Data sharing is sparking concern amongst the public, but is it ever a necessity?
Nathan Lea, Centre for Health Informatics and Multiprofessional Education, University College London
With the wider use of electronic records and higher-capacity computing resources, the sharing of richly detailed healthcare data to support care delivery and medical research is becoming more commonplace; concerns are being raised about the patient’s right to privacy and the medical profession’s duty of confidentiality. This article discusses how a knowledge management approach can help support the increasingly complicated security needs of safeguarding data.
The appeal of sharing healthcare data about individuals is undeniable at the point of care. Whether it is for chronic disease management or acute care, rapid access to rich, communicable information is a powerful tool. Research into
providing a means to share such information has been progressing for over a decade, and this has led to a number of standards for representing and communicating electronic healthcare records (EHRs) (some of these are listed in the side-bars).
Additional research over the last six years has shown how the EHR can also support medical research, where tens of thousands of medical records with a consistent semantic structure established using the EHR could be queried
consistently and correctly – a process described by Austin et al. The advantage, where such resources are available, is that there is no need to collect any data to support research beyond what has already been gathered during the routine provision of care.
Whilst the ease of sharing healthcare data has obvious benefits, there are legal and ethical responsibilities that constrain how the data should be used: these constraints stem from European and national data protection legislation, principles of medical and social ethics, international standards and institutional governance policies. They exist to uphold the individual’s right to privacy and the medical profession’s duty of confidentiality, where sensitive data must be protected. Invariably, healthcare providers and research institutions will adopt information security policies to dictate how sensitive healthcare data must be managed, to comply with the legislation and standards; they are usually written in natural language to be read and interpreted by people, are very difficult to refine into a form that is understandable by a computer system managing healthcare records, and in many cases may not be sufficiently precise to adequately protect the data.
Recent developments and issues with current practice
The problems of insufficient data protection are highlighted by a recent European Court of Human Rights (ECHR) ruling, where the Finnish Government was ordered to pay €34,000 in damages and costs to a nurse after it was determined
that their confidential medical record was unlawfully accessed. The ruling goes some way to illustrating how seriously the courts now take unauthorised information sharing, and are recognising the deleterious effects on an individual who suffers such breaches of confidentiality; this
comes in the midst of increasing anxieties about what the sharing of healthcare data might mean for wider individual privacy.
Whilst there is a general tolerance across Europe of sharing data to support consented research under strict constraints, there are definite concerns that even wider sharing with government agencies and third-party, commercial researchers will lead to unlawful surveillance and breaches of fundamental human rights as defined in Member State and European laws. A large number of manual security controls have to be enacted within clinical care and research settings in order to comply with legislation, information security standards and institutional governance policies. These controls need to specify whether the data may be stored in the first place
(through explicit or implied patient consent), and who could subsequently access it (based on patient consent and legitimate clinical need). It will determine whether the data may be queried for purposes beyond clinical need (for example, for ethics committee approved research) and in
what form the data can be presented (as an individual
data item, for example an age at diagnosis, or only as part of an aggregate results set).
Whatever the purpose may be, discrete data items will have different security requirements based not only on good clinical practice but also on individual patient choice (patients may be more anxious to protect their HIV status than other parts of their record) and ethical stipulations on how to restrict wider use of the data.
In the United Kingdom, medical research ethics committees are particularly concerned with identification of individuals during research projects. There are examples of different software systems that can help to assert policy-based
controls by managing passwords and encryption keys, access controls based on user roles and sophisticated auditing software, but it is still very difficult to apply the myriad of policy items needed in a healthcare setting.
The software tools to manage policies are not usually designed with the clinical care or research use cases or users in mind, particularly where there are issues of consent. Patients will sometimes be asked to give consent for certain data items to be shared for specific reasons, or might exercise the right to explicitly prohibit the sharing of particularly sensitive data. In cases when it is not feasible or possible to seek explicit consent, data can often be anonymised or pseudonymised (where identifying attributes are removed to reduce the chance of identification, particularly in research projects using anonymous participants). It is, however, very difficult
to capture and apply such details using existing access control software. It is also not always clear when and where to apply anonymisation or pseudonymisation, and to integrate that software with existing healthcare record systems.
How can healthcare data security be assured?
There is a clear gap between the process of recognising and understanding what security controls need to be specified at a policy level, and then refining those policies to a point that they can be applied in an automated, consistent and auditable way as part of the healthcare data management process. Policy specification is usually determined by information gathered through use case and risk analysis, and these details need to be recorded and sometimes updated, then applied to each part of the medical record for as long as that record is used for care and research.
In order to achieve this, it is recognised that a new knowledge management approach is needed. The design of EHRs relies on a formalism called the Archetype and its governance of data models, which together specify a “blueprint” for how an EHR for a particular clinical concept should be represented in an EHR system. These Archetypes structure the record itself, provide semantics to the record data, and define how certain data items might represent, for example, a blood pressure measurement, cancer diagnosis or a set of haematology results within a certain clinical context. Archetypes enable clinical information to be organised and shared consistently between systems.
