Analysis of personal health data breaches: prioritization with BWM approach


DOI: https://doi.org/10.47243/jos.2612

Keywords: Personal Data, Health, Multi-Criteria Decision Making, Prioritization, BWM

Abstract

The aim of this study is to identify the factors that cause personal health data breaches, to prioritize these factors with the BWM (Best Worst Method) approach, and to propose solutions that improve health data security in line with the resulting priorities. A literature review identified 8 criteria for evaluating personal health data breaches: data leakage, human errors, malware, security level (encryption), cyber-attacks, unauthorized access, privilege abuse and inappropriate data destruction policies. The criteria were analyzed with the BWM method, a multi-criteria decision-making approach. The evaluation was conducted by 6 different experts, each with at least 7 years of academic or professional experience in the fields of health management and health law. According to the findings of the analysis, the most important (best) criterion causing personal health data breaches was “Cyber Attacks”, with a weight score of 16.95%. It is followed by “Data Leaks” (16.77%), “Privilege Abuse” (15.10%) and “Malicious Software” (15.07%). “Inappropriate Data Destruction Policies” was identified as the least important (worst) criterion, with a weight of 5.01%. Consequently, multifaceted strategies need to be developed to prevent health data breaches and to manage data security effectively. Against cyber-attacks, methods such as advanced security measures, regular security audits and network segmentation are recommended. Patient identity and privacy can be protected by methods such as anonymization, clustering of data sets or blurring techniques used in place of the real patient identity. To mitigate the effects of privilege abuse, methods such as role-based access control, monitoring of user activities and regular access audits should be implemented.
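The abstract's final recommendation against privilege abuse (role-based access control, monitoring of user activities and regular access audits) can be made concrete in code. The following is an added example written for this page, not code from the paper or its author: a minimal least-privilege check for an electronic health record system, plus an audit pass over an access log that flags requests the policy denies (the "unauthorized access" criterion) and an authorized user who reads many patients' records outside their own care team within one hour (the privilege-abuse or "snooping" pattern). The role permission table, the department-scope rule, the five-patients-per-hour threshold and all log events are constructed assumptions, not data or findings from the paper.

```python
"""Least-privilege (RBAC) checks and access-log auditing for an EHR system.
Added example; the policy, roles and events are constructed, not the paper's data."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed role -> permitted-actions table (assumed policy, not from the paper).
ROLE_PERMISSIONS = {
    "physician": {"read_record", "write_record", "read_lab"},
    "nurse": {"read_record", "read_lab"},
    "billing": {"read_billing"},
    "admin": {"manage_users"},  # system administration only, no clinical data access
}
CLINICAL_ACTIONS = {"read_record", "write_record", "read_lab"}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    department: str


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user_id: str
    action: str
    patient_id: str
    patient_department: str
    on_care_team: bool  # assumed EHR attribute: the user is assigned to this patient


def is_authorized(user, event):
    """The role must permit the action; clinical actions are further limited to
    patients of the user's own department (assumed scope rule)."""
    if event.action not in ROLE_PERMISSIONS.get(user.role, set()):
        return False
    if event.action in CLINICAL_ACTIONS:
        return event.patient_department == user.department
    return True


def audit(users, events, max_patients_per_hour=5):
    """Replay an access log in time order and return findings as
    (kind, user_id, patient_id) tuples:
      'unauthorized'    - the request is denied by policy
      'privilege_abuse' - an authorized user read more than max_patients_per_hour
                          distinct patients outside their care team within one
                          hour (reported once per user)"""
    by_id = {u.user_id: u for u in users}
    findings, flagged = [], set()
    window = defaultdict(list)  # user_id -> [(ts, patient_id)] of non-care-team reads
    for ev in sorted(events, key=lambda e: e.ts):
        user = by_id.get(ev.user_id)
        if user is None or not is_authorized(user, ev):
            findings.append(("unauthorized", ev.user_id, ev.patient_id))
            continue
        if ev.on_care_team or ev.action not in CLINICAL_ACTIONS:
            continue
        # keep only the last hour of this user's non-care-team clinical reads
        recent = [(t, p) for t, p in window[ev.user_id]
                  if ev.ts - t <= timedelta(hours=1)]
        recent.append((ev.ts, ev.patient_id))
        window[ev.user_id] = recent
        distinct = {p for _, p in recent}
        if len(distinct) > max_patients_per_hour and ev.user_id not in flagged:
            flagged.add(ev.user_id)
            findings.append(("privilege_abuse", ev.user_id, ev.patient_id))
    return findings


def run_demo():
    """Constructed users and log events; returns the audit findings."""
    users = [User("dr_a", "physician", "cardiology"),
             User("nurse_b", "nurse", "oncology"),
             User("bill_c", "billing", "finance"),
             User("adm_d", "admin", "it")]
    t0 = datetime(2024, 12, 29, 9, 0)
    events = [
        AccessEvent(t0, "dr_a", "read_record", "P1", "cardiology", True),
        AccessEvent(t0 + timedelta(minutes=1), "bill_c", "read_record", "P1", "cardiology", False),
        AccessEvent(t0 + timedelta(minutes=2), "nurse_b", "read_record", "P2", "cardiology", False),
        AccessEvent(t0 + timedelta(minutes=3), "adm_d", "read_record", "P3", "cardiology", False),
        AccessEvent(t0 + timedelta(minutes=4), "bill_c", "read_billing", "P1", "cardiology", False),
    ]
    # dr_a browses six cardiology patients not under their care within 20 minutes
    for i in range(6):
        events.append(AccessEvent(t0 + timedelta(minutes=10 + 2 * i), "dr_a",
                                  "read_record", f"P1{i}", "cardiology", False))
    # one more read three hours later: the one-hour window has emptied, so no alert
    events.append(AccessEvent(t0 + timedelta(hours=3), "dr_a", "read_record", "P20", "cardiology", False))
    return audit(users, events)


if __name__ == "__main__":
    for kind, user_id, patient_id in run_demo():
        print(f"{kind:16s} user={user_id} patient={patient_id}")
```

Running the file prints three denied requests (a billing user, a nurse from another department and a system administrator reading clinical records) and one privilege-abuse finding for the physician whose reads are individually authorized but collectively anomalous. The two checks are deliberately separate: the policy decision is made at request time, while the snooping pattern is only visible when the log is reviewed, which is why the abstract pairs access control with activity monitoring and periodic access audits.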



Published: 29.12.2024

How to Cite

Yılmaz, E. (2024). Analysis of personal health data breaches: prioritization with BWM approach. JOURNAL OF ORIGINAL STUDIES, 5(2), 73–84. https://doi.org/10.47243/jos.2612

Section: Articles