Additional Written Testimony for National Committee on Vital and Health Statistics
Subcommittee on Health Data Needs, Standards and Security
Input on Recommendations for Security Standards August 5, 1997

Ted Cooper, MD
Clinical Information System Consultant
Kaiser Permanente Medical Care Program-Northern California
1800 Harrison 10th Floor
Oakland, CA 94612
(510) 267-5659
ted.cooper@ncal.kaiperm.org

Introduction:

I appreciate the opportunity to provide a perspective from a health care delivery organization on the protection of health care information associated with the implementation of the Health Insurance Portability and Accountability Act of 1996. I am Ted Cooper, MD. I am an ophthalmologist at the Kaiser Permanente Medical Center in Redwood City, California. I have practiced there since 1973 and have served as department chief and assistant physician-in-chief. Since 1984 my primary responsibility has centered on The Permanente Medical Group's need for clinical information systems. Currently I chair the Kaiser Permanente Northern California Information Confidentiality, Privacy and Security Group. This group makes and implements policy on confidentiality, privacy, security, and access of all data and information.

I am an associate clinical professor of ophthalmology at the Stanford School of Medicine and the chairperson elect of the Computer-based Patient Record Institute.

Kaiser Permanente is the preeminent HMO in the United States. We have been delivering prepaid healthcare to our members as a public nonprofit health plan since 1946. The program is a group model HMO with the Permanente Medical Groups contracting for the delivery of healthcare services to Kaiser Health Plan members. Our national membership exceeds 7.9 million members in 18 states and the District of Columbia. It is the largest private healthcare delivery program in the United States with 90,000 employees and 9,400 full-time equivalent contracting physicians. In Northern California we care for over 2.5 million members and have a market share of just over one third of our service area's health insurance purchasing population. Northern California Kaiser Permanente owns 15 medical centers with hospitals, 30 medical office complexes, has over 3,500 full-time salaried physicians and employs over 35,000 staff. We store health care information in both paper and electronic records. Our on-line electronic health records occupy more than 330 GB of disk storage.

This written testimony provides information on:

  1. Health Care Information Security at Kaiser Permanente Northern California
  2. Superiority of Security and Confidentiality in Computer-based Health Records
  3. Concerns
  4. and Recommendations.

I wish to acknowledge the assistance of Sue Odneal, our Information Technology Security Administrator, in the preparation of this testimony.

 

Health Care Information Security at Kaiser Permanente Northern California

The Information Confidentiality, Privacy and Security Group (ICPSG):

In the summer of 1995 the Board of Directors of Kaiser Foundation Health Plan requested the CEO, Dr. David Lawrence, to address issues of confidentiality, privacy and security in Northern California. To accomplish this the Information Confidentiality, Privacy and Security Group was created and delegated this responsibility. The role and charter were communicated to all line management in the region.

The ICPSG announcement memorandum:

"Data security is an important consideration for everyone who uses confidential or proprietary information. It is critical that KPNCR comply with industry standards; JCAHO and other regulatory requirements; and audit recommendations for data and information confidentiality, privacy, and security. Additionally, we must increase the level of information security consciousness in our corporate culture. Therefore, the IT Process Sponsor Group has chartered the ICPSG to be responsible for these issues.

The Information Confidentiality, Privacy, and Security Group (ICPSG) will:

  1. implement ICPS policies, standards, and procedures compatible with local operational and business requirements,
  2. develop mechanisms for enforcing and monitoring compliance with ICPS policies, standards, and procedures,
  3. develop and implement Region-wide security awareness training programs."

Resources for security:

The Information Technology Security Department's staff was increased to support the ICPSG and the policies that resulted. There are now five full-time employees in this department. The department's reporting structure is currently in transition. It is anticipated that Information Protection will become a national activity reporting to a vice president in the Information Technology organization.

Resources were made available to participate in national organizations that were working in this area (e.g. the Computer-based Patient Record Institute and American Society for Testing and Materials).

How the ICPSG approached health care information security:

Members were recruited by reviewing the organizational structure and identifying the stakeholders with a security role in these areas. The individuals were selected on the basis of their ability to accomplish the items in the charter that were likely to affect their area. Members came from regional offices (healthcare informatics, IT security administration, operations, nursing administration, internal audit, occupational health, medical legal, human resources) and medical centers (physicians in internal medicine, psychiatry, and surgery, nurses, health information managers, IT support staff, chiefs of clinical information systems).

The committee members were educated on the issues of health care information confidentiality, privacy, access and security. We modeled our approach on the Computer-based Patient Record Institute Guidelines on Security, and would recommend them as a foundation for any organization. The committee was acquainted with the technology that we currently use to provide security. External security experts assisted in educating the ICPSG members and in developing a work plan.

The members came to understand that there is no completely secure solution for paper or electronic health care records and that more than information technology products and services are required to provide adequate protection. Top management, human resources, information technology services, line management and all staff must understand the basic policies, follow procedures and practice appropriate behaviors to accomplish this.

ICPSG Activities:

A formal plan was developed and resources were committed.

The primary aims of our security program are to provide:

  1. appropriate protection for health care information while making it readily available when and where providers of health care need it,
  2. an understanding of health information security issues to users of the electronic health record and their managers,
  3. and evidence to external agencies that we take appropriate measures for the protection of health care information.

An external firm was engaged to perform a security vulnerability assessment. This assessment included data processing operations and the health care delivery sites. This assessment exposed a number of vulnerabilities. The committee set the priority for addressing each.

All policies in this area were reviewed and revised. A number of additional policies were developed. Attached is the table of contents for our policies. The new and revised policies were distributed to line management via their stakeholder representatives on the committee. They were distributed electronically and in paper form and were posted to an on-line conference board so that they would be readily available to all staff at any of the 20,000 terminals in the region. The stakeholder representatives took responsibility for working out the details of implementation for their areas.

A number of these policies required procedures in the human resources arena. Procedures for which human resources took responsibility were:

  1. employee agreements to protect information,
  2. reaffirmation of the agreements as a part of employee evaluations,
  3. new employee training and orientation,
  4. and sanctions for violations of policy.

All employees and contractors are required to sign confidentiality agreements. We plan to amend the by-laws of our hospitals to make confidentiality agreements a part of the credentialing and recredentialing process for medical staff. Sanctions for breaches of confidentiality are designed to be appropriate to the severity of the breach and the intention of the individual. The sanctions include counseling and additional training, warnings that are placed in the personnel file, and termination.

A training tool-kit was developed as the foundation of our security-training program. The tool-kit contains a guide for trainers, pre-test, videotape, presentation material and a post-test. The Information Security Administration Department is available to train the trainers, to assist with the delivery of the training sessions and for any customization of the program. Very little customization is done. The Human Resources Department and line management are responsible for ensuring that all staff receives training. We have not set a policy on how frequently training should be repeated.

We recognize that a security awareness and reinforcement program is likely to return great dividends. However, an effective way of deploying it is still under development. To date this effort has consisted of articles for departmental, interest group, and divisional newsletters.

As part of a project to develop our standard architecture for distributed computing, the committee oversaw the development of the requirements for security.

A process was developed for the committee to review computer applications under development to ensure that adequate security measures were included and that they complied with policy.

The committee's operating process is designed to provide a continual review of operational issues as well as an annual review of all policies.

On-line access to health care information:

Our policy on authorizing access to clinical information is primarily based on roles, and categorization of data. Roles (job classifications) were identified that would have a need to know clinical information and mapped to the categories of data (e.g. lab, pharmacy, medical imaging) required for the performance of their duties. These roles would be granted access upon request from the information technology security managers at the user's health care delivery site.

Some roles have access only to one category of information.

Our interpretation of California State and Federal regulations was included in our definition of roles and categories.

There is a continuing difference of opinion among our physicians on the appropriate scope of access. Many physicians, particularly those in the emergency department and primary care, feel they should have total access, while those physicians in the mental health areas commonly feel that only they should have total access.

Most of our clinicians involved in the direct delivery of health care have access to: demographics, problem list, allergies, medicines, lab results, pathology reports, medical imaging reports, electrocardiogram reports, inpatient and outpatient diagnoses and procedures, and immunizations. Only those clinicians who are members of mental health or substance abuse departments have access to information originating in the computer systems of their departments.

No access is provided to HIV status.

All clinicians involved in direct health care delivery have access to mental health diagnoses originating in primary care departments and, via the pharmacy system, to the medicines used to treat mental illnesses, AIDS, and individuals with a positive HIV status.

In addition to the role-based approach, we have found that there are many individuals who perform duties that go beyond the standard tasks of their standard role. As the trustee (i.e. "Owner") of our health care data, I review each request for additional access and require a description of the job duties that justify additional access to each category of information.

California State regulations require that patients be allowed to view their health information. This is accomplished through our Health Information Managers.

When patients identify errors in their records, they are permitted to add amendments. In such a situation, we review the error identified by the patient with the original source of the information. If we concur that an error is present, the source or source system is used to mark the entry as erroneous and to add the amendment. In some cases the source system is unable to provide the amendment. In these cases database administrators make an amendment and notation of the change to the database. If we do not find there has been an error, the patient is permitted to add an amendment to the paper record. We do not currently employ a method for adding an amendment of this type to our electronic record. I am unaware of such a request.

No additional technical protection is provided for our employees or celebrities. All patients, including employees, have ready access to reports of who has accessed their electronic health information. Our Health Information Managers provide access to these reports.

By policy, managers and supervisors are forbidden from accessing the records of their staff unless the staff member has established a patient-physician relationship with their superior. It is not uncommon for staff to seek care from the physicians in their department and even more common to seek care from the physician who is the chief of the department.

The primary methods we use to protect health care information are:

  1. policy,
  2. sanctions for violations of policy,
  3. physical security,
  4. security training and awareness,
  5. unique user identification codes and passwords,
  6. regularly required changes of passwords,
  7. role and individual permission-based access control,
  8. log-in warnings,
  9. locking of keyboards and blanking of display screens on demand or if unused for a period of time,
  10. logging all access transactions,
  11. ready access to audit log reports,
  12. and standard procedures for release of health information.
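The role- and category-based access model described earlier in this section (roles mapped to data categories, mental health data limited to those departments, no on-line access to HIV status, and trustee-reviewed individual grants with a job-duty justification), together with items 7, 10 and 11 of the list above (permission-based access control, logging of all access transactions, and patient-facing audit reports), can be shown in one small model. The following is an added example written for this page; it is not Kaiser Permanente's code. The role names, category names, departments, user and patient identifiers, and the approval rule in `grant_exception` are constructed assumptions; only the structure of the policy comes from the testimony.

```python
"""Role/category access control with an access audit log.

Added example, not Kaiser Permanente's own code: the roles, categories,
users, patient id and the grant-approval rule below are constructed.
What it models from the testimony: roles mapped to data categories,
mental health data limited to those departments, HIV status kept
off-line, trustee-approved individual grants with a job-duty
justification, logging of every access transaction, and a per-patient
report of who accessed the record.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Categories most direct-care clinicians may see (constructed names).
CLINICAL_CORE = frozenset({
    "demographics", "problem_list", "allergies", "medicines", "lab",
    "pathology", "imaging_reports", "ecg", "diagnoses", "immunizations",
})
MENTAL_HEALTH = "mental_health_notes"   # only mental health / substance abuse departments
HIV_STATUS = "hiv_status"               # not available on-line to any role
MH_DEPARTMENTS = frozenset({"mental_health", "substance_abuse"})

# Role (job classification) -> categories that role needs to know (constructed).
ROLE_CATEGORIES = {
    "primary_care_physician": CLINICAL_CORE,
    "er_nurse": CLINICAL_CORE,
    "pharmacist": frozenset({"demographics", "allergies", "medicines"}),
    "lab_technician": frozenset({"demographics", "lab"}),
    "psychiatrist": CLINICAL_CORE | {MENTAL_HEALTH},
    "chart_room_clerk": frozenset({"chart_inventory"}),
}


@dataclass
class User:
    user_id: str          # unique user identification code
    role: str
    department: str
    extra_grants: dict = field(default_factory=dict)  # category -> approved justification


@dataclass
class AccessLogEntry:
    when: str
    user_id: str
    role: str
    patient_id: str
    category: str
    allowed: bool
    reason: str


def grant_exception(user, category, justification):
    """Trustee review of a request for access beyond the user's standard role."""
    if category == HIV_STATUS:
        raise PermissionError("HIV status is never granted on-line, even by exception")
    if not justification.strip():
        raise ValueError("a description of the job duties justifying access is required")
    user.extra_grants[category] = justification


class AccessController:
    def __init__(self):
        self.log = []

    def decide(self, user, category):
        """Policy decision only; returns (allowed, reason)."""
        if category == HIV_STATUS:
            return False, "HIV status is not available on-line"
        if category == MENTAL_HEALTH and user.department not in MH_DEPARTMENTS:
            return False, "restricted to mental health and substance abuse departments"
        if category in ROLE_CATEGORIES.get(user.role, frozenset()):
            return True, f"role {user.role} has need to know {category}"
        if category in user.extra_grants:
            return True, f"individual grant: {user.extra_grants[category]}"
        return False, f"role {user.role} is not mapped to {category}"

    def access(self, user, patient_id, category):
        """Every access transaction, allowed or denied, is logged."""
        allowed, reason = self.decide(user, category)
        self.log.append(AccessLogEntry(
            datetime.now(timezone.utc).isoformat(), user.user_id, user.role,
            patient_id, category, allowed, reason))
        return allowed

    def patient_access_report(self, patient_id):
        """The report a Health Information Manager can hand to the patient."""
        return [e for e in self.log if e.patient_id == patient_id]


def demo():
    """Constructed users and requests against one constructed patient record."""
    ac = AccessController()
    pcp = User("u1001", "primary_care_physician", "internal_medicine")
    psych = User("u3003", "psychiatrist", "mental_health")
    clerk = User("u4004", "chart_room_clerk", "medical_records")
    grant_exception(clerk, "demographics", "verifies patient identity when pulling charts")
    results = {
        "pcp_lab": ac.access(pcp, "P-0001", "lab"),
        "pcp_mental_health": ac.access(pcp, "P-0001", MENTAL_HEALTH),
        "pcp_hiv": ac.access(pcp, "P-0001", HIV_STATUS),
        "psych_mental_health": ac.access(psych, "P-0001", MENTAL_HEALTH),
        "clerk_demographics": ac.access(clerk, "P-0001", "demographics"),
        "clerk_lab": ac.access(clerk, "P-0001", "lab"),
    }
    return results, ac.patient_access_report("P-0001")


if __name__ == "__main__":
    results, report = demo()
    for entry in report:
        print(entry.user_id, entry.category, "ALLOWED" if entry.allowed else "DENIED", "-", entry.reason)
```

Denied requests are logged alongside allowed ones, so the patient's report also shows attempts that policy refused; that is what makes the log useful for the sanctions process as well as for the patient.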

Each of our 2.5 million members may choose to visit any of our many sites or use the telephone to seek advice from our nurses and physicians. So far we have found that it would be operationally impractical to limit access to health care information only to those clinicians who have seen the patient in the recent past or with whom an appointment is scheduled. We have not found breaches of confidentiality that would make this necessary.

Our patients see that we have information systems when they use our services. They know that we depend on their Kaiser Permanente medical number to schedule appointments, register for office visits, provide phone advice, and fill prescriptions. Many of our physicians access on-line health care information in their exam rooms with the patients present.

We are engaged in a project to develop materials that will inform members and patients of the information:

  1. we collect,
  2. how we use it,
  3. who has access to it,
  4. when and to whom we release it outside of Kaiser Permanente,
  5. and how we protect it.

We have not yet determined effective ways of delivering this knowledge to our members and purchasers.

The only situation where patients are permitted to request that their records not be computerized is in our pharmacies. We are required by regulations of the California State Board of Pharmacy to do this. In practice fewer than 200 of our 2.5 million members have taken this option. Not having the data in the computer has resulted in inconvenience and affected the quality of care for some of these patients. They are limited to getting refills at the pharmacy where they originally submitted the prescription. As we have more than 100 pharmacies, it is often more convenient to pick up refills at a location different from the one that originally filled the prescription. When the prescription is not in the computer, the regulations require that the paper prescription be physically transferred to the filling pharmacy. The quality of these patients' care is impacted when they seek care at a different facility and cannot remember the medicines that they are taking.

This year Kaiser Permanente began moving to a national structure for information technology from a divisional one and security was placed on the list of items to be addressed during the first year of this change. We have gained upper management's commitment by alerting them to issues raised in the literature, by organizations such as the Computer-based Patient Record Institute, the American Health Information Management Association, the National Research Council, internal and external audits, and security assessments. A statement that something is necessary and requires resources alone has been inadequate. Anecdotes and reports in the media have been very helpful in gaining management's attention.

Technical Practices:

Policy requires a unique user ID and password for each person who signs on to any Kaiser Permanente system. There are some operational settings (e.g., chart rooms, volunteers' desks) where terminals are shared by many people and are primarily used only to display information. In these situations they are limited to the information they need (e.g., chart inventory). Rarely, and under special circumstances, shared user IDs are permitted. Users are granted access to data processing resources (transactions and files) via software controls, based upon policies defined by trustees and the ICPSG.

Password-generating tokens are used by a number of users who access systems remotely. The security architectural design team has recommended these as a standard for all remote authentication. Remote access points are controlled physically; entry into the Kaiser Permanente network is controlled by a firewall (to filter Internet requests) and by a two-step authentication process for dial-in users.

A 7-digit number uniquely identifies patient records. This number will be expanded in the near future to accommodate longer character strings.

Encryption:

Encryption is acknowledged as a requirement for transmission of patient and business data. Currently, SSL is employed on our patient-based World Wide Web system. Passwords are also encrypted, as are personal identification numbers (PINs) and their identifiers. Given the limited scope of these efforts, ongoing costs have not been determined; initial costs were for development and implementation. No special software is in use.

The Internet:

We are making very limited use of the Internet to transmit identifiable health care information. We have policies and guidelines that permit the use of physician-patient e-mail over the Internet. It is only done at the patient's request and after informing the patient of the open, exposed nature of unencrypted e-mail and obtaining their permission. We serve Silicon Valley and many of our members are very conversant with Internet security issues, but still request the use of unencrypted e-mail. Common sense seems to prevail on the content of these e-mail messages and we are still awaiting our first security situation to arise with this.

The State of California passed regulations for telemedicine in 1996. They are in force now and a strict interpretation of them would require a written consent for each use of the telephone, fax, and e-mail. "Clean-up" legislation is being proposed.

We have a pilot project that involves the World Wide Web. A password protected site permits a patient to request appointments, to obtain advice nurse services, and to access Kaiser Permanente on-line illness-based support groups and health care references. Certificates control authentication and all transmissions are sent under Secure Sockets Layer.

A PIN system for our members was developed and implemented to support this effort. We also use this PIN system for automated telephone (interactive voice response) systems for appointment verification, cancellation and prescription refills.

Use of digital/electronic signatures is being investigated. The technology is not being used at this time.

Physical Security:

Central processors and distributed servers are housed in secured rooms that are climate controlled as necessary. Terminals and workstations are in protected areas as well and may be secured to furniture if appropriate. Most facilities have guard services posted 24 hours a day and have controlled access points during and after business hours. Our data center has been designed to be resistant to most disasters. It has been designed to withstand earthquakes up to magnitude 8.5. It has state of the art fire suppression systems, uninterrupted power with batteries and backup generators and redundant water supplies. Users of laptops are required by policy to take additional precautions to prevent loss or damage.

Data Recovery and Integrity:

Backup tapes are automatically produced and stored in an off site, out-of-area vault. Tests to certify that recovery of data and systems can be accomplished from these tapes are regularly performed. System programmers and database administrators oversee the integrity of the systems and data. Extensive use is made of automated tools for monitoring integrity and assisting with recovery.

Special Considerations:

A private network without any external connections may be looked upon as fairly secure. The privacy of transmissions can still be compromised through tapping of electromagnetic emanations or data lines, or by interception of microwave or satellite signals, but this requires someone with knowledge, equipment, and intent. An "open" environment (even a network with only one desktop modem) exposes the enterprise to the world, and special controls need to be considered. These include:

  1. firewalls - to screen incoming and outgoing transmissions,
  2. authentication tools - to verify the identities of persons and other hosts/networks,
  3. and encryption - to ensure privacy of messages.

Vendors and Data Security Consultants:

Requests-for-proposal for products under consideration for acquisition include questions regarding security features, including:

  1. authentication, including ability to use tokens and biometrics,
  2. security administration, including the ability to assign minimum and maximum password lengths, password history, password life span, etc.,
  3. compatibility with existing operating system security features,
  4. authorization, or selective control over access to system components,
  5. special features such as automatic time-outs,
  6. and logging and reporting features (of user and security administrator activities).

Many computer system users seem to find security non-beneficial and intrusive. They consider the time spent in logging on, changing passwords, etc., as wasted time, and are most concerned with ease of use. Single sign-on, or being able to authenticate oneself to all authorized applications in one step, is considered to be one of today's most-desired security features (although it is actually a productivity tool rather than a security feature). It is, however, difficult to attain.

Trustees take security very seriously, especially for the applications and data for which they are responsible. They want to be able to state who may use what data under what circumstances, and to be able to review what has been done (in other words, authentication, authorization, and auditing are their chief concerns). Costs of security features need to be balanced against the risks of an unsecured system.

Security technologies used by other industries, particularly banking and government, could be applied to healthcare applications. Digital certificates and virtual private networks (in fact, all variations of encryption) are beginning to be regarded as requirements for authenticating users and securing transmissions.

IT Security assists clients in designing and implementing application controls during the systems development/acquisition cycle. The process takes place over most phases of the project and is reiterated as the application is enhanced and maintained. Security solutions for new applications must be in compliance with policies and are based upon system and client requirements such as:

  1. platform (e.g., operating system),
  2. risks/threats,
  3. regulation/law,
  4. sensitivity of data,
  5. and business unit operations (e.g., hours of business, physical location).

We try to find the simplest solutions possible, implementation of which can be carried over to other applications and systems regardless of hardware or software platform.

Superiority of Security and Confidentiality in Computer-based Health Records

Well-designed, implemented, and monitored computer-based health record systems provide better protection for health information than paper-based systems. The major factors that provide computer-based systems with superiority for protecting information are their ability to:

  1. positively identify each user,
  2. verify authorization,
  3. predefine access rights,
  4. restrict retrieval based on the circumstances of the access request (need-to-know-now),
  5. encrypt transmissions,
  6. record each user access in logs,
  7. and display personal identifying information only when necessary.

 

Major Impediments

The major impediment to good health care information security is the absence of industry standards for the policies, procedures, and technology required to provide adequate protection. Other major impediments to good protection of health care information are complacency, overconfidence, competition with other priorities for attention and resources (particularly for line management at medical centers), the limits of technology in legacy systems, turnover of personnel, and corporate mergers and reorganization.

 

Concerns

I am concerned that regulations might place a large and costly burden on administrative overhead, e.g.:

  1. requiring written consent to be obtained to collect, store and use information on patients each time care is delivered,
  2. requiring each patient give permission to each individual caregiver or user before access to a record is permitted,
  3. requiring the patient's primary care physician to approve each clinician or user who requests access to a record.

The analysis of health care data is required to determine the best and most cost effective ways to treat and manage illness and health. When done as research, an institutional review board is used to protect patient interests. However, essentially the same analyses are required as a part of business for management reporting and decision support. I would like to see regulations that will protect patient confidentiality interests in this situation.

In addition, I am concerned about the potential for violation of confidentiality through the sale of identifiable health information. As an ophthalmologist, organizations have offered to sell me lists of names and addresses of likely candidates for refractive surgery, cataract extraction, and laser surgery for diabetic retinopathy. A regulation prohibiting and providing prosecution for the sale of such information seems to be required.

I am also concerned by the potential of health care information to be used to discriminate against individuals, without their knowledge or consent, when they apply for health care, life and other insurance, and in education and employment. Regulations preventing such use are essential.

Another concern is that access log requirements might be written that would make the delivery of health care by teams unworkable. In the situation where several individuals are looking at a single display (e.g. ICU, ER), presumably only one is logged on. How do we capture the access of the other team members for the access audit log? Similarly, in primary care, teams of doctors, and others (e.g. physician assistants, nurses, medical assistants, pharmacists, health educators, and clerks) are all involved in the care of the patient as they flow through the office. Team members often look at the paper health care record together. How do we manage access control for on-line records when a team looks at the same display?

 

Recommendations

Having Federal regulations that establish reasonable minimum standards for health care information protection would be an enormous aid to health care delivery organizations. If we had such regulations, we would not have to spend resources to determine what protection is required and then justify the resources necessary to develop and implement it. We do not need to justify the resources that are required to implement Federal standards. Many discussions with great amounts of passion could be avoided. We could just do it.

It is essential to have regulations with significant penalties and adequate prosecution for violations of the regulations. The regulations should cover:

  1. patient and provider rights for health care information,
  2. informing patients and providers of information practices of organizations,
  3. securing consent to store and use health care information for:

    a.) the delivery of health care,
    b.) managing health care organizations,
    c.) research,
    d.) performance reports on providers,

  4. who has authorization to access on-line health care information,
  5. circumstance of appropriate access,
  6. transmitting health care information,
  7. disclosure and redisclosure of health care information,
  8. and sale of individually identifiable health information.

 

Summary

At Kaiser Permanente, we have found it necessary to have a formal program for health care information protection. For this program to be effective it must have the authority to do what is needed and the line management structure must recognize and reinforce this authority.

The development of a health care information security program must take into consideration patterns of human behavior and deploy solutions that are workable in the health care delivery setting.

Having Federal regulations that establish reasonable and appropriate standards for health care information protection would be an enormous aid to health care delivery organizations.

 

ATTACHMENT

KPNC Information Confidentiality, Privacy, and Security Policies - Contents

INTRODUCTION

GENERAL SECURITY

Data Security

Use of Corporate Data

Confidentiality and Security of Patient/Membership Data

Data Classification

Confidentiality of Patient/Membership Data for Staff/Executives/Celebrities

Reporting Breaches of Information Security (DRAFT)

Access to KPNCR Systems and Data by Outside Service Providers and Non-KPNCR Entities (PENDING APPROVAL)

Physical Security

Securing Personal Computer Hardware (FUTURE RELEASE)

Retention and Disposal of Data and Output

Internet Use and Security (PENDING APPROVAL)

Dial Access to Regional Computing Platforms

Home and Mobile Computing

Fax Communication Security

ADMINISTRATION

Acquiring, Controlling, and Possessing User Identification Codes

HUMAN RESOURCES

Confidentiality and Security Responsibilities

Confidentiality and Security Orientation and Training (FUTURE RELEASE)

Intellectual Property (FUTURE RELEASE)

Confidentiality Breaches and Staff Discipline (FUTURE RELEASE)

APPLICATION SECURITY CONTROLS

Application Development (PENDING APPROVAL)

Testing Business Applications (FUTURE RELEASE)

Emergency Changes to Production Data (FUTURE RELEASE)

Correcting Errors in the Clinical Data Repository (FUTURE RELEASE)

Patient Demographic Information (PATDEM)

Admission/Discharge/Transfer and Case Abstracting Systems (ADT/CABS)

Patient Registration System (Reg Plus)

Outpatient Summary Clinical Record (OSCR) (PENDING APPROVAL)

Operating Room Scheduling Office System (ORSOS) (PENDING APPROVAL)

Clinical Information Presentation System (CIPS)

Mental Health Data Access

HIV Status Data Access (PENDING APPROVAL)

Caregiver-Patient E-mail Communication

PIN System (FUTURE RELEASE)

Kaiser Permanente Online (PENDING APPROVAL)

TECHNICAL CONTROLS

Local Area Network (LAN) Security

Virus Prevention (PENDING APPROVAL)

Vendor Access (PENDING APPROVAL)

GLOSSARY