Appendix A Study Committee's Site Visit Guide
General Protocol For Site Visits
STEP 1: Develop general field visit guide for use by all teams at all sites
- list topics to cover (see list I below)
- list questions to ask (see, "Possible Questions for Site Visit Interviews" below)
- select sites
STEP 2: Pre-visit contact
- make arrangements for visit (time, place, hotels)
- ask for documents on study issues ahead of time (see list II below)
- identify people to interview on site (see list III below)
STEP 3: Team preparation (conference calls)
- teams review documents, match them to questions, identify gaps/areas in need of on-site questioning
- make final decisions regarding individuals to interview on-site
STEP 4: Generate customized site visit protocol
STEP 5: Conduct site visit
- kick off introductory meeting with CEO/CIO and all actors
- follow up with one-on-one interviews
STEP 6: Debrief/draft report
- each site visitor reports on interviews
- each site visitor summarizes his or her "picture"
- team leader assimilates inputs and drafts overall report
Site Visit Information
I. Topics to cover
- Privacy policies
- Implementation of privacy policies
- Responsibilities for developing and enforcing policies
- Training of employees
- Past security incidents/events
- Definitions of privacy, confidentiality, and security
- Content of electronic medical records
- Description of information system(s)
- Perception of internal security threats
- Perception of external security threats
- Description of security mechanisms
- Evaluation of security mechanisms
- Disaster planning
- Security/damage control plans
II. Documents/information to request ahead of time
- Organization's mission statement
- Organizational chart
- Privacy and security policies
- Enabling/implementation documents for privacy/security policies
- Description of personnel practices for punishing violators
- Policies on record-keeping
- Policy for release of information from medical records
- Information system description(s)
- Strategic plan for information system
- Description of security systems for information system
- List of responsibilities within information systems department
- who is responsible for data release internally and externally?
- who has administrative oversight for making sure information policies are actually implemented?
III. People to interview
- Technical systems administrator
- Network manager
- Security director
- Medical records director
- User groups (physicians, nurses, others?)
- Legal department or counsel
Possible Questions For Site Visit Interviews
I. Organization and confidentiality policies
A1) What is the general structure of the organization? A2) What are the goals of the organization? A3) What types of services do you offer and in what types of settings? A4) To what extent do you work with affiliated health care providers?
B1) What are the organization's existing policies regarding security and confidentiality of medical records? B2) How are they stated and promulgated? B3) What information do they try to protect? B4) Are there policies targeted specifically toward electronic medical records? B5) If so, how are they different from policies directed toward paper records? B6) What balance do the policies strike between patient confidentiality and provider access?
C1) Are patients given access to their own records? If so, can they see the entire record or just an abstract? C2) Are they allowed to make corrections to their own records?
D1) Who else can information be released to (insurers, researchers, other doctors, etc.)? D2) What limits are placed on such releases? D3) Is all information released, or just some? D4) Are additional restrictions placed on "sensitive data" such as HIV tests, drug and alcohol abuse? D5) What procedures must requesters follow in order to access medical information? D6) Must patients consent to releases of medical information?
E1) What is the process by which privacy and security policies are developed and implemented? E2) Is there a committee that regularly reviews confidentiality policies? E3) Who reviewed and signed off on the existing policies? E4) Have clients/consumers been involved in the development of the confidentiality policies? E5) Have you received comments or questions from consumers regarding the information system and confidentiality or security of their data?
F1) What factors motivate and shape the development of confidentiality policies: state and federal legislation, lawsuits, unauthorized releases of medical information? F2) What types of liabilities do the policies protect against? F3) Do they create other liabilities/legal problems? F4) Do policies themselves leave the organization open to suit (e.g., unfair termination or negligence)?
G1) How are violators punished? G2) How are they caught? G3) Are mechanisms in place to monitor and catch violations?
H1) What has been the response to the policy, both internally and externally? H2) What is management's view of privacy and confidentiality? H3) Who are the stakeholders in the medical information systems they use? H4) What does "security" mean to these stakeholders? H5) What information is viewed as being especially sensitive?
I1) What do you see as the primary needs for privacy and security in health care information systems? I2) How do these differ across users: providers, patients, third-party payers/insurers, public health organizations, law enforcement, researchers?
II. Data exchanges
A1) With what other institutions are data exchanged? Insurers? Government agencies (state and federal)? Other hospitals? Regulatory authorities? A2) How much of the data is exchanged? A3) Who decides on policy for what gets shared with whom? A4) What quality control mechanisms exist to ensure that policy is carried out?
III. Aggregated data
A1) What procedures are in place to handle requests for aggregate data? A2) Do researchers have access to the repository of clinical data for large-scale queries? A3) Is such access routinely available or does it have to be arranged, e.g., by ad hoc dump of data files from the operational system?
B1) If data are made available for research studies, is there any attempt to "scrub" (remove identifying information from) the data? B2) If yes, what standards are established for the degree of scrubbing, who sets such standards, and how are they verified?
C1) Is institutional review board approval required for all such studies?
D1) If a researcher is a participant in multi-institutional trials, is there hospital policy on whether shared data may retain or must have removed all identifiers?
IV. Policy implementation
A1) How/how well do specific policies actually work in practice? A2) What issues still need to be addressed? A3) Who is responsible for system security?
B1) Who is responsible for implementing privacy and security policies? B2) Is there a security officer? B3) How big is the security staff? B4) Is responsibility centralized or distributed among a number of people? B5) If there is a central person, how is responsibility delegated to other units/people?
C1) Is there a variance between the policies for paper records and electronic records regarding security and access? C2) Are there differences in accountability for paper and electronic records?
V. Past security incidents
A1) What types of violations/incidents have occurred in the past? A2) How were they detected? By whom? A3) How were they punished? A4) Was the punishment public? A5) Who handled the punishment?
B1) Are there reporting mechanisms for apparent anomalous behavior of system or users?
C1) If violations or security breaches have occurred, how were policies, training, or systems redesigned to help prevent subsequent occurrences? C2) What resources were used?
VI. Training of employees
A1) How are workers educated regarding policies? A2) Is there a system of formal training? A3) If so, who performs the training? A4) Does it include training in ethics?
B1) Do workers receive additional training as their jobs/responsibilities change? B2) Do they receive additional training/education when new facilities are added to the system or when policies change? B3) Are there refresher courses? If so, how often?
VII. Information system(s)
A1) What types of information systems are in place for storing, retrieving, and manipulating medical information? (Include satellite systems as for report writing, research.) A2) What kinds of information processing do these systems support: databases, remote access, email, web sites, other? A3) What information is on-line and not on-line?
B1) How is the system organized? Is it a centralized or distributed system? B2) What is the perimeter of the system? B3) What components are considered internal to the system and which are external to it? B4) How many entry points are there in the system?
C1) What media are used to provide access from inside and outside the institution? Dial-up lines? Fixed/private lines? Private networks? Public networks? C2) What is the logical and physical configuration of the communications systems?
D1) Is access to the information system from outside the organization possible? D2) Is such access restricted to organization employees or is it also available to "outsiders"?
E1) What parts of the information system were supplied by vendors, and which are "home grown"?
VIII. Electronic medical record
A1) What components exist as part of the electronic medical record: problem list, medications, lab results, visit history, patient-provider relationships, bedside (clinical) measurements, full-text clinical notes, images, demographic information, including employer, financial, insurance, next of kin?
B1) Are medical records kept under a master patient identifier? B2) If not, what combination of attributes is used to identify patients? B3) If so, is the master key the SSN? B4) If the SSN is not used as the primary identifier, is it nevertheless commonly available in the medical record?
C1) How is ownership of the information contained in the record determined and managed? C2) Who is responsible for ensuring the integrity and quality of information in the patient record?
D1) What technical and non-technical means are used to ensure the integrity of data in the electronic medical record? D2) Are digital signatures or time stamps used?
E1) What types of uses are made of the electronic patient record? E2) How does medical information flow through the organization for 1) routine medical purposes (e.g., emergency room visits, outpatient visits, inpatient stays); and 2) non-routine visits (e.g., special treatment of data for particular classes of individuals, such as celebrities or criminals)?
F1) How do you respond to unusual requests for information: research projects, subpoenas, etc.? F2) How do you handle requests arriving via telephone?
IX. Security threats
A1) What do you perceive to be the threats to the system, both internal and external? A2) Are current users aware of the potential threats?
B1) What internal and external threats is your system designed to protect against? B2) Did you perform a formal threat analysis?
C1) What are the vulnerabilities of the current system? C2) What threats have not been adequately addressed? C3) What types of problems have you experienced to date: hackers, system crashes, etc.?
D1) What types of security threats have arisen to date? D2) How well does/did the system handle these threats? D3) What has been learned from such experiences?
X. Security measures
A. General Issues
1a) What general types of physical security and security technology are used in the system: Kerberos, encryption, private lines, firewalls? 1b) To what extent does cost effectiveness affect decisions regarding security? 1c) What types of tradeoffs must be made between security capability and cost?
2a) Is a single, integrated security solution feasible? 2b) Can vendor products meet local needs, or must systems be tailored for different circumstances? 2c) Are standards available for security systems?
3a) What are 5 areas in which your organization is doing a great job regarding privacy and security?
B. Authentication and Audit Trails
1a) What mechanisms are used for individual authentication for access? 1b) Do you have unique logins for individual users? If so, what type of key is used? 1c) Who issues the key? 1d) How frequently is the key changed?
2a) How do you verify new users? 2b) How do you terminate access for employees or former employees no longer allowed into the system?
3a) Do you use passwords for authentication? 3b) What types of passwords are used? 3c) Are they selected by users or generated for them? 3d) How frequently are passwords changed? 3e) Are there limitations imposed on the types of passwords users may select?
4a) In practice are passwords routinely shared or posted? 4b) Are methods used to protect against password sharing?
5a) Are mechanisms other than keys and passwords used for authentication, such as smart cards, palm readers, voice recognition systems, address filtering gateways?
6a) Do you have an authentication server? 6b) Is information stored in encrypted form on the server?
7a) Does the information system automatically maintain audit trails of who accessed what information? 7b) What types of audit capabilities are in place? 7c) Who reviews such audit trails, and how frequently? 7d) What fraction of accesses is reviewed, and how thoroughly? 7e) Who determines review policy? 7f) What consequences are there for infractions of policy?
C. Access Control
1a) Is access to medical records granted to everyone, or is it differentially restricted? 1b) If restricted, is it restricted by specific individual or by role? 1c) Who defines roles in the institution, and who decides what access is appropriate for each role? 1d) How are appropriate access privileges determined? 1e) Are temporary employees given access to systems? If so, how? Who grants that access?
2a) Do users have access to all patient records? 2b) If so, how do you regulate cross-patient queries? 2c) Is access granted or denied to the entire medical record, or is the record segmented and access granted to segments? 2d) If segmented, who defines these segments and decides access policy to them? Is it the information systems department, a medical records committee, ...?
3a) Is restriction of access to medical records preemptive, or is presumptive access granted with audit based review? 3b) How do you monitor staff access to other resources? 3c) Is there a regular report generated on access requests and access grants/denials?
4a) Are certain types of records kept more secure (field limitations on HIV lab tests, VIP records, etc.)? 4b) Are psychiatric records on-line? If so, are they treated specially for access? 4c) Is HIV status on-line? Is it treated specially for access? Is HIV infection or AIDS suppressed from the problem list? 4d) Are medication lists altered to hide HIV or psychiatric medications?
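Questions B.7 and C.3 above describe a common design for clinical systems: presumptive access (a clinician can open a record without a prior check) combined with retrospective audit review, with the guide's other concerns (cross-patient queries, sensitive segments such as HIV and psychiatric data, VIP records) layered on top. The following is an added example of what such an audit-trail review pass looks like in practice; it is not code from the site visit guide or from any surveyed institution. The log format (pipe-separated fields), the role-to-segment policy, the VIP list and the cross-patient threshold are all assumptions chosen to make the example run offline, and the log lines are constructed.

```python
"""Audit-trail review over constructed EMR access log lines.

Added example, not part of the original site visit guide. Assumed log format,
one line per record access:
    timestamp|user|role|patient_id|record_segment|treatment_relationship(yes/no)
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (hypothetical users, patients and timestamps).
SAMPLE_LOG = """\
2024-03-01T08:02:11|dr_lee|physician|P1001|labs|yes
2024-03-01T08:03:40|dr_lee|physician|P1001|notes|yes
2024-03-01T08:10:05|nurse_kim|nurse|P1002|meds|yes
2024-03-01T09:15:22|clerk_ann|billing|P1003|psych|no
2024-03-01T09:15:30|clerk_ann|billing|P1004|demographics|no
2024-03-01T09:15:41|clerk_ann|billing|P1005|demographics|no
2024-03-01T09:15:52|clerk_ann|billing|P1006|demographics|no
2024-03-01T09:16:03|clerk_ann|billing|P1007|demographics|no
2024-03-01T10:30:00|dr_lee|physician|P1099|notes|no
"""

# Assumed policy: segments each role may see (question C.1c asks who sets this).
ROLE_SEGMENTS = {
    "physician": {"labs", "notes", "meds", "hiv", "psych", "demographics"},
    "nurse": {"labs", "notes", "meds", "demographics"},
    "billing": {"demographics"},
}
SENSITIVE_SEGMENTS = {"hiv", "psych"}   # segments the guide singles out (C.4)
VIP_PATIENTS = {"P1099"}                 # assumed VIP list (C.4a)
CROSS_PATIENT_LIMIT = 4                  # distinct patients per user per window (C.2b)
CROSS_PATIENT_WINDOW = timedelta(minutes=5)


@dataclass(frozen=True)
class Access:
    ts: datetime
    user: str
    role: str
    patient: str
    segment: str
    relationship: bool   # documented treatment relationship at access time


def parse_log(text):
    """Parse the assumed pipe-separated format into Access records."""
    accesses = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, segment, rel = line.split("|")
        accesses.append(Access(datetime.fromisoformat(ts), user, role,
                               patient, segment, rel == "yes"))
    return accesses


def review(accesses):
    """Return (kind, user, detail) findings for a reviewer; nothing is blocked.

    Precedence per access: a role-policy violation outranks a mere missing
    treatment relationship, so each access yields one primary finding at most.
    VIP access is flagged independently because it is reviewed regardless.
    """
    findings = []
    per_user = defaultdict(list)
    for a in accesses:
        per_user[a.user].append(a)
        if a.segment not in ROLE_SEGMENTS.get(a.role, set()):
            findings.append(("role_violation", a.user, f"{a.patient}/{a.segment}"))
        elif not a.relationship:
            kind = ("sensitive_no_relationship" if a.segment in SENSITIVE_SEGMENTS
                    else "presumptive_access")
            findings.append((kind, a.user, f"{a.patient}/{a.segment}"))
        if a.patient in VIP_PATIENTS:
            findings.append(("vip_access", a.user, f"{a.patient}/{a.segment}"))

    # Cross-patient burst: too many distinct patients by one user in one window.
    for user, items in per_user.items():
        items.sort(key=lambda x: x.ts)
        for i, start in enumerate(items):
            window = [x for x in items[i:] if x.ts - start.ts <= CROSS_PATIENT_WINDOW]
            distinct = {x.patient for x in window}
            if len(distinct) > CROSS_PATIENT_LIMIT:
                findings.append(("cross_patient_burst", user, f"{len(distinct)} patients"))
                break   # one finding per user is enough for the reviewer
    return findings


def summarize(findings):
    """Count findings by kind, the figure a reviewer reports (question B.7d)."""
    return Counter(kind for kind, _, _ in findings)


if __name__ == "__main__":
    for f in review(parse_log(SAMPLE_LOG)):
        print(*f, sep="\t")
```

Note what the example does and does not decide: it never denies an access, so it models the "presumptive access with audit-based review" option in C.3a, not the preemptive one. The sample billing clerk produces one role violation (a psychiatric segment outside the billing role's allowed set), four presumptive accesses and one cross-patient burst, and the physician's access to a VIP record without a documented relationship is flagged twice, once on each ground, which is the kind of output a site visitor would want to see alongside the answers to B.7c and B.7d.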
D. Encryption
1a) Are databases encrypted? If so, what type of encryption is used? If not, are databases protected only through access control?
2a) Are data encrypted during transmission over the network or to remote sites? If so, what type of encryption is used?
E. Protection Against External Threats
1a) What mechanisms are used to secure access from outside the institution? Dial-back schemes? Firewalls? Private lines or public networks? Authentication schemes? Encryption techniques?
2a) Are mechanisms in place to detect outsider probes? How do you know if someone is "sniffing" your system? 2b) Are there technical means available for detecting intrusion? 2c) What administrative mechanisms are used (awareness, reporting mechanisms, etc.)?
F. Software Discipline
1a) What types of software controls are in place to protect against Trojan horses and viruses?
2a) How do you attempt to control/limit the copying of data to prevent its subsequent release or unauthorized use?
G. Backup Procedures
1a) Do you have procedures in place for regularly backing up computer data? 1b) If so, what data are backed up: medical records, administrative data, password and access files? 1c) How frequently are data backed up and by whom? 1d) Where are backup tapes stored? 1e) Are backup data stored in an encrypted or unencrypted form?
H. Emergencies/Contingency Plans
1a) What types of backup systems are in place to restore information/service in case of a catastrophe: redundancy, data storage, networks?
2a) How do you handle contingency/disaster planning? 2b) Are there formal procedures in place? 2c) Is there an oversight committee?
XI. User perspectives
A1) How important do users believe privacy and security are in health information systems? A2) What input did/do they have into the choice of security measures used or the design of the information system? A3) Do most users tend to favor or promote systems that require the least additional effort on their part? A4) Would users likely be strong supporters of increased security systems, or reluctant participants in systems that add to their daily workload? A5) What particular challenges did user perspectives add to the design process?
B1) Do users utilize the systems as intended? B2) Do they understand the security systems that are in place? B3) Do they find them effective? B4) Have they found ways to circumvent security measures that they don't believe provide real value? B5) What changes do users believe would make the system more effective and user friendly?
C1) Have security measures had adverse effects on the provision of health care? C2) Have there been cases in which physicians were unable to access an electronic record, or accessed wrong information, which caused a bad outcome? C3) How do security measures affect the availability of systems/information? C4) Have security measures resulted in denial of services?
D1) Do physicians and nurses put different types of information into an electronic patient record than they would put into a paper record? D2) If clinical notes are dictated, what confidentiality provisions apply to the transcription service? D3) Is it in-house or not? D4) Are there policies that cover dictation? D5) How are they enforced?
XII. Future research/needs
A1) How well have existing security measures worked? A2) What threats are not addressed or incompletely addressed? A3) What types of enhancements could be made to existing systems? A4) What would you do next if additional funding was made available for system upgrades?
B1) What types of incentives are necessary to stimulate adoption of additional security measures? B2) What is necessary to give other organizations the incentive to adopt electronic medical records and adequate security mechanisms?
C1) How will the perceived threat change over time? How will countermeasures change?
D1) How will future development of information technology change the privacy and security picture? D2) Does the prospect of computers in the home imply significant changes or challenges to your current operations?
E1) What technologies do you know of that are currently under development that could have a significant impact on system security and accessibility?