Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations.


Analysing eHealth systems

The specific motivations behind the use of information and communication technologies for healthcare delivery and management in developing countries and humanitarian operations are wide-ranging, and of course depend on the local context and needs. However, in general eHealth technologies are seen as holding the potential to improve health service delivery, expand the delivery of treatment and services, improve patient outcomes, facilitate the ‘leap-frogging’ of outdated health systems in other countries, and improve disease surveillance, among others.

In order to understand, and try to resolve, the threats to privacy and security introduced by the use of eHealth, we first need to distinguish the technologies and applications involved.1 These include:

  1. Electronic health records and electronic medical records that capture and store patient information.2 These are increasingly being centralized;
  2. Laboratory information management systems (often used to report test results to administrators and healthcare staff);
  3. Prescription information systems (for ordering, dispensing, and tracking medications) within hospitals, GP offices, and pharmacies;
  4. Patient registration and scheduling systems (for tracking and managing the movement of patients);
  5. Systems for aggregating and reporting information, monitoring health programs, and tracking patients’ status (e.g. district health information systems or health management information systems);
  6. Clinical decision support systems;
  7. Patient reminder systems (e.g. for prompting patients to take medications or visit a clinic). Within the developing country context, the mobile phone is increasingly being leveraged for these purposes, introducing novel privacy issues;
  8. Systems for medical research (used to collect, store, manage, and report data used for research purposes).3

Each type of system, depending on its environment and context, processes different types of personal information for different purposes, and in turn carries different privacy and security risks. A research system traditionally holds less identity information than a patient registration system, but more diagnostic and health information. Laboratory and pharmacy systems tend to require data-sharing protocols with both local surgeries and national or regional insurance providers. Information becomes the lifeblood of a healthcare system as it is collected, shared, and studied.

Privacy, security and design implications

From our limited review of eHealth plans in developing countries and humanitarian operations, we see that there is some pull towards bringing all of these systems together under a single authority. If this is the case, eHealth systems may become the largest collection of information on a country’s citizenry, and in a way a de facto civilian registry.4

A national registry of citizen information is certainly useful to governments for understanding and managing their populations. But such registries are better established for a specific purpose, through a deliberative process that ensures they are fit for that purpose,5 than built as a side effect of providing healthcare. A population registry also has secondary effects that are easily overlooked while a health registry is being established: it can, for instance, reveal ethnic origin or religious affiliation in a systematic manner.

As healthcare provision is not a monolithic exercise of only state actors, the information held within an eHealth infrastructure would be distributed in nature. General practitioners, hospitals, pharmacies, universities, and other institutions would seek to gain access. In some countries we heard of plans for storing all of this information in the ‘cloud’, where information on a citizenry will be stored in another country, and in turn, another legal jurisdiction. The distributed system and the institutions seeking access may not be governed by the same policies and procedures. If not carefully designed, a single record in one non-state entity could provide the key to gaining access to the entire health record of an individual or even a whole community.

Considering privacy and security at the earliest stages of system design also helps to understand the operational environment. For example, no health researcher would demand carte blanche access to an EHR database, so the system should not be designed to offer it.6 Similarly, the managers of a laboratory with an existing registration system will not want to redesign it around a different registration system from a hospital, or even a national one, so persistent and unique identifiers may not be ideal.7 Equally, granting each user of a given system component complete access to all information held in it could cause information overload, could be resource-intensive, and, if a device is lost or left vulnerable, could result in the loss of important information.8

Considering how to implement identifiers, access controls, sharing and disclosure protocols, amongst other system-design decisions is therefore integral to protecting privacy and security. Fortunately there is a growing body of literature within the computer science world on privacy and security of medical informatics, and emerging best practices. These methods include:

  • using directed identifiers rather than global identifiers, so that each institution recognises the same patient by a different identifier, preventing any one institution from holding the key by which it could access all health information across the system;9
  • implementing access controls based on roles and privileges so that only some members of staff have access to the relevant personal information, while providing audit trails to make this verifiable;10
  • considering the use of digital rights management-type systems to secure eHealth records infrastructures, protecting information persistently throughout an enterprise and across organisational boundaries;11
  • encrypting the databases to ensure that third parties – even those providing cloud services – may not gain access to the information;12
  • ensuring minimal sharing and disclosure through provable means to ensure that only the necessary information is disclosed and shared;13
  • rendering pseudonymous, through encryption, every transaction made in a healthcare environment, so that the institutions that need to know a piece of information can access it while unauthorised institutions cannot.14
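The first item in the list above, directed identifiers, is the one most often misunderstood, so here is a worked example. It is added to this page and is not code from Privacy International or from any of the cited projects. It assumes a central identity authority that holds a master patient index and one derivation key per enrolled institution (in practice that key would live in an HSM or key-management service); the institution names, master id and record contents are constructed sample values.

```python
"""Directed (per-institution) patient identifiers.

Added example; not code from the Privacy International page. Assumes a central
identity authority holding a master patient index and one derivation key per
enrolled institution. Institution names, master ids and record contents are
constructed sample values.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class IdentityAuthority:
    """Derives a different pseudonym for the same patient at each institution.

    The pseudonym is an HMAC of the master id under the institution's key, so
    it is stable within one institution but cannot be recomputed or reversed
    by another. Only the authority can translate between institutions.
    """
    keys: dict = field(default_factory=dict)    # institution -> secret key
    index: dict = field(default_factory=dict)   # (institution, directed id) -> master id

    def enrol(self, institution: str) -> None:
        # Assumed to come from an HSM or KMS in a real deployment.
        self.keys[institution] = secrets.token_bytes(32)

    def directed_id(self, institution: str, master_id: str) -> str:
        key = self.keys[institution]
        msg = f"{institution}:{master_id}".encode()
        did = hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]
        self.index[(institution, did)] = master_id
        return did

    def translate(self, src: str, src_did: str, dst: str) -> str:
        """Map a directed id from one institution to another: the only linking path."""
        master_id = self.index[(src, src_did)]
        return self.directed_id(dst, master_id)


class Institution:
    """A hospital or lab: stores records only under its own directed ids."""

    def __init__(self, name: str, authority: IdentityAuthority):
        self.name = name
        self.authority = authority
        self.records: dict = {}

    def register(self, master_id: str, data: dict) -> str:
        did = self.authority.directed_id(self.name, master_id)
        self.records[did] = data
        return did

    def lookup(self, did: str):
        return self.records.get(did)


def demo():
    """Constructed scenario: one patient known to both a hospital and a lab."""
    authority = IdentityAuthority()
    for name in ("hospital", "lab"):
        authority.enrol(name)
    hospital = Institution("hospital", authority)
    lab = Institution("lab", authority)

    master = "MPI-000123"  # constructed master patient index entry
    h_id = hospital.register(master, {"diagnoses": ["hypertension"]})
    l_id = lab.register(master, {"hba1c": "6.1%"})

    # A leaked lab id is useless as a key at the hospital ...
    cross = hospital.lookup(l_id)
    # ... unless the authority translates it, a step it can log and restrict.
    via_authority = hospital.lookup(authority.translate("lab", l_id, "hospital"))
    return {
        "hospital_id": h_id,
        "lab_id": l_id,
        "ids_differ": h_id != l_id,
        "stable": hospital.register(master, {"diagnoses": ["hypertension"]}) == h_id,
        "cross_lookup": cross,
        "via_authority": via_authority,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the design is the `translate` step: because a directed identifier is a keyed hash rather than a shared number, the only way to join the lab's record to the hospital's is through the authority, which is exactly where an audit trail and an access policy can be enforced. A global identifier copied onto a sticker or into a spreadsheet gives no such choke point.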

Because of the massive investment into eHealth and growing concerns about privacy and security, the thinking on these issues will expand significantly in the coming years. eHealth developers and policy-makers must be aware of these developments to ensure that their design choices result in systems that are, in fact, fit for purpose.

It is worth considering why identifiable information is needed in the first place. For instance, in many contexts, such as sexual health clinics, no personal information need be collected at all; walk-in clinics might ask for a name and contact details, but patients could provide false identities. There is nonetheless a drive towards collecting identifiable information. Sometimes this is intentional, through policy choices such as a government requiring the reporting of HIV cases;15 sometimes it is a product of system design, where the individual patient has to be verified against a national registry prior to receiving treatment. At the outset, system designers and policy professionals need to ask why information is necessary before they decide which information is to be collected.

Policies also provide an opportunity to deliberate on a technology or technique in a more open manner. For instance, biobanks are spreading around the world,16 yet there is relatively limited debate in developing countries about the practice of linking biological tissues to an individual’s medical record. As they expand, these collections will raise additional issues because of the dual use of DNA as a biometric identifier, which gives governments an interest in gaining access to such data for policing purposes, and as an indicator of familial relationships. A policy framework and a policy discussion will help to ensure that techniques like these are deployed only as strictly necessary for the desired purpose.

Policy Implications

Technologies are not the only solution; thorough procedures are also required to make these protections enforceable. For instance, role-based access control is not a complete system on its own. Such access control systems are often designed so that if there is an emergency and medical practitioners need to reach information that is encrypted or otherwise secured, they may ‘break the glass’ and gain emergency access. While this sounds reasonable, the glass is very often broken: one study in Norway found that 54% of 99,352 patient records had been accessed through such means; over a single month 295,000 ‘emergency’ accesses were logged, and the practice was widespread among staff, with over 40% of the more than 12,000 authenticated users having ‘broken the glass’.17

Policies are therefore necessary to ensure against abuse, to provide safeguards, and to ensure adequate remedies. As mentioned above, national legislation on patient privacy and comprehensive data privacy laws are key first steps. Individuals’ rights are then made clear, as is the legal basis for any eHealth system, and the qualification of consent.18 Legislation will help to ensure that every institution is aware of the responsibilities to keep information private and secure. Importantly, legislation can also require that privacy is built into the system through the required use of the ‘privacy impact assessments’, ‘privacy by design’ principles, and ‘privacy-enhancing technologies’ that are growing more popular around the world.

At a more local level, each organisation also needs policies to ensure that staff members are aware of their responsibilities. This includes extensive training for staff, and the creation of security and privacy champions within organisations that will review audit trails, and monitor for compliance with policies. Of course these are more challenging within resource-constrained environments,19 but these responsibilities can be combined with other management initiatives.

The ‘normative’ regard for privacy and security within the medical profession is an essential safeguard that must be adequately sustained. It is essential that medical schools continue to ensure that medical students are trained in ethics and confidentiality. We were heartened to discover that a number of schools in Africa and Asia include lessons on confidentiality, but the material is in need of updating to consider the latest technological developments and attendant privacy and security risk dynamics.20

Even the best policies and the best auditing techniques will still fail. Audit logs may be audited regularly but this must be done at the local point of care where abuses can be more clearly identified. Staff members may be authorised to access a file and yet may be abusing their rights of access nonetheless.21 Accredited organisations may not appropriately enforce their policies and even if all the techniques are in place, it would still be very difficult to verify any wrongdoing.22

One of the most promising developments in eHealth for the protection of privacy and security of information is the opportunity to give patients control over their information.23 There are two emerging solutions to the challenge of patient empowerment. The first is ‘locking’, where patients may choose to have their medical records locked or sealed and used only in very specific circumstances. This would mean that every access to the record requires either the consent of the individual or an exceptional note on the log. The second is empowering the individual to access the audit logs and so understand how the patient record is used, forcing a degree of transparency on the healthcare organisation. Both approaches help to manage the patient’s consent, and would help patients set their preferences, access their own information, receive breach notification alerts, request that errors be corrected, and make informed decisions about the secondary use of the information.24
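The two mechanisms discussed here, sealed records opened only with consent or an exceptional log entry, and a patient-readable audit trail, sit naturally on top of the ‘break the glass’ model described under Policy Implications. The following example, added to this page and not code from Privacy International or from the Norwegian study, puts all three together: role-based permissions, a break-the-glass override that refuses to proceed without a documented reason, patient-sealed records, a log of every decision (granted or denied), the view a patient would be shown, and the counts a local auditor should watch, the share of records and of users that went through the override in a period, which are the figures the Norwegian study reported. The roles, users, patients and timestamps are constructed sample data; a real system would authenticate users and keep the log tamper-evident and separate from the application.

```python
"""Role-based access with 'break the glass', patient-sealed records and audit review.

Added example; not code from the Privacy International page. Roles, users,
patients and the access log are constructed sample data; a real system would
authenticate users and keep the audit log tamper-evident and separate from
the application.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Role -> record sections readable in the normal course of care.
ROLE_PERMISSIONS = {
    "physician": {"summary", "diagnoses", "medications"},
    "nurse": {"summary", "medications"},
    "lab_tech": {"lab_results"},
    "clerk": {"summary"},
}


@dataclass
class AccessEvent:
    when: datetime
    user: str
    role: str
    patient: str
    section: str
    mode: str           # "normal", "consent", "break_glass" or "denied"
    reason: str = ""


@dataclass
class RecordStore:
    roles: dict                                   # user -> role
    sealed: set = field(default_factory=set)      # patients who locked their record
    consents: set = field(default_factory=set)    # (user, patient) pairs the patient approved
    log: list = field(default_factory=list)       # every decision, granted or not

    def read(self, user, patient, section, now, *, break_glass=False, reason=""):
        """Decide one access and log it. Returns True if access was granted."""
        role = self.roles[user]
        permitted = section in ROLE_PERMISSIONS.get(role, set())
        if permitted and patient not in self.sealed:
            mode = "normal"
        elif permitted and (user, patient) in self.consents:
            mode = "consent"            # sealed record opened with the patient's consent
        elif break_glass:
            if not reason.strip():
                raise ValueError("break-the-glass access requires a documented reason")
            mode = "break_glass"        # emergency override: bypasses both role and seal
        else:
            mode = "denied"
        self.log.append(AccessEvent(now, user, role, patient, section, mode, reason))
        return mode != "denied"

    def patient_view(self, patient):
        """The transparency view: who tried to open this patient's record, and how."""
        return [(e.when.isoformat(timespec="minutes"), e.user, e.section, e.mode, e.reason)
                for e in self.log if e.patient == patient]


def break_glass_report(log, since):
    """What a local auditor should watch: how many overrides, and on what share
    of records and by what share of users the glass was broken since a date."""
    recent = [e for e in log if e.when >= since]
    bg = [e for e in recent if e.mode == "break_glass"]
    patients_seen = {e.patient for e in recent if e.mode != "denied"}
    users_seen = {e.user for e in recent}
    return {
        "break_glass_events": len(bg),
        "patient_share": len({e.patient for e in bg}) / max(len(patients_seen), 1),
        "user_share": len({e.user for e in bg}) / max(len(users_seen), 1),
        "per_user": Counter(e.user for e in bg),
    }


def demo():
    """Constructed scenario: four staff, two patients, one of whom sealed their record."""
    store = RecordStore(roles={"dr_a": "physician", "nurse_b": "nurse",
                               "clerk_c": "clerk", "lab_d": "lab_tech"})
    store.sealed.add("p2")
    t0 = datetime(2010, 9, 1, 8, 0)
    results = [
        store.read("dr_a", "p1", "diagnoses", t0),                                   # normal
        store.read("clerk_c", "p1", "diagnoses", t0 + timedelta(minutes=5)),         # denied: not in role
        store.read("dr_a", "p2", "diagnoses", t0 + timedelta(hours=1)),              # denied: sealed
        store.read("dr_a", "p2", "diagnoses", t0 + timedelta(hours=1, minutes=1),
                   break_glass=True, reason="ED admission, patient unconscious"),    # break_glass
    ]
    store.consents.add(("nurse_b", "p2"))
    results += [
        store.read("nurse_b", "p2", "medications", t0 + timedelta(hours=2)),         # consent
        store.read("clerk_c", "p2", "diagnoses", t0 + timedelta(hours=3),
                   break_glass=True, reason="reception asked"),                      # override by a clerk
        store.read("lab_d", "p1", "lab_results", t0 + timedelta(hours=4)),           # normal
    ]
    report = break_glass_report(store.log, since=t0 - timedelta(days=30))
    return store, results, report


if __name__ == "__main__":
    store, results, report = demo()
    print(results)
    print(report)
    for row in store.patient_view("p2"):
        print(row)
```

Two details carry the weight. The override is logged with the same structure as an ordinary access, so the report can compare them directly, and a clerk's ‘reception asked’ shows up beside a physician's emergency note for the auditor to question. And the patient view lists denied attempts as well as granted ones, because a run of refused requests against a sealed record is itself something the patient may want to know about.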


  • 1. See for instance, ‘What is eHealth: A Systematic Review of Published Definitions’, H Oh, C Rizo, M Enkin, A Jadad, Journal of Medical Internet Research, 7, e1, 2005.
  • 2. The use of this terminology varies. To some, the ‘health record’ is the larger statement of the individuals’ state of health, sometimes deployed at an organisational, regional or even national scale; while the ‘medical record’ is often generated by a health organisation or professional.
  • 3. ‘E-Health Technologies Show Promise In Developing Countries’. J. A. Blaya et al., Health Affairs, 29(2): 244-251, 2010.
  • 4. For a discussion of national identity registries, see ‘Global Challenges for Identity Policies’ Edgar A. Whitley and Gus Hosein, Palgrave Macmillan, 2009.
  • 5. See ‘Identity Policy: Risks & Rewards: a report prepared for the U.S. Federal Trade Commission’, Simon Davies and Gus Hosein, April 2007, available at
  • 6. See the risks of health research and personal information in ‘Pan-Canadian De-Identification Guidelines for Personal Health Information’, Khaled El Emam et al., a report produced for the Office of the Privacy Commissioner of Canada, April 2007.
  • 7. For instance, see an interesting discussion regarding the use of Social Security Numbers in the U.S. as patient identifiers: AHIMA e-HIM Work Group on Regional Health Information Organizations (RHIOs). ‘Using the SSN as a Patient Identifier.’ Journal of AHIMA 77, no.3 (March 2006): 56A-D, available at
  • 8. ‘The inadvertent disclosure of personal health information through peer-to-peer file sharing programs’, Khaled El Emam et al., JAMIA 17:148e158, 2009. It just so happens that these very same decisions are important to privacy and security.
  • 9. This is an explicit concern of the Canadian Health Infoway Privacy Impact Assessment: “Do safeguards prevent internal identifiers from becoming public (and hence creating new de-facto public identifiers)”. ‘A ‘Conceptual’ Privacy Impact Assessment on Canada’s Electronic Health Record Solution’, Blueprint Version 2, Canada Health Infoway, February 12, 2008.
  • 10. These must be flexible enough so that workarounds exist for staff to gain access to records to which they have not yet been granted access, e.g. A&E clinicians can be granted greater access by using a shared credential.
  • 11. ‘A Secure Electronic Healthcare Record Infrastructure in the Digital Rights Management Model’, Nicholas Paul Sheppard et al., 2009. Available at:
  • 12. ‘Deployment of a Highly Secure Clinical Data Repository in an Insecure International Environment’, Henry Feldmana et al., presented at MedInfo South Africa 2010.
  • 13. One health information systems project in Malawi encountered such issues with their use of two-dimensional bar code stickers on the Malawi 'health passport'. To facilitate the quick processing of patients at the clinic, these stickers were affixed on the cover of passports. However, the project provided HIV/AIDS patients with specially coloured stickers, and so their status was unintentionally disclosed whenever patients would reveal their passports. A simple yet elegant solution to this problem was putting the stickers inside the passport, thereby reducing the risk of unintentional disclosure.
  • 14. ‘An anonymous healthcare system’, Melissa Chase & Kristin Lauter, Microsoft Research, presented to the USENIX 2010 Workshop on Health Privacy and Security, August 2010.
  • 15. e.g. ‘New State Law on HIV and AIDS Names Reporting’, available at
  • 16. See for instance ‘Global Directory of Biobanks, Tissue Banks, and Biorepositories’, available at
  • 17. ‘Access Control and Integration of Health Care Systems: An Experience Report and Future Challenges.’ L. Rostad et al., Presented at the Second International Conference on Availability, Reliability and Security in Vienna: 871-878, 2007. Available at:
  • 18. ‘Never heard of it - Understanding the public’s lack of awareness of a new electronic patient record’, Tanja Bratan et al., Health Expectations, 13(4): 379-391, December 2010.
  • 19. ‘Policy Management for E-Health Records’, Maritza Johnson & Steven M. Bellovin, HealthSec 2010, Usenix Security Workshop. Available at:
  • 20. See ‘Online Posting of Unprofessional Content by Medical Students’, Katherine C. Chretien, S. Ryan Greysen, Jean-Paul Chretien, and Terry Kind. JAMA, 302(12): 1309-1315, 2009. Available at:
  • 21. For a good example, see the results of the Investigation Report for the Office of the Information and Privacy Commissioner of Saskatchewan, where staff members of an accredited institution gained unauthorised access to patient files: ‘L&M Pharmacy Inc., Sunrise Regional Health Authority, Ministry of Health’, Report H-2010-001, March 23, 2010, available at,%20March%2023%202010.pdf
  • 22. See for instance, ‘Order HO-002 from the Information and Privacy Commissioner of Ontario’ regarding The Ottawa Hospital’, July 2006, available at
  • 23. See ‘The Promise of Personal Health Records: A Resolution of Canada’s Privacy Commissioners and Privacy Enforcement Officials’, September 9-10 2009, available at
  • 24. See ‘Use of Data from the Electronic Health Record for Health Research – current governance challenges and potential approaches’, Donald J. Willison, commissioned by the Office of the Privacy Commissioner of Canada, available at