Security and Privacy Considerations for Health IT Systems

First posted: 3 March 2010
Last updated: 26 March 2010

Preface

We seek to understand the nature and distribution of risks to security and privacy inherent in designing and deploying health information technology (HealthIT, eHealth; we use both terms interchangeably). We posit that achieving the appropriate balance of these risks and potential costs (to doctors, patients, hospitals, and the American taxpayer) requires careful, deliberate study to understand the nature of this new problem.

Although health care reform in the United States is a highly charged political issue, this Web page is not meant to be a political document or to support a particular political point of view or legislative agenda. Instead, this page supplies a collection of information detailing the pitfalls and challenges involved in deploying a large-scale information infrastructure around the recording, tracking, and maintenance of patient and other medical information.

We are interested in the technical security and privacy issues that emerge from what we believe is a fundamentally different data acquisition and storage problem than previous industry efforts at record keeping for other forms of data. Our central hypothesis is that the government and private sector are rushing into the deployment of eHealth technology without careful consideration of the design criteria necessary to ensure accurate and private data collection and without a realistic understanding of the costs of such a large software deployment. We certainly agree that improving the efficiency and efficacy of health care delivery while reducing the cost to the taxpayer and patients is an important and critical activity. Achieving this goal, however, demands a more careful approach than has heretofore been adopted.

Introduction

The application of information technology (especially back-office data storage applications) to various facets of medical care in the U.S.A. and other countries has often been promised to deliver decreased cost, increased quality of health care, and no risk to privacy, among other benefits. Such belief in the reliability and integrity of information systems is an unwarranted leap of faith on the part of legislators and the general public. Designing health IT systems for medical environments requires careful, thoughtful analysis. Yet Health IT (particularly EMR systems) is de facto seen as the solution to the problems of cost, waste, fraud, and needlessly duplicated medical tests. The White House web site comments on ARRA funding for EMR work: "The Recovery Act also invests $19 billion in computerized medical records that will help to reduce costs and improve quality while ensuring patients’ privacy."

The scientific community has largely been silent on this issue, although the political rhetoric can be quite intense. Almost every side of the health care debate currently raging in the US accepts without question the benefits of health IT while ignoring the potential pitfalls and downsides of such technology. For the most part, we consider the application of computer technology in medical devices and procedures (such as remote operating rooms, advances in digital imaging, etc.) a related but separate area from our criticism of the management of healthcare and patient information. Those systems pose different risks to patients; we comment on them only insofar as their use is driven by analysis of data held in IT systems.

General Resources

  1. Patient Privacy Rights website (added 26 March 2010, G. Weaver)
  2. Scot Silverstein's Healthcare IT Failure and Difficulties Case Examples: Medical Informatics Perspectives on Clinical Information Technology (added 24 March 2010)
  3. Health Information Technology Reference Guide -BusinessWeek
  4. The Privacy Rights Website on Medical Privacy
  5. OpenMRS an open-source medical records system
  6. Another MRS
  7. Learning From Software Failures (frontmatter prefacing the IEEE Spectrum analysis of the FBI's Virtual Case File system) [PDF]
  8. Capability Maturity Model
  9. A workshop on Health Security and Privacy, sponsored by the USENIX Association

Risks to the Public Trust in Computer Professionals

Hastily undertaking the transformation of the information infrastructure behind health care systems with little forethought or oversight entails the risk that the public will reject the expertise and credibility of the computing profession. Just because we could do something does not mean that we should. There is an imperative to study the new problems posed by large-scale EMR, particularly one of national scope or connectivity. No imperative exists, however, to aggressively adopt the current generation of solutions, which are little more than back-office data management applications dressed up with new terminology. Furthermore, academics and scientific professionals have a conflict of interest in this area. Academics stand to benefit tremendously from money being spent on it: schools (GMU included) are quick to set up research centers dealing with various aspects of medical IT and eHealth. While there is a need for careful research into the many security, privacy, and functionality aspects of large medical IT systems, academics can be in the uncomfortable position of being funded by government or corporate money while trying to formulate an unbiased opinion as to the quality and efficacy of the state of the art in eHealth systems and practices.
  1. Dartmouth received $3 million under ARRA for an NSF-funded TISH program
  2. GMU's internally funded Mason Center for Health Information Technology
  3. Reflections on Trusting Trust (reputation is important in designing infrastructure)

