The increased use of the Internet and the latest information technologies such as wireless computing is revolutionizing the healthcare industry by improving services and reducing costs. The advances in technology help to empower individuals to understand and take charge of their healthcare needs. Patients can participate in healthcare processes, such as diagnosis and treatment, through secure electronic communication services. Patients can search healthcare information over the Internet and interact with physicians. The same advances in technology have also heightened privacy awareness. Privacy concerns include healthcare Web sites that do not practice the privacy policies they preach, computer break-ins, insider and hacker attacks, temporary and careless employees, virus attacks, human errors, system design faults, and social engineering. This topic looks at medical privacy issues and how they are handled in the U.S. and New Zealand. A sample of 20 New Zealand health Web sites was investigated.
Advances in information technology have increased the efficiency of providing healthcare services to patients. Using Web-based technology, the healthcare team can also include the patient, who must be an informed decision maker and active participant in his or her care. These same advances also improve the features, functions, and capabilities of electronic medical record systems and potentially increase the number of parties, namely hospitals, insurance companies, marketing agencies, pharmaceutical companies, and employers, that may have unauthorized access to private medical information. These systems are justifying themselves in terms of cost and life savings. Accessibility to mobile computing devices in the healthcare industry is also evolving. Wireless computing devices enable physicians, clinicians, and nurses to enter patient data at the point of care (Kimmel & Sensmeier, 2002). Disease management systems provide caregivers with information on the efficacy of drugs and treatments at various stages of a medical condition. Systems that combine bar-coding technology with decision support can help ensure that patients receive the correct medication or treatment.
Healthcare organizations must manage a tremendous amount of information, from clinical test results, to financial data, to patient tracking information. While most healthcare organizations have policies and procedures in place to guarantee at least minimum levels of privacy protection, such protections are not core features of most technology systems in the healthcare industry. This is true despite the fact that unauthorized disclosure of an individual’s private medical information can affect one’s career, insurance status, and even reputation in the community. Without adequate privacy protection, individuals must take steps to protect themselves from what they consider harmful and intrusive uses of their health information, often at significant cost to their health.
Healthcare privacy is an increasingly complex legal and operational issue facing the healthcare industry. For example, in the areas of mental health, HIV, pharmaceuticals, and genetic information, issues of privacy and the appropriate use of health information have already shown themselves to be particularly sensitive. The public has also become increasingly conscious of privacy issues, such as protection of electronic medical records, commercial uses of health information, and insurer and employer access to patient-identifiable information. The increasing use of the Internet also brings a corresponding need for privacy awareness. The very nature of electronic records makes them more easily transportable and thus accessible.
Healthcare professionals face many challenges as they seek ways to deliver quality healthcare while maximizing efficiency and effectiveness and at the same time ensuring privacy. A substantial barrier to improving the quality of and access to healthcare is the lack of enforceable privacy rules. Individuals share a great deal of sensitive, personal information with their doctors. This information is then shared with others, such as insurance companies, pharmacies, researchers, and employers, for many reasons. Yet unlike other personal information, there is very little legal protection for medical records.
This topic focuses mainly on the impact that information technology has on healthcare privacy and the ways in which privacy can be achieved. We examine this in the context of the situation in the U.S.A. and in New Zealand, which supposedly has the world’s strictest privacy legislation in its Privacy Act (1993). Comparisons to other countries are also made where information security technology has been applied in the medical domain.
WHAT IS HEALTH INFORMATION?
The American Health Information Management Association (AHIMA) (The American Health Information Management Association and the Medical Transcription Industry Alliance, 1998) defines health information as:
• Clinical data captured during the process of diagnosis and treatment.
• Epidemiological databases that aggregate data about a population.
• Demographic data used to identify and communicate with and about an individual.
• Financial data derived from the care process or aggregated for an organization or population.
• Research data gathered as a part of care and used for research or gathered for specific research purposes in clinical trials.
• Clinical data and observations taken by trainees in a teaching hospital.
• Reference data that interacts with the care of the individual or with the healthcare delivery systems, like a formula, protocol, care plan, clinical alerts, or reminders.
• Coded data that is translated into a standard nomenclature or classification so that it may be aggregated, analyzed, and compared.
AHIMA further states that healthcare information and data serve important functions, including:
• Evaluation of the adequacy and appropriateness of patient care.
• Use in making decisions regarding healthcare policies, delivery systems, funding, expansion, education, and research.
• Support for insurance and benefit claims.
• Assistance in protecting the legal interests of the patients, healthcare professionals, and healthcare facilities.
• Identification of disease incidence to control outbreaks and improve public health.
• Provision of case studies and epidemiological data for the education of health professionals.
• Provision of data to expand the body of medical knowledge.
WHAT IS HEALTHCARE PRIVACY?
Healthcare is a service industry that relies on information for every aspect of its delivery. Health information is important to patients, medical practitioners, healthcare professionals, and institutions, and to society as a whole, since it guides the health of the population. It must be protected as a valuable asset, and in its primary form as the medical record of a unique individual, it must be safeguarded.
Privacy of health information is a legitimate concern. Such concerns grow as technology is put in place that allows confidential medical records and sensitive health information, such as mental illness, HIV, substance abuse, sexually transmitted disease, and genetic information, to be made available to employers, bankers, insurers, credit card companies, and government agencies for making decisions about hiring, firing, and loan approval, and for developing consumer marketing.
The application of information technology to healthcare, especially the development of electronic medical records and the linking of clinical databases, has generated growing concerns regarding the privacy and security of health information. The security and integrity of electronic health data must be protected from unauthorized users. However, in the medical field, accessibility for certain authorized functions must overrule any other concern: when a doctor needs to access information about a patient in order to provide emergency treatment, it is imperative that the data become available without delay (Ateniese, Curtmola, de Medeiros, & Davis, 2003).
While patients have a strong interest in preserving the privacy of their personal health information, they may also have an interest in medical research and other efforts by healthcare organizations to improve the quality of medical care they receive.
Categories of Healthcare Privacy
In addition to technological revolutions, which are the main cause for privacy concerns, there are three distinct kinds of violations of health information privacy according to the congressional testimony of Janlori Goldman, director of the Health Privacy Project at Georgetown University (Starr, 1999):
• Individual misappropriation of medical records;
• Institutional practices — ambiguous harm to identifiable individuals; and
• Institutional practices — unambiguous harm to identifiable individuals.
Individual Misappropriation of Medical Records
Starr (1999) states that this category involves individuals who misuse medical data, often publicly disclosing sensitive information and typically violating both the policies of the institutions that kept the records and the laws of their state. It is by far the most common type of violation of health information privacy that can be corrected by stronger penalties and more aggressive enforcement of privacy laws and policies. According to Health Privacy Project: Medical Privacy Stories (2003), examples include:
• Following the rape accusations against basketball player Kobe Bryant, the alleged victim’s medical records were subpoenaed by Bryant’s defense lawyers from a Colorado hospital. After a hospital employee released the records to a judge, attorneys for the hospital asked the judge to throw out the subpoenas and destroy the records he had already received, citing state and federal medical privacy laws. Attorneys for the victim are also attempting to prevent Bryant’s defense team from gaining access to her medical records from two other hospitals. However, a number of news stories have published sensitive medical information that reporters allege came from hospital employees (Miller, 2003).
• A hospital clerk at Jackson Memorial Hospital in Miami, Florida stole the social security numbers of 16 patients named Theresa when they registered at the hospital. The hospital clerk then provided the social security numbers and medical record information to a friend, also named Theresa, who opened up over 200 bank and credit card accounts and bought six new cars (Sherman, 2002).
Institutional Practices: Ambiguous Harm to Identifiable Individuals
This category consists of the use of personal health data for marketing and other purposes where the harm to the individual is ambiguous or relatively small. For example, a chemist or pharmacist sells patient prescription records to a direct mail and pharmaceutical company for tracking customers who do not refill prescriptions and sending those patients letters encouraging them to refill and to consider alternative treatments. The practice is not so much harmful to the customers, who might even have appreciated the reminders; what worries them most is the hands into which such lists might fall. This also raises the question of the merchandising of health data for purposes unrelated to those for which patients provided the original information.
Institutional Practices: Unambiguous Harm to Identifiable Individuals
This category consists of institutional practices that do cause harm to identifiable individuals. Unlike the other two categories, this one raises much more serious privacy issues and needs correction and reform. Starr stresses that the commingling of the insurance and employment functions in the United States has led to serious abuse of confidential medical information, and that the development of genetics has made possible a new and insidious form of discrimination. He recommends security measures such as encryption, the use of a universal health identifier, segmentation of medical records, and biometric identifiers for, and audit trails of, those accessing medical records (Starr, 1999). Examples from Health Privacy Project: Medical Privacy Stories (2003) and Starr (1999) include:
• Two hundred and six respondents in a survey reported discrimination as a result of access to genetic information, culminating in loss of employment and insurance coverage or ineligibility for benefits (Science and Engineering Ethics, 1996).
• A survey found that 35% of Fortune 500 Companies look at peoples’ medical records before making hiring and promotion decisions (Unpublished study, University of Illinois at Urbana-Champaign, 1996).
• An Atlanta truck driver lost his job in early 1998 after his employer learned from his insurance company that he had sought treatment for a drinking problem (J. Appleby, “File safe? Health Records May Not Be Confidential,” USA Today, March 23, 2000, p. A1).
Information technologies, such as the Internet and databases, have advanced substantially in the past few years. With the adoption of these new technologies, the healthcare industry is able to save billions of dollars in administrative and overhead costs. These savings can be used to discover new drugs or expand coverage for the uninsured. Through these new technologies, patient care will also be improved; for example, telemedicine allows medical specialists to “examine” and “treat” patients halfway around the world. Perhaps most importantly, information technologies help to empower individuals to understand and to take charge of their own healthcare needs. Patients become active participants in the healthcare process through secure electronic communication services. Wilson, Leitner, and Moussalli (2004) suggest that by putting the patient at the center of the diagnosis and treatment process, communication is more open, and there is more scope for feedback or complaint. This enhances and supports human rights in the delivery of healthcare.
The Internet and Patients
The use of the Internet in the healthcare industry means that confidential health information is created and handled electronically. There are already several applications available on the Internet for caregivers and patients to communicate and for the electronic storage of patient data. These applications include electronic mail, online conversations and discussion lists (online chat and NetMeeting), information retrieval, and bulletin boards. Caregivers and patients use electronic mail and online chat to communicate. Patients can search the Web for information about symptoms, remedies, support groups, and health insurance rates. They can also obtain healthcare services, such as second opinions and medical consultations, and products, such as prescription drugs, online (Choy, Hudson, Pritts, & Goldman, 2002).
Patient databases are stored on the Internet, with some providers storing complete patient records in Internet-accessible sites. Patients can interact with databases to retrieve tailored health information (selected on the basis of a personal profile, a disease, or a particular need such as travel or cross-border healthcare) (Wilson et al., 2004). However, the availability of medical information in electronic form (whether or not it is available over the Internet) raises privacy issues.
The Internet and Health Professionals
Through the use of the Internet, health professionals will have the most up-to-date information available at the click of a mouse. Hospitals, clinics, laboratories, and medical offices will be digitally linked together, allowing for the quick, efficient transfer and exchange of information. The test results will be digitized, allowing for a speedy transfer from labs to hospitals while gaining back the valuable time lost in physical transport. For example, Telehealth in Canada will make geography disappear on a large scale (Siman, 1999). It is a new initiative that significantly improves health services, particularly to remote and rural areas. It also allows physicians to do a complete physical examination of the patient via a digital link. Diagnosis can be made over long-distance telephone lines, rather than after long-distance travel, thus saving the patient the strain and cost of travel. Physicians and other caregivers may use the Internet to discuss unusual cases and obtain advice from others with expertise in treating a particular disease or condition (Siman, 1999).
The Internet and Health-Related Activities
The Internet can support numerous health-related activities beyond the direct provision of care. By supporting financial and administrative transactions, public health surveillance, professional education, and biomedical research, the Internet can streamline the administrative overhead associated with healthcare, improve the health of the nation’s population, and lead to new insight into the nature of disease. In each of these domains, specific applications can be envisioned in which the Internet is used to transfer text, graphics, and video files (and even voice); control remote medical or experimental equipment; search for needed information; and support collaboration, in real time, among members of the health community (Committee on Enhancing the Internet for Health Applications: Technical requirements and implementation strategies, 2000). For example, the Internet could do the following (Committee on Enhancing the Internet for Health Applications: Technical requirements and implementation strategies, 2000):
• Enable consumers to access their health records, enter data or information on symptoms, and receive computer-generated suggestions for improving health and reducing risk;
• Allow emergency room physicians to identify an unconscious patient and download the patient’s medical record from a hospital across town;
• Enable homebound patients to consult with care providers over real-time video connections from home, using medical devices capable of transmitting information over the Internet;
• Support teams of specialists from across the country who wish to plan particularly challenging surgical procedures by manipulating shared three-dimensional images and simulating different operative approaches;
• Allow a health plan to provide instantaneous approval for a referral to a specialist and to schedule an appointment electronically;
• Enable public health officials to detect potential contamination of the public water supply by analyzing data on nonprescription sales of antidiarrheal remedies in local pharmacies;
• Help medical students and practitioners access, from the examining room, clinical information regarding symptoms they have never before encountered; and
• Permit biomedical researchers at a local university to create three-dimensional images of a biological structure using an electron microscope 1,000 miles away.
Also called “Medicine of the Millennium,” telemedicine connects geographically separate healthcare facilities via telecommunications, video, and information systems. The purposes of telemedicine are remote clinical diagnosis and treatment, remote continuing medical education, and access to central data repositories for electronic patient records, test requests, and care outcomes.
However, the increasing use of the Internet brings a corresponding need for privacy awareness. The very nature of electronic records makes them more easily transportable and, thus, accessible. Privacy on the Internet is becoming more and more of a concern as confidential information transmitted via the Internet may be intercepted and read by unauthorized persons. Some commonly used Internet protocols may allow information to be altered or deleted without this being evident to either the sender or receiver. Patients may be totally unaware that their personally identifiable health information is being maintained or transmitted via the Internet, and worse still, they may be subject to discrimination, embarrassment, or other harm if unauthorized individuals access this confidential information. While technology can and should be used to enhance privacy, it can also be used to undermine privacy.
Why Are There Healthcare Privacy Concerns?
Undoubtedly, the Internet is a valuable tool for improving healthcare because of its ability to reach millions of Internet users at little or no additional cost and absence of geographic and national boundaries. Unfortunately, the Internet is also an ideal tool for the commission of fraud and other online crime. Examples of such fraud include healthcare scams such as the selling of misbranded and adulterated drugs, and bogus miracle cures.
Many of the bigger healthcare Web sites collect information by inviting users to create a personalized Web page where they can acquire medical information tailored specifically to their age, gender, medical history, diet, weight, and other factors. Some sites offer alerts on special medical conditions, health and fitness quizzes, and even the opportunity to store one’s own medical records and prescriptions online in case of emergency (Medical privacy malpractice: Think before you reveal your medical history, 2001). Other Web sites collect information using cookies. Cookies are small pieces of data that a Web server asks the user’s Internet browser to store on the user’s computer hard drive.
The browser sends the cookies back to the Web server when the user revisits the same Web site. Hence user information such as the number of visits, average time spent, pages viewed, and e-mail address can be collected and used to recognize the user on subsequent visits and to provide tailored offerings or content to the user.
The California HealthCare Foundation recently examined the privacy policies and practices of 21 popular health sites including: DrKoop.com, Drugstore.com, and WebMD.com (Medical privacy malpractice: Think before you reveal your medical history, 2001). They found that visitors to the sites are not anonymous, and that many leading health Web sites do not practice the privacy policies they preach. In some cases, third-party ad networks run banner ads on the sites that collect information and build detailed profiles of each individual’s health conditions.
In New Zealand, no published survey had previously been conducted. In order to examine the privacy policies and practices of New Zealand health sites, 20 medical-related Web sites were chosen from the electronic yellow pages (www.yellowpages.com.nz) and studied for the purpose of this topic. At this site, the individual listings are arranged such that those that have Web sites appear first. Only unique sites were examined; that is, those with multiple listings or branches were ignored. Those with only a simple banner ad in the electronic yellow pages were also excluded. Of these 20 Web sites, three were medical insurers or offered a medical insurance policy as one of their services; one was for health professionals to use to support traveling patients; and the rest were medical clinics and hospitals. The results show that all but one of these Web sites collected personal information, but only one had a privacy statement, and it was very obscure; three used cookies, and none mentioned the purpose for which the information was collected. The New Zealand Information Privacy Principle 3 requires that a well-expressed Web site should have a privacy statement. A privacy statement tells consumers that their privacy right is being considered (Wiles, 1998). The Web sites studied all failed to meet such a requirement. The results of the above studies indicate that healthcare privacy concerns are not just problems in New Zealand, but universal ones.
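The survey above checked four things per site: whether it collects personal information, whether it has a privacy statement, whether it sets cookies, and whether it states the purpose of collection. The following is an added example (not part of the original study, and not the tool the authors used) showing how those four checks can be scripted against a site’s HTTP response headers and HTML, so that the same audit can be repeated consistently across many sites. The `audit_site` and `tally` functions, the `PERSONAL_FIELDS` and `PURPOSE_PHRASES` heuristics, and the two sample pages are all constructed for this illustration; a real audit would fetch live pages and would need richer purpose-detection than a phrase list.

```python
"""Offline privacy audit of a Web page, in the spirit of the New Zealand survey.

audit_site(headers, html) is a hypothetical helper: it takes the response
headers (as (name, value) pairs, since Set-Cookie may repeat) and the HTML body
a site returned, and reports the four properties the survey recorded.
"""
from html.parser import HTMLParser

# Constructed heuristics: form field names that indicate personal data collection,
# and phrases that suggest the page explains why data is collected.
PERSONAL_FIELDS = {"name", "email", "phone", "address", "dob", "condition", "nhi"}
PURPOSE_PHRASES = ("purpose", "we use your", "used to", "in order to")


class _PageScanner(HTMLParser):
    """Collects form input names, anchor links and visible text from a page."""

    def __init__(self):
        super().__init__()
        self.fields = []        # names of input/textarea/select elements
        self.links = []         # (href, link text) pairs
        self.text = []          # visible text fragments
        self._anchor = None     # [href, text] while inside an <a> element

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("input", "textarea", "select") and a.get("name"):
            self.fields.append(a["name"].lower())
        if tag == "a":
            self._anchor = [a.get("href", ""), ""]

    def handle_endtag(self, tag):
        if tag == "a" and self._anchor is not None:
            href, text = self._anchor
            self.links.append((href.lower(), text.strip().lower()))
            self._anchor = None

    def handle_data(self, data):
        self.text.append(data)
        if self._anchor is not None:
            self._anchor[1] += data


def audit_site(headers, html):
    """Return the four survey properties for one site's response."""
    scanner = _PageScanner()
    scanner.feed(html)
    body = " ".join(scanner.text).lower()
    # Header names are case-insensitive and Set-Cookie may appear more than once.
    cookies = [v for k, v in headers if k.lower() == "set-cookie"]
    personal = sorted(f for f in scanner.fields if f in PERSONAL_FIELDS)
    return {
        "collects_personal_info": bool(personal),
        "personal_fields": personal,
        "has_privacy_statement": any(
            "privacy" in href or "privacy" in text for href, text in scanner.links
        ),
        "sets_cookies": bool(cookies),
        "states_purpose": any(p in body for p in PURPOSE_PHRASES),
    }


def tally(audits):
    """Count how many audited sites show each property (the survey's summary numbers)."""
    keys = ("collects_personal_info", "has_privacy_statement", "sets_cookies", "states_purpose")
    return {k: sum(1 for a in audits if a[k]) for k in keys}


# Constructed sample responses: a clinic booking page that collects personal data,
# sets a cookie and says nothing about privacy, and an insurer page that does better.
CLINIC_HEADERS = [("Content-Type", "text/html"), ("Set-Cookie", "visits=3; Path=/")]
CLINIC_HTML = """<html><body><h1>Example Clinic</h1>
<form action="/book" method="post">
  Name <input name="name"> Email <input name="email">
  Tell us about your condition <textarea name="condition"></textarea>
  <input type="submit" value="Book">
</form>
<a href="/contact">Contact us</a></body></html>"""

INSURER_HEADERS = [("Content-Type", "text/html")]
INSURER_HTML = """<html><body><h1>Example Insurer</h1>
<p>We collect your name and email for the purpose of sending your quote.</p>
<form action="/quote" method="post">
  <input name="name"> <input name="email"> <input type="submit" value="Quote">
</form>
<a href="/privacy">Privacy statement</a></body></html>"""

if __name__ == "__main__":
    results = [audit_site(CLINIC_HEADERS, CLINIC_HTML), audit_site(INSURER_HEADERS, INSURER_HTML)]
    for r in results:
        print(r)
    print(tally(results))
```

Running the block audits the two constructed pages and prints the per-site findings and the tally; the clinic page is flagged on all four counts, the insurer page only for collecting personal data.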
According to Anderson (1996), many medical records can be easily obtained by private detectives, who typically telephone a general practice, family health services authority, or hospital and pretend to be the secretary of a doctor giving emergency treatment to the person who is the subject of the investigation.
Although privacy is a concern as electronic information is vulnerable to hackers and system errors that can expose patients’ most intimate data, the most persistent risk to security and privacy is through the people who have authorized access, much more so than the hackers or inadvertent system errors. As medical information systems are deployed more widely and made more interconnected, security violations are expected to increase in number.
WHAT ARE THE CONCERNS?
The American Health Information Management Association (1998) estimates that when a patient enters a hospital, roughly 150 people have legitimate access to that person’s medical record, including food workers, pharmacists, lab technicians, and nursing staff, each with a specific authority to view components of the record necessary for their job and each with unique ability to act within a system.
The increasing use of the Internet in the healthcare industry has also heightened concerns on privacy. The CERT Coordination Center at Carnegie Mellon University, a national resource for collecting information about Internet security problems and disseminating solutions (Committee on Enhancing the Internet for Health Applications: Technical requirements and implementation strategies, 1997), lists seven general areas of vulnerability:
• Compromised system administrator privileges on systems that are unpatched or running old OS versions.
• Compromised user-level accounts that are used to gain further access.
• Packet sniffers and Trojan horse programs.
• Spoofing attacks, in which attackers alter the address from which their messages seem to originate.
• Software piracy.
• Denial of Service.
• Network File System and Network Information System attacks and automated tools to scan for vulnerabilities.
In addition to the above vulnerabilities, other concerns are:
• To whom should organizations be allowed to disclose personal health information with and without patient consent? Under what conditions may such disclosures be made?
• What steps must organizations take to protect personal health information from loss, unauthorized editing, or mischief?
• What types of security technologies and administrative policies will be considered sufficient protection?
Additional Common Threats and Attacks
A threat is any of the capabilities, intentions, and attack methods of adversaries to exploit or cause harm to information or a system. Threats are further defined as being passive (monitoring but no alteration of data) and active (deliberate alteration of information). King, Dalton, and Osmanoglu (2001) define four common threat consequences and the sources of threats in the following sections:
• Disclosure: If information or data is revealed to unauthorized persons (breach of confidentiality).
• Deception: If corporate information is altered in an unauthorized manner (system or data integrity violation).
• Disruption: If corporate resources are rendered unusable or unavailable to authorized users (denial of service).
• Usurpation: If the corporate resources are misused by unauthorized persons (violation of authorization).
Temporary or Careless Employees
Electronic health records stored at healthcare organizations are vulnerable to internal and external threats. Even with the protection of firewalls, careless employees, temporary employees, or disgruntled former employees cause far more problems than hackers do. As a company’s employees have tremendous access to the company’s resources, it is possible that the computer system could be hacked into internally, as well as by third parties. For example, an employee attaches a database of 50,000 names to an e-mail and sends it to a business partner who is working on a marketing campaign at another company. It is very likely that such data could be intercepted or harvested by a third party and used for improper or unauthorized purposes (Silverman, 2002).
Human Errors and Design Faults
A serious threat to the confidentiality of personal health information in hospitals and health authorities is the poor design and lax administration of access controls (Anderson, 1996). In many hospitals, all users may access all records; it is also common for users to share passwords or to leave a terminal permanently logged on for the use of everyone in a ward. This causes a breakdown of clinical and medico-legal accountability and may lead to direct harm. Other design errors include improperly installing and managing equipment or software, accidentally erasing files, updating the wrong file, or neglecting to change a password or back up a hard disk.
Another source of threat is trusted personnel (insiders) who engage in unauthorized activities, such as copying, stealing, or sabotaging information, which may remain undetected, or in activities that exceed their authority (abusing their access). Insiders may disable network operation or otherwise violate safeguards through actions that require no special authorization.
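The two preceding paragraphs describe the failure mode (every user can read every record, and insider actions leave no trace) and earlier sections describe the remedy: each of the roughly 150 people with legitimate access gets authority over only the components of the record their job needs, every access is written to an audit trail, and emergency access is never delayed. The following added example (not from the original text or any real hospital system) shows one way to implement that combination: a per-role policy over record components, an audit log of every granted and denied read, and an audited “break-glass” path for emergencies that must be justified and is surfaced for later review. The roles, record components, `POLICY` table, `RecordStore` class and `SAMPLE_RECORDS` data are all constructed for this illustration.

```python
"""Component-level access control for medical records with an audit trail and an
audited emergency path. Everything here (roles, components, policy, sample data)
is constructed for illustration, not taken from a real system."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed policy: which components of a record each role may read in the
# normal course of work. Food service needs dietary restrictions, not diagnoses;
# the pharmacist needs medications and allergies, not the clinical notes.
POLICY = {
    "attending_physician": {"demographics", "diagnoses", "medications", "allergies", "notes", "lab_orders"},
    "nurse": {"demographics", "medications", "allergies", "notes", "dietary"},
    "pharmacist": {"medications", "allergies"},
    "lab_technician": {"demographics", "lab_orders"},
    "food_service": {"dietary"},
}


@dataclass
class AuditEntry:
    when: str
    user: str          # an individual's account, never a shared ward login
    role: str
    patient_id: str
    component: str
    outcome: str       # "granted", "denied" or "break-glass"
    reason: str = ""


@dataclass
class RecordStore:
    records: dict                      # patient_id -> {component: value}
    audit: list = field(default_factory=list)

    def _log(self, user, role, patient_id, component, outcome, reason=""):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append(AuditEntry(stamp, user, role, patient_id, component, outcome, reason))

    def read(self, user, role, patient_id, component):
        """Normal access: permitted only if the role's policy covers the component.
        Both the grant and the denial are recorded, so an insider probing for
        data outside their job shows up in the log."""
        if component not in POLICY.get(role, set()):
            self._log(user, role, patient_id, component, "denied")
            raise PermissionError(f"role {role!r} may not read {component!r}")
        self._log(user, role, patient_id, component, "granted")
        return self.records[patient_id][component]

    def break_glass(self, user, role, patient_id, component, reason):
        """Emergency access: never blocked by the policy, but every use requires a
        stated reason and is logged for retrospective review."""
        if not reason.strip():
            raise ValueError("break-glass access requires a reason")
        self._log(user, role, patient_id, component, "break-glass", reason)
        return self.records[patient_id][component]

    def review_queue(self):
        """What a privacy officer reviews: every emergency access and every denial."""
        return [e for e in self.audit if e.outcome != "granted"]


# Constructed sample record for one patient.
SAMPLE_RECORDS = {
    "P001": {
        "demographics": "J. Example, 1970-01-01",
        "diagnoses": "type 2 diabetes",
        "medications": "metformin 500 mg",
        "allergies": "penicillin",
        "notes": "stable, review in 3 months",
        "lab_orders": "HbA1c",
        "dietary": "low sugar",
    }
}

if __name__ == "__main__":
    store = RecordStore(records=SAMPLE_RECORDS)
    print(store.read("j.smith", "pharmacist", "P001", "allergies"))
    try:
        store.read("k.cook", "food_service", "P001", "diagnoses")
    except PermissionError as exc:
        print("denied:", exc)
    print(store.break_glass("a.doctor", "nurse", "P001", "diagnoses", "unconscious patient in ED"))
    for entry in store.review_queue():
        print(entry)
```

The design choice worth noting is that the emergency path is not an exception carved out of the policy check but a separate, always-logged operation: it satisfies the requirement that data be available without delay while giving the audit reviewer a short list (denials and break-glass uses) rather than the full stream of routine reads to examine.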
Crackers, Hackers, and Other Intruders
While internal threats consist of authorized system users who abuse their privileges by accessing information for inappropriate reasons or uses, external threats consist of outsiders who are not authorized to use an information system or access its data, but who nevertheless attempt to access or manipulate data or to render the system inoperable. Computer break-ins have been proven to have occurred in the healthcare industry. The Health Care Privacy Project, a non-profit corporation in Washington DC, reported that a hacker found a Web page used by the Drexel University College of Medicine in Pennsylvania that linked to a database of 5,500 records of neurosurgical patients (Health Privacy Project: Medical privacy stories, 2003). The records included patient addresses, telephone numbers, and detailed information about diseases and treatments. After finding the database through the search engine Google, the hacker was able to access the information by entering a username and password that were identical. Drexel University shut down its database upon learning of the vulnerability, and a university spokeswoman stated that officials had been unaware that the database was available online, as it was not a sanctioned university site.
The “2002 Computer Crime and Security” survey conducted by the Computer Security Institute (CSI) with the participation of the San Francisco Federal Bureau of Investigation’s (FBI) Computer Intrusion Squad found that the threat from computer crime and other information security breaches continues unabated and that the threat from within the organization is far greater than the threat from outside the organization. The results show that more respondents (74%) cited their Internet connection as a frequent point of attack than cited their internal systems as a frequent point of attack (33%); 28% suffered unauthorized access or misuse on their Web sites within the last twelve months; 21% said that they did not know if there had been unauthorized access or misuse; 55% reported denial of service; and 12% reported theft of transaction information (Cyber crime bleeds U.S. corporations, survey shows; Financial losses from attacks climb for third year in a row, 2002).
According to King et al. (2001), a social engineering attack involves impersonating an employee with known authority, either in person (disguised) or by using an electronic means of communication (e-mail, fax, or the telephone). For example, an attacker places a phone call to the system administrator claiming to be a corporate executive who has lost the modem pool number and forgotten the password. In a hospital, an outsider places a phone call to an authorized insider, pretending to be a physician in legitimate need of medical information.
A RAND Corporation study of information warfare scenarios in 1995 suggests that terrorists using hacker technologies could wreak havoc in computer-based systems underlying emergency telephone services, electric power distribution networks, banking and securities systems, train services, pipeline systems, information broadcast channels, and other parts of our information infrastructure (Committee on Enhancing the Internet for Health Applications: Technical requirements and implementation strategies, 2000).
Although the above examples do not specifically describe threats to healthcare organizations, they do indicate the growing vulnerability of information systems connected to public infrastructure such as the Internet. As such, the drive for increased use of electronic health information linked together by modern networking technologies could possibly expose sensitive health information to a variety of threats that will need to be appropriately addressed.
Healthcare Privacy Concerns in the United States
A Pew report (2005) documented that 89% of health seekers were concerned about privacy issues, with fully 71% very concerned. When people were made aware of the possibility of universal medical ID numbers being issued, a Gallup poll found that 91% opposed the plan, and 96% opposed placing information about themselves held by their own doctor on the Web (The Gallup Organisation, 2000). On the other hand, healthcare administrators are aware of security issues and have many safeguards in place. In a recent survey of healthcare information technology executives, participants ranked the protection of health data as their primary concern (Reid, 2004). Hospitals, for example, report that the security technologies currently in use include anti-virus software (100%), firewalls (96%), virtual private networks (83%), data encryption (65%), intrusion detection (60%), vulnerability assessment (57%), public key infrastructure (20%), and biometrics (10%). Virtually all respondents expected to use all of these technologies to some degree during the next two years (The Gallup Organisation, 2000).
Recent evidence indicates that many medical organizations are lagging behind in their implementation of appropriate security systems. A study of 167 U.S. hospitals conducted by research firm HCPro found that 76% had not conducted an information security audit, and only half planned to do so by April 2001 (Johnson, 2001). Of the hospitals that had performed an audit, 51% said that they would need major improvements to, or a complete overhaul of, their security systems, and 49% claimed that they would have to significantly change or replace their security policies. Alarmingly, only 5% said they had an annual budget for HIPAA compliance.
The inadequacy of some medical providers’ security systems was recently underscored by the hacking of the University of Washington Medical Center (UWMC) computers (Thomson Corporation and health data management, 2005). SecurityFocus.com reported that an intruder was able to break into the UWMC computers and view the names, addresses, Social Security numbers, and medical procedures of over 4,000 cardiology patients. The UWMC could, in principle, face lawsuits from distressed patients.
Healthcare Privacy Concerns in New Zealand
A survey was conducted in 1998 to study the practice and plans in New Zealand for the collation and retention of health records about identifiable individuals, with particular reference to the implications for privacy arising from the increased use of National Health Index Numbers (NHI) (Stevens, 1998).
What is NHI? The NHI provides a mechanism to uniquely identify healthcare users. It was developed to help protect personally identifying health data held on computer systems and to enable linkage between different information systems whilst still protecting privacy. The NHI database records contain information of each person to whom an NHI number has been allocated, their name, date of birth, date of death, address, gender, ethnicity (up to three entries allowed), residence status, and other names by which they may be known (Stevens, 1998). It, however, does not contain any clinical information, and its availability for research purposes tends to be limited chiefly to a peripheral role in cohort studies and clinical trials (Stevens, 1998).
Alongside the NHI database is the Medical Warnings System (MWS) database, which can only be accessed via the individual’s NHI number. The MWS is designed to warn healthcare providers of the presence of any known risk factors that may be important in making clinical decisions about individual patient care.
The MWS database records contain individuals’ NHI numbers, donor information (e.g., heart or kidney), contact details for next of kin (name, relationship, and phone number), medical warnings (typically allergies and drug sensitivities, classified as “danger” or “warning” or unverified “report”), medical condition alerts (such as diabetes), and summaries of healthcare events (so far these have been limited to hospital admissions, showing dates of admission and discharge, hospital, and diagnosis or procedure code).
These two databases are maintained by the New Zealand Health Information Service (NZHIS), a division of the Ministry of Health formed in 1991. NZHIS is responsible for the collection, extraction, analysis, and distribution of health information.
The survey found that a statement on the Ministry Web site says access to the MWS is “restricted solely for the use of providers in the context of caring for that individual.” However, an estimated 20,000 people have direct access to the MWS and a further 70,000 potentially have access to it, so that in practice the security of the system probably relies heavily on the difficulty of obtaining the NHI number of the individual who is the subject of an unauthorized enquiry (Johnson, 2001).
The survey further reveals that the same Web site document states, in respect of the NHI and MWS systems, “The Privacy Commissioner will be continuously involved in ensuring that the very highest possible standards of integrity and probity are maintained.” Yet NZHIS do not appear to have taken any steps either to check with the Privacy Commissioner before making that statement or, having made the statement without the Commissioner’s knowledge or agreement, to involve him/her at all in checking arrangements for operation of these databases. At the least, therefore, the statement is misleading in suggesting a form of endorsement by the Privacy Commissioner.
During the survey, more than one doctor contacted admitted that they use a different name for transactions involving their own healthcare, because they do not trust the security of records held by hospitals, laboratories, and other healthcare agencies with which they deal. This implies that the more health records that are to be integrated, the more users that must be concerned about the possibility of security breaches in any one part of the larger system. This also implies that the functions of an information system can be subverted if it does not gain and keep the confidence of both users and subjects.
Who Has Access to Healthcare Information?
There are a variety of organizations and individuals who have an interest in medical data, and they are both within and outside of the healthcare industry. Usually access to the health information requires a patient’s agreement by signing a “blanket waiver” or “general consent forms” when the patient obtains medical care. Signing of such a waiver allows healthcare providers to release medical information to employers, insurance companies, medical practitioners, government agencies, court orders or legal proceedings, direct marketers, medical institutions, hospitals, and newsgroups/chat rooms on the Internet.
Employers have an interest in an employee’s fitness to work and fitness to perform particular tasks such as flying airplanes, controlling air traffic, and driving trains, buses, trucks, and cars. Some self-insured businesses establish a fund to cover the insurance claims of employees, which requires employees’ medical records to be open for inspection by employers instead of an insurance company.
Insurance companies seek to combat rising costs of care by using large amounts of patient data in order to judge the appropriateness of medical procedures. They may also have an interest in healthcare data about a person’s injuries and illnesses in relation to medical claims.
In New Zealand, the Accident Rehabilitation and Compensation Insurance Corporation (ACC), whose accident records are used to calculate workplace premiums, shares those records with healthcare organizations. For example, to be eligible for weekly compensation, an injured person must be (a) incapacitated through injury and (b) an earner at the time of the incapacity. ACC obtains medical opinion to establish incapacity, and it obtains information from Inland Revenue, employers, and accountants to satisfy the second criterion.
Medical practitioners have an explicit statutory obligation to disclose information on patients who have a serious physical condition, notifiable disease, or impairment that the doctor knows is likely to result in significant danger to the public (Clarke, 1990). In some cases it may be important that sensitive health data be conveyed as part of the information provided with a referral, in particular if the patient has been diagnosed as HIV-positive.
In the U.S., government agencies may request citizens’ medical records to verify claims made through Medicare, MediCal, Social Security Disability, and Workers Compensation. In New Zealand, government agencies such as Inland Revenue Department may share the information with healthcare organizations and ACC for tax and benefits purposes.
Medical Institutions and Clinical Researchers
Medical institutions such as hospitals or individual physicians require health information for evaluation of quality of service. This evaluation is required for most hospitals to receive their licenses. Clinical researchers and epidemiologists need health information to answer questions about the effectiveness of specific therapies, patterns of health risks, behavioral risks, environmental hazards, or genetic predisposition for a disease or condition (e.g., birth defects).
Drug companies want to know who is taking which drug so that they can conduct post-marketing surveillance and develop marketing strategies. Direct marketers use health-screening tests to collect medical information and build data banks for businesses that promote and sell products related to the information collected.
Court Orders/Legal Proceedings
In the U.S., medical records may be subpoenaed for court cases involving people who are party to litigation, an administrative hearing, or a workers’ compensation hearing. In the (less litigious) New Zealand context, this is more likely to involve the granting of powers of attorney to make decisions on medical matters for patients who are not capable of making such decisions.
Internet Service Providers/Users
The Internet is available for individuals to share information on specific diseases and health conditions. While the Web sites dispense a wide variety of information, there is no guarantee that information disclosed in any of these forums is confidential.
Mechanisms for Addressing Healthcare Privacy
Today, healthcare organizations face the challenge of maintaining easy access to medical and clinical data while increasing data security. Technology is only part of the solution. Many healthcare organizations have deployed, to varying degrees, mechanisms to protect the security and integrity of their medical records, such as strong enterprise-wide authentication, encryption, several levels of role-based access control, audit trails, computer misuse detection systems, protection of external communications, and disaster protection through system architecture as well as through physically separate locations. Another strategy splits the data across two databases: one holds patient identification and geographic information linked to an ID number, and the other holds the actual clinical information indexed by that patient ID number but no personal data (Ball et al., 2004). However, there are obstacles to the use of security technologies that are yet to be resolved.
Technological security tools are essential components of modern distributed healthcare information systems. At the highest level, they serve five key functions, as seen in Table 1 (Committee on Enhancing the Internet for Health Applications: Technical requirements and implementation strategies, 1997): availability, accountability, perimeter identification, controlling access, and comprehensibility and control.
However, these types of controls focus more on protecting information within healthcare provider institutions and do not address the problems of unrestricted exploitation of information (e.g., for data mining) after it has passed outside the provider institution to secondary players or to other stakeholders in the health information services industry (Committee on Enhancing the Internet for Health Applications: Technical requirements and implementation strategies, 1997). In New Zealand, the Health Intranet, a communications infrastructure that allows health information to be exchanged between healthcare providers in a secure way, defines six key elements that any security policy must address (New Zealand Health Information Service, 2001): confidentiality, integrity, authenticity, non-repudiation, auditing and accountability.
The primary goal of a security architecture design in the healthcare industry is the protection of the healthcare provider’s assets: hardware, software, network components, and information resources.
The Health Care Financing Administration (HCFA) (CPRI toolkit: Managing information security in health care, 2005) suggests that technical protection measures are traditionally grouped into three high-level categories:
Table 1. Functions of technological security tools
Availability: Ensuring that information is accurate and up to date when needed
Accountability: Ensuring that access to and use of information is based on a legitimate need and right to know
Perimeter identification: Knowing and controlling the boundaries of trusted access to the information system, both physically and logically
Controlling access: Ensuring that access is only to information essential to the performance of jobs and limiting access beyond a legitimate need
Comprehensibility and control: Ensuring that record owners, data stewards, and patients understand and have effective control over appropriate aspects of information privacy and access
• Confidentiality measures provide the mechanism to ensure that the privacy of information is maintained. Mechanisms include encryption (e.g., virtual private networks, end-to-end, and link level encryption).
• Integrity measures enhance the reliability of information by guarding against unauthorized alteration. Protection measures include: digital signature and strong authentication using certificates provided through the Public Key Infrastructure (PKI) initiative.
• Availability measures seek to ensure that information assets are accessible to internal and external users when needed and guard against “denial of service” attacks. Protection measures include: firewalls and router filters for mitigating availability risks created by denial of service attacks.
While developing guidelines for the British Medical Association (BMA) clinical security system, Ross Anderson (1996) identified several shortcomings of the UK National Health Service (NHS) wide network that are instructive for any security architecture built for the healthcare industry:
• The absence of an agreed common security policy enforced by all the systems that will connect to the network.
• The lack of confidence in the technical security measures such as firewalls.
• Many of the NHS-wide network applications are unethical in that they make personal health information available to an ever-growing number of administrators and others outside the control of both patient and clinician. Such availability contravenes the ethical principle that personal health information may be shared only with the patient’s informed and voluntary consent. For example, the administrative registers will record patients’ use of contraceptive and mental health services, while the NHS clearing system will handle contract claims for inpatient hospital treatment and contain a large amount of identifiable clinical information.
• Item of service and other information sent over existing electronic links between general practitioners and family health services authorities. While registration links are fairly innocuous, at least two suppliers are developing software for authorities that enables claims for items of service, prescriptions, and contract data to be pieced together into a “shadow” patient record that is outside clinical control (Advanced information system, Family Health Services computer unit, 1995; Data Logic product information at http://www.datlog.co.uk/).
Table 2. Key elements of a security policy
Confidentiality: Ensuring that the message is not readable by unauthorized parties whilst in transit by applying strong encryption tools, such as Digital Certificates
Integrity: Ensuring that the message is not damaged or altered whilst in transit by using secure private networks and Digital Signatures
Authenticity: Ensuring that the user is a trusted party by using user ID/password and/or Digital Certificates
Non-repudiation: Ensuring that the sender cannot claim the message is counterfeit, or deny sending and receiving it, by using secure private networks and Digital Signatures
Auditing: Recording user connectivity and site access for audit purposes
Accountability: Identifying clear responsibilities of organizations and individual users through compliance with Legislation and Security Policies
Table 3 shows a typical security architecture whose components are based on the ten basic security services identified by HCFA (physical security; firewalls; intrusion detection; access control; authentication; privacy and integrity (encryption); electronic signature/non-repudiation; virus protection; audit trail creation and analysis; and database security) and on a list of application-specific baseline requirements for the healthcare industry proposed by King et al. (2001). Some of the components and guidelines are also adopted from Anderson’s UK NHS model.
There is an increasing number of health practitioners transferring patient health information using electronic mail across wide area networks, for example, using mailbox systems to transfer registration data and item of service claims to family health services authorities, links between general practitioners and hospitals for pathology reports, and the use of Internet electronic mail to communicate with patients that require continuing management. Anderson (1996) suggests that the problem may be tackled using cryptography: encryption and digital signatures can protect personal health information against disclosure and alteration, whether accidental or malicious, while in transit through a network.
Table 3. Security architecture principles and guidelines
Encryption is required over all communications channels (e.g., Internet, ISP-based connections, dial up etc.). Confidential data must be kept encrypted on user laptops and workstations. Such information is to be disclosed only to named individuals on a need-to-know basis.
• Firewalls—Use at connection to Internet and boundary points.
• Physical Control—Central office and Data Center continued physical security; integrated smart card access control.
• Encryption—Application-specific, primarily DES-based and PKI-based key mgmt; SSL.
• Database Security—Proprietary, DBMS-specific; DAC, PKI-enabled; RBAC (role-based access control) integrated; DAC.
Business unit managed change control is required. Field-level change history must be maintained. Rollback functionality is required.
Encryption—Application-specific, primarily DES-based and PKI-based key management; SSL (Secure Socket Layer).
Virus scanning and redundant and high availability solutions are required. Strong system configuration, change control, and regular backup/restore processes are required.
Virus Prevention—Workstation-based and server-based program; signed applications.
Strong authentication (encrypted username and password, token, certificate).
Authentication—User ID and password-based with limited smart card pilots; Private key-based with multi-factor identification.
Encryption is a tool for denying an attacker any use of data intercepted in transmission or storage, for assuring the confidentiality and integrity of information, and for authenticating the asserted identity of individuals and computer systems; it works by rendering the data meaningless to anyone who does not know the “key.” Information that has been cryptographically wrapped cannot be altered without detection: for example, a health message from which personal identifiers have been removed, or in which crucial pieces have been encrypted, no longer has its original integrity, and the wrapping reveals the change. At the destination, the receiver decrypts the message using the same key (symmetric encryption) or a complementary but different key (asymmetric encryption) (New Zealand Health Information Service, 2001). Pretty Good Privacy (PGP) and GNU Privacy Guard (GnuPG) are commonly used third-party encryption packages, available free for most common makes of computer.
There are two families of encryption system: private-key (symmetric) encryption, in which sender and receiver share one secret key, and public-key (asymmetric) encryption. The long-standing private-key standard is the Data Encryption Standard (DES) algorithm, developed by IBM in the 1970s; because its 56-bit key is now too short to resist brute-force search, it is being replaced by the newer and more efficient Advanced Encryption Standard (AES), which the U.S. government chose after a long, open contest.
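As an added illustration of Anderson’s suggestion above that encryption and digital signatures protect health information in transit, and of the symmetric/asymmetric distinction just described, the following Go program is example code written for this page; it is not code from the chapter or from any of the systems it describes. It combines the two families the way real systems do: a fresh AES-256-GCM key encrypts the message (symmetric), the recipient’s RSA public key wraps that key (asymmetric), and the sender’s RSA private key signs the ciphertext, so a recipient can detect both alteration and impersonation. The message, key sizes, and field layout are this example’s assumptions, and it uses only the Go standard library.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SealedMessage is what crosses the network (layout is this example's own): the AES key
// wrapped for the recipient, the GCM nonce and ciphertext, and the sender's RSA-PSS signature.
type SealedMessage struct {
	WrappedKey, Nonce, Ciphertext, Signature []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// digest is what the signature covers: SHA-256 over nonce and ciphertext.
func digest(nonce, ct []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, nonce...), ct...))
	return h[:]
}

// Seal encrypts plaintext under a fresh AES-256 key (symmetric), wraps that key with
// RSA-OAEP for the recipient (asymmetric), and signs the result with the sender's RSA key.
func Seal(plaintext []byte, sender *rsa.PrivateKey, recipient *rsa.PublicKey) (*SealedMessage, error) {
	buf := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil) // ciphertext plus integrity tag
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest(nonce, ct), nil)
	if err != nil {
		return nil, err
	}
	return &SealedMessage{wrapped, nonce, ct, sig}, nil
}

// Open checks the sender's signature first, then unwraps the AES key and decrypts.
func Open(m *SealedMessage, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest(m.Nonce, m.Ciphertext), m.Signature, nil); err != nil {
		return nil, fmt.Errorf("rejected: altered in transit or not from the claimed sender (%w)", err)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, m.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, m.Nonce, m.Ciphertext, nil)
}

// Demo sends a constructed pathology result (fictitious NHI) from a general practice to a
// hospital, then flips one ciphertext byte as an attacker would, and reports both outcomes.
func Demo(gp, hospital *rsa.PrivateKey) (recovered string, tamperDetected bool, err error) {
	sealed, err := Seal([]byte("NHI ZZZ0016: HbA1c 58 mmol/mol"), gp, &hospital.PublicKey)
	if err != nil {
		return "", false, err
	}
	plain, err := Open(sealed, hospital, &gp.PublicKey)
	if err != nil {
		return "", false, err
	}
	sealed.Ciphertext[0] ^= 0x01 // alteration in transit
	_, err = Open(sealed, hospital, &gp.PublicKey)
	return string(plain), err != nil, nil
}

func main() {
	gp, err1 := rsa.GenerateKey(rand.Reader, 2048)
	hospital, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	recovered, detected, err := Demo(gp, hospital)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %q\ntampering detected: %v\n", recovered, detected)
}
```

The signature is checked before anything is decrypted, so a forged or altered message is rejected without ever exercising the decryption path; the RSA keys are only ever used on a 32-byte key or a 32-byte digest, never on the health data itself, which is the usual division of labour between the two families.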
Authorization and access control
Authorization by business unit or function and detailed role-based access control are required.
Access Control—Platform-specific access control lists; RBAC-based, centrally managed access.
Strict change controls are required. Field-level file change history must be maintained. Digital signatures for creator and the checker are required.
Electronic Signature—FIPS 140-1 digital signature; Escrow for encryption keys (not signing keys).
Auditing and monitoring
System-level for user-access, file changes, failed login attempts, alarms.
• Audit Trail Creation & Analysis—Logs generated on a platform-specific basis; Consistent log content, directive data reduction and analysis.
• Intrusion Detection—Automated monitoring of limited entry/exit points; Pro-active with integrated action plan.
Compliance with Legislation.
For example, HIPAA in the U.S., European Union Data Protection Directive or the Health Information Privacy Code 1994 in New Zealand.
According to Wayner (2002), the basic design of DES consists of two different and complementary actions: confusion and diffusion. Confusion consists of scrambling up a message or modifying it in some nonlinear way. Diffusion involves taking one part of the message and modifying another part so that each part of the final message depends on many other parts of the message. DES consists of 16 alternating rounds of confusion and diffusion.
Public-key encryption is quite different from DES. The most popular public-key system is the RSA algorithm, developed in the late 1970s, which uses a pair of keys: whatever one key encrypts, only the other key can decrypt. Each person creates a pair, publicizes one key (perhaps by listing it in an electronic directory), and keeps the other secret. Anyone who wants to send you a message encrypts it with your public key; only the matching private key can decrypt it, and only you hold that key. In practice RSA is used to sign a digest or to exchange a symmetric key rather than to encrypt bulk data. In a very abstract sense, the RSA algorithm works by arranging the set of all possible messages in a long loop in an abstract mathematical space (Wayner, 2002). Public-key cryptography is the underlying means for authenticating users, securing information integrity, and protecting privacy. For example, New Zealand North Health is planning to encrypt patients’ NHI numbers and deposit the information in a database, so that information about any individual can be retrieved only by means of the encrypted identifier.
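The two-database arrangement described earlier in this section (an identity database and a clinical database linked only by a patient identifier, per Ball et al.) and the North Health plan above to retrieve records only by an encrypted NHI can be shown in one small program. The following Go program is an added example written for this page and is not the chapter’s or North Health’s own code. Instead of reversible encryption it derives the lookup token with a keyed hash (HMAC-SHA256) over the NHI, which is a design choice of this example: the token is deterministic, so lookups work, but without the key an observer can turn it into neither an NHI nor a name, and there is no ciphertext to decrypt if the clinical database leaks. The types, the key, and the sample data are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Identity is a row of the identity database: demographics, filed by token.
type Identity struct{ NHI, Name, Address string }

// ClinicalEvent is a row of the clinical database. It carries no name or NHI,
// only the token it is filed under.
type ClinicalEvent struct{ Date, Hospital, Diagnosis string }

// Store keeps the two databases apart. Their only link is the pseudonymous
// token, and computing a token from an NHI needs the secret key, which is
// held by the lookup service and stored in neither database.
type Store struct {
	key      []byte
	identity map[string]Identity
	clinical map[string][]ClinicalEvent
}

func NewStore(key []byte) *Store {
	return &Store{key: key, identity: map[string]Identity{}, clinical: map[string][]ClinicalEvent{}}
}

// Pseudonym derives the lookup token as HMAC-SHA256(key, NHI). It is
// deterministic, so a patient always files under the same token, but without
// the key nobody can turn an NHI into a token or a token back into an NHI.
func (s *Store) Pseudonym(nhi string) string {
	mac := hmac.New(sha256.New, s.key)
	mac.Write([]byte(nhi))
	return hex.EncodeToString(mac.Sum(nil))
}

// Register files demographics in the identity database and returns the token.
func (s *Store) Register(id Identity) string {
	tok := s.Pseudonym(id.NHI)
	s.identity[tok] = id
	return tok
}

// AddEvent files a clinical event under the patient's token.
func (s *Store) AddEvent(nhi string, ev ClinicalEvent) {
	tok := s.Pseudonym(nhi)
	s.clinical[tok] = append(s.clinical[tok], ev)
}

// EventsFor is the authorised path: NHI -> token -> clinical rows.
func (s *Store) EventsFor(nhi string) []ClinicalEvent {
	return s.clinical[s.Pseudonym(nhi)]
}

// ClinicalRows is what someone holding only the clinical database sees:
// tokens and events, no names or NHIs.
func (s *Store) ClinicalRows() map[string][]ClinicalEvent {
	out := make(map[string][]ClinicalEvent, len(s.clinical))
	for tok, evs := range s.clinical {
		out[tok] = append([]ClinicalEvent(nil), evs...)
	}
	return out
}

// Reidentify maps a token back to a person. It needs the identity database,
// so it belongs behind the strictest access control of the three parts.
func (s *Store) Reidentify(token string) (Identity, error) {
	id, ok := s.identity[token]
	if !ok {
		return Identity{}, errors.New("no identity filed under this token")
	}
	return id, nil
}

func main() {
	// Constructed sample data; the NHI, name and address are fictitious.
	s := NewStore([]byte("constructed-demo-key; use a random secret in practice"))
	s.Register(Identity{NHI: "ZZZ0016", Name: "A. Patient", Address: "1 Example St"})
	s.AddEvent("ZZZ0016", ClinicalEvent{Date: "2005-03-14", Hospital: "Hospital A", Diagnosis: "E11"})
	for tok, evs := range s.ClinicalRows() {
		fmt.Printf("clinical row %s...: %v\n", tok[:12], evs)
	}
	fmt.Println("authorised lookup:", s.EventsFor("ZZZ0016"))
}
```

The practical consequence is that three separate compromises are needed to reach a named clinical record: the clinical database, the identity database, and the key (or the service that holds it), which is the point of the split.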
In wide area networks, both Secure Sockets Layer (SSL, since standardized as Transport Layer Security, TLS) encryption and IP Security (IPsec) should be deployed, allowing continued evaluation of different ways of securing transactions across the Internet. SSL carries messages over an encrypted channel so that a third party can neither read nor forge them; it authenticates the server (and optionally the client) with digital certificates and provides privacy through encryption. IPsec, a standards-based method of providing privacy, integrity, and authenticity to information transferred across IP networks, encrypts at the IP network layer, so it protects all traffic between two hosts or gateways regardless of the application.
Virtual Private Network (VPN)
Virtual private networks (VPNs) are standard secure links between organizations and their remote users that allow an organization’s local networks to be linked together without their traffic being exposed to eavesdropping, and they reduce the exposure of international network traffic to interception. With the increasing use of the Internet in the healthcare industry, VPNs play a significant role in securing privacy. VPNs use tunneling and strong encryption to let healthcare organizations establish secure, end-to-end, private network connections over third-party networks. Practical applications include accessing and updating patient medical records, teleconsultation for medical and mental health patients, electronic transfer of medical images (x-ray, MRI, mammography, etc.), psychiatric consultations, distance learning, and data vaulting (ScreamingMedia, 1999).
The Hawaii Health Systems Corporation (HHSC) has created a Virtual Private Healthcare Network and Intranet solution that allows for collaboration between its 12 hospitals, 3,200 employees, and 5,000 partners located worldwide. By creating a sophisticated healthcare network that supports high speed, broadband data connectivity, doctors, specialists, and administrators can collaborate throughout the State of Hawaii just as if they were together at the same hospital. This scalable solution also allows existing and future partners, clients, and suppliers to connect to the HHSC network to collaborate and share data. By using a unique subscription profile concept, the network provides impenetrable security and allows for the free and secure flow of mission critical data (ScreamingMedia, 1999).
When private networks carrying confidential data are connected to the Internet, firewalls must be utilized extensively to establish internal security boundaries for protecting the internal private network, computers, data, and other “electronic assets” from tampering or theft by outsiders. Firewalls are a collection of network computing devices such as routers, adaptive hubs, and filters working in tandem and configured to ensure that only expressly permitted packets of data may enter or exit a private network. Firewalls will screen all communication between the internal and external networks according to directives established by the organization. For example, Internet access to an internal patient data system should be entirely prohibited or limited only to those people authenticated by a password or security token (Committee on Enhancing the Internet for Health Applications: Technical requirements and implementation strategies, 2000).
Communications security is also important. Some general practices have branch surgeries and many hospitals have branch clinics, so the possibility of access via a dial-up modem from branches is often raised (Anderson, 1996). In such cases the main additional risk is that an outside hacker dials up the main system and gains access by guessing a password. To avoid this, Anderson (1996) suggests that there be no direct dial-in access to the main computer system; instead, the main system should dial back the branches at their known numbers. Users should also be educated to choose passwords with care, and all incidents should be investigated diligently.
Audit Trails and Intrusion Detection Monitoring
Transaction logs and audit trails are important because they allow changes to patient data to be closely monitored and traced: an audit trail records who altered a particular file and when.
The use of audit trails is invaluable, as they can be used as evidence in a court of law. The HCFA information systems create audit logs that record, in a centralized repository, logons and logoffs; instances where a role is granted or denied access; the individual acting in that role; the sensitivity level of the data or other asset accessed; and what type of access was performed or attempted (e.g., whether the requested action was to create, read, update, execute a program, or delete). Anderson (1996) suggests that periodic audits should be carried out, and that from time to time these should include penetration tests. For example, a private detective might be paid to obtain the personal health information of a consenting patient. In this way, any channels that have developed to sell information on the black market may be identified and closed off.
Intrusion detection is primarily a reactive function that responds as attacks are identified. HCFA recommends the use of intrusion detection software to monitor network and host-based assets and employ a computer emergency response team to report and respond when incidents occur.
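To make the audit-trail and intrusion-detection material concrete, here is an added example that is not code from the chapter, from HCFA, or from any product: a Go program that parses a constructed audit log in a key=value format of this example’s own devising and runs two review rules over it, a burst of failed logins and a bulk read of many distinct patient records in a short window (the classic sign of record snooping). The sample lines, the field names, and the thresholds are assumptions of the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// SampleLog is constructed for this example; the record format (RFC 3339 time, then key=value fields) is the example's own.
const SampleLog = `
2005-03-14T09:01:05Z user=jsmith role=nurse action=login result=FAIL
2005-03-14T09:01:20Z user=jsmith role=nurse action=login result=FAIL
2005-03-14T09:01:41Z user=jsmith role=nurse action=login result=FAIL
2005-03-14T09:06:00Z user=jsmith role=nurse action=read patient=P001 result=OK
2005-03-14T09:06:12Z user=jsmith role=nurse action=read patient=P002 result=OK
2005-03-14T09:06:30Z user=jsmith role=nurse action=read patient=P003 result=OK
2005-03-14T09:06:45Z user=jsmith role=nurse action=read patient=P004 result=OK
2005-03-14T09:07:02Z user=jsmith role=nurse action=read patient=P005 result=OK
2005-03-14T10:15:00Z user=drlee role=physician action=read patient=P001 result=OK`

type Event struct {
	Time   time.Time
	Fields map[string]string
}
type Alert struct{ Rule, User, Detail string }

// ParseLine splits one record into timestamp and fields; anything malformed is an error, never skipped.
func ParseLine(line string) (Event, error) {
	head, rest, _ := strings.Cut(line, " ")
	ts, err := time.Parse(time.RFC3339, head)
	if err != nil {
		return Event{}, err
	}
	ev := Event{Time: ts, Fields: map[string]string{}}
	for _, kv := range strings.Fields(rest) {
		p := strings.SplitN(kv, "=", 2)
		if len(p) != 2 {
			return Event{}, fmt.Errorf("bad field %q in %q", kv, line)
		}
		ev.Fields[p[0]] = p[1]
	}
	return ev, nil
}

// ParseLog parses a whole log. Records are assumed to be in time order, as an audit log is written.
func ParseLog(text string) ([]Event, error) {
	var events []Event
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		ev, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	return events, nil
}

// windowed fires rule once per user when the matching events within window of some matching event have at least threshold distinct keys.
func windowed(events []Event, rule string, match func(Event) bool, key func(int, Event) string, threshold int, window time.Duration) []Alert {
	byUser := map[string][]Event{}
	for _, ev := range events {
		if match(ev) {
			byUser[ev.Fields["user"]] = append(byUser[ev.Fields["user"]], ev)
		}
	}
	var alerts []Alert
	for user, evs := range byUser {
		for i := range evs {
			distinct := map[string]bool{}
			for j := i; j < len(evs) && evs[j].Time.Sub(evs[i].Time) <= window; j++ {
				distinct[key(j, evs[j])] = true
			}
			if len(distinct) >= threshold {
				alerts = append(alerts, Alert{rule, user, fmt.Sprintf("%d within %v from %s", len(distinct), window, evs[i].Time.Format(time.RFC3339))})
				break
			}
		}
	}
	return alerts
}

// FailedLoginBursts: at least threshold failed logins by one user inside window.
func FailedLoginBursts(events []Event, threshold int, window time.Duration) []Alert {
	return windowed(events, "failed-login-burst",
		func(e Event) bool { return e.Fields["action"] == "login" && e.Fields["result"] == "FAIL" },
		func(i int, _ Event) string { return fmt.Sprint(i) }, threshold, window) // every failure counts
}

// BulkRecordReads: at least threshold distinct patient records read by one user inside window.
func BulkRecordReads(events []Event, threshold int, window time.Duration) []Alert {
	return windowed(events, "bulk-record-read",
		func(e Event) bool { return e.Fields["action"] == "read" && e.Fields["result"] == "OK" },
		func(_ int, e Event) string { return e.Fields["patient"] }, threshold, window)
}

func main() {
	events, _ := ParseLog(SampleLog) // constructed input above, known to parse
	fmt.Println(FailedLoginBursts(events, 3, 5*time.Minute), BulkRecordReads(events, 5, 10*time.Minute))
}
```

Both rules are sliding windows over one user’s events, so the same helper serves them; the parser refuses malformed records rather than skipping them, because a reviewer who silently drops lines cannot later present the log as evidence of what happened.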
A newer technology, “biometric authentication,” is being used to replace passwords and other security measures with digital recognition of fingerprints or other unique attributes. Biometrics uses individual physiological characteristics (finger scan, iris scan, hand scan, and retina scan) or behavioral characteristics (voice and signature scans) to determine or verify identity; physiological biometrics are the most commonly used. Because biometric security is based on a unique feature of an individual’s body, for instance a fingerprint, it is very difficult to copy, steal, or replicate this information (The Independent Research Group, 2002). The corresponding caveat is that a biometric, unlike a password, cannot be changed if the stored template is compromised, so templates need the same protection as any other credential. Iris scanning is well suited to healthcare institutions: it verifies or identifies a person from the unique characteristics of the human iris, and its strengths include high resistance to false matching, the stability of the iris over time, and its usefulness both for access to healthcare information and for entry into physically secure locations, such as a medical record-keeping or information technology department.
A study done in Albuquerque, New Mexico indicates that the most effective technologies currently available for identification verification (i.e., verifying the claimed identity of an individual who has presented a magnetic stripe card, smart card, or PIN) are systems based on retinal, iris, or hand geometry patterns (Stevens, 1998). On the other hand, single-sign-on technology enables users to log on via user IDs and passwords, biometrics, or other means to gain immediate access to all information systems linked to a network (Clarke, 1990). Single sign-on (SSO) is the capability to authenticate to a given system/application once, and then all participating systems/applications will not require another authentication (King et al., 2001). Both technologies are designed to provide increased security in an unobtrusive manner (Clarke, 1990). St. Vincent Hospital and Health Care Services, Indianapolis had implemented a combined biometric and single-sign-on system in one of its acute care departments using different types of biometric readers to identify physicians and nurses.
Internet commerce interests are pushing forward aggressively on standards for developing and deploying token-based cryptographic authentication and authorization systems (e.g., the MasterCard-Visa consortium and CyberCash Inc.) (Siman, 1999). A smart card token is a card about the size of a credit card with a liquid crystal display on which a number appears that changes every minute or so. Each card generates a unique sequence of numbers over time from a secret it shares with the systems for which the user has been assigned access privileges, and those systems can generate the same sequence independently; the displayed number serves as a one-time session password. The card’s write-controlled internal memory supports services such as user-specific information storage, authentication, and cryptographic certificate management, and some cards add biometric access control features. Employees and appropriate contractors are issued smart cards or tokens that store a private key and other essential authentication information.
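The chapter does not name the token’s “shared secret algorithm.” The following Go program, an added example that is not the chapter’s or any vendor’s code, fills that gap with the widely used HOTP construction (RFC 4226: HMAC-SHA1 followed by dynamic truncation) driven by a 60-second time counter, which is what a display that changes every minute amounts to. The server side tolerates one step of clock drift and refuses to accept the same counter twice, so a code copied off the display or the wire cannot be replayed within its validity window. The step size, the secret, and the timestamps are this example’s assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// Step is how often the displayed number changes: "every minute or so" in the text, 60 s here.
const Step = 60 * time.Second

// HOTP returns the 6-digit code for one counter value using the RFC 4226 construction
// (HMAC-SHA1 followed by dynamic truncation). It stands in for the card's "shared secret
// algorithm", which the text does not name.
func HOTP(secret []byte, counter uint64) int {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	bin := (int(h[off])&0x7f)<<24 | int(h[off+1])<<16 | int(h[off+2])<<8 | int(h[off+3])
	return bin % 1000000
}

// Counter is the number of Steps elapsed since the Unix epoch at time t.
func Counter(t time.Time) int64 { return t.Unix() / int64(Step/time.Second) }

// TokenCode is the number the card displays at time t.
func TokenCode(secret []byte, t time.Time) string {
	return fmt.Sprintf("%06d", HOTP(secret, uint64(Counter(t))))
}

// Verifier is the server side: the same secret, a tolerance of +/-skew steps for clock
// drift, and the highest counter already accepted so that a code cannot be replayed.
type Verifier struct {
	secret   []byte
	skew     int64
	lastUsed int64
}

func NewVerifier(secret []byte, skew int64) *Verifier {
	return &Verifier{secret: secret, skew: skew, lastUsed: -1}
}

// Verify accepts code as the session password if it matches a not-yet-used counter
// within the skew window around now. The comparison is constant-time.
func (v *Verifier) Verify(code string, now time.Time) bool {
	c := Counter(now)
	for cand := c - v.skew; cand <= c+v.skew; cand++ {
		if cand < 0 || cand <= v.lastUsed {
			continue
		}
		expected := fmt.Sprintf("%06d", HOTP(v.secret, uint64(cand)))
		if hmac.Equal([]byte(code), []byte(expected)) {
			v.lastUsed = cand
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("constructed-shared-secret") // provisioned into both card and server
	now := time.Now()
	v := NewVerifier(secret, 1)
	code := TokenCode(secret, now)
	fmt.Println("card shows:", code)
	fmt.Println("first use accepted:", v.Verify(code, now))
	fmt.Println("replay accepted:", v.Verify(code, now))
}
```

Two details matter more than the arithmetic: the replay check (a valid code is good for at most one logon, however long the window), and the fact that the server must hold the same secret as the card, so the secret store on the server is as sensitive as the cards themselves.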
A serious threat to the confidentiality of personal health information in hospitals and health authorities is the poor design and lax administration of access controls (Anderson, 1996). Anderson stresses that, in particular, the introduction of networking may turn local vulnerabilities into global ones if the systems with ineffective access controls are connected together in a network, and then instead of the data being available merely to all staff in the hospital, they might become available to everyone on the network.
However, access controls must also be harmonized among networked systems, or moving information from one system to another could result in leaks. The solution for this is to have a common security policy that clearly states who may access what records and under what circumstances. Anderson emphasizes that the following are important to the implementation of effective access controls:
• A senior person such as a hospital manager or partner in general practice must be responsible for security, especially if routine administration is delegated to junior staff. Many security failures result from delegating responsibility to people without the authority to insist on good practice.
• The mechanisms for identifying and authenticating users should be managed carefully. For example, users should be educated to pick passwords that are hard to guess and to change them regularly; and terminals should be logged off automatically after being unused for five minutes.
• Systems should be configured intelligently. Dangerous defaults such as maintenance passwords and anonymous file transfer access supplied by the manufacturer should be removed. User access should be restricted to departments or care teams as appropriate. With hospital systems that hold records on many people, only a few staff should have access to the files of patients not currently receiving treatment.
In many hospitals all users may access all records and often share passwords and leave terminals permanently logged on for the use of everyone in a ward. Such behavior causes a breakdown of clinical and medicolegal accountability and may lead to direct harm: one case has been reported in which a psychiatric patient changed prescription information at a terminal that was left logged on (Anderson, 1996).
It is important for administrators to educate all users that passwords issued to an individual should be kept confidential and not be shared with anyone. When a user ID is issued to a temporary user who needs access to a system, it must be deleted from the system when the user has finished his or her work. All passwords should be distinctly different from the user ID, and ideally they should be alphanumeric and at least six characters in length. Also, passwords should be changed regularly, at least every 30 days. Rittinghouse and Ransome (2004) suggest that it is a good security practice for administrators to make a list of frequently used forbidden passwords. Standard passwords that are often used to get access to different systems for maintenance purposes are not recommended.
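The password and account rules in the two paragraphs above, written out as checks an administrator could run. This is an added example, not code from the chapter or from Rittinghouse and Ransome; the forbidden list and the sample accounts are constructed, and "alphanumeric" is read as containing both letters and digits.

```python
"""Password and temporary-account hygiene checks for the rules stated above.

Added example. Rules encoded: the password differs from the user ID, is
alphanumeric and at least six characters, is changed at least every 30 days,
is not on the administrator's forbidden list (standard maintenance passwords
included), and a temporary account is removed once its work is finished.
"""
from datetime import date, timedelta

MIN_LENGTH = 6
MAX_AGE_DAYS = 30

# Constructed sample of the forbidden-password list the text recommends.
FORBIDDEN = {"password", "maint", "admin", "letmein", "123456"}


def password_problems(user_id, password, last_changed, today):
    """Return a list of rule violations (an empty list means the password passes)."""
    problems = []
    lowered = password.lower()
    if lowered == user_id.lower() or user_id.lower() in lowered:
        problems.append("password must be distinctly different from the user ID")
    if len(password) < MIN_LENGTH:
        problems.append(f"password shorter than {MIN_LENGTH} characters")
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_letter and has_digit):
        problems.append("password must contain both letters and digits")
    if lowered in FORBIDDEN:
        problems.append("password is on the forbidden list")
    if (today - last_changed).days > MAX_AGE_DAYS:
        problems.append(f"password older than {MAX_AGE_DAYS} days")
    return problems


def accounts_to_remove(accounts, today):
    """User IDs of temporary accounts whose work has finished and must be deleted.

    `accounts` is a list of dicts with keys user_id, temporary (bool) and
    expires (date or None); the shape is an assumption for the example.
    """
    return [a["user_id"] for a in accounts
            if a["temporary"] and a["expires"] is not None and a["expires"] <= today]


if __name__ == "__main__":
    today = date(2005, 6, 1)
    print(password_problems("jsmith", "jsmith1", today - timedelta(days=5), today))
    print(password_problems("jsmith", "x7kq2p", today - timedelta(days=45), today))
    sample = [  # constructed sample accounts
        {"user_id": "temp01", "temporary": True, "expires": date(2005, 5, 30)},
        {"user_id": "jsmith", "temporary": False, "expires": None},
        {"user_id": "temp02", "temporary": True, "expires": date(2005, 6, 10)},
    ]
    print(accounts_to_remove(sample, today))
```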
Database authentication and access control will be public-key enabled and role-based. This means that a user will employ a multi-factor authentication procedure based on knowledge of his or her private key to obtain access to a database. Once authentication is complete, access, sometimes down to the record level, will be granted or denied based on the user's roles and associated privileges. Database security will be implemented on a discretionary access control (DAC) basis.
Social Engineering and Careless Disclosure Safeguards
The weakest link in security will always be people, and the easiest way to break into a system is to engineer your way into it through the human interface (CPRI toolkit: Managing information security in health care, 2005). The main threat to the confidentiality of clinical records is carelessness in handling telephone, e-mail, and fax inquiries, instant messaging, and on-site visits, and inadequate disposal of information.
According to King et al. (2001), social engineering safeguards consist of non-technical (procedural) means that include: security training for all corporate users; security awareness training for all system administration personnel with well-documented procedures, handling, and reporting; and security awareness training for personnel responsible for allowing outside visitors into restricted areas (such as assigned escorts).
With regard to careless disclosure, Anderson (1996) developed a set of common-sense rules that the best practices have used for years and that have been agreed by the UK NHS Executive. Whether records are computerized or not, these rules of best practice can be summed up as clinician-consent-call back-care-commit:
• Only a clinician should release personal health information. It should not be released by a receptionist or secretary.
• The patient’s consent must be obtained, except when the patient is known to be receiving treatment from the caller or in the case of emergency or the statutory exemptions. In the latter two cases the patient must be notified as soon as reasonably possible afterward.
• The clinician must call back if the caller is not known personally, and the number must be verified, for example, in the Medical Directory. This procedure must be followed even when an emergency is claimed, as private investigators routinely claim emergencies.
• Care must be taken, especially when the information is or may be highly sensitive, such as HIV status, details of contraception, psychiatric history, or any information about celebrities.
• The clinician must commit a record of the disclosure to a ledger. This should have the patient’s name; whether consent was sought at the time (and, if not, the date and means of notification); the number called back and how it was verified; and whether anything highly sensitive was disclosed.
In addition, the guidelines for disclosure by telephone should also apply to faxes. Verifying the identity or, failing that, the location of the caller is just as important as it is when disclosing personal health information over the telephone. It is important, and it is the BMA's established advice, that personal health information should be faxed only to a machine that is known to be secure, and only during working hours.
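The five disclosure rules above, plus the fax rule, expressed as a decision function that either refuses the request with reasons or commits the ledger entry the fifth rule requires. This is an added example, not from the chapter or the NHS/BMA guidance it cites; the request and ledger field names are assumptions.

```python
"""Policy-as-code for the clinician-consent-call back-care-commit rules.

Added example. A request is evaluated against each rule; on approval the
disclosure is written to the ledger with the fields the text lists.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass
class DisclosureRequest:          # field names are assumptions for the example
    patient: str
    releaser_role: str            # must be "clinician"
    channel: str                  # "telephone" or "fax"
    caller_known_personally: bool
    caller_treating_patient: bool
    consent_obtained: bool
    emergency_claimed: bool
    statutory_exemption: bool
    callback_number: Optional[str]
    number_verified_via: Optional[str]   # e.g. "Medical Directory"
    fax_machine_known_secure: bool = False
    within_working_hours: bool = True
    sensitive: bool = False       # HIV status, contraception, psychiatric history, celebrity


def evaluate(req: DisclosureRequest, ledger: List[dict],
             now: datetime) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). On approval, append the ledger entry in place."""
    reasons = []
    # Clinician: only a clinician may release, never a receptionist or secretary.
    if req.releaser_role != "clinician":
        reasons.append("only a clinician may release personal health information")
    # Consent: required unless the caller is treating the patient, an emergency
    # is claimed, or a statutory exemption applies.
    consent_ok = (req.consent_obtained or req.caller_treating_patient
                  or req.emergency_claimed or req.statutory_exemption)
    if not consent_ok:
        reasons.append("patient consent required")
    # Call back: whenever the caller is not known personally, even if an
    # emergency is claimed, on a number that was independently verified.
    if not req.caller_known_personally and not (req.callback_number
                                                and req.number_verified_via):
        reasons.append("call back on an independently verified number required")
    # Fax rule: only to a machine known to be secure, during working hours.
    if req.channel == "fax" and not (req.fax_machine_known_secure
                                     and req.within_working_hours):
        reasons.append("fax only to a machine known to be secure, during working hours")
    if reasons:
        return False, reasons
    # Commit: record the disclosure. If consent was not sought because of an
    # emergency or exemption, the patient must be notified afterwards.
    notify_later = (not req.consent_obtained
                    and (req.emergency_claimed or req.statutory_exemption))
    ledger.append({
        "patient": req.patient,
        "time": now.isoformat(timespec="minutes"),
        "consent_sought": req.consent_obtained,
        "patient_to_be_notified": notify_later,
        "called_back": req.callback_number,
        "verified_via": req.number_verified_via,
        "sensitive": req.sensitive,   # "care" rule: flag highly sensitive disclosures
    })
    return True, []
```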
Equipment Theft, Loss, and Damage
Anderson (1996) considers the most serious threat to the continued availability of computerized clinical information in general practice to be theft of the computer, which has been experienced by over 10% of the general practices surveyed. Data can also be destroyed in other ways, such as by fire, flood, equipment failure, and computer viruses. He suggests that physical security measures must be taken, and that hygiene rules to control the risk of computer virus infestation must be applied together with a tested recovery plan.
Most organizations do not perform realistic tests of their procedures, with the result that when a real disaster strikes, recovery is usually held up for lack of manuals and suppliers' phone numbers. It is therefore important to carry out a drill based on a realistic scenario, such as the complete destruction of a surgery or hospital computer room by fire, and to perform a full system recovery to another machine from backup media held off site. Another measure is to keep several generations of backups, because in cases of equipment failure and virus attack it may take time to notice that something has gone wrong. A typical schedule in a well-run establishment might involve backups aged one, two, three, four, eight, and twelve weeks, as well as daily incremental backups.
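The generation schedule and the off-site recovery drill described above, worked through in code. This is an added example, not from the chapter or from Anderson; it assumes weekly full backups plus daily incrementals represented as (date, kind, off_site) tuples, and the selection rule (the available full backup nearest each target age) is an assumption about how such a schedule is applied.

```python
"""Backup generation rotation and restore chain for the schedule described above.

Added example. `fulls_to_keep` chooses which full backups to retain so that
generations aged 1, 2, 3, 4, 8 and 12 weeks survive; `restore_chain` lists the
media a recovery drill would actually need, optionally restricted to media
held off site (the only media that survive a computer-room fire).
"""
from datetime import date, timedelta

# Ages, in weeks, of the full backups the text says a well-run site keeps.
KEEP_WEEKS = (1, 2, 3, 4, 8, 12)


def fulls_to_keep(backups, today):
    """Pick the full backup nearest each target age; returns the dates to retain, oldest first."""
    fulls = sorted(d for d, kind, _ in backups if kind == "full")
    keep = set()
    for weeks in KEEP_WEEKS:
        target = today - timedelta(weeks=weeks)
        candidates = [d for d in fulls if d not in keep]
        if candidates:
            keep.add(min(candidates, key=lambda d: abs((d - target).days)))
    return sorted(keep)


def restore_chain(backups, today, require_off_site=True):
    """Most recent usable full backup plus every later incremental, oldest first.

    With require_off_site=True only media held off site count, which is what
    a fire-destroys-the-computer-room drill must rely on. Returns [] if no
    usable full backup exists, i.e. the drill would fail.
    """
    usable = [(d, k) for d, k, off in backups if off or not require_off_site]
    fulls = [d for d, k in usable if k == "full" and d <= today]
    if not fulls:
        return []
    base = max(fulls)
    chain = [(base, "full")]
    chain += sorted((d, "incremental") for d, k in usable
                    if k == "incremental" and base < d <= today)
    return chain


def sample_backups(today):
    """Constructed sample set: 14 weekly fulls and a week of daily incrementals.

    The two-week-old full is deliberately marked as not held off site.
    """
    fulls = [(today - timedelta(weeks=w), "full", w != 2) for w in range(1, 15)]
    incs = [(today - timedelta(days=d), "incremental", True) for d in range(0, 7)]
    return fulls + incs


if __name__ == "__main__":
    today = date(2005, 6, 5)
    bk = sample_backups(today)
    print("retain fulls dated:", [str(d) for d in fulls_to_keep(bk, today)])
    print("off-site restore chain:", restore_chain(bk, today))
```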
Limitations of Security Technologies
Despite an aggressive move toward computerized healthcare records in recent years and ongoing parallel technological improvements, there are still limitations of the security technologies to achieve usable and secure systems (Gillespie, 2001).
Firewalls do not offer perfect protection, as they may be vulnerable to so-called tunneling attacks, in which packets for a forbidden protocol are encapsulated inside packets for an authorized protocol, or to attacks involving internal collusion (Gillespie, 2001). One of the concerns with firewalls is that most of them pass traffic that appears to be Web pages and requests, so more and more traffic is made to look that way, since that is the way to get things to work through the firewall. The resulting solution is to re-implement whole applications as Web services (Webmail being a good example). These pressures continually erode the effectiveness of firewalls (Ateniese et al., 2003). For example, the NHS Network in Britain is a private intranet intended for all health service users (family doctors, hospitals, and clinics — a total of 11,000 organizations employing about a million staff in total). Initially, this had a single firewall to the outside world. The designers thought this would be enough, as they expected most traffic to be local (as most of the previous data flows in the health service had been). What they did not anticipate was that as the Internet took off in the mid-1990s, 40% of traffic at every level became international. Doctors and nurses found it very convenient to consult medical reference sites, most of which were in America. Trying to squeeze all this traffic through a single orifice was unrealistic. Also, since almost all attacks on healthcare systems come from people who are already inside the system, it was unclear what this central firewall was ever likely to achieve (Ateniese et al., 2003).
The basis for many of the features desired for security in healthcare information systems depends on deploying cryptographic technologies. However, there are limitations to the use of cryptography. One problem is that security tools based on cryptography are still largely undeployed. One general weakness is poor use of the system by individuals: easily guessed passwords for the cryptographic system are chosen, or passwords are written down on a sticker stuck to the notebook, or people use the same password across different systems. The password then becomes as safe as the weakest system that is using it (which will often be something like a Web browser that has been told to remember the password) (Anderson, 2005; Gutmann, 2005). The other problem is that cryptography does not solve the security problem; rather, it transforms the access problem into a key management problem, including authentication, digital signatures, information integrity management, session key exchange, rights management, and so on. It is observed that as the scope of key management services grows, trust in the integrity of key assignments tends to diminish, and the problems of revocation in the case of key compromise become much more difficult (Gillespie, 2001). Although public key infrastructure can help deal with the problem, it has also introduced complexities of its own. This has led to organizations effectively misusing cryptographic keys, as managing them appropriately has become too complex. The simplest example is that everyone in the organization really does get the same key.
The deployment of biometrics has proven advantageous to healthcare providers because it provides added security, convenience, reduction in fraud, and increased accountability. It increases the level of security by providing access to health information to authorized individuals and locking out those with nefarious intent. However, there are drawbacks to the technology. For example, when performing an iris scan, individuals must remain perfectly still during enrollment and presentation, or the system will not be able to scan the iris, causing false non-match and failure-to-enroll anomalies to occur. Reid (2004) further identified a few drawbacks to biometrics: hardware costs, user perception, placement, and size. For example, iris scans require specialized cameras with their own unique light source that can be very expensive. The user perception of having infrared light shined into the eye is quite disconcerting. Getting the iris into the proper position can be quite time consuming. Some cameras can use eye recognition techniques to try to auto-pan and focus the camera, but such solutions do increase the cost of the camera and may still require some user coordination. The current size of the camera, which has been reduced to that of a desktop camera on steroids, is still very large. It needs further reduction to be able to work efficiently on a desk.
Hardware and Software Costs
The costs of putting secure technologies in place can be tremendous. Very often the implementation of secured systems requires procurement of new software and hardware as the legacy system becomes obsolete. Unfortunately, there are not many commercial tools readily available in the market to integrate legacy systems into modern distributed computing environments. Furthermore, such integration will involve many database content inconsistencies that need to be overcome, including patient identifier systems, metadata standards, information types, and units of measurement.
Overall, the lack of standards for security controls and for vendor products that interoperate between disparate systems will hinder the implementation and enforcement of effective security solutions.
The importance of assuring the privacy and confidentiality of health information has always been acknowledged. However, up until recently the legal protection for personal information has been patchy and disorganized (ScreamingMedia, 1999).
The healthcare industry is currently going through an overhaul to meet government-mandated regulations stemming from HIPAA to ensure patient confidentiality, privacy, and efficiency. HIPAA, which was passed in 1996 and took effect in 2001, gives consumers the right to their medical records, to limit disclosure, and to add or amend their records. Providers must have complied by April 2003. Entities covered include health insurers, physicians, hospitals, pharmacists, and alternative practitioners such as acupuncturists.
HIPAA requires all healthcare providers, health insurers, and claims clearinghouses to develop and implement administrative, technical, and physical safeguards to ensure the security, integrity, and availability of individually identifiable electronic health data. Failure to comply with HIPAA can result in civil fines of up to $25,000 a year for each violation of a standard. Because HIPAA encompasses dozens of standards, the fines can add up quickly, and wrongful disclosure of health information carries a criminal fine of up to $250,000, 10 years imprisonment, or both (King et al., 2001).
In New Zealand, the Privacy Act, which came into force on July 1, 1993, provides a measure of legal protection for all personal information, including health information, and applies to the public and private sectors and to information held in both paper and electronic formats.
The Health Information Privacy Code 1994, which is consistent with the provisions of the Privacy Act 1993 (s.46), was issued by the Privacy Commissioner specifically to protect the privacy of personal health information. While the code protects personal health information relating to an identifiable individual, it does not apply to statistical or anonymous information that does not enable the identification of an individual.
The Medicines Act 1981 was issued by the Ministry of Health to penalize any unauthorized sale of prescription medicines, publication of advertisements containing insufficient information about precautions and side effects, and advertising the availability of new medicines before their approval for use in New Zealand. Under Section 20, the maximum penalty for an individual is up to six months imprisonment or a fine not exceeding $20,000. Sections 57 and 18 have a maximum penalty for an individual of three months imprisonment and a fine not exceeding $500.
European Union Data Protection Directive
International action may further affect the ways in which personal health information is transmitted over the Internet. The EU Data Protection Directive, which went into effect on October 25, 1998, requires EU member states to block outbound transmissions of data to countries that do not have laws providing a level of privacy protection similar to that in the country where the data originated (Siman, 1999). The directive affords the people to whom the data refer a host of rights, including the right to be notified of data collection practices, to access information collected about them, and to correct inaccuracies (Stevens, 1998). In 1998, New Zealand addressed three aspects of the Privacy Act to ensure it is adequate for the purposes of the EU directive. This is important for New Zealand businesses dealing in personal data originating from Europe because the directive limits the exportation of data to third countries (countries outside the EU) that do not have adequate privacy protection (Wiles, 1998). The three aspects are:
• The channeling of data from Europe through New Zealand to unprotected data havens;
• Limits on who may exercise rights of access and correction under the Privacy Act; and
• The complaints process. “With a long queue of complaints awaiting investigation, the EU may have concerns that our complaints system is not sufficiently resourced to provide timely resolution of complaints.”
In view of the above, the Privacy Commissioner noted that the Privacy Act is built upon a desire that the collection, holding, use, and disclosure of personal information should be carefully considered and that all activities in this area should be as open as possible.
The growth of wireless computing in healthcare will take place for two reasons (The Independent Research Group, 2002):
• For all electronic medical record systems to work, physicians cannot be tied down to wired PC workstations. They will need to use some type of wireless device that allows them access to the relevant hospital databases.
• As the cost of healthcare continues to rise, many individuals are being treated on an outpatient basis. To keep track of an outpatient’s vital statistics or signal when the patient needs immediate medical attention, many pervasive devices, such as toilet seats, scales, smart shirts, smart socks, and pacemakers, are being developed that collect relevant patient information. Collected data can then be transmitted via a wireless device using a wireless or mobile network to the patient’s physician, who can then decide on possible interventions.
In recent years, technological advancements in sophisticated applications and interoperability have increased the popularity of wireless LANs (WLANs) and the use of wireless technology in healthcare. Also, with the faster connection speeds of broadband LANs, healthcare providers have developed a number of applications to improve patient safety and the healthcare delivery process. According to Kourey (2005), the use of personal digital assistants (PDAs) has become increasingly popular. This is because “PDAs provide access to data and e-mail, store and retrieve personal and professional information and facilitate communication in wireless environments, their use among healthcare professionals has skyrocketed. Industry experts predict the trend to continue. In 2001, 26% of American physicians used handheld devices for tasks related to patient care. While some experts predict this number to reach 50% by 2005.” Increasingly, clinicians can check on patient data or order treatments through secure wireless networks from anywhere in the hospital. For example (Hermann & Norine, 2004):
• A nurse is automatically notified on a handheld wireless device that a patient’s blood pressure is falling.
• A doctor on rounds receives the results of an important blood test on a wireless PDA instead of having to call the lab for the information.
• A telemetry system records the vital signs of dozens of patients in critical care and sends them wirelessly to a central control station for continuous, around-the-clock monitoring.
• A surgeon completing a procedure writes after-care orders while still in the operating room and transmits them to the clinical information system, making them instantly part of the patient’s electronic record.
Rittinghouse and Ransome (2004) stress that employees who have not been properly educated about wireless security may not realize the dangers a wireless network can pose to an organization, given wireless computing is still a very new technology. They classify WLAN security attacks into two types:
• Passive attacks — An unauthorized party simply gains access to an asset and does not modify its content (i.e., eavesdropping). While an attacker is eavesdropping, he or she simply monitors network transmissions, evaluating packets for specific message content. For example, a person may listen to the transmissions broadcast between two workstations on a LAN, or intercept the transmissions that take place between a wireless handset and a base station.
• Active attacks — An unauthorized party makes deliberate modifications to messages, data streams, or files. It is possible to detect this type of attack, but it is often not preventable. Active attacks usually take one of four forms (or some combination of these):
1. Masquerading: The attacker will successfully impersonate an authorized network user and gain that user’s level of privileges.
2. Replay: The attacker monitors transmissions (passive attack) and retransmits messages as if they were sent by a legitimate user.
3. Message modification: The attacker alters legitimate messages by deleting, adding, changing, or reordering the content of the message.
4. Denial-of-service (DoS): A condition in which the attacker prevents normal use of the network.
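A receiver-side check that detects three of the four active attack forms listed above (masquerading, replay and message modification) on a link protected by a shared key: each message carries an HMAC over the sender, a per-sender sequence number and the payload. This is an added example, not from the chapter or from Rittinghouse and Ransome; the key, sender names and payloads are constructed, and denial of service is not addressed by it.

```python
"""Detecting forged, replayed and modified messages with an HMAC and sequence numbers.

Added example. A message whose tag does not verify was either altered in
transit (message modification) or built by someone without the key
(masquerading); a message with a valid tag but a sequence number that is not
higher than the last one accepted from that sender is a replay.
"""
import hashlib
import hmac
import json

KEY = b"constructed-demo-key-not-for-use"   # shared between sender and receiver


def _canonical(sender, seq, payload):
    """Deterministic byte encoding of the fields the tag must cover."""
    return json.dumps({"sender": sender, "seq": seq, "payload": payload},
                      sort_keys=True, separators=(",", ":")).encode()


def seal(key, sender, seq, payload):
    """Build a message whose tag binds sender, sequence number and payload together."""
    tag = hmac.new(key, _canonical(sender, seq, payload), hashlib.sha256).hexdigest()
    return {"sender": sender, "seq": seq, "payload": payload, "tag": tag}


class Receiver:
    """Verifies tags and enforces strictly increasing sequence numbers per sender."""

    def __init__(self, key):
        self.key = key
        self.last_seq = {}     # sender -> highest sequence number accepted so far
        self.rejected = []     # (reason, sender, seq) tuples for the audit log

    def accept(self, msg):
        body = _canonical(msg["sender"], msg["seq"], msg["payload"])
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        # compare_digest avoids leaking tag information through timing.
        if not hmac.compare_digest(expected, msg["tag"]):
            self.rejected.append(("bad tag: modified or forged", msg["sender"], msg["seq"]))
            return False
        # Gaps are tolerated (lost packets); going backwards or standing still is not.
        if msg["seq"] <= self.last_seq.get(msg["sender"], -1):
            self.rejected.append(("replay: sequence not increasing", msg["sender"], msg["seq"]))
            return False
        self.last_seq[msg["sender"]] = msg["seq"]
        return True


if __name__ == "__main__":
    rx = Receiver(KEY)
    reading = seal(KEY, "pda-ward3", 1, {"patient": "P001", "bp": "118/76"})  # constructed
    print("first delivery accepted:", rx.accept(reading))
    print("same message again accepted:", rx.accept(reading))
    print("audit log:", rx.rejected)
```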
When patient information is sent wirelessly, additional security measures are advisable, although a well-defined wireless utility basically protects confidentiality and restricts where the signal travels (Hermann & Norine, 2004). Tabar (2000) suggests that the growth of new technology also creates a unique security threat and requires user authentication protocols. For example, PDAs, laptops, and even mobile carts can fall into unauthorized hands, so the electronic ID must be stored elsewhere. Vendors are working on solutions such as hardware ID tokens that are inserted into the mobile devices before use and radio transmitter tracking devices. Browser-based-only applications on the mobile computing device are also used, so that the patient data resides only on the server and cannot be accessed by the mobile computing device once it is outside the WLAN coverage area. Turisco and Case (2001) argue that while vendors are responsible for code sets, encryption, privacy, and audit trails, user organizations need to manage the device with extreme care. Physical security is of paramount concern in wireless communications. The device needs to be turned off when not in use and kept in a safe place. Tabar (2000) concurs that the greatest hurdle in information security still rests with the user, and no technology can make up for slack policies and procedures. “Changing perceptions, culture and behavior will be the biggest challenges,” says Monica Summers, IS Director at Beaufort Memorial Hospital, Beaufort, S.C. “It’s not just the technology. You could slap down $5 million in technology, and it won’t stop people from giving out their password.” (Tabar, 2000).
Privacy is not just about security measures, but is at least as much about what information is collected and collated and is practically recoverable. Health information has always been regarded as highly sensitive and must be protected by medical ethics and privacy legislation. The emergence of new technology and new organizational structures in the healthcare industry has opened up the means and the desire to collect and collate such information in ways never previously considered.
The increased use of the Internet and the latest information technologies such as wireless computing are revolutionizing the healthcare industry by improving healthcare services and, perhaps most importantly, empowering individuals to understand and take charge of their own healthcare needs. Patients become involved and actively participate in healthcare processes, such as diagnosis and treatment, through secure electronic communication services. Patients can search healthcare information over the Internet and interact with physicians. This enhances and supports human rights in the delivery of healthcare. The same technologies have also heightened privacy awareness. Privacy concerns include: healthcare Web sites that do not practice the privacy policies they preach, computer break-ins, insider and hacker attacks, temporary and careless employees, virus attacks, human errors, system design faults, and social engineering. Other concerns are the collection, collation, and disclosure of health information. Healthcare providers and professionals must take into account the confidentiality and security of the information they collect and retain. They must also ensure that their privacy policies and secure technologies meet public expectations and abide by the law. Such policies and technologies must also be implemented to ensure the confidentiality, availability, and integrity of medical records. If this is not done, resources could be wasted in developing secure systems that never reach fruition, and the new systems will never gain the confidence of the public or of the health professionals who are expected to use them.
Technology is, to a large extent, both the cause of and the solution to concerns about the protection of personal health information. However, there are limitations to the secure technologies that need on-going research and development. Technologies, if coupled with physical security control, employee education, and disaster recovery plans, will be more effective in securing healthcare privacy. Further advances of new information technologies, if designed and monitored carefully, will continue to benefit the healthcare industry. Yet patients must be assured that the use of such technologies does not come at the expense of their privacy.