Developing a Privacy Compliance Scale for IoT Health Applications

Internet of things (IoT) is rapidly gaining popularity in the healthcare industry. Though these systems are ubiquitous, pervasive and seamless, the issue of consumers' privacy remains debatable. There is a marked rise in awareness amongst patients where data privacy is concerned. IoT-based health applications are more prone to privacy risks, and hence general privacy guidelines for health applications are not adequate. Often, privacy is overlooked, causing consumers to lose interest in using an application continuously. In this paper, we propose a compliance scale modelling the privacy principles for privacy-aware novel IoT-based health applications. We have conducted an analytical review of privacy guidelines to arrive at the essential principles required to develop and measure privacy-aware IoT health applications, after discarding irrelevant principles, extracting repeating core principles, and merging relevant principles. A quantitative survey was deployed to empirically evaluate the proposed scale and finalise the principles based on their significance. The proposed compliance scale presents essential privacy principles to adhere to in the development of novel IoT health applications. It would be significant for policymakers and application developers to measure, better understand and respect the privacy principles of consumers towards novel IoT-based health applications.


Introduction
Privacy can be conceptualised as the right to be left alone. It refers to the process of disclosing and mobilising one's personal data under certain conditions and safeguarding measures [1]. The distinction, or overlap, between 'privacy' and 'security' is subtle. While 'privacy' indicates freedom from unauthorised intrusion, 'security' alludes to the procedures or measures taken to ensure the safeguarding of privacy.
Privacy is a prominent issue for consumers in a globally connected network society [2]. Concern about privacy risks is escalating as we move into a ubiquitous world, where more innovative self-care applications are being developed using the prominent technology widely known as the Internet of Things (IoT).
IoT is a convergence of smart devices that generate data through sensors to create new information and knowledge, boosting human intelligence, efficiency and productivity to enhance the quality of life. It is a highly distributed and ubiquitous network of seamlessly connected heterogeneous devices integrated with the existing Internet and mobile networks. IoT paves the way for new intelligent health services which are made available anytime, anywhere, by anyone and anything. Healthcare is one of the most attractive applications for IoT [4] because it is designed to improve the efficiency, effectiveness, quality and cost of healthcare by enabling physicians to remotely monitor their patients as well as letting individuals manage their health with ease [5].
Unlike typical health applications that offer health-related services via smartphones and tablets, IoT-based health applications involve a collection of health tools and medical devices which require Internet connectivity [5]. They encompass a broad range of applications that provide health care services such as remote health monitoring, fitness programs, elderly care, electronic patient records, telemedicine, surgical simulations and much more. The devices associated with these applications are often wearable technology devices. Other examples include headsets that measure brainwaves, clothes with sensing devices, BP monitors, glucose monitors, ECG monitors, pulse oximeters, sensors embedded in medical equipment, dispensing systems, surgical robots and device implants. Figure 1 illustrates an example of how IoT enables remote healthcare, in which health data of patients are transmitted to healthcare providers via wireless telecommunication devices for monitoring and treatment purposes. In a nutshell, these applications have great potential for advanced personalised connected healthcare, some of which has never been imagined before but is nevertheless possible via the integration of diverse technologies. However, these applications are prone to unknown risks and issues. Despite the benefits of leveraging IoT-based health applications, there are many challenges associated with their implementation. As an example, health data collected rapidly from various sources may significantly impact consumers' privacy. It may lead to potential widespread surveillance of individuals without their consent or knowledge [6]. In June 2015, a substantial privacy-violation attack occurred when malware compromising blood gas analysers gained access to hospital networks and in the process stole confidential data [7].
Computer Science and Information Technology 6(4): 54-62, 2018
Apart from this, the open and interconnected environment of IoT supports the exchange of sensitive data on mental health, genetics, reproductive care and substance abuse, which are prone to privacy abuse. Furthermore, all online and offline activities are recorded and stored forever, which may expose them to identity threats, location threats and data eavesdropping [8]. This raises concerns as to who will have access to this information and under what terms and conditions, and whether the public will be subjected to serious privacy infringement [9]. Recent breaches of health information underscore that the risks are real. In a 2006 study, when Americans were asked about the advantages of and worries about online health information, 53% of them were worried about insurers gaining access to this health information, 56% were worried about employers having access to their health information, 77% reported being very concerned about their health information being used for marketing purposes, and 80% stated that they were very concerned about identity theft or fraud [10]. In a recent poll, one in six adults (17%), representing 38 million individuals, admitted that they withhold health information from their health providers due to concerns about how the medical data might be disclosed [11]. Therefore, adequate privacy guidelines must be incorporated from the outset in the design process of the health application itself.
Since IoT health applications are still at an early stage of development, this is the critical window in which to address their privacy requirements. In a nutshell, the existing privacy scales and guidelines for health information are not comprehensive, consistent or sufficient, which makes a strong case for the importance of our study. There are guidelines available for developers to design applications that safeguard the privacy of consumers. Likewise, there are the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) to enforce the privacy and protection of consumers' health information [12]. However, most of the available guidelines provide general privacy principles which may be insufficient for designing novel IoT applications that deal with sensitive health information. We argue that IoT-based health applications are more susceptible to privacy risks and hence privacy guidelines for health applications in general are inadequate. Moreover, privacy is often overlooked, causing consumers to lose interest in using an application continuously. The emphasis of most research efforts is on the design of security guidelines or on combined privacy and security frameworks. Hence, the main objective of this paper is to develop a privacy compliance scale to assist in the design of IoT-based health applications. We have critically reviewed several privacy guidelines to identify the relevant principles to include in the scale. A quantitative survey was deployed to empirically evaluate the proposed scale and finalise the principles based on their significance.

Methodology
This study was built upon two approaches: an analytical review and a quantitative survey. The first approach addresses the two primary objectives: (1) to identify the privacy requirements for IoT-based health applications and (2) to develop a scale modelling those privacy requirements. Therefore, we reviewed the literature on privacy requirements in the context of IoT health applications and formulated the scale after discarding irrelevant principles, extracting repeating core principles, and merging relevant principles. Well-established models such as the U.S. Office of the National Coordinator (ONC) framework were the theoretical basis for the scale development. In the second approach, a quantitative survey was deployed to empirically evaluate the proposed model and finalise the factors based on their significance. However, since there were inadequate studies on the privacy requirements of IoT-based health applications, the survey had to be built from scratch based on existing privacy guidelines. Thus, we conducted an expert review with a total of four experts, two from the medical field and two from the education field, to ensure that the statements included in the questionnaire were clear, comprehensible and interpreted correctly by the respondents. Expert reviews have "value in identifying question problems that result in lower survey data quality" [13]. The experts' comments and feedback were used to improve the survey.
The survey was administered for a month between January and February 2017. Along with the questionnaire, we attached a short write-up about IoT health applications covering definitions and examples. Quantitative research emphasises collecting numerical data to answer a particular question. A one-to-five rating scale was used as the measure in the survey. Data was collected via an online survey developed using Survey Monkey; we also prepared a printed version for distribution. Altogether we had 140 respondents for the study; only 128 responses were usable, and the remaining 12 were discarded due to skipped sections and irrelevant answers. The online survey link distributed to potential respondents was https://www.surveymonkey.com/r/kaveneshweb. A copy of the questionnaire is attached in the appendix of this paper as well. Data analysis for this study was conducted with SPSS version 19. Descriptive analysis was performed to determine the demographic information of the respondents together with descriptive information. Descriptive statistics are useful to describe the basic features of the data; they provide simple summaries about the sample and the measures. A reliability test, Cronbach's alpha, was also undertaken to assess the internal consistency of the questionnaire items. Cronbach's alpha helps to determine whether the test one has designed accurately measures the variable of interest [14]. Furthermore, the Kaiser-Meyer-Olkin (KMO) and Bartlett's tests were also conducted to determine the suitability of the data for factor analysis. The KMO and Bartlett's test is a measure of sampling adequacy that is recommended to check the case-to-variable ratio for the analysis being conducted [15]. Last but not least, Exploratory Factor Analysis (EFA) was done to identify the underlying dimensions of privacy requirements.
EFA helps summarise data by regrouping variables into a limited set of clusters based on shared variance so that relationships and patterns can be easily interpreted and understood [16]. Figure 2 below depicts a graphical representation of the approaches used in conducting the research.

Existing Privacy Guidelines
Identification of privacy requirements for IoT-based health applications is vital for developers to understand the expectations of consumers, ensuring confident and sustainable use of novel IoT applications. In this section, we review existing solutions aimed at preserving privacy in several areas, presented in chronological order. Table 1 summarises the privacy principles included in existing guidelines.
Aivaloglou, Gritzalis & Skianis [17] reported a set of requirements to design privacy-aware sensor networks.
The proposed guideline was derived from an understanding of privacy requirements and the challenges in preserving privacy. This guideline presents five principles with an emphasis on sensor networks, which are the backbone for developing ubiquitous IoT-based solutions and are known to impose greater privacy risks.
In May 2008, the Center for Democracy & Technology released a comprehensive privacy and security framework to support the protection of health data [18]. This framework is a revised version of the framework that was released by the Markle Foundation in the project Connecting for Health [10]. The framework contains nine principles that are based on a mix of legislative action, regulation and industry commitment.

Figure 2. Research Design Process
A comprehensive framework governing the electronic exchange of individually identifiable health information was introduced by the ONC for Health Information Technology [19]. In the development of this ONC framework, various international, national, public-sector, private-sector and security principles were reviewed. A careful review and analysis of these principles was conducted, accommodating as much variation as possible while keeping in mind how they apply to electronic data. The ONC framework covers eight principles that serve as a guideline for public and private sector entities that hold or exchange electronic individual health-related data and help to guide the Nation's adoption of health information technologies.
In 2014, Alqassem and Svetinovic [20] released a taxonomy of security and privacy requirements for the IoT. The taxonomy presents quality attributes applied to an IoT smart grid scenario. The document supports further investigation of expected privacy and security vulnerabilities and threats in the IoT. The four principles presented mainly cover the security aspects of the IoT.
More recently, AL-mawee [8] reported a survey on security and privacy issues in IoT healthcare applications in the context of disabled users. It presents a wide range of IoT-based applications for the disabled and identifies the respective security and privacy issues for each. Furthermore, the main solutions for these applications were discussed at length, and the prominent privacy and security requirements for the disabled were defined as well. This study presented a guideline consisting of seven principles.
Recently, Porambage et al. [21] reported design guidelines for preserving privacy in the IoT in general. The guidelines are applicable to governing the privacy issues and concerns of different industries, specifically healthcare, smart homes, public safety and supply management. They provide insight into privacy requirements that should be integrated into the development of privacy guidelines, in our context for IoT-based health applications. The guidelines are based on examining complementary technology- or application-specific privacy guidelines and IoT network attributes such as technological aspects and legal regulations. They provide nine characteristics to be included when deploying an IoT privacy guideline.

Findings & Discussion
This study proposes a compliance scale modelling the privacy requirements for IoT-based health applications. The guidelines presented in the preceding section are critically reviewed with respect to their suitability to aid the development of privacy-aware IoT-based health applications. The principles were evaluated using a list of pre-defined criteria, after which the essential privacy principles to govern IoT-based health applications were derived. The following list describes the criteria used to gauge the suitability of the existing guidelines for privacy-aware IoT health applications: (1) generalizability: to what extent is the guideline applicable to IoT-based health applications in general? (2) ambiguity: is any principle ambiguous, or similar to another but segmented into two different principles? (3) relevance: are the principles relevant for IoT-based healthcare applications? (4) completeness: are the principles adequate to cater for IoT-based healthcare applications?
Our analysis of existing privacy guidelines reveals the essential principles to adhere to in an ideal privacy-aware application. The guidelines presented above are aimed at preserving privacy in specific areas. Of the six guidelines analysed, four are related to IoT (G1, G4, G5 and G6), whereas G2 and G3 focus on preserving the privacy of health data in general. Based on our review, not much work has been done in the area of safeguarding privacy in IoT, and to the best of our knowledge, ours is the first study whose primary focus is on IoT-based health applications.
Results presented in Table 2 indicate that the guidelines reviewed in this paper are useful for their respective purposes but are not sufficient for governing IoT health applications. Each of the reviewed guidelines has its strengths and limitations with regard to its suitability for governing the privacy aspects of IoT health applications; however, G2, G3 and G6 require minimal modification if applied in our context. We also noted that none of the above guidelines covers the life-span of the collected data. The duration for which health data is stored might pose a privacy concern. Data subjects should be informed by the data users about the period of storage of their data, and it is also the right of the data subjects to be aware of when their health data will be disposed of.

Table 3 illustrates the proposed privacy compliance scale. The included principles were carefully examined and incorporated from the guidelines above.

Access control
Consumers' health-related information should only be accessible to authorised personnel. Limited access to consumers' health-related information should be ensured.

Anonymity
The identity of the consumers using IoT-based health applications, devices and systems needs to be protected. Unlinkability must be ensured between the consumers and their respective health-related data. Identification and tracking of consumers should be impossible, and indistinguishability among consumers should be achieved.

Consent
Before the collection of health-related data, the consumer needs to be informed of the details being collected. Clinicians or third parties may access the information only with the consent of the consumer. The data subject's consent is also needed for the duration of storage and for the disposal of the collected health data.

Data disclosure
The consumer needs to be notified of, and aware of, with whom his/her health data is being shared. Once the user has clearly understood, via a short notice, with whom the data will be disclosed, the collection process may take place. The consumer must be empowered to decide whether to share his/her health-related information with third parties or other entities.

Data minimization
The collection and storage of consumers' health data should be minimised to the information necessary to perform a service.

Openness and transparency
Consumers need to know not only the use of their health data but also the manner of its collection. The personnel who have access to it and where it resides should also be made clear.

Purpose specifications
The purpose for which the health data is being collected needs to be specified at the time of collection. The usage of the data should be limited to the purpose stated at the outset, and if there is any further use of it, the user should be notified from time to time.

Safeguard and remedies
Consumers' health data should be protected against risks such as unauthorised access and destruction. In the event of a breach, the consumer should be notified of the breach and violation.

Data life-span
The duration for which the collected health data is stored: after the prescription, how long the health data may be kept by the data user. If the health care data is no longer needed, it should be disposed of with the data subject's consent. If the data is required for a further prescription, then the data subject's consent is needed to extend the storage duration.
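The principles of Table 3 become easier to reason about when each is a concrete check that a developer can run; the Python below is an added illustration, not code from the paper. It models one health record with an assumed design (a collection purpose, the data subject's consents, a retention deadline and an audit trail) and refuses any operation that would breach access control, consent, data disclosure, data minimization, purpose specification or data life-span, disposing of the record at expiry unless the subject consented to an extension. The field policy, roles, dates and the glucose reading are constructed sample values.

```python
"""Table 3's principles as runtime checks on one health record (constructed example, not the paper's code).
Assumed design: each record carries its purpose, the data subject's consents and a retention deadline."""
from dataclasses import dataclass, field
from datetime import date, timedelta

FIELDS_FOR_PURPOSE = {"glucose_monitoring": {"glucose_mg_dl", "timestamp"}}   # data minimization policy
ROLES_FOR_PURPOSE = {"glucose_monitoring": {"patient", "treating_clinician"}}  # access control policy

class PrivacyViolation(Exception): pass   # raised when an operation would breach a principle

@dataclass
class HealthRecord:
    subject_id: str
    purpose: str
    expires: date                               # data life-span: end of the agreed storage period
    payload: dict
    consents: set = field(default_factory=set)  # e.g. "collect", "share:<party>", "reuse:<purpose>"
    disposed: bool = False
    audit: list = field(default_factory=list)   # openness and transparency: who read what, when, why

def collect(subject_id, purpose, payload, collected, retention_days, consents):
    """Consent, purpose specification and data minimization at collection time."""
    if "collect" not in consents:
        raise PrivacyViolation("consent: subject has not agreed to collection")
    allowed = FIELDS_FOR_PURPOSE.get(purpose, set())          # unknown purpose allows nothing
    if set(payload) - allowed:
        raise PrivacyViolation(f"data minimization: {sorted(set(payload) - allowed)} not needed for {purpose}")
    return HealthRecord(subject_id, purpose, collected + timedelta(days=retention_days), dict(payload), set(consents))

def access(record, actor, role, purpose, today):
    """Access control, purpose limitation and data life-span on every read."""
    if record.disposed or today >= record.expires:
        raise PrivacyViolation("data life-span: record is past retention and must not be read")
    if role not in ROLES_FOR_PURPOSE.get(record.purpose, set()):
        raise PrivacyViolation(f"access control: role {role} may not read this record")
    if purpose != record.purpose and f"reuse:{purpose}" not in record.consents:
        raise PrivacyViolation(f"purpose limitation: {purpose} differs from the stated purpose")
    record.audit.append((today, actor, role, purpose))
    return record.payload

def disclose(record, third_party, today):
    """Data disclosure: sharing with a third party needs the subject's explicit consent."""
    if f"share:{third_party}" not in record.consents:
        raise PrivacyViolation(f"data disclosure: no consent to share with {third_party}")
    record.audit.append((today, third_party, "third_party", "disclosure"))
    return record.payload

def enforce_life_span(record, today):
    """Data life-span: at expiry, dispose unless the subject consented to an extension."""
    if record.disposed or today < record.expires:
        return "retained"
    if "extend_retention" in record.consents:
        record.expires += timedelta(days=365)        # extension length is an assumed policy value
        record.consents.discard("extend_retention")  # a fresh consent is needed for the next extension
        return "extended"
    record.payload.clear()                           # safeguard: nothing left to leak after disposal
    record.disposed = True
    return "disposed"

def violates(fn, *args):
    """True when a principle check refuses the operation."""
    try:
        fn(*args)
        return False
    except PrivacyViolation:
        return True

def run_scenario():
    """Walks one constructed record through collection, use, disclosure and disposal."""
    consents = {"collect", "share:treating_clinic", "extend_retention"}
    reading = {"glucose_mg_dl": 112, "timestamp": "2017-01-05T08:00"}
    rec = collect("patient-42", "glucose_monitoring", reading, date(2017, 1, 5), 30, consents)
    d = date(2017, 1, 10)
    out = {"overcollection_refused": violates(collect, "patient-42", "glucose_monitoring",
                                              dict(reading, home_address="x"), date(2017, 1, 5), 30, consents),
           "clinician_read": access(rec, "dr-lee", "treating_clinician", "glucose_monitoring", d)["glucose_mg_dl"],
           "employer_refused": violates(access, rec, "hr-bot", "employer", "glucose_monitoring", d),
           "marketing_refused": violates(access, rec, "dr-lee", "treating_clinician", "marketing", d),
           "insurer_refused": violates(disclose, rec, "insurer", d),
           "clinic_shared": "glucose_mg_dl" in disclose(rec, "treating_clinic", d)}
    out["first_expiry"] = enforce_life_span(rec, date(2017, 2, 4))   # consent on file: extended
    out["second_expiry"] = enforce_life_span(rec, date(2018, 2, 4))  # consent consumed: disposed
    out["read_after_disposal_refused"] = violates(access, rec, "dr-lee", "treating_clinician", "glucose_monitoring", date(2018, 2, 5))
    out["audit_entries"] = len(rec.audit)
    return out
```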
The quantitative study evaluating the scale was conducted with a sample of 128 respondents from diverse backgrounds (mean age 26, SD = 8.22). Table 4 presents the demographic information of the respondents. The following section reports the descriptive statistics on the variables of the study. The statistical interpretation, adopted from Klein [22], is based on Table 4, and Table 5 reveals the overall mean score value and its respective status. In summary, based on the analysis of the questionnaire, eight of the dimensions, each with three items, produce an overall mean of 4.21 and above, which corresponds to Strongly Agree; the last dimension, Data Life-Span, has an overall mean of 4.20, which corresponds to Agree.
Cronbach's alpha is used to measure internal consistency, especially when a questionnaire has multiple Likert questions that form a scale, in order to determine whether the scale is reliable [23]. Therefore, the Cronbach's alpha test was conducted to confirm the validity of the questions prepared for the study. Table 6 below illustrates the reliability ranges for Cronbach's alpha. However, a higher coefficient does not always mean a higher degree of reliability, because alpha is affected by the length of the test. For instance, in our study the length is short, which leaves the value of alpha small [22]. Therefore, when all 27 items are combined, as shown in Table 7, the alpha value increases compared to analysing the items per factor. All nine dimensions therefore produced an adequate status. KMO is calculated for individual and multiple variables. It presents the ratio of the squared correlation between variables to the squared partial correlation between variables. The KMO statistic ranges between 0 and 1. A value close to 1 indicates that patterns of correlations are relatively compact, so factor analysis should yield distinct and reliable factors. Kaiser [24] recommends accepting values higher than 0.5 as barely acceptable; values below this should lead one either to gather more information or to re-examine which factors to incorporate. Values between 0.5 and 0.7 are mediocre, values between 0.7 and 0.8 are good, values between 0.8 and 0.9 are great, and values above 0.9 are superb [25]. Bartlett's test tests the null hypothesis that the original correlation matrix is an identity matrix, so significance values below 0.05 are highly significant. For these data, Bartlett's test is highly significant (Sig. = .000) [25]. In addition, the KMO test produced a sampling adequacy of 0.919 (refer to Table 8), which is more than sufficient. EFA was then conducted on the 27 items related to the nine dimensions to extract, merge and discard the final dimensions. Table 9 shows the developed privacy compliance scale for IoT health applications with standard labels (Strongly Disagree to Strongly Agree, ranging from 1 to 5) and the codes that were used in the EFA. The pattern matrix of the EFA is presented in Table 10. The common extraction method, principal component analysis, was used with the promax rotation method to make the output more understandable. The results suggested that all nine dimensions remain, since they keep most of the original value. No items were removed or merged due to cross-loadings or strong relations among each other. Therefore, the pattern matrix supports all the dimensions being included in the final scale.
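As an added illustration (not the paper's SPSS analysis), the following Python computes Cronbach's alpha for a nine-dimension, three-item, 1-to-5 Likert scale and shows the test-length effect discussed above: the alpha of the 27 pooled items exceeds that of any three-item subscale. The response matrix is constructed with a seeded generator, the dimension codes other than DM, OT, PS and SR are assumed, and the two small hand-checked data sets give known alpha values of 0.975 and 0.

```python
"""Cronbach's alpha for a 1-5 Likert scale of nine dimensions with three items each.
Added illustration in pure Python, not the paper's SPSS analysis; the 128 x 27 responses
are constructed from a seeded generator, so only the two small hand-checked sets have known values."""
import random
from statistics import variance   # sample variance (n - 1), as statistics packages report it

DIMENSIONS = ["AC", "AN", "CO", "DD", "DM", "OT", "PS", "SR", "DL"]  # DM, OT, PS, SR from Table 9; others assumed
ITEMS_PER_DIMENSION = 3

def cronbach_alpha(rows):
    """rows: one list of k item scores per respondent. alpha = k/(k-1) * (1 - sum(item var) / var(total))."""
    k = len(rows[0])
    if k < 2:
        raise ValueError("alpha needs at least two items")
    item_vars = [variance([r[j] for r in rows]) for j in range(k)]
    total_var = variance([sum(r) for r in rows])
    return (k / (k - 1)) * (1 - sum(item_vars) / total_var)

def constructed_responses(n=128, seed=2017):
    """Constructed sample: one agreement level per respondent drives all 27 items, plus item noise."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        agreement = rng.gauss(4.0, 0.7)
        row = [round(agreement + rng.gauss(0, 0.6)) for _ in range(len(DIMENSIONS) * ITEMS_PER_DIMENSION)]
        rows.append([min(5, max(1, score)) for score in row])   # clamp to the 1-5 Likert range
    return rows

def alpha_per_dimension(rows):
    """Alpha of each three-item subscale, i.e. the 'items per factor' analysis."""
    out = {}
    for i, code in enumerate(DIMENSIONS):
        cols = range(i * ITEMS_PER_DIMENSION, (i + 1) * ITEMS_PER_DIMENSION)
        out[code] = cronbach_alpha([[r[j] for j in cols] for r in rows])
    return out

def length_effect(rows):
    """(highest per-dimension alpha, alpha of all 27 items pooled); with a shared factor the second is larger."""
    return max(alpha_per_dimension(rows).values()), cronbach_alpha(rows)

# Hand-checkable sets: items that move together versus items with zero covariance.
CONSISTENT = [[5, 5, 5], [4, 4, 5], [3, 3, 3], [2, 2, 3]]   # alpha = 0.975
UNRELATED = [[5, 1, 5], [1, 5, 5], [5, 5, 1], [1, 1, 1]]    # alpha = 0.0

if __name__ == "__main__":
    for code, a in alpha_per_dimension(constructed_responses()).items():
        print(f"{code}: alpha = {a:.3f}")
    print("all 27 items: alpha = %.3f" % cronbach_alpha(constructed_responses()))
```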

Table 9 (excerpt): scale items with their EFA codes

Data Minimization
DM1 The collection and storage of my health data should be minimised to what is needed to perform a service in the IoT health application.
DM2 Unnecessary collection of health or personal data should be avoided at all times; only the necessary information should be extracted to perform a service in the IoT health application.
DM3 My health data should be collected for the specified purpose and obtained in a lawful and fair manner.

Openness and Transparency
OT1 I need to be clear about the usage of my health data that is captured via the IoT health application.
OT2 I need to know the manner of collection and where my health data resides.
OT3 I need to know who will have access to my health data.

Purpose of Specifications
PS1 The purpose for which my health data is being collected via the IoT health application should be specified at the time of collection.
PS2 The usage of data should be limited to the particular purpose stated at the outset.
PS3 If my health data is going to be used for purposes other than those indicated initially, I should be notified from time to time.

Safeguard and Remedies
SR1 My health data should be protected against all possible risks such as unauthorised access and destruction.
SR2 My health data should be safeguarded especially in terms of storage, use and disclosure of health information.
SR In the event that a breach takes place, I should be notified regarding the breach and violation as soon as possible.

The final scale (refer to Appendix) was formulated upon discarding irrelevant requirements, extracting repeating core principles, and merging relevant principles. It is anticipated that this scale will be useful for developers to better understand the privacy requirements of consumers towards novel IoT-based health applications and would enable them to develop privacy-aware IoT health applications.

Conclusion and Future Work
There have been inadequate studies of the privacy requirements of IoT-based health applications. We have studied existing privacy guidelines to derive suitable principles that are salient to developing privacy-aware IoT-based health applications. Results indicate that access control, anonymity, consent, data disclosure, data life-span, data minimization, openness and transparency, purpose of specifications, and safeguard and remedies are essential principles to be respected in designing a privacy-aware health application. The derived principles make up a scale that would be useful for policymakers and application developers to better understand and measure the privacy requirements of consumers towards IoT-based health applications. Due to time constraints, we did not try the scale with an actual IoT health application; however, we provided an overview of IoT health applications, complemented with a diagram to illustrate how they work. Future research could embark on the validation of the proposed framework with an actual IoT health application.