STATEMENT
To the Subcommittee on Health Data Needs, Standards and Security
National Committee on Vital and Health Statistics (NCVHS)
Re: Perspectives on Security Issues

Presented by Cindy Zakoworotny, MS, RRA

August 5, 1997


Good afternoon Dr. Lumpkin and Members of the Subcommittee:

My name is Cindy Zakoworotny, MS, RRA, and I am testifying on behalf of the American Health Information Management Association (AHIMA). I am a member of AHIMA's Task Force on Information Security and I am Director of the Medical Record Department at Hartford Hospital in Hartford, Connecticut. On behalf of AHIMA's 37,000 members, thank you for the opportunity to address the Subcommittee on issues regarding security in the implementation of the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191).

AHIMA is very much aware of the importance of the task which the National Committee on Vital and Health Statistics (NCVHS) has been charged with under the administrative simplification subtitle of Public Law 104-191. Our complete written statement answering the questions posed in your letter of invitation has been submitted for the record.

Current State of Information Security in Healthcare

Protecting healthcare information has always been important, but it has never been as hard to do as in today's healthcare environment. Information security in a computerized health record has been a topic of discussion in Congress, in research and standards development organizations, in the media, and in healthcare organizations throughout the United States. The National Research Council (NRC) report For the Record: Protecting Electronic Health Information states that "the prospect of storing health information in electronic form raises concerns about patient privacy and data security, for although information technology allows the use of advanced technical mechanisms to limit access to health information, it also introduces new vulnerabilities".

One of the most compelling reasons for information security is that patients are becoming more concerned about the privacy of their health information. The NRC report goes on to say that, "information is collected for legitimate purposes, but few controls exist to ensure that it is not used for other purposes that may run counter to the patient's interests or patient privacy". More information on patients is being collected than ever before, and some of that information, like HIV status, has been used against individuals as they compete for jobs, home loans, and other matters not strictly related to health. Security disasters reported in the press have given patients good reason to be cautious when disclosing personal information.

A second reason for looking at security practices is the utility of computer-based health records. Today's healthcare information can be transmitted faster, sorted and analyzed easier, retained longer, and broadcast farther than in the past.

The American Health Information Management Association (AHIMA) believes the use of computers to collect, maintain, and store health information is an appropriate and critical advancement in healthcare, but such systems must be carefully designed and monitored and those with access to health information must be educated about their responsibility to protect its confidentiality. AHIMA also believes that organizations must regularly review their health information security programs to ensure they reflect changes in technology, the addition of new equipment, and any potential internal or external threats to the information. Patients must be confident that the sensitive information they share with healthcare providers will be handled responsibly and safeguards to protect their information are in place. Without such confidence, patients may withhold critical information that could affect the quality and outcome of care and the safety of the public.

Information Security Program

An effective information security program will

  1. Protect and properly manage enterprise data, information networks and systems from unauthorized access, modification, destruction, or loss
  2. Improve patient and staff confidence in the organization's ability to provide a respectful work and patient care environment
  3. Minimize the liability exposure and financial loss to the enterprise
  4. Ensure compliance with information security industry standards
  5. Promote credibility of the organization as an actively responsible partner in a healthcare delivery system or in its community
  6. Position the organization as a leader in the arena of information security

A security program should address the following areas:

The 1991 Institute of Medicine study on the computer-based patient record (CPR) states that "among the highest priorities in the coming decade will be the enhancement and application of methods to ensure the privacy and confidentiality of patient data in the CPR. Much of the technology to make the CPR more secure already exists, but for greatest effectiveness these technologies must be better deployed or embedded in CPR systems."

Organizational Commitment

Security can become a complex and costly activity when applied to information. But as a key resource of an enterprise, information must be protected from the threat of intentional and accidental harm. As our reliance on computerized information increases, so does our vulnerability to attacks that either alter or destroy data or share information inappropriately. To date, healthcare information systems have not sustained any widespread attacks on their integrity, but other industries are currently experiencing such attacks. Still, whenever computer-stored or paper-based information is inappropriately released, anxiety grows over the use of computerized patient record systems.

Without showing a list of lawsuits or news of million-dollar claims, it may be hard to convince an organization to make the commitment required to implement a comprehensive security program. However, the organization should still be encouraged to consider the risks involved. Lawsuits have been filed for inappropriate release of information and violation of privacy. Negative publicity has resulted from inadequate security systems or the lack of definitive policy.

Consumers can become dissatisfied with an organization that has no way to assure concerned patients that their information will be kept confidential, and this could ultimately lead to patients turning to other providers for their care or, more significantly, to keeping critical information from their providers. An institution seeking accreditation from the Joint Commission on Accreditation of Healthcare Organizations or other accreditation organizations could find that its survey results have been affected by its lack of an information security program. Institutions must also be aware that some state laws enact penalties for privacy violations, and that federal initiatives on protecting privacy include financial and criminal penalties.

If the risks have yet to be fully demonstrated to an organization, then some benefits to planning for information security should be pointed out. Currently, one of the biggest reasons that staff members choose to receive their care from other providers is a concern over their privacy. A comprehensive security program can help mitigate those concerns. Documented policies and procedures can prove extremely helpful in answering questions from patients, families, and the press. A planned approach to security provides an opportunity for cost savings, timely implementation, and increased efficiency in making operational changes. Finally, although risk can never be totally eliminated, a security program can play a part in a good defense should a lawsuit arise from an unfortunate event.

Risk Assessment

Once an organization has developed an interest in improving its information security program, the next step is to perform a current risk assessment. A risk assessment, the process of analyzing and interpreting risk, includes three phases:

  1. Determining the scope and method
  2. Collecting and analyzing data
  3. Interpreting the results

For The Record: Protecting Electronic Health Information cites five levels of threat to information in healthcare organizations:

  1. Insiders who make innocent mistakes and cause accidental disclosures
  2. Insiders who abuse access privileges
  3. Insiders who knowingly access information for spite or profit
  4. An unauthorized physical intruder
  5. Vengeful employees and outsiders, who mount attacks to access unauthorized information, damage systems, and disrupt operations

Analysis should lead to setting priorities on which systems need to be secured, and the most effective methods to reduce risk.

Human Resources

The job of creating an information security program requires the participation and support of several people within an organization. Organizational commitment, demonstrated by sponsorship from top management and physician leadership, is critical to the success of a security program. Frequently, a multidisciplinary team holds the responsibility of defining, implementing, and monitoring a security program.

Many organizational approaches can be taken to create the information security team. An existing medical record committee may oversee this activity. A quality improvement team can be organized to develop the key components of a program, and it can then delegate tasks to individuals for completion. A separate information security committee can be formed to craft policy, design programs, perform risk assessments, and monitor compliance. Attached to this testimony are several examples of sample organizational charts.

Important elements to consider in defining a structure are being certain that all appropriate functions will be represented in some fashion, and that a team can be built that will work hard, stay educated, understand the issues, and develop the right strategies for the organization.

Suggested team members include:

The HIM professional brings an understanding of the organization's current access and release of information policies, as well as applicable federal and state laws, regulations, and external agency standards. The IS director knows the features of the information technology network architecture, the existing information system's security measures, technical options, and information resources that need protecting. The facility's risk manager or attorney can help the security team understand the balance between security risks and availability of critical health information to those who need access. Human resources can advise the team on disciplinary processes, orientation, and continuing education opportunities, and on developing an appropriate confidentiality statement process. It is important to include people who make direct use of the information to take care of patients, which is the core function of the business. They would know if a particular security strategy would be too cumbersome for the "real world." Their participation in program development will help promote recommendations to other clinicians. Laboratory or radiology departments have historically been the first to automate their clinical patient result information, so that experience might serve as leverage to guide the security team around potential pitfalls of the organization's information strategy. Distributed systems or larger enterprises may employ several system administrators. Their perspectives will prove useful in designing a workable solution to information security, and their participation in implementation is critical. Finally, some thought should be paid to considering a method for obtaining the input of patients, clients, or members into the deliberations. Focus groups, reaction panels, or enlisting a representative from the patient pool are good ways to do this.

Some organizations have recognized the need for dedicated personnel to lead the design, implementation, and monitoring efforts of the information security program. That may be a full time or part-time position, depending on the size and complexity of the information system. Attached to this testimony is a sample position description for an information security manager.

Consultants

Another alternative would involve obtaining the services of a consultant to help with part or all of the development of the information security program. In most respects, the basic considerations for determining when to use an information security consultant are similar to the guidelines for using any consultant. Information security consultants are most valuable to an organization when performing functions that employees cannot easily or cost-effectively accomplish themselves. A consultant could assume the functions of staff members who

Because information security is an integral part of nearly all activities in the organization, a collaborative effort should be formed between consultants and employees concerning information security projects. Although the consultant may provide the leadership and expertise, as well as do much of the work, most information security projects will require close cooperation between the consultant and the organization's staff.

Consultants should never be called upon, however, to make the decisions for the organization. For example, while consultants can prove very valuable in helping the organization develop the process of granting information access privileges to specific individuals, they would not normally be asked to make the day-to-day decisions concerning such privileges. Some good choices of the information security projects that could be considered for assignment to consultants are:

· Perform Information Security Reviews

Consultants can identify risks and exposures that may not be obvious to employees, either because the employees are too familiar with the work environment or because they lack experience in identifying and analyzing information security risks. The consultant brings an outsider's perspective and can bring details about potential security breaches to management's attention, whereas employees may feel that raising such issues with management could jeopardize their careers.

· Develop Proposed Policies, Standards, and Procedures

A consultant can assist the organization by drafting proposed policies, standards, and procedures.

· Develop Training Programs and Materials

The organization staff is usually best qualified to conduct ongoing information security training. Consultants are good at creating training materials and designing the curriculum and session content in a cost-effective manner.

· Conduct Risk Assessments

A formal risk assessment usually requires coordinating the activities of staff members from various departments to perform a one-time analysis of the potential threats to information, and to propose measures for mitigating the risks. Leading the risk assessment process and preparing the risk assessment documentation are ideal assignments for consultants.

· Develop Criteria for Selecting Hardware/Software

An information security consultant can assist the organization with the development of checklists and specifications to be included in requests for proposals (RFPs). The use of a consultant can significantly minimize the research that staff members would usually have to do.

· Recommend and Evaluate Technical Security Solutions

An information security consultant can also be assigned the specialized task of researching the various access control methods, encryption techniques, and similar security measures to be purchased or implemented.

Policies and Procedures

According to the JCAHO, an effective security process should minimally include the following:

Policies must also outline

Once an organizational structure is in place and the appropriate reference information has been gathered, the next step is to review, update, and create policies that will cover confidentiality and security of health information in any media. Organization policies should address the rights and responsibilities of three general constituents:

There is no "perfect" policy or "right" answer. Consideration must be given to the environment, all regulatory issues, standards, the mission of the organization, and business needs. A good place to start is with an existing patient rights policy that may already address a patient's right to privacy. Consider expanding that policy by incorporating other relevant patient rights information issues.

Once a discussion of patient rights has been completed and the policy has been developed, the following additional policies should be reviewed or developed:

· Access and Protection

Information should be readily available and must be protected against destruction and unauthorized modification.

· Authorized Users

Define who is authorized to write in the record, or create an entry in a computerized information system. Authentication policies and error corrections need to be well defined to ensure the creation of complete and accurate information.

· Information Removal

An organization should have a policy outlining under what circumstances information may be removed. Although a court order may be required to remove a medical record, secondary storage at an offsite facility is often part of the information security plan. Well-documented procedures are important to distinguish customary business practices from unusual information removal. Under what conditions is an organization allowed to remove computers or media that contain confidential information? Specific policies that govern this removal should be in place, along with additional safeguards in handling. Retention schedules should be updated to include electronically stored information.

· Employee Responsibilities

A policy should document employee responsibilities in protecting patient confidentiality. This policy should include a statement of the consequences of inappropriate access and release of information. Consider developing a grading system for the severity of a policy infraction. Currently, it is standard practice for healthcare employees to sign a confidentiality statement. This agreement documents that the employee has been instructed in the information security policies and understands the consequences of violating the policy. In addition, AHIMA recommends that each employee, student, or volunteer sign a non-disclosure acknowledgement on an annual basis to remind these individuals of their ongoing responsibility. Medical staff bylaws, rules and regulations should address physician responsibilities, and the consequences of violation.

· Aggregate Patient Data

A policy regulating access to aggregate data should be instituted. With data mining tools becoming more user friendly, more access to clinical or financial data repositories may be available throughout the institution to people who are creating and distributing reports. All users authorized to access aggregate data must understand the institutional review board policies for research that should be in place. Who is allowed to create reports for management, quality improvement, patient data registries, organization planning, and marketing should be specifically defined. In most cases, patient identifiers should be eliminated in aggregate reporting, though specific circumstances may arise where patient identification is warranted. These special circumstances should be clearly defined and documented in security policy. If patient identifiers must be included to link data to other sources like paper records or other databases, the identifiers should be stripped at the earliest point possible.

· Downloading Patient Information

There should be a policy prohibiting the downloading of patient data files, unless this activity is specifically part of an employee's job responsibilities. A prohibition should also exist against loading unauthorized software onto workstations or downloading programs from the Internet, as these may contain viruses that can infect the organization's information system network.

· Network Access Standards

Network access standards should be delineated in policy to ensure the security of the organization's networks--including all wide-area and local-area networks--and that they are under the general control of the network supervisor. This reduces the risk of "backdoor" access to the networks that finds its way around the protection built into firewalls and the documented network configuration.

· Vendor Access

If the organization has hired outside contractors or vendors to provide services that allow or require access to patient information, it must take reasonable steps to protect information held by these contractors and their employees against theft, loss, unauthorized destruction, or other unauthorized access. If on-line access to the organization's information systems will be granted to employees of a contractor or vendor, the agreement should specify which employees would have this capability.

Generally, it is unnecessary to obtain signed agreements from the contractor's individual employees. Instead, the facility should sign an agreement with the contractor that makes the contractor responsible for the actions of its employees. But in cases where particularly sensitive information is involved, each employee of the business who will have access to the information may be required to sign a separate nondisclosure agreement. Or, the business could be asked to provide copies of the signed statements it keeps on file for its employees.

If a vendor will have possession of the data (as in the case of computer outsourcing), the vendor should sign an agreement requiring that the data be returned in a usable form upon termination of the agreement.

· Electronic Data Interchange

Electronic disclosure of health information should be limited to the minimum amount of data needed by the authorized agency. Reasonable steps should be taken to ensure proper data transmittal to the authorized agency, and that the agency has proper access and use of the information. Because the data will be transmitted over public telephone lines, encryption of the data should be considered. There should be a written agreement between the transmitting and receiving agencies that outlines the specific authorization, access, and use of the data transmitted.

· Recycling

Make certain that the organization's recycling programs provide for secure disposal of all patient-identifiable information. Such storage media as disks and tapes should be properly erased and overwritten before they are disposed, and hard drives should be erased or destroyed before they are discarded or sold outside the organization.

In summary, there is no absolute right policy. Each institution needs to evaluate its information resources and threats, and determine its own course.

Access Control Systems

Many of the access control systems that are in use today limit the risk of information access, and streamline the presentation of information to the user. Imagine if an employee's sign-on screen listed every system and function available at the facility where he or she works today. In most cases, the menu or windows would be filled with system names and icons that not everyone would need to use. A major part of any information security strategy is to address the job of matching users with the unique set of information tools that they require. First, the user must be identified or authenticated, then the system has to know what information that particular user needs to access.

Whatever the method of authentication employed, it is critical to secure identifying information that is stored and transmitted in the information system. Policies should be in place that prohibit displaying or sharing passwords or tokens. Encryption of the identifying data during transmission and storage should be required. Limited and secure access to authentication files should be the standard. Kerberos, a system for authentication of users, clients, and servers, is the basis of strong authentication in the Distributed Computing Environment promoted by the Open Software Foundation. Kerberos creates a key distribution center that limits the number of required private keys.

Many healthcare organizations today are plagued with the problem of prompt assignment and cancellation of user access. New employees who have just been hired need access to computer systems almost immediately, but it frequently takes days to assign privileges, distribute passwords or tokens, conduct orientation, etc., and such delays often lead to passwords being shared. Some possible ways of addressing these delays might include streamlining the authorization and communication process, or issuing short-term general access to managers so that they can assign it to new staff until permanent privileges can be assigned. Upon termination of employment, a notification should occur that results in a cancellation of access on the last day of employment. An organization should have a process in place for immediate termination of access in cases of disciplinary suspension or termination, with particular care paid to employees who had system administrator privileges.

One of the biggest challenges facing information security today comes with the pursuit of single log-on access, where a user needs only one authentication step to have access to all systems that the user desires, regardless of whether that is an internal or external system. The proliferation of distributed systems has increased this challenge.

Once the user has been authenticated, the next security step is to present the appropriate set of information resources--not too many, and not too few. Most institutions use an access matrix like the one that is attached to this written statement. Internal information may include the master patient index, appointment schedules, and other widely used resources that do not contain confidential data. Confidential information would be patient identifiable medical and financial information, and registered confidential would be specially protected information or information about a specially protected class of patients, like employees.

A second layer of access control decisions concerns what functions the user has authority to perform. "Read access" allows the user to view the information, but not alter it. "Write access" allows users to add to, modify, or delete data. Some users may be given the authority to execute or run programs, or to delete system resources, like files or programs. "Access control" creates a bridge between policy and the technical functions of the computer system. Education is the bridge between policy and the use of the systems.

Education and Training Programs

"Comprehensive" and "ongoing" are the key words associated with an information security training program. A training program should have the goals of raising the awareness of the participants regarding security issues, improving information security practices, and protecting confidentiality. Everyone who has access to information about the patients must be trained, including:

While a training program must be designed to reach each of these categories on a regular basis, the approach to each category may differ. Training can be delivered through general orientation, staff meetings, written materials, on-screen instruction, videos, and computer-assisted training material. The program can also include more interactive forms of training that increase individual awareness through the use of discussion groups, role playing, and participants' involvement in identifying information security risks in their work areas so that their understanding and investment in the subject is enhanced.

An organization should establish at least three types of information security training: general orientation, application specific, and position specific training. They should be addressed to everyone with access to patient information to ensure that they all understand their responsibilities. Everyone with potential access to confidential information should be oriented to general security policies and their responsibilities. This orientation may include such topics as:

Individuals who are given access to information resources should be instructed in the security features of the existing systems, as well as any new applications that are brought on-line. These security features would include sign-on, passwords, logoff, and any additional features. Individuals should also be trained on how to appropriately handle paper-based medical records, and the printing of electronic patient data. They should be involved in discussions on their specific roles in disclosing information from either paper-based or electronic patient records.

Finally, every department manager has a responsibility to orient new employees to the specific information access and security requirements of their jobs, and to be certain the employees have demonstrated competence in ensuring the confidentiality and security of patient information.

Ongoing Monitors

Because of the shifting dynamics of health information management today, information security must be addressed in an ongoing manner. The type and amount of information stored may change. Equipment used to store and retrieve information may be updated. So, ongoing monitors should be provided to evaluate the effectiveness of each program component as part of an effective information security program. Security policies should be reviewed at least annually, and revised as necessary. Evaluation of educational sessions should be built into each presentation, and relevant feedback incorporated into future programs. One of the most common, ongoing monitoring activities is the performance of routine system access audits.

Audit Logs

An audit log is a record of actions that users perform on data. These actions may be additions or changes to data, deletions of data, or "read only" views of the data. Audit or transaction logs can help maintain data security in a number of ways:

An audit log should contain the following data elements:

The audit log should be capable of performing the following data management functions:

The following are suggestions of items that an audit log report could include:

Audit logs can be used to retrospectively monitor and document user activity. But a record of all transactions can create a huge volume of data in a very short period of time. Retention policies should be established for audit information, taking into consideration how the log will be used in any corrective action. Making sense out of this data and using them to find weaknesses in the security system will continue to challenge organizations as they expand their patient information systems as well as the networks used to access these systems.
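The access matrix described under Access Control Systems (internal, confidential and registered confidential data; read, write, execute and delete functions) and the audit log described in this section can be shown together in code. The following Python is an added illustration, not part of the AHIMA statement or its attached matrix; the roles, their matrix rows, the user and patient identifiers, and the audit data elements are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class DataClass(Enum):
    INTERNAL = "internal"                                 # master patient index, schedules
    CONFIDENTIAL = "confidential"                         # patient-identifiable medical/financial data
    REGISTERED_CONFIDENTIAL = "registered confidential"   # specially protected patients, e.g. employees


# Constructed access matrix: role -> data class -> permitted functions.
# Anything not listed is denied, so a new role or a new data class gets
# no access until someone deliberately adds a row for it.
ACCESS_MATRIX = {
    "registration clerk": {
        DataClass.INTERNAL: {"read", "write"},
    },
    "nurse": {
        DataClass.INTERNAL: {"read"},
        DataClass.CONFIDENTIAL: {"read", "write"},
    },
    "system administrator": {
        DataClass.INTERNAL: {"read", "write", "execute", "delete"},
        DataClass.CONFIDENTIAL: {"read", "execute"},
        DataClass.REGISTERED_CONFIDENTIAL: {"read"},
    },
}


@dataclass
class AuditEntry:
    """One audit log record: who did what, to whose data, and whether it was allowed."""
    timestamp: datetime
    user_id: str
    role: str
    patient_id: str
    data_class: str
    action: str
    permitted: bool


class AccessController:
    def __init__(self, matrix):
        self.matrix = matrix
        self.audit_log = []

    def check(self, user_id, role, patient_id, data_class, action, now=None):
        """Decide one request against the matrix and log it, whether allowed or denied."""
        allowed = action in self.matrix.get(role, {}).get(data_class, set())
        self.audit_log.append(AuditEntry(
            timestamp=now or datetime.now(timezone.utc),
            user_id=user_id, role=role, patient_id=patient_id,
            data_class=data_class.value, action=action, permitted=allowed))
        return allowed


def who_touched(log, patient_id):
    """Retrospective question a medical record department receives: who accessed this record?"""
    return sorted({e.user_id for e in log if e.patient_id == patient_id and e.permitted})


def denial_counts(log):
    """Denied attempts per user; repeated denials are a lead for the security manager."""
    counts = {}
    for e in log:
        if not e.permitted:
            counts[e.user_id] = counts.get(e.user_id, 0) + 1
    return counts


def prune(log, cutoff):
    """Apply a retention cutoff: keep only entries at or after the cutoff time."""
    return [e for e in log if e.timestamp >= cutoff]


def demo():
    """Constructed sample activity on the date of the testimony."""
    ac = AccessController(ACCESS_MATRIX)
    t0 = datetime(1997, 8, 5, 9, 0, tzinfo=timezone.utc)
    ac.check("u100", "nurse", "P-001", DataClass.CONFIDENTIAL, "read", t0)             # allowed
    ac.check("u100", "nurse", "P-001", DataClass.CONFIDENTIAL, "write", t0)            # allowed
    ac.check("u100", "nurse", "E-042", DataClass.REGISTERED_CONFIDENTIAL, "read", t0)  # denied
    ac.check("u200", "registration clerk", "P-001", DataClass.INTERNAL, "delete", t0)  # denied
    ac.check("u300", "volunteer", "P-001", DataClass.INTERNAL, "read", t0)             # no row: denied
    return ac


if __name__ == "__main__":
    ac = demo()
    print("accessed P-001:", who_touched(ac.audit_log, "P-001"))
    print("denials:", denial_counts(ac.audit_log))
```

Note that denied requests are logged as well as permitted ones; the retrospective checks in this section depend on seeing both.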

Security Breaches

Information can never be completely secure, no matter the amount of planning or investment. Opportunities will always arise to improve and tighten security systems. Maintaining a plan for how to deal with breaches of security, as well as an organizational approach that promotes learning from mistakes, can ensure consistent and fair practices.

Although information security is a job for everyone, the responsibility for investigating and responding to security breaches should be delegated to one person. The information security manager is the logical choice to provide a clearinghouse for reported problems. If an employee caused the breach because he or she did not understand the security features of a system, the information security manager can recommend or offer additional training. The security manager can also perform investigations on audit logs if inappropriate access is suspected, and provide support material for disciplinary action. If an external break-in occurs, the security manager can help perform confidence testing to be certain that information remained unaltered and intact.

Disciplinary action stemming from security breaches is best handled through normal human resources procedures by employee supervisors. Standards for corrective action based on levels of violation can help ensure consistent interpretation and application of policy. The information security team should review, record, and categorize all security breaches. The aggregate data from these actions can then be used in performance improvement activities, and to support further risk assessment.

Technical Approaches to Security

Technical solutions nevertheless play a big part in securing information, and some general concepts about technology should be considered when designing an overall security program. The NRC describes five key functions of security tools:

Availability: ensuring that accurate and up-to-date information is available when needed at appropriate places.

Accountability: helping to ensure that healthcare providers are responsible for their access to and use of information, based on a legitimate need and right to know.

Perimeter Identification: knowing and controlling the boundaries of trusted access to the information system, both physically and logically.

Controlling Access: enabling access for healthcare providers only to information essential to the performance of their jobs, and limiting the real or perceived temptation to access information beyond a legitimate need.

Comprehensibility and Control: ensuring that record owners, data stewards, and patients can understand and have effective control over appropriate aspects of information privacy and access.

The types of security tools employed to meet these requirements fall into eight groups:

Emerging Issues

The healthcare industry is increasingly using e-mail to communicate between providers, and between providers and patients. Although a convenient way to facilitate communication, ordinary Internet e-mail lacks the security protections of more established communication technologies. Confidential information should not be transmitted through unencrypted e-mail, because it is vulnerable to interception and to alteration that the recipient may not be able to detect. Confidential e-mail should be encrypted using public key/private key encryption software and digitally signed, so that only the intended recipient can read it and any alteration in transit is detected. E-mail should also be purged and destroyed on a regular schedule.
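The following Go program is an added example, not code from the testimony, showing the encrypt-and-sign pattern the paragraph recommends in the form a practitioner would implement it today: a fresh per-message AES-256-GCM key protects the body, RSA-OAEP wraps that key for the recipient, and an RSA-PSS signature from the sender covers the whole envelope. The envelope layout is an assumption made for the example (a deployment would use a standard format such as S/MIME or OpenPGP), and the round-trip function flips one ciphertext bit to show that an altered message is rejected rather than silently accepted.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is the protected message; this layout is an assumption made for the example.
type Envelope struct {
	WrappedKey []byte // one-time AES-256 key, RSA-OAEP encrypted to the recipient
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM output, authentication tag included
	Signature  []byte // sender's RSA-PSS signature over the three fields above
}

// digest binds all three protected fields, so a swapped key fails the signature check.
func digest(wrapped, nonce, ct []byte) []byte {
	sum := sha256.Sum256(append(append(append([]byte{}, wrapped...), nonce...), ct...))
	return sum[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext for the recipient and signs the result as the sender.
func Seal(plaintext []byte, sender *rsa.PrivateKey, recipient *rsa.PublicKey) (*Envelope, error) {
	buf := make([]byte, 32+12) // fresh AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest(wrapped, nonce, ct), nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapped, nonce, ct, sig}, nil
}

// Open verifies the signature before touching the ciphertext, then unwraps the key and decrypts.
func Open(env *Envelope, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest(env.WrappedKey, env.Nonce, env.Ciphertext), env.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature rejected, altered in transit or not from claimed sender: %w", err)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, recipient, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("authentication tag mismatch, ciphertext altered: %w", err)
	}
	return pt, nil
}

// RoundTrip seals and opens msg with fresh key pairs, then flips one ciphertext bit to show rejection.
func RoundTrip(msg []byte) (recovered []byte, tamperRejected bool, err error) {
	sender, err1 := rsa.GenerateKey(rand.Reader, 2048)
	recipient, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		return nil, false, fmt.Errorf("key generation failed")
	}
	env, err := Seal(msg, sender, &recipient.PublicKey)
	if err != nil {
		return nil, false, err
	}
	if recovered, err = Open(env, recipient, &sender.PublicKey); err != nil {
		return nil, false, err
	}
	env.Ciphertext[0] ^= 0x01 // simulate an in-transit change to the message
	_, err = Open(env, recipient, &sender.PublicKey)
	return recovered, err != nil, nil
}

func main() {
	fmt.Println(RoundTrip([]byte("Constructed sample: lab result for patient P1001 is ready.")))
}
```

Key management, which the Internet section of this testimony identifies as the unresolved administrative issue, is exactly what this code leaves out: it generates throwaway key pairs, and a real deployment must bind each public key to a verified identity and distribute it securely before the recipient's signature check means anything.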

Intranet

An intranet is an internal network that many facilities are developing; it allows an organization to take advantage of Internet protocols and Internet-derived technologies without all of the risks of the Internet. The use of Web browsers as front-end tools decreases the need for training, and reduces technical integration issues and costs. An intranet runs on hardware, software and networks under the control of the facility. Although intranets do not pose the same challenges as an Internet connection, they do give broader access to more information faster than ever, so, like any other technical advance, their security implications need to be considered.

Web browser technology allows access to multiple databases from a single, front-end user interface. Previously, a user may have needed to log into the laboratory system and then into the radiology system separately, negotiating the security features of each system. Because browser technology eliminates the need to use separate applications to see the results, security measures that usually happen at the application level need to be dealt with at the network level or in the Web servers and gateways that front those systems; controls placed in the browser itself run on the user's machine and cannot be relied on for enforcement.

Internet

Most current Internet applications consist of general public information that has benefits outside the walls of an organization; for instance, a Web site shows what services are provided, how to schedule an appointment, or announcements of future health fairs. The industry, however, has begun to recognize the benefits of transmitting patient information for administrative and clinical use over an existing global computer network. The dilemma is how to transmit confidential information across a network designed for open access. Three categories of information security risks are associated with Internet use:

The information systems department should be responsible for establishing the connection to the Internet, and a firewall should protect that connection. A firewall filters the traffic crossing that boundary and so shields the internal networks behind it from much external threat activity, though not from threats carried in traffic it is configured to permit or from threats originating inside. A Virtual Private Network (VPN) allows users to send private messages across public networks, and it is being investigated as the solution to maintaining the privacy of individual messages on the Internet. Two security techniques required in a VPN are strong authentication and encryption.

Today's healthcare industry has seen very little application of these techniques. Although encryption software is readily available, certain administrative issues need to be resolved that concern the management of keys that allow the user to encrypt and decrypt messages. Currently, electronic commerce applications are leading the efforts to employ these technologies broadly. For the healthcare industry to fully utilize the Internet, it needs to learn the lessons from these other industries and to adopt them.

Summary

AHIMA advocates that all healthcare organizations, their consultants and vendors commit to strong information security programs. It is critical that consumers have trust in the nation's healthcare delivery system. Thank you for the opportunity to testify and I would be happy to answer any questions.