Mar 9, 2004 - âoutingâ of Arthur Ashe (HIV),. Henry Hyde (adultery). ⢠celebrity medical problems (Tammy Wynette, Nicole Simpson). ⢠⦠applies mostly to ...
3/9/2004
Patient Data Privacy in Electronic Records Peter Szolovits 6.872/HST950
Protecting… ¾ What? ¾ Privacy ¾ Individual’s desire to limit disclosure of personal information
¾ Confidentiality ¾ Information sharing in a controlled manner
¾ Security ¾ Protecting information against accident, disaster, theft, alteration, sabotage, denial of service, …
¾ Against what? ¾ ¾ ¾ ¾
“Evil hackers” Malicious insiders Stupidity Information Warfare
Clinical Computing in Patient Care, September 25, 1998
Peter Szolovits
Privacy
Privacy in obscurity
¾ Right to be let alone; e.g.:
¾ Right to remain unknown
2
¾ snooping on Dan Quayle by J. Rothfeder ¾ “outing” of Arthur Ashe (HIV), Henry Hyde (adultery) ¾ celebrity medical problems (Tammy Wynette, Nicole Simpson) ¾ … applies mostly to known individuals
¾ Correlation among pervasive databases: ¾ census ¾ marketing ¾ health
Peter Szolovits
Clinical Computing in Patient Care, September 25, 1998
3
Peter Szolovits
Clinical Computing in Patient Care, September 25, 1998
Confidentiality
Legitimate Concerns
¾ Use and sharing of information by multiple users at many institutions ¾ Should be controlled by coherent policy ¾ Enforced by appropriate technology
¾ Difficulty getting insurance
4
¾ “Individual insurers may deny you coverage based on your medical history if it includes: ¾ Use of prescription drugs to treat anxiety, depression or a physical condition, including Ativan, Klonipin, Paxil, Prozac, Serzone, Zoloft, Xanax and Wellbutrin. ¾ Counseling for anxiety, depression, grief or an eating or sleep disorder. Even if you briefly sought counseling as a way to cope with the Sept. 11 terrorist attacks, you could be denied individual health insurance, according to researchers with Georgetown's Health Privacy Project.” (MSN, March 9, 2004)
¾ E.g., who may use results of your life insurance physical exam, for what purposes?
¾ Medical Information Bureau ¾ Data on all applicants for private life insurance in past 7 years Peter Szolovits
Clinical Computing in Patient Care, September 25, 1998
5
Peter Szolovits
Clinical Computing in Patient Care, September 25, 1998
6
1
3/9/2004
National Academy of Sciences Study, 1997
More Legitimate Concerns ¾ When employer pays insurance premiums, you may lose your job ¾ Self-insured companies ¾ Small employers facing “experience rated” policies
¾ Non-employment discrimination based on health ¾ Adoption ¾ Politics
Peter Szolovits
Clinical Computing in Patient Care, September 25, 1998
7
Committee Members Paul Clayton, Chair,
Peter Szolovits
Clinical Computing in Patient Care, September 25, 1998
Site Visits
U.S. Naval Research Laboratory
Institutions Visited Large, urban hospital Integrated delivery system Affiliated health care system Community Health Info Network (CHIN) ¾ State health system ¾ Insurer ¾ ¾ ¾ ¾ ¾
Thomas Rindfleisch
Sandia National Laboratories Gordon DeFriese,
Stanford University Sheila Ryan
Sheps Ctr. for Health Services Research Susan Dowell,
Univ. of Rochester, School of Nursing Bruce Sams,
Medicus Systems Corp.
Kaiser Permanente (retired)
Mary Fennell,
Peter Szolovits
Brown University
MIT
Kathleen Frawley,
Robbie Trussell
AHIMA
Presbyterian Healthcare System, Dallas
John Glaser
Elizabeth Ward
Partners Healthcare System
Washington State Dept. of Health Paul Schwartz (Special Advisor),
Richard Kemmerer
Univ. of Calif., Santa Barbara
¾ Issues Discussed ¾ Problems encountered ¾ Security and confidentiality policies ¾ Security mechanisms ¾ Effectiveness of mechanisms ¾ Education and training ¾ Disciplinary sanctions ¾ Needs to promote better security
Univ. of Arkansas School of Law
Clinical Computing in Patient Care, September 25, 1998
9
Peter Szolovits
Clinical Computing in Patient Care, September 25, 1998
Trade-offs among IT characteristics
Privacy and Security Concerns Addressed in the Report
¾ Critical to improve the quality and reduce the costs of health care. ¾ Privacy and security must be resolved if patients are to share sensitive health information with care providers. ¾ Protect patient privacy while ensuring that providers have legitimate access to information for purposes of care.
