For the Record: Protecting Electronic Health Information

Testimony to the National Committee on Vital and Health Statistics
Subcommittee on Health Data Needs, Standards, and Security

Tuesday, August 5, 1997

Carl Landwehr
Supervisory Computer Scientist
U.S. Naval Research Laboratory
and
Member, Committee on Maintaining Privacy and Security in
Health Care Applications of the National Information Infrastructure
Computer Science and Telecommunications Board
National Research Council

Good morning, and thank you for the opportunity to testify before the National Committee on Vital and Health Statistics subcommittee on Health Data Needs, Standards, and Security. My name is Carl Landwehr. I am a Supervisory Computer Scientist at the U.S. Naval Research Laboratory, where I head a section responsible for computer security research within the Center for High Assurance Systems. I served on the National Research Council study committee that produced the report, For the Record: Protecting Electronic Health Information. I believe that members of the NCVHS have received copies of the report, which was released in March of this year. I will submit another copy along with my oral testimony this morning.

The National Research Council committee on which I served was asked by the National Library of Medicine, the Warren G. Magnuson Clinical Center, and the Massachusetts Health Data Consortium to investigate ways of improving the privacy and security of health care applications of the national information infrastructure. The charge to the committee was three-fold: (1) to observe and assess existing procedures and practices for protecting the privacy and security of electronic health information; (2) to identify other mechanisms worthy of testing in a health care environment; and (3) to outline promising areas for further research. In order to carry out this charge, the committee conducted a series of site visits to six different health-related organizations, during which we discussed privacy and security concerns as well as the mechanisms used to protect electronic health information. The committee also met with a range of other experts in computer security, health informatics, and patient privacy to better understand concerns about privacy and security and to identify security methods that work in health care and other industries.

Before I discuss the committee's findings and recommendations, let me first define the terminology the committee used in the report. The committee used the term "privacy" to refer to an individual's ability to limit the disclosure of personal information. This definition implies that privacy is a goal that we try to achieve by protecting information that has already been revealed and by limiting further disclosures of that information to others. "Confidentiality" refers to a condition in which personal information is shared or released in a controlled manner. Hence, confidentiality policies outline the specific rules governing releases of information and attempt to balance the need for access to information against the desire to protect the patient's privacy. "Security" consists of technical and nontechnical measures for protecting information and information systems against malicious attacks or accidents. As such, security measures support confidentiality policies by helping ensure that information is available only to those with a legitimate need to know and is released only in accordance with stated policies. But security also includes measures to ensure the integrity of information and the availability of the information systems in which it is stored.

The committee found that a wide variety of practices, both technical and organizational, have been developed and implemented. Organizational practices are at least as important as technical measures in protecting electronic health information.

Our site visits revealed that these practices have not been consistently and uniformly deployed throughout the industry, however. To date, health care organizations have not had consistent economic and regulatory incentives to strengthen security. Sporadic violations of privacy and security have failed to rally broad interest; and few sanctions exist that compel greater attention to privacy and security. Most organizations face strong pressures to expand the capabilities for access to their health information systems. Those that have put information on-line are beginning to take protective steps they believe are reasonable and justifiable. However, no single organization the committee visited has adopted the full range of practices the committee believes is necessary to protect electronic health information.

Two other factors slow the adoption of security technology in health care. One is a lack of standards that define the types of security mechanisms that health care organizations should demand from vendors of medical information systems. The other is the lack of a mechanism for health care organizations to share information about security breaches that have occurred and practices that are effective in preventing them.

To remedy these problems, the committee made a series of recommendations. First, the committee called for all organizations that handle patient-identifiable health care information -- regardless of size -- to adopt a wide-ranging set of technical and organizational policies, practices, and procedures. The technical practices include:

  1. Individual authentication of users, so that they can be held to account for their actions;
  2. Access controls to ensure that users can access and retrieve only information for which they have a legitimate need;
  3. Audit trails to allow organizations to track and review all accesses made to patient-identifiable health information;
  4. Physical security and disaster recovery techniques to keep intruders and emergencies from affecting operations;
  5. Protection of remote access points to prevent outside crackers from breaking into information systems via Internet or modem connections;
  6. Protection of external electronic communications, through encryption or the use of dedicated lines;
  7. Software discipline to prevent the installation or downloading of malicious software that could copy or corrupt patient data; and
  8. System assessment to ensure organizations are aware of the vulnerabilities of their information systems.

In order to be effective, these technical practices must be complemented by a set of organizational practices that establish structures for creating, implementing, and enforcing policies. The organizational practices recommended by the committee include:

  1. Development of policies that specify the types of information that will be released to users inside and outside the organization and that outline the security mechanisms that will be employed to protect information and systems;
  2. Security and confidentiality committees that regularly review and update those policies;
  3. Information security officers who are responsible for implementing and monitoring compliance with security policies and practices;
  4. Education and training programs to help all health care workers understand their responsibilities in protecting health information and the practices used;
  5. Sanctions that are employed consistently and uniformly to discipline those who violate confidentiality and security policies;
  6. Improved authorization forms that tell patients who inside and outside the organization will have access to their medical records; and
  7. Patient access to audit logs to allow patients to review who has seen their records.

The committee believes these practices can be adopted almost immediately with minimal difficulty and expense.

Incorporation of these practices into standards promulgated by the Secretary of Health and Human Services represents the first step toward improving the protection of electronic health information. Additional efforts will also be needed to facilitate deployment of technical solutions and revision of standards over time. To do so, the committee also recommends that the federal government work with industry to develop the necessary infrastructure to help health care organizations better protect health information. It recommends the establishment of a standing health information security standards committee within NCVHS to develop--and update--privacy and security standards as necessary. It also recommends the establishment of an organization modeled after the computer emergency response team at Carnegie Mellon University for sharing information about security threats, incidents, and solutions in the health care industry.

Such measures, while significant, will not by themselves ensure adequate privacy for patients. They do not address systemic concerns about patient privacy that stem from the widespread sharing of health information throughout the health care system. Health information routinely flows among care providers, insurers, pharmacists, state public health organizations, and perhaps even employers, life insurers, and marketing firms. Such sharing is largely unregulated and represents a significant concern to patients and privacy advocates alike. Privacy concerns posed by these data flows require national discussion to determine how best to balance a patient's privacy interests against other organizations' legitimate needs for health information.

Efforts under way to develop a universal identifier for patients heighten these systemic concerns. While a universal identifier can more easily link information for care payment, administration, and research, it could also facilitate the linkage of health records with records outside the health care system, whether employment, driving, or financial. Such privacy concerns must be considered explicitly in any attempt to develop a universal identification system.

In summary, the committee strongly encourages the development and promulgation of security standards to help health care organizations determine how best to protect electronic health care information and to help vendors determine which capabilities to provide in health information systems. Such standards must include organizational as well as technical practices and should outline the capabilities desired in security systems rather than particular implementations or solutions. At the same time, the National Committee on Vital and Health Statistics and the Secretary of Health and Human Services must take additional steps to foster the development and deployment of innovative security solutions through the creation of a standing standards-setting body and the establishment of an information-sharing body. Additional efforts will be needed to address systemic concerns stemming from the sharing of information throughout the health care industry.

The committee believes that adoption of its recommendations will foster continued progress in modernizing the health care industry, while ensuring that patient privacy is maintained. I would encourage the NCVHS to review the full contents of the committee's report for additional perspective on these issues.

I will now be pleased to answer any additional questions. Thank you.