
Journal of the American Medical Informatics Association Volume 3 Number 2 Mar / Apr 1996


Review

Privacy, Confidentiality, and Electronic Medical Records

RANDOLPH C. BARROWS, JR., MD, PAUL D. CLAYTON, PHD

Abstract: The enhanced availability of health information in an electronic format is strategic for industry-wide efforts to improve the quality and reduce the cost of health care, yet it brings a concomitant concern of greater risk for loss of privacy among health care participants. The authors review the conflicting goals of accessibility and security for electronic medical records and discuss nontechnical and technical aspects that constitute a reasonable security solution. It is argued that with guiding policy and current technology, an electronic medical record may offer better security than a traditional paper record.

JAMIA. 1996;3:139-148.

One purpose of electronic medical records (EMRs) is but experience is lacking to ascertain whether current
to increase the accessibility and sharing of health rec- technologies are satisfactory for health care. As yet,
ords among authorized individuals. Privacy of infor- no model security implementations exist in any clin-
mation collected during health care processes is nec- ical computing environment,34 although awareness of
essary because of significant economic, psychologic, risks and of possible technical solutions is increasing.
and social harm that can come to individuals when
In this review, we examine the extent to which fears
personal health information is disclosed.“F34dsWith re-
mote access to distributed health data, or the pooling of the loss of privacy due to EMRs are justified, and
of health data from multiple sites in a central reposi- we discuss measures to protect the security of health
data. We also consider the trade-offs between acces-
tory, the potential for loss of information privacy is
sibility and security of EMRs compared with paper
greater than in isolated EMR systems, or in systems
records.
with paper medical records, when proper safeguards
are not taken. With appropriate safeguards, however,
computer-based medical records may actually offer Goalsof Informantional
SecurityIn HealthCare
more security than traditional paper-record systems.
Applicable security technologies exist and have A cohesive informational security policy is lacking
proved effective in the banking and military sectors, across institutions, counties, and states, and govern-
mental and nongovernmental committees are grap-
pling with difficult policy details that have far-reach-
Affiliation of the authors: Department of Medical Informatics,
ing consequences. Although the establishment and
Columbia University, New York, NY. implementation of security policies may be challeng-
ing, the goals of information security in health care
Correspondence and reprints: Randolph C. Barrows, Jr., MD,
Center for Medical lnformatics, Columbia Presbyterian Medical
can be simply stated10,20,20
Center, 1310 Atchley Pavilion, 161 Fort Washington Avenue,
New York, NY 10032. e-mail: barrows@cucis.cis.columbia.edu 1. To ensure the privacy of patients and the confiden-
Received for publication: 11/2/95; accepted for publication: tiality of health care data (prevention of unauthor-
11/8/95. ized disclosure of information)
140 BARROWS, CLAYTON, Privacy, Confidentiality, and Medical Records

2. To ensure the integrity of health care data (preven- that an attacker will not spend inordinate resources
tion of unauthorized modification of information) (money and time) on attempting to acquire such data
by computer break-m or cryptanalytic attack. Specif-
3. To ensure the availability of health data for au- ically desired information, as always, might be avail-
thorized persons (prevention of unauthorized or able with less trouble and expense via “social engi-
unintended withholding of information or re- neering” techniques (bribery, extortion, personal
sources) misrepresentation of identity, and so forth). The health
data of celebrities and other prominent persons may
The goal of information privacy raises issues of access be of greater monetary value in certain markets, but
control (user authentication and authorization) and currently available (although not necessarily imple-
the application of cryptographic protocols for data mented) security mechanisms, such as system man-
transmission and storage. The goal of data integrity agement, access control, and encryption techniques,
introduces the need for electronic user and data au- are sufficient to thwart or detect the covert activities
thentication?” The goal of data availability raises is- of hospital employees, newspaper reporters, relatives,
sues of access control, system reliability, and backup and other unsophisticated attackers.
mechanisms (system and data redundancy). The pol-
icy and technical aspects of these and related issues Another example of potential threats comes from in-
are discussed below. formation-hungry employers, insurance companies,
and managed care organizations. These organizations
security Policy have greater economic resources, along with the mo-
tivation of significant profit from what they can know
about individuals. Unethical operations in such in-
As many others have pointed out:J,11s4J9the main
dustries could allocate a high-end computer to the
problem with information security in health care is
task of breaking a cryptographic key used in the
not technology, but a lack of cohesive security policy.
transmission of health data over inexpensive public
Policy must shape technology, not vice versa. Security
channels. The 1995 cost of a machine capable of break-
policy defines what is to be protected, to what rea-
ing a Data Encryption Standard of the U.S. govem-
sonable degree protections will be afforded, and who
ment (DES) key within 1 year (with an 8% chance
is privileged to accessprotected items. A policy is in-
per month) is only $64,000.35Profit-motivated health
fluenced by:
care-related organizations and unethical “private in-
vestigators” might be willing to make this investment
1. The functional requirements of an information sys- and, for example, gather HIV data, which could be
tem (what users need to accomplish from the used on a covert basis to deny medical insurance
system) coverage.
2. The security requirements for the system (items
The above threats concern attacks on patient privacy,
that need to be protected) but threat models should also consider attacks on the
3. A threat model (the expected motives and re- integrity and availability of health data. Such threats
sources of potential perpetrators) might come from malevolent “hackers,” natural dis-
asters, or mechanical failures and could potentially
The role of policy is to balance the functional and se- cost data guardians more than any breach in confi-
curity requirements of a system, which are typically dentiality.
at odds. Security requirements can often be tempered The Data Security Policy and Standards developed for
by the practical concerns of a threat model, because the Mayo Clinic/Foundation provide one model ex-
costs and user inconveniences rise sharply with ample of a clear institutional security policy state-
harsher security implementations. ment.27As an example of an approach to policy set-
“Inside attacks,“” the most routine kinds of security ting, Columbia-Presbyterian Medical Center (CPMC)
transgressions, represent one example of a threat con- hired external consultants to facilitate security policy
cern. Such attacks are committed by persons who are development for its Integrated Advanced Information
legitimate system users with privileges but who abuse Management System project.6 After 24 meetings with
their privileges in search of gossip material, or for 80 people from numerous departments that spanned
other personal or financial motivations. The monetary two institutions, 14 overlapping topic areas for which
value of health data obtainable on most individuals, policy development was needed were identified:
however, is relatively low (unlike some financial data
or military secrets), so it is reasonably safe to assume 1. User authentication-issues relating to the iden-
Journal of the American Medical Informatics Association Volume 3 Number 2 Mar / Apr 1996 141

