strengthening privacy and confidentiality protection … · strengthening privacy and...
TRANSCRIPT
-
STRENGTHENING PRIVACY AND CONFIDENTIALITY PROTECTIONFOR ELECTRONIC HEALTH RECORDS
Michael CzapskiSeeBeyond Pty. Ltd
Robert SteeleUniversity of Technology, Sydney
ABSTRACTInappropriate disclosure and use of personal healthinformation could have severe adverse consequences forthe individual to whom it pertains, but non-disclosurecould adversely affect other individuals or the society. InAustralia efforts are under way to develop legislation thatwill address the protection of confidential healthinformation. Development of large-scale healthinformation repositories, intended to facilitate access tohealth information to many more parties than waspreviously possible, makes the Issue of consentenforcement and access control more urgent than ever.Literature suggests that the majority of security threatsarise out of insider activities. It is proposed to develop aconfidentiality protection framework that will ensurepersonal, identifiable health information is only disclosedby consent or under circumstances prescribed by law, andthat all access to that information is audited. Theframework, based on encryption of health information atthe time of collection, and decryption at the time ofauthorised use, provides a number of advantages over thetraditional, enterprise-centric protection model.
KEYWORDSElectronic health records, security, privacy, encryption
1. Introduction
Although not without controversy [I. 2], privacy isconsidered an important civil right [3, 4] and personalinformation warrants protection through legislation [5]..As personal health information is considered the mostsensitive kind of personal information [6], its protectionis very important. particularly in the context of theemerging Electronic Health Records systems (EHRs).
EHRs have the potential for privacy andconfidentiality breaches of a previously unseen severity.To gain the benefits of EHRs while minimising the risksrequires both legislative and technological safeguards.
Current protection measures are inadequate. Existingsystems employ standards and technologies that arebased on the traditional, enterprise-centric security modelthat is not sufficient to address the issues posed by theEHRs. These issues are of immediate relevance toAustralia-specific initiatives already under way, such asthe HealthConnecf [7] and the Health e-link [8]initiatives, both of which have been criticized for relyingon legislation without providing adequate technicalmeasures [9-12].
This paper outlines the issues arising out of theimplementation of EHRs and perceived threats toconfidentiality of health information. It further proposesa confidentiality protection framework that wouldmitigate those threats and discusses its strengths andweaknesses.
2. Ethical and Legal Context
The notion of protecting confidentiality of healthinformation is reputed to go back to 460 B.C. with theHippocratic Oath containing an explicit passage to thateffect [13].
It is expected that personal health information, sharedIII confidence with health workers, will remainconfidential [14, 15].
Inappropriate disclosure of confidential healthinformation can lead to long-term adverse psychological,social or financial consequences for the affectedindividuals. These range from embarrassment, throughdiscrimination, threat of violence or death, tounwillingness to undergo medical treatment for fear ofdisclosure [16].
Disclosure of personal health information about oneindividual may affect other individuals. For exampleadvances in genetic typing and research into hereditarydiseases, coupled with inappropriate use of geneticinformation, may affect not just the individual to whomthe information pertains but also their relatives. At thesame time, lack of critical information, for example aboutallergies or communicable diseases, at critical times, may
-
lead to adverse consequences for the individual or thesociety.
Much legislative work was undertaken in recentyears, both in Australia [6,17-21] and abroad [21, 22], toestablish legal frameworks for protection of personalhealth information. Both voluntary regulation [12] andthe legislation currently in force in Australia arefragmented, differ from state to state and are consideredinadequate [2 I, 23] The draft National Health PrivacyCode [17] is not yet a law. Its proposed provisions arealready controversial [19] with some interest groups,most notably the Australian Medical Association [24],considering it too restrictive in some areas whilst notrestrictive enough in others.
3. Related Work
There is evidence of a number of efforts to standardiseelectronic health records [25-27], ensure securetransmission of health records [28, 29], implementelectronic health record repositories [21] and implementlinkages between records from different sources [12].
The essential relationship between the electronichealth information, privacy and legal protectionframeworks is exemplified by the United States' HealthPortability Accountability Act (HIPAA) and its explicithealth information privacy protection provisions [22, 30].
In Australia, under the umbrella of the federalgovernment's HealthCol1l1ect initiative, a number ofelectronic health records trials are underway inQueensland, Tasmania and New South Wales[8, 16, 31]Electronic Health Records systems are considered by theirproponents as essential to improving healthcare [21, 3 I,32],
4. Privacy and Confidentiality Threats
Whilst storage and access to records held by theAustralian EHRs are subject to consent, and research intoimplementing consent systems has been undertaken inconjunction with these initiatives [14], issues such as, forexample, transfer of ownership of records between partiesare raising concerns [33]
Privacy risks posed by the proposed national EHRsare seen as severe [10] and the purported benefits, it issuggested, are lesser to patients than to other parties [16,23,34].
Literature suggests [35-37] that the majority ofsecurity threats arise out of insider activities. Numerousindividuals, other than the information subjects and healthworkers, can access patient information. potentiallybypassing audit and access control provisions of thesystems that hold and purport to control access to thoserecords.[9]
Significant advantages that can be derived bynumerous panics, including governments and privatesector organisations, from access to personal, identifiable
health information, make those parties seek to gainaccess, not always by lawful means.
5. Issues
Personal health information about identifiableindividuals is considerably different from otherconfidential information and must be treated differently.
Although owner-controlled information schemes wereproposed and discussed [32, 38], most information aboutindividuals is collected and stored in information systemsnot under the control of the information subject.
With some notable exceptions [39], confidentialityprovisions of information systems [37, 40-42], includingthe HealthCol111ect[7] and the Health e-link[8], are basedon the traditional, enterprise-centric model of ownershipand control [9, 43] where a single enterprise is thecollector, the owner and the custodian of a collection ofinformation. This model largely pre-determines dataquality, system security and access control thinking,design and implementation.
Some of the implied assumptions, for example thatinformation is collected within the organisation directlyfrom individuals for internal organisational use, arechallenged by the new electronic health record systems,that both call for routine transfer of patient informationbetween General Practitioners, Hospitals and otherhealthcare settings, and for implementation of large-scalerepositories, storing personal health information collectedelsewhere. Confidentiality protection challenges of thosesystems suggest that a totally new approach must bedeveloped. Security measures must be an integral part ofinformation systems and must address known andexpected security threats and exposures [9, II, 15, 37]Personal health information is typically collected as partof an encounter between the patient and the healthcareprofessional, by consent, and in confidence. With largevolumes of data now held electronically it is howeverreasonably easy to mass duplicate records withoutdetection if security and audit mechanisms are bypassed.
