information space, which are not members of the pervasive health array, might have an interest in the DS’s health information [
Typical primary and secondary uses of health data.
| Primary use | Secondary use |
|---|---|
| Direct care and treatment | Surveillance and continuous monitoring |
| Disease management | Research and statistics |
| Medication management | Drug development |
| Management of physical and social functionality to delay their weakening | Public health management |
| Proactive prediction of the patient’s health problems and prevention of diseases | Business application development |
| Management of the patient’s health status | Hindering behaviors not accepted by controllers (or authorities) or by society in general |
Those secondary users are third parties such as public authorities, private organizations, community care providers, public health planners, communication vendors, employers, insurance institutes, researchers, and even homeland security organizations.
Trustworthiness in pervasive health means that the whole network of systems is trusted; the DS’s privacy has been protected; and data is processed ethically, legally, and in line with the rules set by the DS. The resulting principles must offer protection against the risks of ubiquitous technologies, facilitate trustworthiness, and support the DS’s information autonomy. As previously mentioned, the fact that there are no predefined common rules for privacy and trustworthiness in pervasive health should also be considered. Becker stated that specification documents, in real life, are unclear, ambiguous, and incomplete [
From those privacy principles, the authors have selected trusted use and controlled dissemination, withholding, transparency, awareness, and the data processor’s responsibility together with the principle of context-aware personal privacy as the basis for new principles and rules. This implies that the DS acts as a data controller and determines where, by whom, why, how, in which context, and to what extent, his or her personal health information is used and communicated (ie, the DS can define personal preferences and policies).
The following requirements have been derived from relationships in the framework model (
All systems should fulfill the mission (ie, trustworthiness and privacy) and, therefore, they should accept common rules.
Pervasive health requires trust. This implies the need for trust verification.
Trust needs privacy rules.
The conceptual model also implies that the environment impacts the rules, and that systems can use different rules. It follows from the dynamic nature of the information space that the DS cannot be informed in advance which secondary users are using the LPWR.
The principles developed (named in this paper as principles for Trusted eHealth and eWelfare Space - ie, THEWS principles) are derived by combining selected principles and identified requirements. The THEWS principles state that the DS shall have the right to [
Dynamically verify the trustworthiness of the pervasive health network she has created.
Verify the trustworthiness of any system in the information space that requires or uses the DS’s personal health data for secondary purposes.
Control the processing of personal health information, both inside systems and between them.
Be aware of all events, situations, and contexts where the DS’s health data is collected, processed, stored, and disclosed.
Define situation-specific, context-aware, and granular personal privacy and trust policies, which regulate how his or her health data is collected, processed, disclosed, shared, stored, or destroyed.
Systems and stakeholders have the responsibility to ensure:
Trust verification, by publishing their privacy policies and their environmental and contextual features.
Openness of their interest, business needs, and policies as well as their relationships with other systems in the information space.
Transparency of data processing.
The THEWS principles imply that, in pervasive health, the entity DS is a person without an a priori assigned role as a patient or object of care. The DS should not only be aware of the use of his or her personal health data, but the DS also has to be able to verify trust and to control how data is collected, used, processed, and shared.
Advance verification of trust is a prerequisite and it should be seen as a mandatory requirement, as shown in
Principles of trust verification.
| Privacy and trust risks^a | THEWS principle | High-level privacy principle |
|---|---|---|
| Unknown stakeholders’ business needs, interest, purposes, and policies | Right to use trust verification | |
| No predefined trust to any system | Mandatory to publish systems’ trust parameters and policies | Trusted use of data |
| Unknown secondary users | Trust level calculation | |
| Invisible ubiquitous infrastructure | Untrusted systems and users cannot participate in the DS’s health network | |

^a In the information space and in pervasive health.
More closely, any system that collects health data or processes it shall publish the following information:
Relevant regulations and ethical rules;
Identification of all stakeholders who are participating in the data processing;
Security and privacy features of computer systems and applications that can process the LPWR; and
Agreements made between the system’s stakeholders and other systems.
The principle of context-aware personal policy implies that the DS has the right to define dynamic personal privacy and security policies (thereby setting his or her own privileges and obligations) for all systems and stakeholders regarding the collection, processing, and disclosure of his or her health data, as shown in
In pervasive health, the DS defines which reasons are acceptable for a situation in question. Therefore, reasons are a part of the policy. The DS’s policy defines contexts and situations where the data can be processed; there is no necessity to use a separate concept of relationship (ie, the patient–doctor relationship). Furthermore, the “need to know” principle used in health care is not needed because permissions to use data are defined in the personal policy. The proposed model of personal policy also supports the following widely accepted privacy features: limitations of access, secrecy, control over personal information, personhood, and intimacy. Policies can be used to trigger situation-dependent acts such as anonymization of data and federation of access control. The principle of controlled data creation, processing, and disclosure is old. The new feature is that the DS’s control is dynamic, context-aware, and linked to awareness and verification services.
In pervasive health, the need for transparency is not limited to the processing of the LPWR, as shown in
Awareness covers activities such as browsing, mining and drilling, linking, and merging data at the granular level. Finally, the DS should be aware of all events where a conflict between his or her personal policy and the stakeholders’ policy exists.
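As an added illustration of the trust verification, personal policy, and awareness principles described above (example code written for this page, not code from the THEWS project), the following Python sketch evaluates a DS’s context-aware policy against the trust attributes that systems publish; the system names, data categories, contexts, and security feature labels are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

@dataclass(frozen=True)
class TrustProfile:
    """Trust attributes a system publishes so the DS can verify it before it joins the network."""
    system_id: str
    regulations: FrozenSet[str]        # regulations and ethical rules it claims to follow
    stakeholders: FrozenSet[str]       # parties taking part in its data processing
    security_features: FrozenSet[str]  # security and privacy features of its applications
    agreements: FrozenSet[str]         # other systems it has data-sharing agreements with

@dataclass(frozen=True)
class Rule:
    """One context-aware rule of the DS's personal policy; the first matching rule decides."""
    data_category: str
    contexts: FrozenSet[str]            # situations in which processing is permitted
    purposes: FrozenSet[str]            # reasons the DS accepts in those situations
    required_features: FrozenSet[str]   # minimum security features the system must publish
    forbidden_partners: FrozenSet[str]  # systems the data must never be linked with
    action: str = "allow"               # "allow" or "anonymize" (a situation-dependent act)

@dataclass
class PersonalPolicy:
    rules: List[Rule]
    audit: List[Dict] = field(default_factory=list)  # awareness log: every request is recorded

    def decide(self, system: TrustProfile, category: str, context: str, purpose: str) -> Dict:
        """Verify trust, then evaluate the policy; an unmatched request is denied by default."""
        out = {"system": system.system_id, "category": category, "context": context,
               "purpose": purpose, "decision": "deny", "reason": "no matching permission",
               "conflict": False}
        for rule in self.rules:
            if (rule.data_category != category or context not in rule.contexts
                    or purpose not in rule.purposes):
                continue
            missing = rule.required_features - system.security_features
            clash = rule.forbidden_partners & system.agreements
            if missing:  # trust verification failed: untrusted systems stay out of the network
                out["reason"] = "missing security features: " + ", ".join(sorted(missing))
            elif clash:  # the system's published agreements conflict with the DS's policy
                out["conflict"], out["reason"] = True, "data would reach: " + ", ".join(sorted(clash))
            else:
                out["decision"], out["reason"] = rule.action, "rule matched"
            break
        self.audit.append(out)
        return out

    def conflict_notifications(self) -> List[Dict]:
        """Events the DS must be notified of: requests that clashed with the personal policy."""
        return [e for e in self.audit if e["conflict"]]

def build_policy() -> PersonalPolicy:
    """Constructed sample policy of one DS (hypothetical categories, contexts and partners)."""
    return PersonalPolicy([
        Rule("heart-rate", frozenset({"exercise", "emergency"}), frozenset({"direct-care", "self-monitoring"}),
             frozenset({"encryption-at-rest", "audit-log"}), frozenset({"insurer-x"})),
        Rule("heart-rate", frozenset({"exercise"}), frozenset({"research"}),
             frozenset({"encryption-at-rest"}), frozenset(), action="anonymize"),
    ])

# Constructed trust profiles of three systems in the information space (hypothetical names).
FITNESS_APP = TrustProfile("fitness-app", frozenset({"EU-DPD"}), frozenset({"vendor"}),
                           frozenset({"encryption-at-rest", "audit-log"}), frozenset({"cloud-analytics"}))
RESEARCH_PORTAL = TrustProfile("research-portal", frozenset({"EU-DPD"}), frozenset({"university"}),
                               frozenset({"encryption-at-rest", "audit-log"}), frozenset({"insurer-x"}))
AD_NETWORK = TrustProfile("ad-network", frozenset(), frozenset({"advertiser"}),
                          frozenset({"audit-log"}), frozenset())

def run_demo() -> List[str]:
    """Evaluate five requests against the sample policy and return the decisions in order."""
    policy = build_policy()
    requests = [(FITNESS_APP, "heart-rate", "exercise", "self-monitoring"),   # allow
                (RESEARCH_PORTAL, "heart-rate", "exercise", "direct-care"),   # policy conflict
                (RESEARCH_PORTAL, "heart-rate", "exercise", "research"),      # anonymize
                (AD_NETWORK, "heart-rate", "exercise", "self-monitoring"),    # trust check fails
                (FITNESS_APP, "location", "exercise", "self-monitoring")]     # no permission
    return [policy.decide(*r)["decision"] for r in requests]
```

The audit list is the awareness record the DS can browse, and `conflict_notifications()` yields the events where a system’s published agreements clash with the personal policy.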
The THEWS principles are a paradigm shift from traditional static protection and risk-based thinking to dynamic management of trust and privacy. The principles offer new rights and power to the DS and, therefore, strengthen the DS’s information autonomy. The principles also set new responsibilities for systems in the information space.
Principles of personal policies.
| Privacy and trust risks^a | THEWS principle | High-level privacy principle |
|---|---|---|
| The DS cannot control what health data is collected and by whom | Personal dynamic context-aware policies rule the collection, processing, storing, sharing, and destroying of data | Right to control the use of data |
| The DS cannot control the use of the LPWR and its metadata | Possibility to control any secondary use of the LPWR and its metadata | |
| No control over data linking, unknown secondary use of data, and the information space has unlimited memory | Policy defines rules for data linking and destroying as well as situations where the LPWR can be processed | Withholding |

^a In the information space and in pervasive health.
Principles of awareness.
| Privacy and trust risks^a | THEWS principle | High-level privacy principle |
|---|---|---|
| Invisible data collection, processing, preservation, and sharing | Awareness and transparency is defined by the DS’s policy | |
| No need to inform the DS of the level of trust and of relations between systems | Stakeholders and systems shall publish their trust parameters and relations to other systems | Transparency |
| No need to notify the DS of policy conflicts | Notification of conflicting interest and policies | |

^a In the information space and in pervasive health.
In this paper, pervasive health is defined as a system that takes part in the information space. The trustworthiness and privacy challenges of pervasive health are analyzed. A conceptual model is built, and principles and rules, which can make pervasive health trustworthy, are proposed. The principles give the DS the right to use personal policies and the right to verify trust. Full transparency and awareness give the DS power that currently does not exist. The THEWS principles protect the DS’s health information against new, fast-developing technologies such as data mining, drilling, and browsing as well as against multidimensional profiling and re-identification. The use of dynamic policies makes it possible to balance, on the fly, the access requester’s purposes against the DS’s personal preferences and policies. The authors’ solution falls in line with modern policy- and context-enabled security and privacy protection models developed for ubiquitous data processing [
The model of personal policies means that every person can have their own dynamic and context-dependent policies. This makes it difficult to manage policies and to automatically resolve their conflicts. A solution to this problem is the use of a common privacy ontology and terminology. On that basis, it is possible to develop a set of policy profiles from which the DS can select the most suitable. It is also possible to allow the DS to simulate different policies and their impacts in advance. Policy conflicts between personal and local policies can be solved with the help of negotiation and conflict resolution services. A challenge is how the DS can make informed decisions to balance personal benefits with privacy and trust needs. One solution to this problem is the use of a software mediator between the DS and the access requestor or the health service provider [
A political challenge is getting the THEWS principles accepted by companies, governments, and health care organizations. The idea that the whole LPWR is under the personal control of the DS in all situations may not be accepted automatically by all stakeholders and systems. Reasons for this include that it will make ICT systems expensive, complicated, and difficult to develop; it can cause problems for proactive prevention and make public health monitoring difficult; and it restricts governments’ and bureaucrats’ ability to monitor and control people’s lifestyles and unwanted behaviors [
It is unclear whether all data subjects have a reasonable interest or the capacity to manage their personal security and privacy policies actively, or whether some people will need a personal trust assistant to work on their behalf. From the regulatory viewpoint, there is a need to balance personal privacy and information autonomy against other interests and values, such as public and business benefits and secondary use of health data. New privacy regulations are also essential to a trusted information space [
Implementing the THEWS principles requires services that do not exist currently. Both new infrastructural privacy services and a new data model for the LPWR are needed. The developed principles should be validated after implementation and their accuracy and usability should be analyzed.
AMIA: American Medical Informatics Association
DPD: Data Protection Directive
DS: data subject
EHR: electronic health record
HIPAA: the Health Insurance Portability and Accountability Act
ICT: information and communication technologies
LPWR: lifelong personal wellness record
OECD: Organization for Economic Co-operation and Development
PHR: personal health record
PHS: personal health systems
THEWS: Trusted eHealth and eWelfare Space
UN: United Nations
WHO: World Health Organization
Results presented in this paper are based on findings of the THEWS project (Trusted eHealth and eWelfare Space). The project is supported by the Finnish Academy during 2009-2012 via the MOTIVE research program.
None declared