National Academy of Sciences
National Academy of Engineering
Institute of Medicine
National Research Council
Office of News and Public Information
News from the National Academies
Date: March 5, 1997
Contacts: Barbara Rice, Deputy Director
Shannon Flannery, Media Relations Assistant
(202) 334-2138; Internet <news@nas.edu>

EMBARGOED: NOT FOR PUBLIC RELEASE BEFORE NOON EST WEDNESDAY, MARCH 5

Pressure Needed to Improve Security and Privacy of Electronic Health Records


WASHINGTON -- Industry standards, regulatory action, and pressure from consumers all are needed to bolster the privacy and security of electronic patient records, says a new report* by a committee of the National Research Council.

"Solutions are available to make electronic records even more secure than paper records, including electronic audit trails that can track every access to a medical record, backed by tough penalties for violators of privacy," said committee chair Paul D. Clayton, chair of the department of medical informatics and director of clinical information services at Columbia Presbyterian Medical Center in New York City. "But today there are no strong incentives to safeguard patient information because patients, industry groups, and government regulators aren't demanding protection."

To ensure that essential patient information is available to administer care, the health care industry has concentrated its resources primarily on expanding the capabilities of automated information systems rather than protecting them from snoops. Sensitive information also is shared routinely with non-caregivers who use it legitimately for claim payments, research, and oversight. Given the ease and extent to which this information can circulate between organizations and individuals, there is potential for breaches of privacy and security, the committee said.

Computerized systems can raise the quality of medical care and reduce costs by increasing access for intended users and improving the accuracy of patient information. With proper safeguards in place, they also can guard against potential abuse. The committee urged health care organizations -- including hospitals, doctors' offices, and insurance firms -- to adopt the following technical and organizational practices for improving security, most of which can be implemented now:

> Every employee with a legitimate need to know should have a unique identifier or password that allows use of an organization's information systems. Sanctions should be in place to discipline those who share their passwords or who leave records open at unattended computers. The system itself should be programmed to "exit" applications automatically if a workstation is left idle. Procedures also should be set up to guarantee that authorized users can access records in an emergency.

> Organizations should use additional access controls to restrict employees from obtaining information not necessary for their jobs, and routinely conduct electronic audits to track all accesses to clinical information. Organizations that provide health care services to their own employees should allow them to conduct audits of accesses to their own health records. A zero-tolerance policy should be instituted for punishing violators, regardless of their job title. Currently, most hospitals allow doctors and nurses to access the files of all patients, including those not under their care. Some hospitals allow all medical staff to log onto clinical record systems using the same identification code.

> Points in the system that are vulnerable to or set up for remote access should be strongly protected through special software, encrypted passwords, or dedicated modem lines. Organizations with centralized Internet connections should install "firewalls" that deny entry to unauthorized outsiders yet grant access to legitimate users who need to tap specific information systems from a remote location.

> Transmission of a patient's health information over public networks, like the Internet, should be encrypted or coded so that only the intended receiver can decipher it. Policies also should be in place to discourage the inclusion of patient information in electronic mail.

Within a few years, health care organizations should be able to maintain logs of all internal accesses to clinical information, the committee said. In the longer term, organizations should pursue ways of tracing all patient-identifiable information that is passed around.

The practices proposed by the committee could serve as guidelines for the Department of Health and Human Services (HHS), which must develop industry standards for protecting computerized health records to comply with the Health Insurance Portability and Accountability Act of 1996. Congress has set a February 1998 deadline for HHS to propose security standards and a "universal patient identifier" capable of linking a patient's files throughout the nation's health care system.

But policy-makers should weigh the likely advantages of an identifier -- including lower administrative costs and better access to patient information -- against the potential risks to privacy, the report says. Any method used to identify patients and link records should be evaluated against a set of criteria designed to protect patient privacy. Moreover, the use of a patient identifier should be backed by policies that define improper access and specify sanctions against abusers. An identifier also should be easy to use for legitimate purposes but difficult for an unauthorized person to use to deduce a patient's identity. And it should allow easy identification of those who access a computer record without authorization.

The report notes that health care organizations and others have few incentives for improving computer security, and many believe that the risk of a major breach is low since no widespread, public catastrophe has occurred. Added pressure from consumers as well as the development of industry standards and bolstered regulatory action may provide the needed incentives.

"You don't want to make it too easy for insurers, employers, and others to peruse patient files for their own purposes," Clayton explained. "We have already seen, for example, how the Social Security number's widespread use in motor vehicle licensing, employment, banking, and medical records can be abused to collect information on specific individuals."

