The trend towards digitization of healthcare is obvious. It’s summed up by eHealth, a term now ubiquitous in the media and which refers to all the digital and information technologies that affect healthcare. This can encompass a multitude of different processes, services and resources that make use of information technology to structure and support healthcare functions. These digitization activities have taken place under the label of eHealth.

The term can also reflect a broad diversity of goals. The coordinating body of the federal eHealth Suisse uses the term: My healthcare information. At the right time, at the right place., also refers in a general sense to an increase in efficiency, improved quality, heightened security and promotion of the economic sustainability of existing health service processes. Here – and this is a point that is often misunderstood – technology should not be the primary focus. Information security and data protection should assume the highest priority.

Technical innovations should indeed support and strengthen existing processes and structures through electronic imaging. But eHealth is also positioned and established as a substantial driver for overall considerations, improvements and innovation within the structure of healthcare services.

In more specific terms, we can expect opportunities for improvement in the following areas:

• Integrated technical foundation: For organization and communication of healthcare services
• Rapid emergency response: The right information can make all the difference in an emergency
• Secure treatment: Minimization of mistakes in stressful situations
• Less bureaucracy: More efficient management and administration (fewer forms)
• More rights and self-determination: electronic patient records (maintenance of patient rights and data protection)
• Cost savings: Economic potential (e.g. confidential online consultation)
• Cost stability: Affects all the goals above

The implementation activities in these action areas are expected to create the essential organizational, normative and technical foundations that are key to the development of eHealth. They are:

• National coordinating body
• Legal foundation
• eHealth architecture
• Standardization of patient data and interoperability
• Infrastructure for secure identification and authentication of patients and care providers
• Quality criteria for health information and healthcare services

This is not about vision or strategy, but a rapidly advancing reality. The Swiss parliament adopted the federal legislation on the electronic patient record (EPDG) on June 19, 2015. The law is set to come into force in 2017, and paves the way for new opportunities in electronic health services:

• Electronic patient records accessible from anywhere, at any time
• Online services that offer high quality health information for the promotion of personal health literacy
• Telemedicine and telemonitoring for remote medical consultation and treatment (eDoctor, mHealth = mobile health)

The finance sector: catch-up and comparison

Although it has come much later, the healthcare sector is currently experiencing the kind of explosive expansion and penetration that revolutionized the finance sector.

We can draw a broad analogy here with developments in the finance sector. Analog approaches were digitized, transferred to mobile platforms and automated as far as possible.

The difference is most apparent in the perspective of risk: in the finance sector, risk means the loss of money; in the healthcare sector, extreme risk can mean the loss of lives. This fact should be borne in mind when considering eHealth.

Clearly, the healthcare sector has a lot of catching up to do when it comes to digitization in medical and healthcare administrative areas. The networking of such a sensitive and complex area as the healthcare sector is associated with considerable risks. This is particularly true when digital usage is expanded and intensified in every direction, bringing it closer to the patient and closer to the doctors, specialists and healthcare personnel in general.

Paradigm shift, acceptance

At the same time, we must not ignore the complex issues and risks implicit in this approach of IT and medicine. It will require a comprehensive paradigm shift on the part of all concerned. Hospitals, clinics, medical practices, administrative functions in the healthcare sector, and doctors and patients must all accept the new conditions, and recognize their potential and benefits in order to generate added value and an overriding sense of purpose for themselves and for society.

This means that questions concerning the minimum requirements for security standards must be treated categorically. And we must remember that ultimately it all comes down to people. The implementation of new technical systems alone will amount to little if we do not introduce clarity around the high security requirements that the sensitive nature of health data demands.

Technology should follow process. It is important that processes are first mapped in their entirety and allotted to clearly defined specialist requirements in order to stimulate public discourse.

Information protection and data protection

Data protection assumes a particular importance when it comes to the sensitive health data of patients in digital form. Clearly, with the expanded availability of patient data, a categorical assurance should be given that all health professionals and involved parties with access to electronic patient data must comply with the same strict rules of medical professional confidentiality and data protection.

The basic problem is readily apparent – the more people with knowledge of sensitive, confidential data, the less secure it is and the more difficult it is to maintain privacy. The rights of patients in relation to their health data must also be rigorously secured. Here, data protection advocates and experts see diverse risks and challenges. Data protection violations may occur through (Swiss eHealth Forum, paper by Dr. Georg Sasse):

• Clinical personnel
• Patients
• IT staff
• Administration (employees and patients)
• Research activities (patient groups)
• External support services
• Third-party intervention (databases, big data, profiling, data mining, etc.)
• Technological implications (unsecured cloud computing, mobile devices, etc.)

