Privacy by Design: improving data security with RFID15 May 2012
Healthcare providers are recognising the benefits of adopting RFID technology into their operations. But widespread use of RFID raises serious questions about data security and confidentiality, and patient privacy and dignity. Healthcare professionals need to understand the steps that can be taken to mitigate potential threats to privacy using the Privacy by Design approach, writes Dr Ann Cavoukian.
Radio frequency identification (RFID) is a wireless technology that uses radio frequency signals to transmit and receive data from RFID 'tags' to tag readers, allowing remote identification. This information technology can automate manual processes, and results in new forms of data collection and processing. An RFID system is typically composed of:
- RFID tags that contain a unique set of characters, like a serial number
- RFID readers that can be wireless handheld or fixed devices
- a communications infrastructure, including middleware, that permits RFID readers to process the data from the RFID tags, manage communications, control physical access and security, connect to back-office applications, and take actions on the basis of the data.
There are advantages to using RFID-based systems:
- identification is accurate without the need to touch the RFID tag
- manual data-collection processes can be automated, freeing up valuable resources
- wireless data transmissions can be protected against eavesdropping
- data stored in RFID tags can be protected against unauthorised access, modification or duplication
- special devices are required to read RFID tags, increasing privacy in some cases (compared with visible information)
- more sophisticated RFID tags can have their data payloads reprogrammed, and actively broadcast their presence.
Originally, RFID applications were confined to supply chain management, physical access control and even card payment applications. Now that RFID tags are smaller and less expensive, and have expanded in terms of their communications capabilities, the possibilities for improving bedside care and patient safety are endless.
RFID in healthcare
RFID technology is already being used or tested in a variety of healthcare contexts. Medical and surgical equipment, specimens and laboratory results are being located and tracked within healthcare facilities, leading to more effective use of resources - the UK Nursing Standard magazine notes that a nurse spends 26 days a year simply hunting for equipment. The technology is being successfully used to tag pharmaceutical products to reduce the risk of counterfeit medications, and improve stock rotation and recalls - all to ensure that the right medicine, in the right dosage, is given to the right person at the right time.
RFID is also increasing safety during operations by helping to ensure that all surgical equipment is accounted for and is reducing incidents of mistaken identity during critical surgery. A major strength of RFID is its ability to call up data from the patient's file, accurately and instantly. Other applications include matching newborn infants with their parents, and triggering a lockdown if an infant has been improperly removed from a secured area.
RFID has had success with locating patients needing extra care (for example, Alzheimer's disease patients). The technology is also being effectively used to help enhance patient registration and management processes at hospitals, leading to analysis of bottlenecks, improvement in flow and reduction in wait times through increased data availability.
RFID offers many potential benefits in a wide variety of healthcare contexts for improving the safety, efficiency and effectiveness of healthcare delivery; however, if not implemented with due care, it can also affect privacy interests in profound and negative ways.
Privacy is about exercising control over the collection, use, disclosure and retention of personal information, recorded or otherwise. The definition of personal information is broad in scope, making the challenges for privacy and data protection equally broad.
Personal health information is among the most sensitive types of personal information. It requires higher justification for its collection, use and disclosure; rigorous protections against theft, loss, and unauthorised use and disclosure; strong security around retention, transfer and disposal; and more extensive accountable governance mechanisms. Unauthorised identification, tracking, surveillance and profiling of individuals are serious privacy issues. Security issues related to RFID tags - including skimming, eavesdropping, interception, interference, tampering, cloning and misuse - can also have a profound impact on privacy.
The following fundamental properties of all RFID information systems are particularly relevant to privacy, regardless of the application type or deployment scenario.
- Healthcare providers must realise that RFID systems are a key part of an overall information system. A holistic systems approach to privacy is warranted rather than a strict focus on the interaction between tag and reader.
- RFID tags contain a unique alphanumeric string, indicating not only the presence of an object, like an anti-theft tag, or a class of objects, like a product barcode, but also an individualised serial number. The ability to uniquely identify individual items has privacy implications when those items can, through inference or linkage, be associated with people.
- RFID tag data can be read at a distance, without 'line-of-sight' and through many camouflaging materials, potentially without the knowledge or consent of the individual who may be carrying the tag. This has serious implications for informed consent.
- RFID information systems can also capture time and location data, on which item histories and profiles can be constructed, making accountability for data use critical. When such systems are applied to people, it may be viewed as surveillance.
