
Currently Skimming:

4 Technical Approaches to Protecting Electronic Health Information
Pages 82-126

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 82...
... Health care organizations evaluate security technologies in terms both ...
Footnote 1: Note that these functions aimed at improving system security are conceptually different from those that would be required by the work of a database administrator or a network manager.
From page 83...
... It outlines the types of technical security tools that can help manage security risks and then describes the types of tools used by health care organizations. It examines technological issues associated with patient identifiers and other means of linking patient records, and discusses the role of rights management technologies in imposing accountability and control on secondary uses of health information.
From page 84...
... The committee examined a range of technological practices and mechanisms that can be organized into the following main areas:
· Authentication;
· Access control;
· Audit trails;
· Physical security of communications, computer, and display systems;
· Control of external communications links and access;
· Exercise of software discipline across the organization;
· System backup and disaster recovery procedures; and
· System self-assessment and maintenance of technological awareness.
These types of practices address different combinations of the five key functional areas of technological intervention listed above (Table 4.1).
From page 86...
... As the committee's site visits revealed, the protection of patient information could be greatly improved if existing, but currently undeployed, technologies were brought into more routine practice in health care settings. Specific technologies include strong cryptographic tools for authentication (Box 4.1)
From page 88...
... Leaving system accounts accessible after a user no longer has rights of access is a major source of security vulnerability.
Authentication Technologies Observed on Site Visits
As might be expected with the rapidly evolving computing environments of today's health care organizations and the integration of many legacy information systems with more modern ones, there is little uniformity in the use of authentication methodologies.
From page 89...
... Authentication Technologies Not Yet Deployed in Health Care Settings
In addition to procedures that strengthen the use of passwords by requiring users to change them frequently, employing codes that are hard to guess, and instituting incentives or sanctions against sharing them, a number of technological schemes are available to strengthen the use of passwords. These are not in general use in the health care industry but include single-session passwords (those that are valid for one log-on session only) ...
From page 90...
... as part of Project Athena in the mid-1980s.³ The central contribution of Kerberos is the practical management of secret keys for secure communications among thousands of workstations in a distributed organizational computing environment. The current Kerberos implementation functions without public-key encryption technology, yet limits the number of secret keys that must be used in an interconnected system.
From page 91...
... In support of this direction, health care organizations, elements of the health care information services industry, professional organizations, and government agencies should strongly support the development of Internet and commercial efforts in this arena. One example of a smart card token is a card about the size of a credit card but somewhat thicker that has a liquid crystal display in which a number appears that changes every minute or so (the length of the number and frequency of change depend on the card model)
From page 92...
... The Sandia data indicate that the most effective technologies currently available for identification verification (i.e., verifying the claimed identity of an individual who has presented a magnetic stripe card, smart card, or PIN) are systems based on retinal or hand geometry patterns.
From page 93...
... The difficulties that confound this process include not having a clear model for information secu...
Footnote 7: Note, however, that organizing all data in concert with all possible access rights is a major effort. Such a task requires that the many pieces of information contained within an electronic medical record be reviewed to ensure that retrieval of a given piece of information is consistent with all relevant access rights.
From page 94...
... Access Control Technologies Observed on Site Visits
The committee's review indicated that most health care organizations are attempting to adapt access control criteria and processes from paper record systems to on-line systems.
From page 95...
... The committee found strong pressure from physicians at the sites visited not to distinguish record access privileges among in-house physicians based on any role-specific criteria. Their arguments included their already strong ethical training and commitment to maintaining patient privacy.
From page 96...
... It may be possible to reduce these frequent, casual, and accidental disclosures of confidential information if unique identifiers, other than the patient's name, were used on records, orders, testing, and diagnostic procedures, except where absolutely essential. For example, there is not always a need to have a patient's name displayed in processing laboratory or pathology data, or in analyzing radiology or cardiology test results, in many other situations.⁹ A coded patient ID would suffice in many cases, just as bank account numbers and credit card numbers provide the true identifying label for financial trans...
Footnote 8: See Ferraiolo, David, and Richard Kuhn, "Role-based Access Controls," a summary of ongoing work at the National Institute of Standards and Technology, available on-line at http://nemo.ncsl.nist.gov/rbac/; and Wiederhold, Gio, Michel Bilello, Vatsala Sarathy, and XiaoLei Qian, 1996, "A Security Mediator for Health Care Information," Proceedings of the 1996 AMIA Conference, Washington, D.C., October, pp.
From page 97...
... Audit Trails
As discussed in Chapter 3, there are basically two kinds of interventions for minimizing violations of the confidentiality of health care information: (1) obstacles such as strong authentication and authorization technologies and (2) ...
From page 98...
... All see it as a successful deterrent against internal abuses of privileges.
Audit Trail Technologies Not Yet Deployed in Health Care Settings
There is wide agreement that audit trails deter unethical use of health information insofar as breaches can be detected and sanctions instituted against abusers.
From page 99...
... More effective software tools are needed to maintain continuous surveillance of audit trail information so that abuses are detected quickly and sanctions meted out, both to maintain the effectiveness of audit trails as prevention tools and to contain, as soon as possible, the extent of any abuse. Such tools must be relatively sophisticated and take into account expected usage patterns and auxiliary information, such as appointment schedules and referral orders, in order to minimize the false-positive and false-negative rates in audit trail analyses.
From page 100...
... These issues become especially important as the number of devices in a typical health care organization grows to tens of thousands and operational control over configurations, locations, connectivity, software census, and so forth becomes increasingly complex. Physical security also requires that outdated computing equipment be disposed of properly.¹⁰ Given that the average time to turn over computing equipment in the rapidly evolving marketplace is between 1.5 and 3 years, the proper disposal of equipment, media, and other materials that contain confidential information is essential.
From page 101...
... In organizations with 20,000 workstations of various sorts distributed throughout wide-reaching work locations, it is nearly impossible to maintain close physical control over the location of equipment and the means by which it is accessed. This does not mean there is no effort aimed at the physical security of these machines in the sites visited, just that the problem is operationally very difficult.
From page 102...
... Such unscrupulous intruders are often undeterred by ethical considerations or threats of audit trails; thus effective technical obstacles are necessary. The strong authentication and authorization technologies discussed above constitute a crucial element of prudent practice.
From page 103...
... Nevertheless they serve a useful purpose in focusing system administrators' attention on a smaller number of points of entry in a complex organization so as to control the most obvious kinds of attacks. Similar techniques can be used to control dial-up modem access to network services, again through the use of strong authentication techniques and limited service access.
From page 104...
... Network Control Technologies Not Yet Deployed in Health Care Settings
Firewall Technologies.
From page 105...
... Similarly, a number of government agencies concerned about security protection, such as the Department of Defense, Department of Energy, and National Aeronautics and Space Administration, also operate independent networks. To manage controlled access to health care information as time goes on, a dedicated health care network would focus interfaces with the Internet on controlled gateways and firewalls, offering a first line of protection under which individual health care organization networks could operate using additional access controls as appropriate.
From page 106...
... It is essential to keep up with community reports of vulnerabilities and solutions through agencies such as the CERT Coordination Center at Carnegie Mellon University.¹³
Encryption
Encryption technologies are the basis for many of the technological tools available to help secure computer-based information. Such technologies have received much attention in the popular press recently in terms of protecting Internet commerce, in terms of protecting the infrastructure of the Internet itself, and in terms of arguments for and against continued export control on products employing strong encryption tools.¹⁴ Encryption can serve a number of uses in health care settings, including the following:
· Being the basis of strong user and computer authentication and access control;
· Protecting stored information or on-line communications against ...
From page 107...
... Although all sites were generally aware of the existence of encryption technologies, these were not yet seen as essential parts of the needed information system infrastructure. Despite the ready availability of much cryptographic technology and numerous specifications for incorporating it into operational services, very few users of modern distributed computing systems actually take advantage of cryptographic protections.
From page 108...
... The technical community has only begun to demonstrate workable, trusted systems using modern cryptographic tools.
Software Discipline
Computer software is at the core of health care information system functionality whether network communications tools, operating systems, database systems, user interface tools, back-office operations programs, administrative and clinical applications programs, word processing systems, electronic mail systems, World Wide Web (WWW) ...
From page 109...
... Whenever a new service is enabled (for example, a new network service or some of the newer distributed software technologies such as Java and other component-based systems), testing should be extremely thorough and careful, and conducted in networking environments that are well monitored and isolated from the overall organization until confidence in proper function is established. New component-based software tools may both facilitate the more effective organizational management of distributed software and introduce new ways to bypass system administrator security controls.
From page 110...
..., but no routine software census procedures have been put in place even after this incident.
Software Control Technologies Not Yet Deployed in Health Care Settings
Industrial, academic, and government organizations all face major problems in managing software systems across distributed computing environments.
From page 111...
... At the strongest sites, an inventory of critical systems was in place along with an evaluation of the maximum outage that can be sustained for various information resources without affecting health care. This evaluation is used as the basis for guiding the purchase of redundant processing facilities and their location within campus sites unlikely to be affected simultaneously by any but the most disastrous environmental failures.
From page 112...
... As indicated above, almost no attention is paid in current operations to protecting the content of backup media against snooping, other than physical security in the strongest sites: intruders would have to enter a physically locked facility to steal tape copies of backup information. There is no use of encryption technologies or cryptographic checksum technologies to protect backup stores against snooping or theft or to detect points at which unauthorized modifications might have been made to software or other file system content.
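The cryptographic checksum half of the gap described above, as an added example (not code from the report): a keyed integrity manifest over a backup set, so that modified, removed or added files are detected at restore or audit time. A keyed HMAC rather than a plain hash is used on the assumption that the manifest travels with the media; anyone able to alter the backup could then recompute plain checksums, but not a MAC under a key kept elsewhere. The file names, contents and key are constructed.

```python
"""Keyed integrity manifest for backup stores or installed software.

Added illustration, not code from the report. Sample files and the key are
constructed; the manifest is a dictionary of per-file HMAC-SHA256 values.
"""
import hashlib
import hmac

# Constructed sample backup set: file name -> content bytes.
BACKUP_SET = {
    "labsys/results.db": b"P001,HbA1c,6.1\nP002,K,4.0\n",
    "bin/admit.exe": b"\x7fELF...constructed binary...",
    "etc/acl.conf": b"role=physician read=chart\n",
}
# Assumption: the key lives with the backup catalogue, never on the media itself.
MANIFEST_KEY = b"example-key-held-off-media"


def build_manifest(files, key=MANIFEST_KEY):
    """Return {name: hex HMAC-SHA256 of content} for every file in the set."""
    return {name: hmac.new(key, data, hashlib.sha256).hexdigest()
            for name, data in files.items()}


def verify_manifest(files, manifest, key=MANIFEST_KEY):
    """Compare a file set against a manifest and return a sorted list of problems.

    Reports ("modified", name) for changed content, ("missing", name) for files
    the manifest lists but the set lacks, and ("unexpected", name) for files the
    manifest never recorded, where unauthorized software or data could have
    been introduced. Digest comparison is constant-time.
    """
    problems = []
    current = build_manifest(files, key)
    for name, expected in manifest.items():
        if name not in current:
            problems.append(("missing", name))
        elif not hmac.compare_digest(current[name], expected):
            problems.append(("modified", name))
    for name in current:
        if name not in manifest:
            problems.append(("unexpected", name))
    return sorted(problems)


def demo():
    """Build a manifest, then tamper with a copy of the set and verify it."""
    manifest = build_manifest(BACKUP_SET)
    tampered = dict(BACKUP_SET)
    tampered["bin/admit.exe"] = b"\x7fELF...constructed binary...altered"
    del tampered["etc/acl.conf"]
    tampered["bin/extra.exe"] = b"constructed unlisted file"
    return verify_manifest(tampered, manifest)


if __name__ == "__main__":
    for kind, name in demo():
        print(f"{kind}: {name}")
```

Running the same manifest against the untouched set yields no findings; against the tampered copy it reports the altered binary, the deleted configuration file and the unlisted addition. Verifying under the wrong key reports every file as modified, which is the intended failure mode: a manifest is only as trustworthy as the key it was computed under.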
From page 113...
... Bellovin, 1994, Firewalls and Internet Security, Addison-Wesley, Reading, Mass.; Khanna, Raman (ed.), 1993, Distributed Computing: Implementation and Management Strategies, Prentice-Hall, Englewood Cliffs, N.J.; and Neumann, Peter, 1995, Computer Related Risks, Addison-Wesley, Reading, Mass.
From page 114...
... It is unlikely that such sites would even know if intrusions into their systems had occurred.
SITE VISIT SUMMARY
Table 4.2 summarizes the various security tools, operations, and procedures the committee observed at the six health care sites visited.
From page 115...
... TABLE 4.2 Summary of Security Tools and Practices Observed During Site Visits (one column per site, A through F; the per-site marks are not reproduced here)
Authentication:
· Individual user IDs and passwords
· Token-based authentication (e.g., token plus password)
· Change passwords often
· No unencrypted passwords
· Uniform user IDs across organization
· Incentives to reduce key sharing
Access Control:
· Need to know, right to know
· Access control list technology and management
· Role-based access profiles
· Access overrides for emergencies
Audit Trails:
· Audit trails and self-audit
· Software-based audit analysis
Physical Security:
· Terminal security
· Security perimeter, network layout
· Network physical security
· Server physical security
· Secure destruction of obsolete data or equipment
Control of Links:
· Firewall
· Dial-in protections
From page 116...
... TABLE 4.2 Continued (sites A through F)
Control of Links (continued):
· Mobile access protection
· Intruder script protection
· Control Internet Protocol addresses
Encryption:
· Cryptography-based authentication
· Encrypt network traffic
· Encrypt database contents
· Digital signatures
· Document integrity
· Transaction nonrepudiation
· Encrypt backup media
Software Discipline:
· Use antivirus technology
· Checksum, validate software
· Control user software
· Control PC software loading
· Network software census
· Integrated software tools
Backup and Disaster Recovery:
· Backups, multiple storage sites
· Data content integrity
· Operations recoverability
System Self-Assessment Evaluation, Staying Technically Current:
· Run anti-intrusion programs
· Vulnerability evaluation
· Stay up on CERT alerts
· Avoid or update obsolete technologies
From page 117...
... Patient Identifiers and Techniques for Linking Records
Developing robust methods of indexing and linking patient records is critical to ensuring that providers have reliable data on which to base medical decisions. Patient-specific health care information must be bound uniquely and unambiguously to the person to whom it relates ...
From page 118...
... Names and addresses are generally inadequate as unique identifiers because they are not necessarily unique within large populations of patients. As a result, health care organizations have developed other mechanisms for generating patient identifiers.
From page 119...
... Many managed care organizations and integrated delivery systems are addressing the records-linking problem by developing master patient indexes. Such systems allow records at each affiliated institution to retain their original identifiers, but generate an overall index listing the various ...
Footnote 20: See Anderson, Ross J ...
From page 120...
... Instead of wanting to ensure payment for information access, however, health care organizations want to authenticate, authorize, and record who accessed what information and for what reason in the health care setting. One approach to this type of control may be to pursue adaptations of rights management technologies being developed to manage intellectual property rights.22 Such software controls would operate internally within provider organizations and also externally, as records pass to payers and other secondary users.
From page 121...
... Although it is unlikely that such a rights management system can be made foolproof against the most technically competent unethical user, it may provide an audit trail of access up to a point of abuse, including recording that a local copy has been made (presumably against privacy protection laws) or that an overt act to circumvent software controls had occurred.
From page 122...
... OBSTACLES TO USE OF SECURITY TECHNOLOGY
The move to computerized patient records is made more urgent by many pressures: the need to allow simultaneous access to records by various providers involved in patient care in modern streamlined clinical settings; the push toward increased cost-effectiveness, meeting the needs of highly mobile patients, regional integration of providers and referral systems, and the use of telemedicine and telecare; the push toward evidence-based care; the need to analyze outcomes and utilization; the need for better clinical research support; attempts to improve health through more thorough immunization and nutrition programs; and so on. Despite an aggressive move toward computerized health care records in recent years and ongoing parallel technological improvements, there are still many obstacles and impediments to achieving usable and secure systems.
From page 123...
... make technological interventions more acceptable by making them less of an annoyance to users; and (2) increase purchaser awareness regarding security issues, thus creating a market demand for these technologies so that vendors will integrate strong security tools in health care information system products.
From page 124...
... Effective Public-key Management Infrastructures Are Essential but Still Nonexistent
The basis for many of the features desired for security in health care information systems depends on deploying public-key cryptographic technologies: authentication, digital signatures, information integrity management, session key exchange, rights management, and so on. Trusted and effective key management is at the heart of these tools but is not a well-established process at this time.
From page 125...
... A great deal of technology already exists that can help protect health care information, but much of it has not been brought into routine practice yet. Specific technologies include strong cryptographic tools for authentication, uniform methods for authentication and access control, network firewall tools, more aggressive software management procedures, and effective use of system vulnerability monitoring tools.
From page 126...
... Distributed system technologies, including security, need to be demystified, and managers must be educated about realistic goals, alternative solutions, and operational practices to take advantage of these tools. Only in this way can the health care industry improve its practices for protecting electronic health information.

