EHR security: present requirements and future challenges

Pekka Ruotsalainen
National Research and Development Centre for Welfare and  Health (Stakes) Centre of Excellence for ICT
Helsinki, Finland
E: pekka.ruotsalainen@sw

New models of healthcare delivery emphasise the need for  patient information to be shared among a growing number of  public and private healthcare providers and across  traditional organisational boundaries. In modern healthcare, information flows easily through regional and national information infrastructures. Within this structure, greater use of digitalised health information can help improve the quality and reduce costs, and the challenge today is to find the balance between new access possibilities, generated by ICT and security.

Current health information networks are typically closed public or private domains. Over the next few years the present communication infrastructure needs to be expanded to accept cross-domain communication and connections from the internet.(1,2) This new infrastructure should meet security requirements set by legislation and use available international standards.

EHR systems and eArchives
An electronic health record (EHR) is a comprehensive, structured set of clinical, demographic, environmental, social and financial data and information in electronic form. Typically it is managed by one service provider; it can also be distributed or even virtual. From the information content point of view, an EHR can also be a combination of multipurpose data produced by different service providers.(3)

In real life, EHR systems and eArchives are interconnected  systems. An EHR system is a system for recording, retrieving and manipulating the information. It includes a set of patient records, rules and procedures, but its main aim is to process and archive EHRs. It also has communication facilities.(3) EHRs generally need to be archived for a long time, and ensuring their integrity and nonrepudiation during this time is a demanding task.

Information stored in the EHR system can be easily shared, which means that health professionals, secondary users –  suchas payers, researchers and government agencies –  and the patient have access to it. Therefore, maintaining the security of an integrated EHR system is of paramount  importance.

EHR communication
Modern healthcare requires shared access to patient data.  Once data are transferred out of the institution that  provides the patient care, there is little control over its  use.(4) In this case, the key problem is both to know and  control who is trying to access a patient’s EHR and for what  purpose.

During communication with other EHR systems there are many threats, including destruction, corruption and disclosure of data, modification of message traffic in transit and data theft. Communication interruption can also cause data loss. Therefore, network security is a major issue to prevent unauthorised access to data and for protection of  transferred data.(3)

Security and privacy protection of EHRs
Security is a combination of availability, confidentiality,  integrity and accountability. In healthcare, security and  data protection requirements need to be defined and  fulfilled. In most countries, the EHR environment is strongly regulated. The security framework of the EHR system is a combination of general legislation (eg, EU Data Protection Directive and national regulations), specific healthcare acts, norms and rules, standards and guidelines.

Security requirements derived from legislation
Personal health data should be accessed and used only for  the purposes for which it has been collected and disclosed  according to the consent of the data subject or legislation.  Only those professionals participating in a patient’s care  have a right to access their EHR. The following security and  privacy protection principles arise from legislation:

• An acceptable reason for any data access is needed. This  can be either the doctor–patient relationship or that it is defined by specific legislation.
• Data should not made available or disclosed to any  unauthorised individual or computer process.
• Only data which is necessary should be accessed.
• Data cannot be used without the patient’s consent or specific legislation allowing its use for other purposes for which it has been collected. For example, if data has been collected for an occupational care purpose, the patient’s consent or specific legislation is required to use this data outside the occupational care domain (eg, the EHR system should include a context- and purpose-based access control  service).
• Data integrity should be proven during EHR communication and archiving.

The length of time an EHR should be archived for is determined by national legislation. If national legislation stipulates it, the original EHR should be stored by an archiving organisation. When a patient’s consent is needed for data delivery, the EHR system should have a mechanism to ensure that only the information that matches the patient’s consent is delivered. As a minimum requirement, patient consent should be provided with information about how their records will be used and to whom they may be disclosed without specific consent.

Requirements for availability, integrity and confidentiality
The EHR system is responsible for making EHR information available in a correct and independently understandable form over the entire time it is archived for. This means that all EHRs planned for cross-organisational communication should  be based on common semantics and terminology. The EHR should contain not only raw data but also the necessary descriptive information (eg, metadata). The EHR system should have adequate data searching mechanisms and services.

The EHR system should maintain the integrity of EHRs while archived by ensuring that data is not modified or destroyed in an unauthorised way during its use, archiving and communication. The integrity of EHRs should be proved when data is disclosed outside the service organisation.

To maintain confidentiality, the EHR system should ensure  that data is not made available or disclosed to an  unauthorised individual or computer process. It should also  check that all necessary conditions are met before any data  is accessed or disclosed. If necessary, the EHR system  should encrypt EHRs in data transmission.

Methods and tools to archive the trusted EHR communication environment
An EHR system should protect the confidentiality, integrity, availability and accountability of all EHRs, both when patient information is used inside the organisation and when there is cross-organisational data access. Therefore, an EHR system should have the necessary administrative, physical and technical infrastructure.

Administrative measures
The privacy and security risks posed by EHRs are not only technological, but also social and political. Therefore, key administrative measures needed include security policy, contracts and education. Organisations collecting, manipulating, storing and distributing personal health information should have a written security policy. This policy describes rules relating to how EHR information should be collected, used and preserved so that confidentiality, availability and integrity are proven. This policy also defines responsibilities inside and between organisations. It is proposed that security policy is based on requirements set by the ISO/WD 27799 standard.(5)

A data protection policy is also needed that includes definitions regarding a patient’s rights. Additional polices required include an EHR preservation policy and a network security policy. It is essential that healthcare professionals understand why it is important to maintain the secure environment for EHRs. Therefore, education covering security threats, privacy protection and security requirements should be systematically organised and offered to all employees.

Information and communication services
Different layers of security are needed to build a secure  EHR infrastructure. The first level consists of identification and authentication of patients, health professionals and entities. There exist commercial safeguards designed for this purpose, such as PKI services with ID tokens (eg, a health professional card). The second level is the privilege management and access control level. In the healthcare environment, privileges should be linked to the roles of health professionals. Access control services should manage both patient consent and enable purpose- and consent-based access to the EHR. The third level is needed to prevent unauthorised modification of the contents of EHRs. This requires a digital signature and encrypting to prove that data cannot be read by any unauthorised person or process during communication.

Monitoring and auditing services
It is also necessary to maintain the accountability of the  EHR system. This is best achieved by monitoring with the  help of audit logs that have accessed or distributed data,  when and for what purpose. These multiorganisational audit trails should be regularly analysed, and the service should also be available to patients.

Security of future EHRs
The EHR of the future will be a combination of a citizen’s  lifelong private and public health history and will be  accessible at anytime and from anyplace via the internet or  a mobile network.(2,6) Next-generation technology makes it possible to store this health history on a portable personal token that is connected to the internet. Future EHRs should also support dynamic access to its content. The patient should have the tools to control what data is accessed, when and for what purpose. This all requires security services that are not available today. In cases of dynamic access, the data requester should prove the doctor–patient relationship exists before any access is granted. This can be done by establishing a privilege management infrastructure, using identity distribution services, “care relationship credentials” and purpose- and context-based access control services.(7)

The EHR of the future will support care delivered across  borders, which means it is possible that the communication  partners will have different security policies. To enable  trusted and secure cross-country access to EHRs, the access control service of the communication network should match partners’ security policies using the security policy  bridging service.(8)

Conclusion
The collection, storage and communication of a large range of personal health data presents a major security dilemma.(4) In a networked, integrated EHR environment, security risks should be carefully analysed. A trusted EHR network should be built on ethical principles, legislation and security policy and use international standards. Nevertheless, we have to remember that technical solutions can only prevent some misuse and that users remain the greatest threat to security.

References