Communications of the ACM

Security Issues For Implementation of E-Medical Records


As the electronic version of the patient medical record becomes more technologically advanced for the purposes of electronic billing, telemedicine, and worldwide data mining of health trends, the question arises as to who will be minding the store in the protection of the information contained in the record. Since telemedicine will encompass an international venue, standardization of the electronic medical record is necessary and prototypical models are being developed [5]. Confidentiality and security of a patient's health information have always been important, and with the ease of access afforded electronically, security will likely be more difficult to provide without advance planning [12].

Historically, the security of information systems (IS) has in many instances not been seriously considered until after a breach has occurred. In the mainframe era of centralized computing, security was given serious consideration and there was centralized control; in today's decentralized world of networked personal computers and workstations, security is a more complicated issue.

This issue is of increasing importance to everyone as our personal health care information becomes easier to access through modern electronic communications systems. The American Health Information Management Association has addressed confidentiality and security issues in a practice brief concerning telemedical records and recommends particular general actions to take [2].

It's not that security devices don't exist for these newer systems; it's as much a people-management issue as it is an issue of technological capabilities. Insurance companies, managed health care organizations, and even employers are interested in access to an individual's medical records in their attempt to reduce expenses. What should we be paying attention to as this technological advance moves forward? Implementation of a new technology requires thought on the parts of developers as early as in the analysis and design phases of successfully implementable health systems.

The actual technology of an electronic medical record seems to be falling into place. As the world moves more toward the use of telemedicine to preclude the movement of patients to more advanced facilities, the need for a fully functioning medical record is paramount. Nontechnical challenges remain, such as the legal issues pertaining to the sharing of data among enterprises and the subsequent responsibility for maintaining and protecting the data; who has responsibility for educating employees of these enterprises; the use of an electronic signature rather than the conventional handwritten signature currently used with paper medical records; who is ultimately responsible for possible security breaches within the organization; and standardization of security measures along with greater legal recourse should a breach occur. Another nontechnical issue is cost: will top management make the financial commitment to maintain and update the system in which the record resides?

Several key areas of potential management ignorance need to be mentioned and noted by system developers, analysts, and designers. A fundamental issue is that people may be naive to the potential threat of a security breach. Until a problem has been faced in some form or another, people may not be aware of its existence. Rather than experience the actual problem and suffer the often expensive consequences, a person could experience less damaging exposure to the problem, or preclude it completely, through appropriate education during the analysis process.

Education of management as well as the actual users of systems would serve two important purposes. It would serve to identify areas of concern for managers so they would have a heightened awareness of potential damage. Also, it would serve to offer prescriptive measures for alleviation (or at least minimization) of potentially damaging security breaches.

Security measures have two kinds of cost: money and operational ease. It costs more to have security than not to have it, and many security precautions hamper normal operations and therefore reduce the organization's operating efficiency. Management must weigh the cost of security against the loss of operational efficiency. Management may not be aware that this tradeoff can be measured, as it is in other areas of the firm; it is somewhat harder here because relatively precise values to plug into measurement models are difficult to obtain.

Calculating a cost/benefit ratio is also extremely difficult, and therefore is another managerial aspect to be considered. Calculating the value of health care IS in general is difficult, but calculating the effects of a potential loss of information from a security breach of the patient record is even more difficult. An estimate of the probability of a loss occurring as well as the dollar amount of the damage is a necessary procedure and the organizations of today rely heavily on the dollar value when making decisions on purchases.

The proliferation of personal computers is another factor that has made computer security even more difficult, with the concentration of information being decentralized into the hands of potentially naive users. These users could especially benefit from education. The primary problem that the user is unaware of has to do with the corruption of data. Appropriate safeguards must be utilized to protect existing data from being improperly altered. The responsibility for security measures must be borne increasingly by the end user. However, user apathy, laziness, politics, power, and so forth, cannot be ignored. Simply educating the user will not be enough. In many cases, management will have to regularly ensure the appropriate safeguards are used and system developers need to be aware of these user issues.

Many people assume that outsiders are responsible for the majority of damage that can occur with breach of IS security. Highly publicized violations of computer systems by external intruders have demonstrated the vulnerability of IS on a grand scale. However, even though these large-scale intrusions have occurred, it is a mistaken notion that this is the source of most of the security problem. The majority of security breaches occur on a more numerous, smaller scale from internal sources [9]. Rindfleisch [7] also identifies the internal security risks as accidental disclosures, insider curiosity, insider subornation (releasing health information to outsiders for revenge, spite, or profit), and uncontrolled secondary usage (support functions).

Another managerial factor to be considered is networks tend to be wide open systems with even more room for intentional and unintentional compromise of information transfer than conventional health IS. Management must realize this and educate themselves as well as the users as to the limitations in security on the network.

There is virtually no end to the effective countermeasures available for addressing the various security problems. The problem lies in incorporating the appropriate countermeasures into a system and utilizing them. The organization should be in a preventive frame of mind to protect the valuable information resource and should include security in the analysis and design phases of system development. Unfortunately, history indicates that security is not often taken seriously until after a serious breach occurs. Pending legislation may minimize this organizational tendency in the future.

At first glance, security would appear to be a rather innocuous entity, unworthy of much attention. Or so it appeared to the majority of organizations approximately 10 years ago. A survey of organizations indicated that 41% of the organizations had no security administration at all [3]. Various remedies have evolved to counter this organizational tendency in the health care industry.

The Data Protection Act of 1984 was passed in the U.K. and requires hospitals in a telecommunications network to take appropriate security measures when handling computer-generated information [11]. In the U.S., the proposed Fair Health Information Practices Act of 1994 was designed to restrict the use of personal health information, which should help lessen the security burden [10]. In 1995, the Computer-based Patient Record Institute published guidelines for establishing information security policies indicating that every organization that creates, uses, stores, or communicates personally identifiable health care information has a legal and ethical responsibility to preserve the privacy and integrity of that information [6]. These acts and guidelines have hopefully alerted health care organizations not to follow the lead of their general IS predecessors, but have they produced enough incentive for the modern health care enterprise to actually 'do the right thing'?

Perhaps the most organizationally-motivating law that has been passed, in part to insure privacy protection and also containing security and confidentiality ramifications, is the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This act also includes a provision to simplify health care administration. Included in this provision is a framework for the way health care entities will electronically maintain, transmit, and protect data. HIPAA requires that the Department of Health and Human Services (HHS) adopt security standards utilizing this framework. In response, HHS published a notice of proposed rule-making on August 12, 1998 concerning standards for the security of individual health information and electronic signature use [1]. Mandatory compliance with the various components of the final regulation is currently scheduled for 2002 and 2003 although many health care provider and payer organizations are pushing the U.S. Congress for a longer phase-in period.

Health care IS managers are becoming more aware of security issues as highly publicized security breaches occur. The only problem with this is that the most widely publicized breaches are from an intentional intruder to a particular system. In reality, much more damage is done every day through unintentional activity. Such areas as data integrity safeguards are often overlooked as being truly security safeguards. But security of data and information from threats from any source needs to be addressed by health systems managers. Unless management is aware of the entire picture, they will continue to be one step behind the next security breach.

It is the responsibility of top management of a health care organization to institute a security administration program and to oversee and ensure its implementation. HIPAA may help because it essentially requires that such a program exist. How a particular system interconnects with existing systems, what future use the system will have, and who will ultimately use the system are all questions that should be addressed at the top level of the organization in conjunction with system vendors and developers. Only at the top can management see the big picture as it relates to the entire health care organization. Because the problems caused by security lapses in one department can have an organization-wide effect, top management must plan security into the system prior to the purchase. In addition, health care organizations will also be communicating information outside their own organization and will then be dependent on those enterprises for appropriate security safeguards. HIPAA also addresses the interchange of data and information between organizations by mandating that every organization comply with minimum security standards.

The Effect of Deterrence

Even when effective safeguards have been established to protect a system, the potential for invasion still exists. After all, employees must have some degree of access to the information in order to carry out the enterprise's mission. Various levels of access granularity must be assigned to particular individuals. The added threat of getting caught may further induce an individual not to attempt an act against the system. The simple use of security software does, in fact, cut down on computer abuse [3].
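One way to make the two points above concrete, as an added example that is not part of the original article: access is granted per role and per section of the record rather than all-or-nothing, and every attempt, allowed or denied, is written to an audit trail, which is what gives "the threat of getting caught" substance. The roles, record sections, the rule that a clinician may only open charts of assigned patients, and the sample users are assumptions made for illustration, not a description of any real system.

```go
package main

import (
	"fmt"
	"time"
)

// Role is a job function. Permissions attach to roles rather than to named
// users, so the level of access granularity is decided once per role.
type Role string

// Section is one part of the patient record that can be granted separately.
type Section string

const (
	RoleClinician Role = "clinician"
	RoleBilling   Role = "billing"
	RoleResearch  Role = "research"

	SecDemographics Section = "demographics"
	SecClinical     Section = "clinical_notes"
	SecBilling      Section = "billing"
)

// policy lists the sections each role may read. Anything not listed is
// denied (default deny). The assignments are illustrative assumptions.
var policy = map[Role]map[Section]bool{
	RoleClinician: {SecDemographics: true, SecClinical: true},
	RoleBilling:   {SecDemographics: true, SecBilling: true},
	RoleResearch:  {}, // assumption: research works from extracts, not live records
}

// User is a logged-in person. Assigned lists the patients a clinician is
// currently treating: a role alone should not open every chart in the
// hospital to casual browsing.
type User struct {
	ID       string
	Role     Role
	Assigned map[string]bool
}

// AuditEntry records every attempt, allowed or not. Denied attempts are the
// ones that show an insider probing what they should not see.
type AuditEntry struct {
	When    time.Time
	UserID  string
	Patient string
	Section Section
	Allowed bool
	Reason  string
}

// Gate is the single choke point through which record reads must pass.
type Gate struct {
	Log []AuditEntry
}

// Authorize decides and logs in one step, so there is no code path that
// reads the record without leaving a trail.
func (g *Gate) Authorize(u User, patient string, s Section) bool {
	allowed, reason := decide(u, patient, s)
	g.Log = append(g.Log, AuditEntry{
		When: time.Now(), UserID: u.ID, Patient: patient,
		Section: s, Allowed: allowed, Reason: reason,
	})
	return allowed
}

func decide(u User, patient string, s Section) (bool, string) {
	if !policy[u.Role][s] {
		return false, "section not permitted for role"
	}
	if u.Role == RoleClinician && !u.Assigned[patient] {
		return false, "patient not assigned to user"
	}
	return true, "ok"
}

// Denials returns the refused attempts grouped per user, the list a
// security officer reviews for insider curiosity.
func (g *Gate) Denials() map[string][]AuditEntry {
	out := map[string][]AuditEntry{}
	for _, e := range g.Log {
		if !e.Allowed {
			out[e.UserID] = append(out[e.UserID], e)
		}
	}
	return out
}

func main() {
	g := &Gate{}
	// Constructed sample users, not real people.
	doc := User{ID: "dr.lee", Role: RoleClinician, Assigned: map[string]bool{"p100": true}}
	clerk := User{ID: "clerk.a", Role: RoleBilling}
	g.Authorize(doc, "p100", SecClinical)   // allowed
	g.Authorize(doc, "p200", SecClinical)   // denied: not an assigned patient
	g.Authorize(clerk, "p100", SecClinical) // denied: billing may not read notes
	g.Authorize(clerk, "p100", SecBilling)  // allowed
	for user, entries := range g.Denials() {
		for _, e := range entries {
			fmt.Printf("%s denied %s/%s: %s\n", user, e.Patient, e.Section, e.Reason)
		}
	}
}
```

The design choice worth noting is that the decision and the audit record are produced by the same call: an access path that can bypass the log would silently remove the deterrent.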

The fact that the overwhelming majority of offenders of information systems are employees or ex-employees [3, 9] indicates that management must take special precautions with their systems, including overt punishment or dismissal. Appropriate education and security safeguards may help to minimize the unintentional types of damage but punishment and/or dismissal is needed for more serious, intentional violations. These dismissals should be made known to the rest of the organization. Very few instances of computer violation are reported because of management's mistaken impression that the publicity will encourage future crimes, when, in fact, the publicity would have a deterrent effect [2]. Management is missing out on an opportunity to use an effective tool of deterrence through lack of publicizing violations. Of course, managers do not want to bring attention to themselves either and may be afraid that publicity would reflect negatively on their job. This is another reason that top management should ultimately be responsible for the overall security plan.

As for outside intruders, legislation is slowly evolving to provide criminal and civil punishment to systems abusers. The Cable Communications Policy Act of 1984, which amends the Communications Act of 1934, provides for both criminal and civil penalties for unauthorized use of commercial networks. The Stored Wire and Electronic Communications and Transactional Records Access Act of 1986 also provides for criminal and civil liabilities in the cases of unauthorized use of systems.

Some cases have received widespread publicity concerning illegal use of computer systems, but prosecution and punishment have been slow in coming because of the relatively new and unique nature of computer crime, which relates to the misuse of a nonphysical electronic medium. Many states now have instituted a variety of statutes relating to punishment of computer crimes.

Publicity concerning the existence of security devices as well as the result if caught misappropriating information from a system also serves to deter potential offenders. Obvious security roadblocks rather than those hidden from the user will increase the awareness of the end user. User friendliness does have the cost tradeoff of a decreased deterrent effect but these, as well as other, tradeoffs must be seriously considered by the person assigned the organizational responsibility for security.

An Organizational Security Management Plan

Of importance to organizational administrators are the security measures outlined by HHS to which they must adhere. It will be a requirement for all organizations to assign the security responsibilities to a specific person or persons. Administrative procedures must be identified to facilitate security steps to protect information. Physical and technical safeguards must be identified and utilized by the organization. Each requirement has implementation features that must be met to demonstrate compliance. Education of all employees is necessary and will also be the responsibility of the organizational entity in charge of implementation of HIPAA.

Where does one start in implementing security for the electronic patient record, especially to be in compliance with HIPAA? Even before the systems analysis and design professionals begin to gather the security-related requirements, from a management point of view there are several key elements that should be incorporated into an overall security plan.

The plan should start with an examination of the security and privacy posture of the organization as a whole. A security review plan should be prepared, a business impact analysis of major systems should be conducted, and an operational impact analysis should be conducted to determine if each management function has adequate procedures and tools to detect and correct security violations.

After the results of this examination have been studied, security procedures should be established that are tailored to the needs of the organization. There should be a management emphasis on security awareness, periodic security and privacy checks, clear policies established for punishment, and self-audit and self-control functions established for each department [8].

An information security staff may be established to develop the program, supervise the implementation and training, and update security procedures. But because of apathy, politics, cost, and decreased ease of operation, the plan will face an uphill battle without the support and influence of top management, including the financial support that will be necessitated by HIPAA.

Part of the security plan should include local-area network (LAN) communications. There are five main issues involved [4]. First, adequate network planning of security during the project planning phase is imperative. To be as failsafe as possible, security should be designed into the system in the planning phase. Adding on security devices later is not always possible or practical. While assessing the compatibility and interconnectivity of systems in the planning phase, appropriate compatibility of security devices should be assessed simultaneously. For example, if system prototypes are going to be evaluated and feedback results incorporated into the final design specifications, system security safeguards should be prototyped as well and designed into the overall functioning requirements of the system.

Second, the level of LAN service must be determined, including such factors as media access control method (for example, contention versus token passing), transmission method (digital or analog; amplitude, frequency or phase modulation; and so forth), cable type (fiber optic is harder to tap than twisted pair or coaxial cable because a tap generally requires interrupting the cable, which is readily apparent at the receiving end; fiber can still be tapped without a break, so this is a deterrent rather than a guarantee), type of topology (bus, ring, or star), and network hardware and software to be utilized.

Third, sound network management must be ensured, including human resource management. As with regular information systems security, appropriate administrative safeguards including personnel authorization and screening must be instituted.

Fourth, the dangers from connections to sources external to the LAN must be recognized. The most secure network is only as secure as its weakest link, and if external systems are not secure, this will have a negative impact on the security of the LAN. With the advent of managed care organizations communicating with one another as partners, it is imperative to know what security safeguards are being employed whenever they have access to the LAN and patient record. A partner's communications systems could be the weak link in an organization's own system.

And finally, appropriate and controlled access to LAN data and programs must be established. This is accomplished through the personnel screenings mentioned earlier as well as data integrity and validity rules built into the software. For example, a zip code of other than five digits cannot be entered into the database without the user being warned, and an ill-formed communications address cannot be entered at all.
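An added example of such validity rules, not code from the article: every field of a demographics update is checked against a format rule, all violations are reported together, and the single write path refuses the update outright rather than storing it after a warning (the stricter of the two options the paragraph mentions). The record fields, the U.S. ZIP and phone formats, and the sample records are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Demographics is the small subset of the record this example validates.
// The field formats are assumptions (U.S. ZIP code, NANP phone number).
type Demographics struct {
	Zip   string
	Phone string
	Email string
	DOB   string // YYYY-MM-DD
}

var (
	zipRE   = regexp.MustCompile(`^[0-9]{5}(-[0-9]{4})?$`)
	phoneRE = regexp.MustCompile(`^[0-9]{3}-[0-9]{3}-[0-9]{4}$`)
	// Deliberately simple address shape: local part, one '@', dotted domain.
	emailRE = regexp.MustCompile(`^[^@ \t]+@[^@ \t]+\.[^@ \t]+$`)
)

// Validate returns every rule the record violates; an empty result means the
// record may be stored. Reporting all violations at once lets the user fix
// the form in one pass instead of being warned one field at a time.
func Validate(d Demographics) []string {
	var errs []string
	if !zipRE.MatchString(d.Zip) {
		errs = append(errs, "zip: must be five digits or ZIP+4 (NNNNN-NNNN)")
	}
	if !phoneRE.MatchString(d.Phone) {
		errs = append(errs, "phone: must be NNN-NNN-NNNN")
	}
	if !emailRE.MatchString(d.Email) {
		errs = append(errs, "email: not a usable address")
	}
	dob, err := time.Parse("2006-01-02", d.DOB)
	switch {
	case err != nil:
		errs = append(errs, "dob: must be YYYY-MM-DD")
	case dob.After(time.Now()):
		errs = append(errs, "dob: lies in the future")
	}
	return errs
}

// Store keeps records keyed by medical record number. Update is the only
// write path, and it rejects an invalid record instead of storing it, so
// nothing malformed reaches the database.
type Store struct {
	Records map[string]Demographics
}

func (s *Store) Update(mrn string, d Demographics) error {
	if errs := Validate(d); len(errs) > 0 {
		return fmt.Errorf("update for %s rejected: %s", mrn, strings.Join(errs, "; "))
	}
	s.Records[mrn] = d
	return nil
}

func main() {
	s := &Store{Records: map[string]Demographics{}}
	// Constructed sample input, not real patient data.
	bad := Demographics{Zip: "9021", Phone: "5550101234", Email: "nobody", DOB: "31/12/1970"}
	if err := s.Update("mrn-0001", bad); err != nil {
		fmt.Println(err)
	}
	good := Demographics{Zip: "90210-1234", Phone: "555-010-1234", Email: "pat@example.org", DOB: "1970-12-31"}
	if err := s.Update("mrn-0001", good); err == nil {
		fmt.Println("stored record with zip", s.Records["mrn-0001"].Zip)
	}
}
```

Keeping the rules next to the only write path, rather than in each screen that edits the record, is what makes them an integrity safeguard rather than a convenience: a user, a batch import, or a partner's interface all hit the same check.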

Wide-area networks (WANs) that transmit information outside the organization have features important to organizational security stemming from the inherent openness of the systems. Satellite links and nonsecure telephone and data lines are easily intercepted by intruders, and one of the only effective safeguards is encryption of data for transmission, so that an interceptor obtains unintelligible ciphertext rather than sensitive information. Authenticated encryption also lets the recipient detect any alteration of the data in transit, which a bare scrambling of the bits does not.
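The safeguard described above, as an added example that is not part of the original article: a serialized record is encrypted with AES-GCM before it leaves the organization, so an interceptor sees only ciphertext, and the authentication tag makes any modification in transit detectable. The example goes slightly beyond the paragraph in binding unencrypted routing metadata to the ciphertext. It assumes the two organizations already share a 32-byte key exchanged out of band; the record and routing strings are constructed samples.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Seal encrypts a serialized record under a 256-bit key with AES-GCM and
// returns nonce || ciphertext || tag. The fresh random nonce makes every
// message distinct; the tag lets the receiver detect any modification.
// aad is unencrypted routing metadata (for example the destination) that is
// bound to the ciphertext so it cannot be altered or swapped undetected.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. It returns an error and no plaintext at all if the key
// is wrong or the message or aad was changed in transit.
func Open(key, msg, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("message too short")
	}
	nonce, ct := msg[:gcm.NonceSize()], msg[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Assumption: both organizations already hold this key.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample record, not real patient data.
	record := []byte("MRN=0001;NAME=DOE,JANE;DX=I10;NOTE=BP 150/95, started lisinopril")
	route := []byte("from=clinic-a;to=clinic-b")

	wire, err := Seal(key, record, route)
	if err != nil {
		panic(err)
	}
	fmt.Println("plaintext visible on the wire:", bytes.Contains(wire, []byte("DOE,JANE")))

	// An intruder flips one bit; the receiver gets an error, not a corrupted record.
	tampered := append([]byte(nil), wire...)
	tampered[len(tampered)/2] ^= 0x01
	_, err = Open(key, tampered, route)
	fmt.Println("tampered message rejected:", err != nil)

	got, err := Open(key, wire, route)
	fmt.Println("intact message recovered:", err == nil && bytes.Equal(got, record))
}
```

Two caveats a practitioner should keep in mind: a GCM nonce must never repeat under the same key, so random 96-bit nonces are only safe for a bounded number of messages per key and keys should be rotated, and the hard part in practice is not the cipher but distributing and protecting the key between the organizations.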

System Analysis and Design Considerations

HIPAA allows organizations a grace period for compliance with the new regulation. However, it behooves the organization to begin planning early because there may be requirements that necessitate changes in existing hardware, software, and networking systems. Organizational managers must work with vendors to decide on strategies for implementation and maintenance of the required security standards. It is always best to design security in from the analysis phase of system development. However, there will always be changes after the fact that need to be addressed, and the standards required by HIPAA will need to be interleaved into existing systems.

In reality, system security is best included in the analysis phase of a project to ensure adequate protection. Because security devices can have a direct impact on the user, including security devices in prototypes would offer system users a realistic view of the potential impact of the devices. The problem is not really to find a solution, but rather to formulate the proper problem. With prototyping, the feedback process allows the proper problem to be formulated, and proper security precautions should be part of that formulation (the system analysis, in this case). Eliciting complete security requirements from users in the analysis phase is unlikely to occur: managers and end users tend not to include security requirements in a system when asked, unless they have experienced a security breach.

Further, it is important to note that system analysts must be more than just computer specialists. System security involves a distinct effect on productivity and efficiency and this must be taken into account when assessing which security devices may unduly affect human beings. Hence, analysts must educate themselves about the world of health care to some extent. Perfect security may have the tradeoff of severely limiting users in the accomplishment of their jobs—analysts must take this into account in the design of security into a system and invoke the appropriate tradeoffs when necessary.

Security devices are not always readily accepted by the user. Rather than simply incorporating a given device into the system and imposing it on the user, the analyst may choose a more effective approach in her or his role as a change agent. Eliciting the feelings of users concerning their activities and interactions may allow the change agent to address areas of user resistance constructively and further facilitate the actual use of security devices in the final product.

Conclusion

There are many technological and administrative tools available for the safeguarding of health information systems and the electronic patient record. But unless the tools are implemented, they are of no use. The appropriate management of security measures from the top echelon of a health care organization is imperative. As the reliance on IS grows in health care organizations the potential for financial loss and compromise of patient confidentiality also grows. It is of strategic importance for an organization to shield itself against the potential threat of loss of information. Top management must have a security plan that is tailored around the organization's business objectives. It is also important to emphasize the importance of including security evaluation in the analysis and design of health information systems.

References

1. Department of Health and Human Services. Security and electronic signature standards. Federal Register 63, 55 (Aug. 12, 1998).

2. Fletcher, D.M. Practice brief on telemedical records. Journal of the American Health Information Management Association (Apr. 1997).

3. Hoffer, J.A. and Straub, D.E. The 9 to 5 underground: Are you policing computer crimes? Sloan Management Review (Summer 1989), 35–43.

4. Jamieson, R. and Low, G. Security and control issues in local area network design. Computers and Security. (June 1989), 305–316.

5. Kilman, D.G. and Forslund, D.W. An international collaboratory based on virtual patient records. Commun. ACM 40, 8 (Aug. 1997), 111–117.

6. Kohl, D. Crossing the privacy minefield. Health Management Technology 16, 9 (Aug. 1995), 50.

7. Rindfleisch, T.C. Privacy, information technology, and health care. Commun. ACM 40, 8 (Aug. 1997), 93–100.

8. Scoma, L. Developing a healthy security posture. Journal of Information Systems Management (Winter 1986), 61–62.

9. Simpson, R.L. Security threats are usually an inside job. Nursing Management 27, 12 (Dec. 1996), 43.

10. Simpson, R.L. Ensuring patient data, privacy, confidentiality, and security. Nursing Management 25, 7 (July 1994), 18–20.

11. Stanberry, B. The legal and ethical aspects of telemedicine: Confidentiality and the patient's right to access. Journal of Telemedicine and Telecare 3 (1997), 179–187.

12. U.S. Congress, Office of Technology Assessment. Bringing Health Care Online: The Role of Information Technologies. OTA-ITC-624. September, 1995.

Author

Terry Huston ([email protected]) is an assistant professor at the University of Victoria in British Columbia, Canada.


©2001 ACM  0002-0782/01/0900  $5.00

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
