Six Research Challenges for the Security and Privacy of Health Information Technology

Health Information Technology (HIT) has the potential to improve the health of individuals of all ages, aid medical research, and reduce the costs of delivering healthcare, but its effective use and acceptance by the public and healthcare professionals depend on employing proper protections for the security and privacy of health information. While considerable progress can be made by applying current best practices for managing data, there are a number of areas specific to HIT where more research is needed to provide technology that supports better practices. At least six key areas need to be addressed by the security and privacy research community: (1) access controls and audit, (2) encryption and trusted base, (3) automated policy, (4) mobile health (mHealth), (5) identification and authentication, and (6) data segmentation and de-identification.

(1) Access Controls and Audit. Workflows at Health Care Organizations (HCOs) are complex and safety critical; this makes it difficult to achieve least privilege in assigning access to HCO personnel. HCOs react to this by allowing broad access and relying on accountability and education to control insider threats. These strategies can be augmented by auditing computer records; this is currently done largely in reaction to specific complaints. These procedures are increasingly inadequate because they do not scale to developments like broader sharing of records in Health Information Exchanges (HIEs) or to emerging threats like large-scale fraud. Research is needed to provide better automation so that large volumes of records can be examined by computer algorithms that are thorough and flexible enough to learn and infer threats quickly and feed experience from operational behavior back into preventative measures. HCOs can begin this process by learning from other areas such as the financial services sector (credit card fraud detection) and messaging (spam detection) while addressing issues specific to healthcare, such as the potentially high cost of a mistaken denial of access.
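The allow-and-audit model described above, as an added illustration that is not part of the position paper: access is never denied (a mistaken denial can harm care), every access is logged, and a review pass flags clinicians whose accesses fall outside their care relationships or lack a justification. The care-team assignments, user names and threshold are constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data: which patients each user is assigned to care for.
# Any access to a patient outside this set is an "off-team" access.
CARE_TEAM = {
    "dr_alice": {"P100", "P101"},
    "nurse_bob": {"P100", "P102"},
    "clerk_eve": set(),  # billing clerk, no direct care relationship
}

@dataclass(frozen=True)
class AccessEvent:
    user: str
    patient: str
    reason: str  # free-text justification; empty if none was given

def grant_and_log(user, patient, reason, log):
    """Allow-and-audit: always grant, but record the access for review."""
    log.append(AccessEvent(user, patient, reason))
    return True

def review_audit_log(log, off_team_threshold=2):
    """Flag users with more than `off_team_threshold` off-team accesses,
    and any user with an off-team access that carries no justification."""
    off_team = defaultdict(list)
    for ev in log:
        if ev.patient not in CARE_TEAM.get(ev.user, set()):
            off_team[ev.user].append(ev)
    findings = []
    for user, events in off_team.items():
        unjustified = [e for e in events if not e.reason.strip()]
        if len(events) > off_team_threshold or unjustified:
            findings.append({
                "user": user,
                "off_team_accesses": len(events),
                "unjustified": len(unjustified),
                "patients": sorted({e.patient for e in events}),
            })
    return sorted(findings, key=lambda f: f["user"])

def demo():
    """Constructed audit trail: one justified cross-cover access by a
    clinician, and repeated unexplained browsing by a clerk."""
    log = []
    grant_and_log("dr_alice", "P100", "scheduled visit", log)
    grant_and_log("dr_alice", "P102", "covering for nurse_bob", log)
    grant_and_log("nurse_bob", "P100", "medication round", log)
    for patient in ("P101", "P103", "P104"):
        grant_and_log("clerk_eve", patient, "", log)
    return review_audit_log(log)
```

Only the clerk is flagged: the clinician's single off-team access is justified and under the threshold, which is the kind of distinction a reviewer would otherwise have to make by hand.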

(2) Encryption and Trusted Base. HCOs are struggling with rapid changes in the systems they need to secure. Early HCO computing systems used mainframe computers that could be accessed from terminals located in a hospital facility. This trusted base was relatively easy to secure until the Internet offered remote access, but standard enterprise protections such as firewalls were accepted as being sufficiently effective. Now the situation is increasingly complicated by technology changes such as Bring Your Own Device (BYOD) arrangements in which HCO employees put sensitive data on their own cell phones and tablets, the use of cloud services in which Electronic Health Records (EHRs) are held by third parties, participation in HIE systems that move data between a changing collection of HCOs, and the deployment of patient portals, which provide a new attack surface for access to the EHR. Encryption is a powerful tool for addressing challenges to the trusted base. For instance, if the data stored on a lost laptop or maintained by a compromised cloud service is encrypted, the threat of a privacy compromise is greatly reduced. Research is needed to make such strategies efficient and convenient enough to enable their universal deployment, particularly to protect data at rest (that is, in storage). These problems and the required solutions also apply to secondary-use data for medical research or public health. Another area of concern is the rise of Advanced Persistent Threats (APTs), which entail sophisticated attacks, possibly supported by foreign governments. While these attacks do not currently target EHRs, they are creating significant levels of collateral damage to EHR systems, especially when such systems are attached to certain types of targets like government and university networks.

(3) Automated Policy. A key challenge faced by many HCOs is the need to share EHRs securely through HIEs such as those being set up by many states and regions, and the need to share them through rapidly evolving partnerships with various business associates. Current techniques are too informal and manual to provide the desired efficiency and convenience. For instance, if it is necessary to get an attorney to review each interstate data exchange, then a high level of exchange of EHR data will lead to a high level of expense (and delayed access). Enabling computers to settle policy decisions automatically can lead to reduced costs, improved care (through timely information exchange), and better support for secondary use of data. Research is needed to determine reliable ways to express policies. We also require strategies to integrate and enforce formally expressed policies in common HCO and HIE information architectures. Such advances will touch on other important areas like legal and medical ontologies and will inform the development of legal codes and consent management in the future.

(4) Mobile Health (mHealth). Mobile devices, including intelligent medical implants, cell phones that sense and process health data, and a variety of new types of sensors and actuators that can be worn on the body, are creating a changing landscape for managing health information. Data are collected everywhere, not just in an HCO facility, and are collected by just about everyone, not just HIPAA-compliant HCOs. Participants include HCOs and patients themselves together with large and small companies that specialize in health guidance, sensor hardware, information technology, communications, and other areas. This diversity, the pervasiveness of the information collection, and the rapid rate of technology and regulatory change in this area raise security and privacy concerns that range from modest risks to the privacy of activity data (like data collected by a pedometer) to safety-critical risks (like the integrity of software in an insulin pump). These changes have also blurred the distinction between areas like medical devices and the EHR, with corresponding overlaps between government regulatory agencies. Research is needed to determine threats and requirements and ‘safe rules of the road’ such as proper procedures for securing device software and the way data are handled by the intermediaries that stand between the EHR and patients using mobile health devices.

(5) Identification and Authentication. A long-standing problem in healthcare delivery is the risk of mis-identifying a patient. Mis-identifications cost lives, but procedures to reduce this risk are often cumbersome and may impede effective sharing of data between institutions. In addition to the problem of identification there is an emerging problem with authentication, that is, with proving identity. Inadequate authentication procedures are exploited by attacks like medical identity theft. Increasing use of computer-based access diminishes traditional mechanisms of authentication like face-to-face meetings between individuals who know each other personally. This problem will become worse with the deployment of HIEs, which greatly increase the pool of people for whom identification and authentication are required within a single system. While some of the problems in this area are non-technical policy concerns and many issues will be sufficiently addressed by broader Public Key Infrastructure (PKI), there is also a need for novel contributions. What is especially needed is a ‘science of identification and authentication’ in which studies that involve the full gamut of regulatory, human factor, cryptographic, computer system, and other relevant considerations are subjected to analysis so that meaningful progress can be made and measured. Current research in this area needs to be expanded and integrated with operational approaches, most of which have not improved substantially for a long period of time. There is also a need to consider the special risks and circumstances of the healthcare sector; for instance, methods that work for employees may not be practical for patients.

(6) Data Segmentation and De-Identification. It is widely recognized by both HCOs and government regulators that patients feel that some types of health data are especially sensitive. Examples include records related to mental health, drug abuse, genetics, sexually transmitted diseases, and more. When health data is shared, there is a desire to transmit this information only when it is necessary. For example, a provider who needs immunization records may not need to see mental health notes. Interest in how to perform this kind of data segmentation has intensified with the growth of HCOs and the introduction of HIEs. However, there is little understanding of exactly how this type of segmentation can deliver meaningful privacy with acceptable impact on the safety and quality of care. Vendor products that claim to segment data may mislead patients and caregivers if they are poorly designed. A technology closely related to data segmentation is de-identification, wherein records are transformed so that it is difficult to determine whether a given record is associated with a given individual. The data segmentation problem needs some of the rigor that has been applied to the de-identification problem. In particular, we require ways to measure the tradeoffs between privacy, safety, and quality. These measures should be used to determine tradeoffs for specific segmentation technologies. The de-identification problem itself also faces new challenges such as how to protect the privacy of genomic data. New techniques are emerging in this area, but new research is required to determine information flows and privacy risks and to design sufficiently efficient protective measures.
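Purpose-based segmentation of the kind described above, as an added example that is not part of the position paper. It shows two of the points the paragraph raises: an entry filed under an innocuous category can still reveal a sensitive one (a medication that implies a mental-health diagnosis), so the filter must account for what each entry reveals; and the receiver is told which categories were withheld so that a partial record is not mistaken for a complete one. The purposes, categories and record contents are constructed sample values.

```python
# Constructed policy: purpose of use -> categories that purpose may receive.
SEGMENTATION_POLICY = {
    "immunization": {"general", "immunization"},
    "primary_care": {"general", "immunization", "medication"},
    "billing":      {"general"},
    "emergency":    {"general", "immunization", "medication",
                     "mental_health", "substance_use", "genetics", "sti"},
}

# Constructed sample record: (category, categories the entry also reveals, text).
# The antidepressant is filed as a medication but discloses mental-health care.
PATIENT_RECORD = [
    ("general",       set(),             "DOB 1980-01-01; allergy: penicillin"),
    ("immunization",  set(),             "Tdap 2019-05-02"),
    ("medication",    {"mental_health"}, "sertraline 50 mg daily"),
    ("medication",    set(),             "lisinopril 10 mg daily"),
    ("mental_health", set(),             "therapy note 2021-03-11"),
    ("substance_use", set(),             "counseling referral 2020-09-14"),
]

def segment_record(record, purpose, policy=SEGMENTATION_POLICY):
    """Return (disclosed entries, sorted withheld categories) for a purpose.

    An entry is disclosed only if its own category AND every category it
    reveals are permitted; otherwise the non-permitted categories are added
    to the withheld list, which travels with the view so the recipient
    knows it is incomplete (e.g. a medication list that is missing items)."""
    allowed = policy.get(purpose)
    if allowed is None:
        raise ValueError(f"no segmentation rule for purpose {purpose!r}")
    disclosed, withheld = [], set()
    for category, reveals, text in record:
        needed = {category} | reveals
        if needed <= allowed:
            disclosed.append((category, text))
        else:
            withheld |= needed - allowed
    return disclosed, sorted(withheld)
```

For the primary-care purpose the sertraline entry is withheld even though medications are permitted, which is exactly the safety/privacy tradeoff the paragraph says needs measuring: the prescriber is warned that mental-health data was withheld, but does not see the drug itself.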

Acknowledgement. This position paper draws heavily on ideas from the Strategic Health Advanced Research Projects on Security (SHARPS) (http://sharps.org), funded by the Office of the National Coordinator for Health Information Technology in the Department of Health and Human Services. However, the opinions offered are those of the author only. This is an abstract of the following work, published as an expert report by the OECD in its report on information and communication technologies and the health sector: