Presentation to the
National Committee on Vital & Health Statistics
Subcommittee on Health Data Needs, Standards, and Security

August 5,1997
Washington, DC

by
Dale W. Miller

Thank you for the opportunity to provide input on recommendations for information security standards.

Irongate, Inc. is an information security consulting firm that works with healthcare organizations to preserve the confidentiality, protect the integrity, and ensure the availability of all forms of valuable and sensitive healthcare information including patient records, care-giver and employee records, billing data, and business records.

Irongate, Inc. conducts reviews to identify information security exposures and evaluate the security measures being used by healthcare organizations, leads risk assessments to determine the specific vulnerabilities for new systems and procedures, develops information security policies and procedures, designs and delivers information security awareness training, and plans and designs an optimum organization structure for the management of the information security function.

My comments are based on my experience in providing these services to healthcare, banking, and other industries as a consultant for the past eleven years. During the last five years these services have been devoted almost exclusively to healthcare clients.

These comments also reflect discussions at tutorials, conferences, workshops, and standards development organizations related to healthcare information security. Unfortunately this group, together with Irongate, Inc.Æs clients, represents only those organizations who are both concerned about information security and are actively engaged in taking steps to improve information security. While I believe that most caregivers and employees are very aware and concerned about information security, many organizations are not formally addressing information security.

In general, I believe the healthcare industry has done a poor job of implementing effective information security programs. Some of the reasons for this are:

1. the lack of properly defined and accepted responsibility.
2. the lack of adequate system capabilities.
3. the failure of organizations to implement organization-wide information security programs.

1. Lack of properly defined and accepted responsibility

Although the senior management of most healthcare organizations understands that the organization must protect patient confidentiality, many organizations have not formally recognized and defined the responsibility for information security. Nearly every organization does have some policies regarding confidentiality and has implemented some system security features. Usually a member of the information systems department performs routine security administration tasks including assigning logon ids, granting access privileges, and revoking access for employees who are leaving the organization.

Because the responsibility for the organizationÆs information security program has not been assigned, there is no one individual or team with the responsibility to ensure that policies and procedures have been developed, information security awareness training is provided to all staff members, appropriate controls have been implemented, and auditing and monitoring of information security functions is performed.

Basic coordination of security measures across departments and systems does not occur. Different systems within the organization have different levels of security. Security exposures that are not directly a systems function such as disposal of paper containing confidential information are frequently not adequately addressed.

In the absence of formally defined responsibility, access control decisions are often made by persons who are not in a position to determine the appropriate access privileges for systems users. Because access control decisions are partially made and implemented by the systems staff rather than management of caregivers, additional bureaucracy requiring unnecessary forms, signatures, and delays is created.

2. Lack of adequate system capabilities

In general, current healthcare information systems provide very poor tools for managing access control. Although, good system security practice for access control has been defined for many years and systems in use in other industries provide tools for implementing good security, many healthcare systems do not include these security features. Developers of healthcare systems are not using the security experience and expertise from other industries to integrate good security features in their systems.

Many healthcare information systems do not include features to encrypt passwords, enforce minimum password lengths, enforce periodic password change, automatically logoff unattended terminals, permit distributed administration of access control, or encrypt sensitive patient data. Major healthcare organizations are currently installing computer-based patient record systems that do not even provide password encryption. Systems personnel in those organizations can gain access to any userÆs password and, if they are so inclined, impersonate any caregiver to gain access to confidential patient information, enter orders, or sign patient records. Those organizations will not be able to enforce individual accountability for the confidentiality, accuracy and authenticity of the records. As a result patient care and patient privacy may suffer.

Most healthcare organizations utilize several different information systems provided by different vendors. These systems typically support a specific function or department such as the laboratory or radiology. In order to gain access to the information needed to care for a patient or bill for services, personnel at these organizations must logon to several systems with each requiring a different password and login protocol. Thus the users of the these systems are required to know multiple passwords, sometimes as many as six or eight. Users tend to create security exposures by writing these passwords down rather than memorizing them. Few healthcare systems are designed to support a single-sign-on process that allows the user to gain access to all information to which they are authorized by using a single logon id and password.

