Information technology promises many benefits to health care. By helping to make accurate information more readily available to providers, payers, researchers, administrators, and patients, advanced computing and communications technology can help improve the quality and lower the costs of health care. At the same time, the prospect of storing health information in electronic form raises concerns about patient privacy and data security, for although information technology allows the use of advanced technical mechanisms to limit access to health information, it also introduces new vulnerabilities.1 Information technology facilitates both the storage of large amounts of electronic information in a small physical space and the dissemination of this information. It also enables the creation and analysis of large databases that contain information from various sources. Unless proper controls are in place, computer systems and networks can be accessed by unauthorized users. If not adequately addressed, such concerns can both dissuade health care organizations from investing in information technology and make patients reluctant to share information, undermining the provision of care.
In response to these concerns, the National Library of Medicine, together with the Warren Grant Magnuson Clinical Center of the National Institutes of Health and the Massachusetts Health Data Consortium, asked the Computer Science and Telecommunications Board of the National Research Council to examine ways of protecting electronic health information. As part of its research, the Committee on Maintaining Privacy and Security in Health Care Applications of the National Information Infrastructure assembled for this project conducted visits to six health care organizations that had demonstrated leadership in developing health care applications of information technology. This report examines the motivations behind the growing use of information technology within the health care industry; identifies related privacy and security concerns; and assesses a wide variety of mechanisms for protecting privacy and security in health care applications of information technology. As the report demonstrates, a variety of technical and nontechnical practices are available for protecting electronic health information held by individual organizations. Such practices do not address the privacy concerns that stem from the widespread and relatively unregulated dissemination of information among institutions in the health care industry, including providers, payers, researchers, and oversight agencies.
Electronic Health Information: Uses And Concerns
Information technology is becoming increasingly important to the health care industry as organizations attempt to find ways of lowering the costs of care while improving its quality. The health care industry spent an estimated $10 billion to $15 billion on information technology in 1996,2 and further growth is expected as organizations implement electronic medical records, upgrade administrative and billing systems, install internal networks for sharing information among affiliated entities, and use public networks, such as the Internet, to distribute health-related information and provide access to clinical databases from remote locations. Much of the demand for information technology is driven by structural changes in the health care industry and its methods of care. Integrated delivery systems that combine hospital, clinic, and outpatient services in a single corporate entity share patient information between units to ensure continuity of care and reduce administrative overhead. Health maintenance organizations, which enrolled over 50 million members in 1995, demand information to analyze the outcomes and costs of different treatment plans.3
A central part of all these initiatives is the creation of electronic medical records (EMRs), which serve as the central clinical repository of information pertaining to patient care. In addition to streamlining administrative processes, EMRs hold great potential for improving care. Combined with analysis tools and decision aids, EMRs enable real-time review of diagnoses and care plans to ensure that established standards of care are being met. Properly implemented, this capability can reduce the variability in care and raise the quality of clinical decision making. The perceived benefits of EMRs among care providers have motivated growing investment in EMR systems, a trend that is expected to continue in the future.
Within individual organizations, electronic information systems and EMRs are potentially vulnerable to misuse from both authorized users and unauthorized outsiders who inappropriately access patient information for their personal or economic gain. Authorized users may take advantage of their legitimate authority to access information that they have no valid need to see (often regarding a friend, relative, or celebrity), or they may divulge patient information to others. Outside attackers may break into computerized information systems to steal, destroy, or tamper with data or to render the systems dysfunctional, preventing legitimate users such as doctors and nurses from accessing information critical to care. Health care organizations have experience in protecting against insider abuse because of their efforts to protect paper-based systems (though there is little data with which to determine the effectiveness of these protections). Provider organizations are considerably less experienced in protecting against outside attackers. As health care organizations expand the scale and scope of their computer networks, their vulnerability to outside attacks is bound to increase.
Little is known about the extent of privacy and security violations in health care organizations. During its site visits, the committee learned of only isolated instances of misuse of electronic health information, but no data exist with which to make more general assessments. Managers at most sites believe that EMRs enable them to control and monitor access to patient information better than they could with paper record systems. However, the expanding use of EMRs dictates that awareness of the privacy and security concerns must extend beyond the leading institutions the committee visited, to all potential users of EMRs.
Pharmaceutical Research and Manufacturers Association. 1996. Industry Profile. Pharmaceutical Research and Manufacturers Association, Washington, D.C., Figure 5-3; available on-line at http://www.phrma.org. Also, Health Insurance Association of America. 1996. Source Book of Health Insurance Data. Health Insurance Association of America, Washington, D.C., Table 2.5a.
Additional privacy concerns arise from the widespread dissemination of information throughout the health care system—often without explicit patient consent. Health care providers, payers (e.g., insurers), managers of pharmaceutical benefits programs, equipment suppliers, and oversight organizations collect large amounts of patient-identifiable health information for use in managing care, conducting quality and utilization reviews, processing claims, combating fraud, and analyzing markets for health products and services. In general, such information is collected for legitimate purposes, but few controls exist to ensure that it is not used for other purposes that may run counter to the patient's interests or patient privacy. For example, self-insured employers who collect patient data to monitor benefits programs and combat fraud are not systematically prevented from using such information to deny workers promotions or continued employment because of information in their health records. From the patient's perspective, the flows of health information among these many types of organizations may be of more concern than the possible misuse of information by authorized users within a particular organization or by outside attackers.
Protecting Electronic Health Information
Protection of electronic health information held by individual organizations requires a combination of both technical and organizational practices, the selection of which involves implicit trade-offs among cost, complexity, and degree of privacy provided. Organizational practices are at least as important as technical practices. Although technical mechanisms can be used to validate the identity of computer users, establish controls on the information they can access, and encrypt information transmitted between locations, organizational policies establish the objectives of technical measures, determining who is allowed access to information and how tightly access will be controlled. Moreover, large numbers of health care workers have a legitimate need to access patient-identifiable information and have more opportunities than outsiders to disclose information inappropriately. As managers at several sites reported, strong training programs and disciplinary policies are often the most effective way of ensuring that workers comply with privacy and security policies. They act as a deterrent to potential abuse, rather than as an obstacle.
Such practices, however, do not address the privacy concerns stemming from the systemic flows of information throughout the health care industry. These concerns can be addressed only through initiatives at a national level that delineate and enforce standards for the appropriate uses of health information.4 Existing federal laws, however, protect only data in the control of the federal government, and state laws provide inconsistent protection and often apply only to limited kinds of health information. In some instances, federal law facilitates the private-sector collection of patient-identifiable health information and allows self-insured employers to collect such information on their employees. Thus, to ensure the protection of health information, additional policy actions may be required.
As the site visits attested, health care organizations have a strong interest in maintaining privacy and security, but they must balance this interest against the need to ensure that information can be retrieved easily when required for care. Many hospitals, for example, do not restrict physicians from accessing the records of patients not under their care, preferring instead to allow them access to information on all patients in case of emergencies. In some cases, practices that could improve security without adversely affecting care, such as systems for auditing access to clinical information or for systematically reviewing audit logs, have not been widely implemented. Given the rapid pace at which health care organizations have been trying to install and expand the functionality of health care information systems, they have had limited resources to dedicate to security concerns.
Part of the problem is a lack of strong incentives for upgrading security practices. Privacy is not often a market differentiator in the health care industry; patients generally select care providers and health plans for reasons other than their ability to protect patient information. Because there has not yet been a widespread and public catastrophe regarding information security in the health care industry, many organizations believe that the risk of a major breach of security is low. Several sites visited for this study believe that they could survive a major event without significant consequences. Moreover, no strong legislation or enforceable industry standards yet exist that govern the privacy and security of health information. Thus, there have been few incentives to invest time and money in efforts to significantly improve privacy and security. Rising concerns about patient privacy—and recent legislative initiatives—may create new incentives for improving privacy and security within the health care industry. The Health Insurance Portability and Accountability Act of 1996, for example, directs the Secretary of Health and Human Services to develop and promulgate security standards for electronic health information by February 1998 and to make recommendations to Congress regarding the privacy of individually identifiable health information by August 1997. Other legislation was introduced to the 105th Congress that also addresses the privacy of health information.5
These concerns are discussed in detail in Institute of Medicine, 1994, Health Data in the Information Age: Use, Disclosure, and Confidentiality, Molla S. Donaldson and Kathleen N. Lohr (eds.), National Academy Press, Washington, D.C.; and Office of Technology Assessment, 1993, Protecting Privacy in Computerized Medical Information, OTA-TCT-576, U.S. Government Printing Office, Washington, D.C., September, Chapter 4, pp. 75-87.
In order to better protect electronic health information, health care organizations will have to work individually, collectively, and with relevant government entities to address the broad scope of concerns regarding privacy and security. Choices will need to be made regarding practices that adequately balance privacy concerns against the need to ensure access to the information for providing care. The recommendations provided below reflect the committee's deliberations regarding feasible practices for improving the privacy and security of electronic health information at the level of both individual organizations and the health care system as a whole. They address several areas: privacy and security practices health care organizations should adopt to protect electronic health information; mechanisms for creating an industry-wide infrastructure for improving privacy and security; ways of addressing privacy concerns that arise from the systemic sharing of information among different institutions; development of patient identifiers; and topics for future research.
Improving Privacy And Security Practices
Health care organizations can adopt a number of technical and organizational practices to improve the protection of health information. Different health organizations face different threats and differ in the resources they can use to address security, and so it is not realistic to prescribe a detailed set of practices for industry-wide adoption; however, it is reasonable to provide practice guidelines that can be adapted to individual circumstances.
Recommendation 1: All organizations that handle patient-identifiable health care information—regardless of size—should adopt the set of technical and organizational policies, practices, and procedures described below to protect such information. The committee believes the technical and organizational policies, practices, and procedures listed in Box ES.1 can be implemented immediately without too much difficulty or expense. The list should be adopted in its entirety to ensure that measures are taken to protect against the variety of threats to electronic health information and to compensate for the multiple vulnerabilities of health information systems. Nevertheless, each organization—and each department within each organization—will need to determine how best to implement each practice to ensure that an appropriate balance is struck between access and privacy in each location.
The committee believes that adoption of these practices will help organizations meet the standards to be promulgated by the Secretary of Health and Human Services in connection with the Health Insurance Portability and Accountability Act—or can inform the development of such standards. Penalties established by the act for violations of privacy or security are likely to motivate organizations that collect, analyze, and store patient-identifiable health information to implement such practices. Further, the committee hopes that external auditing firms will incorporate an evaluation of privacy and security procedures into their annual audits of health care organizations.
Over time, the technical solutions available to health care organizations for protecting health information will evolve, as will the sophistication of the threat. Health care organizations will have to upgrade their security practices as new technology becomes available. Box ES.2 describes technical measures that health care organizations could reasonably adopt in the future. Their ability to implement the technical practices recommended will depend to a large extent on the general availability of the relevant technology. Some products will become available only if health care organizations demand them.
Creating An Industry-Wide Security Infrastructure
While individual organizations can take many steps to improve the security of health information they hold, the committee's site visits and experience in other industries suggest that additional efforts must be taken to facilitate greater emphasis on security at the industry level.
BOX ES. 1 Security Practices Recommended for Immediate Implementation
This box summarizes a discussion of practices recommended in Chapter 6 of this report. Readers should read Chapter 6 in full for the complete detail, argumentation, and support for these measures.
Technical Practices and Procedures
Individual authentication of users. To establish individual accountability, every individual in an organization should have a unique identifier (or log-on ID) for use in logging onto the organization's information systems. Strict procedures should be established for issuing and revoking identifiers. Where appropriate, computer workstations should be programmed to automatically log off if left idle for a specified period of time.
Access controls. Procedures should be in place for ensuring that users can access and retrieve only that information that they have a legitimate need to know.
Audit trails. Organizations should maintain in retrievable and usable form audit trails that log all accesses to clinical information. The logs should include the date and time of access, the information or record accessed, and the user ID under which access occurred. Organizations that provide health care to their own employees should enable employees to conduct audits of accesses to their own health records. Organizations should establish procedures for reviewing audit logs to detect inappropriate accesses.
Physical security and disaster recovery. Organizations should limit unauthorized physical access to computer systems, displays, networks, and medical records; they should plan for providing basic system functions and ensuring access to medical records in the event of an emergency (whether a natural disaster or a computer failure); they should store backup data in safe places or in encrypted form.
Protection of remote access points. Organizations with centralized Internet connections should install a firewall that provides strong, centralized security and allows outside access to only those systems critical to outside users. Organizations with multiple access points should consider other forms of protection for the host machines that allow external connections. Organizations should also require a secure authentication process for remote and mobile users such as those using home computers. Organizations that do not implement either of these approaches should allow remote access only over dedicated lines.
Protection of external electronic communications. Organizations should encrypt all patient-identifiable information before transmitting it over public networks, such as the Internet. Organizations that do not meet this requirement either should refrain from transmitting information electronically outside the organization or should do so only over secure dedicated lines. Policies should be in place to discourage the inclusion of patient-identifiable information in unencrypted e-mail.
Software discipline. Organizations should exercise and enforce discipline over user software. At a minimum, they should install virus-checking programs on all servers and limit the ability of users to download or install their own software. These technical practices should be supplemented with organizational procedures and educational campaigns to provide further protection against malicious software and to raise users' awareness of the problem.
System assessment. Organizations should formally assess the security and vulnerabilities of their information system on an ongoing basis. For example, they should run existing "hacker scripts" and password "crackers" against their systems monthly.
Security and confidentiality policies. Organizations should develop explicit and clear security and confidentiality policies that express their dedication to protecting health information. These policies should clearly state the types of information considered confidential, the people authorized to release the information, the procedures that must be followed in making a release, and the types of people who are authorized to receive information.
Security and confidentiality committees. Organizations should establish formal points of responsibility (standing committees for large organizations, a single person or a small committee for small organizations) to develop and revise policies and procedures for protecting patient privacy and for ensuring the security of information systems.
Information security officers. Organizations should identify an information security officer who is authorized to implement and monitor compliance with security policies and practices. The information security officer should maintain contact with relevant national information security organizations.
Education and training programs. Organizations should establish programs to ensure that all users of information systems receive some minimum level of training in relevant security practices and knowledge regarding existing confidentiality policies before being granted access to any information systems.
Sanctions. Organizations should develop a clear set of sanctions for violations of confidentiality and security policies that are applied uniformly and consistently to all violators, regardless of job title. Organizations should adopt a zero-tolerance policy to ensure that no violation goes unpunished.
Improved authorization forms. Health care organizations should develop authorization forms that will improve patients' understanding of health data flows and limit the time period for which authorizations are valid. The forms should list the types of organizations to which identifiable or unidentifiable information is commonly released.
Patient access to audit logs. Health care providers should give patients the right to request audits of all accesses to their electronic medical records and to review such logs.
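The audit-trail, access-control, and patient-audit practices in Box ES.1 can be exercised together in one small review routine. The following is an added example written for this summary; it is not code from the report or from any system the committee visited. The log line format, the care-team table, the employee-patient table, the review rules, and the sample log lines are all constructed assumptions, and the "emergency override" flag models the practice described earlier of letting clinicians reach records of patients not under their care in an emergency.

```python
"""Review of an audit trail of accesses to clinical records.

Added example for the audit-trail and access-control practices in Box ES.1;
not code from the report. Log format, tables and sample lines are assumptions.
"""
from collections import namedtuple
from datetime import datetime

# One entry per access, carrying the three fields the box asks for (date/time,
# record accessed, user ID) plus whether an emergency override was invoked.
AuditEntry = namedtuple("AuditEntry", "ts user_id patient_id action emergency")
Finding = namedtuple("Finding", "entry reasons")

# Constructed sample log. Assumed line format: ISO timestamp then key=value fields.
SAMPLE_LOG = """\
1997-03-04T09:12:00 user=dr_ortiz patient=P1001 action=read emergency=0
1997-03-04T09:15:30 user=rn_chen patient=P1002 action=read emergency=0
1997-03-04T09:20:05 user=dr_patel patient=P1001 action=read emergency=1
1997-03-04T10:02:41 user=clerk_lee patient=P1003 action=read emergency=0
1997-03-04T10:30:00 user=dr_ortiz patient=P1002 action=write emergency=0
""".splitlines()

# Assumed organisational data: who currently has a treatment relationship with
# each patient, and which patients are also employees of the organisation.
CARE_TEAM = {
    "P1001": {"dr_ortiz", "rn_chen"},
    "P1002": {"dr_ortiz"},
    "P1003": {"dr_patel", "rn_chen"},
}
EMPLOYEE_PATIENTS = {"P1003": "rn_chen"}  # patient P1003 is staff member rn_chen


def parse_line(line):
    """Parse one audit log line into an AuditEntry; raises on malformed input."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return AuditEntry(
        ts=datetime.fromisoformat(ts_text),
        user_id=kv["user"],
        patient_id=kv["patient"],
        action=kv["action"],
        emergency=kv["emergency"] == "1",
    )


def review(entries, care_team=CARE_TEAM, employee_patients=EMPLOYEE_PATIENTS):
    """Return a Finding for every access that a reviewer should look at.

    Assumed review rules:
      no_relationship    reader is not on the patient's care team, no override used
      emergency_override override used; access is allowed but must be reviewed
      employee_record    record belongs to an employee; reader is outside the
                         care team and is not that employee
    """
    findings = []
    for e in entries:
        reasons = []
        on_team = e.user_id in care_team.get(e.patient_id, set())
        if e.emergency:
            reasons.append("emergency_override")
        elif not on_team:
            reasons.append("no_relationship")
        owner = employee_patients.get(e.patient_id)
        if owner is not None and not on_team and e.user_id != owner:
            reasons.append("employee_record")
        if reasons:
            findings.append(Finding(e, tuple(reasons)))
    return findings


def accesses_to_record(entries, patient_id):
    """All accesses to one record in time order, for a patient or employee audit request."""
    return sorted((e for e in entries if e.patient_id == patient_id), key=lambda e: e.ts)


if __name__ == "__main__":
    entries = [parse_line(line) for line in SAMPLE_LOG]
    for f in review(entries):
        print(f"{f.entry.ts:%Y-%m-%d %H:%M} {f.entry.user_id:<10} "
              f"{f.entry.patient_id} {','.join(f.reasons)}")
    print("Accesses to P1003:",
          [(e.ts.isoformat(), e.user_id) for e in accesses_to_record(entries, "P1003")])
```

Run as a script, it flags the nurse reading a record of a patient not under her care, the physician's emergency override, and the clerk's access to a co-worker's record, and then lists every access to the employee's record, which is what an employee auditing accesses to his or her own record would be shown. In practice the care-team table would come from the admission and scheduling systems rather than a constant, and the review would run on a schedule against the full log.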
BOX ES. 2 Security Practices Recommended for Future Implementation
Strong authentication. Health care organizations should move toward implementing strong authentication practices that provide greater security than individual logon IDs and passwords, such as single-session or encrypted authentication protocols and token-based authentication systems (described in Chapter 4).
Enterprise-wide authentication. Organizations should move toward enterprise-wide authentication systems in which users need to log on only once during each session and can access any of the systems, functions, or databases to which they have access privileges.
Access validation. Health care organizations should use software tools to help ensure that the information made available to users complies with their access privileges. Such tools, now under development, will scan the contents of a medical record to detect and mask particular units of information that a user is not authorized to see.
Expanded audit trails. All organizations that store, process, or collect health information should implement expanded audit trails. By 2001, all health care organizations should be able to maintain logs of all internal accesses to clinical information, especially if they begin to demand audit capabilities today. In the longer term, health care organizations should pursue the use of technologies and products that support interorganizational (i.e., global) audit trails that allow all patient-identifiable health information to be traced as it passes through the health care complex.
Electronic authentication of records. To ensure the integrity of data contained in electronic medical records, all health care organizations that use computer-based systems to handle critical records and functions (such as entering physicians' orders) should use technologies for electronic authentication that will be capable of identifying individuals who enter or alter information in the electronic record.
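The "electronic authentication of records" practice above asks for two things: that every entry or alteration be attributable to the individual who made it, and that later tampering be detectable. The following is an added example written for this summary, not code from the report. It authenticates each record entry with a per-user key and chains entries by hash so that editing, removing, or reordering an earlier entry is detected. The per-user keys, the canonical encoding, and the sample physician orders are assumptions. HMAC is used so that the block runs on the standard library alone; because only a holder of the key can verify an HMAC, a digital signature scheme over the same canonical encoding is the right choice where a third party must be able to verify who entered the data.

```python
"""Electronic authentication of entries in an electronic medical record.

Added example for Box ES.2's "electronic authentication of records"; not code
from the report. Keys, encoding and sample orders are assumptions.
"""
import hashlib
import hmac
import json

# Assumed: a secret key issued to each user along with the log-on ID (Box ES.1),
# held where only that user's session and the record system's verifier can use it.
USER_KEYS = {
    "dr_ortiz": b"k-ortiz-" + bytes(24),   # constructed placeholder keys
    "dr_patel": b"k-patel-" + bytes(24),
}

GENESIS = hashlib.sha256(b"EMR-chain-genesis").hexdigest()


def _canonical(entry):
    """Deterministic bytes over every field except the tag itself."""
    body = {k: v for k, v in entry.items() if k != "tag"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _entry_hash(entry):
    """Hash that the next entry commits to; covers the fields and the tag."""
    return hashlib.sha256(_canonical(entry) + entry["tag"].encode()).hexdigest()


def append_entry(chain, user_id, patient_id, ts, text, user_keys=USER_KEYS):
    """Append an order or alteration, authenticated with the entering user's key."""
    prev = _entry_hash(chain[-1]) if chain else GENESIS
    entry = {"seq": len(chain), "ts": ts, "user": user_id,
             "patient": patient_id, "text": text, "prev": prev}
    entry["tag"] = hmac.new(user_keys[user_id], _canonical(entry),
                            hashlib.sha256).hexdigest()
    chain.append(entry)
    return entry


def verify_chain(chain, user_keys=USER_KEYS):
    """Check every tag and link; return (seq, problem) tuples, empty if the record is intact."""
    problems = []
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i:
            problems.append((i, "sequence gap or reorder"))
        if entry["prev"] != prev:
            problems.append((i, "chain link broken: an earlier entry was altered or removed"))
        key = user_keys.get(entry["user"])
        expected = hmac.new(key, _canonical(entry), hashlib.sha256).hexdigest() if key else ""
        if not key or not hmac.compare_digest(expected, entry["tag"]):
            problems.append((i, f"tag does not verify for user {entry['user']}"))
        prev = _entry_hash(entry)
    return problems


def demo():
    """Two orders by two physicians, then a dose altered in place after entry."""
    chain = []
    append_entry(chain, "dr_ortiz", "P1001", "1997-03-04T09:12:00",
                 "heparin 5000 units SC q12h")
    append_entry(chain, "dr_patel", "P1001", "1997-03-04T11:40:00",
                 "discontinue heparin")
    intact = verify_chain(chain)
    chain[0]["text"] = "heparin 50000 units SC q12h"   # tampering after the fact
    tampered = verify_chain(chain)
    return intact, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before or "intact")
    print("after tampering: ", after)
```

The altered dose fails the tag check for the physician who entered it, and the following entry's link fails as well, so the review can point to exactly which entry was changed and after which point the record can no longer be trusted. Changing the `user` field on an entry to attribute it to someone else fails in the same way, since the tag was computed under the original user's key.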
Mechanisms to promote sharing of information about the vulnerabilities of health information systems and about practices for addressing these vulnerabilities could lead to long-term improvements in privacy and security throughout the industry.
Recommendation 2: Government and the health care industry should take action to create the infrastructure necessary to support the privacy and security of electronic health information. The comprehensive protection of electronic health information requires an institutional infrastructure that will develop and promote compliance with industry-wide standards for privacy and security and facilitate greater sharing of security-related information among organizations that collect, process, and store health information. Although health care organizations have strong incentives to adopt information technology, they do not necessarily have adequate incentives to develop the infrastructure necessary to promote privacy and security without support from government.
Recommendation 2.1: The Secretary of Health and Human Services should establish a standing health information security standards subcommittee within the National Committee on Vital and Health Statistics to develop and update privacy and security standards for all users of health information. Membership should be drawn from existing organizations that represent the broad spectrum of users and subjects of health information. The subcommittee should be empowered to advise and offer recommendations to the Secretary of Health and Human Services regarding (1) uniform standards of privacy and security; (2) exchanges of health information between and among health-related organizations; (3) limits on the data collection activities of different types of health-related organizations (e.g., how much information the insurance industry needs for fraud detection, how long such information may be kept); and (4) acceptable and unacceptable uses of health information for different types of organizations.
Recommendation 2.2: Congress should provide initial funding for the establishment of an organization for the health care industry to promote greater sharing of information about security threats, incidents, and solutions throughout the industry. Many sites reported that their attempts to improve security are limited by a lack of good information about the types of threats the industry faces, the types of incidents that have occurred, and the kinds of practices that other organizations have successfully employed. Establishment of an organization to facilitate exchanges of such information would provide a vehicle for improving the security of electronic health information as health care organizations increase their reliance on information technology and would strengthen the knowledge base for making policy in this area. It could be modeled after the computer emergency response team established at Carnegie Mellon University for Internet security (the CERT Coordination Center) and be called Med-CERT.6 To obtain the cooperation of health care organizations, Med-CERT would have to maintain the confidentiality of incident information shared with it.
The CERT Coordination Center is the organization that grew from the computer emergency response team formed by the Defense Advanced Research Projects Agency (DARPA) in November 1988. Its charter is to work with the Internet community to facilitate incident prevention, incident response, and communication during system emergencies. It attempts to raise the Internet user community's awareness of computer security issues and conducts research targeted at improving the security of existing systems. CERT is a service mark of Carnegie Mellon University. (Information on CERT is available on-line at www.cert.org.)
Addressing Systemic Concerns Related To Privacy And Security
Recommendations 1 and 2 (with 2.1 and 2.2) address actions to protect the privacy and security of health information held by individual health care organizations; they do not address the privacy concerns that result from the legitimate and widespread systemic flows of information within the health care system. Although the committee was not constituted with the range of expertise needed to render recommendations about ways to balance patients' desire for privacy against the social benefits that accrue from better access to information for health care, research, and other purposes, it does call attention to the existence of this conflict and recommends a national debate to determine how and to what extent greater control needs to be taken over these flows of information in order to protect patient privacy.7 Only when this national debate takes place can policy be formulated properly.
Recommendation 3: The federal government should work with industry to promote and encourage an informed public debate to determine an appropriate balance between the privacy concerns of patients and the information needs of various users of health information. The objective of this debate should be to develop a consensus about the ways in which privacy concerns can be balanced against the legitimate needs of other users for patient-identifiable health information. If the result of this debate is a decision that the privacy interests of consumers should weigh more heavily in this competition, several legislative options could strengthen the hands of consumers. These include (1) legislation to restrict access to patient-identifiable health information based on the intended use; (2) legislation to prohibit specific practices of concern to patients; (3) legislation to establish information rights for patients; and (4) legislation to enable a health privacy ombudsman (described below) to take legal action against those who violate privacy standards (these options are explained in greater detail in Box 6.2 of Chapter 6). To further this debate, the committee makes five subrecommendations.
Recommendation 3.1: Organizations that collect, analyze, or disseminate health information should adopt a set of fair information practices similar to those contained in the federal Privacy Act of 1974. These practices would define the obligations and responsibilities of organizations that collect, analyze, or store health information; give patients the right to demand enforcement of these obligations and responsibilities; and require disclosure of data collection activities to make the sharing of health information more transparent to patients. Such disclosure would educate patients about the flows of health data and their rights in controlling those flows, thereby facilitating the discussion of privacy and security issues and the development of consensus. The committee believes that personal awareness of privacy rights and potential abuses is one of the best countervailing pressures against the economic incentives that drive organizations to share information. Moreover, public awareness and concern may be an essential prerequisite to the passage of necessary legislation of any strength.
Recommendation 3.2: The Department of Health and Human Services should work with state and local governments, health care researchers, and the health care industry to establish a program to promote consumer awareness of health privacy issues and the value of health information for patient care, administration, and research. It should also conduct studies that will develop a series of recommendations for improving the level of consumer awareness of health data flows. Patients appear to be less informed than care providers and other users of health information about the various ways in which health care information is used, the potential benefits of such uses, and the implications for patient privacy. Having a neutral party educate patients would be a first step toward elevating the level of debate.
Recommendation 3.3: Professional societies and industry groups should continue and expand their leadership roles in educating members about privacy and security issues in their conference discussions and publications. These groups represent a wide variety of health care professionals who must address questions of access and privacy on a regular basis. They would make good platforms for educating many of these professionals about patient privacy and ongoing initiatives in government and industry.
Recommendation 3.4: The Department of Health and Human Services should conduct studies to determine the extent to which—and the conditions under which—users of health information need data containing patient identities. Patients, providers, and other users of health information continually question each other's needs for patient-identifiable data. Limiting the use of such data to those cases in which there is a demonstrable need would be a first step toward promoting responsible use of patient information and reducing concerns about privacy. Given its role in recommending privacy standards and its position as a neutral arbiter, the Department of Health and Human Services seems the logical organization to sponsor such a study.
Recommendation 3.5: The Department of Health and Human Services should work with the U.S. Office of Consumer Affairs to determine appropriate ways to provide consumers with a visible, centralized point of contact regarding privacy issues (a privacy ombudsman). This effort would provide patients with a centralized source of information regarding patient privacy and provide a means to field complaints from patients about alleged breaches of privacy.
Developing Patient Identifiers
The current effort to develop standards for a universal health identifier, as mandated by the Health Insurance Portability and Accountability Act, has potential implications for patient privacy. A common identifier for indexing patient records could improve the quality and reduce the costs of health care by making a more complete patient record available to providers, facilitate the creation of longitudinal patient records for health care researchers, and simplify the administration of health care benefits. The same identifier, however, could also facilitate the assembly of information about patients without their consent (e.g., the linkage of medical records with financial and employment records).
Recommendation 4: Any effort to develop a universal patient identifier should weigh the presumed advantages of such an identifier against potential privacy concerns. Any method used to identify patients and to link patient records in a health care environment should be evaluated against the privacy criteria listed below.
- The method should be accompanied by an explicit policy framework that defines the nature and character of linkages that violate patient privacy and specifies legal or other sanctions for creating such linkages. That framework should derive from the national debate advocated in Recommendation 3.
- It should facilitate the identification of parties that link records so that those who make improper linkages can be held responsible for their creation.
- It should be unidirectional to the degree that is technically feasible: it should facilitate the appropriate linking of health records given information about the patient or provided by the patient (such as the patient's identifier), but prevent a patient's identity from being easily deduced from a set of linked health records or from the identifier itself.
The first criterion requires that the nation decide which types of record linkages will be legal and illegal and establish a legal framework to codify and enforce those decisions. The second criterion helps to make such a policy framework enforceable, perhaps by making a visible and overt act necessary to link information. Thus, illegal or unauthorized attempts to link information from various sources can be detected and traced, and guilty parties penalized. The third criterion supports patient privacy by requiring that the patient provide some information (e.g., an identifier) that can be interpreted as patient authorization for a linkage to take place and by preventing inference of the patient's identity from the information contained in any collection of records.
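The following sketch is an added illustration of the second and third criteria and is not a design from the report. It assumes a hypothetical linkage authority that derives each patient's record-linkage token as an HMAC over the identifier the patient supplies, under a secret key only the authority holds. Given the patient's identifier, records can be linked; given only tokens or linked records, the identity cannot be recomputed without the key, and because every derivation must pass through the authority, each request is logged with the requesting party. The example also shows why an unkeyed hash does not meet the third criterion: identifier spaces the size of the SSN's are small enough to enumerate.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional


def canonicalize(patient_identifier: str) -> bytes:
    """Normalize a patient-supplied identifier so formatting differences
    (spaces, hyphens, case) do not yield different tokens for one patient."""
    return patient_identifier.strip().replace("-", "").replace(" ", "").upper().encode()


def keyed_token(key: bytes, patient_identifier: str) -> str:
    """One-way linkage token: HMAC-SHA256 under the authority's secret key."""
    return hmac.new(key, canonicalize(patient_identifier), hashlib.sha256).hexdigest()


def unkeyed_token(patient_identifier: str) -> str:
    """Plain hash of the identifier; included only to show why it is not enough."""
    return hashlib.sha256(canonicalize(patient_identifier)).hexdigest()


@dataclass(frozen=True)
class LinkageRequest:
    requester: str
    purpose: str
    token: str


class LinkageAuthority:
    """Hypothetical service (an assumption of this example) that holds the key.
    Since derivation needs the key, every linkage passes through here and is
    recorded, which is what makes the linking party identifiable afterwards."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)
        self.log: List[LinkageRequest] = []

    def token_for(self, requester: str, purpose: str, patient_identifier: str) -> str:
        token = keyed_token(self._key, patient_identifier)
        self.log.append(LinkageRequest(requester, purpose, token))
        return token

    def who_linked(self, token: str) -> List[str]:
        """Every party that obtained this token, in request order."""
        return [r.requester for r in self.log if r.token == token]


class RecordStore:
    """Records indexed by token only; no direct identity is stored with them."""

    def __init__(self) -> None:
        self._records: Dict[str, List[str]] = {}

    def add(self, token: str, entry: str) -> None:
        self._records.setdefault(token, []).append(entry)

    def linked(self, token: str) -> List[str]:
        return list(self._records.get(token, []))


def guess_identifier(token: str, candidates: Iterable[str],
                     derive: Callable[[str], str]) -> Optional[str]:
    """Attacker's dictionary attack: recompute the token for every candidate
    identifier and report the one that matches, or None."""
    for candidate in candidates:
        if hmac.compare_digest(derive(candidate), token):
            return candidate
    return None


if __name__ == "__main__":
    authority = LinkageAuthority()
    store = RecordStore()
    # Two providers link records for one patient using the identifier the
    # patient gave each of them (constructed sample values).
    t_clinic = authority.token_for("clinic-A", "care", "123-45-6789")
    t_lab = authority.token_for("lab-B", "care", "123 45 6789")
    store.add(t_clinic, "clinic-A: visit 2024-03-02")
    store.add(t_lab, "lab-B: CBC result")
    print("same token:", t_clinic == t_lab, "linked:", store.linked(t_clinic))
    print("who linked:", authority.who_linked(t_clinic))
    # The identifier space is small; an unkeyed hash falls to enumeration.
    candidates = [f"123-45-{n:04d}" for n in range(10_000)]
    print("unkeyed hash recovered:",
          guess_identifier(unkeyed_token("123-45-6789"), candidates, unkeyed_token))
    print("keyed token recovered:",
          guess_identifier(t_clinic, candidates, unkeyed_token))
```

The keyed token resists enumeration only while the key stays confidential: an insider at the authority, or anyone who obtains the key, can recompute tokens for every candidate identifier exactly as the unkeyed case shows. The request log gives the second criterion an overt, traceable act to work with, but it only covers linkages made through the authority; it does nothing about parties who link records on other fields (name, birth date, address), which is the part the committee notes remains hard.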
The committee recognizes that practical application of these criteria (the second, in particular) will be difficult given the current state of technology. Nevertheless, these criteria are intended to ensure that privacy concerns are explicitly recognized in the debate over universal patient identifiers. In the end, other criteria will also have to be considered in deciding whether and how to develop a universal identifier: that it will allow access to patient records as needed for medical care, research, and billing; that it can be integrated easily into existing health information systems; and that some sort of system can be established for distributing and managing identifiers. Balancing these criteria against the privacy criteria recommended above may not be an easy task. For example, whereas the Social Security number (SSN) would facilitate access, would integrate well into existing systems, and has a better-established system for assigning and managing numbers than most alternatives, it is not clear that it can meet the privacy criteria without modification. Although originally developed as an identifier for Social Security records, the SSN is now widely used for banking, employment, driving, and medical records, as well as for tax purposes, making it easier to compile a wide range of information about individuals. Making a recommendation for or against use of the SSN or any other proposal for a universal health identifier goes beyond the committee's charge and expertise. The committee notes, however, that the use of any universal health identifier raises many of the same privacy issues raised by the SSN. The question the nation must therefore answer is whether there are ways of attaining the presumed benefits of a universal patient identifier without jeopardizing patient privacy.
Meeting Future Technological Needs
As the threats to electronic health information become more sophisticated and health care organizations take greater advantage of information technology, additional technologies for security will become necessary.
Recommendation 5: The federal government should take steps to improve information security technologies for health care applications. Such steps would involve three areas: (1) technologies relevant to computer security generally, (2) technologies specific to health care concerns, and (3) testbeds for a secure health care information system. In each area, the federal government will need to work with industry and universities to determine which roles it can most usefully play.
Recommendation 5.1: To facilitate the exchange of technical knowledge on information security and the transfer of information security technology, the Department of Health and Human Services should establish formal liaisons with relevant government and industry working groups. Many information security technologies of value to the health care community will be developed regardless of the specific needs or demands of the health care industry. To take advantage of such technologies, the health care community needs closer ties to the information security community and to the industries at the leading edge of security practice, so that it is prepared to adopt relevant solutions developed elsewhere.
Recommendation 5.2: The Department of Health and Human Services should support research in the areas listed below, which are of particular importance to the health care industry but might not otherwise be pursued. These technologies offer greater immediate benefit to health care than to other industries for protecting privacy interests and therefore require specific attention and funding from health-related government agencies and industry:
- Methods of identifying and linking patient records. Research is needed to develop a scheme for linking patient records in a manner that satisfies the three criteria for privacy outlined in Recommendation 4, allowing patient records to be easily indexed and linked for purposes of care and other purposes and impeding inappropriate linkages. This research should also address the extent to which a universal identifier is needed to facilitate improved care and health-related research and to simplify administration of benefits.
- Anonymous care and pseudonyms. Today, patients who wish to remain anonymous for purposes of care run a serious risk that the medical history information needed to provide quality medical care will be unavailable. Some approaches to this problem show promise for linking patient records without patient-specific identification, which could reduce the need to assign each patient a unique, universal identifier.
- Audit tools. The generation of audit trails typically results in enormous amounts of data that must then be analyzed. Automated tools to analyze audit trail data would enable much more frequent examination of accesses and thus make audit trails a more effective deterrent.
- Tools for rights enforcement and management. The primary unsolved technical problem today relates to secondary recipients of information: today's access control tools can effectively limit the primary (first-person) access of any given individual to data stored on-line, but they are ineffective in controlling the subsequent distribution of data. More effective tools for control of secondary distribution of data, such as rights management technology, would go a long way toward enforcing restrictions imposed by primary data providers.
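As an added example of the automated audit-trail analysis the "Audit tools" item calls for (this is illustrative code, not a tool from the report or any named product), the block below runs a few review rules over a constructed access log. The log format, the role policy (which roles may read charts outside their own unit), the working-day window, and the volume threshold are all assumptions chosen for the example. Break-glass (emergency) accesses are never blocked but are always surfaced for review, which is the trade-off the testbed recommendation that follows is concerned with.

```python
import re
from collections import defaultdict
from datetime import datetime, time, timedelta
from typing import Dict, List, Tuple

# Constructed sample audit trail (not from the report): one access event per line.
SAMPLE_AUDIT_LOG = """\
2024-03-02T09:14:05 user=anurse role=nurse unit=ONC action=view patient=P1001 patient_unit=ONC
2024-03-02T09:15:40 user=anurse role=nurse unit=ONC action=view patient=P1002 patient_unit=ONC
2024-03-02T09:18:27 user=bnurse role=nurse unit=ED action=view patient=P1003 patient_unit=ED
2024-03-02T09:19:10 user=bnurse role=nurse unit=ED action=view patient=P1001 patient_unit=ONC
2024-03-02T09:20:12 user=cclerk role=clerk unit=BILLING action=view patient=P1001 patient_unit=ONC
2024-03-02T09:20:44 user=cclerk role=clerk unit=BILLING action=view patient=P1003 patient_unit=ED
2024-03-02T09:21:03 user=cclerk role=clerk unit=BILLING action=view patient=P1004 patient_unit=ICU
2024-03-02T09:21:30 user=cclerk role=clerk unit=BILLING action=view patient=P1005 patient_unit=ICU
2024-03-02T09:22:11 user=cclerk role=clerk unit=BILLING action=view patient=P1006 patient_unit=ED
2024-03-02T09:22:45 user=cclerk role=clerk unit=BILLING action=view patient=P1007 patient_unit=ONC
2024-03-02T14:02:55 user=ddoc role=physician unit=ED action=break_glass patient=P1001 patient_unit=ONC
2024-03-02T23:41:19 user=anurse role=nurse unit=ONC action=view patient=P1008 patient_unit=ONC
"""

# Assumed local policy, chosen for this example only.
CROSS_UNIT_ROLES = {"clerk", "physician"}          # may read charts outside their unit
WORKDAY_START, WORKDAY_END = time(6, 0), time(22, 0)
VOLUME_WINDOW = timedelta(minutes=10)
VOLUME_THRESHOLD = 5                                 # distinct charts allowed per window

Finding = Tuple[str, str, str]                       # (rule, user, detail)
_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Split 'TIMESTAMP key=value ...' into a dict with a parsed 'ts' datetime."""
    ts, _, rest = line.partition(" ")
    event: dict = dict(_KV.findall(rest))
    event["ts"] = datetime.fromisoformat(ts)
    return event


def analyze_audit_log(log_text: str) -> List[Finding]:
    """Apply the review rules to every event and return the findings, sorted so
    that the result is stable regardless of input order."""
    events = [parse_event(ln) for ln in log_text.splitlines() if ln.strip()]
    findings: List[Finding] = []
    by_user: Dict[str, list] = defaultdict(list)

    for e in events:
        by_user[e["user"]].append(e)
        if e["action"] == "break_glass":
            # Emergency access is permitted but always goes to a reviewer.
            findings.append(("break_glass", e["user"], e["patient"]))
            continue
        if e["unit"] != e["patient_unit"] and e["role"] not in CROSS_UNIT_ROLES:
            findings.append(("cross_unit", e["user"], e["patient"]))
        if not (WORKDAY_START <= e["ts"].time() < WORKDAY_END):
            findings.append(("after_hours", e["user"], e["patient"]))

    # Volume rule: the most distinct charts one user touched within any window.
    for user, evs in by_user.items():
        evs.sort(key=lambda x: x["ts"])
        peak = 0
        for i, e in enumerate(evs):
            recent = {x["patient"] for x in evs[: i + 1] if e["ts"] - x["ts"] <= VOLUME_WINDOW}
            peak = max(peak, len(recent))
        if peak > VOLUME_THRESHOLD:
            findings.append(("high_volume", user, f"{peak} distinct patients within {VOLUME_WINDOW}"))

    return sorted(findings)


if __name__ == "__main__":
    for rule, user, detail in analyze_audit_log(SAMPLE_AUDIT_LOG):
        print(f"{rule:12} {user:8} {detail}")
```

The rules are deliberately coarse; their value is that they reduce a full day's trail to a handful of events a human can actually review, which is the deterrent effect the text describes. In practice the policy tables would come from the organization's own role and unit definitions, and the volume rule would be tuned per role, since a billing clerk legitimately touches far more charts per hour than a ward nurse.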
Recommendation 5.3: The Department of Health and Human Services should fund experimental testbeds that explore different approaches to access control that hold promise for being inexpensive and easy to incorporate into existing operations and that allow access during emergency circumstances. The trade-offs between access to health information and the potential benefits and harm resulting from greater access are not well understood. Research is needed to better explicate the costs and benefits of various levels and types of information protection so that decision makers have the information they need to make wise choices. Testbeds specifically for testing the efficacy of various security mechanisms should be developed on the scale necessary (single department within an organization, a single hospital, or a network of organizations) to mimic the types of behaviors expected in an actual operational environment.
The committee believes that these recommendations provide a robust framework for addressing many of the vulnerabilities of health information systems at both the institutional and systemic levels. Clearly, additional work is needed, yet the committee believes that, with these mechanisms in place, the health care industry will be able to move forward in its attempts to improve health care while simultaneously protecting patient privacy.