Risks to Good Medicine

Health IT systems are not a panacea. Data models, systems, and user interfaces designed by computer scientists and professional software developers without much substantive input from health care professionals can lead to inefficiency and bad medicine, and risk loss of life or permanent injury to patients.
  1. The Data Model That Nearly Killed me [PDF]
  2. The Dubious Promise of Digital Medicine [PDF]
  3. Slashdot: Why Digital Medical Records Are No Panacea 28 April 2009 [PDF]
  4. http://community.livejournal.com/therightfangirl/1142946.html

Data Leakage Models and Data Corruption Issues

One risk of large-scale EMR is a misunderstanding of the data loss dynamics of large public data systems: once records are widely accessible and copied, a single leak (for example, through a file-sharing client on one workstation) is effectively irreversible. In addition, large databases tend to have errors, and those errors are insidious and easily replicated because of the amount of automation present in such systems. It is an open question whether these errors pose a lesser or greater risk than errors due to bad handwriting on transcribed paper records.
  1. Your Medical Records Aren't Secure [PDF] (March 23, 2010)
  2. Why Cloud Storage Use Could Be Limited in Enterprises [PDF]
  3. Dan Geer on Back-of-the-envelope style estimates [link is to PDF]
  4. Woman Loses Job Due to Error in FBI Criminal Database [PDF]
  5. P2P Networks Rife With Sensitive Health Care Data, Researcher Warns
  6. Medical data leakage rampant on P2P networks [PDF]
  7. The previous two links refer to this study by researchers from the Tuck School of Business at Dartmouth College
  8. A Framework for Health Care Information Assurance Policy and Compliance Communications of the ACM, 1 March 2010

Assessing the Cost of Large Software Projects and eHealth

Managing the design, construction, and delivery of a large software project is a complicated, fluid process. Government and industry often fail in expensive and spectacular ways. Government agencies (particularly state and local governments without in-house expertise) may play the role of the uninformed client being sold digital snake oil at the expense of the taxpayer. Examples include the FBI's Virtual Case File system, AT&T Wireless's billing database failure, and the eHealth Ontario scandal, among others listed below.
  1. Report: FBI wasted millions on 'Virtual Case File' CNN.com [PDF]
  2. The FBI's Upgrade That Wasn't: $170 Million Bought an Unusable Computer System by Dan Eggen and Griff Witte, Washington Post, 18 August 2006 [PDF]
  3. Who Killed the Virtual Case File? IEEE Spectrum [PDF]
  4. Project Management: AT&T Wireless Self-Destructs [PDF]
  5. Slashdot: Harvard Says Computers Don't Save Hospitals Money [PDF]
  6. Harvard study: Computers don't save hospitals money Computerworld, 30 November 2009 [PDF]
  7. The aforementioned Harvard Study
  8. EHealth scandal a $1B waste: auditor -CBC News, 7 October 2009 [PDF]
  9. Head of eHealth Ontario is fired amid contracts scandal, gets big package -CBC News, 7 June 2009 [PDF]

The Role of Health IT in Health Care Public Policy

  1. Health Care: The President's Proposal for Health Reform - whitehouse.gov [PDF]
  2. Obama's big idea: Digital health records -CNN.com, 12 January 2009 [PDF]
  3. Where's the HIT in HCR (Health Care Reform)? -ihealthbeat, 8 July 2009 [PDF]
  4. What Obama Means for Health Information Technology -HealthLeadersMedia, 11 November 2008 [PDF]
  5. The Healthcare Bill's Take on Technology -The Hill, 12 September 2009 [PDF]