tification of a user to the system and the ways in system audits and auditability, intrusion detection
which the system might know that a user is who and notification of intrusions, and detection and
they claim to be. notification mechanisms for other types of secu-
rity problems.
2. Physical security of data center sites-issues re-
lating to the physical access to computer hard- 12. Network security-issues relating to the security
ware; theft prevention; backup and disaster recov- management of computer networks and the
ery; and the security of sensitive terminal movement of data over such networks, including
locations, such as console or control, and of pub- the security of bridges and routing equipment, the
licly accessible terminals. passing of authorization tokens, data encryption,
electronic signatures, and nonrepudiation of mes-
3. Access control to system resources-issues of the sages.
physical devices and logical mechanisms, such as
computer programs, that control accessto system 13. Informed consent- issues related to the use of
resources. medical information collected about patients and
obtaining consent from patients for desired and
4. Data ownership- issues of who wm own which potential uses of medical data.
data, the delegation of authority over data, and
enunciation of the duties and responsibilities of 14. Education of users-issues related to the educa-
data ownership. tion of users regarding their responsibilities as
system users and the risks conjured by their ac-
5. Data protection policies-issues of minimally ac- tions, including activities on the system and de-
ceptable and consistent protections to be afforded grees of nonvigilance.
by systems crossing organizational and functional
boundaries, anticipated implementation barriers From these 14 areas, a list of 65 policy items needing
to those protections, and the punitive measures definition were identified. These items were then
for organizational members abusing system ranked, resulting in a list of l.7 urgent actions. Of par-
privileges. ticular note, the number one action item was to estab-
6. Building security into systems-issues of how to lish a mechanism for making institutional policy.
assure that security requirements are addressed in
central and local participating systems, how to PrivacyandConfidentialltyIn HealthCare
partition security responsibilities between central
and local systems, and how to assure that security The relationship between health care provider and pa-
requirements remain satisfied as systems are mod- tient is one characterized by intimacy and trust, and
ified or expanded. confidentiality is embedded at least implicitly in
patient-provider interactions. The notion of confiden-
7. Security of hard copy materials-issues of how to tiality in health care has a strong professional tradi-
prevent security breaches from paper copies of tion that has suffered progressive erosion due to third-
sensitive electronic documents and data. party reimbursement schemes, managed care and
8. Systems integrity-issues related to the accuracy other health care organizational structures, and the
and reliability of system data, and the integrity perceptions and culture of professionals within mod-
and reliability of physical computer and network em health care systems.” One third of medical pro-
systems. fessionals have indicated that information is given to
unauthorized people “somewhat often.38
9. User profiles -issues related to defining user
types and roles that serve to distinguish the func- Unfortunately, information privacy has an incomplete
tional needs and security levels of users. and inconsistent legal basis.15,28
Federal law prohibit-
ing information disclosure pertains only to informa-
10. Legal and liability issues-issues relating to the tion associated with federal agencies, not to informa-
uses and misuses of the system that involve po- tion held in the private sector or by state and local
tential liabilities or legal concerns for participating governments. Most states have laws that address at
organizations, including protections under exist- least minimally the privacy of medical records but do
ing computer crime laws, liabilities when a record not consistently recognize computerized records as le-
is compromised, and requirements for user pen- gitimate documents.
alties under union contracts.
One reason for the difficulty in setting policy is that
11. Problem identification and resolution-issues of the legal concept of privacy is relative and shifts from
142 BARROWS, CLAYTON, Privacy, Confidentiality, and Medical Records

