Findings and Recommendations
Information technology offers many potential benefits to health care. Electronic medical records (EMRs) facilitate cost-effective access to more complete, accurate health data with which providers can make better decisions about patient care. Advanced communications networks can enable the sharing of data among distributed elements of integrated health care delivery systems and can enable telemedicine programs to overcome geographic boundaries between patients and providers. Electronic data processing techniques can enable managed care providers, health services researchers, and public and private oversight organizations to conduct more sophisticated analyses of health care utilization and outcomes. Electronic billing and administration systems may help reduce the administrative costs of health care. Computer-based decision support tools can help reduce variation in health care quality across providers, improve adherence to standards of care, and reduce costs by eliminating duplicative or nonefficacious tests and therapeutic procedures.
To obtain the benefits of electronic medical records, the nation must address and mitigate concerns regarding the privacy and security of electronic health care information. As the recommendations in this chapter describe, health care providers have to adopt a range of technical and organizational practices to protect health care information, and the health care industry will have to work with government to create a legal framework and proper set of incentives for heightening interest in privacy and security and for ensuring industry-wide protection of health information.
This chapter summarizes the committee's principal findings and presents recommendations for improving the privacy and security of health information. Although a number of the recommendations are directed specifically to electronic health information, many are equally applicable to the protection of paper records.
Findings and Conclusions
Finding 1: Information technology is becoming increasingly important in improving the quality and lowering the costs of health care; attempts to protect patient privacy must therefore center on finding ways to protect sensitive electronic health information in a computerized environment rather than on opposing the use of information technology in health care organizations. As the site visits conducted for this study attest, the shift to integrated health care delivery systems and managed care creates a growing demand for electronic health information and for data networks capable of transferring data within and across organizations. Electronic health information allows such organizations to better analyze data for such purposes as improving care, monitoring the quality of care, analyzing the utilization of health care resources, and managing health benefits. Care providers claim that the availability of health information on-line helps them enhance the quality of health care delivery, as well as its efficiency. Patients will see the advantages of integrating and sharing data across the institution as they begin to receive a greater proportion of their care within integrated delivery systems. The application of information technology to health care is expected to help reduce the cost of administering care.
Each of the organizations visited as part of this study has ongoing programs to expand the use of information technology for clinical care and administration; all reported positive benefits of such applications. As long as health care organizations continue to find value in these activities, whether by improving the quality or reducing the costs of care, strong incentives will exist to pursue them. Thus, although opposition to the use of electronic medical records may succeed in delaying their widespread adoption, in the long run expectations of enhanced quality and improved efficiency, combined with economic pressures, are likely to dominate. From a policy perspective, it therefore makes far more sense for the health care system to find ways to handle legitimate privacy and security concerns without foregoing the benefits of information technology.
Furthermore, properly implemented EMRs offer great potential for improving the security of health information and the privacy of patients. EMRs allow the use of technical mechanisms to either impede unauthorized access or deter potential abuses. For example, authentication and access control technologies can help ensure that access to health information is limited to people with a legitimate need to know. Audit logs can be used to keep a record of accesses to electronic records to detect abuse. Encryption can be used to keep health information secret as it is transmitted between users. Although none of these measures can guarantee absolute security, they provide a wide range of tools to ensure authorized access and use of health information. As a result, EMRs should not be viewed as a way of undermining patient privacy but as a means of enhancing patient privacy by improving the security of health information.
Finding 2: Health care organizations need to take a more aggressive approach to improving the security of health information systems in order to better protect electronic health information. Little is known about the extent of existing violations of privacy and security in the health care industry. Although some sites were aware of some cases in which authorized users had intentionally or unintentionally released health information inappropriately (from both electronic and paper record systems), the sites visited as part of this study reported no incidents in which outside attackers breached system security and produced large-scale violations of patient privacy. Most health care organizations therefore continue to perceive insider abuse as the primary problem to be solved; however, evidence from other industries indicates that organizations with Internet connections or other kinds of remote access (e.g., modem connections) are prone to outsider attacks.1 As health care organizations put more information on-line and begin to transmit patient information electronically, they will have to ensure that adequate security protections have been developed to protect against new vulnerabilities.
Finding 3: Health care organizations have been slow to adopt strong security practices, due largely to a lack of strong management and organizational incentives; no major breach of security has occurred that has catalyzed such efforts. Thus, the information technology vendor community has not found a market for providing security features in health information systems. Although health care organizations are committed to ensuring privacy and security, the need to ensure access to information for the provision of care often works against having strong access controls and other security mechanisms. For example, hospitals often choose to allow physicians to access the health records of all patients, rather than just their own, so that they can be certain to have access to needed information in an emergency. Concerns about the supposed inconvenience of using token-based authentication systems have led many health care organizations to rely on more convenient log-in IDs and passwords for authenticating users of health information systems. Even in cases in which security mechanisms would not necessarily impede provision of care, however, health care organizations have not always implemented strong security. Many organizations do not maintain audit logs of accesses to clinical information, nor have they developed tools or procedures for systematically reviewing the logs.
Lack of security results, in large part, from a lack of strong incentives to improve it. In the absence of a widespread, public catastrophe regarding information security, many health care organizations reported that they believe the risk of a major breach of security is low and that they could survive a major event without significant consequences. Without strong legislation or enforceable industry standards, few penalties will exist for lax security.2 Although patients may sue organizations for damage resulting from alleged breaches of privacy, such suits appear to be infrequent and have not attracted much attention. Hence, most health care organizations have, to date, dedicated the vast majority of their information technology resources to expanding the functionality of health care information systems rather than to protecting the systems that are in place. System security does not improve the financial position of most health care organizations. In the more advanced organizations, security practices do not match those widely found in other industries, and in less advanced organizations, even elementary security practices have not been implemented. Several major vendors of health care information systems reported to the committee that lack of demand by health care organizations has stifled the supply of advanced security features in health care information systems. Since health care organizations do not reward them for including security features in their products, vendors have limited incentive to offer them.
Finding 4: Patients have important roles to play in addressing privacy and security concerns. Patient concerns and expectations often set the standard for health care organizations; health care organizations must anticipate and respond to such expectations in order to survive in an increasingly competitive environment. Thus, patients who are knowledgeable about (1) the consent they give providers to disseminate data, (2) overall flows of information within the industry, and (3) their legal and regulatory rights to privacy are in the long run an asset to an organization wishing to promote an internal culture that takes its privacy and security responsibilities seriously. Increasing the coupling between patients and provider organizations (e.g., through membership on key committees, messages sent to patients about privacy and security, and full disclosure of data flows) will ultimately benefit the organization.
Most patients and consumers are either unaware of or unconcerned about the uses to which their health records are put and the many organizations that possess their health information. Privacy and consumer advocacy groups that have a better understanding of data flows have yet to articulate a consistent position on privacy and security requirements and, until recently, have had limited influence on the legislative process. As a result, patients have little control over the ways in which information about their health is collected, used, or disseminated. For patients to feel comfortable providing personal health information to a care provider, they may need greater authority in helping to determine rules regarding the privacy of health information.
Finding 5: The greatest concerns regarding the privacy of health information derive from widespread sharing of patient information throughout the health care industry and the inadequate federal and state regulatory framework for systematic protection of health information. The current structure of the industry gives care providers, payers, pharmaceutical benefits managers, equipment suppliers, and oversight organizations a variety of incentives to collect large amounts of patient-identifiable health information (e.g., clinical data). The increasing emphasis on controlling costs and quality and on improving the marketing and sales of related products and services (e.g., medications) further boosts the economic value of such information. Although these data are collected for a variety of legitimate purposes, few controls exist to prevent such information from being used in ways that could harm patients or invade their privacy, and no national debate has occurred to determine what the appropriate uses of health information should be. The existing legal and regulatory framework for protecting patient-identifiable information forms a patchwork of protection that is insufficient in an age of increasing interstate data transfers and of health care delivery systems that span state boundaries.3 Federal laws protect mostly data in the control of the federal government, while state laws provide inconsistent protection and often apply only to limited kinds of health information. In some instances, federal law facilitates the private-sector collection of patient-identifiable health information (e.g., the federal Employee Retirement and Income Security Act, or ERISA, allows self-insured employers to collect such information on their employees by preempting state laws). As a consequence, many organizations within the health care system are free to collect and use large amounts of patient-identifiable health information for purposes that suit their economic interests, and patients lack legal standing to bring suit against those they allege have breached their privacy. Data collected for one benign and stated purpose can be used for different, unstated purposes that may run contrary to the interests or understandings of the parties from which the data were collected. For example, self-insured companies that request patient data to monitor benefits programs have few legal constraints to prevent them from using such information in employment or promotion decisions.
In organizations that are subject to formal privacy protections, such as hospitals with mandatory institutional review boards that oversee research uses of health information (see Chapter 5) and government agencies subject to the Privacy Act of 1974 (see Chapter 2), privacy concerns seem greatly diminished. These types of structures appear to have been effective in ensuring uses of health information that are consistent with privacy concerns.
Finding 6: Within individual organizations, electronic health information is vulnerable to both authorized users who misuse their privileges and perform unauthorized actions (such as browsing through patient records) and outsiders who are not authorized to use the information systems, but break in with the intent of malicious and damaging action. Health care organizations have been working for many years to develop mechanisms for protecting health information (in both paper and electronic form) from abuse by authorized users, but they must continue to strengthen their protections by, for example, implementing auditing capabilities and strengthening disciplinary sanctions. As with other types of organizations, health care organizations will become more vulnerable to attacks by outsiders as they expand their networking activities. System vulnerabilities are not limited to breaches of privacy. If realized, the most serious vulnerability might well be a skilled individual with malicious intentions who can "crash" an important health information system and deny service to health care providers that rely on that system.4
Finding 7: Adequate protection of health care information depends on both technical and organizational practices for privacy and security. Although no set of mechanisms can make organizations impervious to malicious attack or inadvertent breaches of security, a suitably crafted set of technical and organizational practices can be designed to protect health information effectively. Technologies such as tokens, log-in IDs, and passwords can be used to authenticate, or verify the identity of, users. Access control techniques can be used in combination with a well-managed information repository to limit the types of data that individual users can read, enter, or alter and the types of functions they can perform. Audit trails can record all transactions that access patient information. Encryption can be used to protect log-in IDs, passwords, databases, or information transmitted over open communications systems. Public-key cryptography tools can ensure information integrity, user authentication (for digital signatures and nonrepudiation), and audit trails. The use of these technical measures can provide reasonable security for most health care applications but does not guarantee invulnerability against all technical attacks.
Organizational policies and practices are at least as important an element of security. Organizations need explicit policies governing the privacy and security of health information. Practices and procedures flow from these policies. The health care industry employs millions of workers who routinely handle patient-identifiable information as part of their jobs. They have more opportunities to disclose information inappropriately than do outsiders, and their jobs are challenging and frequently changing. Organizational mechanisms are needed to ensure that employees, medical staff, contractors, and vendors properly protect health information. Policies are needed to specify the formal structures, ensure responsibility and accountability, establish procedures for releasing information and assigning access privileges, create sanctions for breaches of security at any level of the organization, and require training in the privacy and security practices of an organization. The culture of the organization—dependent on, but not necessarily determined by, its senior leadership—establishes the degree to which employees take their security and confidentiality responsibilities seriously. Commitment of organizational resources not only helps establish organizational culture but also ensures that funds are available for salaries of security officers and staff, for procurement of adequate technical security mechanisms (e.g., firewalls), and for studying vulnerabilities and required practices.
As the findings above indicate, attempts to improve the protection of health information need to address privacy and security concerns at both the organizational and the national or industry-wide levels. Organizations need to improve their internal mechanisms for handling health information, and the health care industry as a whole needs to improve its practices for controlling and enforcing systemic uses of health information. In the absence of strong business motivations and economic pressures to improve privacy and security, other forces may be necessary to promote change. These include industry-wide efforts to develop sound practices for protecting health information, initiatives to better educate patients about health data flows, or government regulation or legislation to provide patients with enforceable rights to privacy. Educating the public may also be an effective option for prodding organizational leaders to place a higher priority on privacy and security needs, though to date such efforts have not proved effective. Legislative initiatives have been stymied by an inability to achieve national consensus, and standards organizations are fragmented and lack sufficient authority to promulgate or enforce standards for privacy and security.
The recommendations below outline the roles of health care organizations, the health care industry, and government in improving privacy and security practices within individual health care organizations, creating the industry-wide infrastructure needed to develop and encourage adoption of stronger privacy and security practices, addressing systemic issues related to privacy and security, and ensuring research to meet future technical needs. To the extent possible, the committee has attempted to identify the organization or organizations best qualified to implement each recommendation. In some cases, private and public organizations will have to sort out their respective roles so as to make the best use of their strengths and resources.
Improving Privacy and Security Practices
As the site visits suggested, one of the obstacles to improving privacy and security in health care organizations is a lack of knowledge about the types of technical and organizational practices that are effective in protecting health information. No generally accepted set of practices exists against which organizations can compare their efforts, nor do specific standards exist. Such guidelines would help educate users about the types of practices that are available for protecting health information, would help ensure that health information is protected adequately within institutions, and would ensure some degree of uniformity across the health care system. Promulgation of a set of guidelines for standard practices might provide the incentive that organizations need to commit greater resources to the development of sound security strategies and would help vendors determine which types of mechanisms to build into their products.
Because health care organizations vary considerably in the types of information systems they deploy and the types of information they use in electronic form, as well as in the resources they can devote to system security, appropriate security practices are highly dependent on individual circumstances. It is therefore not possible to prescribe in detail specific practices for all organizations; rather, each organization must analyze its systems, vulnerabilities, risks, and resources to determine optimal security measures. Nevertheless, the committee believes that a set of practices can be articulated in a sufficiently general way that they can be adopted by all health care organizations in one form or another. Moreover, the committee believes that a general set of practices can be adopted at reasonable cost given the current state of technology.
Recommendation 1: All organizations that handle patient-identifiable health care information—regardless of size—should adopt the set of technical and organizational policies, practices, and procedures described below to protect such information. The set is not expected to serve as a benchmark for the industry but is envisioned as a framework for helping organizations determine how to improve privacy and security within their own institutions. These policies either could help health care organizations meet the standards promulgated by the Secretary of Health and Human Services as directed by the Health Insurance Portability and Accountability Act of 1996 or could inform the development of such standards. The penalties established by this act for violations of privacy or security standards may provide sufficient motivation for organizations to adopt these policies. External auditing firms could also play a role by evaluating privacy and security practices as part of their annual audits of health organizations. Although auditing firms are not empowered to enforce the use of these practices, auditors' assessments might provide insight into areas that need strengthening to avoid potential liabilities.
Specific implementation of these policies, practices, and procedures will vary from organization to organization, depending on individual circumstances, but each organization should adopt the full spectrum of recommendations to ensure that it addresses all aspects of security. The committee hopes that individual organizations will exceed as appropriate the requirements set out below in addressing privacy and security needs specific to their own sites. Although the committee did not calculate the cost of implementing the policies, procedures, and practices outlined below, each was observed in an operational setting and reportedly had been implemented at reasonable costs. These practices and procedures will not make health information systems invulnerable to all potential forms of misuse or abuse, nor can they guarantee that the privacy of health information will not be compromised. They would, however, go a long way toward minimizing potential abuse by authorized users (whether intentional or unintentional) and make outsider attacks more difficult.
Described below are technical and organizational practices and procedures that can be implemented immediately without too much difficulty or expense, as well as technical measures that could reasonably be taken in the future as the relevant technologies advance. In each case, the committee has attempted to identify approaches that take into account the specific requirements of health organizations (as opposed to organizations in other industries), balancing the need for privacy and security against the need for access in order to provide care. Each of the practices described for immediate implementation was observed to operate successfully in a health care setting. Of course, the implementation of these policies, practices, and procedures within individual health care organizations will have to be adjusted to accommodate the requirements specific to those institutions and to the various types of departments and settings within them. The demands of an AIDS clinic may be different from those of a large, urban hospital. The demands of a hospital's billing department may be different from those of an emergency room. Thus, although it may be appropriate to program a terminal in the billing department or on a physician's desk, for example, to log-off automatically after a specified period of time, it may not be appropriate for the terminal in an emergency room or an operating room to do so. Organizations will have to take these considerations into account as they develop plans for implementing the policies, practices, and procedures listed below to make sure that they adopt a strategy appropriate to their needs.
Technical Practices and Procedures for Immediate Implementation
Individual Authentication of Users. Every individual in an organization should have a unique identifier (or log-in ID) for use in logging onto the organization's information systems. This approach will make it possible to hold individual users accountable for their actions on-line and to implement access controls based on individual needs. Sanctions should be in place to discipline employees who share their identifiers or fail to log off their workstations. Where appropriate and not detrimental to the provision of care, computer workstations should be programmed to log off automatically if left idle for a specified period of time (though the period of time will have to be adjusted to accommodate local and departmental operations). Password discipline should be exercised, requiring users to change passwords on a regular basis and to select passwords that cannot be guessed easily. Procedures should be established to (1) revoke the identifiers of employees who leave the organization; (2) identify and revoke other unused identifiers as appropriate; (3) ensure that only legitimate users are granted access to the organization's information system; and (4) guarantee that authorized users can access needed information in emergency situations.
Access Controls. Procedures should be in place that restrict users' access to only that information for which they have a legitimate need. Ideally, such controls should be based on the needs of individual users, but in practice they may have to be based on job categories. Narrow job descriptions should be used, where possible, to allow more fine-grained control of access privileges. For example, job titles such as "doctor," "nurse," or "physician's assistant" provide less control than titles such as "cardiologist" or "emergency room nurse."5 Any of the models discussed in Chapters 4 and 5 can be used for distributing access privileges. The committee recognizes that individual organizations will have to determine the appropriate job categories within their facilities and decide whether medical staff is allowed to access the records of all patients treated by the organization (which is often the case today) or only of patients under their direct care. Again, the proper balance between access and privacy will depend on the specific setting and on the need to ensure access to information in emergency situations.
5. It should be noted that the use of fine-grained access controls can exacerbate the difficulty of keeping the data in medical records organized so that they correspond with the access privileges of the users. A variety of software tools are under development to assist in managing this task (see Chapter 4).
Audit Trails. Organizations should maintain in retrievable and usable form audit trails that log all accesses to clinical information. The logs should include the date and time of the access, the information or record accessed, and the user ID under which access occurred. Organizations that provide health care services to their own employees should implement the capability for employees to conduct audits of accesses to their own health records. Although self-audits will not necessarily identify large numbers of inappropriate accesses to health records, they have proved to be a cost-effective way of raising employees' awareness and appreciation of privacy concerns in organizations that have deployed them. In addition, all organizations should implement procedures for reviewing audit logs both in response to requests from individual patients and through more formal means (e.g., random sampling). The goal of this practice should be to deter users from attempting to access information inappropriately rather than to detect a large percentage of actual breaches. All organizations (whether providers or others) should begin to plan for future implementation of more rigorous audit trails as described below in the section of practices for future implementation. One dimension of planning would be to demand that vendors provide information systems that support audit trails.
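The job-category access model and the audit-trail review described above, worked through as an added example that is not code from the report or from any system the committee visited. Job categories map to the data classes they may read, clinical roles also require a treatment relationship with the patient, an emergency override is granted rather than impeding care but is logged under its own decision code, and the review side shows a patient self-audit, flagging of every override and of users with repeated denials (the browsing pattern), and a reproducible random sample for routine review. The role table, user and patient identifiers, relationships, log format and request sequence are all constructed for illustration.

```python
"""Role-based access check with a logged emergency override, plus review of
the resulting audit trail.  Added example, not from the report: the job
categories, data classes, treatment relationships, log format and sample
requests are all constructed for illustration."""
import random
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Job category -> (readable data classes, whether a treatment relationship is required).
# Narrow titles ("cardiologist", "er_nurse") allow tighter grants than "doctor" or "nurse".
ROLE_PERMISSIONS = {
    "cardiologist": ({"demographics", "notes", "labs", "ecg"}, True),
    "er_nurse": ({"demographics", "notes", "labs", "medications"}, True),
    "billing_clerk": ({"demographics", "charges"}, False),
}
USER_ROLES = {"dr_ada": "cardiologist", "rn_lee": "er_nurse", "clerk_bo": "billing_clerk"}
# Patient -> users with a current treatment relationship (constructed).
TREATING = {"P100": {"dr_ada", "rn_lee"}, "P200": {"dr_ada"}, "P300": {"rn_lee"}}


@dataclass
class AuditEntry:
    ts: datetime          # date and time of the access
    user: str             # user ID under which access occurred
    patient: str          # record accessed
    data_class: str       # part of the record accessed
    decision: str         # "granted", "granted_emergency" or "denied"


def request_access(log, user, patient, data_class, when, emergency=False):
    """Decide one read request and append the decision to the audit log.
    Returns True when the request is granted (normally or by override)."""
    role = USER_ROLES.get(user)
    classes, needs_relationship = ROLE_PERMISSIONS.get(role, (set(), True))
    if data_class not in classes:
        decision = "denied"                      # outside the job category entirely
    elif not needs_relationship or user in TREATING.get(patient, set()):
        decision = "granted"
    elif emergency:
        # Break-glass: the role may see this data class but has no relationship
        # to the patient.  Grant rather than impede care, but log it distinctly
        # so every override is seen by a reviewer after the fact.
        decision = "granted_emergency"
    else:
        decision = "denied"                      # would be browsing
    log.append(AuditEntry(when, user, patient, data_class, decision))
    return decision != "denied"


def self_audit(log, patient):
    """Everything recorded against one patient's record, for the patient's own review."""
    return [(e.ts.isoformat(timespec="minutes"), e.user, e.data_class, e.decision)
            for e in log if e.patient == patient]


def flag_for_review(log, denied_threshold=2):
    """Entries a reviewer should examine: every emergency override, plus all
    denied attempts by users denied at least denied_threshold times."""
    denied_by_user = Counter(e.user for e in log if e.decision == "denied")
    suspects = {u for u, n in denied_by_user.items() if n >= denied_threshold}
    return [e for e in log
            if e.decision == "granted_emergency"
            or (e.decision == "denied" and e.user in suspects)]


def random_sample(log, k, seed):
    """Fixed-size random sample of the log for routine review; the seed is
    given so the same sample can be reproduced for an auditor."""
    return random.Random(seed).sample(log, min(k, len(log)))


def run_scenario():
    """Constructed sequence of requests; returns the resulting audit log."""
    log = []
    t0 = datetime(2024, 3, 1, 8, 0)
    requests = [
        ("dr_ada", "P100", "ecg", False),          # treating cardiologist: granted
        ("rn_lee", "P100", "medications", False),  # treating nurse: granted
        ("clerk_bo", "P100", "notes", False),      # billing may not read notes: denied
        ("dr_ada", "P300", "labs", True),          # not treating, emergency: override
        ("rn_lee", "P200", "notes", False),        # not treating: denied
        ("rn_lee", "P200", "labs", False),         # not treating again: denied
    ]
    for i, (user, patient, data_class, emergency) in enumerate(requests):
        request_access(log, user, patient, data_class, t0 + timedelta(minutes=i), emergency)
    return log


if __name__ == "__main__":
    audit_log = run_scenario()
    print("self-audit for P100:", self_audit(audit_log, "P100"))
    print("flagged for review:", [(e.user, e.patient, e.decision) for e in flag_for_review(audit_log)])
    print("random sample:", [(e.user, e.patient) for e in random_sample(audit_log, 2, seed=1)])
```

The override path is the point: it is the line between the two positions the text describes (all patients versus only patients under one's care). Denying it would impede care; granting it silently would leave no way to deter browsing, so it is granted and made conspicuous to the reviewer instead.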
Physical Security and Disaster Recovery. Organizations should immediately take steps to limit unauthorized physical access to computer systems, displays, networks, and medical records. For example, computer terminals should be positioned and located so that they cannot be used or viewed by unauthorized users; unauthorized personnel should not have access to the locations in which records (paper or electronic) are stored. Procedures should be developed regarding paper printouts of electronic medical records and the destruction of printouts that will not be incorporated into the formal record. As part of their program for ensuring physical security, organizations should develop and implement plans for providing basic system functions and ensuring access to medical records in the event of an emergency (whether a natural disaster or a computer failure). These plans should be practiced not less than once a year to ensure that they provide rapid recovery and that staff are adequately trained. Disaster recovery plans should include regular backups of clinical information so that it can be restored if the primary data are destroyed or invalidated. Many organizations run daily, weekly, and monthly backups so that data can be recovered from both recent and archival files. Health care organizations should ensure that contractors used to transport and store backup tapes have adequate policies in place for safeguarding the information and protecting integrity. Backup tapes stored in off-site locations represent a significant vulnerability that is often overlooked. Backup tapes stored off-site should be subject to strong physical security to prevent unauthorized access or should be encrypted so that they cannot be read while they are being transported or stored.
Protection of Remote Access Points. Organizations must protect their information systems from attackers who try to gain entry through external communication points, such as the Internet or dial-in telephone lines. Organizations with centralized Internet connections should immediately install a firewall that provides strong, centralized security and allows outside access to only those systems critical to outsider users. Organizations with multiple access points should consider other forms of protection, such as TCP wrappers, to protect the host machines that allow external connections.6 Organizations should also require an additional, secure authentication process for users attempting to access the system from remote locations (e.g., those using home computers or portable computers). This should take the form of either encrypted or single-session passwords (see Chapter 4). Organizations that do not implement either of these approaches should allow remote access only over dedicated lines.
Many health care organizations currently protect their remote access points by using dial-back procedures7 or by embedding the remote access telephone number in the software employed by remote users to establish a connection. The committee does not consider such approaches adequate for protecting remote access points and recommends against their use as substitutes for these other techniques. It recommends that information systems that are not protected by firewalls or by strong authentication mechanisms be disconnected from public networks and linked only to secure dedicated lines for remote access.
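The following is an added illustration of the single-session password mechanism recommended above; it is not code from the committee's report. It follows the S/KEY design: the client holds a chain of repeated hashes of a secret seed and reveals the chain one step at a time, while the server stores only the last value it accepted, so a password captured on the line is useless once used and a copy of the server's file yields no future passwords. The hash function, chain length, and seed are assumptions made for the example.

```python
"""One-time (single-session) passwords for remote log-in, S/KEY-style.

Added example, not code from the report. The server keeps only the last
accepted value, never the seed. Hash choice, chain length and the seed
below are assumptions for illustration.
"""
import hashlib
import hmac


def h(data: bytes) -> bytes:
    # Assumption: SHA-256. S/KEY itself used a folded MD4/MD5 output.
    return hashlib.sha256(data).digest()


def make_chain(seed: bytes, n: int) -> list:
    """Return [h^0(seed), h^1(seed), ..., h^n(seed)]."""
    chain = [seed]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain


class OtpServer:
    """Per user the server stores (log-ins remaining, last accepted value)."""

    def __init__(self, n: int, final: bytes):
        self.count = n        # log-ins left before the user must re-enrol
        self.last = final     # h^n(seed), supplied once at enrolment

    def login(self, candidate: bytes) -> bool:
        if self.count == 0:
            return False      # chain exhausted: refuse until re-enrolment
        # Accept iff hashing the offered value reproduces the stored one.
        if hmac.compare_digest(h(candidate), self.last):
            self.last = candidate   # next expected value is one step earlier
            self.count -= 1
            return True
        return False


class OtpClient:
    """Walks the chain backwards. A real client recomputes each value from the seed."""

    def __init__(self, seed: bytes, n: int):
        self.chain = make_chain(seed, n)
        self.next_index = n - 1

    def enrolment_value(self) -> bytes:
        return self.chain[-1]           # h^n(seed), handed to the server once

    def next_password(self) -> bytes:
        if self.next_index < 0:
            raise RuntimeError("chain exhausted; generate a new seed and re-enrol")
        pw = self.chain[self.next_index]
        self.next_index -= 1
        return pw


def demo() -> dict:
    """Enrol, log in, replay the captured password, guess, log in again."""
    client = OtpClient(b"constructed-seed-do-not-reuse", 5)
    server = OtpServer(5, client.enrolment_value())
    first = client.next_password()
    return {
        "first_login": server.login(first),
        "replay_of_first": server.login(first),   # what a line-tapper would try
        "wrong_value": server.login(b"guess"),
        "second_login": server.login(client.next_password()),
        "logins_left": server.count,
    }


if __name__ == "__main__":
    print(demo())
```

The chain must be replaced before it runs out, and the enrolment value must reach the server over a trusted path; otherwise the scheme inherits the weakness of the channel used to set it up.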
Protection of External Electronic Communications. Health care organizations need to protect sensitive information that is transmitted electronically over open networks so that it cannot be easily intercepted and interpreted by parties other than the intended recipient. To do so, organizations that transmit patient-identifiable data over public networks such as the Internet should encrypt all patient-identifiable information before transmitting it outside the organization's boundary. Any of several available encryption schemes will suffice, provided the algorithm is publicly reviewed and the keys are generated, distributed, and stored securely; a proprietary or poorly keyed scheme gives the appearance of protection without the substance. Organizations that cannot or do not meet this requirement either should refrain from transmitting information electronically outside the organization or should do so only over secure dedicated lines.8 Policies should be in place to discourage the inclusion of patient-identifiable information in unencrypted e-mail.
Software Discipline. Organizations should exercise and enforce discipline over user software. At a minimum, they should immediately install virus-checking programs on all servers and limit the ability of users to download or install their own software. Census software or regular audits can be used to ensure compliance with such policies. Current technological tools for checking software downloaded from the Internet are limited; hence, organizations will have to rely on organizational procedures and educational campaigns to protect against viruses, Trojan horses, and other forms of malicious software and to raise users' awareness of the problem.
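As an added illustration of the "census" approach mentioned above (not code from the report), the following compares the software actually present on a workstation against an approved baseline and reports unapproved additions, altered binaries, and missing approved software such as a removed virus checker. The paths, hashes, and inventories are constructed for the example.

```python
"""Software census: compare what is installed against an approved baseline.

Added example, not code from the report. The paths, hashes and sample
inventories below are constructed for illustration.
"""
import hashlib
import os


def sha256_file(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root: str) -> dict:
    """Inventory every regular file under root as {relative path: sha256}."""
    inventory = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                inventory[os.path.relpath(full, root)] = sha256_file(full)
    return inventory


def census(baseline: dict, observed: dict) -> dict:
    """Classify the differences between the approved baseline and a scan.

    unapproved: on the machine but not on the approved list (user downloads)
    modified:   approved path whose contents no longer match (tampered or infected)
    missing:    approved software that has disappeared (e.g. virus checker removed)
    """
    return {
        "unapproved": sorted(set(observed) - set(baseline)),
        "modified": sorted(p for p in baseline
                           if p in observed and observed[p] != baseline[p]),
        "missing": sorted(set(baseline) - set(observed)),
    }


def compliant(report: dict) -> bool:
    return not any(report.values())


# Constructed sample: the approved baseline and a later scan of one workstation.
BASELINE = {
    "bin/emr_client.exe": "a1" * 32,
    "bin/virus_scan.exe": "b2" * 32,
}
OBSERVED = {
    "bin/emr_client.exe": "a1" * 32,         # unchanged
    "bin/virus_scan.exe": "c3" * 32,         # binary replaced
    "downloads/screensaver.exe": "d4" * 32,  # user-installed, not approved
}

if __name__ == "__main__":
    import json
    print(json.dumps(census(BASELINE, OBSERVED), indent=2))
```

In practice the baseline is built with scan_tree on a freshly installed, approved machine and stored where users cannot write to it; the hashes only help if the baseline itself cannot be edited by the people being audited.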
System Assessment. Organizations should formally assess the security and vulnerabilities of their information systems on an ongoing basis. At a minimum, they should run existing "hacker scripts" (the same vulnerability scanners and attack scripts that intruders use) and password "crackers" against their systems on a monthly basis, and should correct or compensate for the weaknesses found; a scan whose findings are not acted on is only a record of exposure. During their annual audits, external auditors should require each organization to demonstrate that it has procedures in place for detecting system vulnerabilities and that it conducts formal vulnerability assessments.
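The following is an added illustration of the password "cracker" run recommended above; it is not code from the report. It runs a small dictionary, with the mutations users typically apply, against a password file and reports every account whose password it recovers. The hash format (SHA-256 of salt and password), the accounts, and the wordlist are constructed for the example; real systems use crypt(3)-style hashes and a real audit uses a far larger wordlist.

```python
"""Password audit: run a dictionary attack against your own password file.

Added example, not code from the report. The hash format, accounts and
wordlist are constructed assumptions for illustration.
"""
import hashlib


def hash_password(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


def candidates(word: str):
    """The mutations users commonly apply to a dictionary word."""
    for base in (word, word.capitalize(), word.upper()):
        for suffix in ("", "1", "123", "!"):
            yield base + suffix


def parse_password_file(text: str) -> list:
    """Lines of user:salt:hash; blank lines and comments are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, salt, digest = line.split(":")
        entries.append((user, salt, digest))
    return entries


def audit(password_file: str, wordlist: list) -> dict:
    """Return {user: recovered_password} for every account that falls."""
    cracked = {}
    for user, salt, digest in parse_password_file(password_file):
        for word in wordlist:
            for guess in candidates(word):
                # Each account has its own salt, so each guess is hashed per account.
                if hash_password(salt, guess) == digest:
                    cracked[user] = guess
                    break
            if user in cracked:
                break
    return cracked


# Constructed sample password file: two weak choices and one strong one.
WORDLIST = ["password", "welcome", "hospital", "nurse", "doctor"]
PASSWORD_FILE = "\n".join([
    "# user:salt:sha256(salt+password)",
    "alice:s1:" + hash_password("s1", "Hospital1"),
    "bob:s2:" + hash_password("s2", "password"),
    "carol:s3:" + hash_password("s3", "x7!Qm-2vL9#pT"),
])

if __name__ == "__main__":
    for user, pw in audit(PASSWORD_FILE, WORDLIST).items():
        print(f"{user}: weak password {pw!r}")
```

The result of such a run is a list of accounts to reset, not a list to file away; the monthly cadence only helps if the same weak choices stop reappearing.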
Organizational Practices for Immediate Implementation
Security and Confidentiality Policies. Organizations should develop explicit security and confidentiality policies that express their dedication to protecting health information. These policies should clearly state the types of information considered confidential, the people authorized to release the information, the procedures that must be followed in making a release, and the types of people who are authorized to receive information. They should clearly reference relevant state and federal legislation regarding the confidentiality of health care information.
Security and Confidentiality Committees. Organizations should establish standing committees charged with developing and revising policies and procedures for protecting patient privacy and for ensuring the security of information systems. Small organizations that lack the resources or personnel for a formal committee should, at a minimum, designate a person or a small group of people to develop policy.
Information Security Officers. Organizations should identify a single employee to serve as a security officer who is authorized to implement and monitor compliance with security policies and practices and to maintain contact with national organizations that promulgate and enforce guidelines and standards regarding system security. The security officer should have tools available for implementing access and retrieval control mechanisms, as well as the firewall functions that control access and transmittal to remote locations. The information security officer need not be a full-time position in a small organization, but sufficient time should be invested to ensure adequate protection.
Education and Training Programs. Organizations should establish education and training programs to ensure that all users of information systems receive some minimum level of training in relevant security practices and knowledge regarding existing confidentiality policies. All computer users should complete such training before being granted access to any information systems.
Sanctions. Organizations should develop a clear set of sanctions for violations of confidentiality and security policies. Such sanctions should be applied uniformly and consistently to all violators, regardless of job title. Organizations should exercise zero tolerance in enforcing sanctions, ensuring that no violation goes unpunished. Sanctions should be established in relation to the seriousness of the violation. Organizations should terminate employees who willfully violate policy and should report such violations to appropriate licensing boards, where applicable. Negligent, rather than willful, violations of policy should be given lesser sanctions. Organizations should ensure that processes are in place for adjudicating all alleged violations of policy.
Improved Authorization Forms. Health care organizations should develop authorization forms designed to improve patients' understanding of health data flows and to limit the time period for which patients authorize the release of health information. These forms should be separate from other consent forms (e.g., those requesting consent to provide care), should inform patients of the existence of an electronic medical record, and should outline the policies and procedures in place to protect patient privacy. In addition, the forms should explicitly list the types of organizations to which identifiable or unidentifiable information is commonly released (e.g., insurers, researchers, and managed care companies). The forms should authorize the organization to release the specified information for a limited amount of time only, after which the organization must obtain new authorization from the patient. Attempts should be made to write the form in language that is accessible to the patient population.
Patient Access to Audit Logs. Health care providers should give patients the right to request audits of all accesses to their electronic medical records and to review such logs. As with access to patient records, providers may retain the right to share the audit log with patients in the presence of a provider employee who can explain the reasons for legitimate access. This practice not only will enable patients to ensure that their privacy has not been violated but will also help educate patients as to health data flows and perhaps create a more trusting relationship between patients and providers.
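As an added illustration of the patient-facing audit review described above (not code from the report), the following produces the list of accesses to one patient's record from an access log and marks each access as expected, because the user is on the documented care team or holds an administrative role, or as needing explanation. The log format, roles, care-team table, and sample records are constructed assumptions.

```python
"""Patient-facing audit report from an access log.

Added example, not code from the report. Log format, roles, the care-team
table and the sample records are constructed assumptions.
"""
import csv
import io

# Constructed access log: one line per access to a clinical record.
ACCESS_LOG = """timestamp,user,role,patient_id,action
1997-03-01T09:12:00,dr_ng,physician,P1001,view_notes
1997-03-01T09:40:00,rn_lee,nurse,P1001,view_meds
1997-03-01T13:05:00,billing_07,clerk,P1001,view_encounter
1997-03-02T22:17:00,dr_park,physician,P1001,view_notes
1997-03-02T22:18:00,dr_park,physician,P2002,view_notes
1997-03-03T08:00:00,dr_ng,physician,P1001,update_notes
"""

# Documented treatment relationships (assumed to come from admission/scheduling data).
CARE_TEAM = {
    "P1001": {"dr_ng", "rn_lee"},
    "P2002": {"dr_park"},
}

# Roles whose access is expected without a named treatment relationship.
ADMINISTRATIVE_ROLES = {"clerk"}


def parse_log(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def patient_report(records: list, patient_id: str, care_team: dict = CARE_TEAM) -> list:
    """Every access to patient_id, each marked 'expected' or 'review'."""
    team = care_team.get(patient_id, set())
    report = []
    for r in records:
        if r["patient_id"] != patient_id:
            continue
        expected = r["user"] in team or r["role"] in ADMINISTRATIVE_ROLES
        report.append({
            "when": r["timestamp"],
            "who": r["user"],
            "role": r["role"],
            "what": r["action"],
            "status": "expected" if expected else "review",
        })
    return report


def needs_review(report: list) -> list:
    """The accesses a provider employee should be able to explain to the patient."""
    return [e for e in report if e["status"] == "review"]


if __name__ == "__main__":
    for entry in patient_report(parse_log(ACCESS_LOG), "P1001"):
        print(entry)
```

An access marked for review is not necessarily a violation (a covering physician at night is a common legitimate case), which is why the text has a provider employee present to explain the entries; the point of the report is that such accesses are visible at all.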
Security Practices for Future Implementation
The practices listed above are intended for immediate implementation in order to provide health care organizations with a minimally sufficient level of security in the current environment. Over the next several years, the security environment will change significantly as health care organizations move more health information on-line and begin to transfer more information electronically between users. In order to prepare for this new world and maintain adequate privacy and security, practices will have to evolve. Health care organizations will need to continue to invest in security technology.
The practices outlined below are intended to help the health care industry prepare for the future. In large part, the ability of health care organizations to implement the technical practices recommended below will depend on the general availability of the relevant technology. In some cases, availability will be a consequence of demands in markets including but not limited to health care (i.e., the general business market). In other cases, products will become available only if health care organizations demand them. In either event, health care organizations should start planning now to implement these practices in the future. They should begin to work with vendors to define the requirements of future health information systems so that the systems will be available when needed.
Strong Authentication. Health care organizations should move toward implementing strong authentication practices that provide greater security than individual log-on IDs and passwords. Authentication systems incorporating single-session or encrypted authentication protocols (similar to the Kerberos protocol described in Chapter 4) are expected to become available in some commercial products as early as 1997 and should be adopted shortly thereafter. Token-based authentication systems that require some sort of card, button, or badge in addition to a user password should also be adopted. Such systems are used widely in the banking industry today (automated teller machines are an example) and are being used experimentally in some health care organizations. Though more costly than a system using log-in IDs and passwords, the additional protection of token-based systems is likely to become necessary in health care organizations, and the price of tokens and readers is expected to drop over the next several years as their use expands in other industries.
Enterprise-wide Authentication. Organizations should move toward enterprise-wide authentication systems in which users need to log on only once during each session and can access any of the systems, functions, or databases to which they have access privileges. Such systems should be generally available in 2001. Because such a system concentrates security for many systems in a single authentication transaction, it must be used in conjunction with other technical and management practices that ensure good password protection.
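The following is an added illustration of the single log-on arrangement described in the two paragraphs above; it is not code from the report, and it is a deliberately simplified cousin of the Kerberos-style protocol the text refers to. One authentication server checks the password once and issues a time-limited ticket; each application verifies the ticket with a shared key and never handles the password. The ticket key, ticket lifetime, and the account are assumptions for the example.

```python
"""Enterprise-wide (single sign-on) authentication with a signed ticket.

Added example, not code from the report. The ticket key, lifetime and the
account are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import json
import os

PBKDF2_ROUNDS = 100_000   # assumption; tune to the server hardware


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthServer:
    """Holds salted PBKDF2 password hashes and the ticket-signing key."""

    def __init__(self, ticket_key: bytes, lifetime: int = 8 * 3600):
        self.ticket_key = ticket_key
        self.lifetime = lifetime       # seconds a ticket stays valid
        self.users = {}

    def enrol(self, user: str, password: str, roles: list) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[user] = (salt, digest, list(roles))

    def login(self, user: str, password: str, now: int):
        """The one password check per session; returns a ticket or None."""
        rec = self.users.get(user)
        if rec is None:
            return None
        salt, digest, roles = rec
        offered = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(offered, digest):
            return None
        claims = {"sub": user, "roles": roles, "iat": now, "exp": now + self.lifetime}
        payload = json.dumps(claims, sort_keys=True).encode()
        mac = hmac.new(self.ticket_key, payload, "sha256").hexdigest()
        return _b64(payload) + "." + mac


def verify_ticket(ticket: str, ticket_key: bytes, now: int):
    """What every application does on each request: the claims, or None."""
    try:
        payload_b64, mac = ticket.split(".")
        payload = _unb64(payload_b64)
    except ValueError:                 # malformed (binascii.Error is a ValueError)
        return None
    expected = hmac.new(ticket_key, payload, "sha256").hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None                    # forged, altered, or signed with another key
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return None                    # expired: the user must log in again
    return claims


def require_role(claims, role: str) -> bool:
    """Authorization is still decided per application, from the ticket's claims."""
    return bool(claims) and role in claims["roles"]


if __name__ == "__main__":
    key = os.urandom(32)
    server = AuthServer(key)
    server.enrol("alice", "correct horse battery", ["lab_results", "pharmacy"])
    ticket = server.login("alice", "correct horse battery", now=1000)
    print("lab system:", require_role(verify_ticket(ticket, key, now=1100), "lab_results"))
    print("radiology:", require_role(verify_ticket(ticket, key, now=1100), "radiology"))
```

The example makes the text's caveat concrete: one password and one ticket key now stand in front of every application, so a weak password or a leaked ticket key compromises all of them at once, and the ticket lifetime bounds how long a stolen ticket remains useful.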
Access Validation. Organizations that store, process, or collect health information should use software tools to help ensure that the information made available to users complies with their access privileges. It is often difficult to partition medical records in a way that closely matches the access privileges of different types of users. For example, doctors' notes can contain sensitive information that many users with access to clinical information have no need to know. Access controls themselves, whether based on job descriptions or sets of individual user privileges, provide no means of ensuring that the data retrieved by individual users contain no information that they are not privileged to see. Efforts are currently under way to develop tools that will check the information being transmitted to the user to detect and mask information that they have no need to know.
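As an added illustration of the two layers the paragraph distinguishes (not code from the report), the following first applies ordinary section-level access control by role and then checks the content actually being returned, masking sentences in free-text notes that a role has no need to know. The section names, role policy, and sensitive-content patterns are constructed assumptions; a production filter would be driven by coded data such as diagnosis codes and note types rather than keywords alone.

```python
"""Access validation: check what is returned to a user, not only what may be queried.

Added example, not code from the report. Section names, the role policy
and the sensitive-content patterns are constructed assumptions.
"""
import copy
import re

# Constructed record: structured sections plus free-text physician notes.
RECORD = {
    "demographics": {"name": "J. Doe", "dob": "1950-01-01"},
    "labs": {"hba1c": "7.1%"},
    "physician_notes": (
        "Follow-up for diabetes. Patient reports good adherence. "
        "Also discussed ongoing treatment for major depression; "
        "HIV test from last visit negative."
    ),
    "billing": {"encounter": "E-4421", "amount": "120.00"},
}

# Layer 1, ordinary access control: which sections each role may retrieve.
ROLE_SECTIONS = {
    "physician": {"demographics", "labs", "physician_notes", "billing"},
    "nurse": {"demographics", "labs", "physician_notes"},
    "clerk": {"demographics", "billing"},
}

# Roles that may see sensitive free-text content unmasked.
SENSITIVE_ALLOWED = {"physician"}

# Layer 2, content check: sentences a general clinical role has no need to know.
SENSITIVE_PATTERNS = [
    re.compile(r"[^.]*\b(depression|psychiatric|substance abuse)\b[^.]*(\.|$)", re.I),
    re.compile(r"[^.]*\bHIV\b[^.]*(\.|$)", re.I),
]
MASK = " [withheld: no need to know]"


def mask_sentences(text: str) -> str:
    """Replace each sentence that matches a sensitive pattern."""
    for pattern in SENSITIVE_PATTERNS:
        text = pattern.sub(MASK, text)
    return text


def view(record: dict, role: str) -> dict:
    """The record as this role is allowed to see it."""
    allowed = ROLE_SECTIONS.get(role, set())
    result = {}
    for section, content in record.items():
        if section not in allowed:
            continue                                  # layer 1: whole section denied
        if isinstance(content, str) and role not in SENSITIVE_ALLOWED:
            content = mask_sentences(content)         # layer 2: content inspected
        result[section] = copy.deepcopy(content)
    return result


if __name__ == "__main__":
    for role in ("physician", "nurse", "clerk", "visitor"):
        print(role, view(RECORD, role))
```

Keyword masking of this kind is a floor, not a ceiling: it will miss sensitive facts phrased in other words, so the mask should be logged and audited alongside the access itself.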
Expanded Audit Trails. Health care organizations should implement expanded audit trails. It is reasonable to expect that by 2001, all health care organizations should be able to maintain logs of all internal accesses to clinical information, especially if they begin to demand audit capabilities today.9 In the longer term, health care organizations should pursue the use of technologies and products that support interorganizational (i.e., global) audit trails that allow all patient-identifiable health information to be traced as it passes through the health care complex. Examples of such technologies include the cryptographic envelopes and electronic watermarking technologies described in Chapter 4. These technologies are still in their infancy and will require additional research and development to become commercially viable (see Recommendation 5).
Electronic Authentication of Records. All health care organizations that use computerized electronic systems for order entry, discharge summaries, and other critical records should incorporate technologies for electronic signatures. At a minimum, such systems should record the log-on identifier of the user that enters or modifies data in an electronic record. Such capabilities are possible today and should be incorporated into all new systems brought on-line after 1999. Whether or not a cryptographic digital signature is used is not as important as the capability to identify the individual who enters or alters each element of information in the electronic record. Organizations that wish to use such signatures to establish evidentiary trails admissible in a court of law must pay attention to the legal requirements of the states in which they operate. This recommendation is not intended to support or undercut various existing or proposed digital signature laws at the state level, although the federal Health Insurance Portability and Accountability Act of 1996 mandates the development of standards for electronic signatures by February 1998.
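The following is an added illustration of the minimum capability the paragraph asks for, namely recording which log-on identity entered or altered each element of a record; it is not code from the report. Each change is appended as an entry that names the user, the field, the new value, and the time, and each entry carries a keyed hash over itself and the previous entry's hash, so later alteration or removal of an entry is detectable. The organization's key, field names, and sample edits are assumptions. As the text notes, this is not a per-user digital signature: the keyed hash proves only that a holder of the organization's key wrote the entry, which is enough for internal attribution but not for an evidentiary trail.

```python
"""Per-element attribution of record changes with a tamper-evident chain.

Added example, not code from the report. The organisation's key, the
field names and the sample edits are assumptions for illustration.
"""
import hmac
import json


class ChartLog:
    """Append-only log of changes to one patient's electronic record."""

    def __init__(self, key: bytes):
        self.key = key
        self.entries = []

    def _mac(self, body: dict) -> str:
        data = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self.key, data, "sha256").hexdigest()

    def record(self, user: str, field: str, value: str, when: str) -> dict:
        """Append one change; the log-on identifier is part of the entry."""
        prev = self.entries[-1]["mac"] if self.entries else "genesis"
        body = {"seq": len(self.entries), "user": user, "field": field,
                "value": value, "when": when, "prev": prev}
        entry = dict(body, mac=self._mac(body))
        self.entries.append(entry)
        return entry

    def verify(self, expected_tail: str = None) -> bool:
        """Recompute every MAC and link; optionally check against a stored tail."""
        prev = "genesis"
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "mac"}
            if body["seq"] != i or body["prev"] != prev:
                return False                       # entry removed or reordered
            if not hmac.compare_digest(self._mac(body), entry["mac"]):
                return False                       # entry altered after the fact
            prev = entry["mac"]
        if expected_tail is not None and prev != expected_tail:
            return False                           # newest entries truncated
        return True

    def tail(self) -> str:
        """Value to store outside the log (e.g. with the audit system) against truncation."""
        return self.entries[-1]["mac"] if self.entries else "genesis"

    def history(self, field: str) -> list:
        """Who set this field to what, and when, in order."""
        return [(e["user"], e["value"], e["when"])
                for e in self.entries if e["field"] == field]

    def current(self) -> dict:
        """The record as it stands: the last value written to each field."""
        state = {}
        for e in self.entries:
            state[e["field"]] = e["value"]
        return state


if __name__ == "__main__":
    log = ChartLog(b"constructed-organisation-key")
    log.record("dr_ng", "order.drug_a", "500 mg, three times daily", "1997-03-01T09:00")
    log.record("rn_lee", "order.drug_a", "500 mg, twice daily", "1997-03-01T10:30")
    print(log.history("order.drug_a"), log.verify())
```

The chain detects changes to entries already in the log and removal from the middle, but not the silent removal of the newest entries; that is what storing the tail value elsewhere is for, and it is the same reason audit logs are normally written to a system the users of the record cannot administer.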
Creating an Industry-wide Security Infrastructure
Although individual organizations can make considerable progress in improving patient privacy and the security of health information by implementing the policies, practices, and procedures outlined in Recommendation 1 above, additional efforts must be taken at the industry level to facilitate long-term advances in privacy and security. To date, most health care organizations have attempted to assess the vulnerabilities of their electronic health information systems and to develop solutions in isolation, without benefiting from the experience of others. Greater collaboration in both of these areas promises long-term improvements in privacy and security throughout the industry.
Recommendation 2: Government and the health care industry should take action to create the infrastructure necessary to support the privacy and security of electronic health information. The comprehensive protection of electronic health information would benefit from an industry-wide infrastructure that would develop and promote adoption of proven practices for protecting privacy and security and would facilitate greater sharing of security-related information among organizations that collect, process, and store health information. Many of these tasks are currently conducted in a fragmented manner, with little coordination between standards-development bodies and accrediting agencies or between organizations responsible for different sectors of the industry, such as hospitals, managed care organizations, and insurers. The committee believes that greater coordination of these disparate efforts would help address many of the systemic concerns about the privacy of health information and would provide clear leadership to individual health care organizations regarding the standards with which they should comply. While health care organizations have strong incentives to develop health care applications of national information infrastructure, they do not necessarily have strong incentives to improve privacy and security. The committee makes three subrecommendations described below to support this goal.
Recommendation 2.1: The Secretary of Health and Human Services should establish a standing health information security standards subcommittee within the National Committee on Vital and Health Statistics to develop and update privacy and security standards for all users of health information. Membership should be drawn from existing organizations that represent the broad spectrum of users and subjects of health information. The Secretary of Health and Human Services has already charged the National Committee on Vital and Health Statistics (NCVHS) with recommending standards for the security of electronic health information as called for in the Health Insurance Portability and Accountability Act of 1996. NCVHS should appoint a standing subcommittee that would monitor changing concerns regarding the privacy of health information and new approaches to protecting such information. Although a number of disparate organizations are currently attempting to develop standards for the security of health information systems and patient privacy (including the American National Standards Institute's Health Informatics Standards Board and its members, the Computer-based Patient Record Institute, and the American Health Information Management Association), none of these organizations represents the broad spectrum of users of health information as well as NCVHS does, and none has demonstrated clear leadership in setting and promulgating standards. The decentralization of standards-making activities has instead tended to impede the dissemination and application of standards in the health care industry.
The committee recommends that the health information security standards subcommittee be empowered to advise and offer recommendations to the Secretary of Health and Human Services regarding (1) uniform standards of privacy and security that would apply to all users of health information, whether providers, payers, benefits managers, or researchers; (2) exchanges of health information between and among health-related organizations; (3) limits on the types of health information that different types of organizations should be allowed to collect (e.g., determining how much information the insurance industry needs for fraud detection) and how long such information may be kept; and (4) acceptable and unacceptable uses of health information for different types of organizations. It should be formed as a standing committee that will develop revised standards as the uses of health care information change and new technologies become available.
Recommendation 2.2: Congress should provide initial funding for the establishment of an organization for the health care industry to promote greater sharing of information about security threats, incidents, and solutions throughout the industry. Little is known about the extent of violations of privacy and security in the health care industry, in part because the health care industry lacks a formal mechanism for sharing information about the types of attacks and breaches of privacy that organizations have experienced, and mechanisms for improving privacy and security. Establishment of an organization to facilitate information exchanges would provide a means for improving the security of health care organizations as they move into a more networked environment and would provide a sounder basis for making policy. As with the computer emergency response team (CERT Coordination Center) at Carnegie Mellon University, which facilitates information sharing among the Internet community, such an organization would allow sharing of effective technical practices for authentication, access control, encryption, and disaster recovery, as well as organizational practices such as consent statements, employee education, audit trail analysis, provision of access to referring physicians, definitions and enforcement of need-to-know scenarios, confidentiality committee structures, and policies and procedures for exchanging clinical data between disparate provider organizations. At a time when the industry is entering a period of rapid computerization and profound restructuring, and hence facing new problems, a forum for exchange of information has obvious benefits.
The organization, nominally called Med-CERT, would (1) acquire reports of security-related incidents at health care organizations; (2) define best practices for addressing common problems; (3) make recommendations to the health information security standards subcommittee regarding standards for securing health information systems; (4) define needed research; and (5) act as a liaison between the health care industry and the computer security community at large (including the CERT Coordination Center, the NASA Automated System Incident Response Corps, and international bodies). In order to facilitate the cooperation of health care organizations, the organization would have to take steps to ensure the confidentiality of incident information shared with it. To ensure a degree of visibility, Med-CERT should be established either within the federal government or as a private entity with strong links to a government agency such as the Department of Health and Human Services. Given the fiscal realities and existing priorities of the health care industry, Med-CERT will undoubtedly require funding from the federal government. Initial funding need not be large, perhaps just enough to support a dozen full-time employees.
Addressing Systemic Issues Related to Privacy and Security
Recommendations 1 and 2 (with 2.1 and 2.2) are geared toward promoting better policies, procedures, and practices within health care organizations for protecting patient health information. As noted in Chapter 3, the greatest concerns regarding patient privacy stem from the widespread dissemination of information throughout the health care industry and related industries, often without the knowledge or consent of patients. In many cases, this information can be used in ways that are perceived as detrimental to patient privacy and contrary to the interests of patients. The committee recognizes that privacy interests are only one consideration in the use of patient health information and acknowledges the existence of considerable controversy regarding the extent to which such practices should be allowed. Such controversy pits the economic interests of companies that use health information against those of patients. Although the committee was not constituted with the range of expertise needed to render judgments and recommendations in this area, it calls attention to the existence of this conflict and emphasizes the need to determine how and to what extent greater control needs to be taken over these flows of information in order to protect patient privacy. Only when such questions are answered can policy be properly formulated.
Recommendation 3: The federal government should work with industry to promote and encourage an informed public debate to determine an appropriate balance between the privacy concerns of patients and the information needs of various users of health information. The purpose of this debate should be to reach some general consensus about the balance that should be struck between privacy concerns and the demands of organizations for health information. Attempts will be needed to develop initial consensus about the central issues and the parameters of an acceptable resolution. To further this debate and provide opportunities for better informing the debate, the committee makes five subrecommendations.
Recommendation 3.1: Organizations that collect, analyze, or disseminate health information should adopt a set of fair information practices similar to those contained in the federal Privacy Act of 1974. These practices would define the obligations and responsibilities of organizations that collect, analyze, or store health information; establish enforcement rights for patients; and make the flows of health information more transparent to patients (Box 6.1).10 It is expected that, at minimum, organizations that collect, process, or disseminate health information would disclose information describing the existence and nature of all individually identified health data they retain, the source from which the data are collected, and the types of organizations to which they regularly release the data. Such disclosure helps educate patients about the flows of health data and their rights in controlling those flows, thereby facilitating the discussion of privacy and security issues and the development of consensus. Personal awareness of privacy rights and potential abuses is one of the best countervailing pressures against the economic incentives that drive organizations to share information. Moreover, public awareness and concern may be an essential prerequisite to the passage of necessary legislation of any strength.
Recommendation 3.2: The Department of Health and Human Services should work with state and local governments, health care researchers, and the health care industry to establish a program to promote consumer awareness of health privacy issues and the value of health information for patient care, administration, and research. It should also conduct studies that will develop a series of recommendations for improving the level of consumer awareness of health data flows. Patients generally know less about the collection and uses of health information than do care providers, insurers, managed care organizations, researchers, and others who make use of the information. Having a neutral party like the Department of Health and Human Services, which is also involved in the development of standards for electronic data exchange, privacy, and security, take a more active role in educating patients may help improve patients' understanding of health data flows and generate a more informed public debate. Studies could examine the use of current public media such as magazines, community college-based seminars, and local news media as vehicles for informing the general public about these issues.
BOX 6.1 Major Provisions of the Federal Privacy Act of 1974
The Privacy Act of 1974 is designed to outline the responsibilities of federal agencies regarding the collection, use, and dissemination of personal information contained in their records systems. The act adopts the set of principles outlined by a committee of the Department of Health, Education, and Welfare in 1973 for protecting privacy:1 (1) there must be no secret personal data record-keeping system; (2) there must be a way for individuals to discover what personal information is recorded and how it is used; (3) there must be a way for individuals to prevent information about them, obtained for one purpose, from being used or made available for other purposes without their consent; (4) there must be a way for individuals to amend a record about themselves; and (5) an organization creating, maintaining, using, or disseminating records of identifiable personal data must ensure the reliability of the data for their intended use and must take reasonable precautions to prevent misuse of the data. The Privacy Act specifically
Recommendation 3.3: Professional societies and industry groups11 should continue and expand their leadership roles in educating members about privacy and security issues in their conference discussions and publications. These are the primary organizations for reaching health care professionals who use health information. Although each already has some initiatives under way regarding privacy, such programs need to be given higher priority. These organizations, whose members have a strong interest in the use of patient information in a clinical setting, could work with privacy advocates and patient representatives to gain a deeper, more comprehensive view of patient concerns regarding privacy and would then be in a better position to develop sound recommendations in this area.
Recommendation 3.4: The Department of Health and Human Services should conduct studies to determine the extent to which, and the conditions under which, users of health information need data containing patient identities. Attempts to limit or control the flows of data to users not involved in the provision of care, whether through legislative or other means, will have to be based on a thorough analysis of the types of uses that different types of organizations have for health information. Secondary users make many claims that patient-identifiable data are necessary for legitimate uses such as fraud detection and benefits management. These claims originated at a time in which public concerns for privacy were far less intense than they are today and in which technologies to protect anonymity were far less developed. A fresh look to determine the minimum set of patient-identifiable data needed for these stated goals could result in a significant reduction of collected data that are patient identified. It may be possible to use aggregated or anonymous data for certain applications. In other cases, such as some long-term medical research, identifiable data may be the only alternative. Understanding these different uses and the differing needs for patient-identifiable data will allow a more reasoned debate of patient privacy issues.
Recommendation 3.5: The Department of Health and Human Services should work with the U.S. Office of Consumer Affairs to determine appropriate ways to provide consumers with a visible, centralized point of contact regarding privacy issues (a privacy ombudsman). Consumers currently have limited avenues for seeking redress of alleged violations of privacy or for fully understanding their rights in this area. Although some hospitals employ advocates to act on the patient's behalf in addressing a variety of concerns, privacy is only one of a variety of problems that these patient advocates must address, and many other provider organizations have no one to counsel patients about their rights to privacy. Moreover, there is no obvious place for patients to lodge concerns regarding alleged breaches of privacy by organizations that are not care providers, such as insurers, benefits managers, and marketing firms. Consumers need a mechanism for learning about their rights and how they may seek recourse for violations of fair information practices, and they need to be protected from the possibility that their access to care may be jeopardized by exercising their established privacy rights. A privacy advocate appointed within the Department of Health and Human Services is ideally situated to work with the Office of Consumer Affairs to determine the type of ombudsman that would be appropriate for health privacy issues.
Several different models for a privacy ombudsman are possible, depending on the anticipated size of the need and the level of decentralization desired. For example, a national telephone hotline could be established to provide consumers a "one-stop shop" for guidance regarding means of seeking redress; state offices could be established to field complaints from patients and conduct investigations as necessary. Several state Attorney General's offices already have ombudsmen to address patient safety and rights in nursing homes and to accept complaints regarding insurance companies; their roles could expand to address issues related to patient privacy, by taking advantage of existing capabilities and infrastructure.12
Together, the five subrecommendations in recommendation 3 are intended to promote a broad public debate over the ways in which—and the extent to which—privacy considerations should enter into the nation's attempt to determine ways of adjudicating the competing interests of consumers and various organizations in society (providers, employers, payers for health care). If the result of this debate is a decision that the privacy interests of consumers should weigh more heavily in this competition, several legislative options could strengthen the hands of consumers (Box 6.2).
Developing Patient Identifiers
The systemic issues relating to patient privacy are strongly related to the possible development and promulgation of a universal patient identifier. The Health Insurance Portability and Accountability Act of 1996 directs the Secretary of Health and Human Services to promulgate standards for a universal health identifier that will be assigned to each individual (i.e., patient), employer, health plan, and health care provider for use in the health care system. The decision to implement a universal health identifier and the particular design of the identifier have significant implications for patient privacy to the extent that they facilitate or impede the linking of records between and among institutions.13
The ability to link patient records among health care organizations has many advantages in the provision of care, epidemiological research, and the analysis of care and utilization patterns. For example, it is generally the case that physicians can provide better care if they have a complete patient record on which they can base clinical decisions. In some instances, insurance fraud can also be detected more easily when more complete patient records are available. The ability to link health information with other types of information such as employment, education, driving record, credit history, previous arrests and convictions, purchasing habits, telephone conversations, and e-mail exchanges, however, is more contentious. Economic and other forces create incentives to link individual patient data in ways that may well be detrimental to patient interests. For example, linkages of patient information with purchasing and financial information can subject individuals to marketing campaigns for new or existing therapies. Patient information linked to employment may create incentives for denying an otherwise qualified individual a job.
BOX 6.2 Possible Legislative Options for Addressing Systemic Concerns
Patients currently have few rights regarding the privacy of health information contained in private databases, beyond those provided at the state level. State laws are inconsistent, often incomplete, and difficult to prosecute. A number of initiatives could be pursued to give patients greater rights regarding the protection of health information. Should the nation wish to pursue a public policy course that places greater emphasis on the privacy and security of patient-specific health information, legislation (or, equivalently, regulation with the force of law) may be needed. The committee believes that legislation of the following types could enhance the privacy of health-related information.
The committee notes that legislation in all of these areas has implications that go far beyond the question of protecting the privacy interests of consumers, and realizes that making recommendations about the desirability of such legislation is beyond its expertise and charge.
Recommendation 4: Any effort to develop a universal patient identifier should weigh the presumed advantages of such an identifier against potential privacy concerns. Any method used to identify patients and to link patient records in a health care environment should be evaluated against the privacy criteria listed below.
- The method should be accompanied by an explicit policy framework that defines the nature and character of linkages that violate patient privacy and specifies legal or other sanctions for creating such linkages. That framework should derive from the national debate advocated in Recommendation 3.
- It should facilitate the identification of parties that link records so that those who make improper linkages can be held responsible for their creation.
- It should be unidirectional to the degree that is technically feasible: it should facilitate the appropriate linking of health records given information about the patient or provided by the patient (such as the patient's identifier), but prevent a patient's identity from being easily deduced from a set of linked health records or from the identifier itself.
The first criterion requires that the nation decide which types of record linkages will be legal or illegal. The United States has applied this approach sporadically to protect certain types of information. For example, the perceived unfairness of using videotape rental records in the fight against the confirmation of Judge Bork for a seat on the Supreme Court led to the adoption of a law that specifically prohibits such a practice. The same law does not apply, however, to other types of records. In practice, it is difficult to legislate a prohibition on the collection of such data because institutions often have a legitimate need for the information. Prohibitions must therefore focus on the uses of such data. Unscrupulous people could, of course, still collect, collate, and use such data in ways that are prohibited, but the threat of well-defined and rigorously enforced legal sanctions would help limit such abuses.
The second criterion helps to make such a policy framework enforceable by reducing or eliminating opportunities to create improper linkages between records. If a visible and overt act is necessary to link information, illegal or unauthorized attempts to link information from various sources can be detected and traced, and guilty parties sanctioned. For example, if financial databases and health information databases used different identifiers, linkage between financial and health information would require someone to provide a translation between the different identifiers. If linkage of health and financial information without explicit patient consent were defined as a prohibited act, the fact that a linkage had been made would be an obvious indicator that a prohibited act had occurred; the party responsible for the translation would be a logical point at which to begin an investigation.
The third criterion supports patient privacy by requiring that the patient provide some information (e.g., an identifier) that can be interpreted as patient authorization for a linkage to take place. However, unidirectional linkage prevents inference of the patient's identity from just the information contained in any collection of records.
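The three criteria can be made concrete with a small scheme of the kind the notes to this section mention, in which an individual has a different identifier for each type of data. The following Python sketch is an added example, not the report's proposal: the master token, the keyed-hash derivation, the linkage authority and the consent policy are all assumptions chosen to show how each criterion is satisfied.

```python
# Added example (not from the report): each patient holds a random master token on
# a card; every data domain (health, financial, ...) derives its own identifier from
# it with a keyed hash. A hypothetical linkage authority alone holds the domain keys.
import hashlib
import hmac
import secrets

# Criterion 1: an explicit policy naming the linkages that need patient consent.
# The health/financial pair is the report's own example of such a linkage.
CONSENT_REQUIRED = {frozenset({"health", "financial"})}


def domain_identifier(domain_key: bytes, master_token: bytes) -> str:
    """Identifier used inside one domain. HMAC is one-way, so records carrying
    this value reveal neither the token nor the patient (criterion 3, backward)."""
    return hmac.new(domain_key, master_token, hashlib.sha256).hexdigest()[:32]


class LinkageAuthority:
    """Sole holder of the domain keys: every cross-domain translation passes
    through here and is written to an audit log (criterion 2)."""

    def __init__(self, domains):
        self._keys = {d: secrets.token_bytes(32) for d in domains}
        self._reverse = {}      # (domain, identifier) -> master token
        self.audit_log = []     # (requester, purpose, src, dst, outcome)

    def enroll(self) -> bytes:
        """Issue a master token (carried on the patient's card) and index the
        per-domain identifiers derived from it."""
        token = secrets.token_bytes(16)
        for d, key in self._keys.items():
            self._reverse[(d, domain_identifier(key, token))] = token
        return token

    def identifier_for(self, domain: str, master_token: bytes) -> str:
        """Patient presents the token, e.g. at a clinic, and gets that domain's
        identifier; holding the token is the authorisation (criterion 3, forward)."""
        return domain_identifier(self._keys[domain], master_token)

    def translate(self, requester, purpose, src, src_id, dst, consent=False):
        """Map an identifier across domains with the patient absent. Refused for
        consent-requiring pairs unless consent is recorded; every attempt is logged."""
        if frozenset({src, dst}) in CONSENT_REQUIRED and not consent:
            self.audit_log.append((requester, purpose, src, dst, "REFUSED"))
            raise PermissionError(f"{src}->{dst} linkage needs patient consent")
        token = self._reverse[(src, src_id)]
        self.audit_log.append((requester, purpose, src, dst, "ALLOWED"))
        return domain_identifier(self._keys[dst], token)


def demo():
    """Walk one patient through the scheme; returns values a test can check."""
    authority = LinkageAuthority(["health", "financial"])
    card = authority.enroll()
    health_id = authority.identifier_for("health", card)
    bank_id = authority.identifier_for("financial", card)
    # A marketer holding only the bank identifier cannot reach the health one:
    # the hash cannot be inverted, and the authority refuses without consent.
    refused = False
    try:
        authority.translate("marketer", "campaign", "financial", bank_id, "health")
    except PermissionError:
        refused = True
    # With recorded consent (e.g. for billing) the same translation succeeds and
    # leaves an audit entry naming the requester.
    billed = authority.translate("billing_office", "claim", "financial", bank_id,
                                 "health", consent=True)
    return {"health_id": health_id, "bank_id": bank_id, "refused": refused,
            "translated": billed, "log": authority.audit_log}
```

The refused attempt is the "visible and overt act" the text describes: it shows up in the authority's log with the requester's name, which is where an investigation would start.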
Practical application of these criteria is difficult given existing technology, but it will become more straightforward as technologies for controlling the distribution of information, such as rights management software (see Chapter 4), become more commonplace and as additional research investigates new types of identification and records-linking schemes (see Recommendation 5). In the meantime, many health care organizations have found that they can effectively link patient records within their expanding health care systems through the creation of master patient indexes. These indexes match patient records in affiliated institutions that use differing numbering systems through the use of demographic data. Although not all records or patients can be matched unambiguously, organizations that have adopted this approach report high levels of success. Linkages with organizations outside the institution can often be accomplished with information already contained in the patient record.
The three criteria given above are meant to ensure that privacy concerns are explicitly recognized in the debate over the universal patient identifier. The committee recognizes that privacy interests are only one dimension of this debate. For example, it is also important that an identifier be structured such that it does not unduly delay or prevent the provision of care, meaning that it must allow care providers to retrieve or link patient records in an emergency situation when the patient may be unable to divulge a particular identification number or may not be carrying an identification card. Other criteria must also be considered in the debate (Box 6.3).
One often-discussed universal patient identifier is the Social Security number (SSN). The committee believes that an unmodified SSN would provide little, if any, protection against attempts to link health information with other types of personal information. Although not part of its original design, the SSN is in such broad use, not only by the Social Security Administration but also by all other branches of government and many commercial enterprises, that it almost serves the function of a universal identifier today. As such, use of the SSN raises many legitimate privacy concerns.14 On the other hand, the SSN has several attributes that make it attractive as a universal patient identifier. Among these are the fact that the SSN forms the basis of the identifier used by the Medicare program, is contained in many existing patient records held by public and private organizations, and has an existing management infrastructure for assigning numbers.15
Making a recommendation for or against the use of the SSN as a universal health identifier goes beyond the committee's charge and collective expertise. However, the committee notes that the use of any universal health identifier raises many of the same privacy issues raised by use of the SSN. The question the nation must therefore address is whether there are ways of attaining the presumed benefits of a universal patient identifier (better-informed health care, improved detection of fraud in connection with paying for health care services, and simplification of the administration of health care benefits) without jeopardizing patient privacy.16
Szolovits, Peter, and Isaac Kohane. 1994. "Against Universal Health-care Identifiers," Journal of the American Medical Informatics Association, Vol. 1, pp. 316-319.
Hammond, W. Ed. 1997. "The Use of the Social Security Number as the Basis for the National Citizen Identifier," White Papers: The Unpredictable Certainty: Information Infrastructure Through 2000. National Academy Press, Washington, D.C., forthcoming.
For example, through the use of a system of identifiers in which individuals have a different unique identifier for each type of data collected about them or through cryptographic means, as described in Chapter 4.
BOX 6.3 Other Possible Criteria for a Universal Patient Identifier
A universal patient identifier will have to meet other criteria in addition to those designed to protect patient privacy. The following list of criteria derives from a recent report by the Institute of Medicine on the privacy of health information. The committee neither endorses nor rejects these criteria but includes them here as examples of the other considerations that will undoubtedly enter into the debate over universal patient identifiers.
Meeting Future Technological Needs
Recommendation 5: The federal government should take steps to improve information security technologies for health care applications.
As outlined in preceding chapters of this report, patient privacy and the security of electronic health information would be greatly improved by the use of several technologies that are currently under development. The committee has identified three sets of research areas that must be pursued: (1) technologies relevant to computer security generally; (2) technologies specific to health care concerns; and (3) testbeds for a secure health care information system.
Technologies Relevant to the Computer Security Community as a Whole
Recommendation 5.1: To facilitate the exchange of technical knowledge on information security and the transfer of information security technology, the Department of Health and Human Services should establish formal liaisons with relevant government and industry working groups. Many of the technologies that could be used to better protect health information will be developed by the computer security community regardless of the needs or demands of the health care industry. Technologies for authentication, authorization, encryption, and system reliability, for instance, apply to many areas in which information security is relevant and will continue to receive attention from researchers and technologists. Biometric identifiers are the basis for approaches to very strong authentication. Public-key cryptography can be used to solve some privacy and integrity problems but requires an administrative infrastructure to be effective; thus, promotion of a public-key infrastructure would facilitate the greater use of public-key cryptography and its applications to more secure communications and data storage. Better methods to validate software packages and authenticate their sources will be needed in a computing environment based on widespread connectivity through the Internet and remotely executable programs (e.g., Java "applets") to protect against computer viruses and Trojan horse attacks. Although the Department of Health and Human Services is represented in many nongovernment efforts that promote health information standards, the committee believes that the health care community has not connected adequately to the information security community. For example, a consortium for developing biometric identification techniques has recently been formed but lacks representation from health-related government organizations. The health care community must be better aware of developments outside health care and must be prepared to adopt relevant solutions developed for other industries.
Technologies Specific to Health Care
Recommendation 5.2: The Department of Health and Human Services should support research in those areas listed below that are of particular importance to the health care industry, but that might not otherwise be pursued. These technologies offer greater immediate benefit to health care than to other industries for protecting privacy interests and require specific attention and funding by health-related government agencies and industry. They include the following:
- Methods of identifying and linking patient records. Research is needed to find ways of indexing and linking patient records in a manner that protects patient privacy. The ideal scheme would meet the three criteria for privacy outlined in Recommendation 4. It would allow patient records to be easily indexed and linked for purposes of care and other purposes determined to be legitimate, while impeding inappropriate linkages. This research should also address the extent to which a universal identifier is needed to facilitate improved care and health-related research and to simplify administration of benefits.
- Anonymous care and pseudonyms. Today, a patient who wishes to remain anonymous for purposes of care faces a number of serious disadvantages. For example, patients wishing to receive care anonymously must currently pay for health services in cash. More seriously, a patient wishing to be anonymous runs a serious risk when his or her medical history is on-line, although the content of that history may be critical to providing quality medical care. The use of pseudonyms or cryptographically generated aliases may mitigate this problem in the future. An alternative might be the use of narrative templates to restrict the use of names in blocks of narrative text; a record in which names occur only in a header can be efficiently (and perhaps automatically) purged of identifying information. For patients with strong privacy concerns, smart cards containing their medical histories might present an acceptable alternative to storing data in a hospital database or larger community-wide system. Reliable techniques for linking patient records without specific patient identification may reduce the need for assigning patients unique, universal identifiers.
- Audit tools. Audit trails are useful as a deterrent to improper access only if there is some possibility that an improper access will in fact be recognized as such. However, the collection of audit trails routinely generates enormous amounts of data that must then be analyzed. Automated tools to analyze audit trail data would enable much more frequent examination of accesses and thus serve a more effective deterrent role. For example, intelligent screening agents could be developed that would sort through audit data and flag some records for more thorough analysis.
- Tools for rights enforcement and management. The primary unsolved technical problem today relates to secondary recipients of information: today's access control tools can effectively limit primary (first-person) access to data stored on-line, but they are ineffective in controlling the subsequent distribution of data. Work on electronic watermarking (or digital fingerprinting) may provide tools with which the passage of data through a network can be tracked if not prevented. Work is also under way to develop tools that provide fine-grained access control for information. Such tools limit not only the types of information that certain recipients can receive but also the types of actions recipients can take on such information, and they can be used to make audit trail entries on each access action. For example, they may prevent recipients from directly printing the information, storing it on their own computer systems, or forwarding it to another user.17 More effective tools for rights enforcement and management would help to control secondary distribution of data.
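The screening agent described under audit tools, and the patient-facing access list that Charlotte reviews in Box 6.4, can both be built from the same parsed audit trail. The Python below is an added example, not code from the report; the log format, roles, care-team table and thresholds are constructed assumptions.

```python
# Added example (not from the report): a small screening agent of the kind the
# audit-tools bullet describes. It parses constructed audit-trail lines, flags
# accesses that merit closer review, and produces the per-patient access list
# that Box 6.4 has Charlotte reviewing. Field layout, roles, the care-team table
# and the thresholds are all assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail: timestamp|user|role|patient|action|purpose
AUDIT_LINES = """\
1997-03-02T09:01:00|dr_ng|physician|P1001|read|treatment
1997-03-02T09:04:00|dr_ng|physician|P1001|update|treatment
1997-03-02T09:30:00|clerk_7|billing|P1001|read|billing
1997-03-02T11:15:00|dr_ng|physician|P2002|read|treatment
1997-03-02T13:00:00|nurse_k|nurse|P1001|read|treatment
1997-03-02T14:20:00|dr_park|physician|P1001|read|treatment
1997-03-02T22:10:00|clerk_7|billing|P3003|read|billing
1997-03-02T22:11:00|clerk_7|billing|P3004|read|billing
1997-03-02T22:12:00|clerk_7|billing|P3005|read|billing
1997-03-02T22:13:00|clerk_7|billing|P3006|read|billing
1997-03-02T22:14:00|clerk_7|billing|P3007|read|billing
1997-03-03T02:40:00|dr_lee|physician|P1001|read|emergency
"""

# Constructed treatment relationships (a real system would take these from the
# master patient index or scheduling data).
CARE_TEAM = {"P1001": {"dr_ng", "nurse_k"}, "P2002": {"dr_ng"}}

BULK_THRESHOLD = 5                   # distinct patients ...
BULK_WINDOW = timedelta(minutes=10)  # ... touched by one user within this window


def parse(lines):
    """Turn the pipe-separated trail into a list of event dicts."""
    events = []
    for line in lines.strip().splitlines():
        ts, user, role, patient, action, purpose = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "role": role,
                       "patient": patient, "action": action, "purpose": purpose})
    return events


def screen(events):
    """Return (flag, event) pairs for accesses a human should look at."""
    flags = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
        if e["purpose"] == "emergency":
            # Break-glass access is allowed, but always reviewed afterwards.
            flags.append(("emergency-override", e))
        elif (e["purpose"] == "treatment"
              and e["user"] not in CARE_TEAM.get(e["patient"], set())):
            # Clinical access by someone with no treatment relationship.
            flags.append(("outside-care-team", e))
    # Bulk browsing: one user opening many different records in a short span,
    # which no single billing or treatment task normally requires.
    for evs in by_user.values():
        evs.sort(key=lambda x: x["ts"])
        for i, start in enumerate(evs):
            window = [x for x in evs[i:] if x["ts"] - start["ts"] <= BULK_WINDOW]
            if len({x["patient"] for x in window}) >= BULK_THRESHOLD:
                flags.append(("bulk-access", start))
                break
    return flags


def patient_view(events, patient):
    """What a patient such as Charlotte sees: who looked at her record and why."""
    return [(e["ts"].isoformat(), e["user"], e["role"], e["action"], e["purpose"])
            for e in events if e["patient"] == patient]
```

On the constructed trail the agent flags three of twelve accesses, which is the point of the bullet: a reviewer reads three entries rather than twelve, and the emergency access is still visible to the patient in her own list.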
Testbeds for Privacy and Security
Recommendation 5.3: The Department of Health and Human Services should fund experimental testbeds that explore different approaches to access control that hold promise for being inexpensive and easy to incorporate into existing operations and that allow access during emergency circumstances. Today, the trade-offs between the benefits and cost of greater access to electronic health information are not well understood, with the result that decision makers in health care organizations lack a sound analytical basis from which to determine the appropriate level of attention to protecting information. Research is needed that better explicates the costs and benefits of various levels and types of information protection so that decision makers need not function in a vacuum. The Internet Engineering Task Force has been successful in developing standards through a process of trial-and-error development of representative networked systems. Such an approach may prove useful for developing privacy and security standards in health care and may be more successful than attempts to develop standards through traditional committee structures.
Similar research in the health care field could provide useful insight into effective practices and generate information that health care organizations might use to judge the efficacy, cost, and accessibility of varying approaches to privacy and security. Although the National Library of Medicine has funded the development of numerous testbeds to explore health care applications of the national information infrastructure, these efforts do not have as their primary focus attempts to explore privacy and security practices. A number of targeted security testbeds would provide useful information to the health care industry.
The recommendations outlined in this chapter are not meant to be the final word on privacy and security in health care applications of information technology. Over time, the availability of new technology, experience with security management, changes in the structure of the health care industry, changes in the threats posed against information and communications systems, and changes in the public policy environment will require a reevaluation of effective practices. As witnessed to date, the increased capability of information technology in health care, such as electronic medical records, will continually force society to address policy issues that before could be left dormant. Yet, while the nation struggles with legislative initiatives related to privacy, the recommended practices outlined above demonstrate that meaningful steps can be taken to reduce the risk of improper disclosure at an organizational level. The committee believes that these recommendations can help to address concerns about patient information outlined in the Alice scenario in Chapter 3 and can pave the way for more productive, secure applications of information technology to health care (Box 6.4).
BOX 6.4 Charlotte's Data Flows
Charlotte, Alice and Bob's daughter, grew up in a world that refused to stand still. Charlotte was 5 when the managed care firm purchased her pediatrician's practice, and from that age, her primary medical record was kept electronically. Fueled by increasingly available and cheap computing and communications technologies, continuing attempts to control health care costs, and the need for easier access to expert specialists, telemedicine became more common. Alice frequently used her home computer to consult medical references and get additional information about Charlotte's childhood illnesses and injuries. When Charlotte was 10, the managed care firm started a program to make its patients' medical records available to them electronically. Because this was part of an initiative to attract more patients, the firm publicized the program widely and paid particular attention to ensuring that records would be released only to properly identified individuals. Alice, Bob, and Charlotte decided to join the program and were each issued a plastic card to use for authenticating requests. When Charlotte graduated from high school and went away to college, she decided to take a copy of her medical records with her. She used her card to authorize the electronic transmission of her health records to her college's student health services program.
How Did This Come About?
A number of publicized privacy violations that damaged some of their competitors had alerted senior managers of the care firm to vulnerabilities in its own procedures. In response, the firm revised its procedures to reduce the exposure of its patients' records to other groups. Samples sent to outside laboratories for analysis were encoded with numbers, rather than names, so that results could be provided anonymously. Audit trails were incorporated in the provider's own systems, and policies were established to allow patients to review the audit logs. It became straightforward to remove direct patient identification from records released to groups that did not have a legitimate need for that information. When patient-identified records were released, means were provided to "fingerprint" them with hidden information in order to detect abuses. Under the medical records protection laws that had been enacted, violations traced back through these fingerprints could be prosecuted as criminal offenses, and patients could also sue for damages. With these controls in place, management realized that it was now in a position to offer the new patient access record service without exposing itself to undue risks and that its well-developed systems could lead to a competitive edge.
How Were the Risks Reduced?
First, the communications infrastructure had been made much more resistant to eavesdropping by the incorporation of practical cryptography. Built into the communications network interface at each home was a privacy service module that incorporated a private key and could negotiate a new key for each communication session, entirely transparent to the communicating parties. These facilities had first been used to ensure the integrity and confidentiality of real-time telemedicine links and record transfers.
As described above, the firm had upgraded its electronic record system to incorporate access controls and audit trails so that accesses by its employees could be adequately tracked, and properly authenticated prescriptions could be issued directly from the system to local pharmacies. To support the new service, a special, patient-only access system had been added that replicated records from the system used by providers but had no other access to it. In addition to being able to examine her health records, Charlotte was able to review a list of all the people who had accessed her records and the purpose of each access.
To be sure that a request for Charlotte's records came from her and not from someone else in the household, the firm also offered each of its patients a card that could be used in authenticating requests. The card avoided using the Social Security number for this purpose because those numbers were too widely available to be used for authentication. The card was used by the firm to identify its patients unambiguously, thereby reducing the paperwork required on each office visit and, in some cases, improving emergency treatment.