In addition to people involved in collecting andrecording information and those who use it in the courseof interaction with the subject, a great many otherindividuals may have access to confidential information,with, or without, explicit authorisation.
Even though the custodian enterprise may implementstandards-compliant security policies [43], ensure thatinformation is transmitted over secure channels[7, 8, 44],and do all that current best practices dictate, there still areindividuals, who have no relationship to the informationsubject. who have access to information about them.
Mass record storage systems, mandated by theHealthCol111ect and similar initiatives, intended tofacilitate access by many parties who have not previouslyhad access, further weakens the protection, assumed toexist when individuals agree to disclose their personalhealth information in confidence.
-
Whilst a number of standards and standards-basedtechnologies have been applied to various areas of theproblem domain[40-42, 44], and research has beenconducted into confidentiality infrastructure [14, 45],there is no evidence of an effort to develop acomprehensive confidentiality protection framework.
6. Proposed Confidentiality Framework
6.1 Requirements
The following requirements should be recognized:• apart from the need for health workers to access
information about an identifiable individual duringthe course of interaction with those individuals, thereis no need for that information to be viewable in ahuman-readable fOlID.
• technology measures must back up the legislativeprovisions [14, 24].
• methods exist whereby information about identifiableindividuals can be presented in a way such that it isstill useable for research and statistical purposes butthat it cannot be directly used to identify theindividual
• aggregated and de-identified information can bemade available for research and statisticalpurposes[15, 39, 45-47].
It is suggested that• access to confidential health information should only
be granted to those who have a patient-carerrelationship with the subject and in relation to thatrelationship, or those who must have access under thelaw.
• under no circumstances should confidential healthinformation be able to be viewed without consent orauthorisation, and without secure audit trail.
• only a system that implements active measures tomake it impossible to view protected information willsatisfy the requirements and assist in enforcing healthinformation privacy legislation.
6.2 Confidentiality Framework
It is proposed that a framework, based on encryptionof stored records, combined with access auditmechanisms, would prevent accidental or deliberatedisclosure and would facilitate prosecution of violators.To be practical. the framework must be built upon proven,effective technologies and must not impose excessiveoverheads.
Encrypting information at the point of capture anddecrypting it at the point of use will satisfy the primarypurpose of personal health information without exposingit to inappropriate disclosure.
The framework relies on a number of underlyingconcepts and infrastructure components described below.
Health In/ormation Classification Hierarchv allowslabelling of different parts of the record according to the
sensitivity of the information they contain, clinicaldiscipline, classes of health care workers that typicallyrequire access or the need to allow the subject toexplicitly grant or deny access. Certain parts of therecord would be labelled as 'mental health', 'sexualhealth', 'administrative' information or 'grant access tohospital care team'. Certain classifications would implyother classifications, for example mental healthinformation would be a specialisation of general clinicalinformation, allowing, for example, access granted to aspecialised classification to also grant access to itssuperclass.
Accessor Classification Hierarchy places eachpotential accessor into one or more groups that can begranted or denied access to specific parts of the recordaccording to the information classification hierarchylabels.
Consent Hierarchy allows the information subject toallow or deny access to specific parts of the recordaccording to information sensitivity, clinical discipline,event type, for example hospitalisation, or anycombination of the Health Information ClassificationHierarchy labels.
Each record would be represented as a XML InstanceDocument [49], structured according to the HealthInformation Classification Hierarchy.
Specific parts of the record would be encrypted usingtechniques of the XML Encryption Specification[ 48] suchthat parts of the most confidential nature would beencrypted individually, possibly with different keysaccording to the classification labels, less critical partswould be encrypted independently, possibly causingsuperencryption of some parts, and finally the entirerecord, with some parts not yet encrypted, would beencrypted in its entirety. This process would take place atthe point ofrecord creation and would result in creation ofan encrypted record, creation of a record entry in theglobal record index and the creation of a default consententry in the global consent store.
Each record would be identified by a globally uniqueID to facilitate, in conjunction with the hierarchy labels,location of appropriate encryption keys.
Encryption keys, accessor enrolment details, subjectconsent grants and access requests audit trail would beheld independently of the encrypted records, and wouldbe administered by one or more organisations establishedfor the purpose.
Access to information contained in encrypted recordswould involve location and retrieval of the records,request for access, verification of requestor identity,verification of access grant, creation of an audit trail,retrieval of decryption keys and finally decryption of theappropriate parts of the record for viewing.
The supporting technology infrastructure would, atminimum, include a global, possibly federated, recordindex, participant register, consent store, encryption keystore and audit trail store, each of which could, if desired,be independent, possibly administered by a differentorganisation. This infrastructure would be deployed at the
-
national level, or at minimum, at the level of a state, aregion or a province.
As it is encrypted, the health record could be storedanywhere, and replicated, and transferred, with noconcern for confidentiality.
The use of current common cryptographic algorithms,standards and technologies would satisfy the conditions ofproven technology and minimal impact.
6.3 Advantages
The framework would address all the major issuesassociated with the electronic health record systems.Encryption will eliminate the possibility of casualdisclosure and undetected data alteration. All accesswould be audited, and consent strictly enforced. Largevolume data storage management, including replication,distribution and facility management outsourcing. couldbe implemented with a view to attaining the greatestefficiency and cost-effectiveness. Subsets of recordscould be distributed on compact disk, or similar media, toreduce demand for network bandwidth and expediteaccess.
6.4 Disadvantages
Encryption of health records would introduce issuesnot previously encountered. Most notably, complexity ofapplications used to view patient information would beincreased. The application would need to contain thenecessary mechanism to decrypt the data and validate itsintegrity.
It would be impossible to update old records - newrecords would need to be created with additional orchanged information.
Separate infrastructure for research would have to beestablished and data would have to be specially preparedfor inclusion III research stores. perhaps usmgpseudonymity and anonymity techniques and methodsdescribed in [39. 45, 46] and elsewhere
7 Conclusions
The legal framework for protection of confidentialhealth information must be backed up by technologicalsolutions that would implement appropriate protectionmeasures.