time to time to reflect the public versus private inter- 1. Strict limits on accessand disclosure must apply to
ests of society? Consider, for example, current airline- all personally identifiable health data, regardless of
passenger and baggage-inspection policies compared the form in which the information is maintained.
with those of 30 years ago, and laws that require the
reporting of infectious, especially sexually transmit- 2. All personally identifiable health records must be
ted, diseases. In addition, privacy is partly in the eye under an individual’s control. No personal infor-
of the beholder, and an intrusion of privacy perceived mation may be disclosed without an individual’s
by one person may be considered as a convenience by uncoerced, informed consent.
others (targeted marketing, mail-order catalogs, solic- 3. Health-record information systems must be re-
itations by insurers and service-providers of preven- quired to build in security measures to protect per-
tive health, and so forth). sonal information against both unauthorized access
In a 1993 survey, 80% of persons believed that con- and misuse by authorized users.
sumers had lost control over information about them- 4. Employers must be denied access to personally
selves.% EMR developers should strive to maintain identifiable health information on their employees
the confidentiality of personal health information to and prospective employees.
foster public trust in information systems that hold
promise for improving health care quality and de- 5. Patients must be given notice of all uses of their
creasing the costs of care. For their own benefit and health information.
the benefit of society, patients should not be made ret- 6. Individuals must have a right of access to their
icent in sharing medically relevant information with
own medical and financial records, including rights
health care practitioners. to copy and correct any and all information con-
The goal of strict information privacy conflicts with tained in those records.
goals of optimal patient care, however, as well as with
medical research, public health, and social policy, all 7. Both a private right of action and a governmental
of which may require access to patients’ confidential enforcement mechanism must be established to
m$dical records without their explicit knowledge or prevent or remedy wrongful disclosures or other
consent. In addition, health care providers have a misuse of information.
working need for high data availability and are intol- 8. A federal oversight system must be established to
erant of cumbersome security procedures. For in- ensure compliance with privacy laws and regula-
stance, when access hurdles are too steep, logon ses- tiOIlS.
sions and passwords may be shared among providers.
Because the use of information technology in health Pending federal legislation with bipartisan support
care is still relatively new and not yet ubiquitous, (the “Bennett Bill”)” seeks to implement recommen-
there is generally too little awareness of the risks con- dations to protect the confidentiality of medical infor-
jured by such actions. mation and to guarantee access to patients of their
Technically, the confidentiality medical records in own health data, with the hope that such measures
computers can be maintained proactively by both will promote a health-information infrastructure. The
access-control mechanisms and audit trail logs (dis- bill has drawn sharp criticism, however, from con-
cussed below), which can be inspected proactively sumer-rights advocacy groups like the ACLU due to
or in response to suspicious events. Other mecha- lack of patient controls over how personal health in-
nisms for assuring confidentiality include the edu- formation may be used and disseminated, particularly
cation of EMR users regarding security concerns, regarding the compilation of health information
professional responsibilities, and personal account- within certified “health information services.“37
ability; time-outs on system terminals; hard-copy con- The Joint Commission on Accreditation of Health Or-
trol; clear policies; and consistent disciplinary actions. ganizations has begun to demand that patients’ rights,
Human factors, however, such as errors, negligence, security policies, and information-management stan-
and unethical activities, can result in breaches of dards be addressed in more explicit ways?’ The 1995
confidentiality despite optimal security implementa- standards proposed significant new requirements in
tions. these areas. Jn recognition that most health care or-
Accordingly, the American Civil Liberties Union ganizations are not yet able to meet those standards,
(ACLU) believes that a privacy policy for health in- the 1996 version downsized the information manage-
formation should be based on the following princi- ment chapter by more than 70 requirements,~ with
ples? the stated intention of a more gradual deployment.
Journal of the American Medical Informatics Association Volume 3 Number 2 Mar / Apr 1996