From the patient's perspective, widespread flows of information beyond the health care provider -- often without explicit patient consent -- pose the greatest privacy concerns, the committee concluded. Self-insured employers, for example, are not systematically prevented from using health data to deny promotions or even dismiss employees, nor are holders of patient information prevented from selling data to marketing firms for use in targeted direct mailings. Insurers, pharmaceutical benefits managers, medical equipment suppliers, and oversight organizations routinely exchange health data on patients when managing care, conducting quality and utilization reviews, processing claims, combating fraud, or analyzing markets for new business. Yet they are subject to few regulations in the process.

To address these concerns, the committee also recommended:

> a government-industry push to develop and update industry standards for protecting electronic health records, coordinated by a committee of the National Center for Vital and Health Statistics specially assembled by HHS;

> establishment of a new organization that would share information about computer threats and best practices within the health care community, just as the computer emergency response team at Carnegie Mellon University does for the Internet community;

> a government-industry effort to promote national debate on patient privacy issues, raise consumer awareness, and designate a federal "privacy ombudsman" for consumers; and

> adoption of fair information practices, similar to those contained in the federal Privacy Act of 1974, by organizations that collect, analyze, or disseminate health information.

Additional research is needed on methods for linking patient information, ways of allowing anonymous care, audit tools, and management practices to limit the distribution of information to outsiders. The federal government also should fund experiments that mimic actual environments to explore effective and inexpensive ways to control access. Doctors, hospital administrators, and others in the health community also need to become more connected to security efforts at the national level.

The study was funded by the National Library of Medicine, the Warren Grant Magnuson Clinical Center of the National Institutes of Health, and the Massachusetts Health Data Consortium. The National Research Council is the principal operating agency of the National Academy of Sciences and the National Academy of Engineering. It is a private, non-profit institution that provides science and technology advice under a congressional charter. A committee roster follows.

*Pre-publication copies of For the Record: Protecting Electronic Health Information are available from the National Academy Press at the mailing address in the letterhead; tel. (202) 334-3313 or 1-800-624-6242. The cost of the pre-publication is $35.00 (prepaid) plus shipping charges of $4.00 for the first copy and $.50 for each additional copy. Reporters may obtain copies from the Office of News and Public Information at the letterhead address (contacts listed above).


      National Research Council
      Commission on Physical Sciences, Mathematics, and Applications
      Computer Science and Telecommunications Board

      Committee on Maintaining Privacy and Security in Health Care Applications
      of the National Information Infrastructure

      Paul D. Clayton* (chair)
      Professor and Chair
      Department of Medical Informatics, and
      Director, Clinical Information Services
      Columbia Presbyterian Medical Center
      New York City

      W. Earl Boebert
      Sandia National Laboratories
      Albuquerque, N.M.

      Gordon H. DeFriese*
      Professor of Social Medicine, Epidemiology, and
      Health Policy and Administration, and
      Director, Cecil G. Sheps Center for Health Services Research
      University of North Carolina
      Chapel Hill

      Susan P. Dowell
      Executive Vice President and Chief Operating Officer
      Medicus Systems Corp.
      Evanston, Ill.

      Mary L. Fennell
      Professor of Sociology and Community Health
      Brown University
      Providence, R.I.

      Kathleen Frawley
      Vice President, Legislative and Public Policy Services
      American Health Information Management Association
      Washington, D.C.

      John Glaser
      Vice President and Chief Information Officer
      Partners HealthCare System Inc.
      Boston

      Richard A. Kemmerer
      Professor and Chair
      Computer Science Department
      University of California
      Santa Barbara

      Carl E. Landwehr
      Head, Computer Security Section
      Center for High Assurance Computer Systems
      U.S. Naval Research Laboratory
      Washington, D.C.

      Thomas C. Rindfleisch
      Director, Center for Advanced Medical Informatics
      Stanford University School of Medicine
      Stanford, Calif.

      Sheila A. Ryan*
      Dean and Professor
      School of Nursing, and
      Director, Medical Center Nursing
      University of Rochester
      Rochester, N.Y.

      Bruce J. Sams Jr.*
      Executive Director
      The Permanente Medical Group Inc. (retired)
      Independent Consultant
      Belvedere, Calif.

      Peter Szolovits
      Professor of Computer Science and Engineering
      Massachusetts Institute of Technology, and
      Head, Clinical Decision-Making Group
      Laboratory for Computer Science
      Boston

      Robbie G. Trussell
      Senior Project Manager, Pharmacy Information Systems
      Presbyterian Healthcare System
      Dallas

      Elizabeth Ward
      Assistant Secretary of Epidemiology, Health Statistics, and
      Public Health Laboratories
      Washington State Department of Health
      Olympia

      SPECIAL ADVISER

      Paul M. Schwartz
      Professor
      School of Law
      University of Arkansas
      Fayetteville

      RESEARCH COUNCIL STAFF

      Jerry R. Sheehan
      Program Officer

      Herbert S. Lin
      Senior Staff Officer

      (*) Member, Institute of Medicine