¾ Inappropriate releases of information from individual organizations ¾ authorized users leaking information ¾ unauthorized users breaking into systems to retrieve or alter information, or to render systems dysfunctional ¾ Systemic flows of information among organizations in health care and related industries
Peter Szolovits
8
Carl Landwehr
Columbia Presbyterian Medical Center Earl Boebert,
Peter Szolovits
Charge to the committee: ¾ Observe and assess technical and nontechnical mechanisms for protecting privacy and maintaining security in health care information systems. ¾ Identify other methods worthy of testing in health care settings. ¾ Outline promising areas for further research.
Clinical Computing in Patient Care, September 25, 1998
11
Peter Szolovits
Clinical Computing in Patient Care, September 25, 1998
10
12
2
3/9/2004
Health Information Held by Individual Organizations Can Be Protected
Two Approaches to Protect Privacy
¾ Technical practice: A variety of practices provide effective protection in an operational environment and can be implemented with reasonable effort. ¾ Policy and implementation: Technical mechanisms must be accompanied by organizational mechanisms for developing access and release policies, training workers, and penalizing violations of policy. ¾ Incentives: Health care organizations need proper set of incentives to address privacy and security concerns.
¾ Pre-emptive controls ¾ Lock & key ¾ “Need to know” … often need pre-specified understanding of who needs what under which circumstances -- military model ¾ Retroactive controls ¾ Community of trust ¾ Checking up, not prevention ¾ Sanctions
Peter Szolovits
Clinical Computing in Patient Care, September 25, 1998
13
Peter Szolovits
Clinical Computing in Patient Care, September 25, 1998
Credible threats: ¾ accidental disclosures by insiders ¾ abuse of record access priveleges by insiders ¾ insider access for profit or spite ¾ unauthorized physical intruder ¾ vengeful outsider who seeks to access, damage, disrupt
Clinical Computing in Patient Care, September 25, 1998
15
¾ Individual Authentication—such as login IDs and passwords to ensure accountability ¾ Access Controls—restrict access to need-to-know ¾ Audit Trails—track all accesses to clinical information ¾ Protection of remote access points ¾ Software discipline—limit ability to download, install, or copy software ¾ System assessment—evaluate vulnerabilities ¾ Physical Security & Disaster Recovery
Peter Szolovits
Clinical Computing in Patient Care, September 25, 1998
Authentication and Access
System and Software Discipline
Eliminate undesirable (horrendous) current practices, e.g., ¾ all doctors log in as “MD” ¾ nurses, receptionists use doctor’s account ¾ four-digit (or six-digit) “id+password” ¾ all data available to everyone ¾ no record of who creates, alters or destroys data ¾ poorly-controlled access from networks, remote sites
¾ Standard workstations ¾ hardware ¾ approved software ¾ Control over networking ¾ Control over software installation/dissemination ¾ viruses ¾ network downloads ¾ floppy drives ¾ Testing of security features
Peter Szolovits
14
Recommended Technical Practices for Immediate Implementation
Threat Model Must understand what you are protecting against: ¾ Nature: confidentiality, security ¾ Source: insider, outsider ¾ Means: tourist, cracker, …, NSA ¾ Information at risk ¾ Scale
Peter Szolovits
Clinical Computing in Patient Care, September 25, 1998
17
Peter Szolovits
Clinical Computing in Patient Care, September 25, 1998
16
18
3
3/9/2004
Physical Security ¾ Lock the computer room (wherever it may be!) ¾ Backups, recovery procedures ¾ protect the backup data ¾ test the recovery procedure ¾ Erase the disk when de-commissioning the computer
Clinical Computing in Patient Care, September 25, 1998
Peter Szolovits
19
Observed Security Features
Observed Security Features
Site Security Feature
A
B
C
D
E
F
Physical
Site
Terminal security
Security Feature
9
Security perimeter/network layout
9
9
Network physical security 9
Server physical security
B
9
9
C
D
E
F
9
Need to know/right to know
9
9
Access control list technology/management 9
Secure destruction of obsolete data/equip
Role-based access profiles
Authentication