It is worth bearing in mind that hospital employees are both the most frequent offenders and the most likely victims in terms of data protection violations.

We know that information processes between patients, general practitioners, clinics, hospitals, laboratories and pharmacists, etc, are not always efficient or error-free. This raises the risk of medical error and unnecessary duplication of treatment.

As the complexity of procedures in the healthcare sector increases, so too does the volume of information about patients and the number of professionals and authorities that require access to this data to ensure efficient treatment. The electronic patient record aims to compensate for this loss of efficiency by enabling proper access.

An important point is that patients must be able to decide themselves whether they want an electronic patient record. They must also retain the right to determine who can view and access their records, and to what extent. As this affects sensitive data in particular, neither employers nor health insurance authorities should have access to this data. A new identification number will be introduced to clearly identify patients and attending doctors.

The electronic patient record has the potential to improve the quality, safety and efficiency of treatment. Its introduction is a response to a pressing current need, but proper data protection is vital. Patients must have control over their own data at all times.

HIPAA digression

In the US, for instance, advances in data protection repeatedly emerge as a consequence of previous data protection incidents. But a comprehensive, overarching federal law on data protection does not exist. Consequently, regulations to determine the way companies and organizations use, store and process personal data, and the safeguards that should be in place, are lacking.

Instead, individual collections of various laws, regulations and standards exist both at federal and state level. One notable example of this kind of regulation in the healthcare sector is the HIPAA standard.

HIPAA stands for the US Health Insurance Portability and Accountability Act, which codifies the strict specifications that companies in the healthcare sector must observe in order to guarantee the protection of patient data. The HIPAA specifications have a broad scope that extends from health insurers and settlement agents to all healthcare service providers. It thus applies to all entities that come into contact with patient information.

Companies or organizations subject to the HIPAA may deviate from the guidelines only with the express consent of the patient. The HIPAA requires affected entities to take adequate measures to protect patient information from conceivable threats and risks, and unauthorized access, usage or disclosure.

Violation of the rules may result in severe civil and criminal penalties. So despite the ad hoc emergence of US guidelines, it would be a mistake to assume that a guideline violation or a data breach are regarded in the US as only a minor offense.

HIPAA standard at a glance

The primary requirements of the HIPAA are captured under Part 164 – Security and Privacy. Among the top-level extracts of this specification are (extract from Part 164):

The most important measures that companies subject to the HIPAA (covered entities) must fulfill:

• Evaluation of potential risks and vulnerabilities
• Protection from threats to information security in relation to integrity, and against unauthorized use or disclosure
• Implementation and maintenance of adequate security measures
• Guarantee of compliance by all employees

The HIPAA security measures focus on protection of data integrity, confidentiality and availability of electronic personal health information (EPHI):

• Procedures and documentation: Formal procedures for efficient administration of security measures
• Physical security: Protection of systems and related buildings and facilities from hazards and intrusion
• Technical security services: Processes for the protection and supervision of access to information
• Technical security measures: Processes that prevent unauthorized access to data, including through networks.

Parallels with other known standards (e.g. ISO)

However, ISO has already launched standards intended to address the more specific security requirements of the healthcare sector. For example, ISO 27799 for IT security in health based on ISO 27001 and 27002 – Guidelines for information security management.

These standards have been developed to reflect the specific requirements of the highly sensitive healthcare sector beyond the normal IT security sphere. The healthcare sector is subject to a strong dynamic in the field of IT, not least because much medical equipment is now directly connected to IT networks and marked by a hugely enhanced accessibility.

Numerous advances in eHealth development have led to the digital performance and shared networks of many functions and processes in medical practices, hospitals and clinics, and medical supply centers, and, as we have seen, traditional patient records and files are gradually being digitized:

• Introduction of the electronic patient record and gradual digitization
• Fully electronic billing
• Digital capture and storage of diagnoses, treatment, therapies
• Digital transfer of diagnostic data, clinical data, etc.
• Digital storage, transfer, processing and archiving of reports and imaging
• Networking of previously isolated systems, PCs, medical systems and databases
• Regional networking of systems (e.g. clinical systems, medical practices, hospitals, central and coordinating functions)

As we have seen, these developments have a significant data protection component. From this perspective, the establishment of such minimum standards appears to be common sense.

With eHealth this results in new aspects of IT security for the healthcare sector. Despite the broad scope and the cross-sector nature of the ISO 27001 family, the relevant standards and specifications related to IT security must acknowledge and adapted accordingly to the specific nature of the healthcare sector.

