Security implementation issues in Japan


ELSEVIER

International Journal of Bio-Medical Computing 43 (1996) 129-135

Security implementation issues in Japan

Koji Yamamoto*, Kiyomu Ishikawa, Makoto Miyaji, Yoshikazu Nakamura, Saburo Nishi, Tetsuaki Sasaki, Kazuo Tsuji, Ryoichi Watanabe

Abstract

A survey was conducted in 1994 among medical school hospitals in Japan to learn whether they have written rules or regulations about the use of medical information, and whether these are well matched both to securing the patient's privacy and to promoting the adequate use of the information. A questionnaire was mailed to 80 medical school hospitals in Japan and 65 of them responded. Besides the questionnaire, copies of rules were also requested for detailed investigation; 29 hospitals responded to this request. The security implementation issues in Japan are discussed using the data thus obtained.

1. Introduction

"The health information of individuals is data which is very sensitive to his/her privacy and should be treated carefully and differently from other information." This statement is impressive, seems easily understandable, and sounds convincing to the public. This, however, seems to have delayed the improvement of national laws and/or regulations for handling such information.

* Corresponding author

On the other hand, in the medical sector such information has streamed out of hospitals in several situations (e.g. to assure the insurance of a patient, or in research use), leaving the information uncontrollable by patients. Historically, few patients complained about such use of their information; a 'good' paternalism between patients and doctors has prevailed. Indeed, many doctors considered that they could use all the information about their patients freely. This situation has been changing as the term 'privacy' has gradually come to be understood as giving the patient the right to control his/her information, and the term 'informed consent' has appeared in the literature. Nevertheless, by 1993, according to our previous survey, about 39% of doctors still considered that medical records belong to them.

0020-7101/96/$15.00 © 1996 Elsevier Science Ireland Ltd. All rights reserved

Much of the information stored in hospital information systems (HIS) relates to medical affairs. Matsuoka said that a HIS only collects garbage data, useless for clinical research, which might also account for the lack of enthusiasm among physicians for establishing practical measures to secure privacy.

Under these circumstances it is of great importance to know how each hospital regards the significance of securing information and whether it makes written rules or regulations to control the information flow; this presents one aspect of the security implementation issues in Japan today.

2. A survey

Although the majority of hospitals and clinics in Japan are already computerized to some extent, written regulations are less likely to exist in the private health sector; hence the survey among medical school hospitals. A questionnaire was sent to 80 medical school hospitals in 1994 to find out whether they have written regulations about the use of medical information, and whether these are well matched both to securing the patient's privacy and to promoting the adequate use of the information. Besides the questionnaire, copies of rules were also requested for detailed investigation. Responses were obtained from 65 hospitals, and 29 hospitals sent copies of their rules.

3. A brief result

Table 1 shows an abbreviated form of the questionnaire and simple statistics of the results. Only the items used in the following discussion are listed, and all questions are re-numbered. We classify the use of medical information into 'primary' and 'secondary' according to the purpose of use. 'Primary' means that the data of a patient is used for his direct benefit, i.e. for his health care, for insurance, for financial support for him, etc., while all other usage, such as for research, education, hospital management, etc., is classified as 'secondary'. As shown in the table, about 90% of hospitals have a department to administer medical information (medical informatics).

In about 40% of hospitals medical information is managed without written rules. In about 80% of hospitals the secondary use of medical information is limited according to the user's profession and working place. However, in 6% of cases all workers in the hospital can use medical information freely for research, education and hospital management. Such loose management of medical information seems to get worse as the size of the hospital increases (Table 2). Similarly, as the hospital becomes bigger, the medical informatics department is paid less attention.

Table 1. A selection of questions and statistics (percentages as given in the original)

Q.1 Do you have a department aiming for the administration of medical information?
    Yes: 56 (87.5%)    No: 8 (12.5%)    ?: 1
    Note: 22 (39.3%) of those with a Medical Informatics Department have a full-time Head of Department.

Q.2 Does a written rule about the management of computerized medical information exist?
    (a) Yes, in the regulations of the hospital or school administration                          25 (41.7%)
    (b) Yes, as an internal rule of the department in Q.1                                          8 (13.3%)
    (c) Yes, but not treated specially; included in the statements for managing other office documents   3 (5.0%)
    (d) None                                                                                       24 (40.0%)
    (e) Other (including cases under preparation, and no data)                                      5

Q.3 Does a written rule about the management of medical information in the paper system exist?
    (a) Yes, written in the regulations of the hospital or school administration                  30 (50.8%)
    (b) Yes, written as an internal rule of the department in Q.1                                  5 (8.5%)
    (c) Yes, but not treated specially; included in the statements for managing other office documents   2 (3.4%)
    (d) None                                                                                       22 (37.3%)
    (e) Other (including cases under preparation, and no data)                                      6

Q.4 Is there any limitation on the secondary use of medical information? (multiple answers)
    (a) All employees of the hospital can use it freely, on condition that the purpose of use is limited to research, education and/or hospital management   4 (6.1%)
    (b) Besides the limitation in (a), the available data and the way of use are limited according to the user's position and working place   50 (76.9%)
    (c) Persons from outside the hospital, such as the area doctor, can use data directly            0 (0.0%)
    (d) For the clinical test of new drugs, agreement of the president of the hospital is necessary  1 (1.5%)
    (e) Other                                                                                        1 (1.5%)
    (f) No data (including a case that the data is not open to use for secondary purposes)          10 (15.4%)

Table 2. Statistics categorized by size of hospital (columns as in Table 1: Q.2 computerized rules (a)-(d); Q.3 paper rules (a)-(d); Q.1 department head full-time / part-time / none)

Number of beds    Q.2 Computerized       Q.3 Paper              Q.1 Department
                  a    b    c    d       a    b    c    d       Full  Part  None
up to 650         12   1    0    6       12   2    0    4       3     16    2
651-1000          7    6    2    8       8    3    1    11      11    11    2
1001 and over     6    1    1    10      10   0    1    7       9     6     4

To know in some detail how each hospital manages the security issues, we scrutinized the copies of the written rules gathered from 29 hospitals. In this exercise we confined our attention to the following 10 points:

(1) Is the purpose of use clearly stated?

(2) Does the procedure allow for differences between the 'primary' and the 'secondary' use?

(3) How much does the range of access to information depend on the user's profession and working site?

(4) Is there any rule clarifying where the responsibility lies for the creation, modification and deletion of data?

(5) Are there any rules about the use of data from other clinics?

(6) Are there any measures to protect patient data from leakage to those unconcerned with the delivery of care?

(7) Is there any rule for the use of information in any disclosure to the public, e.g. a presentation at a conference?

(8) Are there any penalties for violation of the rules?

(9) Is there any statement describing the patient's right of access to the medical record concerning him?

(10) Is there any statement concerning a third administrative party, such as a security council, to regulate security issues?

Table 3 shows the summary of our exercise. From this table it can be seen how the security issue is treated in the practical situation. It is also shown that a significant part of the rules concerns the closed use of information, i.e. use within each hospital.

4. Discussion

4.1. Informed consent

Informed consent has an essential significance in keeping mutual trust between a patient and medical providers such as physicians. In Japan this is sometimes done implicitly. For example, when a patient attends a clinic it is usually considered that he makes a contract with the clinic. Although in principle the patient's physician should give an explanation of everything, such as medication, the clinical tests he wants to carry out, the diagnoses he considers, etc., how to do so is not defined. The physician might say, for example, 'I want to carry out a clinical test for liver disease', and the detailed explanation of each item in the test is not given to the patient. This style of informed consent is quite common; we call it 'general' informed consent, while 'specific' informed consent is such that a detailed explanation is necessary before doing the action related to patient care. Concerning clinical tests for infectious diseases the situation is complicated. For surgical operations, it is sometimes considered that such tests are of great importance for securing the health of the medical team. In the case of HIV tests the situation is further complicated. According to the 1993 report on HIV tests, 73% of 842 hospitals did the tests. Among them, 67% performed the tests with sufficient informed consent in all cases, while in 26.8% the informed consent was insufficient. For cases of surgical operations, 5.5% of them did the test irrespective of the patient's agreement.

Table 3. Summary of the looking-up exercise

P1. Purpose of use
In all rules of the 26 hospitals, sentences exist describing the purpose of use. Many of them are about medical care, education, research and administrative use.

P2. Difference between the primary and the secondary use
A difference exists in one of the 26 hospitals. It concerns where the responsibility lies in borrowing medical records: for patient care, each doctor can borrow his patient's medical records, while for secondary use a chief doctor or head of department is responsible for permitting the use.

P3. Functional dependencies on the user's profession and working site
In 13 hospitals the medical information and/or the utilities of the information system are classified into several categories, and for these categories the functional dependencies on the user's profession and working site are tabulated. The categorisation of data and/or system utilities differs much among hospitals.

P4. Who is responsible for data insertion, modification and deletion
In two hospitals we found a statement like 'every user should have responsibility for the data he enters into the computer system'. But no hospital has a clear statement about the responsibility for each data insertion, modification and deletion.

P5. Rules about the use of data from other clinics
We can find two ideas. One is that all information about a patient belongs to him/her, and all doctors (and/or medical staff) of the patient can retrieve all information about him/her whenever necessary to perform the care of the patient. The other is that the permission of the chief or head of the department (or the president) which the patient attends is necessary. There is one hospital where the rules are clearly divided into the two cases of (a) retrieving the data of a patient and (b) retrieving massive data for statistical investigation.

P6. Measures to protect from leakage
In 26 hospitals there is some description of the prohibition of leakage of information. Some hospitals also describe practical methods of protection, e.g. the use of a password, a shredder, etc. Inhibition of unnecessary use of the system also appears in the rules of two hospitals. In one hospital, limitation of access to highly sensitive diagnoses of patients is also explained.

P7. Rules about the disclosure of information to the public
In three hospitals, procedures are described such that permission of the head of the department responsible for the data is necessary before it can be used for presentation at a conference or submission in a paper. One other hospital describes a need to offer a reprint of the paper to the medical informatics department.

P8. Penalties for violation of rules
Most of the penalties are written so as to terminate the use of the computer system. However, such a penalty may not be so effective since, by so doing, doctors cannot carry out daily patient care. One hospital describes the stoppage of reporting support to a department when any violation occurs by one of its members.

P9. Patient's right to access his data
No written rule exists about the patient's right of access. One hospital briefly touches on the case in which patients are also working at the hospital.

P10. Existence of a third administrative party
No description is found about this.

4.2. Secondary use of information

As previously noted, little attention is paid to the secondary use of information. When a patient is admitted to a medical school hospital, he signs a sheet, usually written in the form of a statement such as 'as this is a school hospital, there is a possibility that your case will be used for education'. It is doubtful whether the patient knows how this information is actually used. If the information is confined within a hospital, it is possible to establish feasible measures to control the information flow. If the information flow is controlled by some measures, the information may be referred to as 'safe and in a controllable state', and such a system is known to be safe. But the secondary use of information always forces the system to have many open exits, and the information flow becomes uncontrollable. Information outside these exits is referred to as 'unsafe and in an uncontrollable state'. We should add to these exits the cases of leakage through ill-use of the system. If there is a way to extract any data through an exit, then the system itself may be called unsafe. Fortunately, in many secondary uses of information there are several ways to make it difficult to know the details of individuals. If it were practically impossible to know every detail of each patient from information in the uncontrollable state, then we may call this system safe as well. Thus, the design of the gateway between the controllable and uncontrollable states may be the most important part of the design of the security system.
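The gateway described above, as an added worked example written for this page (it is not code from the paper or from any hospital system): records inside the HIS are the controllable state, the attending doctor reads them in full for primary use, and anything passing to secondary use is de-identified first. The record layout, the constructed sample patients, the assumed doctor names and the concrete de-identification policy (drop direct identifiers, coarsen age and admission date, suppress combinations shared by fewer than k patients) are all assumptions; the paper only says that secondary use should make it practically impossible to recover the details of individuals.

```python
"""Added example, not from the paper: a 'gateway' between the controllable
state (records held inside the HIS) and the uncontrollable state (data
released for secondary use).  The record layout, the sample patients and the
de-identification policy (drop direct identifiers, coarsen age and date,
suppress rare combinations) are assumptions made for this illustration.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    patient_id: str
    name: str
    birth_year: int
    sex: str
    diagnosis: str
    admitted: str        # 'YYYY-MM-DD'
    attending: str       # doctor responsible for the patient (assumed field)


# Constructed sample data; no real patients.
HIS = [
    Record("P001", "Sato Hanako", 1950, "F", "hypertension", "1994-03-02", "dr_abe"),
    Record("P002", "Suzuki Taro", 1948, "M", "hepatitis",    "1994-03-15", "dr_abe"),
    Record("P003", "Tanaka Yumi", 1953, "F", "diabetes",     "1994-03-20", "dr_goto"),
    Record("P004", "Ito Ken",     1931, "M", "pneumonia",    "1994-04-01", "dr_goto"),
    Record("P005", "Kato Mari",   1949, "F", "hypertension", "1994-03-28", "dr_abe"),
]

DIRECT_IDENTIFIERS = ("patient_id", "name")


def primary_use(records, doctor, patient_id):
    """Primary use: the attending doctor reads the full record of his patient.
    The information never leaves the controllable state."""
    for r in records:
        if r.patient_id == patient_id:
            if r.attending != doctor:
                raise PermissionError(f"{doctor} is not the attending doctor of {patient_id}")
            return r
    raise KeyError(patient_id)


def age_band(birth_year, reference_year=1996):
    """Coarsen an exact age into a ten-year band."""
    low = (reference_year - birth_year) // 10 * 10
    return f"{low}-{low + 9}"


def secondary_use_gateway(records, k=2, reference_year=1996):
    """Secondary use (research, statistics): what passes this gateway enters
    the uncontrollable state, so it must not let an individual be recovered.
    1. drop direct identifiers and release only the fields needed;
    2. coarsen age to a band and the admission date to a month;
    3. suppress any combination of the remaining quasi-identifiers that
       fewer than k patients share (k is an assumed threshold)."""
    rows = [
        {
            "age_band": age_band(r.birth_year, reference_year),
            "sex": r.sex,
            "admitted_month": r.admitted[:7],
            "diagnosis": r.diagnosis,
        }
        for r in records
    ]
    quasi = lambda row: (row["age_band"], row["sex"], row["admitted_month"])
    group_size = Counter(quasi(row) for row in rows)
    return [row for row in rows if group_size[quasi(row)] >= k]


def leaks_identifier(released_rows):
    """Check that no direct-identifier column crossed the gateway."""
    return any(field in row for row in released_rows for field in DIRECT_IDENTIFIERS)
```

With the constructed data, only the three women aged 40-49 admitted in March 1994 form a group large enough to pass with k=2; the two other patients are each unique on the coarsened fields and are suppressed, which is the point of placing the control at the gateway rather than trusting the receiving side.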

4.3. PHD system

Several projects on IC card systems are running concurrently. This system is very attractive since each individual carries his own medical records, or key information concerning them, which may create the possibility of a disconnected network among hospitals and clinics, although there is criticism concerning the out-dated media dependencies that the system inherently has.

As the data in the IC card is managed by the individual, such data may be said to be in a 'decontrolled' state. A discussion is needed about what kinds of information should be transferred from the controllable state to the decontrolled state. The principle of minimum requisite is, of course, the fundamental rule for higher security. The key to this discussion is how much information one wants to put on the card, or in other words how the card is used (which amounts to what infrastructure the society can afford). At one extreme, if the card contains only a small amount of ciphered key information for reaching the patient's data in the HIS, then the shortcoming of media dependence may be eased, because in that case the strict protection of the card need only cover data modification.
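The 'small amount of key information' extreme, as an added example written for this page (not code from the paper or from any of the IC card projects it mentions): the card carries only a random reference into the HIS index plus an authentication tag, so nothing on the card identifies the patient without the HIS, and the only property the card must preserve is that the reference has not been modified. The token format, the HMAC construction and the sample record are assumptions; the paper speaks only of 'ciphered key information'.

```python
"""Added example, not from the paper: an IC card that carries only a small
'key' to the patient's data held in the HIS, so that the card needs
protecting only against modification.  The token format (random reference
plus an HMAC tag under a key known only to the HIS) and the sample record are
assumptions made for this illustration.
"""
import hashlib
import hmac
import secrets

REF_LEN = 16     # random reference stored on the card
TAG_LEN = 32     # HMAC-SHA256 tag over the reference


class HisCardService:
    """HIS side: owns the secret key and the reference -> record index.
    The clinical data itself stays in the HIS (the controllable state)."""

    def __init__(self, key=None):
        self.key = key if key is not None else secrets.token_bytes(32)
        self.index = {}    # reference bytes -> patient record

    def _tag(self, ref):
        return hmac.new(self.key, ref, hashlib.sha256).digest()

    def issue_card(self, record):
        """Write a card: 16 random bytes as a reference, a 32-byte tag over it."""
        ref = secrets.token_bytes(REF_LEN)
        self.index[ref] = record
        return ref + self._tag(ref)

    def read_card(self, card):
        """Accept a card only if its reference is unmodified, then look it up."""
        if len(card) != REF_LEN + TAG_LEN:
            raise ValueError("malformed card")
        ref, tag = card[:REF_LEN], card[REF_LEN:]
        if not hmac.compare_digest(tag, self._tag(ref)):
            raise ValueError("card modified or forged")
        return self.index.get(ref)


def flip_bit(card, byte_index=0):
    """Simulate a modification of the card content (worn or tampered media)."""
    b = bytearray(card)
    b[byte_index] ^= 0x01
    return bytes(b)


def card_exposes(card, *fragments):
    """True if any clear-text fragment of the record appears on the card."""
    return any(f in card for f in fragments)
```

Flipping any bit of the reference or of the tag makes the HIS reject the card, and a card issued by one HIS is rejected by another that holds a different key; the card itself reveals nothing about the patient, which is what lets the strict protection be confined to modification.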

4.4. Security levels

As is readily known, the security problem has many aspects. For example, the same item has different security and importance for different individuals, depending on where that item is used. To make the discussion simpler, it is necessary to introduce some variable models pertinent to all cases.

In the previous discussion we introduced three states, 'controllable', 'uncontrollable' and 'decontrolled', and stated that the system is safe if and only if it is practically impossible to obtain information about a patient from data in the uncontrollable state. This definition may be true verbally; however, it only describes the states of the system. Since the same item has different security, we introduce security level variables. The system variables may then be described by a tuple (item, s), where s is the security level. The system might also depend on the level of security.

To keep data from tangling, the idea used in operating systems may give a hint: one can write information into the system at a higher security level but has no tool to obtain information from that level, while from a lower security level one can obtain information but has no tool to write information to that level. For information at the same security level, utilities exist to read, write, update and delete.

As is readily seen, the above data control gives a secure system in the sense that one cannot modify information beyond or below the security level to which one belongs. This simple model, however, cannot describe mutual communication between two different security levels, nor the secrecy of information from the upper level. One way to amend these defects while keeping the information flow secure is to add a function to transfer unchangeable messages. To express this principle as a model we introduce a variable r describing the responsibility level; r indicates the security level from which the message is sent. The system variable thus becomes a tuple (item, s, r). Any person with responsibility level r can put messages onto any level s, which may be expressed as (message, s, r). He can read all information for which both the security and the responsibility levels are at or below the level r. Modification of information, however, is carried out only when s = r. When the responsibility variable is missing, one can read and update information within the same security level; this is a special case expressing information confined to a department. This model can express almost all cases. For example, if a clinical laboratory technologist wants to know a patient's diagnosis, he may make a request to the patient's doctor; the message is of the form (message, doctor, technologist). The doctor receives the request and may decide to offer him the information, in the form (information, technologist, doctor).
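The level model of this section, as an added executable example written for this page (not code from the paper): stored items carry a security level s and, when present, the responsibility level r of whoever placed them; messages are unchangeable and stamped with the sender's level. The level ordering (technologist < doctor < head), the names and the content strings are assumptions. One further assumption is needed because the text leaves the read rule for messages slightly open: a message put onto level s is treated as readable at level s and above regardless of the sender's level, which is what makes the technologist/doctor exchange at the end of the section work.

```python
"""Added example, not from the paper: a small executable model of the
security-level / responsibility-level scheme of section 4.4.  The level
ordering (technologist < doctor < head), the names and one reading of the
message rule are assumptions made here.

Rules implemented:
  * stored information is a tuple (item, s) or (item, s, r): s is the
    security level it is stored at, r the level of whoever placed it;
  * first model: a subject at level L may write to levels s >= L and read
    levels s <= L; modification only at s == L;
  * with r present, reading also requires r <= L; with r missing the item is
    department-confined and readable/updatable only at s == L;
  * a message (message, s, r) is unchangeable, may be put onto any level s by
    a subject at any level r, and (assumption) is readable at level s and above.
"""
from dataclasses import dataclass
from typing import Optional

LEVELS = {"technologist": 1, "doctor": 2, "head": 3}   # assumed ordering


@dataclass
class Item:
    content: str
    s: int
    r: Optional[int] = None     # None: information confined to a department


@dataclass(frozen=True)         # frozen: a message cannot be changed once sent
class Message:
    content: str
    s: int                      # level the message is put onto
    r: int                      # responsibility level: the sender's level


class LevelSystem:
    def __init__(self):
        self.items = []
        self.messages = []

    @staticmethod
    def readable(level, item):
        if item.r is None:
            return item.s == level
        return item.s <= level and item.r <= level

    def write(self, level, content, s, department_only=False):
        """Create information at security level s, stamped with the writer's level."""
        if s < level:
            raise PermissionError("no tool to write information to a lower level")
        item = Item(content, s, None if department_only else level)
        self.items.append(item)
        return item

    def modify(self, level, item, new_content):
        if item.s != level:
            raise PermissionError("modification only when s = r")
        item.content = new_content

    def send(self, level, content, s):
        """(message, s, r): put an unchangeable message onto level s."""
        msg = Message(content, s, level)
        self.messages.append(msg)
        return msg

    def view(self, level):
        """Everything a subject at `level` can read."""
        info = [i.content for i in self.items if self.readable(level, i)]
        msgs = [m.content for m in self.messages if m.s <= level]
        return info + msgs


def worked_exchange():
    """The example at the end of section 4.4: a laboratory technologist asks
    the doctor for a diagnosis and receives it as a message."""
    system = LevelSystem()
    t, d = LEVELS["technologist"], LEVELS["doctor"]
    system.write(d, "P001 diagnosis: hepatitis", d)       # stored at doctor level
    system.send(t, "request: diagnosis of P001", d)      # (message, doctor, technologist)
    system.send(d, "info: P001 has hepatitis", t)        # (information, technologist, doctor)
    return {"technologist": system.view(t), "doctor": system.view(d), "system": system}
```

The stored diagnosis never becomes readable at the technologist level; only the doctor's deliberate, unchangeable message does, which is the mutual communication across levels that the first write-up/read-down model could not express.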