Such privacy-relevant properties of RFID systems need to be addressed early in the design and deployment of every RFID-enabled application in order to mitigate the privacy risks. This is achieved by applying Privacy by Design principles.
To simplify the privacy issues, RFID healthcare applications may be divided into three broad categories. The first, Tagging Things, raises few privacy concerns as it refers to keeping track of objects such as inventory, mobile hospital devices, bulk pharmaceuticals and files. The second category involves Tagging People with:
- employee identification and access cards
- patient identification cards
- ankle and wrist identification bracelets (for example, for newborns and dementia patients)
- implantable RFID chips.
The second category has the highest degree of privacy concern and requires the strictest, most rigorous and most transparent application of project management skills and risk mitigation measures. In a complex hospital environment, accurate patient identification is a desirable benefit, as long as the privacy questions have been addressed and the benefits are demonstrable; however, the use of RFID tags for tracking newborns is recommended to prevent them from being abducted from the hospital or from being given to the wrong mother, provided that the full spectrum of privacy measures are engaged.
The third category, Tagging Things Linked to People, must also be addressed very carefully. While objects alone can be tagged and tracked without much fear of raising privacy issues, the privacy question arises when objects, such as hospital access cards or blood samples, can be used to identify individuals, who may not even know they are being tracked.
When tracking and control of items is extended to individuals handling those items, privacy issues arise - more so when informed consent is lacking. In these cases, strong privacy-protective measures are necessary to ensure there are no unintended consequences.
Building privacy into information systems and technologies, whether RFID-enabled or not, begins with early commitment by the organisation's decision-makers, and at the early stages of project design and implementation. A comprehensive, multidisciplinary approach is required.
Below is a high-level approach and general framework for building privacy into information technologies and systems. As a framework, it is useful for general orientation and planning purposes, and may be used as a starting point for deeper analyses, according to the specific objectives, operational characteristics, and other parameters of the RFID proposal or project in question.
- Clearly define, document and limit purposes for collecting and using personal data. The purposes identified should meet the tests of necessity, effectiveness, proportionality, and no-less invasive alternative.
- Develop a comprehensive and realistic project management plan, with the pivotal involvement of a knowledgeable privacy officer, with sufficient authority and resources.
- Identify all information security and privacy risks throughout the data lifecycle, including inside the organisation and external threats.
- Conduct a comprehensive Privacy Impact Assessment of the entire system at the conceptual, logical and physical stages of its development, with a clear plan and timetable for addressing identified risks.
- Build in privacy and security at the outset into the design and operation of an RFID information system, and into the policies that govern its operation.
- Implement appropriate operational and systematic controls that are measurable and verifiable, ideally by independent entities.
- Regularly review the operation and effectiveness of the RFID system, as well as related networking, data storage, wireless transmission and data back-up systems.
In many cases, a one-size-fits-all approach to RFID systems will not work across all healthcare implementations. Each one may need to be highly customised to support the business processes they automate, depending on the interface with back-office, scheduling, medical information or similar support systems. Good privacy and security practices, integrated with strong project management skills, can help healthcare providers manage RFID risks to an acceptable level.
Privacy by Design
Privacy by Design (PbD), a concept developed by Commissioner Cavoukian in the 1990s, is being adopted globally by a growing number of organisations and jurisdictions. It prescribes that privacy be built directly into the design and operation of information technologies, business processes and networked infrastructures.
Instead of treating privacy as an after-thought, PbD is proactive and preventative in nature - a highly effective approach in today's world of increasingly interconnected technologies and extensive data collection. The following principles set out how to proactively make privacy the default mode of operation across an organisation, while achieving its core objectives and maintaining full system functionality:
- proactive not reactive, preventative not remedial
- privacy as the default setting
- privacy embedded into design
- full functionality, positive-sum not zero-sum
- end-to-end security - full lifecycle data protection
So, what can those in the healthcare sector do to ensure that privacy is protected when employing potentially life-saving RFID technology?
Think Privacy by Design, which essentially means that privacy needs to be built in early, at the design stage, before a system is in place where there is the potential for a privacy breach.
Everyone, from healthcare providers and patients to privacy advocates, wants the best technology possible in the health sector without needless invasion of privacy. As a patient, I welcome RFID technology that improves my healthcare; as a privacy commissioner, I firmly believe that we must also ensure that the deployment of this technology does not infringe our privacy.
RFID can improve key segments of healthcare services and protect patient privacy. It's all a matter of changing the paradigm from a zero-sum game to a positive-sum model. The resulting RFID systems will merit the confidence and trust of all users and stakeholders.