I want a "Red Teaming"
Michael Schneider
The trend towards digitization of healthcare is obvious. It’s summed up by eHealth, a term now ubiquitous in the media and which refers to all the digital and information technologies that affect healthcare. This can encompass a multitude of different processes, services and resources that make use of information technology to structure and support healthcare functions. These digitization activities have taken place under the label of eHealth.
The term can also reflect a broad diversity of goals. The coordinating body of the federal eHealth Suisse uses the term: My healthcare information. At the right time, at the right place., also refers in a general sense to an increase in efficiency, improved quality, heightened security and promotion of the economic sustainability of existing health service processes. Here – and this is a point that is often misunderstood – technology should not be the primary focus. Information security and data protection should assume the highest priority.
Technical innovations should indeed support and strengthen existing processes and structures through electronic imaging. But eHealth is also positioned and established as a substantial driver for overall considerations, improvements and innovation within the structure of healthcare services.
In more specific terms, we can expect opportunities for improvement in the following areas:
The implementation activities in these action areas are expected to create the essential organizational, normative and technical foundations that are key to the development of eHealth. They are:
This is not about vision or strategy, but a rapidly advancing reality. The Swiss parliament adopted the federal legislation on the electronic patient record (EPDG) on June 19, 2015. The law is set to come into force in 2017, and paves the way for new opportunities in electronic health services:
Although it has come much later, the healthcare sector is currently experiencing the kind of explosive expansion and penetration that revolutionized the finance sector.
We can draw a broad analogy here with developments in the finance sector. Analog approaches were digitized, transferred to mobile platforms and automated as far as possible.
Analog | ⇒ | Digital | ⇒ | Mobile | ⇒ | Automated |
---|---|---|---|---|---|---|
Analog banking | ⇒ | eBanking | ⇒ | Mobile banking (mBanking) | ⇒ | Fintech |
Analog health care | ⇒ | eHealth | ⇒ | Mobile health (mHealth) | ⇒ | Health-tech (vision) |
The difference is most apparent in the perspective of risk: in the finance sector, risk means the loss of money; in the healthcare sector, extreme risk can mean the loss of lives. This fact should be borne in mind when considering eHealth.
Clearly, the healthcare sector has a lot of catching up to do when it comes to digitization in medical and healthcare administrative areas. The networking of such a sensitive and complex area as the healthcare sector is associated with considerable risks. This is particularly true when digital usage is expanded and intensified in every direction, bringing it closer to the patient and closer to the doctors, specialists and healthcare personnel in general.
At the same time, we must not ignore the complex issues and risks implicit in this approach of IT and medicine. It will require a comprehensive paradigm shift on the part of all concerned. Hospitals, clinics, medical practices, administrative functions in the healthcare sector, and doctors and patients must all accept the new conditions, and recognize their potential and benefits in order to generate added value and an overriding sense of purpose for themselves and for society.
This means that questions concerning the minimum requirements for security standards must be treated categorically. And we must remember that ultimately it all comes down to people. The implementation of new technical systems alone will amount to little if we do not introduce clarity around the high security requirements that the sensitive nature of health data demands.
Technology should follow process. It is important that processes are first mapped in their entirety and allotted to clearly defined specialist requirements in order to stimulate public discourse.
Data protection assumes a particular importance when it comes to the sensitive health data of patients in digital form. Clearly, with the expanded availability of patient data, a categorical assurance should be given that all health professionals and involved parties with access to electronic patient data must comply with the same strict rules of medical professional confidentiality and data protection.
The basic problem is readily apparent – the more people with knowledge of sensitive, confidential data, the less secure it is and the more difficult it is to maintain privacy. The rights of patients in relation to their health data must also be rigorously secured. Here, data protection advocates and experts see diverse risks and challenges. Data protection violations may occur through (Swiss eHealth Forum, paper by Dr. Georg Sasse):
It is worth bearing in mind that hospital employees are both the most frequent offenders and the most likely victims in terms of data protection violations.
We know that information processes between patients, general practitioners, clinics, hospitals, laboratories and pharmacists, etc, are not always efficient or error-free. This raises the risk of medical error and unnecessary duplication of treatment.
As the complexity of procedures in the healthcare sector increases, so too does the volume of information about patients and the number of professionals and authorities that require access to this data to ensure efficient treatment. The electronic patient record aims to compensate for this loss of efficiency by enabling proper access.
An important point is that patients must be able to decide themselves whether they want an electronic patient record. They must also retain the right to determine who can view and access their records, and to what extent. As this affects sensitive data in particular, neither employers nor health insurance authorities should have access to this data. A new identification number will be introduced to clearly identify patients and attending doctors.
The electronic patient record has the potential to improve the quality, safety and efficiency of treatment. Its introduction is a response to a pressing current need, but proper data protection is vital. Patients must have control over their own data at all times.
In the US, for instance, advances in data protection repeatedly emerge as a consequence of previous data protection incidents. But a comprehensive, overarching federal law on data protection does not exist. Consequently, regulations to determine the way companies and organizations use, store and process personal data, and the safeguards that should be in place, are lacking.
Instead, individual collections of various laws, regulations and standards exist both at federal and state level. One notable example of this kind of regulation in the healthcare sector is the HIPAA standard.
HIPAA stands for the US Health Insurance Portability and Accountability Act, which codifies the strict specifications that companies in the healthcare sector must observe in order to guarantee the protection of patient data. The HIPAA specifications have a broad scope that extends from health insurers and settlement agents to all healthcare service providers. It thus applies to all entities that come into contact with patient information.
