Confidentiality, Privacy and Security C. William Hanson M.D. Professor of Anesthesiology and Critical Care CS Department Princeton University ww.cs.princeton.edu/courses/archive/spr02/cs495/Confidentiality%20Privacy%20and%20Secu

Dec 14, 2015

Confidentiality, Privacy and Security

C. William Hanson M.D.

Professor of Anesthesiology and Critical Care

CS Department

Princeton University

http://www.cs.princeton.edu/courses/archive/spr02/cs495/Confidentiality%20Privacy%20and%20Security.ppt

Privacy

• The desire of a person to control the disclosure of personal health information

Confidentiality

• The ability of a person to control release of personal health information to a care provider or information custodian under an agreement that limits further release of that information

Security

• Protection of privacy and confidentiality through policies, procedures and safeguards.

Why do they matter?

• Ethically, privacy and confidentiality are considered to be rights (in our culture)

• Information revealed may result in harm to interests of the individual

• The provision of those rights tends to ensure that the information is accurate and complete

• Accurate and complete information from individuals benefits society by limiting the spread of diseases (e.g. HIV)

Why do they matter?

• The preservation of confidentiality assists research which in turn assists patients

Users of health information

• Patient
  – Historical information for current and future care
  – Insurance claims

• MD’s
  – Patient’s medical needs
  – Documentation
  – Interface with other providers
  – Billing

Users

• Health insurance company
  – Claims processing
  – Approve consultation requests

• Laboratory
  – Process specimens
  – Results reporting
  – Billing

Users

• Pharmacy
  – Fill prescription
  – Billing

• Hospital
  – Care provision
  – Record of services
  – Billing
  – Vital statistics
  – Regulatory agencies

Users

• State bureau
  – Birth statistics
  – Epidemiology

• Accrediting organization
  – Hospital review

• Employer
  – Request claims data
  – Review claims for $ reduction
  – Benefits package adjustments

Users

• Life insurance companies
  – Process applications
  – Process claims
  – Risk assessment

• Medical information bureau
  – Fraud reduction for life insurance companies

• Managed care company
  – Process claims
  – Evaluate MD’s

Users

• Lawyers
  – Adherence to standard of practice
  – Malpractice claims

• Researcher
  – Evaluate research program

Security

• Availability

• Accountability

• Perimeter definition

• Rule-limited access

• Comprehensibility and control

Privacy solutions

• Forbid the collection of data that might be misused

• Allow the collection of health information within a structure, but with rules and penalties for violation pertaining to collecting organizations

• Generate policies to which individual information handlers must adhere

Security controls

• Management controls
  – Program management/risk management

• Operational controls
  – Operated by people

• Technical controls
  – Operated by the computer system

Management controls

• Establishment of key security policies, i.e. policies pertaining to remote access
  – Program policy
    • Definition, scope, roles and responsibilities of the computer security program
  – Issue specific policy
    • Example: Y2K
  – System specific policy
    • Who can access what functions where

Core security policies

• Confidentiality

• Email

• System access

• Virus protection

• Internet/intranet use

• Remote access

• Software code of ethics

• Backup and recovery

• Security training and awareness

Biometrics

• The scientific discipline of measuring relevant attributes of living individuals or populations to identify active properties or unique characteristics
  – Can be used to evaluate changes over time for medical monitoring or diagnosis
  – Can be used for security

Approaches to identification

• Token based simple security
  – House key, security card, transponder

• Knowledge based
  – SSN, password, PIN

• Two-factor
  – Card + PIN

[Diagram: Card + PIN; ID, Authentication; Access]

Approaches to identification

• Authoritative ID

[Diagram: ID, Authentication, Policy, Access, Audit; branches labeled T and F]

Identification

• Certain and unambiguous
  – Deterministic

• Certain with small probability of error
  – Probabilistic

• Uncertain and ambiguous

• Biometric schemes are probabilistic

Probabilistic

• False acceptance rate (type I error)
  – Percentage of unauthorized attempts that will be accepted
  – Also relevant for medical studies

• False rejection rate (type II error)
  – Percentage of authorized attempts that will be rejected
  – Also relevant for medical studies

• Equal error rate
  – Intersection of the lowest FAR and FRR
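
The three rates above, computed from match scores. This is an added example, not part of the original slides; the score lists are constructed, and a match is assumed to be accepted when its similarity score is at or above the threshold.

```python
"""FAR, FRR and equal error rate from biometric match scores (added example)."""

# Constructed similarity scores in [0, 1]; higher means a closer match to the
# enrolled template. These are illustrative values, not measurements.
GENUINE = [0.91, 0.84, 0.78, 0.95, 0.66, 0.88, 0.73, 0.59, 0.81, 0.97]
IMPOSTOR = [0.12, 0.35, 0.48, 0.22, 0.61, 0.30, 0.55, 0.41, 0.70, 0.18]


def far(impostor_scores, threshold):
    """False acceptance rate: share of unauthorized attempts that are accepted."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False rejection rate: share of authorized attempts that are rejected."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def sweep(genuine_scores, impostor_scores, steps=100):
    """Return (threshold, FAR, FRR) for thresholds 0.00, 0.01, ..., 1.00."""
    return [(i / steps,
             far(impostor_scores, i / steps),
             frr(genuine_scores, i / steps))
            for i in range(steps + 1)]


def equal_error_rate(genuine_scores, impostor_scores, steps=100):
    """Lowest threshold at which FAR and FRR are closest, and the rate there."""
    t, fa, fr = min(sweep(genuine_scores, impostor_scores, steps),
                    key=lambda row: abs(row[1] - row[2]))
    return t, (fa + fr) / 2


def threshold_for_far(genuine_scores, impostor_scores, max_far, steps=100):
    """Lowest threshold whose FAR is at most max_far, with the FRR it costs."""
    for t, fa, fr in sweep(genuine_scores, impostor_scores, steps):
        if fa <= max_far:
            return t, fr
    return None  # no threshold in the sweep meets the target


if __name__ == "__main__":
    for t, fa, fr in sweep(GENUINE, IMPOSTOR, steps=10):
        print(f"threshold={t:.1f}  FAR={fa:.1f}  FRR={fr:.1f}")
    print("EER:", equal_error_rate(GENUINE, IMPOSTOR))
    print("FAR = 0 costs:", threshold_for_far(GENUINE, IMPOSTOR, 0.0))
```

Raising the threshold lowers FAR and raises FRR, so a deployment picks its operating point by deciding which error it can least afford.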

Biometric ID

• Acquire the biometric ID
  – How do you ensure that you got the right guy

• Localize the attribute
  – Eliminate noise
  – Develop a template (reduced data set)

• Check for duplicates

Biometric applications

• Identification
  – Search the database to find out who the unknown is
  – Check entire file

• Authentication
  – Verify that the person is who he says he is
  – Check his file and match

Biometric identifiers

• Should be universal attribute

• Consistent – shouldn’t change over time

• Unique

• Permanent

• Inimitable (voice can be separated from the individual)

• Collectible – easy to gather the attribute

• Tamper resistant

• (Cheaply) comparable - template

Biometric technologies

• Fingerprint
  – Automated fingerprint ID systems (law enforcement)
  – Fingerprint recognition – derives template from features for ID
  – Validating temp and/or pulse
  – Optical vs. solid state (capacitance)
  – Low FAR and FRR

Fingerprint

Hand geometry

• Dimensions of fingers and location of joints unique

• Low FAR and FRR

Retinal scan

• Very reliable

• More expensive than hand or fingerprint

• Extremely low FAR and FRR

Retinal scan

Voice recognition

• Automatic speaker verification (ASV) vs. automatic speaker identification (ASI)
  – ASV = authentication in a two-factor scheme
  – ASI = who is speaker
  – Feature extraction and matching
  – Problems with disease/aging etc.

Iris scanning

• Less invasive than retinal scanning

• Technically challenging balancing optics, ambient light etc.

• Can be verified (live subject) by iris response to light

Face recognition/thermography

• Facial architecture and heat signature

• Relatively high FAR/FRR

• Useful in two factor scenarios

Hand vein

• Infrared scanning of the architecture of the hand vessels

Signature

• Architecture of the signature

• Dynamics of the signature (pressure and velocity)

Biometric identification issues

• Privacy, anonymity

• Legal issues not defined

Security: availability

• Ensures that accurate, up-to-date information is available when needed at appropriate places

Security: accountability

• Ensures that users are responsible for their access to and use of information based on a documented need and right to know

Security: perimeter definition

• Allows the system to control the boundaries of trusted access to an information system both physically and logically

Security: rule-limited access

• Enables access for personnel to only that information essential to the performance of their jobs and limits the real or perceived temptation to access information beyond a legitimate need

Security: comprehensibility and control

• Ensures that record owners, data stewards and patients can understand and have effective control over appropriate aspects of information confidentiality and access

Availability

• Backups with local and off-site copies of the data

• Secure housing and power sources for CPU even during disasters (when system availability may be crucial)

• Virus protection

Accountability

• Audit trails and warnings

• User
  – Authentication – unique ID process
  – Authorization – to perform set of actions, i.e. access only their own patients

Perimeter definition

• System knows users and how they are using the system
  – Define the boundaries of the system (i.e. within the firewall) Princeton-Penn-HUP
  – How do you permit/monitor off-site access
  – Modems?

• Tools
  – Cryptographic authentication

Perimeter definition

• Public key-private key
  – Encryption
    • Privacy and confidentiality
  – Digital signatures
    • Prescription signature
  – Content validation
    • Message hasn’t been messed with
  – Nonrepudiation
    • “I didn’t say that”

Role limited access

• Spheres of access
  – Patient list: patients one has a role in the care of
  – Content specific: billing clerk/billing info
  – Relevant data: researcher on heart disease shouldn’t be able to learn about HIV status
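
The accountability and role-limited access slides combined into one check: every read is authorized against the three spheres of access and recorded in an audit trail. This is an added example, not part of the original slides; the roles, section names, patient ids and record contents are hypothetical.

```python
"""Role-limited record access with an audit trail (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample data: patient ids, roles and section names are hypothetical.
RECORDS = {
    "pt-001": {"demographics": "F, 58", "cardiology": "MI 1999",
               "hiv_status": "negative", "billing": "claim 17 open"},
    "pt-002": {"demographics": "M, 41", "cardiology": "normal ECG",
               "hiv_status": "positive", "billing": "paid"},
}

# Content-specific sphere: the record sections each role may read.
ROLE_SECTIONS = {
    "physician": {"demographics", "cardiology", "hiv_status"},
    "billing_clerk": {"demographics", "billing"},
    "heart_researcher": {"cardiology"},  # relevant data only, no HIV status
}
# Patient-list sphere: these roles see only patients they have a role in caring for.
CARE_ROLES = {"physician"}


@dataclass(frozen=True)
class User:
    user_id: str                      # unique ID established at authentication
    role: str
    patients: frozenset = frozenset()


def authorize(user, patient_id, section):
    """Return (allowed, rule) for one read request."""
    if patient_id not in RECORDS:
        return False, "unknown patient"
    if section not in ROLE_SECTIONS.get(user.role, set()):
        return False, "section outside role"
    if user.role in CARE_ROLES and patient_id not in user.patients:
        return False, "patient not on user's list"
    return True, "ok"


def read_section(user, patient_id, section, reason, audit_log):
    """Read one section; every attempt, allowed or not, is appended to the log."""
    allowed, rule = authorize(user, patient_id, section)
    audit_log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user.user_id, "role": user.role, "patient": patient_id,
        "section": section, "reason": reason, "allowed": allowed, "rule": rule,
    })
    if not allowed:
        raise PermissionError(f"{user.user_id}: {rule}")
    return RECORDS[patient_id][section]


def who_saw(audit_log, patient_id):
    """List (user, section, reason) for every successful read of one record."""
    return [(e["user"], e["section"], e["reason"])
            for e in audit_log if e["patient"] == patient_id and e["allowed"]]


def denial_warnings(audit_log, max_denials=2):
    """User ids with more than max_denials refused requests, for review."""
    counts = {}
    for e in audit_log:
        if not e["allowed"]:
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return sorted(u for u, n in counts.items() if n > max_denials)
```

Logging refused requests as well as granted ones is what lets the audit trail produce warnings rather than only a history.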

Taxonomy of organizational threats

• Motive
  – Health records have economic value to insurers, employers, journalists, enemy states etc.
  – Curiosity about the health status of friends, romantic interests, coworkers or celebrities
  – Clandestine observation of employees (GE)
  – Desire to gain advantage in contentious situations (divorce)

Resources

• Attackers may range from
  – Individuals
  – Small group (e.g. law firm)
  – Large group (e.g. insurer, employer)
  – Intelligence agency
  – Organized crime

Initial access

• Site access

• System authorization

• Data authorization

[Diagram: Site, System and Data access; labels: Worker, Billing clerk, Computer vendor, MD, RN]

Technical capability

• Aspiring attacker (limited skills)
  – Research target
  – Masquerade as an employee
  – Guess password
  – Dumpster diving
  – Become temporary employee

Technical capability

• Script runner
  – Acquire software from web-sites for automated attacks

• Accomplished attacker
  – Able to use scripted or unscripted (ad-hoc) attacks

Levels of threat

• Threat 1
  – Insiders who make “innocent” mistakes and cause accidental disclosure
  – Elevator discussion, info left on screen, chart left in hallway etc.

• Threat 2
  – Insiders who abuse their privileges

Threat

• Threat 3
  – Insiders who access information inappropriately for spite or profit
  – London Times reported that anyone’s electronic record could be obtained for $300

• Threat 4
  – Unauthorized physical intruder
  – Fake labcoat

Threats

• Threat 5
  – Vengeful employees or outsiders bent on destruction or degradation, e.g. deletion, system damage, DoS attacks
  – Latent problem

Countering threats

• Deterrence
  – Create sanctions
  – Depends on identification of bad actors

• Imposition of obstacles
  – Firewalls
  – Access controls
  – Costs, decreased efficiency, impediments to appropriate access

Countermeasures

Type  System  Data  Site  Threat                             Counter
1     Y       Y     Y     Mistake                            Org and technical measures
2     Y       Y     N/A   Improper use of access privileges  Authentication and auditing
3     Y       N     N/A   Unauthorized for spite or money    Authentication and auditing
4     Y       N     Y     Unauthorized physical intrusion    Physical security and access control
5     Y       N     N     Technical break-in                 Authentication, access and crypto

Counter threat 1

• Behavioral code

• Screen savers, automated logout

• ? Patient pseudonyms

Counter threat 2

• Deterrence

• Sanctions

• Audit

• Encryption (user must obtain access keys)

Counter threat 3

• Audit trails

• Sanctions appropriate to crime

Counter threat 4

• Deterrence

• Strong technical measures (surveillance tapes)

• Strong identification and authentication measures

Counter threat 5

• Obstacles

• Firewalls

Issues with countermeasures

• Internet interface

• Legal and national jurisdiction

• Best balance is relatively free internal environment with strong boundaries
  – Requires strong ID/auth

Recommendations

• Individual user ID and authentication
  – Automated logout
  – Password discipline

• Access controls
  – Role limited
  – Role definitions
    • Cardiologist vs. MD

• Audit trails

Recommendations

• Physical security and disaster recovery
  – Location of terminals
  – Handling of paper printouts

• Remote access points
  – VPN’s
  – Encrypted passwords
  – Dial-ins

Recommendations

• External communications
  – Encrypt all patient related data over publicly available networks

• Software discipline
  – Virus checking programs

• System assessment
  – Run scripted attacks against one’s own system

Recommendations

• Develop security and confidentiality policies
  – Publish
  – Committees
  – ISO’s
  – Sanctions

• Patient access to audit logs
  – Who saw my record and why

Future recommendations

• Strong authentication
  – Token based authentication (two factor)

• Enterprise wide authentication
  – One-time login to authorized systems

• Access validation
  – Masking

• Expanded audit trails

• Electronic signatures

Universal patient identifier

• Methodology should have an explicit framework specifying linkages that violate patient privacy

• Facilitate the identification of parties that make improper linkages

• Unidirectional – should facilitate helpful linkages of health records but prevent identification of the patient from health records or the identifier

Implications of the Health Insurance Portability and Accountability Act of 1996

Mark Weiner, M.D.

Assistant Professor of Medicine

University of [email protected]

Computer Science 495

Special Topics in CS: Medical Informatics

February 21, 2002

http://www.cs.princeton.edu/courses/archive/spr02/cs495/HIPAA-princeton.ppt

What is HIPAA

• Health Insurance Portability and Accountability Act of 1996

• Proposed by Sen. Edward Kennedy (D-MA) and Nancy Kassebaum (R-KS)
  – Focused on issues involving
    • obtaining new insurance at new job with pre-existing conditions
    • protection from fraud
    • administrative simplification
      – Electronic transmittal of data for billing purposes
      – Privacy issues related to transmission of clinical data

What Information is covered under HIPAA

• Personal Health Information (PHI)
  – Anything that can potentially identify an individual

Name

Zip code of more than 3 digits

Dates (except year)

Telephone and fax numbers

Email addresses

Social Security Numbers

Medical Record Numbers

Health Plan Numbers

License numbers
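
A de-identification pass built from the identifier list on this slide. This is an added example, not part of the original slides; it covers only the identifiers listed here, and the field names, the sample record and the US-style text formats are assumptions.

```python
"""De-identify a record against the identifier list on the slide (added example)."""
import re
from datetime import date

# Hypothetical field names for the identifiers the slide lists.
DROP_FIELDS = {"name", "phone", "fax", "email", "ssn", "mrn",
               "health_plan_no", "license_no"}
DATE_FIELDS = {"birth_date", "admit_date"}

# Free-text rules, applied in order. US-style formats are assumed. Names and
# zip codes inside free text are not caught by patterns and need review.
TEXT_RULES = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    ("email", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
    ("phone", re.compile(r"(?:\(\d{3}\) ?|\b\d{3}[ .-])\d{3}[ .-]\d{4}\b"), "[PHONE]"),
    ("date", re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b"), r"\1"),  # keep year only
    ("date", re.compile(r"\b(\d{4})-\d{2}-\d{2}\b"), r"\1"),      # ISO date -> year
]

SAMPLE = {  # constructed record, not real patient data
    "name": "Jane Doe", "mrn": "MRN-0042", "ssn": "123-45-6789",
    "phone": "609-555-0134", "email": "jane.doe@example.org",
    "zip": "08544", "birth_date": date(1961, 7, 4), "admit_date": "2002-02-21",
    "diagnosis": "hypercholesterolemia",
    "note": "Seen 02/21/2002. Call 609-555-0134 or jane.doe@example.org; "
            "SSN 123-45-6789 on file.",
}


def scrub_text(text):
    """Replace identifiers embedded in free text with placeholders."""
    for _name, pattern, replacement in TEXT_RULES:
        text = pattern.sub(replacement, text)
    return text


def _year(value):
    """Reduce a date object or ISO date string to its year."""
    return value.year if isinstance(value, date) else int(str(value)[:4])


def deidentify(record):
    """Drop direct identifiers, keep 3 zip digits, reduce dates to the year."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue
        if key == "zip":
            out["zip3"] = str(value)[:3]
        elif key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = _year(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out


def leaks(record):
    """Names of text rules that still match any string value (release check)."""
    found = set()
    for value in record.values():
        if isinstance(value, str):
            found.update(n for n, p, _ in TEXT_RULES if p.search(value))
    return sorted(found)


if __name__ == "__main__":
    clean = deidentify(SAMPLE)
    print(clean)
    print("remaining pattern hits:", leaks(clean))
```

Running `leaks` on the output before release catches identifiers that arrive in fields the structured rules did not anticipate.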

Privacy vs. Security

• Privacy
  – Administrative mechanisms that govern the appropriate use and access to data
    • Not all hospital employees need to know everything about a patient

• Security
  – Technical mechanisms to ensure privacy
    • Don’t have a fax machine that receives personal information in a public place
    • Encrypt electronic communications

Privacy before HIPAA

4th Amendment (…secure in their persons, houses, papers and effects against unreasonable searches and seizures…)

Fair Credit Reporting Act (1970)

Privacy Act (1974)

Family Educational Rights and Privacy Act (1974)

Right to Financial Privacy Act (1978)

Privacy Protection Act (1980)

Electronic Communications Privacy Act (1986)

Video Privacy Protection Act (1988)

Employee Polygraph Protection Act (1988)

Telephone Consumer Protection Act (1991)

Driver’s Privacy Protection Act (1994)

Telecommunications Act (1996)

Children’s Online Privacy Protection Act (1998)

Identity Theft and Assumption Deterrence Act (1998)

Gramm-Leach-Bliley Act (1999)

Gaps in privacy protection

• Most of the preceding laws protect aspects of personal information (mostly financial), but not Health Information

• Inconsistent State laws exist for protection of information regarding certain health conditions -- HIV, Mental Illness, Cancer

Concern about loss of Privacy

• 1998 National Survey
  – 33% concerned about the amount of information being requested from various sources
  – 55% VERY concerned

• 1995 Survey
  – 80% agreed with statement that they had lost all control of their medical information

Concern About Loss of Privacy

• 1999 Survey
  – What issues concerned them the most in the coming century?
    • 29% listed “Loss of Personal Privacy” as 1st or 2nd concern
    • 23% or less selected terrorism, world war, global warming

Concern About Loss of Privacy

• Internet usage (1999 survey)
  – 82% have used a computer
  – 64% have used the internet
  – 58% have sent e-mail
  – 59% worry that an unauthorized person will gain access to their information
  – 75% of people visiting health sites are concerned that information is being shared

Concern About Loss of Privacy

• Electronic Medical Records/Data Banks
  – 75% express concern about insurance companies putting information about them in a database accessible by others
  – 35% of Fortune 500 companies look at medical records before making hiring or promotional decisions

Concern About Loss of Privacy

• Genetic information
  – 85% concerned that insurers and employers may gain access to personal genetic information
  – 63% would not take genetic screening tests if the information was going to be shared with insurers and employers
  – 32% of eligible people refused to have genetic testing for breast cancer risk because of privacy concerns

Are These Privacy Concerns Unfounded?

• 1999: A Michigan-based Health System accidentally posted medical records of thousands of patients on the Internet

• A Utah-based pharmacy benefits management company used patient data to solicit business for its parent company -- a drug store

Are These Privacy Concerns Unfounded?

• Health Insurance Claims forms blew out of a truck on its way to a recycling center

• A patient in a Boston-area hospital discovered that her medical record had been read by more than 200 hospital employees

• A Nevada woman purchased a used computer that still had prescription records from the pharmacy that formerly owned the computer

Are These Privacy Concerns Unfounded?

• Johnson and Johnson markets a list of 5 million names and addresses of elderly incontinent women

• A few weeks after undergoing a blood test, an Orlando woman received a letter from a drug company promoting their treatment for high cholesterol

Are These Privacy Concerns Unfounded?

• A banker who also sat on a county health board identified people with cancer and called in their mortgages!

• A physician diagnosed with AIDS had his surgical privileges suspended (Medical Center of Princeton)

• A newspaper published the history of psychiatric treatment and suicide attempt of congressional candidate

Why does electronic communication increase privacy concerns?

• Problems with paper charts - Messy, difficult to find, one physical copy - all make it harder to acquire and disseminate information

• Electronic documents can be intentionally or unintentionally transmitted to thousands of people at once

What is HIPAA designed to do?

• Give patients more control over use of data

• Set boundaries on uses and disclosures of data

• Establish safeguards to protect data

• Establish accountability for privacy breaches

• Balance privacy with social responsibility

HIPAA Timeline

• 1996 - HIPAA Signed into law

– Privacy regulations not specified

– Congress was to enact laws and policy regarding privacy by 1999

– If Congress failed to develop standards, task would fall to Department of Health and Human Services (DHHS)

• 1999 - DHHS becomes responsible for developing privacy regulations

HIPAA Timeline

• 1999 - DHHS proposes privacy standards and opens them up for public comment

• 1999-2000 DHHS receives 50,000 comments on regulations

• December 2000 - DHHS publishes “Final Privacy Rule”

• February 2001 - Enactment of Final Rule delayed because of “administrative difficulties.” Further public comment requested

HIPAA Timeline

• April 2001 - Privacy Rule implementation phase begins

• April 2003 - Deadline for covered entities to complete implementation plan

HIPAA Stipulations for Using and Releasing Information

• Notification

• Consent

• Authorization

HIPAA Stipulations for Using and Releasing Information

• Notification

– Informing patients in simple language regarding the manner in which their data is handled

HIPAA Stipulations for Using and Releasing Information

• Consent – one time, general agreement to use the patient’s information in treatment, for payment, or for “healthcare operations”

– Lasts indefinitely, necessary for treatment

– Sharing information between primary care physician and consulting specialist

– Regulations allow provision of care to be conditioned on patient’s consent to use information for payment purposes.

HIPAA Stipulations for Using and Releasing Information

• Authorization – limited in time and scope

– Non-routine purpose

– Example: Patient is actively participating in a research protocol and personal health information will be shared with a clinical service or university

Health-related activities covered by HIPAA

• Health Care

• Billing

• Marketing

• Fund Raising

• Research

HIPAA In Health Care

• Consent to release information to insurance carriers for billing purposes

• Primary and consulting physicians given full access to record for treatment purposes

• Hospital Staff provided “minimum necessary” information to conduct business

• Laboratories and Radiology offices can use information for billing purposes

• Stipulations about auditing of who has seen/used what information
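The auditing of who has seen or used what information can be illustrated with a review of a record-access log. This is an added example, not part of the original slides; the log layout, user names, care-team table and viewer threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log: (user, role, patient_id, scope of record opened).
ACCESS_LOG = [
    ("dr_adams", "physician", "P001", "full"),
    ("dr_baker", "physician", "P001", "full"),
    ("clerk_cho", "billing", "P001", "billing"),
    ("clerk_cho", "billing", "P001", "full"),
    ("nurse_diaz", "staff", "P002", "full"),
    ("dr_adams", "physician", "P002", "full"),
]

# Constructed table of primary and consulting physicians per patient.
CARE_TEAM = {"P001": {"dr_adams", "dr_baker"}, "P002": {"dr_adams"}}


def review_access(log, care_team, max_viewers=2):
    """Return (violations, crowded) for an access log.

    violations: full-record reads by users outside the patient's care team,
                i.e. more than the "minimum necessary" for their job.
    crowded:    patients whose record was opened by more distinct users
                than max_viewers (an assumed threshold), for manual review.
    """
    violations = []
    viewers = defaultdict(set)
    for user, role, patient, scope in log:
        viewers[patient].add(user)
        # Only treating physicians are entitled to the full record.
        if scope == "full" and user not in care_team.get(patient, set()):
            violations.append((user, role, patient))
    crowded = sorted(p for p, users in viewers.items()
                     if len(users) > max_viewers)
    return violations, crowded


if __name__ == "__main__":
    bad_reads, busy_records = review_access(ACCESS_LOG, CARE_TEAM)
    for user, role, patient in bad_reads:
        print(f"full-record read outside care team: {user} ({role}) -> {patient}")
    print("records with many distinct viewers:", busy_records)
```
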

HIPAA In Health Care

• Fax machines

• Hospital information networks

• E-mail

• Physical security of computer hardware

Research under HIPAA

• Continues as before when appropriate informed consent is obtained from subjects.

• Special consideration necessary when using data without explicit consent of subjects

– Few restrictions when using de-identified data on populations of patients (no names, SSNs, addresses, birthdates; populations must have substantial size)

– Oversight required to use identifiable data
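The two conditions for de-identified data, removed identifiers and a population of substantial size, can be shown as field stripping plus small-cell suppression. This is an added example, not part of the original slides and not the regulatory de-identification standard; the field names, sample rows and the `min_cell` threshold are constructed assumptions.

```python
from collections import Counter

# Constructed sample rows; field names are assumptions for this example.
FIELDS = ("name", "ssn", "address", "birthdate", "gender", "diagnosis")
_ROWS = [
    ("A. Jones", "000-00-0001", "1 Elm St", "1950-03-02", "F", "diabetes"),
    ("B. Smith", "000-00-0002", "2 Oak St", "1948-07-19", "F", "diabetes"),
    ("C. Brown", "000-00-0003", "3 Ash St", "1961-11-30", "F", "diabetes"),
    ("D. White", "000-00-0004", "4 Fir St", "1955-01-12", "M", "diabetes"),
    ("E. Green", "000-00-0005", "5 Bay St", "1972-05-05", "F", "asthma"),
]
PATIENTS = [dict(zip(FIELDS, row)) for row in _ROWS]

# The identifiers the slide lists: names, SSNs, addresses, birthdates.
DIRECT_IDENTIFIERS = ("name", "ssn", "address", "birthdate")


def deidentify(record):
    """Return a copy of the record without the direct identifiers."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def population_counts(records, group_by, min_cell=3):
    """Count de-identified records per group and suppress small groups.

    A group smaller than min_cell (an assumed stand-in for "substantial
    size") is reported as None, since a count of one or two people can
    point back to an individual even without a name attached.
    """
    leaked = [f for f in group_by if f in DIRECT_IDENTIFIERS]
    if leaked:
        raise ValueError(f"cannot group by identifier fields: {leaked}")
    counts = Counter(
        tuple(deidentify(r)[f] for f in group_by) for r in records
    )
    return {g: (n if n >= min_cell else None) for g, n in counts.items()}


if __name__ == "__main__":
    for group, n in population_counts(PATIENTS, ("gender", "diagnosis")).items():
        print(group, "suppressed" if n is None else n)
```
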

Research under HIPAA

• Patient consent NOT required with identifiable data when all of the following are true:

– IRB approves protocol and use of data

– use or disclosure of data presents minimal risk

– will not affect privacy and welfare of individual

– consent process impractical

– research could not be conducted without information

– plan exists to protect identifiers from improper use and disclosure

– Data will not be reused for other purposes without authorization from IRB

HIPAA in Research Summary

• Little oversight needed for de-identified, population-based data

• IRB authorization required to access identifiable patient information

• Duty to inform patients regarding research uses of their data

• Audit trails of information access for research

• ??? Responsibilities when initiating patient contact based on knowledge of personal information

Accountability

• Civil penalties

– Violation of standards will be subject to penalties of $100 per violation, up to $25,000 per person, per year for each requirement or prohibition violated.

Accountability

• Federal criminal

– up to $50,000 and one year in prison for obtaining or disclosing protected health information

– up to $100,000 and up to five years in prison for obtaining protected health information under “false pretenses”

– up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.

Penn’s High Level Approach to HIPAA

• Identify organizational components and communication links relevant to Health Care

– Define which components of health information can be transmitted among which components

– Set up secure communication strategy among components (intranets, firewalls, encryption)

University of Pennsylvania Health System

• 4 owned hospitals

– Hospital of the University of Pennsylvania

– Presbyterian Medical Center

– Pennsylvania Hospital

– Phoenixville Hospital

• 65 owned primary care ambulatory practices (Community Care Associates)

University of Pennsylvania Health System

• Owned by the University of Pennsylvania, which also has other related health care entities

– Nursing school

– Dental School

– Student Health Service

– Counseling

The overlapping lines of communication

[Diagram. Labels: University (Hybrid Entity); “Health Care Component”; Covered Entity within Hybrid; SOM; SON; SODM; CPUP; HUP; PAH; PMC; PHX; CCA; CHOP; VA; St. Luke’s; Holy Redeemer; Penn Friends; ORA (IRBs); Athletics; Student Health; Counseling; Wharton; LDI; CTT; School of Social Work; Wistar; Cancer Network; Independent Medical Staffs – PAH, PMC, PHX; Others. Legend: Hybrid, ACEs, OHCAs.]

Penn’s Approach to Research Data Use

• Research requires data!

• Not all research requires personal identifiers

• Personal identifiers are often necessary to validate and integrate data from different systems

• Identifiers are often necessary to conduct retrospective research

Penn has a Research Database

• Pennsylvania

• Integrated

• Clinical and

• Administrative

• Research

• Database

The PICARD System

Data Integration and Access

[Diagram. Components: IDX; SMS; Cerner; Dept system; Data Warehouse (Oracle 8.1.5 on DEC Alpha DS20); Application Server (Apache); Web Clients; MS Access. Connection labels: FTP; Oracle Sql*Net8; HTML; ODBC; Oracle Tools.]

Available Data

• Ambulatory Data

– Primary and subspecialty care data -- Jan 1997 - May 2001

– Patient information

• Location

• Gender

• Race

• Birthdate

• Insurance carrier

Available Data

• Inpatient data

– Patient information

– Admission Detail - 1988-1999 for HUP and Presby

• Admission, DC dates, LOS

• Diagnoses

• Procedures for recent admissions

• Charges for procedures/room/medicine etc.

Available Data

• Laboratory

– 75 common chemistries, hematology and serology results since August, 1997

• Cardiology testing

– Stress test, cath, echo results

• Pharmacy

– Limited population

• Pulmonary Function test data

Penn’s Approach to Research Data Use

• Minimal oversight

– Information regarding a provider’s own patients

– Determination of numbers of patients meeting specified criteria

• IRB approval

– Release of Medical Record numbers for additional chart review

• IRB and “PAC” review

– Required before patient contact initiated

Administrative Issues in Data Use

• Steps to contact patients through a targeted approach for potential enrollment in research

– Our office generates lists of potentially eligible patients

– Lists forwarded to primary care provider (PCP)

• Discretion if provider needs to contact patient

– PCP returns lists of authorized patients to our office

– Investigator receives list of authorized patients

– Investigator contacts patients in the context of the PCP

Research Data Use vs Patient Contact

• Additional authorization from primary care provider required before contacting patients

– Labor intensive process

– Can we delegate responsibility for obtaining authorization to investigator?

– Does patient have to be contacted by provider and affirm interest in study participation prior to being contacted by investigators?

Questions for discussion

• Should we allow patients to opt out of allowing their data to be used in research, even without personal identifiers?

• Do we allow patients to refuse directed contact regarding research participation? If so, for how long?

• Federal law vs. “6:00 news” law

Resources

• HIPAA Administrative Simplification:

– http://aspe.hhs.gov/admnsimp/

• HIPAA Privacy:

– http://www.hhs.gov/ocr/hipaa/

• Workgroup on Electronic Data Interchange Strategic National Implementation Process:

– http://snip.wedi.org/

• American Association of Medical Colleges

– http://aamc.org/members/gir/gasp