1997 ASIS Mid-Year Meeting Preview
Achieving Effective Medical Information Security: Understanding the Culture
by Douglas M. Stetson
© 1997 ASIS

Among the obstacles to adoption of computer-based patient records are patient, institutional and clinician concerns about privacy of confidential information. Yet adopting high quality security is itself sometimes resisted by medical record users. This article describes, from a primary care clinician viewpoint, the features that characterize an attractive solution to the implementation of patient record security goals, as well as some strategies for implementing these features. The accompanying sidebar traces the origins of typical unauthorized access and release of confidential patient information.

Information security risks have grown with the rapid growth in the number and types of people who have a legitimate interest in the information now kept in medical records. These risks will continue to grow. While 5x7 cards never left a physician's office, we now have insurers and health plan managers who need to see medical data to evaluate claims, insurers who share information to protect themselves from fraud, legal representatives and their assistants who review medical records in detail, and administrative staffs in corporate and government institutions who gather and collate large quantities of medical information in order to develop health care management policies.

The risks of inappropriate release of medical information inherent in this situation do not stem primarily from the records maintained in the clinician's office. Instead the primary risk comes from growing computer databases of clinical information kept by non-clinical entities. Many entities have accumulated this information over several years. They intentionally cross index personally identifiable medical information by patient across providers. These systems predate clinician use of computer-based patient records. As they accumulate clinical information, for instance genetic information, they will become increasingly controversial, and controls over access will become increasingly more important to both patients and the other users of the record.

Experience: Medical Record Security Is a People Problem, Not a Computer Problem

Notorious and grievous inappropriate disclosures of confidential medical information have gained wide public attention. Patients and physicians sometimes mention them as grounds for fear that computer-based patient records will lead to dangerously poor protection of patient information. Importantly, the best known of these cases involve inappropriate access and disclosure of information contained in paper records or in widely accepted hospital information systems like those that report laboratory test results.

These disclosures highlight the importance of the individual responsibilities of those handling confidential information and the critical requirement for education and monitoring of individuals with access to confidential material.

Clearly computer-based systems can abet personal misbehavior. They can provide the careless or unprincipled person with easy access to large amounts of sensitive information. But with their information access control features, computers can also help us restrict access to confidential information to those who have legitimate access requirements.

Hostile intrusion into computer-based record systems offers those with no authority to view medical records a greater potential for gathering large amounts of confidential information than a similar attack on a paper record system. Although such invasions are still rare, medical information is now a valuable commodity and computer-based record systems require thoughtful protection from external threats.

Security Features Important to Clinicians

Security professionals faced with the task of protecting clinical information can gain the cooperation of clinicians by devising systems that meet clinician needs. Clinicians share with patients and with health care administrators a requirement for high quality medical information privacy. Clinicians also have a business and professional interest in the security of clinical records as business records.

The clinical environment where health professionals work, however, is vastly different from other situations where people regularly handle sensitive and confidential information. Unlike clerical workers or bankers, clinicians frequently need to consult others and share clinical information in order to care for their patients. Unlike other information workers who rely on computers for information, clinicians do not sit before computer screens for lengthy periods of time. Instead they briefly consult and amend clinical records intermittently, during or between patient encounters. Because many clinicians serve four or more patients an hour, executing log-on procedures that another computer system user in a different environment could easily manage once or twice a day becomes insurmountable when repeated five or ten times an hour. System designers should consider these differences when planning security systems for clinical professionals to use.

Six main features characterize computer-based patient records that meet clinician needs. Implementing these features is important to creating successful computer-based record systems, systems that clinicians will embrace and accept for regular, direct use.

1. Security sophisticated enough to guarantee my patient and myself that there will be no unauthorized access to or release of confidential information

Clinicians need to assure their patients that their records are secure from unauthorized access or disclosure. Clinicians must also assure their patients that they will be able to exercise their right to detailed control of information release. This implies access control at the level of individual data fields.

In addition, clinicians will wish to keep other clinicians and health care management entities from inappropriate and unnecessary access to the records of the patients they treat. Unrestricted access by clinicians or health maintenance organizations to one another's records could create unfair marketing opportunities for competitors and erode the competitive advantage of individuals or organizations who had developed particularly effective methods of delivering health care. These concerns can become prominent in the community health information network environment.

2. One-stop access to the entire patient record

Clinicians seek a system that provides complete access to all existing information on their patients. Subject to patient-generated restrictions on viewing of data, clinicians expect to have full access to patient-specific information from hospitals, outside consultants and ancillary services like pharmacy, laboratory and imaging services, as well as information created in their own offices.

3. Incomplete access notification

Clinicians presume that they have access to the entire patient record. When a patient restricts access to part of the record, the record should clearly reflect that some information has been concealed at the patient's request. This notification would permit the clinician to judge whether the missing information might be important to the clinical task at hand. The clinician could then consider whether to inform the patient of the need for access to the concealed information and request its release. At the same time patients will have to take explicit responsibility for the consequences of errors that arise from failing to make important information available.

4. Rapid access -- don't slow me down

Access to clinical information must be easy and rapid. Security should be nearly transparent to authorized users making appropriate requests. Access must not be hindered by repetitive authentication requirements. Single sign-on techniques and rapid user authentication procedures are essential to making the record accessible enough to be useful.

The requirement for facilitated but reliable access control is particularly evident in clinical outpatient environments. Historical examples are common where difficult sign-on techniques and onerous authentication procedures have led clinicians to openly circumvent security procedures or abandon use of systems entirely. Examples include sharing passwords with colleagues so that others can input and retrieve information in their stead, or users who post their passwords at their terminals because system administrators demand that the passwords be difficult to guess and frequently changed. A successful computer-based patient record system will avoid these difficulties.

Similarly, clinicians must be able to execute electronic signatures easily and rapidly. There should be a provision for signing documents in groups. For example, the narrative note, all prescriptions, all test requests, all consultation requests and all correspondence executed at a single patient visit should be signed in a single event.

Nevertheless, the system should permit individual signatures for individual items.

Finally, there must be a provision for correcting errors in records that leaves the record easy to read and understand. The information displayed must be the most current and accurate available. To do otherwise invites confusion and error arising from clinical reliance on inaccurate information. If erroneous information in a record has been corrected by an approved process that preserves a detailed audit trail, the corrected information should be displayed. The system should alert the user that the information being viewed has been corrected or amended. The system should also provide the user the option to view the record as it was at any arbitrary point of time in the past and to review the audit trail.
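An added example, not from the article, of a record store that follows the correction rules just described: every entry and every correction is appended to an immutable audit trail, the current view shows the corrected value and flags that it was amended, and the record can be viewed exactly as it stood at any earlier moment. The class and method names (AuditedRecord, Revision, view_as_of, current_view) are assumptions of this example, and the clinical values are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Revision:
    """One immutable line of the audit trail (hypothetical type for this example)."""
    field_name: str
    value: str
    author: str
    at: datetime
    reason: Optional[str] = None   # present only on corrections and amendments


class AuditedRecord:
    """Append-only clinical record: nothing is ever edited or deleted in place."""

    def __init__(self):
        self._trail: list[Revision] = []

    def enter(self, field_name, value, author, at):
        self._trail.append(Revision(field_name, value, author, at))

    def correct(self, field_name, value, author, at, reason):
        """Approved correction: keeps the old value in the trail and records why."""
        if not any(r.field_name == field_name for r in self._trail):
            raise KeyError(f"no entry '{field_name}' to correct")
        if not reason:
            raise ValueError("a correction must state its reason")
        self._trail.append(Revision(field_name, value, author, at, reason))

    def view_as_of(self, when):
        """The record as a clinician would have seen it at `when`."""
        state = {}
        for r in sorted(self._trail, key=lambda r: r.at):
            if r.at <= when:
                state[r.field_name] = r.value
        return state

    def current_view(self):
        """Most current value of each field, paired with an 'amended' flag."""
        latest, amended = {}, set()
        for r in sorted(self._trail, key=lambda r: r.at):
            latest[r.field_name] = r.value
            if r.reason is not None:
                amended.add(r.field_name)
        return {k: (v, k in amended) for k, v in latest.items()}

    def audit_trail(self, field_name=None):
        """Full trail, or only the revisions of one field."""
        return [r for r in self._trail if field_name is None or r.field_name == field_name]


def demo():
    """Constructed scenario: a dosage transcription error corrected the next day."""
    t0 = datetime(2024, 3, 1, 9, 0)
    day = timedelta(days=1)
    rec = AuditedRecord()
    rec.enter("dose", "lisinopril 100 mg", "dr_lee", t0)      # mistyped: should be 10 mg
    rec.enter("allergies", "none known", "dr_lee", t0)
    rec.correct("dose", "lisinopril 10 mg", "dr_lee", t0 + day, "transcription error")
    try:
        rec.correct("weight", "80 kg", "dr_lee", t0 + day, "typo")   # nothing to correct
        rejected = False
    except KeyError:
        rejected = True
    return {
        "as_seen_day0": rec.view_as_of(t0 + timedelta(hours=12)),
        "current": rec.current_view(),
        "dose_trail_len": len(rec.audit_trail("dose")),
        "rejected": rejected,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The design choice worth noting is that `correct` never overwrites: the erroneous value remains reachable through `view_as_of` and `audit_trail`, while `current_view` is what the clinician sees by default, with the amended flag prompting them to look at the trail if it matters.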

5. Release control

Clinicians strongly desire to control who sees their medical records and what parts they see. They resist the idea of releasing more information to other medical information users than those users need to accomplish the tasks for which they request information. This concern arises from the concept of business record privacy. Subject to the restraints imposed by patients who have final release control with respect to patient identifiable medical information, clinicians will want to control who gets medical information from their practices and will want notification when others request and obtain information from their systems.

6. Perpetual access

Clinicians have an important interest in the medical information regarding patients they have treated even if they no longer have a professional responsibility for those patients. Security procedures should guarantee clinicians perpetual access to information that they were entitled to view during the time they were caring for a particular patient.

Professionals accept responsibility for their actions. Clinicians rely on the medical record to document their actions, and they rely on the information present in the medical record when deciding their actions. Clinicians may be questioned about their actions at any time and must be able to return to the record to refresh their memories regarding events. The medical record system must support clinician access to the information they put into the record and to the information that was available to them at the time they were responsible for caring for a particular patient (archival access).

Clinicians also have a legitimate requirement to review information from the records of patients they have treated in order to devise and refine their own diagnostic and treatment strategies for improving patient care.

A clinician who has no ongoing professional relationship with a patient but who did care for the patient at one time does not require access to information entered into the record after the professional relationship with the patient terminated.

Suggestions for Successful Implementation

Implementation of security systems for computer-based patient records will require careful coordination with all involved parties. Most system users will require basic education in the benefits of effective security procedures in their own work and the costs they will face if security fails. The concept that patients have control of medical information release may be novel to many users.

Major Security Principles

Implementation of the security features of successful computer-based patient record systems proceeds from three major principles:

1. Patient is in ultimate control.

All access authority to patient-identifiable medical information ultimately arises from permission granted by the patient. Governments will undoubtedly compel some access in executing their public health responsibilities despite reservations by some patients.

2. No one has access to a medical record without specific permission.

All access must be specifically granted to specific individuals. In particular, physicians and nurses should not have routine and unlimited access to the records of patients who are not under their care at the moment. The concept of access by role should be a guide to the specific privilege a system may grant a specific user, but should never be the basis for access to a record belonging to a person with whom the user has no professional relationship.

3. Access terminates immediately (and automatically) when no longer appropriate.

When a patient withdraws access privileges, when a clinician loses staff privileges or when an employee ceases to work in a position requiring medical record access, access must terminate immediately. If a clinical professional requires subsequent archival access the system should provide that access, but the system should log each instance of such access and administrators should review the logs to detect abuse of the privilege.

Security Implementation Strategies

The following seven implementation strategies can help when generating a site-specific implementation plan:

1. Clinicians request access from patients.

Although patients will be the ultimate authority for release of medical information, patients are likely, as a matter of convenience, to employ their primary care givers as their agents for this responsibility. Primary care givers will request and patients will grant primary access to medical records subject to specific, patient-originated restrictions. Access will terminate on a date certain and will be for specific purposes (e.g., to provide medical care). The patients will indicate release authority by executing an informed consent for release of medical information. This release will include a computer-based document that the patient record software consults to verify access authority asserted by various users.

2. Primary care givers will become patient fiduciaries and grant secondary access.

The primary care giver will grant secondary access to other care givers as required to provide the patient with medical care. People granted secondary access will have the same privileges, limited by role, as people with primary access. However, all access except archival access will terminate when secondary users complete their care of a particular patient. Software will handle the details.

3. Several primary care givers may coexist.

Patients may designate as many primary care givers as they choose. Patients will be responsible for terminating any primary access authorities they have granted.

4. Exceptions must be granted for emergency access.

In a health care environment anyone may need to provide emergency care for a patient. In these situations the emergency care providers, regardless of usual employment, may require access to any patient's medical information despite having no formal professional relationship with the patient. The record system should permit such emergency access to any specific patient record on assertion of an emergency requiring such access. Each example of such access should be logged and immediately evaluated for legitimacy.

5. Simplify clinical access.

System designers should use any available hardware and software solutions to simplify using the system. Simplify user authentication. Provide access to multiple systems from a single sign-on. Use security processes appropriate for the physical environment. Do not create barriers that are not justified by a credible risk. Implement simple safeguards that will prevent innocent meddling by the curious. Permit remote access, but be circumspect about potential unauthorized access attempts. Consider encryption on the fly and hardware token authentication for remote access.

6. Execute confidentiality agreements periodically.

Create agreements that clearly disclose management policy regarding user responsibilities accompanying the privilege of access to confidential information. Include employees, clinical staff, volunteers and vendors among the users. Emphasize individual responsibility for maintaining security. Insist on password protection. Describe clearly the penalties that accompany inappropriate access or disclosure of confidential information. Train individuals to understand the agreements and repeat the training periodically. Execute and renew the agreements as part of the training program. Condition access to confidential information on successful completion of the training program.

7. Enforce security policy vigorously and uniformly.

Because most serious violations of privacy and confidentiality involve inappropriate behavior by individuals with authorized access, an essential feature of clinical information system security is the policy for dealing with violations. Whatever policy management adopts, the policy must be one with clearly stated penalties that management can uniformly enforce. Management must consider that, as experience has shown, the person making inappropriate and unjustifiable inquiries to the record system may be a senior officer in administration or a highly valued clinical department head.
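The three principles and the first four strategies above describe an access-control model precisely enough to write down. The following is an added example, not code from the article or from any product, of a small consent-driven authorization check for one patient record: the patient grants primary access for a purpose and a date certain, optionally withholding fields (shown to the clinician as concealed, per feature 3); a primary care giver delegates secondary access no broader than their own; termination is immediate and cascades; a former care giver gets only archival access to what the record contained while the relationship was in force (feature 6); and emergency access is allowed on assertion but logged and flagged for review. The names (PatientRecord, Grant, delegate_secondary, terminate, read) are assumptions of this example, and all patients, clinicians and clinical values are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

CONCEALED = "[concealed at patient's request]"   # incomplete-access notification


@dataclass
class Grant:
    """One line of the computer-based consent document the software consults."""
    grantee: str
    granted_by: str                    # the patient (primary) or a primary care giver (secondary)
    purpose: str
    expires: datetime                  # access is always for a date certain
    withheld: frozenset = frozenset()  # patient-originated field restrictions
    ended: Optional[datetime] = None   # set when the care relationship terminates


@dataclass
class Entry:
    field_name: str
    value: str
    recorded_at: datetime


class PatientRecord:
    def __init__(self, patient_id):
        self.patient_id = patient_id
        self.entries: list[Entry] = []
        self.grants: dict[str, Grant] = {}
        self.audit_log: list[dict] = []

    def add_entry(self, field_name, value, when):
        self.entries.append(Entry(field_name, value, when))

    # Principle 1 / strategy 1: every access authority originates with the patient.
    def patient_grants_primary(self, clinician, purpose, expires, withheld=()):
        self.grants[clinician] = Grant(clinician, self.patient_id, purpose, expires, frozenset(withheld))

    # Strategy 2: the primary care giver acts as fiduciary; a secondary grant
    # inherits the patient's restrictions and expiry and can never be broader.
    def delegate_secondary(self, primary, secondary, now):
        g = self.grants.get(primary)
        if g is None or g.granted_by != self.patient_id or not self._active(g, now):
            raise PermissionError(f"{primary} holds no active primary grant")
        self.grants[secondary] = Grant(secondary, primary, g.purpose, g.expires, g.withheld)

    # Principle 3: termination is immediate and cascades to grants the user issued.
    def terminate(self, user, now):
        for g in self.grants.values():
            if g.ended is None and (g.grantee == user or g.granted_by == user):
                g.ended = now

    def _active(self, g, now):
        return g.ended is None and now < g.expires

    def read(self, user, now, emergency=False):
        """Returns (access mode, visible fields); every decision is logged."""
        g = self.grants.get(user)
        if g is not None and self._active(g, now):
            mode, cutoff, withheld = "routine", now, g.withheld
        elif emergency:
            # Strategy 4: break-glass on asserted emergency. Assumption of this
            # example: with no grant to consult, no field restriction is applied.
            mode, cutoff, withheld = "emergency", now, frozenset()
        elif g is not None:
            # Feature 6: archival access only to what was visible during care.
            mode, cutoff, withheld = "archival", min(g.ended or g.expires, g.expires), g.withheld
        else:
            self._log(user, now, "denied", review=True)
            raise PermissionError(f"{user} has no permission to view {self.patient_id}")
        view = {}
        for e in sorted(self.entries, key=lambda e: e.recorded_at):
            if e.recorded_at <= cutoff:
                view[e.field_name] = CONCEALED if e.field_name in withheld else e.value
        self._log(user, now, mode, review=(mode != "routine"))
        return mode, view

    def _log(self, user, when, outcome, review):
        self.audit_log.append({"user": user, "at": when, "outcome": outcome, "needs_review": review})


def demo():
    """Constructed scenario: one patient, a primary physician, a consultant, an emergency."""
    t0, day = datetime(2024, 3, 1, 9, 0), timedelta(days=1)
    rec = PatientRecord("patient-0001")
    rec.add_entry("allergies", "penicillin", t0)
    rec.add_entry("genetic_screen", "BRCA1 variant", t0 + day)
    rec.add_entry("medications", "lisinopril 10 mg", t0 + 2 * day)
    rec.patient_grants_primary("dr_lee", "primary care", t0 + 365 * day, withheld={"genetic_screen"})
    rec.delegate_secondary("dr_lee", "dr_patel", t0 + 3 * day)
    primary = rec.read("dr_lee", t0 + 3 * day)
    secondary = rec.read("dr_patel", t0 + 3 * day)
    try:
        rec.read("nurse_kim", t0 + 3 * day)          # no grant, no emergency
        denied = False
    except PermissionError:
        denied = True
    emergency = rec.read("nurse_kim", t0 + 4 * day, emergency=True)
    rec.terminate("dr_patel", t0 + 10 * day)         # consultation finished
    rec.add_entry("diagnosis", "hypertension", t0 + 20 * day)
    archival = rec.read("dr_patel", t0 + 30 * day)   # must not see the later diagnosis
    rec.delegate_secondary("dr_lee", "dr_ng", t0 + 35 * day)
    try:
        rec.delegate_secondary("dr_ng", "dr_other", t0 + 35 * day)   # secondaries cannot delegate
        chain_blocked = False
    except PermissionError:
        chain_blocked = True
    rec.terminate("dr_lee", t0 + 40 * day)           # patient withdraws the primary grant
    cascade_mode = rec.read("dr_ng", t0 + 41 * day)[0]
    return {"primary": primary, "secondary": secondary, "denied": denied, "emergency": emergency,
            "archival": archival, "chain_blocked": chain_blocked, "cascade_mode": cascade_mode,
            "flagged": [e["user"] for e in rec.audit_log if e["needs_review"]]}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two points of the model deserve emphasis. The role of the user never appears in the decision: a grant names a specific person for a specific patient, which is principle 2 in code. And the consent document is consulted on every read rather than being copied into a session, so withdrawal of a grant takes effect on the next request without any logout.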

The entire issue of sophisticated access control to personal health information has gained new prominence and is a stumbling block to widespread use of clinical information systems. The urgency and importance of clinical information security stem from the growing detail of clinical records and the ever widening circle of users who view the information. The oft-cited failures of privacy and confidentiality have generally arisen not from the existence of computer-based records per se, but from inappropriate behavior of personnel handling confidential information. We should take advantage of the improvements in access control that computer-based systems offer and strictly limit inappropriate access to avoid inappropriate disclosure. Computer-based patient records should be more secure than traditional paper records. To create successful systems we must aggressively employ technology to simplify legitimate access and avoid procedures that limit access that clinicians require and presently enjoy. In particular systems must not slow clinicians in completing their work. Finally, we must always hold users of confidential information responsible for their actions. When we are successful, we will be able to provide users with rapid access to appropriate information, and we will be able to assure our patients that we are handling the information they entrust to us with the care it deserves.

Historic View: The Metamorphosis of Clinical Records

Medical records were not always as complex as they are today. The brief clinical practice aids written by clinicians for their own use in years gone by have rapidly become minutely detailed, voluminous documents serving many users. At the same time, reliance on professional ethical integrity, once the sole protection of sensitive clinical information, is no longer sufficient to preserve patient confidence in medical information security.

1940: Clinical practice aids

When I was a child, my doctor had my clinical record on a couple of 5x7 index cards stapled together. He had my immunization record and a few words about each visit I made and some brief notes describing my physical exams. He used the records to recall some details of my case when I visited. In the unlikely circumstance that he were asked to testify about my care in court, he would have looked at these cards to refresh his memory about a particular encounter. The records were his. The only other person who might ever see them was his office nurse. These records served essentially clinical needs. The people who handled them were aware of their ethical responsibilities to preserve patient confidentiality. There was little risk of inappropriate disclosure of confidential information.

1960: Res ipsa loquitur

The legal concept of res ipsa loquitur, "the thing speaks for itself," greatly relieved the difficulty that plaintiffs' attorneys had finding expert witnesses to testify against physicians accused of malpractice. Courts accepted the idea that simply finding operating room tools in the abdomen of a patient after surgery bespoke a medical error. Finding evidence of inappropriate practice recorded in a medical chart was similarly viewed as undeniable proof of error. More importantly, the absence of information in a medical record that provided a reasonable explanation for an otherwise questionable event led similarly to a presumption of error. Finally, the absence of a record that an action had been taken was presumed to indicate that no action had been taken. The record had become a legal tool for evaluating medical practice. The result was an explosion of testing and documentation. Physicians learned that a detailed record was their best defense against malpractice claims. Medical records became economically important, and people outside the medical office were seeing them more regularly. These new users included lawyers, their staffs and insurance company employees.

1980: Managed care

The advent of managed care saw health care administrators take a greater interest in medical records. To evaluate claims and to control costs they wanted ever more detailed information about a patient's illness, what care they received, where and from whom. They wanted to know what medications clinicians prescribed and what tests they ordered. They began to review the necessity of visits, tests and treatments. The record began to serve administrative purposes that included the evaluation of physician performance in terms of cost and outcome. At the same time, clinicians themselves began to use clinical information from their records to evaluate their own practices and their own productivity. Medical records now had great economic importance and an ever larger group of non-clinical users was viewing confidential medical information. This larger user group included many who did not come from a long tradition of ethical obligation to protect patient confidentiality.

1990: Contemplated legislation

With legislative health care reform, Congress began addressing the issues of privacy and confidentiality on a national level. The likely outcome will be that patients have ultimate control over who sees their records and what part of those records they care to release. I expect that clinicians will accept a fiduciary responsibility for the release of medical information to other appropriate parties on the patient's behalf. The medical record that once was the clinician's personal record will have become the patient's personal record, needed and used legitimately by a large number of clinical and non-clinical individuals. Medical information will be widespread, and the danger of inappropriate access will grow.

Douglas M. Stetson, M. D., is principal scientist with J. D. Stetson Associates, Inc., in San Francisco.