DataOwnershipand LegalAccountabilty record identifies a confidential source of information


about the requesting patient.41
Data ownership is a legally complex issue. Ownership
of a medical record is at best a limited right that is Useof MedicalData
primarily custodial in nature, and information con-
tained in the record is often characterized as the pa- The established primary uses of medical records are
tient’s property.16 Any immediate and clear legal as- in providing health care, paying for it, and assuring
signment of electronic health data ownership, from its proper delivery. Secondary uses of medical data
which may follow assignment of responsibility, does include those made by various business and govern-
not appear likely. All parties who are entrusted with mental organizations such as life and auto insurers,
health data, both the movers and the users, should employers, licensing agencies, public health agencies,
reasonably be considered as stewards of that data, the media, medical researchers, educational institu-
and may be held liable for irresponsible acts and tions, rehabilitation and social welfare programs, and
breaches of confidentiality. uses for legal purposes. Responsibility for the protec-
tion of patient privacy and the confidentiality of com-
InformedConsentto Disclosure puterized medical information must extend to these
secondary users. Institutional policy should dictate
An informed consent to disclosure of information typ- how patient data may be. used and to whom infor-
ically requires that the patient: mation will be released.
When electronic records are used for research, valid
1. Be told what information is to be disclosed. epidemiologic studies may be conducted using aggre-
2. Understand what is being disclosed. gates of nonidentifiable patient data. The Bennett Bill
requires specific patient authorization when such
3. Is competent to provide consent. “scrubbed” data are inadequate.41 In addition, en-
4. Consents willingly, free from coercion. crypted patient identifiers might provide acceptable
research results and still adequately protect patient
Implementation of the doctrine of informed consent privacy.
to disclosure involves many potential difficulties, and
“informed consent,” as it pertains to the typical uses
of health care data, is arguably a misnomer. Infirm or
confused patients cannot meaningfully sign an in- Originators of the few landmark computer-based pa-
formed release, and no informed release specifically tient-record systems have grappled with the afore-
covers all potential or desired uses of medical data mentioned conflicting goals of security and function-
that may be collected on an individual. Also, patients ality in health care systems.7’40Usually, systems use
are coerced into giving up personal rights to confi- some form of password security for user authentica-
dentiality when they apply for insurance or sign a tion, and user-specific or role-specific menus may be
hospital waiver that allows medical information to be used to implement further limitations on access.How-
shared. In recognition of such concerns, a general re- ever, standard password access controls do not pre-
lease of medical information in New York state no vent insider threats and are not helpful when authen-
longer applies to HIV data. Finally, patients are typi- tication has been compromised.
cally asked to authorize disclosure of medical infor-
In addition, tight accesscontrol at the level of the type
mation, yet only about half of the states guarantee a
patient’s right to see his or her own medical record. of user, computer application, or patient fails in crit-
ical ways in the health care environment.9’10 Sensitive
Traditionally, patients have difficulty gaining accessto data (i.e., mental health data or HIV status) are often
their own records, and without knowledge of what is among the most important items necessary to take
contained in the record, consent for disclosure cannot care of a patient. This is the information that may
be fully informed. The position of the American need to be made available and shared among numer-
Health Information Management Association reflects ous care providers and ancillary health personnel.
a balance of opinion and states that an EMR requires Most often, numerous persons at multiple levels in
that patients have greater accessto their own medical multiple roles (medical students, residents, nurses,
record.5 The proposed Bennett Bill would guarantee therapists, dietitians, social workers, administrators,
that right, except when disclosure might endanger the consultant physicians, covering physicians, and a pri-
life or safety of any individual, or information in the vate or personal “attending” physician) are routinely
144 BARROWS, CLAYTON, Privacy, Confidentiality, and Medical Records

involved in a patient’s care, and it is difficult to pre- message warning that all user activities are recorded.
dict which person in which role will validly need ac- A similar approach at Boston’s Beth Israel Hospital,
cess to a person’s health record at some particular along with a system utility that allows users to review
time. Provisions for emergencies, when none of the the names of persons who have looked at their elec-
patient’s usual care team is around, must also be tronic record, was reported to effectively deter “in-
made. Thus, in an EMR setting, prohibition of access sider” abuse of system privileges.”
by most medical users to most data on most patients
is often not practical. For this reason, clinical system Cryptography
pioneers have usually allowed all clinical personnel
access to the computerized medical record of all pa- Cryptographic techniques applicable to the goals of
tients in a hospital, and often to the records of patients privacy, integrity, and accesscontrol have not yet been
not in the hospital as well (i.e., records of discharged significantly deployed in the health care environment,
patients or their ambulatory care, or both). and experience is needed before establishing that they
Improved multilevel and role-based accessmodels for could provide security solutions compatible with the
health care that better accommodate user needs are diversity of health care needs.”
under development.8,12,22,23 A “need-to-show” model As a trivial example of an encryption cipher, the fa-
(versus the military “need-to-know” multilevel secu- mous Caesar Cipher uses a “shift-by-three” rule, so
rity model) and its supportive technical platform have that every “A” in a message is replaced by a “D,”
been proposed, with the specific intention of extend- every “B” by an “E,” and so forth. The algorithm is
ing the notion of individual professional accountabil- said to have been used by Julius Caesar to encode
ity for health data to interaction with information sys- communications with his generals via human messen-
tems.29 Such accountability may help discourage gers whom he did not trust. Many more complicated
information sharing across unauthorized informal hu- and secure mathematical algorithms for encryption
man networks,” a problem that is difficult to address exist. Private-key, or “secret-key,” encryption depends
by technology on a number or string of characters that is shared only
between the communicating parties and is used by an
The determination of how much effort should go to-
encryption algorithm to encode and decode the mes-
ward authenticating a person is a matter of institu-
sage. The exact ,encryption algorithm need not be a
tional policy. User identifiers with password authen-
secret. The best ‘known such encryption algorithm is
tication are often employed, but other technical
DES, mentioned above. A main problem with private-
solutions, such as biometric authentication by mor-
key encryption protocols is that communicating par-
phometric hand measurements or voiceprints, system-
ties must somehow securely share and use the “se-
synchronized random-number generating cards, and
cret” key
passphrase-encrypting smartcards, are more expen-
sive, but they may be more effective alternatives when The use of public-key encryption can avoid some of
deemed compatible with policy considerations. the pitfalls of the need to share a secret key by making
use of a mathematical technique that creates an
As an example of an approach to access control, the “asymmetrical cryptosystem,” that is, the keys to en-
CPMC Clinical Information System (CIS) implements code and decode a message are different but inti-
an access-control matrix with one axis representing mately linked, so that they are, in effect, functional
user roles (attending physicians, residents, medical inverses of each other and can only be used together.
students, hospital nurses, clinic nurses, various types In public-key cryptography, one key is published, and
of technicians, and so forth) and the other axis rep- the other remains private to a user. To send a secret
resenting data types (laboratory data, radiology re- message, the sender obtains the recipient’s public key
ports, discharge summaries, demographic informa- and uses it to scramble the message, which the recip-
tion, and so forth). We defined 68 user types and six ient can decode with his or her private key. In addi-
classes of data. Departmental leaders make the deter- tion, the creator of a message or document can “sign”
mination of access privileges for each user type, sub- it by encoding a piece or algorithmic “digest” of the
ject to the approval of the hospital medical board. document with his or her secret key, so that anyone
Users receive a menu of options specific for their de- can then verify the “signature” by decoding it with
fined access privileges. Login screens remind users the signer’s published key.
that information is limited to legitimate medical pur-
poses and that misuse can lead to dismissal as well The New York State Community Health Management
as civil and criminal penalties. Access to data on VIPs Information System (NYSCHMIS) Confidentiality and
and hospital employees invokes an additional screen Data Security Policy says:
Journal of the American Medical Informatics Association Volume 3 Number 2 Mar / Apr 1996 145

All data collected into or handled through the from leaving an EMR site, or can impose an extra
repository and defined as ‘deniable’ (identifia- layer of password security on authorized users.
ble) . . . shall be encrypted, both when being
transmitted through the network or if written to
a local system. Software and/or hardware shall Reilabilty, Redundancy,
andSystemBackups
be supplied with secure algorithms which will
encrypt/decrypt all such sensitive data.32 As discussed above, threat models should consider
potential “attacks, ” whether accidental or intentional,
For practical purposes, due to the imbedding of sen- on the integrity and availability of health data. Hard-
sitive data in text documents, we recommend that all ware or software failures, including “denial-of-ser-
health data in an EMR environment be encrypted vice” attacks, can cause downtime or loss of vital
when transmitted over public or insecure channels health care data for EMR users. The reliability of EMR
and when residing on storage devices in local ma- systems and data should be considered a security con-
chines. cern and should be covered in security policy and sys-
The Massachusetts Institute of Technology’s Kerberos tem management activities, usually through mecha-
is a secret-key cryptographic protocol for the provision of authentication and authorization services in a distributed environment. Although its use has been outlined for the health care setting, it has not been implemented. Public-key cryptographic protocols have been proposed to address the need for a patient identifier that is universal (across institutions and states).36 Software tool kits for the secure transmission and archiving of files by medical applications are beginning to appear. In the near future, vendor products will supply encryption technology embedded within computer systems for health care. Until then, EMR developers are forced to create their own implementations of well-known and secure cryptographic algorithms and protocols.35

Data Integrity

Electronic patient data can be assumed valid based on software testing and verification, access-control mechanisms, and error-checking protocols used in data transport, or they can be additionally authenticated as valid with digital signatures, as discussed above. Most lapses in data integrity will continue to be due to human error and to malfunctions or "bugs" in medical computer systems.

Firewalls

Firewalls are computers that are positioned between a site's internal network and an unsecured public network, such as the Internet, and may be useful at EMR sites. Firewall computers are configured to monitor and regulate the messages passing into and out of a site's private network and so can prevent unauthorized users from entering local computer systems from the outside, or can prevent particular programs and services from operating through the firewall. Such functionality can help protect private information [...] mechanisms that support data redundancy and system backups.

