Is Your Privacy Protected?

9 September 2007 (Last Updated September 9th, 2007 18:30)

How can you be sure medical information in an EPR system is secure and not susceptible to unwanted audiences?

The implementation of electronic patient records (EPR) is growing globally, but it is not without controversy. The merits of using IT to maintain patient records are being debated across the world, from France to the UK, Australia to Canada. An important element of the debate involves weighing the benefits of such a system against the risks to public privacy. A central electronic database of patient records may help provide more efficient and effective care, but at what risk to people's privacy and welfare?

In the UK, the implementation of the NHS Connecting for Health IT initiative lurches onwards, as cost estimates rise towards £15bn. The technological difficulties involved in implementing the first system of its size in the world are not the only challenges faced by the UK Government.

"It is a very ambitious programme, the largest civilian IT programme in the world, and the largest outsourced IT project in the public sector," says Naomi Fulop, professor of health and health policy at King’s College, London. "The aim is to give a ‘spine’ to the system by uploading the summary medical record of every person in the country, which can be universally accessed by healthcare professionals. If you live in London, but get run down in Newcastle, the local hospital staff will be able to access your records."

The introduction of a mass EPR system in the UK is expected to lead to similar initiatives around the world, but there are a number of issues that first need to be tackled.

SECURITY CHALLENGES

There is no question that the security challenges created through the implementation of an EPR system are immense. The first problem to be considered is compliance with regulatory frameworks. "There are lots of regulations applicable to different pieces of data, at different times," says Guy Bunker, senior director of technical strategy at Symantec, the global information security company. "These are continually changing. Companies cannot assume that because they comply with the regulations today they will be fine for the next ten years."

The regulatory framework in the UK is complex, encompassing EU- and UK-based regulations, focusing on privacy, data protection and freedom of information. For example, the EU directive 95/46/EC covers the protection of individuals with regard to the processing of personal data and the free movement of this data.

The situation is simpler in the US, where regulations are collected under the Health Insurance Portability and Accountability Act (HIPAA), passed in 1996. HIPAA’s privacy rule, which took effect in 2003, regulates the use and disclosure of protected health information (PHI) – any information about the health status, provision of healthcare or payment for healthcare that can be linked to an individual.

There is also the issue of what data to protect, and where that data is located. "There are database records with critical information, plus information coming in from email, as well as documents scanned into the system," says Bunker. "You must be able to collate all the pieces of information and determine which are the most critical."

The next step involves locating the information that needs protecting. "Most hospital authorities still have mainframes with databases containing a lot of this information," says Bunker. "At doctors’ surgeries the information might be held on small computers, or on laptops. It is also quite possible that you will have patient information stored on mobile devices, such as the BlackBerry or the new breed of smart phones."

An organisation cannot implement its security framework and policies until it understands where all the information is located and where it can go.

When systems security is the issue, often the first solution that springs to mind is encryption. "Anything that is movable will need encryption," says Bunker. "If critical data is sitting on a laptop, you should look at encrypting the laptop."

"Security becomes even more of a problem with converged devices, because you are more likely to lose a mobile phone. The IT department has to remain in control of encryption, in order to make sure that the organisation does not fall foul of regulations."

However, technology is not the only issue that needs to be taken into consideration. Implementing the correct policies and processes around security is essential – determining who is allowed access and what they are allowed to see. "Organisations need to start revisiting some of the old policies they have implemented, questioning why people have data stored on their laptops, for example," says Bunker.

Policies may not remain effective over time, and gaps in them could allow patient record information to leak. There may be difficulties involved in proving the identity of the person requesting information. How is the healthcare organisation going to deal with people requesting this very personal information, which could potentially be used for blackmail? Other issues include the processes around the storage and disposal of records, such as how data storage methods might change over a patient’s lifetime.

PATIENT CHOICE

While many governments, healthcare authorities and organisations around the world support the idea of an EPR system, not everyone is convinced. One of the biggest concerns is the question of patient opt-in or opt-out. While some systems require the patient to opt in, many, such as those in the UK, automatically upload patients’ records. Patients are then able to opt out of the system if they are uncomfortable with the idea of their records being available on an electronic database.

"I think the risks of moving to a system of distributed electronic records are massively underestimated," says Paul Cundy, spokesman for general practice computing at the British Medical Association (BMA). "Although people talk about privacy-enhancing technologies, including smart cards, log-ins and passwords, the reality is that human behaviour can usually outwit most of these measures, so they end up becoming virtually worthless."

The UK’s NHS has already experienced access issues, notes Cundy. These have occurred with the use of smart cards in casualty departments, and in the Choose and Book system, where some medical secretaries have been wrongly granted the same access rights as consultant doctors.

The BMA is concerned about the opening up of EPRs through electronic distribution. "The NHS has 1.2 million users and 350,000 terminals, and any one of those terminals can access personal health records," says Cundy. The benefits provided through universal access need to be balanced with the risk of additional exposure.

A rethink is required around the implementation of an EPR system. Patients should control access, and doctors should only be able to look at the record if there is ‘a legitimate relationship’. This is defined as the relationship a patient has with medical practitioners engaged in delivering their healthcare. If patients control access to their records, they can allow any doctor with whom they have a legitimate relationship to retrieve information from their personal files.
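The access model described above (patient opt-out, a legitimate relationship established by care delivery, and patient-controlled permission for a practitioner) can be made concrete as a small authorisation check. The following is an added example written for this page, not code from the NHS programme or any vendor mentioned here; the role names, user and patient identifiers, and the rule that administrative roles such as a medical secretary never see clinical content are assumptions chosen to illustrate the Choose and Book mis-grant mentioned earlier. Every decision, allowed or denied, is written to an audit trail so that misuse of a terminal is at least visible afterwards.

```python
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    CONSULTANT = "consultant"
    GP = "gp"
    SECRETARY = "secretary"


# Roles permitted to read clinical content. Administrative roles are
# deliberately excluded (an assumption made for this example), so a
# secretary with the same smart card cannot inherit a consultant's view.
CLINICAL_ROLES = frozenset({Role.CONSULTANT, Role.GP})


@dataclass(frozen=True)
class User:
    user_id: str
    role: Role


@dataclass
class PatientRecord:
    patient_id: str
    opted_out: bool = False          # patient chose to stay off the shared record
    summary: str = "<clinical summary placeholder>"   # constructed content


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class AccessPolicy:
    # (patient_id, user_id) pairs created by a care episode: the
    # 'legitimate relationship' the article refers to
    relationships: set = field(default_factory=set)
    # (patient_id, user_id) pairs the patient has explicitly permitted
    patient_grants: set = field(default_factory=set)
    # every decision, allowed or not, is appended here
    audit: list = field(default_factory=list)

    def authorise(self, user: User, record: PatientRecord) -> Decision:
        """Evaluate the checks in order and log the outcome."""
        pair = (record.patient_id, user.user_id)
        if record.opted_out:
            decision = Decision(False, "patient opted out of the shared record")
        elif user.role not in CLINICAL_ROLES:
            decision = Decision(False, f"role '{user.role.value}' may not read clinical content")
        elif pair not in self.relationships:
            decision = Decision(False, "no legitimate relationship with this patient")
        elif pair not in self.patient_grants:
            decision = Decision(False, "patient has not permitted this practitioner")
        else:
            decision = Decision(True, "legitimate relationship and patient permission")
        self.audit.append((user.user_id, record.patient_id, decision.allowed, decision.reason))
        return decision

    def read_summary(self, user: User, record: PatientRecord) -> str:
        """Return the clinical summary only when authorise() allows it."""
        decision = self.authorise(user, record)
        if not decision.allowed:
            raise PermissionError(decision.reason)
        return record.summary


def build_demo_policy() -> AccessPolicy:
    """Constructed sample data: two patients, three practitioners."""
    policy = AccessPolicy()
    policy.relationships.update({
        ("pat-1", "dr-gp-1"), ("pat-1", "dr-cons-1"), ("pat-1", "sec-1"),
        ("pat-2", "dr-gp-1"),
    })
    # pat-1 has permitted both doctors; pat-2 has permitted nobody yet
    policy.patient_grants.update({("pat-1", "dr-gp-1"), ("pat-1", "dr-cons-1")})
    return policy


def run_scenarios():
    """Exercise each rule once; returns (outcomes, audit trail)."""
    policy = build_demo_policy()
    pat1, pat2 = PatientRecord("pat-1"), PatientRecord("pat-2")
    pat3 = PatientRecord("pat-3", opted_out=True)
    gp, cons = User("dr-gp-1", Role.GP), User("dr-cons-1", Role.CONSULTANT)
    sec, stranger = User("sec-1", Role.SECRETARY), User("dr-gp-9", Role.GP)
    outcomes = {
        "gp_with_relationship_and_grant": policy.authorise(gp, pat1).allowed,
        "consultant_with_relationship_and_grant": policy.authorise(cons, pat1).allowed,
        "secretary_despite_relationship": policy.authorise(sec, pat1).allowed,
        "gp_without_patient_grant": policy.authorise(gp, pat2).allowed,
        "doctor_without_relationship": policy.authorise(stranger, pat1).allowed,
        "opted_out_patient": policy.authorise(gp, pat3).allowed,
    }
    return outcomes, policy.audit


if __name__ == "__main__":
    for name, allowed in run_scenarios()[0].items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The order of the checks matters: opt-out is evaluated before anything else, so an opted-out record is never disclosed even to a practitioner who would otherwise qualify, and role is checked before relationship, so an administrative user is refused without the system revealing whether a relationship exists.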

Interestingly, the UK government’s approach to electronic patient records seems inconsistent with its commitment to patient choice. "Everything in the NHS is now driven by patient choice," says Cundy. You can decide what happens to you, when it happens to you, who does it to you, where it is done and which way it is done. But currently there is no way to choose who holds or has access to your records.

With the implementation of the Connecting for Health programme suffering from delays, it may be some time until it becomes clear whether the potential security risks will give rise to the problems that critics predict. Until then, however, healthcare organisations across the world will be watching the UK’s pioneering EPR experiment with considerable interest, to determine whether such systems can be rolled out worldwide.