Implementation of electronic health records systems,facilitating access to personal. identifiable healthinformation to many more parties than previouslypossible, makes the requirement for implementation ofadequate confidentiality protection. consent. accesscontrol and audit mechanisms an urgent issue.
The confidentiality protection framework proposed inthis paper will ensure that confidential health informationcan only be viewed by consent, with authorisation or incircumstances prescribed by law, and that a completeaudit trail is maintained.
Encrypting patient records at the point where theyenter the electronic patient records systems, transmittingand storing these records in an encrypted form, andperforming decryption only at the time and at the point ofauthorised use, will eliminate the possibility of casualdisclosure.
Separating large volume data storage from storage andmanagement of authorisation, consent and encryptionkeys will facilitate storage design that optimises cost andefficiency.
Of themselves, none of the concepts that form theframework are entirely new. The systematic assembly ofthose concepts into a comprehensive health informationconfidentiality framework is, we believe, what makes animportant contribution to the field.
There are numerous technology applications, conceptsand standards, both existing and yet to be developed,implied in the framework. An enormous amount ofresearch is, and that is yet to be, undertaken in many areasto make the health information confidentiality frameworkpractical. We trust that the research will continue to turnthis vision into reality.
References
[1] A. Mackenzie, "Politics of privacy, technologies of thepolitical and the paradoxes of individuality".http:t\\ww.lancs.ac.uk-staff'mackcnza.papers:privacy. pd f,Accessed: October 2004
[2] R. Clarke. "Introduction to Dataveillance and InformationPrivacy, and Definitions of Ten11S",http:t:www.anu.cdu.au.pcoplc:Ro£cr.Clarke .•DVilntro.hlinl.Accessed: October 2004
[3] G. J. Walters. "Privacy and security: an ethical analysis,"SIGCAS Comput. s«, vol. 31, pp. 8--23. 2001.
[4] B. Phillips, "The Newest and Oldest Human Right".http:. :www.stthomasu.ca~ahrc·phillips.htmL Accessed:
[5] "Privacy and the Public Sector - Government".http: ww\V.pri \'
-
[10] Anonymous, "AMA Warning on Single National HealthDatabase", http:.··.·www.ama.com.au/wcb.nshloc.·WEEN-5G1345N. Accessed: October 2004
Interim Research Report and DraftFederal Privacy Commissioner
[11] "HealthConnectSystems ArchitectureSubmission",http://www.privacv.gov.au 'pu bIica tions!healthcsub04. pdf,Accessed: January 2004
[12] Anonymous, "PANACEA OR PLACEBO 0 - LinkedElectronic Health Records and Improvements in HealthOutcomes," NSW Ministerial Advisory Committee on Privacyand Health Information 2000.
[13] "Hippocratic Oath Classical Version".http:. \\"ww.pb~.org.·w2.bh. nova doctors/oath classical.html,Accessed: October 2004
[14] "Electronic Consent Research - Summary of FinalReports",http:!.\vww7.health.2.0\·.au:hsdd.primcarc.it docsccofi nal.doc,Accessed: October 2004
[15] P. Armstrong, "Electronic Health Records: Privacy as anessential building block," in Electronic Health Records: Privacvas an essential building hlock. Sydney: Speach at the AFR 5thHealth Congress. 2003.
[16] R. Clarke. "Research Challenges in Emergent e-HealthTechnologies" ,http://www.anu.edu.au·people/Ro~er.Clarke/EC:·eHlthRes.html.Accessed: October 2004
[17] "Proposed National Health Privacy Code".http:\\"\\"w.hcalth.2.o\·.au pubs.pcll'codc.pdf, Accessed: August2004
[18] "Guidelines on Privacy in the Private Health Sector",htto·';www.privaev.2.0\·.au'publications/hg Ol.htm!' Accessed:August 2004
[19] "Report on public submissions in relation to draft NationalHealth Privacy Code",http://www.health.gov.au.pubs/pdfireport.pdC Accessed: August2004
[20] "Health Guidelines".http:' www.pnvacv.oov.au.hcalth.·t!uidelincsimkx.htl11l.Accessed: August 2004
[21] A. Cornwall. "ELECTRONIC HEALTH RECORDS: ANINTERNATIONAL PERSPECTIVE," Health Iss lies Journal.Health Issues Centre lnc.. La Trobe Universitv, 2002.
[22J Anonymous, "Summary of the HIPAA Privacy Rule",http: Iwww.hhs.gov.'ocr·privacysLll11marv,pdf. Accessed:
[35 J P. A. Miller. "Privacy in Cyberspace. with Prof. ArthurMiller Medical Records".Imp: cvber.la\\.harvard.edu·pri\·acv99 k,st1Il8.html. Accessed:October 2004
[23] L. Beazley, "The Draft National Health Privacy Code",http:"www.aar.com.auipubs'bio·fohfeb03.htm, Accessed:October 2004
[24] "AMA submission on draft National Health Privacy Code".http:\\"ww.amaxom.au'web.nsfdoc \\EE!\-5M46'W,Accessed: October 2004
[25] O. 1. Batt, ""The" Electronic Health Record -Standardization and Implementation".http:' \vww. 2.pe2..oT2..databasesprojcctprint.asp"ID~ 25 '),Accessed: October 2004
[26] G. Paterson, M. Shepherd, X Wang, C. Watters, and D.Zitner. "Using the XML-Based Clinical Document Architecturefor Exchange of Structured Discharge Summaries," presented atProceedings of the 35th Annual Hawaii InternationalConference on System Sciences (HICSS'02)- Volume 4, 2002.
[27] "Development of an XML Version of the HL7 Dischargeand Referral Message (GPCG Project #23) Final Report",http:·w\vw.gpeg.or2.ipublication,docs'projccts'OOI !ei peG Projcct23 OI.POF, Accessed:
[28] S. Auton, B. Blobel, K. Engel, P. Humenn, M. Kratz, M.Nolte, P. Pharow, G. Schadow, G. Seppala, V. Spiegel, M.Tucker, S. Wagner, and W. Wilson, "Health Level SevenSecurity Services Framework," HL 7 Secure TransactionsSpecial Interest Group - HL 7 Organisation 1998.
[29] B. Blobel, V. Spiegel, P. Pharow. K. Ngel, and R. Krohn,"Standard Guide for Implementing EDI (HL 7) CommunicationSecurity," Otto-von-Guericke University Magdeburg 1999.
