Research Paper Doctorate 3,766 words

Security and Control of Health Data

Last reviewed: September 24, 2005

Health-Care Data at Euclid Hospital Security and Control: A White Paper

Protecting Health-Care Data

The efficiency of the modern healthcare system increasingly relies on a computerized infrastructure. Open distributed information systems have been introduced to bring professionals together on a common platform throughout the world. Easy and flexible methods of processing and communicating images, sound and text help clinicians visualize, and therefore treat, illness and disease more effectively. The other side of this is that easy access and use can put at risk the patient privacy, accountability and secrecy associated with the healthcare profession. Information Technology -- IT must therefore focus on improving the health of the patient and must not put the patient's health in danger. (IO Press)

This implies that the right data has to be made available to the right person at the right time. IT strongly affects confidentiality between patient and doctor, since it increasingly surrounds and mediates that relationship. Information systems and healthcare establishments are developing integrated systems in which many kinds of users interact and communicate. This integration will transcend the borders of local healthcare enterprises and will progressively extend into patients' homes and into the healthcare community as a whole, to make way for the "mobility of patients, the exchange of medical and administrational data and transfer of bills and money." (IO Press)

Euclid Hospital plays a significant role in protecting the healthcare data of its patients, who numbered about 33,000 in the previous year. Irrespective of the number of patients, Euclid has a proven track record of extending quality medical care to the satisfaction of the patient. In keeping with the 1997 National Research Council -- NRC report 'For the Record: Protecting Electronic Health Information', Euclid recently implemented a web-based Euclid Medical Record Management System -- EMRMS that incorporates the NRC's security and confidentiality recommendations. (A WWW implementation of National Recommendations for Protecting Electronic Health Information)

The following measures have been implemented for the protection of Euclid hospital records. (a) Individual Authentication of Records: In order to establish the identity of each individual on any computer system holding healthcare data under EMRMS, every caregiver has been assigned a username and password. This policy allows individuals to be held accountable for every action taken after logging in.

(b) Access controls: Not every user has been given access to all of the information available under the EMRMS. Euclid takes the view that a laboratory technician has no business accessing the detailed data contained in a patient's psychiatric notes. Healthcare providers must be permitted to see clinical information on a need-to-know basis. Hence at Euclid, the most apparent implementation of such controls is to allocate access to the various healthcare computing functions based on job role. (A WWW implementation of National Recommendations for Protecting Electronic Health Information)

(c) Audit Trails: Even though a web-based system is vulnerable to unauthorized hacker attacks from outside, inappropriate access to healthcare data from within the organization is far more common. Ordinary human curiosity tempts healthcare staff not involved in a patient's care to view the records of celebrities and of fellow staff. Euclid's EMRMS keeps detailed, retrievable audit trails which log all access to information, so that authenticated users can be held accountable for the actions they take while using the healthcare computing system. The logs include the date, time, the information accessed or viewed and the user ID, and they are available for patient review on demand.

(d) Physical Security and Disaster Recovery: Unauthorized personnel are denied access to hard copies and electronic storage. Back-up tapes are prepared weekly and stored at a location away from Euclid hospital, so that a physical disaster at the hospital does not destroy them.

(e) Protection of remote access points: Euclid's EMRMS has a three-layer firewall which provides strong, centralized security and intrusion protection, and every remote access is protected by single-session or encrypted passwords.

(f) Software discipline: All systems are equipped with the latest virus-scanning programs, and downloading from the Internet to the servers is restricted.

(g) System assessment: Monthly audits are undertaken to evaluate vulnerability to password-cracking programs and to verify the processes in place for identifying vulnerabilities in the system. (A WWW implementation of National Recommendations for Protecting Electronic Health Information)

(h) Supporting Authentication: Healthcare providers commonly share usernames and passwords, which defeats the very purpose of the authentication, access controls and audit trails that individual passwords provide. To discourage this practice, authentication at Euclid has been considerably reinforced by requiring that logon be paired with physical possession of a 'hardware token', such as a magnetic-strip swipe card ID or a device that displays rapidly changing passwords.
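As an added illustration of what a device with rapidly changing passwords contributes, and not code from this paper or from Euclid's EMRMS: the logon below succeeds only when both the password and a one-time code are right, with the code computed the way such tokens commonly do (HMAC-based, per RFC 4226/6238, an assumption about the token type). The user name, salt and password are constructed placeholders; the token seed is the RFC test-vector value.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo credentials: a PBKDF2 password hash plus the token's shared seed.
# None of these values are Euclid's; they are placeholders for this example.
SALT = b"demo-salt"
USERS = {
    "nurse01": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000),
        "token_seed": b"12345678901234567890",  # RFC 4226/6238 test-vector seed
    }
}


def hotp(seed, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated to `digits` digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed, at, step=30, digits=6):
    """RFC 6238 TOTP: the counter is the number of `step`-second periods since the Unix epoch."""
    return hotp(seed, at // step, digits)


def token_matches(seed, code, now, step=30, window=1):
    """Accept the current code or one `window` step either side, to tolerate clock drift."""
    return any(hmac.compare_digest(totp(seed, now + d * step, step), code)
               for d in range(-window, window + 1))


def logon(user, password, code, now=None):
    """Logon succeeds only when both the password and the token code are right.

    A shared or leaked password alone no longer grants access, which is the point of
    pairing the logon with possession of the token.
    """
    rec = USERS.get(user)
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    pw_ok = hmac.compare_digest(candidate, rec["pw_hash"])
    tok_ok = token_matches(rec["token_seed"], code, int(time.time()) if now is None else now)
    return pw_ok and tok_ok
```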

(i) Access validation: In the simplest form of access control at Euclid, the system functions available to a user depend on job role. A more sophisticated implementation also tailors the content available within a function by job role. For instance, both a doctor and a billing coder can view a patient's discharge summary; the details of the patient's psychiatric assessment, however, are visible to the doctor but withheld from the coder. (j) Electronic Authentication of Medical Records: EMRMS uses an electronic signature to sign submitted digital medical records, and a cryptographic digital signature is checked when records are retrieved to ensure that they were not altered in transmission. (A WWW implementation of National Recommendations for Protecting Electronic Health Information)
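An added example, not the EMRMS code, showing items (b), (c) and (i) working together: access to a function is decided by job role, the content returned by that function is tailored by role, and every attempt, granted or refused, is written to a retrievable audit trail that a patient could review on demand. The role matrix, field list and sample record are assumptions for the example.

```python
from datetime import datetime, timezone

# Hypothetical job-role matrix: which EMRMS functions each role may call.
# Roles and functions are assumed for this example, not Euclid's actual configuration.
ROLE_FUNCTIONS = {
    "physician": {"view_discharge_summary", "view_lab_results", "order_lab"},
    "billing_coder": {"view_discharge_summary"},
    "lab_technician": {"view_lab_results", "enter_lab_results"},
}

# Content tailoring within one function: the roles allowed to see each summary field.
SUMMARY_FIELD_ROLES = {
    "diagnosis_codes": {"physician", "billing_coder"},
    "length_of_stay": {"physician", "billing_coder"},
    "psychiatric_assessment": {"physician"},
}

AUDIT_LOG = []  # retrievable audit trail: one entry per access attempt, granted or not


def audit(user_id, role, upi, function, granted, detail=""):
    """Record who did what, to which patient's record, and when."""
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user_id, "role": role, "upi": upi,
        "function": function, "granted": granted, "detail": detail,
    })


def view_discharge_summary(user_id, role, upi, record):
    """Return only the fields the caller's role may see, logging the attempt either way."""
    if "view_discharge_summary" not in ROLE_FUNCTIONS.get(role, set()):
        audit(user_id, role, upi, "view_discharge_summary", False, "function not permitted for role")
        raise PermissionError(f"role {role!r} may not view discharge summaries")
    visible = {k: v for k, v in record.items() if role in SUMMARY_FIELD_ROLES.get(k, set())}
    audit(user_id, role, upi, "view_discharge_summary", True, "fields=" + ",".join(sorted(visible)))
    return visible


def accesses_to_patient(upi):
    """What a patient reviewing their own audit trail on demand would be shown."""
    return [e for e in AUDIT_LOG if e["upi"] == upi]


# Constructed sample record (not real patient data).
SAMPLE_SUMMARY = {
    "diagnosis_codes": ["dx-0001"],
    "length_of_stay": 4,
    "psychiatric_assessment": "constructed placeholder text",
}
```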

II. Privacy and Confidentiality of Health-Care Data

a. Legislative Protection of Privacy

The need for nationwide legislative protection of healthcare privacy has been felt as the country pursues national healthcare reform through new technological applications such as tele-medicine, which can serve the population across state borders. The Federal Privacy Act of 1974 was the first endeavor to protect privacy in legal terms, but its scope was limited. Following several pieces of legislation over the years, the American Health Information Management Association -- AHIMA drafted model legislative language defining a code of fair information practices. (Johns, 322-325)

The important provisions in AHIMA's model language consist of the following principles of fair health information practice: (1) the patient's right to know what healthcare information about them is maintained by any person, and for what purpose; (2) restrictions on collecting healthcare information, so that only the information required to fulfill the intended objective is collected; (3) collecting and using the information for necessary and legal purposes only; (4) notification of the patient by the person maintaining the healthcare information, through a written statement of the fair practices adhered to, which is also communicated verbally to each patient; (5) restrictions on the use of the information for purposes other than those for which it was collected; (6) the right of the patient or their representative to access the health information and obtain copies of it; (7) reasonable safeguards for the security of healthcare information, covering its storage, processing and transmission; and (8) additional protective measures to ensure the accuracy, reliability, relevance, completeness and timeliness of the healthcare information. (Johns, 325)

b. Patient Rights

A patient's personal and healthcare information consists of what the individual has provided and what the healthcare provider records while caring for the patient. Patients have the right to talk in confidence with their healthcare providers and to have their healthcare information safeguarded. They also have the right to review and copy their own medical record and to request that their physician amend the record if it is not correct, relevant, adequate or complete. (Patient Rights and Responsibilities) Patients therefore need to know that the information they provide is being kept confidential, and healthcare provider organizations need to guarantee that confidentiality. Euclid has adopted security measures to protect the confidentiality of patient information. (Part Four: Privacy, Confidentiality & Security)

c. Access to Health-Care Data

Access to patient information at Euclid is through Unique Patient Identifiers -- UPIs, which play an important part in managing patient care delivery and information. A UPI prevents unauthorized availability and ensures correct identification of the needed information. Using UPIs to access patient care information also standardizes the access methods and reinforces access control. It avoids the repeated use and disclosure of an individual's personal identification information (name, sex, age, race, social security number, marital status and so on) in routine internal and external communications such as orders, reports, findings, medications and consultations, and so helps protect the patient's privacy. Since healthcare is a multidisciplinary process, a UPI facilitates the integration and availability of critically needed information from multiple disciplines and care environments. Thus the integrity and security of patient information depends on the use of a reliable UPI. (Part Four: Privacy, Confidentiality & Security)

d. Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act -- HIPAA of 1996 was enacted with the following objectives: to guarantee health insurance coverage for employees; to lower the incidence of healthcare fraud and abuse; to initiate administrative simplifications so as to enhance the functionality and efficiency of the healthcare system; and to protect individuals' health information against access without consent or authorization. HIPAA impacts the healthcare sector through the Covered Entities, or CEs. Covered Entities, as defined within the meaning of the Act, consist of health plans, healthcare clearing houses, and healthcare providers who transmit healthcare information in electronic form in connection with certain standard transactions. (Security and Privacy: An introduction to HIPAA)

HIPAA defines standards as a set of transactions carried out in electronic format, while still allowing non-standard paper forms for these transactions. HIPAA's security standard applies to healthcare information that is electronically maintained or transmitted. The approved privacy standard applies to individually identifiable health information transmitted or maintained in any form, viz. oral, written or electronic, known as Protected Health Information -- PHI. HIPAA is therefore regarded as the continuing process of standardizing the digitization of healthcare information within the U.S. Making it compulsory for patient records to be transmitted over digital networks might, however, compromise patient privacy.

To address this concern, the Department of Health and Human Services built a standard set of security and privacy regulations with which the CEs must comply in order to be HIPAA-compliant. Becoming HIPAA-compliant means combining the security functionality that technology can provide with the relevant policies and processes. These security requirements comprise a combination of administrative and technical measures covering four main categories: "administrative processes, physical safeguards, technical security services, and technical security mechanisms." (Security and Privacy: An introduction to HIPAA)

III. Security Fundamentals

In general, any security program for health information must fulfill three key objectives: protecting the informational privacy of patients; ensuring informational integrity; and making information available to the appropriate individuals in a timely manner. These objectives are attained by establishing a sound information security organization and by implementing and coordinating several security strategies. (Johns, 327)

a. Protecting Informational Privacy

Protecting informational privacy is crucial because it faces many threats. The most frequent ways in which system security is compromised are (a) unauthorized user activity, (b) unauthorized individuals gaining access through hacking, (c) unprotected downloaded files and (d) Trojan horses. (Johns, 328)

(i) Unauthorized User Activity: Unauthorized user activity occurs when authorized users of the system gain access to data areas they are not permitted to access. It results from poor access control, password sharing or ineffective procedures for terminating the system access of past employees. By far the greatest threat comes from past employees, and also from present employees who deliberately compromise data integrity. There are also instances of human error in data posting and of virus attacks. Beyond the insider threat there is the larger threat of hackers, who bypass the computer system's access control by capitalizing on security holes; the hackers' usual modus operandi is to use passwords they are not authorized to hold. (Johns, 328-329)

(ii) Downloaded Files: Files downloaded from a secure area to an unprotected area pose an additional danger to data confidentiality. Typically data is downloaded from a host computer to a standalone computer or LAN so that it can be processed locally. These downloaded files can be copied to disks and distributed, without anyone's knowledge, to unauthorized users or outsiders. Moreover, such files may sit unprotected in a LAN setting, where security measures are not as robust as in a mainframe setting. (Johns, 329)

(iii) Trojan Horses: Informational privacy is also compromised by Trojan horses: computer programs employed by hackers and other intruders that perform malicious functions without the user's knowledge. Data security is affected because a Trojan horse can copy confidential files to unprotected areas of the system. By remaining resident on the user's system, the Trojan horse program can regularly copy confidential files to a system area to which the intruder has access. (Johns, 329-330)

(iv) Informational Privacy Models: Among the various security models used to ensure informational privacy, the access control model is one of the most common. Each of these models employs different methods of classifying data, users and processes, and implements techniques to restrict data access. The access control model performs the following functions: it categorizes data according to sensitivity; it classifies data users and grants them permission to read and write data; and it mandates the types of operations that may be performed on the data. Accordingly, Euclid's data residing in its various systems has been classified as 'public', 'internal use only', 'confidential', 'restricted' and 'registered confidential'. (Johns, 330)

(b) Protecting Data Integrity

Systems that handle electronic information have to guarantee that unauthorized modification of the information cannot be made without being noticed. Whenever healthcare information is used or communicated electronically, there has to be a guarantee of its accuracy. Unauthorized alterations must therefore be detected, and methods must be available to safeguard the integrity of data while it is communicated electronically. To assure informational integrity, Euclid has a system-independent mechanism that provides proof against unauthorized modification for every individual object. HIPAA also stipulates that proof of data integrity be provided by mechanisms such as "checksums, Cyclic Redundancy Checks -- CRCs, double keying, message authentication codes or use of digital signatures." (Security and Privacy: An introduction to HIPAA)
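An added example, not Euclid's mechanism, of why the HIPAA list separates plain checksums from keyed integrity mechanisms: a record is sealed with both a CRC-32 and an HMAC-SHA256, and on retrieval the receiver can distinguish a transmission error from an edit made after sealing. The key and sample record are constructed placeholders; the HMAC stands in for the digital signature of item (j) above, since the standard library offers no asymmetric signing.

```python
import hashlib
import hmac
import json
import zlib

# Assumed integrity key shared by the EMRMS server and the retrieving workstation
# (constructed placeholder; a real deployment would provision and protect it per system).
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"


def canonical(record):
    """Serialize deterministically so identical content always yields identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record):
    """Attach a CRC-32 (catches accidental corruption) and an HMAC-SHA256 (catches tampering)."""
    body = canonical(record)
    return {"record": dict(record),
            "crc32": zlib.crc32(body),
            "mac": hmac.new(INTEGRITY_KEY, body, hashlib.sha256).hexdigest()}


def crc_ok(sealed):
    return zlib.crc32(canonical(sealed["record"])) == sealed["crc32"]


def mac_ok(sealed):
    expected = hmac.new(INTEGRITY_KEY, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["mac"])


def verify_on_retrieval(sealed):
    """What the receiver can conclude from the two checks."""
    if not crc_ok(sealed):
        return "corrupted"   # bits changed after sealing and nobody regenerated the checksum
    if not mac_ok(sealed):
        return "tampered"    # checksum was regenerated, but the keyed MAC could not be
    return "intact"


def bit_flipped_copy(sealed, field, value):
    """A copy altered in transit with neither check regenerated, e.g. a storage or line error."""
    record = dict(sealed["record"])
    record[field] = value
    return {"record": record, "crc32": sealed["crc32"], "mac": sealed["mac"]}


def edited_copy(sealed, field, value):
    """A copy edited after sealing by a tool that maintains the checksum but lacks the key:
    the CRC is regenerated, the MAC is carried over unchanged."""
    record = dict(sealed["record"])
    record[field] = value
    return {"record": record, "crc32": zlib.crc32(canonical(record)), "mac": sealed["mac"]}


# Constructed sample record (not real patient data).
SAMPLE = {"upi": "UPI-0001", "allergies": ["penicillin"], "discharge_date": "2005-09-20"}
```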

(c) Ensuring Data Availability

This entails ensuring that data is available to the right user at the right time, which is a must for any security program. Data can become unavailable through Denial of Service -- DOS, or through loss of data-processing functions caused by natural disasters or by user actions such as malicious attacks. DOS normally results from system intrusion; for instance, a worm introduced into the system network degrades the system and renders normal functions unavailable to users. (Johns, 331-332)

IV. Establishing a Security Program

Healthcare organizations now recognize the need for data security programs and for organizational structures to support them. This follows from an increased dependence on the power of information technology and from the recognition that the information repository is an organizational asset. Euclid's intensive care facilities are highly dependent on automation. A major part of the financial management information systems, including accounting and financial management, has been automated. Fundamental core functions such as registration, admission, discharge and transfer -- RADT systems have also been automated. (Johns, 333)

(a) Components of a Security Program

At Euclid, the data security program is concerned not just with technological issues and methods but with human resource issues as well. The foremost principle in establishing a security program is that the security organizational structure, technological controls, and policies and procedures put in place should fulfill the needs of the organization. (Johns, 335)

(i) Determining the scope of the security program: An effective security program must be wide enough to include all of the automated information systems within the organization. As preliminary analysis for defining the security program, it must take an inventory of the systems across the enterprise, identifying the hardware, software applications and networks within Euclid. After the inventory, a risk assessment is performed which identifies the part played by each information system within Euclid, how vital it is to Euclid's overall functioning, and the adverse impact on the organization in the event of a security breach. (Johns, 335)

Cite This Paper
PaperDue. (2005). Security and Control of Health Data. PaperDue. https://www.paperdue.com/essay/security-and-control-of-health-data-67881