Access overrides for emergencies
Token -based authentication (card plus password)
Audits 9
Audit trails & self audit
Change passwords often
Software-based audit analysis
No cleartext passwords Uniform user ID across organization 9
Incentives to reduce key sharing
9
9
9
9
9
Clinical Computing in Patient Care, September 25, 1998
Peter Szolovits
A
Access Control
21
Observed Security Features
Clinical Computing in Patient Care, September 25, 1998
Peter Szolovits
22
Observed Security Features
Site Security Feature
Site Security Feature
A
B
C
D
E
External Access Firew all
9
Dial-in protections
9
M obile access protection
9
9
n/a
n/a
n/a
C
Use antivirus technology
9
Checksum/validate software
9
n/a
Control PC software loading
9
Network software census
9
Control IP addresses
B
E
F
9
Integrated software tools
Encryption
Disaster Recovery
Crypto-based authentication
Backups, multiple storage sites
Encrypt network traffic
Data content integrity
Encrypt database contents
Operations recoverability
Digital signatures
Evaluation/Staying Technically Current
Docum ent integrity
Run anti-intrusion programs
9
Transaction non-repudiation
Vulnerability evaluation
9
Encrypt backup m edia
Stay up on CERT alerts
9
Avoid/update obsolete technologies
9
Clinical Computing in Patient Care, September 25, 1998
D
Control user software
Intruder script protection
Peter Szolovits
9
n/a n/a
A
Software Discipline
F
23
Peter Szolovits
9
9
9
9
9
9
9
9
9
9
Clinical Computing in Patient Care, September 25, 1998
24
4
3/9/2004
Recommended Organizational Practices for Immediate Implementation ¾ ¾ ¾ ¾ ¾ ¾ ¾
Policies and Governance ¾ Clearly stated policy:
Security and confidentiality policies Security and confidentiality committees Information security officers Education and training programs Sanctions Improved authorization forms Patient access to audit logs
Clinical Computing in Patient Care, September 25, 1998
Peter Szolovits
25
Peter Szolovits
Enforcement
Testing
¾ Auditing
sine qua non
¾ Periodic sampling of access logs ¾ Users’ ability to check
¾ ¾ ¾ ¾ ¾
¾ Human Resources (Personnel) ¾ ¾ ¾ ¾
¾ Governance
Responsibility Education Data access Guardianship Associating people with their actions (identification, capabilities, temporary access, termination) ¾ Enforcement ¾ Testing ¾ Transparency ¾ ¾ ¾ ¾ ¾
Emphasize importance Explicit criterion of evaluation Education and training Reprimand, …, termination
¾ Policy-making body ¾ Security officer ¾ Buy-in ¾ CIO ¾ Human Resources ¾ Entire community
¾ Education
Clinical Computing in Patient Care, September 25, 1998
26
Monitoring and awareness Review of performance Auditing “Tiger teams” Published results
for all levels of employees
¾ “Public floggings”
Peter Szolovits
Clinical Computing in Patient Care, September 25, 1998
27
Recommended Security Practices for Future Implementation
28
¾ Strong incentives to use IT, but fewer incentives to address privacy and security issues.
¾ single-session passwords, ¾ encrypted authentication sessions, ¾ token-based authentication
¾ Existing legislation is inconsistent across states; no strong federal legislation mandating protections [in 1997] ¾ Sporadic violations of privacy and security have not rallied broad public interest.
¾ Enterprise-wide authentication (single logon) ¾ Access validation—to ensure that retrieved information matches user’s access privileges ¾ Expanded audit trails
¾ Little guidance for improving privacy and security ¾ no effective standards to guide attempts to better protect health information. ¾ few means of sharing information about privacy and security violations, effective ways of protecting health information
¾ all internal accesses to information ¾ global audit trails to trace secondary distribution of data
¾ Electronic authentication of records Clinical Computing in Patient Care, September 25, 1998
Clinical Computing in Patient Care, September 25, 1998
Stronger Incentives Needed
¾ Strong authentication:
Peter Szolovits
Peter Szolovits
29
Peter Szolovits
Clinical Computing in Patient Care, September 25, 1998
30
5
3/9/2004
Recommended Elements of Industry Infrastructure for Privacy & Security
Systemic Concerns Regarding Privacy and Security
¾ Standing committee for developing and updating privacy and security standards.