[30J D. Baumer, J. B. Earp, and F. C. Payton, "Privacy ofmedical records: IT implications of HIPAA." SIGCAS Comput.Soc, vol. 30, pp. 40--47, 2000.
[31] "A NSW Health Strategy for the Electronic Health RecordGovernment's Action Plan for Health".
w\\·w.health.nsw.2.ov.au'il1l'ibs'chr'docul1lcnts,'chr strategv detaiIeJ.pdl~ Accessed: August 2004
[32] R. Clarke, "Human Identification in Information Systems:Management Challenges and Public Policy Issues",http:,',:\\'ww.anu.edu.au/people'Rol!cr.Clarke:DVilIumanID.html. Accessed: October 2004
[33] K. Dearne, "Prescribing a privacy cure",http:' ·wV,\\.consensus.col1l.au'ITWritersA wards!ITWarchivdlTWcntries02/15KarcnDcarne.htm. Accessed: October 2004
[34] M. Carter. "Integrated electronic health records and patientprivacy: possible benefits but real dangers".http: ww\\.mja.col11.au·public. i"ues '1"2 0 I 030 IOO':cal1er carter.hlml, Accessed: 178
[36J R. G. Smith. "Teleruedicine and crime".http: \\\\"w.aic.l!o\'.au publicClti,'ns landi u69.pdf. Accessed:
[37] T. Huston, "Security issues for implementation of e-medical records," COlli III lIll. ACAI, vol. 44, pp. 89--94, 2mJI.
http://www.privacv.gov.auhttp://www.health.gov.au.pubs/pdfireport.pdC
-
[38 J c. Gates and J. Slonim, "Owner-controlled Information."presented at Proceedings of the 2003 workshop on New securityparadigms. 2003.
[39] A. Rector. "Clinical e-Science Framework: A New MRC-Funded Interdisciplinary Project," Biomedical InformaticsTodav NEWSLETTER OF THE BRITISH J/EDICALINFORMATICS SOCIETY. 2002.
[40] M. Jurecic and H. Bunz, "Exchange of patient records-prototype implementation of a security attributes service inX.500," presented at Proceedings of the 2nd ACM Conferenceon Computer and communications security. 1994.
[41] B. Blobel. "Onconet: A Secure Infrastructure to ImproveCancer Patients' Care," European Journal or Medical Research,vol. 5, pp. 360-368, 2000.
[42] J. Halamka, P. Szolovits, and D. Rind. "A WWWImplementation of National Recommendations for ProtectingElectronic Health Information," JAm Med Intorm Assoc. vol, 4.pp.458-464, 1997.
[43] "ISO/IEC 17799:2000 Information technology - Code ofpractice for information security management." in ISO/IEC17799.2000,2000
[44] "Health Level Seven - Secure HL 7 Transactions USll1gInterne I Mail." Health Level Seven Inc. 1999.
[45] Anonymous, "CLEF - integrating information for theclinical e-Scientist", http:!\vww.clinical-escience.org/st:1I1.html,Accessed: October 2004
[46] R. Clarke, "Identification. Anonymity and Pseudonymityin Consumer Transactions: A Vital Systems Design and PublicPolicy Issue".http:·,w\\,\\·.anu.edu.auipcople,RoQer.ClarkeDV.'AnonPsPol.html, Accessed:
[47] "Health informatics - Anonymity user requirements fortrusted anonymisation facilities".http:www.centc2:'I.org.·TCMeet'doclistTCdocOOiNOO-013.pdC Accessed:
[48] T. Imamura. B. Dillaway, and E. Simon, "XML EncryptionSyntax and Processing, W3C Recommendation 10 December2002", W3C XML Encryption Working Group, World WideWeb Consortium, Available: http://www.w'.orgITIVxmlenc-corC!, Accessed: April 2005.
[49] eXtensible Markup Language (XML), World Wide WebConsortium, Available: hnp.z'www.w.I.org/Xfvll..'.
http://hnp.z'www.w.I.org/Xfvll..'.
-
Proceedings of the lASTED International ConferenceWEB TECHNOLOGIES, APPLICATIO:\TS, AND SERVICESJuly 4-6, 2005, Calgary, Alberta, Canada
STRENGTHENING PRIVACY AND CONFIDENTIALITY PROTECTIONFOR ELECTRONIC HEALTH RECORDS
Michael CzapskiSeeBeyond Pty. Ltd
Robert SteeleUniversity of Technology, Sydney
ABSTRACTInappropriate disclosure and use of personal healthinformation could have severe adverse consequences forthe individual to whom it pertains, but non-disclosurecould adversely affect other individuals or the society. InAustralia efforts are under way to develop legislation thatwill address the protection of confidential healthinformation. Development of large-scale healthinformation repositories, intended to facilitate access tohealth information to many more parties than waspreviously possible, makes the issue of consentenforcement and access control more urgent than ever.Literature suggests that the majority of security threatsarise out of insider activities. It is proposed to develop aconfidentiality protection framework that will ensurepersonal, identifiable health information is only disclosedby consent or under circumstances prescribed by law, andthat all access to that information is audited. Theframework, based on encryption of health information atthe time of collection, and decryption at the time ofauthorised use, provides a number of advantages over thetraditional, enterprise-centric protection model.
KEYWORDSElectronic health records, security, privacy, encryption
1. Introduction
Although not without controversy [I, 2], privacy isconsidered an important civil right [3, 4] and personalinformation warrants protection through legislation [5] ..As personal health information is considered the mostsensitive kind of personal information [6], its protectionis very important, particularly in the context of theemerging Electronic Health Records systems (EHRs).
EHRs have the potential for privacy andconfidentiality breaches of a previously unseen severity.To gain the benefits of EHRs while minimising the risksrequires both legislative and technological safeguards.
494-029
Current protection measures are inadequate. Existingsystems employ standards and technologies that arebased on the traditional, enterprise-centric security modelthat is not sufficient to address the issues posed by theEHRs. These issues are of immediate relevance toAustralia-specific initiatives already under way, such asthe HealthConnect [7] and the Health e-link [8]initiatives, both of which have been criticized for relyingon legislation without providing adequate technicalmeasures [9-12].
This paper outlines the issues arising out of theimplementation of EHRs and perceived threats toconfidentiality of health information. It further proposesa confidentiality protection framework that wouldmitigate those threats and discusses its strengths andweaknesses.
