National Research and Development Centre for Welfare and Health (Stakes) Centre of Excellence for ICT
New models of healthcare delivery emphasise the need for patient information to be shared among a growing number of public and private healthcare providers and across traditional organisational boundaries. In modern healthcare, information flows easily through regional and national information infrastructures. Within this structure, greater use of digitalised health information can help improve quality and reduce costs; the challenge today is to balance the new access possibilities generated by ICT against security.
Current health information networks are typically closed public or private domains. Over the next few years the present communication infrastructure needs to be expanded to accept cross-domain communication and connections from the internet.(1,2) This new infrastructure should meet security requirements set by legislation and use available international standards.
EHR systems and eArchives
An electronic health record (EHR) is a comprehensive, structured set of clinical, demographic, environmental, social and financial data and information in electronic form. Typically it is managed by one service provider; it can also be distributed or even virtual. From the information content point of view, an EHR can also be a combination of multipurpose data produced by different service providers.(3)
In real life, EHR systems and eArchives are interconnected systems. An EHR system is a system for recording, retrieving and manipulating the information. It includes a set of patient records, rules and procedures, but its main aim is to process and archive EHRs. It also has communication facilities.(3) EHRs generally need to be archived for a long time, and ensuring their integrity and non-repudiation during this time is a demanding task.
Information stored in the EHR system can be easily shared, which means that health professionals, secondary users – such as payers, researchers and government agencies – and the patient have access to it. Therefore, maintaining the security of an integrated EHR system is of paramount importance.
Modern healthcare requires shared access to patient data. Once data are transferred out of the institution that provides the patient care, there is little control over their use.(4) In this case, the key problem is both to know and to control who is trying to access a patient’s EHR and for what purpose.
During communication with other EHR systems there are many threats, including destruction, corruption and disclosure of data, modification of message traffic in transit and data theft. Communication interruption can also cause data loss. Therefore, network security is a major issue to prevent unauthorised access to data and for protection of transferred data.(3)
Security and privacy protection of EHRs
Security is a combination of availability, confidentiality, integrity and accountability. In healthcare, security and data protection requirements need to be defined and fulfilled. In most countries, the EHR environment is strongly regulated. The security framework of the EHR system is a combination of general legislation (eg, EU Data Protection Directive and national regulations), specific healthcare acts, norms and rules, standards and guidelines.
Security requirements derived from legislation
Personal health data should be accessed and used only for the purposes for which it has been collected and disclosed according to the consent of the data subject or legislation. Only those professionals participating in a patient’s care have a right to access their EHR. The following security and privacy protection principles arise from legislation:
- An acceptable reason for any data access is needed. This can be either the doctor–patient relationship or that it is defined by specific legislation.
- Data should not be made available or disclosed to any unauthorised individual or computer process.
- Only data which is necessary should be accessed.
- Data cannot be used without the patient’s consent or specific legislation allowing its use for purposes other than those for which it has been collected. For example, if data has been collected for an occupational care purpose, the patient’s consent or specific legislation is required to use this data outside the occupational care domain (eg, the EHR system should include a context- and purpose-based access control service).
- Data integrity should be proven during EHR communication and archiving.
The length of time for which an EHR should be archived is determined by national legislation. If national legislation stipulates it, the original EHR should be stored by an archiving organisation. When a patient’s consent is needed for data delivery, the EHR system should have a mechanism to ensure that only the information that matches the patient’s consent is delivered. As a minimum requirement, patients should be provided with information about how their records will be used and to whom they may be disclosed without specific consent.
Requirements for availability, integrity and confidentiality
The EHR system is responsible for making EHR information available in a correct and independently understandable form over the entire time it is archived for. This means that all EHRs planned for cross-organisational communication should be based on common semantics and terminology. The EHR should contain not only raw data but also the necessary descriptive information (eg, metadata). The EHR system should have adequate data searching mechanisms and services.
The EHR system should maintain the integrity of EHRs while archived by ensuring that data is not modified or destroyed in an unauthorised way during its use, archiving and communication. The integrity of EHRs should be proved when data is disclosed outside the service organisation.
To maintain confidentiality, the EHR system should ensure that data is not made available or disclosed to an unauthorised individual or computer process. It should also check that all necessary conditions are met before any data is accessed or disclosed. If necessary, the EHR system should encrypt EHRs in data transmission.
Methods and tools to achieve the trusted EHR communication environment
An EHR system should protect the confidentiality, integrity, availability and accountability of all EHRs, both when patient information is used inside the organisation and when there is cross-organisational data access. Therefore, an EHR system should have the necessary administrative, physical and technical infrastructure.
The privacy and security risks posed by EHRs are not only technological, but also social and political. Therefore, key administrative measures needed include security policy, contracts and education. Organisations collecting, manipulating, storing and distributing personal health information should have a written security policy. This policy describes rules relating to how EHR information should be collected, used and preserved so that confidentiality, availability and integrity are ensured. This policy also defines responsibilities inside and between organisations. It is proposed that the security policy be based on requirements set by the ISO/WD 27799 standard.(5)
A data protection policy is also needed that includes definitions regarding a patient’s rights. Additional policies required include an EHR preservation policy and a network security policy. It is essential that healthcare professionals understand why it is important to maintain a secure environment for EHRs. Therefore, education covering security threats, privacy protection and security requirements should be systematically organised and offered to all employees.
Information and communication services
Different layers of security are needed to build a secure EHR infrastructure. The first level consists of identification and authentication of patients, health professionals and entities. There exist commercial safeguards designed for this purpose, such as PKI services with ID tokens (eg, a health professional card). The second level is the privilege management and access control level. In the healthcare environment, privileges should be linked to the roles of health professionals. Access control services should both manage patient consent and enable purpose- and consent-based access to the EHR. The third level is needed to prevent unauthorised modification of the contents of EHRs. This requires digital signatures and encryption, so that data cannot be modified or read by any unauthorised person or process during communication.
Monitoring and auditing services
It is also necessary to maintain the accountability of the EHR system. This is best achieved by monitoring with the help of audit logs that record who has accessed or distributed data, when and for what purpose. These multiorganisational audit trails should be regularly analysed, and the service should also be available to patients.
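As an added illustration (not code from the article), the purpose- and consent-based access check described in the legislative principles and the access control layer above, combined with the audit record that the monitoring service calls for. Role names, purposes, identifiers and the consent and care-relationship tables are constructed sample data.

```python
from datetime import datetime, timezone

# Constructed sample policy data (assumed values, not from the article).
CLINICAL_ROLES = {"physician", "nurse"}
# Purposes that specific legislation permits without patient consent.
LEGAL_BASES = {"statutory_public_health_reporting"}
# (professional_id, patient_id) pairs documenting an existing care relationship.
CARE_RELATIONSHIPS = {("dr-anna", "pat-1")}
# Purposes each patient has consented to beyond the purpose the data was collected for.
CONSENTS = {"pat-1": {"insurance_assessment"}}

AUDIT_LOG = []  # accountability: every decision is recorded, allowed or refused


def evaluate(requester, role, purpose, patient, collected_for):
    """Return None if access is permitted, otherwise the reason for refusal."""
    # Privileges are linked to the professional's role.
    if role not in CLINICAL_ROLES:
        return "role not permitted to access EHRs"
    # An acceptable reason is needed: a care relationship or a legal basis.
    has_relationship = (requester, patient) in CARE_RELATIONSHIPS
    if not has_relationship and purpose not in LEGAL_BASES:
        return "no care relationship and no legal basis"
    # Purpose limitation: data collected in one domain (e.g. occupational care)
    # may only be used outside it with consent or a specific legal basis.
    if purpose != collected_for:
        consented = purpose in CONSENTS.get(patient, set())
        if not consented and purpose not in LEGAL_BASES:
            return "purpose differs from collection purpose; no consent or legal basis"
    return None


def request_access(requester, role, purpose, patient, collected_for):
    """Decide on the request and write an audit entry: who, whose data, when, why, outcome."""
    reason = evaluate(requester, role, purpose, patient, collected_for)
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "requester": requester, "role": role, "patient": patient,
        "purpose": purpose, "allowed": reason is None, "reason": reason,
    })
    return reason is None


if __name__ == "__main__":
    # A record collected for occupational care, requested for a different purpose.
    print(request_access("dr-anna", "physician", "research", "pat-1", "occupational_care"))
    print(AUDIT_LOG[-1])
```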
Security of future EHRs
The EHR of the future will be a combination of a citizen’s lifelong private and public health history and will be accessible at any time and from any place via the internet or a mobile network.(2,6) Next-generation technology makes it possible to store this health history on a portable personal token that is connected to the internet. Future EHRs should also support dynamic access to their content. The patient should have the tools to control what data is accessed, when and for what purpose. This all requires security services that are not available today. In cases of dynamic access, the data requester should prove that the doctor–patient relationship exists before any access is granted. This can be done by establishing a privilege management infrastructure, using identity distribution services, “care relationship credentials” and purpose- and context-based access control services.(7)
The EHR of the future will support care delivered across borders, which means it is possible that the communication partners will have different security policies. To enable trusted and secure cross-country access to EHRs, the access control service of the communication network should match partners’ security policies using the security policy bridging service.(8)
The collection, storage and communication of a large range of personal health data presents a major security dilemma.(4) In a networked, integrated EHR environment, security risks should be carefully analysed. A trusted EHR network should be built on ethical principles, legislation and security policy and use international standards. Nevertheless, we have to remember that technical solutions can only prevent some misuse and that users remain the greatest threat to security.
- Stein LD. The electronic medical record, promises and threats. World Wide Web J 1997;2:217-9.
- Ruotsalainen P, Pohjonen H. European Security Framework for Healthcare. Stud Health Technol Inform 2003;96:128-34.
- Ruotsalainen P. Security requirements in EHR systems and archives. Stud Health Technol Inform 2004;103:453-8.
- Anderson J. Security of the distributed electronic patient record: a case-based approach to identifying policy issues. Int J Med Inform 2000;60:111-8.
- ISO. Health informatics security management in health using ISO/IEC 17799. ISO/TC 215/WG4, document N410, 11-02-2005.
- Ruotsalainen P. A cross-platform model for secure electronic health record communication. Int J Med Inform 2004;73:291-5.
- International Telecommunication Union. Security in telecommunications and information technology. Available from: www.itu.int/itudoc/itu-t/86435.html
- Blobel B. Analysis, design and implementation of secure and interoperable distributed information systems. Stud Health Technol Inform 2002;89:1-329.