¾ Many concerns regarding patient privacy stem from sharing of information among organizations in health care industry. ¾ Existing data flows are largely unregulated and often occur without patient consent or knowledge. ¾ Possible development of a universal patient identifier could exacerbate such concerns.
¾ examine security mechanisms and help establish rules governing data flows. NCVHS ¾ reports directly to Secretary of HHS
¾ Organization for gathering and sharing information about security threats, incidents, and solutions in health care. ¾ similar to the computer emergency response team (CERT) for the Internet ¾ seed funding from Congress Clinical Computing in Patient Care, September 25, 1998
Peter Szolovits
31
Typical Flows of Health Information Patient’s Employer
Clinical Laboratory
Employer’s Clinic & Wellness program
State Bureau of Vital Statistics
Encourage national debate to determine appropriate balance between patient privacy and organizational needs for information
Medical Researcher
¾ Fair information practices (e.g., federal Privacy Act of 1974) ¾ DHHS should establish program to promote consumer awareness of issues and uses of health information. ¾ Professional societies should educate members about privacy and security issues ¾ DHHS should conduct studies to determine extent to which various users need patient identifiable health information ¾ DHHS should work with the U.S. Office of Consumer Affairs to determine way to give consumers a visible, centralized point of contact re: privacy issues (such as an ombudsman).
Accrediting Organization
Life Insurance Company
Retail Pharmacy
Pharmacy Benefits Manager
32
Consulting Physician
Managed Care Organization
Health Insurance Company
Clinical Computing in Patient Care, September 25, 1998
Proposed Means of Addressing Systemic Concerns
Care Provider (physician, hospital
Patient
Peter Szolovits
Spouse’s Employer
Medical Information Bureau
Lawyer in malpractice case
long term repository, patient-identified data short term repository, patient-identified data
flow of patient-identified medical information
temporary access, patient-identified data
flow of non-identifiable medical information
long term repository, non-patient-identified data temporary access, non-patient-identified data
Peter Szolovits
Clinical Computing in Patient Care, September 25, 1998
34
Fair Information Practices (Federal Privacy Act, 1974)
Recommendation on Patient Identifiers
¾ No secret databases that include personally identified information
Any method used to identify patients or link patient records should: 1. be accompanied by a policy framework that identifies the kinds of linkages that violate patient privacy and that specifies legal sanctions. 2. facilitate identification of parties that link records. 3. allow unidirectional linking of information: it should facilitate linking of records based on information given by patient (such as an identifier), but prevent a patient’s identity from being easily deduced from records or the identifying scheme itself.
¾ Agencies must publish policies on all databases
¾ Right to see my information, with ability to correct ¾ Prevent data collected for one purpose from being used for another ¾ Agency responsible for reliability and security of data ¾ Right to sue
Peter Szolovits
Clinical Computing in Patient Care, September 25, 1998
35
Peter Szolovits
Clinical Computing in Patient Care, September 25, 1998
UHID postponed until privacy legislation
36
6
3/9/2004
Recommendation for Meeting Future Technological Needs
Meeting Future Challenges Continued attention to privacy and security issues is necessary to keep pace with the evolution of: ¾ applications of information technology in health care; ¾ nature and capabilities of the threats to electronic health information; ¾ technical and nontechnical mechanisms for providing privacy and security
Clinical Computing in Patient Care, September 25, 1998
Peter Szolovits
37
Future Security Technologies of Particular Interest to Health Care
Peter Szolovits
Clinical Computing in Patient Care, September 25, 1998
38
Closing thoughts
¾ Methods of identifying and linking patient records that protect patient privacy. ¾ Technologies for enabling patients to receive health care anonymously: pseudonyms, cryptographically generated aliases, narrative templates, smart cards. ¾ Audit tools that allow more frequent examination of audit logs to detect inappropriate accesses to information. ¾ Tools for rights enforcement and management to control secondary distribution of data Clinical Computing in Patient Care, September 25, 1998
Peter Szolovits
¾ establish formal liaisons with industry and government security working groups. ¾ support research in areas of particular importance to health care, but that might not be otherwise pursued. ¾ fund experimental testbeds to explore different means of controlling access in an operational environment.
39
¾ Plan and design security and confidentiality, don’t just tack it on ¾ Leverage: ¾ ¾ ¾ ¾
Technology Policy Standards and Cooperation Legislation
¾ Remember “Spy vs. Spy”
Peter Szolovits
Clinical Computing in Patient Care, September 25, 1998
40
Why? HIPAA Regulations on Individually Identifiable Health Information
¾ Part of Administrative Simplification section of HIPAA (Health Insurance Portability and Accountability Act of 1996 --Kennedy/Kassebaum Bill) ¾ 1/5 of Americans believe personal health information (PHI) has been used inappropriately ¾ PHI use necessary for improved quality, reduced cost ¾ existing protections fragmented
Based on 45 CFR parts 160 & 164 Federal Register Vol. 65, No. 250, Pp. 82462-82829, Dec. 28, 2000 http://aspe.hhs.gov/admnsimp/final/PvcPre01.htm
Peter SzolovitsPeter Szolovits
Clinical Computing in Patient Care, September 25, 1998
41
Peter Szolovits
Clinical Computing in Patient Care, September 25, 1998
42
7
3/9/2004
History of Privacy Provisions
Other “simplification” issues
¾ Congress gave itself until Aug 21, 1999 to enact legislation -- it did not do so ¾ Backup was that Secretary of HHS was to promulgate rules by Feb 21, 2000 -- this was extended because of 70,000 comments ¾ Rule promulgated Dec. 2000 ¾ Bush administration has put it on “hold”, mainly because of cost complaints ¾ Sec. Thompson agreed to issue the rule, Apr. 2001 ¾ Congress may legislate later, based on experience ¾ Rules are now in force, mostly ¾ work in progress
¾ Standards for electronic health care transactions, including detailed data elements
Clinical Computing in Patient Care, September 25, 1998
Peter Szolovits
¾ unique health identifiers ¾ providers ¾ patients
¾ ¾ ¾ ¾
code sets security standards electronic signatures transfer of information among health plans
¾ Target date: Feb 21, 1998
43
Peter Szolovits
Clinical Computing in Patient Care, September 25, 1998
Sanctions
Principles
¾ Civil penalties for violations of standards: $100/person/violation, max $25,000/violation/year ¾ Knowing violations of health identifier or deliberate disclosure:
¾ Allow smooth flow of PHI for treatment, payment, related operations, public interest ¾ Prohibit flow of PHI for other purposes, without consent of subject ¾ Fair information practices
¾ $50,000 + 1 year jail ¾ $100,000 + 5 years jail if “under false pretenses” ¾ $250,000 + 10 years jail if “with intent to sell, transfer or use … for commercial advantage, personal gain, or malicious harm”
44
¾ Allow subject to access PHI (later, excludes psych notes) ¾ Allow subject to have records amended for errors or incompleteness ¾ Allow subject to know who else uses PHI
¾ Require persons who hold PHI to safeguard it ¾ accountable for own use and disclosure ¾ legal recourse
¾ Minimal Necessary Use and Disclosure ¾ Few limits on use for treatment, more for other functions Peter Szolovits
Clinical Computing in Patient Care, September 25, 1998
45
Limitations of HIPAA
Peter Szolovits
Clinical Computing in Patient Care, September 25, 1998
46
Consent (before HIPAA) ¾ Most patients believe their private medical data may not be divulged without specific consent ¾ But, consent may effectively be forced ¾ But, many exemptions exist:
¾ Responsibilities cannot follow data; therefore ¾ Recommendation applies to
Covered Entities
¾ Health Plans ¾ Health Care Clearinghouses ¾ Providers who transmit PHI electronically
¾ Does not apply to others who hold/process data ¾ contractors, third-party administrators, researchers, public health officials, life insurance issuers, employers, marketing firms, ...