Companies or organizations subject to the HIPAA may deviate from the guidelines only with the express consent of the patient. The HIPAA requires affected entities to take adequate measures to protect patient information from conceivable threats and risks, and unauthorized access, usage or disclosure.
Violation of the rules may result in severe civil and criminal penalties. So despite the ad hoc emergence of US guidelines, it would be a mistake to assume that a guideline violation or a data breach are regarded in the US as only a minor offense.
The primary requirements of the HIPAA are captured under Part 164 – Security and Privacy. Among the top-level extracts of this specification are (extract from Part 164):
Subpart | Description |
---|---|
102 | Statutory basis |
103 | Definitions |
104 | Applicability |
105 | Organizational requirements |
106 | Relationship to other parts |
306 | Security standards: General rules |
308(a)(1) | Administrative safeguards: Security management process: Preventing, detecting, containing and correcting security violations |
308(a)(3) | Workforce security |
308(a)(4) | Information access management – implementation of policies and procedures for the authorization of access to electronic protected health information |
310 | Physical safeguards |
312 | Technical safeguards |
312(a)(1) | Access control |
312(b) | Audit controls – recording and examination of activities in information systems that contain or use electronic protected health information. |
314 | Organizational requirements |
316 | Policies and procedures, and documentation requirements |
316(b)(1) | Documentation – maintenance of written (which may be electronic) reports on actions, activities and assessments. |
502 | General rules: Uses and disclosures of protected health information |
504 | Uses and disclosures: Organizational requirements |
506 | Uses and disclosures to carry out treatment, payment or healthcare operations |
508 | Uses and disclosures for which an authorization is required |
510 | Uses and disclosures that require patient consent |
512 | Uses and disclosures that do not require patient consent |
514 | Other requirements relating to uses and disclosures of protected health information |
520 | Notice of privacy practices for protected health information |
522 | Rights to privacy of protected health information |
524 | Access of individuals to protected health information |
526 | Amendments to protected health information |
528 | Logging and tracking of disclosures of protected health information |
530 | Administrative requirements |
532 | Transition provisions |
The most important measures that companies subject to the HIPAA (covered entities) must fulfill:
The HIPAA security measures focus on protection of data integrity, confidentiality and availability of electronic personal health information (EPHI):
However, ISO has already launched standards intended to address the more specific security requirements of the healthcare sector. For example, ISO 27799 for IT security in health based on ISO 27001 and 27002 – Guidelines for information security management.
Standard | Title |
---|---|
ISO 27799:2014 | Health informatics – information management in health using ISO/IEC 27002 |
ISO 27789:2013 | Health informatics – audit trails for electronic health records |
ISO/TS 14265:2011 | Health Informatics – classification of the purpose of processing personal health information |
ISO/TS 17975:2015 | Health informatics – principles and data requirements for consent in the collection, use and disclosure of personal health information |
These standards have been developed to reflect the specific requirements of the highly sensitive healthcare sector beyond the normal IT security sphere. The healthcare sector is subject to a strong dynamic in the field of IT, not least because much medical equipment is now directly connected to IT networks and marked by a hugely enhanced accessibility.
Numerous advances in eHealth development have led to the digital performance and shared networks of many functions and processes in medical practices, hospitals and clinics, and medical supply centers, and, as we have seen, traditional patient records and files are gradually being digitized:
As we have seen, these developments have a significant data protection component. From this perspective, the establishment of such minimum standards appears to be common sense.
With eHealth this results in new aspects of IT security for the healthcare sector. Despite the broad scope and the cross-sector nature of the ISO 27001 family, the relevant standards and specifications related to IT security must acknowledge and adapted accordingly to the specific nature of the healthcare sector.
For the standard ISO 27799:2008 Health informatics – information security management, this results in the following structure and breakdown. Sections 3, 5 and 7, and annexes A and B reflect guidelines that acknowledge the specific nature of the healthcare sector:
Although data security plays a central role in the eHealth debate and is currently the subject of widespread discussion among experts, it is striking that many people know little about the topic. This applies to patients as well as many other stakeholders in the healthcare sector. Precautions to increase data security at the technical, organizational and normative levels are of little use if the information and training aspects are ignored.
Data protection violations can be one of the most significant security problems a company faces. With the introduction of the electronic patient record, this applies all the more to hospitals, clinics, medical practices, etc. Infrastructure suppliers and IT service providers in the healthcare sector should therefore collaborate and define a robust and rigorously observed minimum standard.
As benefits increase, so too do the challenges associated with data security arising from the free movement of data between the networks of all relevant parties. In the future, technologies such as cloud computing and mobile computing (mHealth) are likely to assume even greater significance, in turn heightening the risk even more.
When we consider the breakneck progress of the mobile health field (Keyword IoT, Internet of Things), further problems emerge, such as a massive increase in data volumes (Big Data), as well as the need for legal provisions that allow data evaluation (data mining) in line with legal and ethical standards (prevention of profiling, etc.). Since the fundamental right to protect one’s own health data naturally applies, and particularly in mass data processing.
Furthermore, in the longer term, joint interoperability standards and procedures should be established in a national, European and international context to ensure that electronic health services can exchange information across borders and communicate with each other as required, in compliance with agreed minimum standards of data protection, for the benefit of the patient.
Our experts will get in contact with you!
Michael Schneider
Marisa Tschopp
Michèle Trebo
Andrea Covello
Our experts will get in contact with you!