It has been recognised that knowledge that is captured from risk analyses and policy specification also needs to be represented consistently, so that it can be interpreted by different systems and reused to protect each part of a patient’s record while it is used for different purposes. These details require semantic interoperability because there will be different systems and users who rely on those details for different purposes (be it to assert anonymisation procedures or deny access). To that end, a new formalism to extend the capabilities of the Archetype to the security domain has been developed: the Secutype. The purpose of the Secutype is to support existing software systems by allowing for a consistent semantic formalism to configure that software, as well as specify both human and computer readable policy.
Work on the Secutype specifications, and tools to author and manage them, are in progress at University College London. By considering the current working practice of clinicians and health informaticians, an editing tool is being developed that allows for the definition of clinical data items according to EHR standard specifications, and the construction of Secutypes as a means to specify the policy applicable to each of these data items (for example, to specify that an HIV test result will have a certain data format, and that it can only be accessed by the requesting physician and patient, but not, for example, an ophthalmologist or anyone else who does not have a legitimate care relationship with that patient, without their explicit their consent). Its Secutype, to determine whether access requests should be granted to individuals requesting it, and for which purposes, governs the HIV data within the EHR system.
The Secutype research, which forms part of a doctoral thesis, will be evaluated to determine its effectiveness in live EHR care and research systems, how well it can protect healthcare data, and what system performance overheads it may introduce. Secutypes are anticipated to help assert the required security controls for healthcare data, and provide a sound basis for information security assurance based on recorded facts about how data items should be protected. The ECHR ruling on the Finnish case sets a long awaited and significant precedent: data owners and custodians are more likely to implement ways of determining assurance and be able to prove that their protection methods are adequate. Furthermore, legislation across Europe is likely to change so that guidance is more thorough and constraints on behaviour are clearer, especially since the sharing of data across Member States seems increasingly desirable. Whether legislative changes will help clarify matters or complicate them further is unclear. Data security is nevertheless a constantly and rapidly evolving area where there are few concrete solutions. There needs to be a way to be flexible to evolving security and confidentiality requirements, whilst keeping track of the changing guidelines and legal stipulations. Versatile knowledge management, however, is fundamental to achieving any kind of demonstrable success.
Electronic healthcare record standards and specifications
- openEHR Foundation (www.openehr.org)
- Health Level 7 (www.hl7.com)
- European Committee for Standardization (http://www.cen.eu/cenorm/homepage.htm)
- International Organization for Standardization ISO 13606-1:2008 (http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=40784)
International Information Security Standards
- International Organization for Standardisation frequently asked questions for ISO/IEC 17799:2005 information technology – Security techniques – Code of practice for information security management http://www.iso.org/iso/support/faqs/faqs_widely_used_standards/widely_used_standards_other/information_security.htm)
- International Organization for Standardization ISO 227799:2008 Health informatics – Information security management in health using ISO/IEC 27002 (http://www.iso.org/iso/iso_catalogue/catalogue_tc/cataloguedetail.htm?csnumber=41298)
Healthcare Service Guidelines and Independent Bodies’ Analyses
- United Kingdom National Health Service Information Governance for Connecting for Health (http://www.connectingforhealth.nhs.uk/systemsandservices/infogov)
- Foundation for Information Policy Research (FIPR) (www.fipr.org)
1. Austin T, Kalra D, Tapuria A, Lea N, Ingram D. Implementation of a query interface for a generic record server. Int J Med Inform http://dx.doi.org/10.1016/
2. European Court fines Finland for data breach. e-Health Insider 2008 Jul 25. http://www.e-health-insider.com/News/3992/european_court_fines_finland_for_data_breach. Last accessed 2008 Aug 15.
3. Anderson A, Brown I, Fisher F, Korff D. Evidence submitted by the Foundation for Information Policy Research (EPR61). Parliament Select Committee on Health Publications and Records, Written Evidence. 2007 Mar 15. Available at http://www.publications.parliament.uk/pa/cm200607/cmselect/cmhealth/422/422we22.htm. Last accessed 2008 Aug 15.
4. Lea N, Hailes S, Austin T, Kalra D. Knowledge management for the protection of information in electronic
medical records. eHealth beyond the horizon – get IT there. Proceedings of MIE2008. IOS Press; 2008 May: 685-90.
5. Beale T. Archetypes: constraintbased domain models for future-proof information systems. In: Baclawski K, Kilov H, editors. Eleventh OOPSLA Workshop on Behavioral Semantics: Serving the Customer (Seattle, Washington, USA, November 4, 2002). Boston: Northeastern University; 2002. p. 16-32.
- Healthcare providers will take measures to provide greater assurance about the adequacy of their protection
- measures. This will have an effect on information governance requirements and stipulations
- The European Court of Human Rights ruling may lead to further legislative controls and a review of what guidance and procedures exist in healthcare organisations to protect information
- There will be increasing demands from individuals, civil rights groups and independent bodies for current
- government policies on data sharing to be reviewed
- Patients may expect greater transparency about how their records are handled by healthcare organisations, and may want more control over where they are stored and who can have access to them