Assistant Professor, Department of Emergency Medicine, University of Manitoba, Canada.
Many healthcare administrators, clinicians, and analysts consider information security to be the realm of Information Technology (IT) professionals working behind the scenes to protect computer networks and servers from unauthorised access by nefarious outsiders. This common but narrow view belies both the many ways in which sensitive health-related information can be exposed and the many countermeasures available and necessary to mitigate the threat of an information breach.
The collection and storage of private and health-related information is growing as more Healthcare Organisations (HCOs) adopt Health Information Technology (HIT) such as Electronic Medical Records (EMRs). As more data becomes available, its use for needs other than purely clinical ones (such as quality and process improvement initiatives) is also increasing.
HCOs from around the globe are actively engaging in quality and performance improvement initiatives in hopes of transforming into more efficient and effective providers of care. Teams engaged in such initiatives are utilising methodologies such as Lean and Six Sigma to ensure a measured, structured approach to improving quality and performance. Most improvement efforts are data-intensive, using available information to determine baseline values, monitor ongoing performance, and detect changes as a result of process improvements. To be of most value, data must be accurate, timely, and readily available to the teams charged with improving processes.
This growing volume of electronic health and personal data being amassed in databases, coupled with the fact that more people have a legitimate need to access and use data for a myriad of purposes, results in an increased risk of a breach of health information. A breach of security has the potential to result in an unauthorised release of an individual’s (or, more likely, many individuals’) private health information. The information at risk commonly ranges from name and birthday to detailed credit information and private health matters.
Electronic health information can be made almost entirely secure. The trade-off, though, is that nobody would be able to access it. An ongoing dialogue between healthcare providers, researchers, administrators, and information stewards is necessary so that appropriate levels of privacy and security can be maintained. This is required so that information that needs to be shared can be shared, without risking wide-scale leaks. It is the responsibility of all who may have stewardship over and / or have access to health information to ensure that the accessibility, confidentiality, and integrity of the information remains protected from unauthorised access, modification, and / or disclosure.
The statistics on health information breaches are quite startling. According to the United States Department of Health and Human Services, in 2009 and 2010 (when information on health information breaches was first collected by the Department), the personal medical information of approximately 7.8 million people had been exposed improperly (1). Incredibly, a single case involving the theft of 1.7 million records from an unlocked van of a records management company was reported.
According to the “2012 HIMSS Analytics Report: Security of Patient Data” survey (2) released in April 2012, 27 per cent of the 250 leading healthcare organisations who participated in the survey indicated their organisation had experienced a security breach within the previous 12 months. This was up from 19 per cent in 2010 and 13 per cent in 2008. Of those HCOs that reported a breach, 69 per cent experienced more than one. Interestingly, and somewhat worrisomely, 18 per cent of respondents were not aware of whether or not a data breach had been experienced by their organisation in the previous 12 months.
The 2012 HIMSS Analytics survey noted that 56 per cent of respondents stated the source of the security breach was unauthorised access by an employee, whereas three per cent of breaches were caused by a network breach by an outsider. Twenty-two per cent reported breaches due to theft of laptops or handheld devices, and 10 per cent reported breaches due to data being housed by a third-party vendor.
The US Department of Health and Human Services has identified several types of incidents resulting in large breaches (which involve more than 500 records):
The theft of personal health information can occur when traditional paper records or electronic media such as laptops, tablets, and memory devices are stolen. Deliberate theft is the largest category of breach reported by the Department of Health and Human Services.
A breach of health information can occur due to the loss of records. Such incidents include the loss of paper records or the loss of electronic media (i.e., laptops, tablets, or memory and backup devices).
There is an upswing in deliberate attempts to gain access to sensitive computer systems through the use of ‘phishing,’ hacking, or similar methods to obtain login / password information. In these cases, individual computers and / or network servers are accessed by unauthorised persons to obtain the private health information of others.
Information breaches can occur as a result of a failure to take adequate care of protected health information. These types of errors include misdirected shipping / mailing of paper records (due to an incorrect mailing address, for example). This can also occur if unencrypted information is inadvertently emailed to an incorrect and / or unauthorised recipient.
Improper disposal of records can also result in an information breach. This could happen either by paper records not being properly disposed of, or by electronic information not being completely obliterated.
Understanding how information breaches occur is necessary when developing and implementing effective countermeasures. Governments at all levels are working to implement effective legislation aimed at improving information security. Driven by both the need to maintain regulatory compliance with legislation, and the desire to protect the privacy of their patients, HCOs are developing policies and procedures to safeguard this data. Information security, however, ultimately depends on how well the data is physically protected via technology and responsible human behaviour.
To combat data breaches, governments at all levels around the globe have introduced (or are introducing) legislation aimed at curbing unauthorised access to personal and health information. These regulations typically dictate how health information can be collected, used and disclosed. They also specify how such data ought to be protected throughout its lifecycle and allow for the accessing and sharing of data for legitimate purposes (such as improving quality or providing care). Most legislation attempts to strike a balance between protecting sensitive data and not over-burdening healthcare providers with excessive measures just to access information.
In the Canadian province of Alberta, for example, the Health Information Act (HIA) sets out rules to protect the privacy of an individual's health information and stipulates how and when information can be collected, used and disclosed. The legislation requires that information custodians (such as healthcare providers) and affiliates (such as employees and contractors who work for a custodian) are only to obtain, utilise, and share private health information in the most limited manner possible, with the highest degree of anonymity possible, on a need-to-know basis.
Another example of legislation is the United States Health Insurance Portability and Accountability Act of 1996 (or HIPAA). HIPAA provides guidelines for the protection of personal health information while balancing the need to disclose such information if and when it is needed for the delivery of patient care and other legitimate purposes. The HIPAA guidelines also specify the administrative, physical, and technical safeguards that must be in place to help ensure that private health information remains confidential and that the integrity and availability of the information is maintained.
The International Standards Organization (ISO) has taken an interest in the protection of health information. Its most recent standard for health information, ISO 27799:2008, applies directly to health information in all its aspects. The standard outlines controls for managing health information security and identifies best practice guidelines for protecting and maintaining the security of health information. The intent of this standard is to assist HCOs in ensuring a minimum requisite level of information security appropriate to their size and to how they intend to use the data.
Perhaps the best approach to protecting private health information is to encrypt it at the source. Encrypting sensitive information in source databases (or other data files) will help prevent unauthorised access or disclosure should the database be directly accessed. Legislation and other guidelines commonly mandate encryption of health information (especially when passing health information over an open network, or when sharing files). There are many types of encryption algorithms in use by HCOs (such as DES, 3DES, RSA, and AES). An appropriate choice of encryption algorithm for an HCO is one that balances overall system and encryption performance with the necessary security precautions, based on the type of data being encrypted and the applications for which it is being used. For some organisations and / or applications, encryption at the source is not a viable option (for cost and / or performance reasons). For this reason, data should always be encrypted when it leaves the confines of the network for transport or analysis.
Some of the most common causes of privacy breaches are the loss and theft of portable devices (such as laptops, tablets, memory sticks, and now even ‘smart phones’) used to store health information. Avoiding the storage of health information on such devices (in favour of the use of encrypted network connections such as Virtual Private Networks, or VPNs) reduces the risk of a privacy breach if such devices are lost or stolen. When it is absolutely necessary to transfer health information on such devices, both the data and the device storage medium should be encrypted, and the device itself should be protected with a secure log-in. Many government laws mandate a significant financial or other penalty when loss or theft of a mobile device occurs; properly encrypted data and storage devices may protect organisations from such penalties under the provisions of certain legislation.
HCOs are becoming increasingly inter-connected, and now rely on networks to share information throughout and between organisations. Properly implemented network security is essential to keeping information secure, especially now that ‘phishing’ and hacking attacks on healthcare networks are an increasing concern. The basic premise of network security is to ensure that access is limited to authorised users, and that those users are only able to access the applications and data they are authorised to see. One very common threat to information security is password sharing (or ‘generic’ logins). Although it might be convenient for clinical staff to share a password, or to access computers via others’ login credentials, such practices can leave the door wide open to information breaches.
As more clinical systems (and thus more data) become available, there are many ways in which information is used throughout modern healthcare organisations. Healthcare dashboards, scorecards, and other forms of aggregated de-identified information pose little risk of a privacy breach (provided that the data sources are sufficiently protected). There is an increasing ‘gray area’, however, in which de-identified information may be required for ‘seemingly’ legitimate purposes. Many audits, critical incident reviews, and quality improvement projects may request information that is de-identified to handle a complaint or to develop contact lists for infection control.
Healthcare professionals in a position to request and / or provide data that might reveal private health information must consider whether the request can be handled without disclosing the sensitive information. Once private health information is released (even via a legitimate request), it is possible that a breach may occur, even by accident. Health research has long been subject to the scrutiny of ethics boards to ensure that no unnecessary private health information is released (even if it is ‘nice to have’ but not essential to the study). Quality improvement projects internal to the healthcare organisation seem not to be subject to the same scrutiny, yet they represent a very real risk of a data breach. Users of health information have the responsibility to use only what is absolutely necessary.
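One way to put the need-to-know principle above into practice, shown here as an added illustration that is not from the original article: a data custodian prepares a minimal de-identified extract for an infection-control review, keeping only the fields the review needs, replacing the medical record number with a keyed token, generalising the birthdate to an age band, and refusing release if a direct identifier slips through. The record fields, the sample rows and the custodian key are all constructed for this example.

```python
import hashlib
import hmac
from collections import Counter
from datetime import date

# Constructed sample EMR rows for this example (not real patients).
RECORDS = [
    {"mrn": "000123", "name": "A. Example", "dob": "1951-04-02", "postal": "R3T 2N2", "unit": "ED", "organism": "MRSA"},
    {"mrn": "000456", "name": "B. Sample", "dob": "1984-11-20", "postal": "R2C 0A1", "unit": "ED", "organism": "MRSA"},
    {"mrn": "000789", "name": "C. Placeholder", "dob": "2001-01-15", "postal": "R3E 3P5", "unit": "Med", "organism": "C. difficile"},
]
# Placeholder key; in practice the data custodian holds it, never the requester.
PSEUDONYM_KEY = b"custodian-held-secret-placeholder"
# Only the fields the infection-control review actually needs (need-to-know).
NEEDED_FIELDS = ("unit", "organism")
DIRECT_IDENTIFIERS = {"mrn", "name", "dob", "postal"}

def pseudonym(mrn: str, key: bytes) -> str:
    """Keyed one-way token: lets the reviewer link repeat episodes without ever seeing the MRN."""
    return hmac.new(key, mrn.encode("utf-8"), hashlib.sha256).hexdigest()[:12]

def age_band(dob: str, today: date) -> str:
    """Generalise an exact birthdate to a 10-year band so it no longer identifies the patient."""
    born = date.fromisoformat(dob)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"

def minimal_extract(records, key: bytes, as_of: str) -> list:
    """De-identified extract: direct identifiers dropped, DOB generalised, MRN tokenised."""
    today = date.fromisoformat(as_of)
    extract = []
    for r in records:
        row = {field: r[field] for field in NEEDED_FIELDS}
        row["token"] = pseudonym(r["mrn"], key)
        row["age_band"] = age_band(r["dob"], today)
        extract.append(row)
    return extract

def safe_to_release(extract) -> bool:
    """Release check: refuse the extract if any direct identifier slipped through."""
    return not any(row.keys() & DIRECT_IDENTIFIERS for row in extract)

def cases_by_unit(extract) -> Counter:
    """Aggregate counts are what a dashboard needs; they carry no per-patient detail."""
    return Counter((row["unit"], row["organism"]) for row in extract)

if __name__ == "__main__":
    rows = minimal_extract(RECORDS, PSEUDONYM_KEY, "2012-06-01")
    print(rows, safe_to_release(rows), cases_by_unit(rows))
```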
As more health information becomes available electronically, and as the need for such information for clinical care and healthcare improvement continues to grow, there will always be a need to balance data security and usability. If health information is not kept secure in multiple ways (via encryption, secure hardware, and responsible use), the unauthorised exposure of private data will continue to occur. If these breaches continue to occur, especially on a large scale, the likely response will be a tightening of access to health information for everything but pure clinical care.
Information security is not really about technology and industry best practices – it is about the patient. When a patient presents to a healthcare facility, they are expecting healthcare professionals ‘to do no harm.’ In the modern era, doing no harm now includes protecting the patient’s privacy in addition to their health. A balanced approach to information security and usability will ensure that both are possible.
Trevor Strome is responsible for developing and implementing innovative analytics tools for use in healthcare quality improvement initiatives. He has broad experience in health informatics implementations, healthcare quality improvement initiatives, and healthcare analytics development.