Audit Trails

Primarily because of limitations on the applicability of access-control methods in health care, the audit trail has become a critical tool for managing issues of data security. In any large computing environment there is a significant risk for misuse of the system by authorized users. For this reason, the audit trail has become an important reactive security mechanism and is often used for post hoc detection of security violations and for support of disciplinary actions.

For example, at CPMC, the CIS records both the identity of any individual who looks at patient data and the type of data accessed. In one illustrative instance, a resident physician (physician in specialty training) in obstetrics harassed a nurse about being pregnant before the nurse had announced her pregnancy to any individual. The nurse complained, and review of audit-trail data showed that the resident physician had indeed looked at the nurse's test results; because this access was without a valid "need to know," it led to an official reprimand.

One problem with audit-trail data is that the data are typically far too voluminous for human processing. "Level C2" is a U.S. Department of Defense computer security classification requiring auditing and the unavailability of encrypted passwords, and a level C2 audit mechanism for a multiuser system can fill 1 gigabyte of disk space within an hour.25 One published prototype system generated 7 megabytes (MB) per day per average user, and up to 136 MB per busy user. The CIS audit-trail logs as implemented at CPMC fill about 100 MB of disk space per month. Typically, 95% of audit data are of no security significance, and use of the data accumulated in security audit files is at best minimal. Extraneous data in the
files obviously makes it harder to detect suspicious behavior, especially that which might be detected by complex relationships between the data features, something particularly difficult for humans to discover.

Automated reduction and analysis tools for audit-trail data could help immensely, but their availability has been limited. Frank discusses data-reduction methods for intrusion detection and gives an example of selection methods used to identify a subset of data features that best classify some audit data.25 Systems that implement some kind of automated analysis of audit-trail data are a relatively recent development. Early approaches to audit-trail analysis only categorized threats as due to internal versus external penetrators, but the current goal is to identify threats by any users or processes that attempt an illegal action within their authorized boundaries (abuse of system privileges), or that attempt an action not within their authorized boundaries (exceeding system privileges), as well as any action by unauthorized system users, such as intruders that masquerade as authorized users or otherwise evade system authentication and security controls.26 Later models for performing intrusion detection have used statistical user profiling or expert-system techniques that examine the deviation of actual user behaviors from anticipated or usual behaviors on the system.

One way to distinguish intrusion-detection methods is based on the type of intrusion: anomaly detection versus misuse detection. Misuse detection involves well-defined patterns of intrusion that exploit weaknesses in software and can be detected directly. Because it searches for known vulnerabilities, misuse detection is of little use in detecting new or unknown intrusive behaviors. Anomaly detection depends on unusual behavior or unusual use of system resources, and it seeks to detect the complement of normal behavior. In general, intrusive activity is expected to be some subset of anomalous activity; however, intrusive behavior does not always coincide with anomalous behavior and might be accomplished as the sum of individual nonanomalous activities.

Nine developed intrusion-detection tools are reviewed by Marshall.4 Most of these systems perform both anomaly and misuse detection. Statistical techniques lend themselves to anomaly detection but are inadequate to detect all types of intrusions and do not prevent users from gradually training their usage profiles, so that activity previously considered anomalous might be regarded as normal. Expert systems and model-based techniques lend themselves to misuse detection, but specification of the orderings on facts, for the pattern matching of events, has been deleteriously inefficient.30 Thus, in the best systems, anomaly and misuse detection methods complement each other.

Each system is, however, of necessity somewhat ad hoc and custom designed. Few systems are general or flexible enough to be easily portable or adaptable. More generic systems, capable of reuse and retargeting, are likely to be inefficient or of limited power. Also, the cost of building an intrusion-detection system is high and requires specialized knowledge input from system and security experts who can make an appropriate choice of statistical metrics and can specify expert rules. Moreover, testing and validation of intrusion-detection systems are difficult, because potential attack scenarios can be difficult to simulate, and the lack of a common audit-trail format precludes easy comparisons between the performance of existing systems on common attack scenarios. Consequently, no commercially available audit-analysis tool kit exists, and there is as yet no known application of software tools for audit analysis in the health care sector. The idea, however, was discussed by Shea and colleagues9 and is apparently under active implementation in the European community.26

