National Academies Press: OpenBook

For the Record: Protecting Electronic Health Information (1997)

Chapter: 4 Technical Approaches to Protecting Electronic Health Information

Suggested Citation:"4 Technical Approaches to Protecting Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.

4 Technical Approaches to Protecting Electronic Health Information

Technological security tools are essential components of modern distributed health care information systems. At the highest level, they serve five key functions:1

  1. Availability—ensuring that accurate and up-to-date information is available when needed at appropriate places;
  2. Accountability—helping to ensure that health care providers are responsible for their access to and use of information, based on a legitimate need and right to know;
  3. Perimeter identification—knowing and controlling the boundaries of trusted access to the information system, both physically and logically;
  4. Controlling access—enabling access for health care providers only to information essential to the performance of their jobs and limiting the real or perceived temptation to access information beyond a legitimate need; and
  5. Comprehensibility and control—ensuring that record owners, data stewards, and patients understand and have effective control over appropriate aspects of information privacy and access.

Health care organizations evaluate security technologies in terms both of their functional benefits for protecting patient privacy and their costs: the cost of impeding or preventing clinicians from accessing information relevant to their decision making; the cost of purchasing and integrating them into the information system environment; the cost of ongoing management, operations, and maintenance of the evolving information system; the cost of user frustration with suboptimal interfaces and procedures; and the cost of user time lost in satisfying security requirements. They must also attempt to implement a balanced approach to protecting against threats to information security and the risks posed by violations. For example, if there are two equally likely and costly threats—e.g., power outages and insiders divulging information—resources should be allocated to protect approximately equally against these threats.2

1 Note that these functions—aimed at improving system security—are conceptually different from those that would be required by the work of a database administrator or a network manager.

Individual technologies vary widely in terms of these cost-benefit characteristics, and as new technologies are developed and reduced to commercial practice, their characteristics change with time. System managers must choose a set of technological interventions that provide effective protection against perceived threats to system security but impose acceptable overall costs. This choice is difficult at best and requires ongoing updates of threat models; evaluations of technologies; reconsideration of integration and operation strategies; and education of management, systems staff, and users. This trade-off almost never includes any direct input from patients—one of the main stakeholder groups whose privacy is at risk—or sometimes even from health care providers—another deeply affected stakeholder group. Patient preferences and utilities are represented only implicitly, and patients can voice their assessment of system design only indirectly by their decisions about where to go for care or by their pursuit of legal redress for damages resulting from lost privacy.

This chapter addresses the technological aspects of privacy and security in health care information systems. It outlines the types of technical security tools that can help manage security risks and then describes the types of tools used by health care organizations. It examines technological issues associated with patient identifiers and other means of linking patient records, and discusses the role of rights management technologies in imposing accountability and control on secondary uses of health information. Finally, the chapter examines obstacles that impede the more widespread use of advanced technical security practice in the health care industry.

2 This statement does not minimize the difficulty of developing a quantitative metric of likelihood. Given the limited data available on violations of privacy and security, it is far more difficult to determine the likelihood of an insider leaking information than to estimate the likelihood of power outages based on good data obtained from the power company.


Observed Technological Practices At Studied Sites

Through its site visits and subsequent deliberations, the committee sought to determine what practices were currently in place in health care organizations, and whether these were prudent practices, as defined primarily in other non-health care settings. Most health care systems are very heterogeneous, meaning that excellent security practices may be in effect in some localized subsystem, but may be entirely missing in other parts of the organization (possibly violating the principle of balance). Thus, summary reporting on the security practices of a widely distributed organization is only a superficial approximation of the range of practices in force.

The committee examined a range of technological practices and mechanisms that can be organized into the following main areas:

  • Authentication;
  • Access control;
  • Audit trails;
  • Physical security of communications, computer, and display systems;
  • Control of external communications links and access;
  • Exercise of software discipline across the organization;
  • System backup and disaster recovery procedures; and
  • System self-assessment and maintenance of technological awareness.

These types of practices address different combinations of the five key functional areas of technological intervention listed above (Table 4.1). Authentication, for example, supports accountability, perimeter identification, access control, and comprehensibility. Physical security addresses system availability and perimeter identification. As a result, combinations of these practices are necessary for robust security.

These security considerations are focused on protecting information within provider institutions and do not address the problems of unrestricted exploitation of information (e.g., for data mining) after it has passed outside the provider institution to secondary payers or to other stakeholders in the health information services industry. A relatively new technological approach (rights management software) is discussed below in "Control of Secondary Users of Health Care Information" that may help in controlling the use of information both across and within organization boundaries.

TABLE 4.1 Functions Served by Different Technological Mechanisms

Mechanism                     | Availability | Accountability | Perimeter Identification | Access Control | Comprehensibility and Control
------------------------------|--------------|----------------|--------------------------|----------------|------------------------------
Authentication                |              | x              | x                        | x              | x
Access control                |              | x              | x                        | x              | x
Audit trails                  |              | x              |                          | x              | x
Physical security             | x            |                | x                        |                |
Control of links              | x            |                | x                        |                |
Software discipline           | x            | x              | x                        | x              |
Backup and disaster recovery  | x            |                |                          |                |
System self-assessment        | x            | x              | x                        | x              |

The following sections discuss in more detail the eight categories of security practice described above and the committee's findings based on its site visits. These findings are reported in terms of examples of observed current practice in health care computing environments. As the committee's site visits revealed, the protection of patient information could be greatly improved if existing, but currently undeployed, technologies were brought into more routine practice in health care settings. Specific technologies include strong cryptographic tools for authentication (Box 4.1), uniform methods for authorization and access control, network firewall tools, more aggressive software management procedures, and effective use of tools for monitoring system vulnerability. In the discussion below, instances in which other undeployed technologies could improve security are pointed out. Obstacles to the use of these tools and techniques are addressed later in the chapter.

Authentication

Authentication is any process of verifying the identity of an entity that is the source of a request or response for information in a computing environment. It is the linchpin for making decisions about appropriate access to health care information, just as it is for controlling legal and financial transactions. Generally, authentication is based on one or more of four criteria:

  1. Something that you have (e.g., a lock key, a card, or a token of some sort);
  2. Something that you know (e.g., your mother's maiden name, a password, or a personal ID number);
  3. Something related to who you are (e.g., your signature, your fingerprint, your retinal or iris pattern, your voiceprint, or your DNA sequence); or
  4. Something indicating where you are located (e.g., a terminal connected by hardwired line, a phone number used in a callback scheme, or a network address).

These, of course, all depend on users' integrity in not sharing the key, token, secret, or characteristic that purports to identify them. The classical method for authentication in computing environments is to assign each user a unique identifier (user or account name) and to associate a secret personal password with each such account. IDs and passwords can work reasonably well but are subject to a number of problems. For example, besides sharing their accounts with others, users may forget their password or they may pick passwords that can be guessed easily. Passwords may also be compromised if users write them down where others can see them or if they are sent across communication lines in an unencrypted form.

BOX 4.1 Cryptographic Technologies

At present two kinds of cryptography are of potential use: symmetric or secret-key cryptography, a system in which the same key is used for encryption and decryption, and asymmetric or public-key cryptography, a system in which two different keys are used, one for encryption and one for decryption. The most common secret-key system in use today is the Data Encryption Standard (DES) developed by IBM and the National Bureau of Standards in the early 1970s and adopted as a federal standard in 1976.1 DES uses a 56-bit key to encrypt and decrypt information based on a bit manipulation algorithm that is well suited to rapid execution on modern computers. Because only a single key is involved, it must be shared (and therefore transported) between parties wishing to exchange information securely. Safe key transport can be a major problem.

The most common public-key system available today is the Rivest, Shamir, Adleman (RSA) system patented in 1983. RSA depends on the difficulty of factoring very large numbers and uses Euclid's algorithm from algebra to define key pairs that are used to encrypt and decrypt information by modular exponentiation. The order of key use is commutative so that if data are encoded by key 1 of a set, key 2 is used to decode the data and if data are encoded by key 2, key 1 is used to decode them. Because two keys are required, only one need be kept secret by the user to whom the key set is assigned. The other (public) key can be made generally available. If the public key is used to encrypt information, the sender can be assured that only the holder of the (other) secret key can decrypt it. Similarly, if the holder of the secret key encrypts information, someone with the public key can be sure the information came from the secret key holder. With proper certification that a public key is assigned to a given individual, this is the basis of the digital signature and related services.

Public-key systems run about 1,000 times more slowly than DES systems and require keys about 10 times longer.2 For this reason secret-key cryptography and public-key cryptography are often used together. Public-key cryptography is used for transactions in which the certified identity of the sender and/or receiver of a given message is crucial (and hence worth the computational cost). One such application is to transfer secure DES session keys to be used in higher-volume subsequent encrypted communication between entities.

1 U.S. Department of Commerce, National Bureau of Standards. 1977. "Data Encryption Standard," FIPS Publication 46. National Bureau of Standards, Washington, D.C.

2 Diffie, Whitfield. 1988. "The First Ten Years of Public-Key Cryptography," Proceedings of the IEEE, Vol. 76, No. 5, May, pp. 560-577.

SOURCE: Computer Science and Telecommunications Board, National Research Council. 1996. Cryptography's Role in Securing the Information Society. National Academy Press, Washington, D.C.
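As an added illustration of the two directions of key use and the session-key transfer described in Box 4.1 (example code written for this edition, not the report's own), the following textbook RSA derives a key pair from two constructed, deliberately tiny primes with the extended Euclidean algorithm; the parameters offer no real protection and exist only to make the arithmetic visible.

```python
"""Textbook RSA with tiny constructed primes to illustrate Box 4.1 (added example, not from the report).
The numbers are far too small for real use; they only make the key-pair behaviour easy to follow."""
from __future__ import annotations


def extended_euclid(a: int, b: int) -> tuple[int, int, int]:
    """Return (g, x, y) such that a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = extended_euclid(b, a % b)
    return g, y, x - (a // b) * y


def make_keypair(p: int, q: int, e: int = 17) -> tuple[tuple[int, int], tuple[int, int]]:
    """Derive (public, private) from two primes; d is the inverse of e modulo phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    g, d, _ = extended_euclid(e, phi)
    if g != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (e, n), (d % phi, n)


def apply_key(key: tuple[int, int], value: int) -> int:
    """Modular exponentiation with either key: the same routine encrypts, decrypts, signs and verifies."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)


def wrap_session_key(recipient_public: tuple[int, int], session_key: int) -> int:
    """Sender protects a secret-key session key with the recipient's public key (hybrid use)."""
    return apply_key(recipient_public, session_key)


def unwrap_session_key(recipient_private: tuple[int, int], wrapped: int) -> int:
    """Only the holder of the matching private key recovers the session key."""
    return apply_key(recipient_private, wrapped)


def sign(private: tuple[int, int], value: int) -> int:
    """Key 2 (private) encodes; anyone with key 1 (public) can check the result."""
    return apply_key(private, value)


def verify(public: tuple[int, int], value: int, signature: int) -> bool:
    return apply_key(public, signature) == value


def demo() -> dict:
    public, private = make_keypair(61, 53)          # constructed primes
    ciphertext = apply_key(public, 65)              # direction 1: public encrypts, private decrypts
    signature = sign(private, 65)                   # direction 2: private signs, public verifies
    session_key = 1234                              # constructed stand-in for a secret-key session key
    wrapped = wrap_session_key(public, session_key)
    return {
        "public": public,
        "private": private,
        "ciphertext": ciphertext,
        "decrypted": apply_key(private, ciphertext),
        "signature_ok": verify(public, 65, signature),
        "tampered_ok": verify(public, 66, signature),
        "unwrapped": unwrap_session_key(private, wrapped),
        "public_key_cannot_unwrap": apply_key(public, wrapped) != session_key,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```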

Log-in credentials (accounts, passwords, physical tokens, etc.) must be linked closely to the user's employment status or relationship to the organization. Often information is slow to propagate through the organization to individual system managers when the status of a user changes: students and temporary workers come and go and employees terminate or are terminated. Leaving system accounts accessible after a user no longer has rights of access is a major source of security vulnerability.

Authentication Technologies Observed on Site Visits

As might be expected with the rapidly evolving computing environments of today's health care organizations and the integration of many legacy information systems with more modern ones, there is little uniformity in the use of authentication methodologies. Many systems are dependent on the authentication procedures built in by the vendor, and the lengths and formats of valid account names and passwords are often incompatible.

The most common practice in the sites visited was the use of unique account IDs (generally assigned by a system administrator) and conventional unencrypted passwords for each individual user. Often some attempt was made to ensure that users chose difficult-to-guess passwords and that passwords were changed every few months, but enforcement was lax. In many environments, users must remember multiple passwords, depending on which information server they are accessing, and the trade-off is user convenience (not forgetting passwords) versus security. In situations with complex or rapidly changing passwords, users are often tempted to write down the codes for easy reference, most often in personal notebooks but sometimes on slips attached to their workstations, although the committee did not observe passwords written openly during its site visits. Where password changes are required periodically and the new password is not allowed to be the same as the previous one, the most common practice was to have two easy-to-remember passwords that the user alternated between at change intervals. Controls over passwords and account deactivation were most rigorous in centrally controlled systems and became much more relaxed in more decentralized and loosely affiliated groups.

The strongest practice observed was the experimental use of centrally issued user token cards (magnetic strip swipe cards) in conjunction with a user's personal identification number (PIN). This scheme was applied to only one of the clinical information systems in the organization, and the software to support it was written in-house. User acceptance was high and was enhanced by the fact that the swipe card served other uses such as parking lot or building entry authentication. Other examples of strong authentication technologies included localized use of encrypted password-checking schemes for modem dial-up services, although subsequent communications across the network were generally unencrypted. Such examples of good authentication technology usage were rare and were not deployed organization-wide across information resources.

One weak practice observed by the committee was the use of systems in a few sites where the user ID and authentication functions were combined into a single PIN. Each user had a different PIN, but the PIN was so short that a large fraction of all possible PINs was being used, and it was relatively easy for an unauthorized user to guess a usable PIN. An even weaker practice observed at one site was the use of common shared log-in accounts for large classes of providers with shared (and widely known) passwords—e.g., a common account password shared by all physicians and another by all nurses (passwords such as "doc"). Such systems provide almost no protection and depend entirely on the ethical integrity of the entire population of providers, administrators, patients, and visitors—a practice workable in only the most fortunate of organizations.

Some sites use a location-based authentication system. For health care systems, the committee believes that authentication based solely on the location of the user is very weak and should be used only under very exigent and carefully controlled circumstances. First of all, with the proliferation of personal computers and the use of high-speed packet-switched communications systems, many users move from machine to machine in the course of their workdays and there is no single applicable location. Second, network addresses change often enough to make it difficult to keep the location database up-to-date and validated. Third, it is relatively easy to fake (Internet) addresses in current communications systems so that apparent location is not a useful or verifiable criterion for identification. Location-based denial of access is used in some sites and may be a helpful adjunct to access control (see below), but it is not sufficient for authentication.

Authentication Technologies Not Yet Deployed in Health Care Settings

In addition to procedures that strengthen the use of passwords by requiring users to change them frequently, employing codes that are hard to guess, and instituting incentives or sanctions against sharing them, a number of technological schemes are available to strengthen the use of passwords. These are not in general use in the health care industry but include single-session passwords (those that are valid for one log-on session only), encryption technologies (either secret or public key), and "smart cards" (described below) or other tokens (e.g., the swipecard in limited use at one of the sites the committee visited). Each of these approaches helps avoid exposing passwords to snooping when the user's identity is being verified, and cryptographic tools provide stronger validation of the source and content of information sent between machines.

The most prudent and safe approach to authentication today in health care environments appears to be the use of a unique account identifier for each user with an encrypted password or PIN system (e.g., a secret or public-key Kerberos system as described below) in conjunction with a token. Both the password and the token must be presented to identify a user. This approach combines something you know with something you have and will be the basis, for example, for authentication in Internet commerce systems. Furthermore, this kind of password-token approach can be used for organization-wide identification so that users need be asked only once to log into the organization environment and thereafter have access privileges based on the role they fulfill and the information service they attempt to access, no matter where it is located in the organization.

Kerberos Organization Authentication. An important system for organization authentication of users, clients, and servers is called Kerberos. Kerberos was developed at the Massachusetts Institute of Technology (MIT) as part of Project Athena in the mid-1980s.3 The central contribution of Kerberos is the practical management of secret keys for secure communications among thousands of workstations in a distributed organizational computing environment. The current Kerberos implementation functions without public-key encryption technology, yet limits the number of secret keys that must be used in an interconnected system. For example, in a simplistic system, if each of 1,000 users in an organization is to communicate securely with any of the other 999 workstations, the system must generate a unique password for each possible combination of workstations. This implies managing some 1,000,000 keys (1,000 possible senders times 1,000 possible recipients). If on the other hand a central key distribution service existed that could dispense secret keys securely to pairs of users as needed for communications, then on the order of 1,000 fixed keys would be needed—one for each user to employ in communicating with the key distribution center (KDC). The Kerberos system takes such an approach and has to manage a number of keys that is directly proportional to the number of users in the organization. It distributes time-limited secret session keys without the need for passwords to pass in cleartext over any part of the computer network. Although the KDC represents a focal point of vulnerability in the system, Kerberos is a major step forward in organization management of secure communications and is the basis of strong authentication in the Distributed Computing Environment being promoted by the Open Software Foundation (OSF). Kerberos is being used actively in some health care and other facilities that the committee did not visit, in which secure authentication of more than 30,000 entities is required.

3 See Miller, S., C. Neuman, J. Schiller, and J. Saltzer. 1987. "Section E.2.1: Kerberos Authentication and Authorization System," MIT Project Athena, Cambridge, Mass. See also Needham, R., and M. Schroeder, 1978, "Using Encryption for Authentication in Large Networks of Computers," Communications of the ACM, Vol. 21, No. 12; and Kohl, J., and C. Neuman, 1993, "The Kerberos Network Authentication Service (V5)," RFC 1510, Internet Working Group, available on-line at http://ds.internic.net/rfc/rfc1510.txt.

Smart Card Tokens. Internet commerce interests are pushing forward aggressively on standards for developing and deploying token-based cryptographic authentication and authorization systems (e.g., the Mastercard-Visa consortium and CyberCash Inc.). These technologies should be adapted to health care organization and interorganization applications, including the establishment of certification authorities with adequate trust levels to be effective in health care settings. Commercial deployment of these technologies will drive the prices of tokens and related software down to the point at which they can be used cost-effectively for protecting access to personal health care information, and user acceptance will be high because use of the technologies will be familiar in other settings. In support of this direction, health care organizations, elements of the health care information services industry, professional organizations, and government agencies should strongly support the development of Internet and commercial efforts in this arena.

One example of a smart card token is a card about the size of a credit card but somewhat thicker that has a liquid crystal display in which a number appears that changes every minute or so (the length of the number and frequency of change depend on the card model). Each user card generates a unique sequence of numbers over time, and, through a shared secret algorithm, servers for which the user has been assigned access privileges can generate the corresponding sequence of numbers. Since only the bona fide user (nominally) possesses the card and the number sequence is unique, the number at any given time is used as a session password. Any snooper who detects the number being sent over the network must replay it within the cycle time of the card; otherwise a new random number, known only to the holder of the card, is required for login. Other devices suitably packaged as buttons, smart cards, or similar tokens are becoming available at economically affordable prices. These have write-controlled internal memory (devices with 8 kilobytes of storage are readily available today) along with processing capacity to support services such as user-specific information storage, authentication, and cryptographic certificate management. Some even have biometric access control features.
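The changing-number card described above is, in its later standardized form, a time-based one-time password (RFC 6238, built on the HMAC one-time password of RFC 4226). The following is an added example, not code from the report, showing both the card side and the server side of that scheme, with the server refusing a number that is captured and replayed inside the card's cycle time; the shared secret is the published RFC 4226 test key, used only because its expected codes are known.

```python
"""Card-side and server-side of a time-based one-time password (added example, not from the report).
Implements RFC 4226 HOTP and RFC 6238 TOTP with HMAC-SHA1; the shared secret is the RFC 4226 test key."""
import hashlib
import hmac
import struct
from typing import List, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated to a decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Card side (RFC 6238): the displayed number is HOTP over the current time window."""
    return hotp(secret, int(at_time) // step, digits)


class TokenVerifier:
    """Server side: shares the secret, tolerates a little clock drift, and accepts each window once."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, drift: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.drift = drift
        self.last_counter_used = -1            # highest window already consumed by a successful log-in
        self.log: List[Tuple[int, str]] = []   # constructed audit trail of (time, outcome)

    def verify(self, code: str, at_time: int) -> bool:
        counter = int(at_time) // self.step
        for candidate in range(counter - self.drift, counter + self.drift + 1):
            if candidate <= self.last_counter_used:
                continue   # that window is spent (or older): a replayed capture is refused
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_counter_used = candidate
                self.log.append((at_time, "accepted"))
                return True
        self.log.append((at_time, "rejected"))
        return False


SHARED_SECRET = b"12345678901234567890"   # RFC 4226 test key, constructed input for the example


def replay_scenario() -> dict:
    """Genuine log-in, then the same number resent within the cycle, then an older window's number."""
    server = TokenVerifier(SHARED_SECRET)
    t_login = 59                                              # inside time window 1 (30-second step)
    shown = totp(SHARED_SECRET, t_login)                      # number the card displays
    first = server.verify(shown, t_login)                     # accepted
    replay = server.verify(shown, t_login + 5)                # same number replayed: refused
    stale = server.verify(totp(SHARED_SECRET, 10), t_login)   # window-0 number after window 1 spent
    return {"shown": shown, "first": first, "replay": replay, "stale": stale, "log": server.log}


if __name__ == "__main__":
    print(replay_scenario())
```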

Biometric Authentication Technologies. Various systems that measure the physical features of an individual (e.g., fingerprints, voiceprints, retinal or iris patterns of the eye, hand geometry patterns, or facial features) or the features of repetitive actions (e.g., signature dynamics) have been studied as the basis of identification systems.4 Such biometric systems have the potential advantage of convenience and difficulty in forging an access pattern, since the basis of identification is always physically with the subject and is typically a complex pattern. However, biometric systems must be evaluated in terms of their reliability (false-positive and false-negative identification rates), the time and user frustration involved in the repeated authentication attempts that may be needed, and the difficulty of fooling the system with simulated patterns. The most extensive objective measurements of the reliability of biometric methods have been done by Sandia National Laboratories.5 These studies evaluated a number of commercial systems using voiceprint analysis, signature dynamics, retinal patterns, iris patterns, fingerprint analysis, and hand geometry. The Sandia data indicate that the most effective technologies currently available for identification verification (i.e., verifying the claimed identity of an individual who has presented a magnetic stripe card, smart card, or PIN) are systems based on retinal or hand geometry patterns. These systems have one-try false-rejection and false-acceptance rates of less than 1 percent. User pattern collection and verification processing take about 5 to 7 seconds. Biometric systems have already progressed to the point at which they are being put into operation to help verify identities in applications such as personal and electronic banking, human and social services delivery, driver's license verification, industrial security, immigration control, and other settings where convenient, nonforgeable identification is necessary.6

4 See, for example, Daugman, J.G. 1993. "High Confidence Visual Recognition of Persons by a Test of Statistical Independence," IEEE Transactions on Pattern Analysis and Machine Intelligence 15(11):1148-1161.

5 Holmes, J.P., L.J. Wright, and R.L. Maxwell. 1991. "A Performance Evaluation of Biometric Identification Devices," Sandia Report SAND91-0276. Sandia National Laboratories, Albuquerque, N. Mex., June. See also Bouchier, F., J.S. Ahrens, and G. Wells. 1996. "Laboratory Evaluation of the IriScan Prototype Biometric Identifier," Sandia Report SAND961033. Sandia National Laboratories, Albuquerque, N. Mex., April.

6 See, for example, Biometrics in Human Services User Group Newsletter, Vol. 1, No. 1, July 1996.


Access Controls

Once a user is identified, the next step is to determine the privileges that user has in terms of accessing services and information. This requires determining access both to particular application programs and to particular sets of data. In environments in which there is no notion of organization log-in, the existence of an account for a user is the first order of access control. In a more general distributed framework, either a database must exist that contains information for each user regarding access privileges or each piece of information must be tagged to describe its access rights. The classical approach in a hierarchical file structure is protection assigned at each node—directory or file. More fine-grained systems would assign protection levels to individual data elements within each directory or file. Protections are usually assigned to control ability to perform operations on the data structure, for example, to read, write, append, delete, and create. Each node typically has an owner and a set of privileges that apply to that person, a set of privileges that apply to specially defined groups of users, and privileges that apply to everyone else. In more modern systems, quite general access control list (ACL) mechanisms are available under which each group of users may have its own set of privileges and additional privileges can be defined (e.g., whether an entity may even see that a node exists in the file structure). Similar access control mechanisms are implemented in commercial database systems and may apply at various levels of granularity in the data structure—database, table, record, or data element.7

Operationally the problem becomes one of securely maintaining the database of user privileges, assigning group memberships (roles) appropriate to the user's current function, and assigning appropriate role-based access controls to various elements of information, based on need and right to know. This operational process, of course, has little to do with technology deployment, except insofar as technology may provide a smoothly integrated user interface for managing the database of access information in a consistent and timely way. The difficulties that confound this process include not having a clear model for information security (i.e., what information should be assigned what access controls), having multiple access privilege databases in an organization that must work in consort, and keeping track of the users in an organization and their often changing roles over time (e.g., providers who move from service to service or fill in temporarily for a colleague).

7 Note, however, that organizing all data in concert with all possible access rights is a major effort. Such a task requires that the many pieces of information contained within an electronic medical record be reviewed to ensure that retrieval of a given piece of information is consistent with all relevant access rights. This task is complicated by a number of factors. For example, not all data within a given electronic medical record are necessarily controlled by a single system or system supplier. As important, it is difficult to ensure that all data are properly filed, so that a partitioned access right will not retrieve any data that give or allow inferences beyond the authorized access rights.

An additional crucial aspect of data access control for health care settings is to allow access overrides in the case of an emergency. When a patient shows up in an emergency care facility unconscious or incoherent, the physician, who may never have seen the patient before, must have access to crucial information (prior history, current medications, allergies, possible psychiatric status, etc.) quickly to make possibly life-saving decisions about care. Thus, the context (urgency) of the need to know may override conventional access control mechanisms (with an appropriate audit log of the event, as described below).
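The node-level privileges, per-role ACL grants, and emergency override with an audit record discussed above, as an added example that is not code from the report or any vendor system; the role policy, the operation names, and the rule that an override permits reading only are assumptions.

```python
"""Role-based access check with emergency override and audit (added example;
the role policy and override rule are assumptions, not the report's)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Operations on a record node as listed in the text; "list" stands for the
# privilege of seeing that the node exists at all.
OPERATIONS = {"read", "write", "append", "delete", "create", "list"}

# Constructed sample role policy (assumed, not from the report).
ROLE_POLICY: Dict[str, Set[str]] = {
    "attending_physician": {"read", "write", "append", "create", "list"},
    "nurse": {"read", "append", "list"},
    "lab_technician": {"append", "list"},
    "billing_clerk": {"list"},
}


@dataclass
class RecordNode:
    record_id: str
    owner: str                        # physician of record
    sensitive: bool = False           # "highly sensitive" class of information
    # Explicit per-role grants on this node (an ACL), e.g. for a consulting team
    acl: Dict[str, Set[str]] = field(default_factory=dict)


@dataclass
class AuditEntry:
    time: str
    user: str
    role: str
    record_id: str
    operation: str
    decision: str                     # permit | deny | permit-override
    reason: Optional[str] = None


AUDIT_LOG: List[AuditEntry] = []


def _audit(user, role, record, op, decision, reason=None) -> None:
    AUDIT_LOG.append(AuditEntry(datetime.now(timezone.utc).isoformat(),
                                user, role, record.record_id, op, decision, reason))


def privileges(user: str, role: str, record: RecordNode) -> Set[str]:
    """Privileges a user holds on a node: owner, then explicit ACL, then role
    default. On highly sensitive records the role default does not apply."""
    if user == record.owner:
        return set(OPERATIONS)
    granted = set(record.acl.get(role, set()))
    if not record.sensitive:
        granted |= ROLE_POLICY.get(role, set())
    return granted


def check_access(user: str, role: str, record: RecordNode, op: str,
                 emergency_reason: Optional[str] = None) -> bool:
    """Decide `op` for `user`; every decision, including overrides, is audited."""
    if op not in OPERATIONS:
        raise ValueError(f"unknown operation {op!r}")
    if op in privileges(user, role, record):
        _audit(user, role, record, op, "permit")
        return True
    # Emergency override (assumption: reading only, never altering or deleting):
    # urgency overrides the policy, and the event is logged for later review.
    if emergency_reason and op in {"read", "list"}:
        _audit(user, role, record, op, "permit-override", emergency_reason)
        return True
    _audit(user, role, record, op, "deny")
    return False


def overrides_for_review() -> List[AuditEntry]:
    """Entries an auditor should examine after the fact."""
    return [e for e in AUDIT_LOG if e.decision == "permit-override"]


if __name__ == "__main__":
    chart = RecordNode("MRN-0001", owner="dr_lee", sensitive=True)  # constructed
    print(check_access("dr_ng", "attending_physician", chart, "read"))
    print(check_access("dr_ng", "attending_physician", chart, "read",
                       emergency_reason="unconscious patient in ED"))
    for entry in overrides_for_review():
        print(entry)
```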

Access Control Technologies Observed on Site Visits

The committee's review indicated that most health care organizations are attempting to adapt access control criteria and processes from paper record systems to on-line systems. Thus, most sites conceptually identify four classes of information:

  1. Public information (e.g., promotional materials, educational materials) available to any interested person inside or outside the organization;
  2. Internal confidential information (e.g., organizational policies, business strategies, outcomes and utilization information) accessible on a need-to-know basis to organization employees and affiliates;
  3. Confidential patient record information—the routine content of patient health records—accessible on a need-to-know basis to providers and oversight groups, as well as to outside groups (e.g., insurance payers); and
  4. Highly sensitive patient record information (e.g., records of celebrities or other widely recognized persons, or special content such as information related to substance abuse, psychiatric care, physical abuse, HIV status, and abortions) accessible on a restricted need-to-know basis to authorized users of patient record information.

Although these distinctions are made in principle, often information is not labeled appropriately, except for patient records and sensitive information; in fact, most organizations have not yet decided whether or not to put highly sensitive information on-line because of concerns about patient privacy. For medical record information, most sites do not distinguish access privileges among providers. Physicians approved for practice at an organization generally have access to any record they claim to need, without further review. At the paper record level, where records must be checked out of storage areas, the decision is generally made on the basis of the number of records requested. If a provider requests more than about three records at a time, questions are raised as to the purpose and authorization, with the implicit assumption that some research project is involved for which prior approval of an institutional review board is needed.

The committee found strong pressure from physicians at the sites visited not to distinguish record access privileges among in-house physicians based on any role-specific criteria. Their arguments included their already strong ethical training and commitment to maintaining patient privacy. In the small number of sites where role-based access controls were being instituted, strong pressures were felt in the workplace setting to broaden the access privileges for each role category because of providers' experiences with blocked access to portions of records that they felt they needed in the course of their work. Such difficulties might be overcome by allowing user-initiated overrides in exceptional cases, followed by audit to ensure that a legitimate need for the override existed. For example, an exceptional access might trigger an automatic e-mail notification to the physician of record and an entry noting the access placed in the patient's chart. In secondary use areas, such as insurance payers, the committee observed that such role-based access control was not questioned and was in more routine use.

Some sites allow broad access privileges for providers but make it clear that an audit trail (see below) is being kept of each access and that perceived inappropriate use will be questioned and follow-up sanctions applied. Evidence indicates that this kind of audit approach is effective as a deterrent for providers based on principles of ethics. No site questioned the need for emergency override for access to records, with provision for possible after-the-fact audit analysis. The committee found no evident use of strong authorization controls based on access control lists.

Other sites use a system that limits the databases and applications that can be accessed from particular locations. For example, workstations in the payroll department cannot access clinical databases even if the user has the appropriate (role-related) authorizations. Similarly, workstations in clinical settings may not access personnel files. Such restrictions must be viewed as a means of supplementing rather than supplanting access controls based on strong user authentication and need-to-know criteria. Location-based controls can help define the access perimeter of information systems by preventing any users lacking appropriate authorizations

Suggested Citation:"4 Technical Approaches to Protecting Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×

from accessing a system from a location not reasonably associated with a need for that data.

Access Control Technologies Not Yet Deployed in Health Care Settings

Access Control List and Role-Based Access. The committee believes that the flexibility of access control list technologies, such as those being deployed in the Open Software Foundation's Distributed Computing Environment, should be deployed more widely to facilitate detailed management of information access based on often changing user role(s), temporal variations in role, and so forth. Several research studies and demonstrations of role-based access control are under way that may help in defining ways to manage the complexities and promote the use of this type of authorization.8

Anonymous Patient IDs. The health care community typically assumes that a patient's name (and other personal demographic information) is routinely associated with all steps in the patient's care—for example, chart information, blood and tissue samples, laboratory tests, radiological films, pharmaceuticals. This practice constitutes implicit open visual access to aspects of patient information on the part of all persons involved in a patient's care, even if they have no need to know the identity of a patient. This in turn often leads to breaches of privacy through disclosure of private information about acquaintances. It may be possible to reduce these frequent, casual, and accidental disclosures of confidential information if unique identifiers, other than the patient's name, were used on records, orders, testing, and diagnostic procedures, except where absolutely essential. For example, there is not always a need to have a patient's name displayed in processing laboratory or pathology data, in analyzing radiology or cardiology test results, or in many other situations.9 A coded patient ID would suffice in many cases, just as bank account numbers and credit card numbers provide the true identifying label for financial transactions. Even though some laboratories prefer to match name and ID number to ensure the proper flow of data to patient records or require signed consent forms to accompany a specimen (particularly for HIV tests), laboratory technicians have no real need to know the names of patients whose samples they are analyzing, as long as the correct result occurs (i.e., the data are bound without error or ambiguity to the proper record). Only at a few points in the overall health care process is it necessary that the patient's full identity be known. Using session identifiers in place of the full patient name is equivalent to using access tickets in the Kerberos system for distributed computing authentication and authorization control, where actual user or client identity is not carried in the ticket and is available only by means of authorized requests to the key distribution center. Similar capabilities are being developed for Internet commerce, where user anonymity is desired in the context of authenticated transactions (e.g., digital voting, anonymous digital "cash" purchases, and anonymous e-mail for suggestion box submissions). Such a system would preserve patient anonymity more effectively, preventing inappropriate access to patient-identified information while allowing information to be associated accurately with the proper patient record.

8  

See Ferraiolo, David, and Richard Kuhn, "Role-based Access Controls," a summary of ongoing work at the National Institute of Standards and Technology, available on-line at http://nemo.ncsl.nist.gov/rbac/; and Wiederhold, Gio, Michel Bilello, Vatsala Sarathy, and XiaoLei Qian, 1996, "A Security Mediator for Health Care Information," Proceedings of the 1996 AMIA Conference, Washington, D.C., October, pp. 120-124.

9  

In some cases, the use of patient names for laboratory tests is helpful. As one reviewer noted, on evening and night shifts when staffing is short, hospital laboratory personnel (who themselves often must draw specimens from patients in their rooms) must informally prioritize sampling. The more anonymous the specimens, the less likely is this informal but important information exchange and judgment to be made.
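The coded-ID arrangement sketched above, as an added example that is not code from the report: a small identity service issues a fresh code per laboratory order, the laboratory system handles only codes and results, and the code is resolved back to the chart only on an authorized request (the ticket/key-distribution-center analogy). The service design, the roles permitted to resolve a code, and the sample patient data are assumptions.

```python
"""Coded patient identifiers for laboratory work (added example; the identity
service, the resolving roles and all sample data are assumptions)."""
import secrets
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Patient:
    mrn: str        # medical record number, the true identifying label
    name: str


class IdentityService:
    """Issues per-order coded IDs and resolves them only for authorized roles,
    much as a key distribution center resolves a ticket."""
    RESOLVE_ROLES = {"medical_records", "attending_physician"}   # assumed

    def __init__(self) -> None:
        self._patients: Dict[str, Patient] = {}
        self._codes: Dict[str, str] = {}           # coded id -> mrn

    def register(self, patient: Patient) -> None:
        self._patients[patient.mrn] = patient

    def issue_code(self, mrn: str, purpose: str) -> str:
        """Fresh random code per order; it carries neither name nor MRN, so
        two orders for the same patient cannot be linked by the laboratory."""
        if mrn not in self._patients:
            raise KeyError(mrn)
        code = f"{purpose}-{secrets.token_hex(8)}"
        self._codes[code] = mrn
        return code

    def resolve(self, code: str, requester_role: str) -> Patient:
        if requester_role not in self.RESOLVE_ROLES:
            raise PermissionError(f"{requester_role} may not resolve identities")
        return self._patients[self._codes[code]]


class LabSystem:
    """Handles specimens and results keyed by coded ID only."""
    def __init__(self) -> None:
        self.results: Dict[str, Dict[str, str]] = {}

    def receive_specimen(self, code: str) -> None:
        self.results.setdefault(code, {})

    def report_result(self, code: str, test: str, value: str) -> None:
        if code not in self.results:
            raise KeyError(f"no specimen for {code}")
        self.results[code][test] = value


def file_results(ids: IdentityService, lab: LabSystem, code: str,
                 charts: Dict[str, Dict[str, str]]) -> str:
    """Medical records binds the laboratory's coded result to the proper chart;
    this is one of the few points where the identity must be known."""
    patient = ids.resolve(code, "medical_records")
    charts.setdefault(patient.mrn, {}).update(lab.results[code])
    return patient.mrn


if __name__ == "__main__":
    ids, lab, charts = IdentityService(), LabSystem(), {}
    ids.register(Patient("MRN-0001", "Jane Doe"))   # constructed sample patient
    code = ids.issue_code("MRN-0001", "LAB")
    lab.receive_specimen(code)
    lab.report_result(code, "potassium", "4.1 mmol/L")
    print(code, file_results(ids, lab, code, charts), charts)
```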

Audit Trails

As discussed in Chapter 3, there are basically two kinds of interventions for minimizing violations of the confidentiality of health care information: (1) obstacles such as strong authentication and authorization technologies and (2) deterrents such as threats that misbehavior will be observed and sanctions applied. In a health care setting, obstacle-like remedies have limited effectiveness because they often cost time and aggravation for providers carrying out their necessary tasks. Deterrents can be highly effective among groups such as health care providers, who are ethically motivated, or among groups that can be influenced by sanctions such as job loss or legal process.

Audit trails, or records of information access events, can provide one of the strongest deterrents to abuse. Audit trails record details about information access, including the identity of the requester, the date and time of the request, the source and destination of the request, a descriptor of the information retrieved, and perhaps a reason for the access. The effectiveness of such a record depends on strong authentication of users having access to the system; it does little good to know that a celebrity's health care record was retrieved improperly if it is impossible to determine the identities of all those who actually retrieved the record. Audit trail information must also be kept in a safe place so that intruders cannot modify the trail to erase evidence of their access. Finally, although there is some benefit in users' thinking that an audit trail is being kept and analyzed, such trails are truly effective only if their information is actually reviewed and analyzed.
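One way to make the "kept in a safe place" requirement checkable, as an added example that is not code from the report: each audit entry's hash covers the previous entry's hash, and the latest hash is copied to a separate write-once location, so that altering, inserting or truncating entries is detectable. The field names follow the text; the anchoring scheme is an assumption.

```python
"""Tamper-evident audit trail using a hash chain (added example; the field
names follow the text, the external anchor scheme is an assumption)."""
import hashlib
import json
from typing import Any, Dict, List, Optional

GENESIS = "0" * 64


def _chain_hash(prev_hash: str, entry: Dict[str, Any]) -> str:
    # Canonical JSON so the same entry always hashes the same way.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only log where each entry's hash covers the previous hash."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, Any]] = []
        self.hashes: List[str] = []

    def record(self, requester: str, time: str, source: str, destination: str,
               descriptor: str, reason: Optional[str] = None) -> str:
        entry = {"requester": requester, "time": time, "source": source,
                 "destination": destination, "descriptor": descriptor,
                 "reason": reason}
        prev = self.hashes[-1] if self.hashes else GENESIS
        digest = _chain_hash(prev, entry)
        self.entries.append(entry)
        self.hashes.append(digest)
        return digest

    def head(self) -> str:
        """Latest hash; copy it to a separate write-once store as the anchor."""
        return self.hashes[-1] if self.hashes else GENESIS

    def first_bad_entry(self) -> Optional[int]:
        """Index of the first entry whose stored hash no longer recomputes, or None."""
        prev = GENESIS
        for i, (entry, digest) in enumerate(zip(self.entries, self.hashes)):
            if _chain_hash(prev, entry) != digest:
                return i
            prev = digest
        return None

    def verify(self, anchor: str) -> bool:
        """Intact only if every link recomputes AND the head equals the anchor;
        an intruder who rewrites the whole chain or truncates it changes the head."""
        return self.first_bad_entry() is None and self.head() == anchor


if __name__ == "__main__":
    trail = AuditTrail()   # constructed sample entries follow
    trail.record("dr_lee", "1997-03-11T09:00:00", "ward-3", "records-db",
                 "MRN-0001/chart", "providing care")
    anchor = trail.head()
    trail.entries[0]["requester"] = "someone_else"   # simulated tampering
    print(trail.first_bad_entry(), trail.verify(anchor))
```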

Audit Trail Technologies Observed on Site Visits

The committee's site visits revealed that almost all organizations keep audit trails for access to information in central health care information systems, but they do so only inconsistently for secondary information systems. Management at one site believed that audit records were being kept but was not sure and did not feel that this was a problem because the belief that audit records were kept was enough to deter inappropriate behavior. In almost all sites, audit records were not reviewed until a complaint was received from a patient or employee who had alleged a breach of confidentiality. Follow-up was then generally a manual process of reviewing audit records and investigating the details of possible indications of misuse. Many of the sites visited by committee members display warning messages about audit review to users accessing sensitive information.

Another site allows employees to review all accesses to their own medical records (most workers in health care organizations receive personal care in their employing organization). Employees can, at the touch of a button, generate a list of all users who accessed their record over a specified period of time. Most employees reported that they check their access logs regularly after receiving medical treatment and check them periodically in between treatments to detect any unusual accesses. Although such reviews only rarely detect unwarranted accesses, both management and staff report that the capability has heightened workers' appreciation of patients' privacy concerns and has helped educate them about the legitimate flows of health care data throughout the organization (to physicians, nurses, billing clerks, etc.). All see it as a successful deterrent against internal abuses of privileges.

Audit Trail Technologies Not Yet Deployed in Health Care Settings

There is wide agreement that audit trails deter unethical use of health information insofar as breaches can be detected and sanctions instituted against abusers. Currently audit trail analysis is almost entirely manual, and as a result, audit trails are rarely scanned unless a misuse is suspected based on external evidence. Only a few of the sites visited used any sort of automated audit trail analysis or exception-reporting programs. The site that had the capability to display audit logs routinely for its own employees had developed software tools to extract a single thread of patient-specific record accesses from the huge volume of audit trail entries.

Another site has a system that collects data prospectively on the legitimacy of access to records. For every access to data, the system displays a short checklist of reasons for access (e.g., providing care, quality review, billing, and so on). The checklist varies, depending on the requester's role, and is derived from context information such as patient-provider relationships, ward or bed assignments, and past access patterns. If the appropriate reason is not listed in the checklist, the requester types the reason in a text field. If the requester is a primary caregiver, access is assumed to be legitimate, and no reason is requested; any other provider who claims to be caring for the patient is approved for a six-month period of time. Quality review requesters are asked again after one week, on the assumption that their study should not require them to keep accessing a record for longer than that. Those looking at the record because they are merely trying to identify the right patient would be asked again on the next access. In most instances, the extra cost to the user is just to hit an OK response. In addition to these records being kept for possible future audit, all accesses are also reported to the patient's primary care provider, who can use this information to detect unwarranted snooping. When given the opportunity to turn off this reporting function, about half of the doctors chose to do so and not receive such notifications. This arrangement may provide an important basis for detecting suspicious accesses flagged by automated audit software and forwarded for human review.

More effective software tools are needed to maintain continuous surveillance of audit trail information so that abuses are detected quickly and sanctions meted out, both to maintain the effectiveness of audit trails as prevention tools and to contain, as soon as possible, the extent of any abuse. Such tools must be relatively sophisticated and take into account expected usage patterns and auxiliary information, such as appointment schedules and referral orders, in order to minimize the false-positive and false-negative rates in audit trail analyses. Criteria for access review might include claimed emergency need, any access to a celebrity record, access at a time or from a location out of the ordinary for a given provider, or access to a record by a provider for whom no recent appointment or referral record is available.
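The review criteria just listed, applied by a small analysis tool over audit entries together with the auxiliary information the text mentions (appointments, referrals, expected usage patterns), as an added example that is not code from the report. All auxiliary data, provider profiles, thresholds and audit entries are constructed samples.

```python
"""Automated audit trail review (added example; all auxiliary data, provider
profiles, the 30-day window and the audit entries are constructed)."""
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed auxiliary information an analysis tool would draw on.
FLAGGED_RECORDS: Set[str] = {"MRN-0007"}              # e.g. a widely recognized person
APPOINTMENTS: Dict[Tuple[str, str], datetime] = {       # (provider, record) -> visit
    ("dr_lee", "MRN-0001"): datetime(1997, 3, 10, 14, 0),
}
REFERRALS: Dict[Tuple[str, str], datetime] = {          # (provider, record) -> referral
    ("dr_ng", "MRN-0002"): datetime(1997, 3, 12, 9, 0),
}
PROVIDER_PROFILE = {                                    # expected usage patterns
    "dr_lee": {"hours": (7, 19), "locations": {"ward-3", "clinic-a"}},
    "dr_ng": {"hours": (8, 18), "locations": {"clinic-b"}},
}
RECENT = timedelta(days=30)

# Constructed audit entries in the shape described earlier in the chapter.
AUDIT_ENTRIES: List[Dict[str, str]] = [
    {"id": "a1", "user": "dr_lee", "time": "1997-03-11T09:00:00",
     "source": "ward-3", "record": "MRN-0001", "reason": "providing care"},
    {"id": "a2", "user": "dr_lee", "time": "1997-03-11T23:30:00",
     "source": "home-modem", "record": "MRN-0007", "reason": "providing care"},
    {"id": "a3", "user": "dr_ng", "time": "1997-03-13T10:00:00",
     "source": "clinic-b", "record": "MRN-0002", "reason": "emergency"},
    {"id": "a4", "user": "dr_ng", "time": "1997-03-13T11:00:00",
     "source": "clinic-b", "record": "MRN-0003", "reason": "billing"},
]


def review_entry(entry: Dict[str, str]) -> List[str]:
    """Return the review criteria this access trips (empty list = unremarkable)."""
    flags: List[str] = []
    when = datetime.fromisoformat(entry["time"])
    # Claimed emergency need is always reviewed after the fact.
    if entry.get("reason") == "emergency":
        flags.append("claimed-emergency")
    # Any access to a flagged (e.g. celebrity) record.
    if entry["record"] in FLAGGED_RECORDS:
        flags.append("flagged-record")
    # Time or location out of the ordinary for this provider.
    profile = PROVIDER_PROFILE.get(entry["user"])
    if profile:
        start, end = profile["hours"]
        if not start <= when.hour < end:
            flags.append("unusual-time")
        if entry["source"] not in profile["locations"]:
            flags.append("unusual-location")
    # No recent appointment or referral linking provider and patient.
    key = (entry["user"], entry["record"])
    related = [d for d in (APPOINTMENTS.get(key), REFERRALS.get(key))
               if d is not None and abs(when - d) <= RECENT]
    if not related:
        flags.append("no-recent-appointment-or-referral")
    return flags


def review_trail(entries: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map entry id -> flags for every entry that should go to human review."""
    result: Dict[str, List[str]] = {}
    for entry in entries:
        flags = review_entry(entry)
        if flags:
            result[entry["id"]] = flags
    return result


if __name__ == "__main__":
    for entry_id, flags in review_trail(AUDIT_ENTRIES).items():
        print(entry_id, flags)
```

The false-positive rate the text warns about is visible in the output: the legitimate emergency access (a3) is still forwarded for review, which is the intended trade-off for override events.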

Physical Security of Communications, Computer, and Display Systems

Physical security entails appropriate controls to prevent unauthorized people from gaining access to an organization's information systems, including workstations, servers, and displays, so they cannot tamper with or derive information from the equipment. These controls can include such practices as positioning monitors and keyboards so they cannot be seen easily by anyone other than the user, or locating workstations that are used only intermittently (e.g., those in an examination room or an interview room near the main lobby) behind locked doors. Physical security is not a substitute for other security measures such as authentication and access control, but it can supplement these practices by limiting exposure of the information systems to unauthorized users.

The ability to implement strong physical security depends on knowledge of the inventory and configuration of communications and computing equipment in an organization so that appropriate controls can be implemented. For example, to manage internal network security properly, system managers must know the configuration, composition, and layout of network communications facilities within an organization so they can identify potential areas of vulnerability. These issues become especially important as the number of devices in a typical health care organization grows to tens of thousands and operational control over configurations, locations, connectivity, software census, and so forth becomes increasingly complex.

Physical security also requires that outdated computing equipment be disposed of properly.10 Given that the average time to turn over computing equipment in the rapidly evolving marketplace is between 1.5 and 3 years, the proper disposal of equipment, media, and other materials that contain confidential information is essential. Sending a machine to an external contractor for repair with a disk that contains patient-specific information raises potential security problems. Deleting all files on a disk without degaussing or "wiping" the surface11 leaves the contents of the disk intact for recovery by disk data structure analysis and reconstruction programs, potentially revealing confidential information previously stored on the disk. Similarly the disposal of backup tapes, floppy disks, and other media without degaussing can also lead to disclosure of confidential information.

10  

In one instance, a commercial typing service that had been under contract to a local hospital went out of business. Its computer disks eventually were offered for sale at a local second-hand merchant, complete with patients' medical information that had never been erased. See Flaherty, David H. 1995. "Privacy and Data Protection in Health and Medical Information," notes for presentation to the 8th World Congress on Medical Informatics, Vancouver, B.C., Canada, July 27 (available on-line at latte.cafe.net/gvc/foi/presentations/health.html).

11  

Degaussing refers to a procedure in which the magnetically recorded ones and zeros that are the physical embodiment of data stored on a disk are erased. Wiping refers to a procedure in which random bits are written over the deleted data several times. Neither degaussing nor wiping is typically performed when a file is deleted by the operating system (this is the basis for "undelete" commands that recover deleted files).

The committee found that most of the sites visited had moderate physical security in place for their information systems; one site had somewhat stronger practices. The machines that provide centrally controlled services—mainframes and other production servers—were identified, located in very secure settings, and well controlled at the sites the committee visited. This derives from historical concerns in information systems departments for central equipment. In the strongest sites, support included excellent commercial-grade secure machine rooms with card-key access, alternative power, redundant storage for key file systems, and backup server equipment.

Outside the main server areas, however, physical security was much more relaxed. In organizations with 20,000 workstations of various sorts distributed throughout wide-reaching work locations, it is nearly impossible to maintain close physical control over the location of equipment and the means by which it is accessed. This does not mean there is no effort aimed at the physical security of these machines in the sites visited, just that the problem is operationally very difficult. Control of equipment in inpatient clinical care settings was tighter than in outpatient settings, and the least control was exerted over machines in research areas. Even in clinical settings, it was often difficult to control access to workstations and terminals so that the demands of work flow did not impede information security. For example, configuring terminals so that authorized clinical staff have easy access may conflict with a configuration in which unauthorized people are unable to look at display content, sit at an abandoned logged-in terminal, or snoop output at printers or paper disposal containers.

To prevent unauthorized users from gaining access to machines that are left unattended while logged on (and to prevent employees from working at such machines under another employee's ID), many of the sites visited programmed their workstations to automatically log off or obscure screen contents after a specified period of time. Practices varied among locations within sites visited, depending on the set of applications accessible from a given workstation and the work flow within a particular setting. Computer terminals in nursing stations, for example, may typically wait longer before logging off than those in more accessible areas because nurses often need to walk away from terminals momentarily to check on patients or refer to other information. Workstations used by physicians for order entry may have to be programmed to log off more quickly, to prevent an unauthorized person from entering a false order. Some hospitals allow departments to adjust the log-off time within some specified parameters to fit in better with the needs of users. In several sites, log-in or screen-lock time-outs for unattended machines were eliminated or made very long for the convenience of busy clinical staff who did not want to bother with repeat authentication procedures.

Control of External Communication Links and Access

All of the sites the committee visited employ internal local area networks (LANs) to interconnect user client computers with information servers, and they often employ backbone links between multiple LANs within complex campuses or to connect LANs between geographically separate sites. Because physicians are mobile and need to access patient information from hospital and clinic sites and from home in off hours, external network or dial-up modem access is frequently provided as well. About half of the sites already have connections to the Internet, and those that do not are feeling pressures from providers and patients for Internet access.

Each type of external access to health care information resources poses possible security vulnerabilities that could compromise patient privacy. If a remote site uses weak authentication methods—enabling an intruder to easily pose as a trusted physician—and the remote network is connected directly to the information services of another site, the intruder can gain inappropriate access to confidential information. If a campus network is connected directly to the Internet (or to a widely distributed and open intranet), an intruder can install snooping software on an idle workstation and grab cleartext passwords or can exercise more sophisticated break-in scripts to exploit network service vulnerabilities and gain entry to confidential servers.

Although the committee's site visits did not reveal any substantial evidence of intrusions and misuse from this kind of external break-in, ample evidence at other commercial, academic, and government sites indicates that this threat is real and inevitable for health care organizations (see Chapter 3). Such unscrupulous intruders are often undeterred by ethical considerations or threats of audit trails; thus effective technical obstacles are necessary. The strong authentication and authorization technologies discussed above constitute a crucial element of prudent practice. Another important practice is to allow only few, well-defined, and very carefully monitored external access points to organization networks and information resources. One way to control external network access is to use firewall technologies.12 A firewall is basically a single focused point of entry for external users that can be configured and controlled to observe high security standards. This is done by requiring strong authentication and by allowing access only to trusted, essential services deemed necessary for organization business. Focusing access control efforts on a single firewall machine takes some of the burden away from having to fully secure many thousands of workstations otherwise accessible to outsiders. This is not to say that internal workstations should not be monitored and configured with secure software; rather, the firewall provides a more reliably effective first barrier to inappropriate entry.

12  

Cheswick, William R., and Steven M. Bellovin. 1994. Firewalls and Internet Security. Addison-Wesley, Reading, Mass. See also Chapman, D. Brent, and Elizabeth D. Zwicky. 1995. Building Internet Firewalls. O'Reilly & Associates Inc., Sebastopol, Calif.

A firewall normally sits between an internal trusted network and an external network connection either to the Internet or to an untrusted part of an intranet. In the most common configuration, a firewall consists of devices called a screening router and a bastion host. The screening router allows only messages from a specified list of trusted parties or locations to enter the system. Such requests are directed to the bastion host, which is configured securely to run only a limited set of trusted and necessary services for external users, for example, e-mail routing or remote terminal connections (with strong user authentication). Communication packets for authorized services are passed through "proxy" handlers in the firewall, which monitor packet types and sequences to give increased assurance of appropriate use. The router or firewall (1) should be configured to prevent users from making it appear as though they are trusted parties (in technical terms, it should prevent "spoofing") so that an outside workstation cannot appear to be an internal trusted workstation, (2) should prohibit unsafe connections (e.g., for the Network File Service protocol), (3) should prevent viewing internal Domain Name Service information (the host's Internet address information containing details about its internal network configuration), (4) should require direct console log-ins to control critical firewall system functions, and (5) should keep full audit trail information that cannot be modified once written.

Firewalls do not offer perfect protection; they are after all just another computer or software system. They may be vulnerable to so-called tunneling attacks, in which packets for a forbidden protocol are encapsulated inside packets for an authorized protocol, or to attacks involving internal collusion. Furthermore, firewalls check only the tags identifying various data packets, not the content of the packets being retrieved and, hence, depend on error-free organization of the domain they protect. Nevertheless they serve a useful purpose in focusing system administrators' attention on a smaller number of points of entry in a complex organization so as to control the most obvious kinds of attacks. Similar techniques can be used to control dial-up modem access to network services, again through the use of strong authentication techniques and limited service access.
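The screening-router half of the configuration above, expressed as an ordered packet policy, as an added example that is not code from the report or from any firewall product: it implements the anti-spoofing, unsafe-service and internal-DNS rules (items 1 to 3) and terminates all outside traffic at the bastion host; console-only administration and write-once audit (items 4 and 5) are host configuration rather than packet rules and are not modelled. The address ranges, port numbers and allowed-service list are assumptions.

```python
"""Screening-router policy in front of a bastion host (added example; the
addresses, ports and allowed-service list are assumptions)."""
import ipaddress
from dataclasses import dataclass
from typing import Tuple

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")      # assumed trusted network
BASTION = ipaddress.ip_address("192.0.2.10")           # assumed bastion address
# Trusted, essential services the bastion offers to outside users (assumed).
ALLOWED_INBOUND_TCP = {25: "smtp", 22: "remote terminal (ssh)"}
# Unsafe services the text says should be prohibited (NFS and its portmapper).
UNSAFE_PORTS = {111: "portmapper", 2049: "nfs"}
DNS_PORT = 53


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on: "ext" or "int"
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int


def screen(pkt: Packet) -> Tuple[str, str]:
    """Return ("accept" | "drop", rule that decided). Rules are ordered and the
    first match wins, so anti-spoofing is checked before any service rule."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    # (1) Anti-spoofing: an outside packet must not claim an internal address.
    if pkt.iface == "ext" and src in INTERNAL_NET:
        return "drop", "spoofed internal source on external interface"
    # (2) Unsafe connections are refused in both directions.
    if pkt.dport in UNSAFE_PORTS:
        return "drop", f"unsafe service {UNSAFE_PORTS[pkt.dport]}"
    if pkt.iface == "ext":
        # (3) Internal name-service information is not viewable from outside.
        if pkt.dport == DNS_PORT:
            return "drop", "internal DNS not exposed"
        # External traffic terminates at the bastion host only.
        if dst != BASTION:
            return "drop", "external traffic must terminate at bastion host"
        if pkt.proto == "tcp" and pkt.dport in ALLOWED_INBOUND_TCP:
            return "accept", ALLOWED_INBOUND_TCP[pkt.dport]
        return "drop", "service not on the bastion's allowed list"
    # Packets originating inside (e.g. bastion to the internal mail server)
    # pass; internal workstations still need their own controls, as the text notes.
    return "accept", "internal origin"


if __name__ == "__main__":
    samples = [   # constructed packets; 198.51.100.0/24 is a documentation range
        Packet("ext", "tcp", "10.1.2.3", "192.0.2.10", 25),
        Packet("ext", "tcp", "198.51.100.7", "192.0.2.10", 25),
        Packet("ext", "tcp", "198.51.100.7", "192.0.2.10", 2049),
        Packet("ext", "udp", "198.51.100.7", "192.0.2.10", 53),
        Packet("ext", "tcp", "198.51.100.7", "10.0.5.9", 25),
    ]
    for p in samples:
        print(p, screen(p))
```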


Network Control Technologies Observed on Site Visits

Based on the committee's site visit review, all sites were acquainted with the threats from external access, and almost all of those sites with Internet connections used effective firewall technology to control unauthorized users. Expert attention was not always given to these issues, though. One site claimed not to have an Internet connection but nevertheless was able to receive electronic mail from Internet sites. Sites without a current Internet connection had plans to install a firewall along with any future connection. In those sites with extensive network connectivity, even if firewall technologies were used, limited effort was applied to monitoring break-in attempts, even though system administrators acknowledged that break-ins were feasible.

Connections from remote organization networks were much less carefully managed: authenticated access to remote site networks was not ensured, yet once connected remotely, an intruder would have no problem connecting to any organization network or machine. Dial-up installations tended to use dated equipment and therefore provided little security protection against unauthorized use. One of the sites with quite up-to-date practices had a dial-in access system that uses commercially available cryptographic tools for user authentication; another site was experimenting with this technology. Some sites used a modem callback scheme, which offers improved security but may be subverted in some settings by not hanging up the line before callback. Also, in an era of portable laptop computers and increasingly mobile health care providers, it is very difficult to maintain callback lists adequately to allow bona fide access from needed sites. In the strongest sites, modem equipment was being upgraded to more modern and secure authentication technologies that do not depend on caller location, and old equipment normally was left inoperable unless specific arrangements were made for manual activation for a particular need (e.g., access by a remote service technician).

Network Control Technologies Not Yet Deployed in Health Care Settings

Firewall Technologies. More extensive use of firewall systems between geographically and administratively distinct sections of an organization intranet should become commonplace, along with more conscientious monitoring of firewall performance. Current firewall systems are often difficult to configure and maintain, however. Vendor refinement of these products should be strongly encouraged along with Internet and commercial research into improved tools to prevent and to detect misuse.

Wireless Communication Technologies. Only one site visited was experimenting with wireless communications for client computer access and had not put any service into routine use. That site fully recognized the security problems (e.g., interception of unencrypted transmissions) attendant on wireless systems. Another site is using satellite communication technologies to support telemedicine consultations and is taking the precautions of activating the links only during periods of operational use and of using encryption techniques to prevent unauthorized access. Wireless systems are expected to become much more commonplace in coming years, and adequate use of cryptographic tools, secure vendor products, and user-administrator education will be essential.

Independent Health Care Network. Just as firewall technology can help focus solutions to vulnerability concerns for organizational intranetworks in manageable interfaces, a national network dedicated to health care purposes would facilitate the security of health care information. The banking industry has developed an independent network over which most electronic financial transactions take place. Similarly, a number of government agencies concerned about security protection, such as the Department of Defense, Department of Energy, and National Aeronautics and Space Administration, also operate independent networks. To manage controlled access to health care information as time goes on, a dedicated health care network would focus interfaces with the Internet on controlled gateways and firewalls, offering a first line of protection under which individual health care organization networks could operate using additional access controls as appropriate. Because a network large enough to connect all players in the health care sector would connect a large part of the world, any such network also should be designed to use cryptographic and other information security technologies internally. The economics of such a network are clearly an important issue, but these may be mitigated because a dedicated network might merge naturally with communications systems being put in place for distributed organizational integration, telemedicine, and telecare.

Denial-of-Service Vulnerabilities. Computing systems are vulnerable to a variety of attacks that do not involve improper access to information content but deny access to services and information content to all users and hence render the system unusable for health care. Such denial-of-service attacks can be accidental or intentional and can take various forms, including disruption of environmental services (e.g., power, air conditioning, communications), exhaustion of system resources (e.g., memory, processes, file or swap disk space, access ports), or overloading of system services (e.g., high-speed pinging for network response, broadcast storms, setting up many partially opened connections, sending volumes of e-mail messages, fetching large numbers of Web pages). Protecting against such attacks is often difficult because they represent normal system usage carried to the extreme. Physical security of system resources and firewall protection for intranet access are both important steps, although the firewall itself is subject to service and resource overload attacks. Beyond that, system staff awareness and vigilance are essential, including the ability to identify the nature of a problem and trace the source to seek remedy. It is essential to keep up with community reports of vulnerabilities and solutions through agencies such as the CERT Coordination Center at Carnegie Mellon University.13
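An added example, not from the report, of the detection logic system staff need in order to identify one of the overloads listed above (many partially opened connections) and its apparent source. It runs over constructed netstat-style connection lines; the addresses, service ports and thresholds are assumptions.

```python
HALF_OPEN_STATES = {"SYN_RECV"}   # handshakes the server is still waiting for the client to finish

# Constructed netstat-style lines: one remote host leaves a dozen handshakes unfinished
# on the mail service, while two ordinary clients hold normal sessions (addresses assumed).
SAMPLE_CONNECTIONS = (
    [f"tcp 0 0 10.1.0.5:25 198.51.100.7:{40000 + i} SYN_RECV" for i in range(12)]
    + ["tcp 0 0 10.1.0.5:25 192.0.2.10:51000 ESTABLISHED",
       "tcp 0 0 10.1.0.5:22 192.0.2.11:51001 ESTABLISHED",
       "tcp 0 0 10.1.0.5:25 192.0.2.11:51002 SYN_RECV"]
)


def parse_connection(line):
    """Return (local_port, remote_host, state) for one TCP entry, or None for anything else."""
    fields = line.split()
    if len(fields) < 6 or fields[0] != "tcp":
        return None
    local_port = int(fields[3].rsplit(":", 1)[1])
    remote_host = fields[4].rsplit(":", 1)[0]
    return local_port, remote_host, fields[5]


def summarize(lines):
    """Per remote host: half-open versus established connection counts and the local services hit."""
    summary = {}
    for line in lines:
        parsed = parse_connection(line)
        if parsed is None:
            continue
        local_port, remote_host, state = parsed
        entry = summary.setdefault(remote_host, {"half_open": 0, "established": 0, "ports": set()})
        entry["half_open" if state in HALF_OPEN_STATES else "established"] += 1
        entry["ports"].add(local_port)
    return summary


def flag_half_open_flood(lines, per_source_limit=10, backlog_limit=50):
    """Name the problem (handshake-queue exhaustion) and its apparent sources.
    Sources are only 'apparent': the report notes that origin addresses can be spoofed,
    so a large backlog with no dominant source is still reported as a flood."""
    summary = summarize(lines)
    total_half_open = sum(e["half_open"] for e in summary.values())
    alerts = sorted((host, e["half_open"], sorted(e["ports"]))
                    for host, e in summary.items() if e["half_open"] > per_source_limit)
    if total_half_open > backlog_limit and not alerts:
        alerts.append(("<no dominant source: distributed or spoofed>", total_half_open, []))
    return alerts, total_half_open
```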

Encryption

Encryption technologies are the basis for many of the technological tools available to help secure computer-based information. Such technologies have received much attention in the popular press recently in terms of protecting Internet commerce, in terms of protecting the infrastructure of the Internet itself, and in terms of arguments for and against continued export control on products employing strong encryption tools.14 Encryption can serve a number of uses in health care settings, including the following:

  • Being the basis of strong user and computer authentication and access control;
  • Protecting stored information or on-line communications against snooping or eavesdropping;
  • Validating information content against unauthorized and undetected modification; and
  • Validating the origin and content of physician orders, or other critical transactions and documenting the fact that they took place through the use of digital signatures.

Two points should be noted about cryptographic technology. The first point is that security tools based on cryptography are still largely undeployed anywhere in the public computing industry, much less in health care. In the sites visited, the committee found almost no use of encryption technologies except in a few localized experimental settings for authentication of users of clinical information systems and in one telemedicine link using special commercial equipment to protect video transmitted by satellite channel. Neither secret-key nor public-key encryption was in routine use as a basis for authentication, to protect information sent over the network against snooping, to protect the contents of on-line databases, to validate information content and transactions (e.g., digital time stamps, cryptographic checksums, digital signatures, and nonrepudiation of orders), or to encrypt backup media against off-line tampering or access. Although all sites were generally aware of the existence of encryption technologies, these were not yet seen as essential parts of the needed information system infrastructure.

13  

The CERT Coordination Center is the organization that grew from the computer emergency response team formed by the Defense Advanced Research Projects Agency in November 1988 in response to the needs identified during the Internet worm incident. The CERT charter is to work with the Internet community to facilitate its response to computer security events involving Internet hosts, to take proactive steps to raise the community's awareness of computer security issues, and to conduct research targeted at improving the security of existing systems (see www.cert.org).

14  

Computer Science and Telecommunications Board, National Research Council. 1996. Cryptography's Role in Securing the Information Society. National Academy Press, Washington, D.C.

Despite the ready availability of much cryptographic technology and numerous specifications for incorporating it into operational services, very few users of modern distributed computing systems actually take advantage of cryptographic protections. Perhaps the most common active uses are in secure telephone systems using the Secure Telephone Unit-III (STU-III) specification (mostly by U.S. government agencies) and the Lotus Notes messaging and collaboration system used within limited corporate enterprises. A number of universities have set up Kerberos-based authentication systems based on software exported by MIT; some groups are using Zimmermann's Pretty Good Privacy system to authenticate and protect e-mail traffic; and there is some use of a product called Secure Sockets to protect sensitive World Wide Web communications. However, these are isolated and represent a very small fraction of the overall user population and traffic on intranets or the Internet. Thus, the lack of vendor-supported products in this area may be seen as a major impediment to more routine use.

The second point is that cryptography does not solve the security problem; cryptography transforms the access problem into a key management problem. (In other words, the problem of protecting a large volume of unencrypted information is transformed into the usually easier problem of protecting a much smaller volume of information, specifically the keys needed for encryption and decryption.) Much of the current discussion about commerce systems, legally binding digital document management, and strong authentication centers on the problems of secure and certified key management. The foundation of strong, public-key-based user authentication is an infrastructure system by which unforgeable certificates are issued with public keys that are trusted and ensure that a key is associated with the stated person. This certificate authority acts much like a notary public in the signing of conventional legal documents, where the notary seal certifies that the document signature was performed at an indicated time and place by an identified person. The analogue to a notary in digital authentication is a "certification authority"—some third party that signs a certificate containing the user's identity and public key. In turn, the third party's key must be signed by a higher-level certification authority. This process of signing higher-level certificates continues until one reaches a trusted certificate known to everyone. Only a few examples of key management systems exist today, such as the military telephone communications system using STU-III, Lotus Notes, campus Kerberos deployments, and beginning experiments with public-key systems in Internet commerce (e.g., MasterCard-Visa). For Internet commerce, the banking system is stepping forward to attempt to provide this function. In a broader setting, it has been suggested that the federal government establish a certification authority system, perhaps administered by the U.S. Postal Service or the Social Security Administration, but these are only postulated mechanisms at this point. As the scope of key management services grows, trust in the integrity of key assignments tends to diminish, and the problems of revocation in the case of key compromise become much more difficult. However this key certification function is carried out, it is an essential part of the necessary infrastructure for public-key authentication and digital signature systems and for the economical development of commercially supported, trusted security tools based on these technologies. The technical community has only begun to demonstrate workable, trusted systems using modern cryptographic tools.
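The chain of certification authorities and the digital signing of a physician order described above, as an added example that is not part of the report: a certificate issued for a physician is signed by a hospital authority, whose certificate is in turn signed by a root authority that verifiers already trust, and an order is accepted only when its signature checks under a key that chains to that root. The CA names, the order text and the toy textbook RSA construction (Python integers, no padding) are all assumptions for illustration; a deployed system would use a vetted library.

```python
import hashlib
import json
import random

# Toy textbook RSA on Python integers (no padding, small keys) so this runs on the
# standard library alone. All names, keys and the order text are constructed.

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits=512):
    """Return (public, private) as ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and ((p - 1) * (q - 1)) % e != 0:
            break
    phi = (p - 1) * (q - 1)
    return (p * q, e), (p * q, pow(e, -1, phi))

def _digest(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(private, message):
    n, d = private
    return pow(_digest(message), d, n)

def verify(public, message, signature):
    n, e = public
    return pow(signature, e, n) == _digest(message)

def _cert_body(subject, public, issuer):
    return json.dumps({"subject": subject, "n": public[0], "e": public[1],
                       "issuer": issuer}, sort_keys=True).encode()

def issue_certificate(subject, subject_public, issuer, issuer_private):
    """The certification authority (the 'notary') signs the binding of a name to a key."""
    signature = sign(issuer_private, _cert_body(subject, subject_public, issuer))
    return {"subject": subject, "public": subject_public, "issuer": issuer, "signature": signature}

def _signed_by(cert, signer_public):
    body = _cert_body(cert["subject"], cert["public"], cert["issuer"])
    return verify(signer_public, body, cert["signature"])

def verify_chain(chain, trusted_roots):
    """chain[0] is the user's certificate; each one must be signed by the next,
    and the last must be a self-signed root whose key is already trusted."""
    for cert, issuer_cert in zip(chain, chain[1:]):
        if cert["issuer"] != issuer_cert["subject"] or not _signed_by(cert, issuer_cert["public"]):
            return False
    root = chain[-1]
    return (trusted_roots.get(root["subject"]) == root["public"]
            and root["issuer"] == root["subject"] and _signed_by(root, root["public"]))

def verify_order(order, signature, chain, trusted_roots):
    """Accept an order only if its signature checks under a key that chains to a trusted root."""
    return verify_chain(chain, trusted_roots) and verify(chain[0]["public"], order, signature)

def build_demo():
    """Root CA -> hospital CA -> physician certificate, plus a rogue CA nobody trusts."""
    root_pub, root_priv = generate_keypair()
    hosp_pub, hosp_priv = generate_keypair()
    doc_pub, doc_priv = generate_keypair()
    rogue_pub, rogue_priv = generate_keypair()
    root_cert = issue_certificate("Health Root CA", root_pub, "Health Root CA", root_priv)
    hosp_cert = issue_certificate("Example Hospital CA", hosp_pub, "Health Root CA", root_priv)
    doc_cert = issue_certificate("Dr. A. Example", doc_pub, "Example Hospital CA", hosp_priv)
    rogue_root = issue_certificate("Rogue CA", rogue_pub, "Rogue CA", rogue_priv)
    rogue_doc = issue_certificate("Dr. A. Example", doc_pub, "Rogue CA", rogue_priv)
    order = b"Patient 0000: amoxicillin 500 mg PO q8h x 7d"   # constructed order text
    return {"order": order, "signature": sign(doc_priv, order),
            "chain": [doc_cert, hosp_cert, root_cert], "rogue_chain": [rogue_doc, rogue_root],
            "trusted_roots": {"Health Root CA": root_pub}}
```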

Software Discipline

Computer software is at the core of health care information system functionality—whether network communications tools, operating systems, database systems, user interface tools, back-office operations programs, administrative and clinical applications programs, word processing systems, electronic mail systems, World Wide Web (WWW) browsers, or information retrieval tools. The proper functioning and integrity of computer software used by the organization is one of the key pillars of maintaining health care information integrity, availability, and access control. Many of the pre-scripted attacks used by Internet intruders simply exploit bugs in operating system or network service software on various machines to gain unauthorized entry. Uncontrolled system software on machines in the organization may introduce viruses (programs that propagate themselves within distributed computing environments and can cause damage or interfere with operations); Trojan horses (programs that on the surface perform a legitimate function but which also or instead compromise confidential information such as passwords or provide special easy access paths for unauthorized persons); or programs that perform unauthorized functions in organizational environments (e.g., eavesdropping on cleartext network communications, interfering with network or system operations, copying displayed information to files or e-mail messages).

One of the most effective countermeasures is employee education. Most users are motivated by sound ethical principles but may not realize that when they bring a new program onto their machine from a friend or Internet site, the program may be contaminated with a virus or Trojan horse. Other ways of managing organizational software content include controlling the loading of unauthorized software by disabling floppy and CD-ROM drives on individual workstations; forcing workstations to obtain applications they run from organizational servers whose content is closely controlled; running software census programs that record versions, configurations, and cryptographic checksums of software loaded on distributed machines (e.g., using the program tripwire); scanning machines on the organizational network for unauthorized active service ports (e.g., using the SATAN script collection15); and prohibiting or logging all file transfers from outside the organization (e.g., through the file transfer protocol or WWW protocols). In general, it is dangerous to offer network services that are not needed and that do not perform an identified valuable function for organizational operations. Whenever a new service is enabled (for example, a new network service or some of the newer distributed software technologies such as Java and other component-based systems), testing should be extremely thorough and careful, and conducted in networking environments that are well monitored and isolated from the overall organization until confidence in proper function is established. New component-based software tools may both facilitate the more effective organizational management of distributed software and introduce new ways to bypass system administrator security controls. Adopting widely supported and tested standards wherever possible is to be desired.

15  

SATAN stands for Security Administrator Tool for Analyzing Networks and is a testing and reporting tool that collects a variety of information about networked hosts by examining network services. It can report data, investigate potential security problems (with a simple rule-based system), and provide pointers to patches or workarounds. In addition to reporting vulnerabilities, SATAN gathers general network information (network topology, network services run, types of hardware and software being used on the network). SATAN has an exploratory mode that allows it to probe hosts that have not been explicitly specified, thus making it a potential tool for attackers. For more information see ftp://info.cert.org/pub/cert_advisories/CA-95%3A06.satan.

Software Control Technologies Observed on Site Visits

As in other areas, with the rapidly evolving computing environments of today's health care organizations and the integration of many modern and legacy information systems, there is little uniformity in the control of software systems, and few vendor tools exist to help with this problem. Controls over system software were most rigorous in closed, centrally managed mainframe and server systems and became much more relaxed in more decentralized and loosely affiliated groups. In some sites visited, the committee observed that local workstation floppy drives had been disabled to prevent unauthorized software loading. In general, this was done incompletely, however, and in one site the administrators claimed that drives had been disabled but site visitors were able to mount a floppy disk on a machine in a public area. Another of the sites regularly runs a network software census program to keep track of what software (by name at least) is running on each workstation in the organization. None of the sites visited audited installed software to determine if unauthorized changes had occurred. Also, whereas most sites have experienced problems in the past with imported software viruses, no site regularly runs antivirus software across systems to prevent problems. Rather, antivirus software is used after the fact to clean up virus problems once they are detected. Most sites are wary of the general use of Web-related tools because these make software loading from network sites a matter of clicking a mouse button. In those sites running Web software with Internet connectivity, none has disabled downloading external files by internal personnel; they depend entirely on employee ethics, knowledge, and good judgment to protect software resources.

The weakest practices observed by the committee included essentially uncontrolled software content for workstations, especially in open research areas. At least one incident has been reported in which a student intern loaded break-in scripts onto an internal workstation and experimented with them (causing no apparent damage), but no routine software census procedures have been put in place even after this incident.

Software Control Technologies Not Yet Deployed in Health Care Settings

Industrial, academic, and government organizations all face major problems in managing software systems across distributed computing environments. For the longer term, the committee recommends strong support for the development of standards and the deployment of vendor-supplied tools for organizational integration of secure distributed computing. Candidates for infrastructure elements of such a suite of tools include OSF's Distributed Computing Environment (DCE), the Object Management Group's Common Object Request Broker Architecture (CORBA), secure World Wide Web access management tools, and the Java component-based Web browser extension technology. Desirable capabilities should include uniform client-server authentication tools, access control lists for authorization, encryption of all data messages, and use of digital signature and content validation tools so that trusted software can be used within reliably secure networked domains.

System Backup and Disaster Recovery Procedures

Despite the increased reliability of modern computing systems using technologies such as high-density integrated circuits, improved packaging techniques, and high-capacity storage media, operational systems do fail. Processors, memory, and disks sometimes fail; software occasionally runs amok; environmental failures such as power outages, floods, and earthquakes regularly occur; and users sometimes delete important files accidentally. To guard against these outages and losses, alternative power sources and processing facilities must be provided for the most critical systems, and up-to-date system file backups must be performed and media kept secure. Good practices to cover for these kinds of failures have been in place for decades, and lower-cost systems and peripheral equipment have made redundancy and backup more convenient and effective than ever.

System Backup Procedures Observed on Site Visits

In its site visits, the committee found excellent practices generally in place for centrally managed mainframe and server systems. At the strongest sites, an inventory of critical systems was in place along with an evaluation of the maximum outage that can be sustained for various information resources without affecting health care. This evaluation is used as the basis for guiding the purchase of redundant processing facilities and their location within campus sites unlikely to be affected simultaneously by any but the most disastrous environmental failures. Full system backups are done regularly and the content is stored at multiple sites to protect against destruction of a single focused site. Routine drills are run to practice switching from hypothetically damaged operational facilities to backup facilities and to restore damaged information in the event of peripheral storage failure. The strongest sites also have redundant network communications facilities in place, routed independently so that environmental or mechanical accidents (e.g., backhoe damage during construction) do not interrupt vital links beyond tolerable periods.

Backup procedures, redundant facilities, and practice drills are much less common in more decentralized and loosely affiliated equipment sites. Often, personal workstations are dependent on users themselves for regular backup, a procedure frequently forgotten in the press of routine work activities. As indicated above, almost no attention is paid in current operations to protecting the content of backup media against snooping, other than physical security in the strongest sites: intruders would have to enter a physically locked facility to steal tape copies of backup information. There is no use of encryption technologies or cryptographic checksum technologies to protect backup stores against snooping or theft or to detect points at which unauthorized modifications might have been made to software or other file system content.

System Backup Procedures Not Yet Deployed in Health Care Settings

One of the key future technological challenges comes from needing to back up increasingly large file systems; often these contain terabytes of information (1 terabyte = 10^12 bytes) when radiological image data are stored on-line. Off-line or mirrored storage is still relatively expensive, and the long time required to fully back up such large file stores means that times between full dumps increase. Systems that use time-stamped incremental backups will have to become routine.

System Self-Assessment and Attention to Technological Awareness

Concerns about computer security have been voiced for decades—historically most loudly in areas of national security and business—and procedural and technological solutions have been worked out for all but the most assiduous kinds of attacks. More recently, with the growth of the Internet and distributed computing, these issues have been felt more broadly, and a whole new class of problems centered on powerful new means of remote access to computers of all kinds has raised additional security challenges. Again procedural and technological solutions have been devised that offer prudent protection but recognize that concerted, directed, professional attacks on almost any computer facility will likely succeed despite the most rigorous protection. However, these "prudent practice" solutions have not been adopted uniformly, partly because the number of affected computers has grown exponentially and partly because people responsible for these systems are not trained to select and apply these solutions or are unable to enforce workable solutions within an organization.


In 1988, the Defense Advanced Research Projects Agency began funding a computer emergency response team (CERT Coordination Center) at Carnegie Mellon University as a national resource for collecting information about Internet security problems and disseminating solutions. However, this dissemination process has been slow and spotty; for example, a recent CERT summary alert (CERT Summary CS-96.02) lists seven general areas of vulnerability:

  1. Compromised system administrator privileges on systems that are unpatched or running old OS versions;
  2. Compromised user-level accounts that are used to gain further access;
  3. Packet sniffers and Trojan horse programs;
  4. Spoofing attacks, in which attackers alter the address from which their messages seem to originate;
  5. Software piracy;
  6. Send-mail attacks; and
  7. Network File System and Network Information System attacks and automated tools to scan for vulnerabilities.16

The existence of many of these problems, and of solutions for them, was known as long as 3 to 4 years ago, yet systems are still in operation that do not employ the necessary safeguards. Much has been written in other forums about procedures for managing systems safely in modern networked environments.17

16  

Network File System, or NFS, is an Internet protocol (defined in RFC 1094; available online at http://ds.internic.net/rfc/rfc1094.txt) for remote access to shared file systems across networks. Several vulnerabilities exist in the NFS protocol that allow intruders to gain privileged system access, unless the ports used by NFS are protected by a firewall and other techniques, and care is taken to share file structures only among trusted hosts. Network Information Service, or NIS, is used among Sun computer systems for the administration of network-wide databases. A vulnerability exists in early versions of NIS that allows unauthorized users to obtain a copy of the NIS maps from a system running NIS. The remote user can attempt to guess passwords for the system using NIS password map information that might be obtained in this way.

17  

See, for example, Holbrook, P., and J. Reynolds (eds.), 1991, "Site Security Handbook," IETF RFC 1244, July; a draft revision dated June 1996 is under review (see http://www.ietf.org/html.charters/ssh-charter.html). See also Garfinkel, Simson, and Gene Spafford, 1996, Practical UNIX and Internet Security, 2nd edition, O'Reilly and Associates Inc., Cambridge, Mass.; Cheswick, William R., and Steven M. Bellovin, 1994, Firewalls and Internet Security, Addison-Wesley, Reading, Mass.; Khanna, Raman (ed.), 1993, Distributed Computing: Implementation and Management Strategies, Prentice-Hall, Englewood Cliffs, N.J.; and Neumann, Peter, 1995, Computer Related Risks, Addison-Wesley, Reading, Mass.


Although only limited network intrusions have been detected to date in the health care settings visited by committee members, this occurrence is very common in other settings—commercial, academic, and government. Because health care organizations are moving rapidly toward network-based distributed computing systems (as stated above, one organization already has more than 20,000 workstations in its network system), the committee believes strongly that it is prudent for health care settings to adopt good practice in evaluating system threats and vulnerabilities. Steps that should be taken include aggressively staying current with standards and technologies for security management and with the vulnerability experiences reported by other sites (e.g., through the CERT Coordination Center registry). A health organization-focused CERT-like group would provide a focal point for collecting and coordinating the dissemination of information about security problems and solutions. Such a forum would also serve to educate and share experiences among managers, administrators, and technical personnel and even to promote the establishment of standards for technology and procedures across health care organizations.

Sites should continuously appraise their system architectures, hardware and software technologies, and procedures to eliminate outdated components and practices in favor of more effective solutions. Sites should regularly exploit the same tools that intruders use to probe vulnerabilities in their systems, including network service script sets such as SATAN and password-cracking programs, and they should routinely use software protection tools such as virus detection software and software checksum protection (e.g., tripwire).
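The software census with cryptographic checksums recommended in the Software Discipline section above and again here (tripwire-style checksum protection), as an added example that is neither from the report nor from tripwire itself: a baseline of SHA-256 checksums is sealed with an HMAC so that a tampered baseline is rejected, then compared against the current file system to report modified, added and removed files. The directory contents, file names and sealing key are constructed for the example.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def take_census(root):
    """Record checksum and size of every regular file under root, keyed by relative path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): {"sha256": hash_file(p), "size": p.stat().st_size}
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal_baseline(census, key):
    """Serialize the baseline with an HMAC so a silently altered baseline is not trusted.
    The key (and ideally the sealed baseline) should be kept off the audited machine."""
    body = json.dumps(census, sort_keys=True)
    mac = hmac.new(key, body.encode(), "sha256").hexdigest()
    return json.dumps({"census": body, "mac": mac}).encode()


def open_baseline(sealed, key):
    """Return the baseline census, or raise ValueError if the seal does not verify."""
    wrapper = json.loads(sealed)
    expected = hmac.new(key, wrapper["census"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, wrapper["mac"]):
        raise ValueError("baseline integrity check failed")
    return json.loads(wrapper["census"])


def compare_census(baseline, current):
    """Classify changes since the baseline for an administrator to review."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after
                           if baseline[p]["sha256"] != current[p]["sha256"]),
    }


def _write(root, rel, data):
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def demo():
    """Constructed workstation image: baseline it, then simulate unauthorized changes."""
    root = Path(tempfile.mkdtemp())
    key = b"constructed-offline-key"
    _write(root, "bin/login", b"approved login program v1\n")
    _write(root, "bin/ls", b"approved ls program v1\n")
    _write(root, "doc/readme.txt", b"approved workstation image v1\n")
    sealed = seal_baseline(take_census(root), key)
    # Later: one program altered without authorization, one unapproved program added,
    # and one documented file deleted.
    _write(root, "bin/login", b"login program altered without authorization\n")
    _write(root, "tmp/unapproved", b"program not in the approved image\n")
    (root / "doc/readme.txt").unlink()
    report = compare_census(open_baseline(sealed, key), take_census(root))
    # A forged baseline (here, one path renamed inside the sealed copy) must be rejected.
    wrapper = json.loads(sealed)
    wrapper["census"] = wrapper["census"].replace("bin/ls", "bin/sl")
    try:
        open_baseline(json.dumps(wrapper).encode(), key)
        report["forged_baseline_rejected"] = False
    except ValueError:
        report["forged_baseline_rejected"] = True
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```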

System administrators at most of the sites visited by the committee were broadly aware of these practices but, except for one site, did not have them in place in any operational sense. System groups tended to react in response to perceived or detected problems rather than to maintain proactive vigilance. Sites with the weakest practices simply discounted this class of threats or placed it at such low priority that no financial or staff resources were allocated to deal with it. It is unlikely that such sites would even know if intrusions into their systems had occurred.

Site Visit Summary

Table 4.2 summarizes the various security tools, operations, and procedures the committee observed at the six health care sites visited. A check mark indicates that the security feature is actively supported at that site with state-of-the-art technologies and operational practice in such a way that the site could serve as an example for others to follow. Absence of a check mark means that the site pays only minimal attention to the given security feature or, in the opinion of the site visit team, could have made significantly more effective use of existing, proven technologies and practices. These judgments may differ from those of individual site managers and system administrators, who judge the need for a particular precaution on the basis of the perceived threat (or lack of it) within the organization. These security considerations are focused on preserving information confidentiality within provider organizations and do not address the problems of unrestricted use of information (e.g., for data mining) after it has passed, with consent, outside the provider organization to secondary payers or to other stakeholders in the health information services industry.

TABLE 4.2 Summary of Security Tools and Practices Observed During Site Visits (columns for Sites A through F; the per-site check marks do not survive in this text, so only the security features assessed are listed, grouped by category)

Authentication
    Individual user IDs and passwords
    Token-based authentication (e.g., token plus password)
    Change passwords often
    No unencrypted passwords
    Uniform user IDs across organization
    Incentives to reduce key sharing

Access Control
    Need to know, right to know
    Access control list technology and management
    Role-based access profiles
    Access overrides for emergencies

Audit Trails
    Audit trails and self-audit
    Software-based audit analysis

Physical Security
    Terminal security
    Security perimeter, network layout
    Network physical security
    Server physical security
    Secure destruction of obsolete data or equipment

Control of Links
    Firewall
    Dial-in protections
    Mobile access protection
    Intruder script protection
    Control Internet Protocol addresses

Encryption
    Cryptography-based authentication
    Encrypt network traffic
    Encrypt database contents
    Digital signatures
    Document integrity
    Transaction nonrepudiation
    Encrypt backup media

Software Discipline
    Use antivirus technology
    Checksum, validate software
    Control user software
    Control PC software loading
    Network software census
    Integrated software tools

Backup and Disaster Recovery
    Backups, multiple storage sites
    Data content integrity
    Operations recoverability

System Self-Assessment Evaluation, Staying Technically Current
    Run anti-intrusion programs
    Vulnerability evaluation
    Stay up on CERT alerts
    Avoid or update obsolete technologies

Key Issues In Using Technology To Protect Health Information

In addition to securing health information systems, as described above, technical tools can play a role in protecting patient privacy by facilitating or impeding the distribution of health information. While advanced computing and communications technology, in general, facilitates the dissemination of health information, technologies exist that can help limit unauthorized or inappropriate distribution of health information. Such technologies include patient identifiers and other approaches for linking records contained in disparate databases, as well as rights management technologies for limiting secondary distribution of health information.

Patient Identifiers and Techniques for Linking Records

Developing robust methods of indexing and linking patient records is critical to ensuring that providers have reliable data on which to base medical decisions.18 Patient-specific health care information must be bound uniquely and unambiguously to the person to whom it relates through the use of an identifying label such as a medical record number. To ensure that the identifier is unique, organizations must prevent assignment of the same number to two different patients; to ensure that it is unambiguous, organizations must prevent indexing of any single patient's records by two or more different numbers. Otherwise it may be difficult to find all the data associated with a person.

18  

Within the computer science community, data integrity and availability are considered an integral element of system security. See Computer Science and Telecommunications Board, National Research Council. 1991. Computers at Risk: Safe Computing in the Information Age. National Academy Press, Washington, D.C.

In a traditional health care environment, each organization—whether a hospital, a physician's office, or a pharmacy—generates its own identifier for each new patient. That identifier is used for all transactions involving the patient and provider, but the identifier is different for each organization. Names and addresses are generally inadequate as unique identifiers because they are not necessarily unique within large populations of patients. As a result, health care organizations have developed other mechanisms for generating patient identifiers. Some assign patient numbers sequentially; as new patients register with the hospital, physician, or insurer, they are assigned the next number in sequence. Other organizations use the Social Security number (SSN), relying on the Social Security Administration to ensure that numbers are assigned uniquely and unambiguously.19 Still others have their own specific algorithms for generating numbers. One site visited for this study generated identifiers from the patient's first and last names, year of birth, and gender using an algorithm developed for generating driver's license numbers. An extra "tie breaker" digit is used to differentiate between multiple patients with otherwise identical numbers.

Administering patient identifier systems can be a cumbersome task, especially in organizations with large patient populations. Patients change addresses frequently or report their names differently (using a nickname versus a full name or a maiden name instead of a married name); this makes it difficult to use demographic information to determine whether two records with different numbers actually belong to the same patient. As health care systems merge into larger enterprises and integrated delivery systems, they increasingly face the problem of integrating and linking records from organizations that used incompatible identifier systems. Each of the sites the committee visited is concerned with the problem of managing unique and consistent patient identifiers within its enterprise.

One proposal for addressing this difficulty is to assign each patient a universal identifier to be used throughout the health care system. The Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) directs the Secretary of Health and Human Services to promulgate standards for a universal health identifier by February 1998. The proposed identifier would be assigned to each patient, employer, health plan, and health care provider in the United States. One candidate for the universal health identifier is the Social Security number. Use of the SSN appears to have many potential advantages: it is already the basis for the medical record number in many organizations (including Medicare) or is elsewhere contained in the medical record, and a system already exists for assigning numbers. Use of the SSN as a universal patient identifier, however, raises the concern that it might facilitate linking of medical records with other types of records that are also referenced by SSN, such as Social Security, employment, financial, and driving records.

19  

Not all Social Security numbers are unique or assigned unambiguously. There are an estimated 4 million to 12 million false, invalid, or ambiguously assigned numbers in the current system, although improvements in management of the SSN continue to reduce the rate of error.

To circumvent this problem, it may be possible to use a system in which individuals have different unique identifiers to index information about them in different domains such as health care, banking, and insurance. Thus, Social Security records could continue to be indexed by SSN, but driving records would use a different numeric scheme, as would medical records, educational history, and so forth. Someone who desires to collate these disparate data sets would find that they contain no convenient shared identifier. Collation would depend on the presence of other distinguishing data in each database, perhaps including name, address, and birthdate. Because each database is likely to contain different subsets of such data and because none of them alone is enough to identify someone uniquely, the collation process would be fraught with greater uncertainties, and would be more difficult and costly. Linking information between domains would require an overt act to translate different identifiers; however, those organizations with legitimate needs to link data could routinely collect the data necessary to create the links without requiring a universal identifier, though possibly at greater expense.

Cryptographic methods allow many other variations in identification schemes. The British Medical Association, for example, is encouraging adoption of an identifier scheme wherein the patient's identifier at any institution is computed from public information about the individual (name, part of the postal code, and date of birth) combined with a secret identifier unique to the institution.20 Other options include the use of temporary pseudonymous identifiers for tracking independent pieces of data such as laboratory results.
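The following Python script is an added example, not code from the report or from the BMA, showing the general construction behind both of the preceding paragraphs: a per-institution (or per-domain) secret combined with public attributes through a keyed hash (HMAC-SHA256), so the same person receives unrelated identifiers at different institutions and nobody without the secrets can compute the link. The exact BMA algorithm, the attribute normalisation rules and the identifier length are assumptions.

```python
"""Per-institution patient identifiers derived with a keyed hash (added example).
Public attributes (name, part of the postcode, date of birth) are combined with
a secret that only the institution holds."""
import hashlib
import hmac
import secrets
import unicodedata


def new_institution_secret():
    """Each institution (or each domain: health care, banking, driving records, ...)
    generates and keeps its own secret; without it that domain's identifiers
    cannot be recomputed from the public attributes."""
    return secrets.token_bytes(32)


def _clean(text):
    """Fold case, strip accents and drop punctuation/whitespace so that
    "O'Brien" and "o brien", or "1960-04-05" and "19600405", agree."""
    folded = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return "".join(ch for ch in folded.lower() if ch.isalnum())


def normalize(name, postcode_part, dob):
    """Canonical form of the public attributes that go into the identifier."""
    return "|".join([_clean(name), _clean(postcode_part), _clean(dob)])


def institution_identifier(institution_secret, name, postcode_part, dob):
    """The identifier used at one institution for this person.
    16 hex characters (64 bits) keeps it short for display; keep the full
    digest where collision margin matters more than length (assumption)."""
    message = normalize(name, postcode_part, dob).encode()
    return hmac.new(institution_secret, message, hashlib.sha256).hexdigest()[:16]


def demo():
    """Constructed scenario: one patient, two institutions with separate secrets."""
    hospital = new_institution_secret()
    clinic = new_institution_secret()
    patient = ("Jane O'Brien", "CB2", "1960-04-05")
    same_patient_retyped = ("  jane o brien ", "cb2", "19600405")
    return {
        "hospital_id": institution_identifier(hospital, *patient),
        "hospital_id_retyped": institution_identifier(hospital, *same_patient_retyped),
        "clinic_id": institution_identifier(clinic, *patient),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

Because the secret never leaves the institution, an outside party holding a record keyed by one institution's identifier cannot derive the identifier used anywhere else, which is exactly the overt translation step the text describes.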

Many managed care organizations and integrated delivery systems are addressing the records-linking problem by developing master patient indexes. Such systems allow records at each affiliated institution to retain their original identifiers, but generate an overall index listing the various numbers by which each patient's records are referenced in different institutions. Several companies now offer a service for creating master patient indexes for health care organizations. Typically, they use demographic data and incident information to link patient records across the enterprise and can determine unambiguously the patient to whom all but a small percentage of existing patient records refer.

20  

See Anderson, Ross J. 1996. "An Update on the BMA Security Policy," Notes of the Workshop on Personal Information Security, Engineering and Ethics, University of Cambridge, England, June 21-22.

Another approach to linking records across disparate organizations is to rely not on a particular number but on a limited set of specific patient attributes. One experimental system that is taking this approach allows providers in the emergency rooms of three Boston area hospitals to query each other's clinical databases for information about patients.21 Because the three hospitals have their own patient identifier systems, the experimental system uses four attributes to search for related records: first name, last name, date of birth, and gender. Each system returns only unambiguous matches to the requester. In its present form, this system may not be feasible for linking larger numbers of records over a larger number of organizations, but it does highlight the possibility that additional research may yield innovative ways of linking records that do not rely on a single, universal identifier (see Chapter 6, Recommendation 5).
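The lookup rule just described, as an added Python example that is not the experimental system's own code: each hospital keeps its own local identifier, a query carries only the four attributes, and a hospital answers only when exactly one of its records matches. The record layout, normalisation rules and sample data are constructed assumptions.

```python
"""Cross-institution record lookup on a fixed attribute set (added example).
Ambiguous matches are withheld rather than guessed, and every query is logged."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    local_id: str   # the hospital's own patient number, never shared
    first: str
    last: str
    dob: str        # ISO date, e.g. "1950-01-02"
    gender: str
    summary: str    # clinical content released only on an unambiguous match


def _key(first, last, dob, gender):
    """Canonical comparison key: case- and whitespace-insensitive names,
    one-letter gender code, date left as-is."""
    return (first.strip().lower(), last.strip().lower(), dob.strip(),
            gender.strip().upper()[:1])


def lookup(records, first, last, dob, gender):
    """One hospital's answer: the single matching record, or None when zero
    or several records match."""
    wanted = _key(first, last, dob, gender)
    hits = [r for r in records if _key(r.first, r.last, r.dob, r.gender) == wanted]
    return hits[0] if len(hits) == 1 else None


def federated_query(hospitals, first, last, dob, gender, audit_log=None):
    """Send the four attributes to every hospital and gather only unambiguous
    answers.  Each query is appended to audit_log (when given) for accountability."""
    answers = {}
    for name, records in hospitals.items():
        hit = lookup(records, first, last, dob, gender)
        if audit_log is not None:
            audit_log.append((name, first, last, dob, gender, hit is not None))
        if hit is not None:
            answers[name] = hit
    return answers


# Constructed sample data: three hospitals with unrelated local identifiers.
HOSPITALS = {
    "Hospital 1": [
        Record("H1-0001", "John", "Smith", "1950-01-02", "M", "allergy: penicillin"),
        Record("H1-0002", "Mary", "Jones", "1962-07-19", "F", "asthma"),
    ],
    "Hospital 2": [  # two John Smiths with the same birth date: ambiguous, withheld
        Record("000731", "John", "Smith", "1950-01-02", "M", "hypertension"),
        Record("004412", "JOHN", "SMITH", "1950-01-02", "M", "diabetes"),
    ],
    "Hospital 3": [
        Record("MRN-98", "John", "Smith", "1950-01-03", "M", "fracture"),  # different DOB
    ],
}


def demo():
    """Query all three hospitals for one patient; return answering hospitals and the log."""
    log = []
    answers = federated_query(HOSPITALS, "john", "smith", "1950-01-02", "male", log)
    return {name: rec.local_id for name, rec in answers.items()}, log


if __name__ == "__main__":
    ids, log = demo()
    print("answers:", ids)
    for entry in log:
        print("queried:", entry)
```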

Control of Secondary Users of Health Care Information

From a technical perspective, the problem of controlling the use of information among secondary users is analogous to the problem of controlling intellectual property rights for vendors of on-line publications and other valuable information. Instead of wanting to ensure payment for information access, however, health care organizations want to authenticate, authorize, and record who accessed what information and for what reason in the health care setting. One approach to this type of control may be to pursue adaptations of rights management technologies being developed to manage intellectual property rights.22 Such software controls would operate internally within provider organizations and also externally, as records pass to payers and other secondary users. The essential elements of a rights control system include the following:

  • Chunks of information (components of the patient record, including text, laboratory results, and images) to be transmitted outside the organization are encrypted by a server within a health care provider's information system. The encryption is designed so that the information can be accessed only by special software (possibly a Java "applet") with an encryption key supplied by the server on receipt of properly authenticated user credentials.
  • Potential users authenticate themselves through one of the public-key schemes and present authorization credentials for access to an appropriate part of the record. Types of access might include viewing demographic information only; viewing details of the most recent provider visit; viewing the full patient record except for potentially sensitive areas; or viewing, printing, and copying the entire record. Each access request would be logged to ensure accountability, and the software would destroy the access key after each use so that subsequent uses require reauthentication.
  • The user downloads special access software from the provider (or trusted third party) that contains a key to decrypt the document upon authentication and tracks the use of portions of the document according to authorized privileges. Viewing software must be secure against tampering, and the system must make it difficult to implement work-arounds, such as "screen scraping" and core dump analyses, that would give users uncontrolled access to the decrypted material. Some workers in this field have gone so far as to propose that this approach could succeed only in the context of closed "network appliance" machines to which the user would have no access for software reconfiguration. If the encrypted document were sent to other users, they could access it only with the viewer application supplied by the provider, which would require new authentication and authorization before allowing access.

21  

Kohane, Isaac S., F.J. van Wingerde, James C. Fackler, Christopher Cimino, Peter Kilbridge, Shawn Murphy, Henry Chueh, David Rind, Charles Safran, Octo Barnett, and Peter Szolovits. 1996. "Sharing Electronic Medical Records Across Multiple Heterogeneous and Competing Institutions," available on-line at www.emrs.org/publications/.

22  

See, for example, a description of IBM cryptolope technology: Rodriguez, Karen. 1996. "Pushing the Envelope," Communications Week, May 13, p. 37. Similar technology is being developed by Xerox and AT&T.

Although it is unlikely that such a rights management system can be made foolproof against the most technically competent unethical user, it may provide an audit trail of access up to a point of abuse, including recording that a local copy has been made (presumably against privacy protection laws) or that an overt act to circumvent software controls had occurred. Further it might be possible cryptographically to watermark digital medical record documents with the identities of the users to whom they were issued in confidence so that if a subsequent inappropriate disclosure is made, its source could be identified.

An obvious extension of these ideas would be to use rights management inside organizations as well, to enforce organizational policy on data collection, access, and dissemination. For example, an organization could use rights management tools to ensure that clinical data cannot be collected or aggregated even by internal staff except with the approval of an institutional review board. Rights management tools, coupled with legal reform to define acceptable use and disclosure, may also make it feasible to deploy a uniform health care identifier system with appropriate accountability for bona fide use within the health care industry.

Obstacles To Use Of Security Technology

The move to computerized patient records is made more urgent by many pressures: the need to allow simultaneous access to records by various providers involved in patient care in modern streamlined clinical settings; the push toward increased cost-effectiveness, meeting the needs of highly mobile patients, regional integration of providers and referral systems, and the use of telemedicine and telecare; the push toward evidence-based care; the need to analyze outcomes and utilization; the need for better clinical research support; attempts to improve health through more thorough immunization and nutrition programs; and so on. Despite an aggressive move toward computerized health care records in recent years and ongoing parallel technological improvements, there are still many obstacles and impediments to achieving usable and secure systems. The following are the principal hurdles related to the use of security technology that the committee found.

Difficulty of Building Useful Electronic Medical Records

The challenge of developing digital health care record systems that are useful, efficient, and cost-effective has proved to be so difficult that deployment of any system that works in the clinical care arena is the primary priority. Security is often relegated to a much lower priority in this process. One of the goals of computerized patient record systems is to make care more cost-effective while maintaining high quality. Although minimizing inappropriate, expensive tests and treatments is an important part of these goals, the most direct goal is to save provider time (i.e., allow providers to care for more patients in less time). To date, the committee has been unable to document any clinical information system that saves provider time overall. Stronger security measures can only exacerbate this shortcoming by creating more hurdles that a provider must overcome to use a system; thus, security is often sacrificed in the interest of user acceptance and efficiency. As one chief information officer of a large health care organization told the committee, "Every minute of time a system costs a user to enforce security controls is multiplied 20,000 times across our physician population, and this translates into the loss of real dollars." The transition period between paper-based records and electronic records adds to the cost and increases the threshold to move toward electronic medical records since health care organizations must manage both the old paper and the new electronic record systems at the same time.

Lack of Market Demand for Security Technology

Few organizations can afford to develop and integrate strong information security technologies into their operational systems. Until vendors incorporate stronger, integrated, standard, open technologies, reliance on old and vulnerable technologies for user authentication, access control, network protection, and so forth, will persist. This seems to be a chicken-and-egg problem, however. Although some vendors do not appear to put much effort into security mechanisms, others reported that they have invested considerable effort in developing sound security features in clinical information systems they were marketing, but that these features do little to enhance sales. Vendors contend that there is little market demand for security that can help motivate a vendor to invest heavily in it. If this is true, at least some vendors may be prepared to deliver stronger security capabilities quickly if health care organizations make those capabilities a requirement for future system purchases. This suggests that a two-pronged approach is needed: (1) make technological interventions more acceptable by making them less of an annoyance to users; and (2) increase purchaser awareness regarding security issues, thus creating a market demand for these technologies so that vendors will integrate strong security tools in health care information system products.

Organizational Systems Accumulate—They Are Not Designed

Many of the provider sites visited by committee members are in acquisition mode; that is, they are actively pursuing mergers and acquisitions of other health care providers with the hope of achieving economies of scale in managing a larger organization, benefiting from referrals of patients from larger and larger population areas, and reducing competition. The merger of diverse hospitals and clinics entails inheriting legacy information systems that do not communicate information well with each other, much less share a common security framework. Such systems are not designed but evolve within the exigencies of business goals. Relying on the overriding ethical behavior of providers within the systems, security integration and reinforcement often receive lower priority. At a technological level, it would help greatly if commercial tools were available to integrate legacy systems into modern distributed computing environments. Beyond that, however, many other database content inconsistencies have to be overcome, including patient identifier systems, database terminology, information types, and units of measurement.

Cryptography-based Tools Are Still Out of Reach

As noted in the discussion of encryption, there is almost no common use of cryptographic tools in any modern public distributed computing setting today. It seems clear that cryptography-based technologies and standards specification are available for inclusion in health care systems, but this has not happened to any real extent, except in a few specialized commercial products and in more adventuresome academic settings. Much more aggressive demonstration of these tools and their integration into real systems are needed.

Effective Public-key Management Infrastructures Are Essential but Still Nonexistent

The basis for many of the features desired for security in health care information systems depends on deploying public-key cryptographic technologies—authentication, digital signatures, information integrity management, session key exchange, rights management, and so on. Trusted and effective key management is at the heart of these tools but is not a well-established process at this time. Substantial challenges remain to demonstrate a key management system (or systems) that connects keys reliably with bona fide organizations, providers, patients, and service personnel; that provides rapid and unassailable operational verification of credentials; that makes theft of key information difficult in systems deployed to non-computer expert user groups; that enables recovery of information in the case of lost keys; and that ensures rapid revocation of compromised keys and prevents exploitation of compromised information with protection based on those keys. Preliminary efforts to establish public-key management infrastructures are under way in the banking and Internet commerce communities but, to date, nowhere in the health care industry. Such systems must be set up to certify provider organizations, physicians, nurses, and other support personnel, as well as patients themselves, and these must operate effectively, conveniently, and in a setting of unquestioned trust and confident risk management. Considerable challenges remain to demonstrate a key management capability that is usable for health care, and demonstration projects should begin at once.


Helpful Technologies Are Hard to Buy and Use

Providers can rarely afford to develop their own information systems, and those sold by most vendors do not offer organizational solutions for security controls. Thus, with the push to more distributed systems, providers are forced to put up with multiple, incompatible authentication and authorization technologies or to construct special solutions for parts of their organizations. The tools to manage heterogeneous computing environments in terms of security, reliability, and so forth are not well developed. Standard ways are needed to link component systems together that meet requirements and do not overburden the system administrator. A great deal of technology already exists that can help protect health care information, but much of it has not been brought into routine practice yet. Specific technologies include strong cryptographic tools for authentication, uniform methods for authentication and access control, network firewall tools, more aggressive software management procedures, and effective use of system vulnerability monitoring tools. Some of these technologies—token authentication cards, for example—have been relatively expensive for wide deployment in large organizations. However, the costs of these technologies are decreasing (through volume adoption and competition) at the same time that their usability is improving. The tools to manage software across distributed heterogeneous systems consisting of many thousands of machines and users, including program census management, version control, and integrity control, are poorly developed. Overall the lack of standards for security controls and for vendor products that interoperate between disparate systems means that chief information officers postpone decisions about implementing and enforcing effective security solutions.

Education and Demystifying Issues of Distributed Computing and Security

The revolution in distributed computing and communications systems that has been brewing since the 1960s and 1970s has taken hold full force in commercial organizations during the past decade. Health care organizations have been among the slowest to adopt these new technologies, however, and existing management and information systems personnel are not fully prepared. The lack of technical understanding, the lack of direct experience with these new tools, the lack of confidence in their management, the lack of a peer group of successful adopters (except for a few academic medical organizations), and uncertainties about reasonable risks and expectations all leave conservative organizational managers hesitant to make decisions. The design, implementation, and operation of effective, secure distributed systems are still not well understood by many users or designers, nor are methods for the detection and control of intrusions. Management ignorance and uncertainties translate into delays in defining requirements for, procuring, and deploying modern health care information systems. Distributed system technologies, including security, need to be demystified, and managers must be educated about realistic goals, alternative solutions, and operational practices to take advantage of these tools. Only in this way can the health care industry improve its practices for protecting electronic health information.

×
Page 96
Suggested Citation:"4 Technical Approaches to Protecting Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 97
Suggested Citation:"4 Technical Approaches to Protecting Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 98
Suggested Citation:"4 Technical Approaches to Protecting Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 99
Suggested Citation:"4 Technical Approaches to Protecting Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 100
Suggested Citation:"4 Technical Approaches to Protecting Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 101
Suggested Citation:"4 Technical Approaches to Protecting Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 102
Suggested Citation:"4 Technical Approaches to Protecting Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 103
Suggested Citation:"4 Technical Approaches to Protecting Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 104
Suggested Citation:"4 Technical Approaches to Protecting Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 105
Suggested Citation:"4 Technical Approaches to Protecting Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 106
Suggested Citation:"4 Technical Approaches to Protecting Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 107
Suggested Citation:"4 Technical Approaches to Protecting Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 108
Suggested Citation:"4 Technical Approaches to Protecting Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 109
Suggested Citation:"4 Technical Approaches to Protecting Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 110
Suggested Citation:"4 Technical Approaches to Protecting Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 111
Suggested Citation:"4 Technical Approaches to Protecting Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 112
Suggested Citation:"4 Technical Approaches to Protecting Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 113
Suggested Citation:"4 Technical Approaches to Protecting Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 114
Suggested Citation:"4 Technical Approaches to Protecting Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 115
Suggested Citation:"4 Technical Approaches to Protecting Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 116
Suggested Citation:"4 Technical Approaches to Protecting Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 117
Suggested Citation:"4 Technical Approaches to Protecting Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 118
Suggested Citation:"4 Technical Approaches to Protecting Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 119
Suggested Citation:"4 Technical Approaches to Protecting Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 120
Suggested Citation:"4 Technical Approaches to Protecting Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 121
Suggested Citation:"4 Technical Approaches to Protecting Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 122
Suggested Citation:"4 Technical Approaches to Protecting Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 123
Suggested Citation:"4 Technical Approaches to Protecting Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 124
Suggested Citation:"4 Technical Approaches to Protecting Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 125
Suggested Citation:"4 Technical Approaches to Protecting Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 126
Next: 5 Organizational Approaches to Protecting Electronic Health Information »
For the Record: Protecting Electronic Health Information Get This Book
×
Buy Hardback | $32.95 Buy Ebook | $26.99
MyNAP members save 10% online.
Login or Register to save!
Download Free PDF

When you visit the doctor, information about you may be recorded in an office computer. Your tests may be sent to a laboratory or consulting physician. Relevant information may be transmitted to your health insurer or pharmacy. Your data may be collected by the state government or by an organization that accredits health care or studies medical costs. By making information more readily available to those who need it, greater use of computerized health information can help improve the quality of health care and reduce its costs. Yet health care organizations must find ways to ensure that electronic health information is not improperly divulged. Patient privacy has been an issue since the oath of Hippocrates first called on physicians to "keep silence" on patient matters, and with highly sensitive data--genetic information, HIV test results, psychiatric records--entering patient records, concerns over privacy and security are growing.

For the Record responds to the health care industry's need for greater guidance in protecting health information that increasingly flows through the national information infrastructure--from patient to provider, payer, analyst, employer, government agency, medical product manufacturer, and beyond. This book makes practical detailed recommendations for technical and organizational solutions and national-level initiatives.

For the Record describes two major types of privacy and security concerns that stem from the availability of health information in electronic form: the increased potential for inappropriate release of information held by individual organizations (whether by those with access to computerized records or those who break into them) and systemic concerns derived from open and widespread sharing of data among various parties.

The committee reports on the technological and organizational aspects of security management, including basic principles of security; the effectiveness of technologies for user authentication, access control, and encryption; obstacles and incentives in the adoption of new technologies; and mechanisms for training, monitoring, and enforcement.

For the Record reviews the growing interest in electronic medical records; the increasing value of health information to providers, payers, researchers, and administrators; and the current legal and regulatory environment for protecting health data. This information is of immediate interest to policymakers, health policy researchers, patient advocates, professionals in health data management, and other stakeholders.

  1. ×

    Welcome to OpenBook!

    You're looking at OpenBook, NAP.edu's online reading room since 1999. Based on feedback from you, our users, we've made some improvements that make it easier than ever to read thousands of publications on our website.

    Do you want to take a quick tour of the OpenBook's features?

    No Thanks Take a Tour »
  2. ×

    Show this book's table of contents, where you can jump to any chapter by name.

    « Back Next »
  3. ×

    ...or use these buttons to go back to the previous chapter or skip to the next one.

    « Back Next »
  4. ×

    Jump up to the previous page or down to the next one. Also, you can type in a page number and press Enter to go directly to that page in the book.

    « Back Next »
  5. ×

    Switch between the Original Pages, where you can read the report as it appeared in print, and Text Pages for the web version, where you can highlight and search the text.

    « Back Next »
  6. ×

    To search the entire text of this book, type in your search term here and press Enter.

    « Back Next »
  7. ×

    Share a link to this book page on your preferred social network or via email.

    « Back Next »
  8. ×

    View our suggested citation for this chapter.

    « Back Next »
  9. ×

    Ready to take your reading offline? Click here to buy this book in print or download it as a free PDF, if available.

    « Back Next »
Stay Connected!