2. Ethical and Legal Context
The notion of protecting confidentiality of healthinformation is reputed to go back to 460 B.C. with theHippocratic Oath containing an explicit passage to thateffect [13].
It is expected that personal health information, sharedin confidence with health workers, will remainconfidential [14, 15].
Inappropriate disclosure of confidential healthinformation can lead to long-term adverse psychological,social or financial consequences for the affectedindividuals. These range from embarrassment, throughdiscrimination, threat of violence or death, tounwillingness to undergo medical treatment for fear ofdisclosure [16].
Disclosure of personal health information about oneindividual may affect other individuals. For exampleadvances in genetic typing and research into hereditarydiseases, coupled with inappropriate use of geneticinformation, may affect not just the individual to whomthe information pertains but also their relatives. At thesame time, lack of critical information, for example aboutallergies or communicable diseases, at critical times, may
35
-
lead to adverse consequences for the individual or thesociety,
Much legislative work was undertaken in recentyears, both in Australia [6,17-21] and abroad [21, 22], toestablish legal frameworks for protection of personalhealth information, Both voluntary regulation [12] andthe legislation currently in force in Australia arefragmented, differ from state to state and are consideredinadequate [21, 23). The draft National Health PrivacyCode [17] is not yet a law. Its proposed provisions arealready controversial [19] with some interest groups,most notably the Australian Medical Association [24],considering it too restrictive in some areas whilst notrestrictive enough in others.
3. Related Work
There is evidence of a number of efforts to standardiseelectronic health records [25-27], ensure securetransmission of health records [28, 29], implementelectronic health record repositories [21] and implementlinkages between records from different sources [12].
The essential relationship between the electronichealth information, privacy and legal protectionframeworks is exemplified by the United States' HealthPortability Accountability Act (HIPAA) and its explicithealth information privacy protection provisions [22, 30].
In Australia, under the umbrella of the federalgovernment's HealthConnect initiative, a number ofelectronic health records trials are underway inQueensland, Tasmania and New South Wales[8, 16,31).Electronic Health Records systems are considered by theirproponents as essential to improving health care [21, 31,32],
4. Privacy and Confidentiality Threats
Whilst storage and access to records held by theAustralian EHRs are subject to consent, and research intoimplementing consent systems has been undertaken inconjunction with these initiatives [14], issues such as, forexample, transfer of ownership of records between partiesare raising concerns [33].
Privacy risks posed by the proposed national EHRsare seen as severe [10] and the purported benefits, it issuggested, are lesser to patients than to other parties [16,23,34].
Literature suggests [35-37] that the majority ofsecurity threats arise out of insider activities. Numerousindividuals, other than the information subjects and healthworkers, can access patient information, potentiallybypassing audit and access control provisions of thesystems that hold and purport to control access to thoserecords. [9].
Significant advantages that can be derived bynumerous parties, including governments and privatesector organisations, from access to personal, identifiable
health information, make those parties seek to gainaccess. not always by lawful means.
5. Issues
Personal health information about identifiableindividuals is considerably different from otherconfidential information and must be treated differently.
Although owner-controlled information schemes wereproposed and discussed [32, 38], most information aboutindividuals is collected and stored in information systemsnot under the control of the information subject.
With some notable exceptions [39], confidentialityprovisions of information systems [37, 40-42], includingthe HealthConnect[7] and the Health e-link[8], are basedon the traditional, enterprise-centric model of ownershipand control [9, 43] where a single enterprise is thecollector, the owner and the custodian of a collection ofinformation. This model largely pre-determines dataquality, system security and access control thinking,design and implementation.
Some of the implied assumptions, for example thatinformation is collected within the organisation directlyfrom individuals for internal organisational use, arechallenged by the new electronic health record systems,that both call for routine transfer of patient informationbetween General Practitioners, Hospitals and otherhealthcare settings, and for implementation of large-scalerepositories, storing personal health information collectedelsewhere. Confidentiality protection challenges of thosesystems suggest that a totally new approach must bedeveloped. Security measures must be an integral part ofinformation systems and must address known andexpected security threats and exposures [9, II, 15,37]Personal health information is typically collected as partof an encounter between the patient and the health careprofessional, by consent, and in confidence. With largevolumes of data now held electronically it is howeverreasonably easy to mass duplicate records withoutdetection if security and audit mechanisms are bypassed.
In addition to people involved in collecting andrecording information and those who use it in the courseof interaction with the subject, a great many otherindividuals may have access to confidential information,with, or without, explicit authorisation.
Even though the custodian enterprise may implementstandards-compliant security policies [43], ensure thatinformation is transmitted over secure channels[7, 8, 44],and do all that current best practices dictate, there still areindividuals, who have no relationship to the informationsubject, who have access to information about them.
Mass record storage systems, mandated by theHealthConnect and similar initiatives, intended tofacilitate access by many parties who have not previouslyhad access, further weakens the protection, assumed toexist when individuals agree to disclose their personalhealth information in confidence.
36
-
Whilst a number of standards and standards-basedtechnologies have been applied to various areas of theproblem domain[ 40-42. 44). and research has beenconducted into confidentiality infrastructure [14, 45),there is no evidence of an effort to develop acomprehensive confidentiality protection framework.
6. Proposed Confidentiality Framework
6.1 Requirements
The following requirements should be recognized:• apart from the need for health workers to access
information about an identifiable individual duringthe course of interaction with those individuals, thereis no need for that information to be viewable in ahuman-readable form.
• technology measures must back up the legislativeprovisions [14, 24).
• methods exist whereby information about identifiableindividuals can be presented in a way such that it isstill useable for research and statistical purposes butthat it cannot be directly used to identify theindividual
• aggregated and de-identified information can bemade available for research and statisticalpurposes[15, 39, 45-47).
It is suggested that• access to confidential health information should only
be granted to those who have a patient-carerrelationship with the subject and in relation to thatrelationship, or those who must have access under thelaw.
• under no circumstances should confidential healthinformation be able to be viewed without consent orauthorisation, and without secure audit trail.
• only a system that implements active measures tomake it impossible to view protected information willsatisfy the requirements and assist in enforcing healthinformation privacy legislation.
6.2 Confidentiality Framework
It is proposed that a framework, based on encryptionof stored records, combined with access auditmechanisms, would prevent accidental or deliberatedisclosure and would facilitate prosecution of violators.To be practical, the framework must be built upon proven,effective technologies and must not impose excessiveoverheads.