A Comparison of the Paper and Electronic Record Environments

Many security issues discussed to this point can apply to paper-based as well as electronic records. The most obvious new risk factor afforded by electronic records is also the benefit that pushes us toward the electronic format: enhanced convenience of accessibility and distribution of health information. A related and potentially troubling capability is the ability to query for a population of patients who have a common feature (such as the same surgeon or a particular test result). Any risks of an electronic breach of security must be weighed against analogous risks and recognized disadvantages of paper record systems. Electronic records are arguably more secure if the proper policies and best available technologies are in place. For example, paper medical records do not allow one to obtain an accurate audit trail of who has seen the record and what portions of the record were accessed. Also, the use of paper records makes it difficult to restrict certain classes of users to see only particular types of information. Paper records are easily altered by removal or substitution of documents, but an electronic document signed with an encrypted digital signature is much more difficult to alter. The paper record can be in only one place at a time, whereas the
same information in electronic format can be available to multiple users simultaneously. Also, the content of the computer-based medical record can be presented in a clearly organized and legible fashion, so that caregivers will more likely respond to important information. In a paper-based environment, real-time rule-based suggestions and warnings cannot be generated when standards of health care are missed. Also, costs may soon favor the use of electronic record systems. For example, at CPMC, the cost to find and pull a paper record from the file room for doctors, for just a single patient visit, has been estimated to be between $5 and $10. In contrast, we estimate that the total cost for the creation and lifetime maintenance of an electronic record for our patients is between $25 and $50. Thus, substantial advantages to the electronic record exist, and it seems prudent to move ahead with implementations of electronic records, including the policies required to guide the application of available security technologies.

Conclusion

Although security concerns surrounding health data in EMR environments are justified, solutions are surmountable with currently available technologies. In the banking industry, analogous security implementations have allowed greater personal convenience, including access to personal bank accounts from a choice of locations and at all times of day, without security compromises. Although neither automatic bank tellers nor electronic medical records are free from instances of abuse, implementation of available protocols for electronic systems probably provides better security than the security measures that are used in analogous manual systems. In any security system, the weak links are most likely to be human.

A major challenge will be that of enticing developers, who are eager for working medical computer applications, to make the financial and time investments in designing and building adequate security features into their systems. Institutional policies will be a key stimulus in this regard. Chief financial officers will likely come to regard security investments as insurance policies: although we must pay for the policies, we are pleased when there is no need to file a claim. A more formidable barrier than security requirements to the implementation of sharable records in an EMR environment is the current lack of convenient and acceptable ways to acquire data from patients and providers in an electronic format. Security issues should not deter progress toward solving this more substantial problem.

References

(Sorted Chronologically by Year and Alphabetically by First Author within Each Year)

1968

1. Curran WJ, Stearns B, Kaplan H. Privacy, confidentiality and other legal considerations in the establishment of a centralized health-data system. N Engl J Med. 1968;281:241-8.

1987

2. Picciotto J. The design of an effective auditing subsystem. Proceedings of the 1987 IEEE Symposium on Security and Privacy. Washington, DC: IEEE Computer Society Press.

1990

3. Brannigan V, Beier B. Standards for privacy in medical information systems: a technico-legal revolution. In: Miller RA, ed. Proceedings of the Fourteenth Annual Symposium for Computer Applications in Medical Care. Los Alamitos, CA: IEEE Computer Society Press, 1990:266-70.

1991

4. Marshall VH. Intrusion detection in computers: a summary of the Trusted Information Systems (TIS) Report on Intrusion Detection Systems (TIS report #348). McLean, VA: Booz, Allen & Hamilton, January 29, 1991.

1992

5. American Health Information Management Association. Position Statement. Chicago: AHIMA, March 1992:1.
6. Clayton PD, Sideli RV, Sengupta S. Open architecture and integrated information at Columbia-Presbyterian Medical Center. MD Comput. 1992;9:297-303.
7. Murphy G. System and data protection. In: Ball MJ, Collen MF, eds. Aspects of the Computer-based Patient Record. New York: Springer-Verlag, 1992:201-13.
8. Orr GA, Brantley BA. Development of a model of information security requirements for enterprise-wide medical information systems. In: Frisse ME, ed. Proceedings of the Sixteenth Annual Symposium for Computer Applications in Medical Care. New York: McGraw-Hill, 1992:287-91.
9. Shea S, Sengupta S, Crosswell A, Clayton PD. Network information security in a Phase III Integrated Academic Information Management System (IAIMS). In: Frisse ME, ed. Proceedings of the Sixteenth Annual Symposium for Computer Applications in Medical Care. New York: McGraw-Hill, 1992:283-6.

1993

10. Bakker AR. Security in medical information systems. In: van Bemmel JH, McCray AT, eds. Yearbook of Medical Informatics. New York: Schattauer, 1993:52-60.
11. Gostin LO, Turek-Brezina J, Powers M, Kozloff R, Faden R, Steinauer DD. Privacy and security of personal information in a new health care system. JAMA. 1993;270:2487-93.
12. Henkind SJ, Orlowski JM, Skarulis PC. Application of a multilevel access model in the development of a security infrastructure for a clinical information system. In: Safran C, ed. Proceedings of the Seventeenth Annual Symposium on Computer Applications in Medical Care. New York: McGraw-Hill, 1993:64-8.
13. Lincoln TL. Privacy: a real-world problem with fuzzy boundaries. Methods Inf Med. 1993;32:104-7.
14. Lunt LT. A survey of intrusion detection techniques. Comput Security. 1993;12:405-18.
15. U.S. Government, Office of Technology Assessment. Medical Privacy Report, 1993. Chapter 1: Introduction, Summary and Options. Washington, DC, 1993.
16. U.S. Government, Office of Technology Assessment. Medical Privacy Report, 1993. Chapter 3: Computerized Health Care Information. Washington, DC, 1993.
17. U.S. Government, Office of Technology Assessment. Medical Privacy Report, 1993. Appendix A: Selected Topics in Computer Security. Washington, DC, 1993.