¾ … but: Covered Entities required to contract with business associates to pass on responsibilities, along with identified health data used “in behalf of” a covered entity
¾ For treatment and related purposes (e.g, utilization review) ¾ For obtaining payment ¾ Emergency care, health depts., law enforcement, coroners, business operations, oversight, research, …
¾ Does not apply to paper records ¾ … but: if the information was ever in electronic form, responsibility is “sticky”
¾ No private right of action Peter Szolovits
Changed, applies to all PHI
Clinical Computing in Patient Care, September 25, 1998
47
Peter Szolovits
Clinical Computing in Patient Care, September 25, 1998
48
8
3/9/2004
When is a nod a nod?
Uses of data by Covered Entities
¾ Agreement: informal, perhaps implied, e.g., to let a consultant see clinical notes, let hospital include patient in a directory ¾ Consent: written, but often generic, e.g., on admission to hospital. This covers most “health care operations” ¾ Authorization: written, specific to the case. For psychiatric notes and all data uses other than health care operations. E.g., research. ¾ Patient may negotiate Restrictions on disclosure, e.g., to particular staff, family members, etc.
¾ For treatment, payment, health care operations without patient authorization changed ¾ For public health, research, health oversight, law enforcement, use by coroners, mandatory State reporting, search warrants without patient authorization ¾ Must allow access to the subject of the records ¾ Must get individual consent for any other uses
Clinical Computing in Patient Care, September 25, 1998
Peter Szolovits
Rejected in comment period 49
Health Care Operations ¾ ¾ ¾ ¾ ¾ ¾ ¾ ¾
Clinical Computing in Patient Care, September 25, 1998
Clinical Computing in Patient Care, September 25, 1998
Peter Szolovits
50
NOT Health Care Operations
Treatment Payment Quality assessment and improvement activities Review competence of professionals, organizations; conduct training; accreditation Insurance rating concerning existing coverage Auditing Legal proceedings Added: Business planning and development, management, general administration, fundraising, “internal marketing”
Peter Szolovits
Substitute regulatory protections for pro forma authorizations often used today.
¾ ¾ ¾ ¾ ¾ ¾ ¾
51
Marketing Sale, rent or barter of information Use in parts of organization not health-related Rate setting prior to subject’s enrollment Employment determinations Fund raising These uses Research “to obtain generalizable require explicit knowledge” authorization
Clinical Computing in Patient Care, September 25, 1998
Peter Szolovits
52
Sweeney’s “All the Data on All the People”
Identifiable ¾ Name, address, phone number, fax number, email address, URL, IP address, social security number, medical record n., health plan n., account n., certificate/license n., vehicle id, device id, biometric id, full-face photo,
¾ Global disk storage per person:
¾ “any other unique identifying number, characteristic, or code” ¾ “actual knowledge that the information could be used … to identify”
1983
1996
2000
0.02
28
472
¾ Date of birth, zip code, gender, race, profession, etc. ¾ 9-digit zip code + dob make 97% of Cambridge, MA residents uniquely identifiable (!!!!)
(MB/person)
¾ Patterns of doctor visits, immunizations, etc. ¾ identifiable by inference ¾ depends on knowledge and abilities of data user
¾ Small bin sizes lead to identifiability ¾ Aggregate data into larger bins ¾ dob => age ¾ 3 digits of zip codeClinical Computing in Patient Care, September 25, Peter Szolovits
1998
53
Peter Szolovits
Clinical Computing in Patient Care, September 25, 1998
54
9
3/9/2004
Sweeney’s Cambridge
Problem of “other information”
¾ 1997 Cambridge, MA voting list on 54,805 voters
¾ Governor Weld’s data found in Mass “de-identified dataset” ¾ Dates you visited a health care provider (over a lifetime) are probably unique ¾ Can be used to re-identify you if someone has both deidentified data and other data that link to identifiers
¾ Name, address, ZIP, birth date, gender, …
¾ Combinations that uniquely identify: ¾ ¾ ¾ ¾
Birth date (mm/dd/yy) BD + gender BD + 5-digit ZIP BD + 9-digit ZIP
12% 29% 69% 97%
¾ Unique individuals ¾ Kid in a retirement community ¾ Black woman resident in Provincetown
Peter Szolovits
Clinical Computing in Patient Care, September 25, 1998
55
Danger of Re-identification
Peter Szolovits
Clinical Computing in Patient Care, September 25, 1998
57
56
Peter Szolovits
Clinical Computing in Patient Care, September 25, 1998
58
Methods of Generalization/Suppression
¾ Make sure data cannot be traced back to a set of size