Encrypting information at the point of capture anddecrypting it at the point of use will satisfy the primarypurpose of personal health information without exposingit to inappropriate disclosure.
The framework relies on a number of underlyingconcepts and infrastructure components described below.
Health In/ormation Classification Hierarchy allowslabelling of different parts of the record according to the
sensitivity of the information they contain, clinicaldiscipline, classes of health care workers that typicallyrequire access or the need to allow the subject toexplicitly grant or deny access. Certain parts of therecord would be labelled as 'mental health', 'sexualhealth', 'administrative' information or 'grant access tohospital care team' _ Certain classifications would implyother classifications, for example mental healthinformation would be a specialisation of general clinicalinformation, allowing, for example, access granted to aspecialised classification to also grant access to itssuperclass.
Accessor Classification Hierarchy places eachpotential accessor into one or more groups that can begranted or denied access to specific parts of the recordaccording to the information classification hierarchylabels.
Consent Hierarchy allows the information subject toallow or deny access to specific parts of the recordaccording to information sensitivity, clinical discipline,event type, for example hospitalisation, or anycombination of the Health Infonnation ClassificationHierarchy labels.
Each record would be represented as a XML InstanceDocument [49), structured according to the HealthInformation Classification Hierarchy.
Specific parts of the record would be encrypted usingtechniques of the XML Encryption Specification[ 48) suchthat parts of the most confidential nature would beencrypted individually, possibly with different keysaccording to the classification labels, less critical partswould be encrypted independently, possibly causingsuperencryption of some parts, and finally the entirerecord, with some parts not yet encrypted, would beencrypted in its entirety. This process would take place atthe point of record creation and would result in creation ofan encrypted record, creation of a record entry in theglobal record index and the creation of a default consententry in the global consent store.
Each record would be identified by a globally uniqueID to facilitate, in conjunction with the hierarchy labels,location of appropriate encryption keys.
Encryption keys, accessor enrolment details, subjectconsent grants and access requests audit trail would beheld independently of the encrypted records, and wouldbe administered by one or more organisations establishedfor the purpose.
Access to information contained in encrypted recordswould involve location and retrieval of the records,request for access, verification of requestor identity,verification of access grant, creation of an audit trail,retrieval of decryption keys and finally decryption of theappropriate parts of the record for viewing.
The supporting technology infrastructure would, atminimum, include a global, possibly federated, recordindex, participant register, consent store, encryption keystore and audit trail store, each of which could, if desired,be independent, possibly administered by a differentorganisation. This infrastructure would be deployed at the
37
-
national level, or at minimum, at the level of a state, aregion or a province.
As it is encrypted, the health record could be storedanywhere, and replicated, and transferred, with noconcern for confidentiality.
The use of current common cryptographic algorithms,standards and technologies would satisfy the conditions ofproven technology and minimal impact.
6.3 Advantages
The framework would address all the major issuesassociated with the electronic health record systems.Encryption will eliminate the possibility of casualdisclosure and undetected data alteration. All accesswould be audited, and consent strictly enforced. Largevolume data storage management, including replication,distribution and facility management outsourcing, couldbe implemented with a view to attaining the greatestefficiency and cost-effectiveness. Subsets of recordscould be distributed on compact disk, or similar media, toreduce demand for network bandwidth and expediteaccess.
6.4 Disadvantages
Encryption of health records would introduce issuesnot previously encountered. Most notably, complexity ofapplications used to view patient information would beincreased. The application would need to contain thenecessary mechanism to decrypt the data and validate itsintegrity.
It would be impossible to update old records - newrecords would need to be created with additional orchanged information.
Separate infrastructure for research would have to beestablished and data would have to be specially preparedfor inclusion 111 research stores, perhaps usingpseudonymity and anonymity techniques and methodsdescribed in [39, 45, 46] and elsewhere
7 Conclusions
The legal framework for protection of confidentialhealth information must be backed up by technologicalsolutions that would implement appropriate protectionmeasures.
Implementation of electronic health records systems,facilitating access to personal, identifiable healthinformation to many more parties than previouslypossible, makes the requirement for implementation ofadequate confidentiality protection, consent, accesscontrol and audit mechanisms an urgent issue.
The confidentiality protection framework proposed inthis paper will ensure that confidential health informationcan only be viewed by consent, with authorisation or incircumstances prescribed by law, and that a completeaudit trail is maintained.
Encrypting patient records at the point where theyenter the electronic patient records systems, transmittingand storing these records in an encrypted 1'01111, andperforming decryption only at the time and at the point ofauthorised use, will eliminate the possibility of casualdisclosure.
Separating large volume data storage from storage andmanagement of authorisation, consent and encryptionkeys will facilitate storage design that optimises cost andefficiency.
Of themselves, none of the concepts that form theframework are entirely new. The systematic assembly ofthose concepts into a comprehensive health informationconfidentiality framework is, we believe, what makes animportant contribution to the field.
There are numerous technology applications, conceptsand standards, both existing and yet to be developed,implied in the framework. An enormous amount ofresearch is, and that is yet to be, undertaken in many areasto make the health information confidentiality frameworkpractical. We trust that the research will continue to turnthis vision into reality.
References
[1] A. Mackenzie, "Politics of privacy, technologies of thepolitical and the paradoxes of individuality",htl p: ':'W\\,v.lancs.ac.u k!staffmac kcnzafpapcrs:'pri \·acv. pd f,Accessed: October 2004
[2] R. Clarke, "Introduction to Dataveillance and InformationPrivacy, and Definitions of Terms",http:'\\"\\w.anu.cdu.3u:'pcoplc'Rogcr.Clarkc·DV·lntro.htI111,Accessed: October 2004
[3] G. J. Walters, "Privacy and security: an ethical analysis,"SIGCAS Comput. Soc., vol. 3\, pp. 8--23,2001.
[4] B. Phillips, "The Newest and Oldest Human Right",http:: W\\w.stthol11asu.ca.:~ahrc/phillips.htl11l, Accessed:
[5] "Privacy and the Public Sector - Government",http:! www.privacv.gov.au/!!overnment..index.html. Accessed:
[6] "AUSTRALIANS ENCOURAGED TO COMMENT ONNEW HEALTH PRIVACY SAFEGUARDS",h ttp: .•/www.health.!!ov.au ..intemet/wcl11s:.Publ ish ing.ns l!C ontent .health-mediarel-vr~002-kp-kp0213-l.htl11, Accessed: October2004
[7] "HealthCol1l1ect System Architecture," HealthConnectProgram Office, Australian Government Department of Healthand Ageing 2003.