1994

18. American Civil Liberties Union. Toward a New Health Care System: The Civil Liberties Issues. An ACLU Public Policy Report (ISBN 0-914031-24-4); New York, February 1994.
19. Barber B, Bakker A, Bengtsson S. Conclusions and recommendations. Int J Biomed Comput. 1994;35(suppl 1):221-9.
20. Bengtsson S. Clinical requirements for the security of the electronic patient record. Int J Biomed Comput. 1994;35(suppl 1):29-31.
21. Bleumer G. Security for decentralized health information systems. Int J Biomed Comput. 1994;35(suppl 1):140-5.
22. Brannigan VM. A framework for "need to know" authorizations in medical computer systems: responding to the constitutional requirements. In: Ozbolt JG, ed. Proceedings of the Eighteenth Annual Symposium on Computer Applications in Medical Care. JAMIA. 1994 suppl:392-6.
23. Dargahi R, Classen DW, Bobroff RB, et al. The development of a data security model for the collaborative social and medical services system. In: Ozbolt JG, ed. Proceedings of the Eighteenth Annual Symposium on Computer Applications in Medical Care. JAMIA. 1994 suppl:349-53.
24. France FH, Gaunt PN. The need for security-a clinical view. Int J Biomed Comput. 1994;35(suppl 1):189-94.
25. Frank J. Artificial Intelligence and Intrusion Detection: Current and Future Directions. Davis, CA: Division of Computer Science, University of California-Davis, June 9, 1994.
26. Hayam A. Security audit center-a suggested model for effective audit strategies in health care informatics. Int J Biomed Comput. 1994;35(suppl 1):116-27.
27. Information Security Subcommittee, Mayo Clinic/Foundation. Data Security Policies and Standards; September 1994 (provided by Dr. Christopher D. Chute, Section of Medical Information Resources, Mayo Clinic/Foundation, Rochester, MN).
28. Institute of Medicine. Confidentiality and privacy of personal data. In: Donaldson MS, Lohr KN, eds. Health Data in the Information Age: Use, Disclosure, and Privacy. Washington, DC: National Academy Press, 1994.
29. Kowalski S. An accountability server for health care information systems. Int J Biomed Comput. 1994;35(suppl 1):130-8.
30. Kumar S, Spafford EH. An application of pattern matching in intrusion detection. Technical Report CSD-TR-94-013. COAST Project, Dept. of Computer Sciences, Purdue University, West Lafayette, IN, June 17, 1994.
31. Lawrence LM. Safeguarding the confidentiality of automated medical information. Jt Comm J Qual Improv. 1994;20:639-46.
32. New York State CHMIS Executive Policy Committee. NYS CHMIS Confidentiality and Data Security Policy, Draft. Albany, NY, December 21, 1994.
33. Robinson DM. Health information policy: without confidentiality. Int J Biomed Comput. 1994;35(suppl 1):97-104.
34. Shea S. Security versus access: trade-offs are only part of the story. JAMIA. 1994;1:314-5.
35. Schneier B. Applied Cryptography. New York: John Wiley & Sons, 1994.
36. Szolovits P, Kohane I. Against simple universal health-care identifiers. JAMIA. 1994;1:316-9.

1995

37. American Civil Liberties Union of Massachusetts. Statement of opposition to S. 1360, the so-called "Medical Records Confidentiality Act of 1995." Boston, November 4, 1995.
38. Davis R. Online medical records raise privacy fears. USA Today. March 22, 1995:A:1,4.
39. Latham L. Network security, part 2: policy should come first. Inside Gartner Group This Week. April 26, 1995.
40. Safran C, Rind D, Citroen M, Bakker AR, Slack WV, Bleich HL. Protection of confidentiality in the computer-based patient record. MD Comput. 1995;12:187-92.
41. Senate Bill 1360: The Medical Records Confidentiality Act of 1995. 104th Congress, 1st Session.

1996

42. Paskavitz MR, ed. Briefings on the JCAHO. Information management (IM). Special Report Review and Analysis: 1996 JCAHO Standards. Marblehead, MA: Opus Communications, 1995; 16-18 (ISBN 1-885829-140).