HEALTH RECORDS AND INFORMATION SECURITY

National Committee on Vital & Health Statistics

Testimony submitted to Committee Hearing on Information Security

August 1997

IDX Systems Corporation

This statement represents a contribution to the discussions being undertaken by the Committee in its formulation of recommendations to the Secretary of the Department of Health and Human Services. The intent of this document is not to represent specifications of current products of the IDX Systems Corporation. It is a position statement intended to facilitate informed discussion.

Summary

  1. Information security entails maintaining information integrity and information availability, as well as control of information accessibility.
  2. Information security involves trade-offs between appropriate accessibility and restrictions on accessibility. Computer-based records are generally more secure than paper ones. They also present different security challenges.
  3. Information security entails policies and procedures, as well as records and systems. Accessibility restrictions may be lessened if proper policies and procedures are implemented, so that information access is recorded and audited.
  4. Health services providers have the primary responsibility for the proper management of records that they hold on patients' behalf. Information systems vendors have a responsibility to provide proper tools to manage records in a secure fashion.
  5. Inappropriate, statutorily enforced, specifications for information security measures may hamper the development and deployment of computer-based patient records systems, thus denying the health care industry (and thus patients) the benefits such systems bring.

Copyright 1997 IDX Systems Corporation. All rights reserved. Further questions should be referred to: Nick Beard MD, Director, Enterprise Systems IDX Systems Corporation, Seattle, WA. Tel: 206 689 1387.

1.) Information Security

Information security entails maintaining information integrity and information availability, as well as control of information accessibility.

Information integrity refers to the maintenance of adequate protection of information from inappropriate alteration or corruption, through malfeasance (tampering with evidence, sabotage, etc.) or accident (technology failure, fire, flood, etc.). Information availability entails ensuring that information systems (systems which include people, paper, and a range of technologies) are reliably available, so that information is accessible where and when expected.

The primary purpose of retained information is important. A distinction may be drawn between information recorded for "operational" purposes and that recorded for "archival" purposes. Operationally important information is typically recorded to communicate potentially vital clinical facts to care providers, and thus ready access is crucial. Archival information does not always require such urgent access. However, these distinctions are often blurred, and information may be in both categories.

2.) Systems and Paper

Information security involves trade-offs between appropriate accessibility and restrictions on accessibility. Computer-based records are generally more secure than paper ones. They also present different security challenges.

Information security involves a trade-off between appropriate accessibility and restrictions on accessibility. This is exemplified by the common tendency to write down unmemorable computer system passwords in locations that are not secure.

Computer-based records are not intrinsically less secure than paper-based ones. In many respects, they are more secure. Recall that information security entails information integrity and availability, as well as control of accessibility. The maintenance of integrity of paper-based records is time consuming, and accomplished to varying degrees of effectiveness. Availability of paper-based records is a well-documented, chronic problem. Paper records are generally only accessible by one person at a time, and are almost never "backed up."

These limitations of paper records are substantial drivers towards implementation of computer-based records. Computer-based records are generally more secure than paper ones; however, they present different security challenges. The main new challenges that computer-based records create are: (i) that a far more complete and coded collection of information on any individual may be collated and reside in one logical site, (ii) that records may be "active," in that the computer-based record may "initiate" activities on the basis of its contents, through the use of advanced computational techniques such as expert systems, and (iii) that individuals (the hacker problem) may "browse" records, such as from a remote location, in a way which would hardly be possible with paper records. These "new" challenges arise through the risk of inappropriate exploitation of the features and the benefits computer-based records offer. Thus each such challenge is both an attraction and a risk.

3.) Policies and technologies

Security entails policies and procedures, as well as records and systems. Accessibility restrictions may be lessened if proper policies and procedures are implemented, so that information access is recorded and audited.

Institutions require comprehensive information management policies, concerning who (which individuals or types of individuals) may have access to what kind of information (such as knowledge of the existence of, or contents of, records). Computer-based systems are part of the approach to implementing such policies.

In any situation where a powerful new tool is deployed, especially in the health care industry, the responsibility for its proper use rests with the user, the health care provider. This is not to suggest that patients, information systems vendors and statutory bodies have no part to play, simply that it is in the setting of the day-to-day work of providing health care that tools and rules are implemented.

Emphasis in general should be on the provision of appropriate, reliable access to information of guaranteed integrity. Many discussions on information security focus on techniques to selectively deny access to information. Denial of information access is less commonly required. Moreover, such controls are less important if proper policies and procedures are implemented so that information access may be recorded and audited. It is noteworthy that recording access to, and use of, paper-based records is notoriously difficult.

Approaches to information management should be consistent across institutions. This helps to ensure that overall system behavior (i.e., the behavior of the whole collection of interconnected information management activities, which may include people carrying paper, policies for transmission of paper and of fax, and controls on printing, as well as the behavior of the various computer-based systems in place) is comprehensible, and as predictable as possible. This reduces the chance of unrecognized "weak spots." Most institutions have deployed information systems which combine paper-based aspects with computer-based systems from a variety of vendors. No single systems vendor is likely to be able to solve all information security problems in such environments. Moreover, technology alone is not the answer to information security.

Encryption technologies are acknowledged to be an important part of the overall technical infrastructure required to facilitate information security. New technologies that help to uniquely identify a system user continue to emerge. Examples include biometric identification techniques, such as fingerprint, voiceprint and retinal image identification. However, these must be at least (i) affordable, and (ii) reliable, and to date no such technologies have emerged as candidates for widespread adoption.

4.) Responsibilities

Health services providers have the primary responsibility for the proper management of records that they hold on patients' behalf. Information systems vendors have a responsibility to provide proper tools to manage records in a secure fashion.

Although health services providers have the primary responsibility for the proper management of records, patients have a legitimate interest in the access provisions that are associated with their records. This should not, in our view, extend to a right to specify the precise format in which records are retained unless there is a clear mechanism for recovery by the institutions affected of the additional cost burden that would result from such provision.

Information systems vendors have a responsibility to provide proper tools to manage records in a secure fashion. The role of information systems vendors and the standards to which they must build products and provide services will grow as the extent of computer-based records increases.

5.) Regulations and vendors

Inappropriate information security statutes may hamper the development and deployment of computer-based patient records systems, denying the health care industry (and thus patients) the benefits such systems bring.

The problem of appropriate security for computer-based health care information is a complex one. We recognize that there may be a temptation to argue for prompt introduction of statutes to specify security standards to be deployed rapidly.

Inappropriate, statutorily enforced, specifications for information security measures may hamper the development and deployment of computer-based patient records systems, denying the health care industry (and thus patients) the benefits such systems bring.

We would instead recommend the development of viable standards by a multidisciplinary cross-industry group, which would facilitate an organized approach to developing standards rather than having each vendor pressed to develop customized code for various clients. Vendors and their clients may then work as partners in establishing workable solutions.