Medical Data: It’s Only Sensitive If It Hurts When You Touch It
Daniel Masys, M.D., Director of Biomedical Informatics, UCSD School of Medicine, Professor of Medicine
[email protected]
PORTIA Sensitive Data Workshop
• A brief history of confidentiality and information security in healthcare: Hippocrates to HIPAA
• Security vulnerabilities in healthcare settings
• Why is this so hard to do?
• Models for medical information access
“What I may see or hear in the course of treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep to myself holding such things shameful to be spoken about.”
- Hippocrates
Professional Ethics
• AMA Principles of Medical Ethics (sect. 4, 1920 edition): “A physician shall respect the rights of patients…, and shall safeguard patient confidences within the constraints of the law”
• Many state medical boards incorporated professional society ethics codes into medical practice acts
Legal Context
• Right to control one’s bodily integrity
• Right to control one’s interpersonal relationships
• Utility or instrumental value is trust between patient and physician.
HIPAA Rules (Health Insurance Portability and Accountability Act of 1996)
• 1996 Health Privacy Legislation with 1999 Congressional action deadline
• Congress failed to enact legislation
• Secretary of HHS required to issue regulations for medical data privacy and security
• “Covered entities” compliance with Privacy Rule effective April, 2003, small health plans by April 2004
• Compliance with HIPAA Security Rule for electronic systems containing Protected Health Information (PHI) required April, 2005
HIPAA, not HIPPA :-)
“Misspelling is not a violation of the Rule”
- Director, US Office of Civil Rights, speaking at UCSD, 2/5/03
HIPAA Definitions
• Health information means any information, whether oral or recorded in any form or medium, that: 1) Is created or received by a health care provider…, and; 2) Relates to past, present, or future physical or mental health or condition of an individual…or provision of health care…or payment for provision of health care.
for HIPAA compliance.
• Protected Health Information (PHI) - information generated in the course of providing healthcare that can be uniquely linked to them
• Information “use” = use within organization
• Information “disclosure” = release outside of organization
• Gives individuals the right to:
– A written notice of information practices from health plans and providers
– Inspect and copy their Protected Health Info
– Obtain a record of disclosures
– Request amendments to their medical records
– Have reasonable requests for confidential communications accommodated
– Request restrictions on uses and disclosures
– Complain about violations to the covered entity and to HHS
Overview of effects of HIPAA Privacy Rule
• Requires covered entities to:
– Make a good faith effort to get signed acknowledgement of information practices related to Protected Health Information (PHI) used in treatment, payment and operations (TPO)
– Obtain authorization for special additional uses of PHI
– Designate a privacy official
– Develop policies and procedures (including receiving complaints)
– Provide privacy training to their workforce
– Develop a system of sanctions for employees who violate the safeguards to protect privacy
Overview of effects of HIPAA Privacy Rule
The ‘spirit’ of HIPAA
• Protected Health Information (PHI = person identifiable) must be managed with the same attention to consent for use, access control, and documentation of actions performed as are currently applied to physical objects such as tissue.
• Access to PHI is based on the general principle of “need to know” and “minimum necessary” rather than professional role
• Affects HIPAA Covered Entities that maintain Protected Health Information (PHI) in electronic form
• Directs CE’s to ‘develop, implement, maintain, and document’ security measures, and keep them current.
• Scalable: burden relative to size and complexity of healthcare organization
• Not linked to specific technologies, and anticipates future changes in technology
• Unlike Privacy Rule, affects only electronic information
• Applies security principles well established in other industries
HIPAA Security Rule: Functional areas
• Information Availability
• Protection against unauthorized:
Covered entities are required to:
• Assess potential risks and vulnerabilities
• Protect against threats to information security or integrity, and against unauthorized use or disclosure
• Implement and maintain security measures that are appropriate to their needs, capabilities and circumstances
• Ensure compliance with these safeguards by all staff
Security Vulnerabilities in Healthcare Settings
• Unintentional disclosures
• Well-intentioned but inappropriate
Data mining as confidentiality threat
Latanya Sweeney, MIT, 1997
Uniqueness in Cambridge voters
  Birth date alone               12%
  Birth date & gender            29%
  Birth date & 5-digit ZIP       69%
  Birth date & full postal code  97%
Birth date includes month, day and year. Total 54,805 voters.
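To make the re-identification risk behind Sweeney’s table concrete, here is an added example (not from the talk) that measures, over a small constructed roster of fictitious people, how the share of uniquely identifiable records rises as quasi-identifiers are combined, and how coarsening the birth date to a year lowers it. The roster, column names and resulting percentages are constructed for illustration only.

```python
from collections import Counter
from typing import Callable, Dict, List, Sequence, Tuple

# Constructed sample roster (fictitious people, not the Cambridge voter list):
# (birth_date, gender, zip5, zip9). Values are made up for illustration.
VOTERS: List[Tuple[str, str, str, str]] = [
    ("1961-03-14", "F", "02138", "02138-1104"),
    ("1961-03-14", "M", "02139", "02139-2210"),
    ("1961-03-14", "F", "02138", "02138-1105"),
    ("1972-11-02", "M", "02138", "02138-3301"),
    ("1972-11-02", "M", "02140", "02140-3302"),
    ("1985-07-30", "F", "02140", "02140-1500"),
    ("1985-07-30", "F", "02140", "02140-1500"),
    ("1961-09-01", "M", "02141", "02141-0020"),
]
COLUMNS = {"birth_date": 0, "gender": 1, "zip5": 2, "zip9": 3}


def quasi_key(record: Sequence[str], attrs: Sequence[str]) -> Tuple[str, ...]:
    """The combination of quasi-identifier values a linking attack would match on."""
    return tuple(record[COLUMNS[a]] for a in attrs)


def unique_fraction(records: Sequence[Sequence[str]], attrs: Sequence[str]) -> float:
    """Fraction of records whose quasi-identifier combination occurs exactly once,
    i.e. the share of people an external file with these fields could single out."""
    counts = Counter(quasi_key(r, attrs) for r in records)
    unique = sum(1 for r in records if counts[quasi_key(r, attrs)] == 1)
    return unique / len(records)


def k_anonymity(records: Sequence[Sequence[str]], attrs: Sequence[str]) -> int:
    """Size of the smallest group sharing the same quasi-identifier values
    (k = 1 means at least one person is uniquely identifiable on these attributes)."""
    counts = Counter(quasi_key(r, attrs) for r in records)
    return min(counts.values())


def generalize(records: Sequence[Sequence[str]],
               transforms: Dict[str, Callable[[str], str]]) -> List[Tuple[str, ...]]:
    """Coarsen quasi-identifiers before release (e.g. full birth date -> year,
    9-digit ZIP -> 5-digit) and return the transformed records."""
    out = []
    for r in records:
        row = list(r)
        for attr, fn in transforms.items():
            row[COLUMNS[attr]] = fn(row[COLUMNS[attr]])
        out.append(tuple(row))
    return out


def uniqueness_table(records, attr_sets):
    """Per attribute set: (unique fraction, k); the same shape as Sweeney's table."""
    return {tuple(a): (unique_fraction(records, a), k_anonymity(records, a)) for a in attr_sets}


if __name__ == "__main__":
    sets = [["birth_date"], ["birth_date", "gender"], ["birth_date", "zip5"], ["birth_date", "zip9"]]
    for attrs, (frac, k) in uniqueness_table(VOTERS, sets).items():
        print(f"{' & '.join(attrs):28s} unique={frac:5.1%}  k={k}")
    # Mitigation: releasing only the birth year removes every singleton in this roster
    coarse = generalize(VOTERS, {"birth_date": lambda d: d[:4]})
    print("birth year & gender:", uniqueness_table(coarse, [["birth_date", "gender"]]))
```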
Information Security Elements
• Availability - when and where needed
• Authentication - a person or system is who they purport to be (preceded by Identification)
• Access Control - only authorized persons, for authorized uses
• Confidentiality - no unauthorized information disclosure
• Integrity - Information content not alterable except under authorized circumstances
• Attribution/non-repudiation - actions taken are reliably traceable
Why is this so hard in healthcare contexts?
1. The nature of biomedical data
The nature of biomedical data
• Variable levels of sensitivity; “sensitive” is in the eye of multiple beholders, and highly context-dependent
• No bright line between person-identifiable and “anonymous” data
– So inherently rich in attributes that re-identification potential never reaches zero
• Genome as Future Diary: An individual’s medical data may have implications for other family members who have much different values and preferences, and for future generations
Why is this so hard?
1. The nature of biomedical data
2. Complex interpersonal and organizational roles with respect to data
Complex roles: entities with justifiable (and variable) rights to medical data
• First order role definitions:
Why is this so hard?
1. The nature of biomedical data
2. Complex interpersonal and organizational roles with respect to data
3. Patients who wish to exercise control over access to their data seldom understand the implications of their decisions
4. Personal preferences regarding data access change, sometimes suddenly
5. “Privacy Fundamentalism” – irrational political forces (“Nothing about me without me”) block efficient systems approaches
6. Differing perceptions of risk and benefit
“$995. This wonderful videocamera can be yours if you’ll just send us your Visa or MasterCard”
- World Wide Web
Patient-Centered Access to Secure Systems Online
A National Library of Medicine Telemedicine Research Contract
Dixie Baker, Ph.D., Chief Scientist, Center for Information Security Technology, Science Applications International Corp.
Daniel R. Masys, M.D., Director of Biomedical Informatics, University of California, San Diego
[Figure: screenshot of a lab results display showing Hb 13.2, Hct 38.0, WBC 4.2]
Patient-Centered Access to Secure Systems Online (PCASSO)
Design Goals
• To enable secure use of the Internet to access sensitive patient information
• To enable providers AND patients to view medical data online
• To develop a published, verifiable high-assurance architecture
– Not proprietary
– No “black box” or trade secret security
PCASSO functions
• Protect healthcare information at multiple levels of sensitivity
• Authorize user actions based on familiar healthcare roles
• End-to-end user accountability
• Empower consumers to access their own medical records
• Patient viewable audit trails
• Automated e-mail notification of records changes
• Security protection extended to user PC
• 53 patients enrolled as of 9/30/99 (started June, 1999)
• Enrollment criteria:
– Age 18 or older
– Receive health care from UCSD
– One or more visits in past 6 months
– Primary care physician co-signs consent
Differing user perceptions of multi-step login
Patient Comments on PCASSO
• “Love this program and really is super easy to use”
• “I was at the lab this morning and some results are posted already…very impressed”
• “Thank you for this ‘peek’ into our own medical records. So often patients seem to feel at the mercy of the HMO’s and at least this may alieviate <sic> some of that distrust.”
• “As one who has always been involved in my health care decisions, I value that I have access to this information. Great system, I find it very user friendly and feel very confident that my privacy is maintained at all times…”
Provider Comments on PCASSO
• “The Kremlin is easier to get into.”
• “I signed on once, and have suffered enough.”
• “Unfortunately it’s so cumbersome to use that it is virtually useless.”
• “…security is too tight…I will keep on using my cable modem and PC Anywhere to get into my office computer and then access labs that way.”
• “It would be wonderful when patients call me in the evenings & weekends to be able to punch up their info on my home pc and have instant access to their lab results, X-rays, medications, etc.”
• “...It’s incredibly handy to have this stuff available on the Internet. Nice work.”
Desiderata for electronic consent in healthcare
1. Permits access to health data by checking that patient consent exists for the information requests, using methods that check for explicit, inferred or implied consent
2. Should allow access to patient information to those who have been explicitly permitted by a patient
3. Should never allow access to patient information by those explicitly denied access by the patient
4. Should allow access to patient information to individuals determined to have inferred or implied consent based on their clinical roles, responsibilities, or clinical circumstance
5. Does not endanger patient safety by denying access to information by clinically approved individuals when consent is indeterminate
6. Does not impede clinical work by clinically approved individuals, when consent is indeterminate
7. Has security safeguards to prevent access by circumventing consent checking mechanism
8. Minimizes the number of requests made to clinicians and patients to avoid disruption of clinical care or the private lives of individuals
9. Does not require expensive or burdensome infrastructure
E. Coiera et al., J. Am. Med. Informatics Assoc., 2004
Author Observation: criteria are in conflict with one another, and no single model performs well against all 9 criteria
Models for e-consent
1. General consent = “opt in”. Patient accepts all provider policies (Notices of Information Practices). Most common current model.
2. General consent with specific denial. Patient accepts provider policies but denies consent for a) particular information or b) particular parties’ access or c) disclosure for particular purposes
3. General denial with specific consent = Patient denies all access except for consent for a) particular information or b) particular parties’ access or c) disclosure for particular purposes
4. General denial = “opt out”. Each new episode of care requires explicit consent. (Likely scenarios for opt out: psychiatric care, drug rehab, sexually transmitted disease treatment).
E. Coiera et al., J. Am. Med. Informatics Assoc., 2004
Rights management wrappers associated with clinical information that record the assertion:
  Access to (information) by an (entity) for a (purpose) in a (context) is {consented to | denied}
Could attach to specific facts, episodes of care, or complete medical record
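Added example, not code from the talk or from Coiera et al.: a small evaluator for the rights-wrapper assertion above under the four e-consent models, ordered so that an explicit denial always wins, an explicit consent is honoured, and an indeterminate result never blocks a clinically approved requester (desiderata 2, 3, 5 and 6), with such accesses flagged for audit. The Model, Wrapper and Request names and the sample entity, purpose and episode identifiers are assumptions of this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Sequence, Tuple


class Model(Enum):
    """The four e-consent models listed on the slides."""
    GENERAL_CONSENT = 1              # "opt in": provider policies accepted, access allowed by default
    GENERAL_CONSENT_WITH_DENIAL = 2  # opt in, plus explicit denials for particular data/parties/purposes
    GENERAL_DENIAL_WITH_CONSENT = 3  # deny by default, plus explicit consents
    GENERAL_DENIAL = 4               # "opt out": each episode of care needs its own explicit consent


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass(frozen=True)
class Request:
    information: str                   # e.g. "lab-results" (constructed value)
    entity: str                        # e.g. "dr-smith" (constructed value)
    purpose: str                       # e.g. "treatment"
    context: str                       # e.g. an episode-of-care id such as "episode-42"
    clinically_approved: bool = False  # requester's clinical role carries inferred/implied consent


@dataclass(frozen=True)
class Wrapper:
    """Rights-management wrapper: access to (information) by an (entity) for a
    (purpose) in a (context) is consented to (True) or denied (False).
    A field left as None applies to any value, so one wrapper can cover a
    single fact, one episode of care, or the complete record."""
    consented: bool
    information: Optional[str] = None
    entity: Optional[str] = None
    purpose: Optional[str] = None
    context: Optional[str] = None

    def matches(self, req: Request) -> bool:
        for name in ("information", "entity", "purpose", "context"):
            want = getattr(self, name)
            if want is not None and want != getattr(req, name):
                return False
        return True


def evaluate(model: Model, wrappers: Sequence[Wrapper], req: Request) -> Tuple[Decision, str]:
    """Return (decision, reason) for one access request.

    Check order follows the desiderata: an explicit denial always wins (3),
    an explicit consent is honoured (2), otherwise the model's default applies,
    and an indeterminate result must not block clinically approved staff (5, 6);
    those accesses carry an audit marker in the reason string.
    """
    matching = [w for w in wrappers if w.matches(req)]
    if any(not w.consented for w in matching):
        return Decision.DENY, "explicit denial by patient"
    consents = [w for w in matching if w.consented]
    if model is Model.GENERAL_DENIAL:
        # opt out: only a consent that names this episode of care counts
        consents = [w for w in consents if w.context == req.context]
    if consents:
        return Decision.ALLOW, "explicit consent by patient"
    if model in (Model.GENERAL_CONSENT, Model.GENERAL_CONSENT_WITH_DENIAL):
        return Decision.ALLOW, "general consent (provider policies accepted)"
    if req.clinically_approved:
        return Decision.ALLOW, "consent indeterminate; allowed on clinical role, audit required"
    return Decision.DENY, "no consent on record"


# Constructed sample policy: the patient denies everyone access to psychiatry
# notes but has explicitly consented to dr-smith seeing the rest of the record.
SAMPLE_WRAPPERS = (
    Wrapper(consented=False, information="psychiatry-notes"),
    Wrapper(consented=True, entity="dr-smith"),
)

if __name__ == "__main__":
    req = Request("lab-results", "dr-jones", "treatment", "episode-42", clinically_approved=True)
    for model in Model:
        print(model.name, evaluate(model, SAMPLE_WRAPPERS, req))
```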
Putting Health Information Security into Perspective
• The current fervor related to health information security is sometimes marked by “irrational exuberance”
• Data available to date suggests that breaches of confidentiality in healthcare usually cause either no apparent harm or some personal psychological harm, while inaccessibility of healthcare data causes preventable medical errors, up to and including death
Kohn L, et al. Committee on Quality of Health Care in America.
To Err is Human: Building a Safer Health System.
Institute of Medicine, Dec 1999
Medical Errors
• Between 44,000-98,000 preventable deaths each year in hospitals
• Injury rates from 2.9% (general med-surg) to 46% (ICU settings)
• 7th leading cause of death in US
• Likely underestimates due to:
– Injury thresholds for reporting
– Errors had to be documented in clinical record
Medical Errors
• Majority of errors do not result from individual recklessness, but from flaws in health system organization (or lack of organization).
• Failures of information management are common:
– illegible writing in medical records
– lack of integration of clinical information systems
– inaccessibility of records
– lack of automated allergy and drug interaction checking
Information Security Elements
• Availability - when and where needed
• Authentication - a person or system is who they purport to be
• Access Control - only authorized persons, for authorized uses
• Confidentiality - no unauthorized information disclosure
• Integrity - Information content not alterable except under authorized circumstances
• Attribution/non-repudiation - actions taken are reliably traceable
Putting Health Information Security into Perspective
• If ‘keeping the bad guys out’ causes even a single additional death due to inaccessibility of information to authorized providers, we have failed to achieve a proper perspective on health information security
• From HIPAA back to Hippocrates: Primum non nocere - first do no harm