[8] "EHR*Net Refined Requirements and Architecture Report",w\\w.hcalth.nsw.!!ov.auiil11/ibsfchL·docul11cnts/rcfined reguircments architcctun:v!.1 rcport.doc, Accessed: September 2002
[9] M. Czapski. "A question of confidence, not a question oftrust. Better data confidentiality protection is necessary,"presented at HIC 2004, Brisbane, Australia, 2004.
38
http://www.privacv.gov.au/!!overnment..index.html.http:///www.health.!!ov.au
-
[10] Anonymous. "AM A Warning on Single National HealthDatabase", http:·\\w\\.ama.cllm.auiweb.n-;C'docWEEN-5GB45N. Accessed: October 2004
[II] "HealthConnectSystems ArchitectureSubmission",http://www.privacv.\!ov.au·publications/healthcsub04.pdt~Accessed: January 2004
Interim Research Report and DraftFederal Privacy Commissioner
[12] Anonymous. "PANACEA OR PLACEBO? - LinkedElectronic Health Records and Improvements in HealthOutcomes," NSW Ministerial Advisory Committee on Privacyand Health Information 2000.
[13] "Hippocratic Oath Classical Version",http://www.pbs.org/\\·gbh··novaidoctorsfoalhclassical.html.Accessed: October 2004
[14] "Electronic Consent Research - Summary of FinalReports",http://www7 .health. gov .awhsddipri mcarc/it/docs/ccofi nal.doc,Accessed: October 2004
[15] P. Armstrong, "Electronic Health Records: Privacy as anessential building block," in Electronic Health Records: Privacyas an essential building block. Sydney: Speach at the AFR 5thHealth Congress, 2003.
[16] R. Clarke, "Research Challenges in Emergent e-HealthTechnologies",http:.!/www.anu.edu.au p.:ople Ro\!er.Clarke'EC/eHlthR.:s.hlml,Accessed: October 2004
[17] "Proposed National Health Privacy Code",hltp:!/www.hcalth.!!Ov.au pub,pdrcodc.pdt~ Accessed: August2004
[18] "Guidelines on Privacy in the Private Health Sector",http://www.privacv.gov.au'publications/hg Ol.html, Accessed:August 2004
[19] "Report on public submissions in relation to draft NationalHealth Privacy Code",http:i\vww.health.\!oy.au.pubs,'pdhep0l1.pdL Accessed: August2004
[20] "Health Guidelines",http://www.privacv.!!o\.aU/health!\!uidelines/index.html.Accessed: August 2004
[21] A. Cornwall. "ELECTRONIC HEALTH RECORDS: ANINTERNATIONAL PERSPECTIVE," Health Issues 101l1'//al.Health Issues Centre Inc .. La Trobe University, 2002.
[22] Anonymous, "Summary of the HIPAA Privacy Rule".http:,\vww.hhs.!!O\·.·ocr/privacvsummarv.pdf, Accessed:
[35] P. A. Miller, "Privacy in Cyberspace, with Prof. ArthurMiller - Medical Records".http:.!/cyber.law.harvard.cdu. privacv99/lesson8.html, Accessed:October 2004
[23] L. Beazley. "The Draft National Health Privacy Code".http:·/w\\w.aar.com.au/pubs.'L1io·fohfeb03.htm, Accessed:October 2004
[24] "AMA submission on draft National Health Privacy Code",http:·.www.ama.com.auiweb.nsf.doc/\VEEN- ••M462W.Accessed: October 2004
[25] O. J. Bott, ""The" Electronic Health Record -Standardization and Implementation",http://www.!!pcg.onz/databascs.'projcctprinl.asp'lID=152,Accessed: October 2004
[26] G. Paterson, M. Shepherd, X. Wang, C. Watters, and D.Zitner, "Using the XML-Based Clinical Document Architecturefor Exchange of Structured Discharge Summaries," presented atProceedings of the 35th Annual Hawaii InternationalConference on System Sciences (HICSS'02)- Volume 4,2002.
[27] "Development of an XML Version of the HL 7 Dischargeand Referral Message (GPCG Project #23) Final Report",http://www.gpCg.org/publicationsfdocs/projccts2001/GPeG Projcct23 OJ.PDF, Accessed:
[28] S. Auton, B. Blobel, K. Engel, P. Humenn, M. Kratz, M.Nolte, P. Pharow, G. Schadow, G. Seppala, V. Spiegel, M.Tucker. S. Wagner, and W. Wilson, "Health Level SevenSecurity Services Framework," HL 7 Secure TransactionsSpecial Interest Group - HL 7 Organisation 1998.
[29] B. Blobel, V. Spiegel, P. Pharow, K. Ngel, and R. Krohn,"Standard Guide for Implementing EDI (HL 7) CommunicationSecurity," Otto-von-Guericke University Magdeburg 1999.
[30] D. Baumer, J. B. Earp, and F. C. Payton, "Privacy ofmedical records: IT implications of HIPAA," SIGCAS COIllPUI.s«; vol. 30, pp. 40--47, 2000.
[31] "A NSW Health Strategy for the Electronic Health RecordGovernment's Action Plan for Health",
www.hcalth.nsw.gov.auiimiibs/ehr/documentsichr stratcQ,v dctailed.pdC Accessed: August 2004
[32] R. Clarke, "Human Identification in Information Systems:Management Challenges and Public Policy Issues",http:.'/w\\w.anu.edu.auipeoplc'Ro!!er.ClarkeDV/1 Iuman ID. hlml, Accessed: October 2004
[33] K. Dearne, "Prescribing a privacy cure",http://www.consensus.colll.auiIT\VritersAwards/ITWarchivedTWentries02/15KarenDearne.htm, Accessed: October 2004
[34] M. Carter, "Integrated electronic health records and patientprivacy: possible benefits but real dangers",htlp).fwww.mja.colll.au/publiciisslles·l72 0 I 030 lOn/carter/carter.html. Accessed: 178
[36] R. G. Smith, "Telemedicine and crime",http: \\'ww.aic.gov.au'pllbllcations·tandili69.pdf, Accessed:
[37] T. Huston, "Security issues for implementation of e-medical records," COII/IIlUIl. ACM, vol. 44, pp. 89--94,2001.