Not all current systems provide the functionality to control access to information with sufficient granularity to limit a userÆs access to the information necessary for the individualÆs assigned responsibilities. At many organizations all physicians and sometimes other caregivers are granted access to the information for all patients associated with the organization whether or not the particular physician is caring for the patient. At a large facility this may mean that each physician has unrestricted access to the information for thousands of patients.

Most current systems do not include the functionality which permits assigning the highest level security management privileges to several people without requiring them to share the system level password. This lack of functionality makes it impossible to enforce individual accountability.

Because few organizations have defined their specific needs, they do not appear to demand that system vendors provide adequate security functionality when these organizations evaluate and purchase systems. All too frequently, information security seems to be addressed during the implementation phase, after it is too late to influence the security functionality that will be provided by the vendor.

The technology to provide greatly improved security of health information exists, but that technology has not been included in many health information systems.

3. Failure of organizations to implement information security programs.

Current security initiatives at healthcare organizations tend to be small projects to address isolated issues rather than efforts to implement comprehensive, organization-wide information security programs. These projects are typically motivated by an impending accreditation survey by JCAHO, concern about risks related to the connection of the organizationÆs systems to Internet, or installation of a computer-based patient record system. The perceptions of the risks are usually based on media stories of computer break-ins or unauthorized disclosure rather than on risk assessments. The security activities tend to be initiated by committees or project teams at lower levels in the organization rather than by senior management.

The broad scope of the information security function within an organization and the need to implement a formal information security program tailored to the needs of the organization does not appear to be well recognized by senior management of healthcare organizations. While the concepts and principles for protecting information are very similar from organization to organization, the information security program at each organization must be designed to meet the specific needs of that individual organization. For example, the challenges of protecting confidentiality at a rural hospital that may also be the major employer in the community are somewhat different than at a large medical center in a major metropolitan area. In the smaller community, the hospital management, caregivers, volunteers, and clergy may know the majority of the patients and all may have access to patient information via the hospitalÆs information systems.

In order to achieve cost-effective protection, the organization must design its information security program to conform to the specific culture, management style, systems environment, and other unique characteristics of the organization. Senior management support of a coordinated effort rather than many diverse project team and committee tasks is much more likely to produce a successful program.

The lack of a formal program leads to inconsistent and incomplete implementation of security measures both procedurally and in system functions. Many organizations do not appear to recognize the extent of the costs associated with the disparate security activities being undertaken by various project teams and committees. Formal coordination of these activities is far most cost-effective and yields significantly improved security measures.

Recommendations

• This committee has advocated the passage of health privacy legislation. I believe such legislation would be most effective if it includes measures which require the protection of each personÆs privacy and provides for individuals to recover damages from healthcare organizations upon a breach of confidentiality even in the absence of provable economic damages. I believe such legislation should not specify detailed technical requirements for information security because it would be likely to limit innovation and preclude utilizing new security technology for the protection of health information. In my opinion, legislation which creates incentives for organizations to improve security rather than mandates specific measures is likely to be most helpful.
• In addition to legislation, HCFA could also increase management attention to information security by requiring that as a condition of participation in Medicare programs, the Board of Directors or Trustees of a healthcare organization be held accountable for establishing organization-wide information security programs in very much the same manner that Banking Circular 229 issued by the Comptroller of the Currency on May 31, 1988 held Boards of Directors of banks responsible for establishing formal information security programs at National banks.
• The work of standards development organizations, particularly ASTM, is extremely helpful in providing the basic foundation that organizations can use to develop comprehensive information security programs. These standards contribute to consistent levels of protection of information at different organizations. I believe that work should be encouraged and supported in lieu of legislation defining specific security measures.
• Accreditation organizations such as JCAHO can cause an improvement in information security to occur by increasing the emphasis on information security during their accreditation surveys. In addition to the implementation of good security practice, accreditation criteria should require that healthcare organizations encourage their information security staff to acquire certification as Certified Information System Security Professionals and should require CISSP accreditation when hiring information security managers or engaging information security consultants. This certification, based on examination and requiring continuing professional education, will help to ensure that healthcare information security programs utilize sound, generally accepted practices and are implemented by trained professionals.
• I believe this committee can help to improve the state of information security in healthcare by raising the awareness of the responsibility of the management of healthcare organizations to address information security, by increasing the awareness of healthcare organizations of the necessity to demand that vendors include much more security functionality in their products, and by fostering the education of consumers of healthcare about how their health information is gathered, used, and disseminated.