Mar 20, 2009
The EU agency ENISA [European Network and Information Security Agency] today released its report presenting major potential Emerging and Future Risks [EFR] in a possible remote health monitoring and treatment scenario. The report is the result of an Emerging and Future Risk assessment based on scenario building and analysis. E-health is the first scenario that has been developed and analyzed by an international group of interdisciplinary experts. The report identifies 14 risks. It also underlines the importance of a cautionary approach to the adoption of beneficial e-health solutions: “Caution seems to be the prudent answer at this point: the benefits are clear, but also the risks entailed cannot be ignored”.
In our scenario, Ralph is a diabetic enrolled in a remote health monitoring and treatment programme. He goes about his daily business wearing a special vest with biosensors that keep track of his vital signs and ensure rapid response from doctors, while his personal data may be literally flowing around in order to enable this kind of service. This scenario shows us that remote health schemes undoubtedly offer great potential. Many benefits can be identified for citizens’ wellbeing and quality of life, but what are the risks entailed? It seems that e-health solutions are very important and beneficial. At the same time, they may generate serious considerations regarding security, privacy, data protection and legal matters, as well as in the social, political and ethical areas.
In the course of the study, the major assets that are to be protected, e.g. health, life, human rights, etc., were identified. Based on this, the most important risks to these assets were then identified and further analysed. This follows a comprehensive risk assessment approach, as developed by ENISA in the context of the Emerging and Future Risks Framework. In a nutshell, the report draws attention to 14 major risks in total, among them breaches of data protection legislation; mission creep, meaning secondary use of data; intrusive data surveillance and profiling by insurance companies, employers, credit-checking companies, etc.; data loss or theft; system failures; and service disruption.
The Agency commented:
“With the development of the EFR capacity, the agency aims at early identification of risks for new application areas and/or technologies. This will help developers and policy makers understand the impacts of new applications and manage the resulting risks. At the example of the analyzed e-Health scenario ENISA underlines the risks of an overly optimistic approach to e-health, driven by the industry. While such initiatives and services are undoubtedly beneficial and worth deploying for the general good, we must at least identify and understand the various challenges that are posed and need to be overcome, in particular in respect to security and privacy.”