INFORMATION POLICY FOR THE U.S. HEALTH SECTOR:
ENGINEERING, POLITICAL ECONOMY, AND ETHICS
ENGINEERING ISSUES
Current data security
While definable in a variety of ways, "data security" can be broadly conceived as the collection of technical and non-technical (administrative, organizational) measures that structure access to, and assure the integrity and availability of, an organization's information (Russell and Gangemi, 1991).
A variety of "technical" measures are available to achieve these goals, such as: "identification and authentication" regimes for users (e.g., by unique userids and associated passwords); data access controls (allowing system users to view/modify only data appropriate to their job functions); software/hardware controls (limiting what can be installed and used in a network); "audit trails" (recording important system activity); physical security of computer and communications devices, and protection of remote access points (by authentication processes and physical barriers); protection of electronic communications (by physical security of network linkages, and encryption of transmitted data); and disaster recovery procedures (if physical security is violently compromised). "Organizational" practices include formal, on-going system assessments against security threats (ideally by outside auditors); security and confidentiality policies, and institutional data protection committees (to generate, and review compliance with, policy); user education and training programs, and sanctions for violations of policy (when training and education are not enough). To these the recent NRC report on security adds improved authorization forms (to improve patients' understanding of data practices), and patient access to audit logs (so that individuals can "police" access to their own files if desired), as practices that should be implemented "immediately" by all organizations handling patient-identifiable data (National Research Council, 1997).
These technical and non-technical mechanisms do not come free. Moreover, many of the technologies, such as advanced audit trail mechanisms and encryption, are just now being deployed on a large scale. Their affordability, availability, and suitability for health care applications is not yet assured (Barrows and Clayton, 1996). Although good empirical data are lacking, there is reason to believe that security resources are neglected in many health care organizations, given the competitive pressures under which institutions like hospitals now operate. The NRC found deficits even in the six sites selected for their "reputed leadership" in electronic systems deployment (National Research Council, 1997). The GAO found security neglected even in the US military's world-wide electronic medical record system, one of the largest deployed to date (General Accounting Office, 1996). Limits on human resources are also potentially significant. Information security personnel are increasingly in demand, and may be unavailable at prices health care institutions feel they can afford. Overall, there is a lack of strong incentives for upgrading security practices. Current law does not provide strong sanctions; there is a persistent "it can't happen here" mentality in many organizations; and data security is not perceived as a "market differentiator" that will attract business in any case, particularly since no data security violations to date have attracted sustained public attention (National Research Council, 1997; Cushman, 1997).
Future data security
While it is impossible to predict the course of public awareness, and thus the "market sanctions" that might emerge, all of the current federal legislative proposals include substantial fines for information security violations. "Information practice standards" are also emerging, albeit slowly. The NRC recommendations can be seen as a first, tentative step to articulate concrete institutional requirements. The Joint Commission on the Accreditation of Health Care Organizations has since 1995 had information standards as part of its evaluative processes, though they are still considered "recommendations" at this point (NCVHS Hearings, 1997). The National Center for Quality Assurance (NCQA), which concentrates on evaluations of HMOs and health plans, has indicated it will promulgate an information practices standard as well (NCVHS Hearings, 1997). Formal government oversight of data handling practices is virtually non-existent, and the degree of delegation to private regulatory bodies like JCAHO and NCQA remains a major policy issue.
For future deployment, the NRC report lists "strong authentication," based on the use of tokens (such as credit-card-sized devices) or biometric identification (fingerprints, retinal patterns, speech recognition), to replace notoriously vulnerable password-based controls; enhanced access controls (masking records and fields of records selectively, in real time, based on a user's characteristics); enhanced audit trails (that support automatic scanning for suspicious access patterns, and trace access across organizational boundaries); and electronic authentication of records (real-time monitoring, to ensure integrity/accuracy of data, and precisely authenticate individuals accessing/changing critical information) as priorities (National Research Council, 1997). The cost of widespread use of such technologies, or when they might be available on a large scale, can only be guessed. Security requires integration of new protective technologies at all levels, and protective organizational arrangements as well. The much-discussed "year 2000 problem" suggests how long institutions tend to live with "legacy" information systems. Bureaucratic inertia is also not unknown in large health care organizations. The NRC suggests that expense and practicality, and "fail-safe" reliability, be established by testing, and that such testing be supported by government "testbeds" (National Research Council, 1997). Funding for such facilities has not yet been provided.
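The "automatic scanning for suspicious access patterns" that the NRC lists for enhanced audit trails can be illustrated with a small scanner. The following is an added example, not code from the report or from any system it describes: it parses a constructed audit trail (timestamp, user, action, patient id) and applies two rules that such a scanner might use: a user reading a record of a patient with whom no treatment relationship is recorded, and a user reading an unusually large number of distinct patient records within a short window. The user names, patient ids, treatment-relationship table, window size and threshold are all assumptions chosen for the illustration.

```python
"""Scan a constructed access-audit trail for suspicious access patterns.

Added illustration (not from the NRC report): two detection rules an
audit-trail scanner could apply. All user names, patient ids, log lines
and the treatment-relationship table below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail: ISO timestamp, user, action, patient id.
AUDIT_LOG = """\
1997-03-04T08:02:11 nurse_a VIEW P1001
1997-03-04T08:05:40 nurse_a VIEW P1002
1997-03-04T08:09:03 nurse_a UPDATE P1001
1997-03-04T08:15:27 clerk_b VIEW P1003
1997-03-04T08:16:02 clerk_b VIEW P1004
1997-03-04T08:16:33 clerk_b VIEW P1005
1997-03-04T08:17:10 clerk_b VIEW P1006
1997-03-04T08:17:55 clerk_b VIEW P1007
1997-03-04T08:18:20 clerk_b VIEW P1008
1997-03-04T09:30:00 nurse_a VIEW P2099
"""

# Constructed treatment relationships: the patients each user is assigned to.
TREATMENT_RELATIONSHIPS = {
    "nurse_a": {"P1001", "P1002"},
    "clerk_b": {"P1003", "P1004", "P1005", "P1006", "P1007", "P1008"},
}


def parse_audit_log(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "patient": patient})
    return events


def find_unrelated_access(events, relationships):
    """Rule 1: any access to a patient outside the user's assigned set."""
    alerts = []
    for e in events:
        if e["patient"] not in relationships.get(e["user"], set()):
            alerts.append((e["user"], e["patient"], "no treatment relationship"))
    return alerts


def find_bulk_access(events, window=timedelta(minutes=10), threshold=5):
    """Rule 2: more than `threshold` distinct records VIEWed within `window`.

    A sliding window over each user's VIEW events, sorted by time; the user
    is reported once, with the largest distinct count that tripped the rule.
    """
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        if e["action"] == "VIEW":
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        worst = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e["patient"] for e in evs[start:end + 1]}
            if len(distinct) > threshold:
                worst = max(worst, len(distinct))
        if worst:
            alerts.append((user, worst, "bulk record access"))
    return alerts


def scan(text, relationships=TREATMENT_RELATIONSHIPS):
    """Run both rules over a log text and return the combined alert list."""
    events = parse_audit_log(text)
    return find_unrelated_access(events, relationships) + find_bulk_access(events)


if __name__ == "__main__":
    for alert in scan(AUDIT_LOG):
        print(alert)
```

On the constructed log the scanner reports nurse_a's view of P2099 (no recorded relationship) and clerk_b's six distinct records in under ten minutes; the thresholds are deliberately simple, and in practice the relationship table would come from scheduling and admission systems rather than a literal in the code.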
Future standardization
The Kassebaum-Kennedy (PL104-191) directives on administrative simplification are in large measure directed at increasing the efficiency and lowering the costs of information exchange through increased use of standardized electronic transactions. Befitting a market-oriented health system, a large number of standard-setting groups are in the process of developing standards, such as the American National Standards Institute Healthcare Informatics Standards Board (ANSI HISB), Health Level 7 (HL7), the American Society for Testing and Materials (ASTM E31 Committee), the American Standards Committee (ASC X12, X12N and Z80 committees), the International Electronic and Electrical Engineers (IEEE P1157 and P1073 committees) as well as various divisions of the federal government and international organizations such as the European Committee for Standardisation (CEN Technical Committee 251). Standards abound: for "claims" forms (UB-92, HCFA 1500) and associated data sets (UHDDS, UACDS), classifications for diagnoses and procedures (ICD-9, ICD-9-CM, CPT-4), vocabularies (UMLS, UNL), and messaging formats (from ANSI, IEEE and HL7), with new promulgations coming at a rapid pace. (For further details on public and private-sector standards activities, see Agency for Health Care Policy and Research, 1996a, 1996b.)
Given the magnitude of information technology development in health care today, substantial advantages potentially accrue to vendors whose standards propositions gain favor. But the particular subset that "wins" this competition may be a matter of minor concern for policy, provided the number is reduced to a manageable few. Not so for the issue of a standard health identifier. Linkage of records in distributed data warehouses is ideally achieved via the use of a unique "health identifier" (HID). Today, the social security number (SSN) serves as the HID by default: it is the only effectively universal identifier in the US. However, the SSN is flawed, in that it is not unique (especially in areas where traffic in fraudulent identification materials is common), and has no "checksum" feature by which to detect errors. Privacy advocates also strenuously object to the use of the SSN on grounds that it is already in widespread use for many non-health functions, broadly available from a variety of private-sector sources, and would serve to make abuse of personal information much easier.
Alternative candidates for a health identifier include use of an "expanded" SSN with a checksum feature, or generation of a whole new health identifier for the population. The former option is objectionable to privacy advocates; the latter is considerably more expensive. Though this is one of the most contentious areas of health information policy, it is in many ways a misplaced debate. Any new identifier would be quickly mapped to SSN and other demographic information to facilitate linkages, presenting the same privacy problems in short order. Indeed, linkages of records can be made even in the absence of a unique HID, using probabilistic mappings based on demographic information alone (e.g., name, date and place of birth, parents' names). In the end, the only standards that matter will be those established by law and regulation that separate legitimate information practices from illegitimate ones. Arguments over HID alternatives are, consciously or not, proxy wars over the nature of health information policy itself.
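The "checksum feature" that the two preceding paragraphs discuss (absent from the SSN, present in the proposed "expanded" SSN) is a check-digit scheme that lets a receiving system reject mistyped or mis-transcribed identifiers. The following is an added example, not from the paper or from any proposed identifier standard: it appends two check digits using the ISO 7064 MOD 97-10 method (one common choice; the paper does not specify a scheme), validates identifiers, and measures how many single-digit substitutions and adjacent transpositions the check catches. The nine-digit body "123456789" is a constructed value. Note what the check does and does not do: it detects transcription errors, and nothing more; it offers no protection against the linkage and privacy problems the text raises, which is exactly the paper's point.

```python
"""Check digits for an identifier, using ISO 7064 MOD 97-10.

Added illustration (not from the paper or any identifier standard it names).
The identifier body "123456789" is a constructed sample value.
"""


def mod97_check_digits(body: str) -> str:
    """Return the two check digits for a decimal `body` (ISO 7064 MOD 97-10)."""
    if not body.isdigit():
        raise ValueError("identifier body must be decimal digits")
    # Append "00", take the remainder mod 97, and choose check digits so that
    # the full number leaves remainder 1. The result is always 02..98.
    return f"{98 - int(body + '00') % 97:02d}"


def make_identifier(body: str) -> str:
    """Body followed by its two check digits."""
    return body + mod97_check_digits(body)


def is_valid(identifier: str) -> bool:
    """An identifier with check digits is valid iff it is congruent to 1 mod 97."""
    return identifier.isdigit() and len(identifier) > 2 and int(identifier) % 97 == 1


def error_detection_rate(body: str) -> float:
    """Fraction of single-digit substitutions and adjacent transpositions
    (applied to the full identifier, check digits included) that are detected.

    Because 97 is prime and coprime to 10, MOD 97-10 catches every such error.
    """
    ident = make_identifier(body)
    trials = detected = 0
    # Every single-digit substitution.
    for i, ch in enumerate(ident):
        for d in "0123456789":
            if d == ch:
                continue
            trials += 1
            if not is_valid(ident[:i] + d + ident[i + 1:]):
                detected += 1
    # Every adjacent transposition that actually changes the string.
    for i in range(len(ident) - 1):
        if ident[i] == ident[i + 1]:
            continue
        trials += 1
        swapped = ident[:i] + ident[i + 1] + ident[i] + ident[i + 2:]
        if not is_valid(swapped):
            detected += 1
    return detected / trials


if __name__ == "__main__":
    hid = make_identifier("123456789")          # constructed body
    print(hid, is_valid(hid))                    # "12345678978" True
    print(is_valid("12345678987"))               # last two digits swapped: False
    print(error_detection_rate("123456789"))     # 1.0
```

A plain SSN has no such structure: swapping two digits of "123456789" yields another nine-digit string that looks just as valid, so a data-entry error silently points at a different person's record. The check digits close that gap for transcription errors only; they leave every bit of the body visible, so an "expanded" SSN is exactly as linkable as the SSN itself.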