39
http://http:.!/www.anu.edu.auhttp://hltp:!/www.hcalth.!!Ov.auhttp://www.privacv.gov.au'publications/hghttp://www.!!pcg.onz/databascs.'projcctprinl.asp'lID=152,http://www.gpCg.org/publicationsfdocs/projccts2001/GPeGhttp://www.hcalth.nsw.gov.auiimiibs/ehr/documentsichr
-
[3RJ c. Gates and J. Slonim, "Owner-controlled information."presented at Proceedings of the 2003 workshop on New securityparadigms, 2003.
[39] A. Rector, "Clinical e-Science Framework: A New MRC-Funded Interdisciplinary Project," Biomedical InformaticsTodav - NEWSLETTER OF THE BRITISH AJEDICALINFORMA TICS SOCIETY. 2002.
[40] M. Jurecic and H. Bunz, "Exchange of patient records-prototype implementation of a security attributes service inX.500," presented at Proceedings of the 2nd ACM Conferenceon Computer and communications security, 1994.
[41] B. Blobel, "Onconet: A Secure Infrastructure to ImproveCancer Patients' Care," European Journal of Medical Research,vol. 5, pp. 360-368,2000.
[42] J. Halamka, P. Szolovits, and D. Rind, "A WWWImplementation of National Recommendations for ProtectingElectronic Health Information," JAm Med Inform Assoc, vol. 4,pp. 458-464, 1997.
[43] "ISOfIEC 17799:2000 Information technology - Code ofpractice for information security management," in ISO/IEC17799.2000, 2000.
[44J "Health Level Seven - Secure HL7 Transactions uSlllglnterncl Mail." Health Level Seven Inc. 1999.
[45J Anonymous, "CLEF - integrating information for theclinical e-Scientist", http://www.clinical-cscicnce.orl!/start.html.Accessed: October 2004
[46] R. Clarke, "Identification, Anonymity and Pseudonymityin Consumer Transactions: A Vital Systems Design and PublicPolicy Issue",http:!'www.anu.edu.au/pcoplc!Ro!!:cr.Clarkc!DV! AnonPsl'ol.hlml, Accessed:
[47] "Health informatics - Anonymity user requirements fortrusted anonymisation facilities",http:/\\\'>,\·.ccntc251.omTCMect'doclistTCdocOO!NOO-o l3.pdj~ Accessed:
[48] T. Imamura, B. Dillaway, and E. Simon, "XML EncryptionSyntax and Processing, W3C Recommendation 10 December2002", W3C XML Encryption Working Group, World WideWeb Consortium. Available: http:'.\~,\w.w3.or~.'TR.!xmlcnc-corc!, Accessed: April 2005.
[49] eXtensible Markup Language (XMLj, World Wide WebConsortium, Available: http://www.w3.org/XMLI.
40
http://www.clinical-cscicnce.orl!/start.html.http://http:!'www.anu.edu.au/pcoplc!Ro!!:cr.Clarkc!DV!http://www.w3.org/XMLI.
-
[Proceeding] Web Technologies, Applications, and Services ~WTAS 2005~ Page 1 0[3
QAeTA A Scientific and Technical Publishing Cor
Horne login My Cart Reviewers Only Contact FAQ lASTED Print page
Publication Search:
IRates (USD):$110.00 (Hardcopy);$100.00 (Online);$110.00 (CD)
Individual Articles (USD):$20.00 (Online)
_Journals Web Technologies, Applications, andServices
-WTAS 2005-_ Proceedings
_ Papers
_ Subscriptions 7/4/2005 - 7/6/2005Calgary, Alberta, Canada
_ Submissions
_ Call for PapersEditor(s): M.H. Hamza
210 pages
advanced search
ISSN: N/A; ISSN (CD): N/A;ISBN: 0-88986-483-7; ISBN (CD): 0-88986-485-3
Please choose a year: 120053'Add to Shopping Cart
The lASTED Conference onWeb Technologies,Applications, and
ServicesCalgary, Alberta, Canada
July 17·19, 2006
Hardcopy >1 __ O_n_li•••n •••e...;.;.S...;.;u_b_SC•••f..;.iP•..•.ti_o •..n_ •... CD
Abstracts may contain minor errors and formatting inconsistencies.Please contact us if you have any concerns or questions.
Track - Web·Based Applications Free Subscr
494-038 An Evolvable, Composable Framework for RapidApplication Development and Dynamic Integration of Medical Image
Abstract Buy noProcessing Web ServicesT. Mitsa and P. Joshi (USA)
494-043 WebFace: A Web-based Facial Animation SystemAbstract Buy noM. AI-Marri, A. AI-Qayedi, and R. Benlamri (UAE)
494-079 Load Balancing Grid Computing MiddlewareAbstract Buy noA. Touzene, S. AI Yahyai, K. Day, and B. Arafeh (Sultanate of Oman)
494-081 Post-Deployment Specification, Analysis and Testing ofEnterprise Web Applications Abstract Buy noW. Haque, A. Kranz, and R.A. Lucas (Canada)
http://www.actapress.com/Content_ oC Proceeding.aspx?proceedingID=310 19/04/2006
http://www.actapress.com/Content_
Page 1TitlesSTRENGTHENING PRIVACY AND CONFIDENTIALITY PROTECTION 1. Introduction 2. Ethical and Legal Context
Page 2Titles3. Related Work 4. Privacy and Confidentiality Threats 5. Issues
Page 3Titles6. Proposed Confidentiality Framework
Page 4Titles7 Conclusions References
Page 5Page 6Page 7TitlesWeb Techn and CALL FOR PAPERS WEB TECHNOLOGIES, APPLICATIONS -WTAS 2005-
ImagesImage 1
Page 8ImagesImage 1Image 2
Page 9ImagesImage 1Image 2Image 3Image 4Image 5Image 6Image 7
Page 10TitlesTel: 403-288-1195 E-mail: [email protected] Back tQlhe_WTAS 2Q05 Harne Page
ImagesImage 1Image 2
Page 11TitlesSTRENGTHENING PRIVACY AND CONFIDENTIALITY PROTECTION 1. Introduction 2. Ethical and Legal Context
Page 12Page 13Titles6. Proposed Confidentiality Framework
Page 14Titles7 Conclusions References
Page 15Titles39
Page 16Titles40