For the standard ISO 27799:2008 Health informatics – information security management, this results in the following structure and breakdown. Sections 3, 5 and 7, and annexes A and B reflect guidelines that acknowledge the specific nature of the healthcare sector:

• 3 Terms and definitions
  • 3.1 Healthcare terms
  • 3.2 Terms in the field of
• 5 Healthcare information security
  • 5.4 Healthcare information to be protected
  • 5.5 Threats and vulnerabilities in healthcare information security
• 7 Healthcare implications of ISO 27002
  • 7.1 General
  • 7.2 Information security policy
  • 7.3 Organization of information security
  • 7.4 Management organization of assets
  • 7.5 Human resource security
  • 7.6 Physical and environmental security
  • 7.7 Communications and operations management
  • 7.8 Access control
  • 7.9 Information system acquisition, development and maintenance
  • 7.10 Management of information security incidents
  • 7.11 Information security aspects in the management of business continuity
  • 7.12 Compliance
• Annex A (informative) Threats to healthcare information security
• Annex B (informative) Tasks and related documents of the information security management system

Challenges and priorities of eHealth

Although data security plays a central role in the eHealth debate and is currently the subject of widespread discussion among experts, it is striking that many people know little about the topic. This applies to patients as well as many other stakeholders in the healthcare sector. Precautions to increase data security at the technical, organizational and normative levels are of little use if the information and training aspects are ignored.

Data protection violations can be one of the most significant security problems a company faces. With the introduction of the electronic patient record, this applies all the more to hospitals, clinics, medical practices, etc. Infrastructure suppliers and IT service providers in the healthcare sector should therefore collaborate and define a robust and rigorously observed minimum standard.

As benefits increase, so too do the challenges associated with data security arising from the free movement of data between the networks of all relevant parties. In the future, technologies such as cloud computing and mobile computing (mHealth) are likely to assume even greater significance, in turn heightening the risk even more.

When we consider the breakneck progress of the mobile health field (Keyword IoT, Internet of Things), further problems emerge, such as a massive increase in data volumes (Big Data), as well as the need for legal provisions that allow data evaluation (data mining) in line with legal and ethical standards (prevention of profiling, etc.). Since the fundamental right to protect one’s own health data naturally applies, and particularly in mass data processing.

Furthermore, in the longer term, joint interoperability standards and procedures should be established in a national, European and international context to ensure that electronic health services can exchange information across borders and communicate with each other as required, in compliance with agreed minimum standards of data protection, for the benefit of the patient.

Source

Federal Office of Public Health FOPH

• Federal Office of Public Health FOPH
• Federal Office of Public Health FOPH – eHealth – electronic health services
• Federal legislation on the electronic patient record
• Factsheet on the electronic patient record (EPDG) 25/11/2015

Organizations, forums

• Coordination agency federal-cantonal
• Swiss eHealth Forum
• eHealth Switzerland Interest Group
• Swiss eHealth Summit

Federal Data Protection and Information Commissioner (FDPIC)

• Basic technical requirements for electronic patient records
• eHealth Switzerland and ePatient records: Current state of affairs

Standards

• HIPAA standard
• ISO standards

About the Author

Flavio Gerbino has been in information security since the late 1990s. His main areas of expertise in cybersecurity are the organizational and conceptual security of a company.

Links

• http://www.bag.admin.ch/themen/gesundheitspolitik
• http://www.bag.admin.ch/themen/gesundheitspolitik/10357/10360/index.html?lang=de
• http://www.bag.admin.ch/themen/gesundheitspolitik/10357/10360/index.html?lang=de&download=NHzLpZeg7t,lnp6I0NTU042l2Z6ln1acy4Zn4Z2qZpnO2Yuq2Z6gpJCMe4B9g2ym162epYbg2c_JjKbNoKSn6A
• http://www.bag.admin.ch/themen/gesundheitspolitik/10357/index.html?lang=de
• http://www.e-health-suisse.ch
• http://www.edoeb.admin.ch/dokumentation/00153/00378/00385/index.html?lang=de
• http://www.edoeb.admin.ch/dokumentation/00153/01073/01090/index.html?lang=de
• http://www.ehealthsummit.ch/
• http://www.hhs.gov/hipaa
• http://www.ig-ehealth.ch
• http://www.infosocietydays.ch/de/eHealth/Home
• https://www.beuth.de/de/norm-entwurf/din-en-iso-27799/215535227
• https://www.beuth.de/de/norm/din-en-iso-27789/167525494
• https://www.beuth.de/de/technische-regel/din-cen-iso-ts-14265/149023541
• https://www.beuth.de/de/vornorm/iso-ts-17975/242623838