At the First Summit on the Future of Health Privacy last Monday, there was a lot of interesting talk about electronic health records, as these are now being widely rolled out in the U.S. In general, I'm an advocate of technological solutions to policy problems, with the law to back up the technology where necessary. The privacy issues raised by electronic health records are no exception.
Professor Ross Anderson and several other speakers lent strong support to ensuring privacy through "system architecture". The essence of this proposal is that we should avoid central databases. Where a database is local to a particular clinic, hospital, or even municipality, the number of people with access to the database is inherently limited. The thinking is thus that the consequences of any data breach are likewise limited to only those patients in the database.
To illustrate the architectural problem, Ross gave a great example from the U.K. Within hours of a central health records system going live, one doctor had accessed the records of the Prime Minister, as well as those of many celebrities. With every doubling of the system size, you double the number of health professionals with access and double the likelihood of authorizing an unscrupulous individual.
This is the right type of thinking. However, although limiting the system size is one solution to this problem, it's not a great one overall. One of the key advantages of an electronic health records system is that it can allow patient data to be quickly and easily transmitted to where it's needed. A doctor should be able to pull up the relevant and necessary health history of an unconscious patient wherever it's needed. Patients should also be able to fill prescriptions at any pharmacy where they choose to give the pharmacy access to electronic prescriptions.
Fortunately, there's a technological way to limit the scope of access to patient data, even while maintaining the convenience of a central database. In fact, this can be done with much better granularity than limiting access through system architecture to a particular region. The data needs to be encrypted, with careful consideration as to who is given the keys.
A first layer of encryption needs to mirror the security that architectural limits can provide. The read/write key should, in the first instance, only be accessible by a patient and her or his GP. The patient's health card should contain this key, giving the patient the ability to hand it over to any health clinic, hospital, or pharmacy that the patient visits. A patient's GP could also transmit the key to any health facility or pharmacy that requires it.
This effectively constrains the scope of an individual's records to only the places physically visited or otherwise authorized; this is much finer granularity than would be provided by limiting the size of a database, and with more flexibility.
No access by Data Providers
For these "location-restricting" keys, the data provider (where the records are stored) must NOT have access to them.
To illustrate, consider another great example from the U.K. that was discussed by Ross. A police officer asked a gynecologist for all health records of patients under the age of 16 years. The justification was that anyone under the age of 16 who has been involved in sexual relations has committed a crime. The doctor at the clinic rightfully refused and told the officer she'd see him in court. Problematically, could we really trust a network administrator at a data centre to do the same? It's important that the data centre itself is not able to access the records.
Additionally, where the keys are not even at the data centre, the information would not be compromised by unauthorized access to the data centre. Quite frankly, I'd be very concerned about any type of electronic health record system whatsoever where the data is either unencrypted, or where the data provider has full access. With all the security breaches recently, including major banks and even the CIA, it would only be a matter of time before everyone's records were compromised.
Of course, the scope of employees at a particular health clinic that has been given this encryption key is still a wide net. An audience member at the Health Privacy Summit, who worked at Oracle, noted that just about everyone from top management down to the janitors at the U.S. Department of Veterans Affairs has access to the records there. There needs to be finer-grained control.
This is where a second layer of encryption comes in. The data provider needs to create services for granting and controlling access to different groups of personnel. Ideally, the data provider should provide a web portal through which a patient and a patient's doctor can monitor the various access grants.
Importantly, an access control system implemented in this manner inherently creates traceability. A data provider can easily record each access in an audit log. I think it's only reasonable that a patient should at least know who has access to these personal health records. If a medical insurance company provides health data to third parties for analysis, a patient should be able to track who this third party is and what records they are accessing. With access control, the data provider can even record which particular records any person accesses.
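To make the two layers concrete, here is an added model of the proposal, written for this page rather than taken from the post or from any product mentioned at the summit. Layer 1 is a per-patient record key that only the patient's card and the GP hold; the data provider stores the encrypted record and the record key wrapped under each holder's own key, so it can decrypt nothing. Layer 2 is the provider's grant table: only a layer-1 key holder (patient or GP) may grant or revoke access, every read and grant attempt lands in the audit log, and a grant that is not on file is refused. The cipher is an HMAC-SHA256 counter-mode construction with an encrypt-then-MAC tag, chosen as a stand-in so the example runs on the Python standard library alone; a deployment would use an AEAD such as AES-GCM. The principal names, keys and record contents are all constructed for the walkthrough, and caller authentication at the provider is assumed rather than modelled.

```python
"""Two-layer model of the post's proposal: layer-1 record keys that only the patient's
card and the GP hold, and layer-2 grants, audit logging and revocation at the provider.
The cipher is an HMAC-SHA256 counter-mode stand-in (encrypt-then-MAC) so the example runs
on the standard library alone; a deployment would use an AEAD such as AES-GCM."""
import hashlib
import hmac
import os
from datetime import datetime, timezone

def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(_prf(key, nonce + i.to_bytes(4, "big")) for i in range((n + 31) // 32))[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; encryption and MAC use separate subkeys."""
    nonce = os.urandom(16)
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(_prf(key, b"enc"), nonce, len(plaintext))))
    return nonce + body + _prf(_prf(key, b"mac"), nonce + body)

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + body)):
        raise ValueError("wrong key or tampered record")
    return bytes(c ^ s for c, s in zip(body, _keystream(_prf(key, b"enc"), nonce, len(body))))

class DataProvider:
    """Stores ciphertext and wrapped keys only, so it can decrypt nothing it holds.
    Caller identity is assumed to be authenticated out of band (not modelled here)."""

    def __init__(self):
        # records: patient -> sealed record; wrapped: (patient, principal) -> record key sealed
        # under that principal's key; controllers: layer-1 holders who may grant; grants: who may fetch
        self.records, self.wrapped, self.controllers, self.grants, self.audit_log = {}, {}, {}, {}, []

    def _log(self, patient_id, principal, action):
        self.audit_log.append((datetime.now(timezone.utc).isoformat(), patient_id, principal, action))

    def store(self, patient_id, sealed_record, wrapped_keys):
        self.records[patient_id] = sealed_record
        self.controllers[patient_id] = set(wrapped_keys)
        self.grants[patient_id] = set(wrapped_keys)
        self.wrapped.update({(patient_id, p): wk for p, wk in wrapped_keys.items()})

    def grant(self, patient_id, issued_by, principal, wrapped_key):
        if issued_by not in self.controllers[patient_id]:
            self._log(patient_id, issued_by, f"grant-denied:{principal}")
            raise PermissionError(f"{issued_by} may not grant access to {patient_id}")
        self.wrapped[(patient_id, principal)] = wrapped_key
        self.grants[patient_id].add(principal)
        self._log(patient_id, issued_by, f"grant:{principal}")

    def revoke(self, patient_id, issued_by, principal):
        if issued_by not in self.controllers[patient_id]:
            raise PermissionError(f"{issued_by} may not revoke access to {patient_id}")
        self.grants[patient_id].discard(principal)
        self.wrapped.pop((patient_id, principal), None)
        self._log(patient_id, issued_by, f"revoke:{principal}")

    def fetch(self, patient_id, principal):
        allowed = principal in self.grants.get(patient_id, set())
        self._log(patient_id, principal, "read" if allowed else "read-denied")  # every attempt is logged
        if not allowed:
            raise PermissionError(f"{principal} has no grant for {patient_id}")
        return self.records[patient_id], self.wrapped[(patient_id, principal)]

def can_read(provider, patient_id, principal, principal_key, record):
    """Fetch as `principal`, unwrap the record key with that principal's own key, decrypt, compare."""
    try:
        blob, wrapped_key = provider.fetch(patient_id, principal)
        return unseal(unseal(principal_key, wrapped_key), blob) == record
    except (PermissionError, ValueError):
        return False

def run_scenario():
    # Constructed principals, keys and record contents for the walkthrough.
    patient, gp, pharmacy, police = "patient:p001", "gp:dr-smith", "pharmacy:a", "police:officer-x"
    card_key, gp_key, pharmacy_key, record_key = (os.urandom(32) for _ in range(4))
    record = b"allergy: penicillin; rx: salbutamol inhaler"
    provider = DataProvider()
    provider.store(patient, seal(record_key, record),
                   {patient: seal(card_key, record_key), gp: seal(gp_key, record_key)})
    r = {"plaintext_visible_to_provider": record in provider.records[patient]}
    r["gp_reads"] = can_read(provider, patient, gp, gp_key, record)
    r["pharmacy_before_grant"] = can_read(provider, patient, pharmacy, pharmacy_key, record)
    try:  # the officer holds no layer-1 key, so the provider refuses his self-issued grant
        provider.grant(patient, police, police, b"")
        r["police_self_grant"] = True
    except PermissionError:
        r["police_self_grant"] = False
    provider.grant(patient, gp, pharmacy, seal(pharmacy_key, record_key))  # GP hands the key over
    r["pharmacy_after_grant"] = can_read(provider, patient, pharmacy, pharmacy_key, record)
    provider.revoke(patient, gp, pharmacy)
    r["pharmacy_after_revoke"] = can_read(provider, patient, pharmacy, pharmacy_key, record)
    r["audit_actions"] = [action for _, _, _, action in provider.audit_log]
    return r
```

Two design points are worth noting. The provider can refuse a read, but it can never perform one: even a full copy of its storage yields only ciphertext and wrapped keys, which is what puts the data centre outside the circle of trust. Revocation at the provider stops further reads, but a grantee who has already unwrapped the record key still holds it, so a real system pairs revocation with rotating the record key and re-wrapping it for the remaining holders; the audit log is what tells the patient and GP whether that rotation is warranted.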
At the conference, there was also a lot of talk about data segregation. This technology allows different access controls on different health records. If a patient wants to hide certain records that are not relevant to a particular doctor, he or she can do so. It appears there are a lot of companies pouring a lot of money into these solutions.
A server-side access control system could seamlessly provide this type of control, although I'm not sure it's entirely necessary (and it could introduce another layer of complexity that must be dealt with by over-resourced doctors). I think it's much more important to control WHO has access, rather than WHAT they have access to.
The WHO of who has access should remain small. In fact, this WHO should only be people that can be trusted with the privacy of your health data. Primarily, this is the patients themselves and their own physicians. The law protects this trust between patients and their doctors by making it a fiduciary relationship, mandating the highest standard of care and good faith.
Doctors who are legally mandated with this high standard of care should be the only ones (other than patients) that can grant others access to health records. This is analogous to the paper world, where doctors have physical control of health records and are responsible for whom they give them to. If a doctor carelessly or needlessly distributes access to others, he or she would be in breach of fiduciary duties. A legal remedy would be available.
To recap, a first layer of encryption should provide data safety from unscrupulous law enforcement officers, compromised data centres, and any facility without the authority to access a particular patient's records. A second layer should provide access control at per-person or per-group granularity, allowing access auditing and flexible security measures such as data segregation and the revocation of previously-issued security certificates. This second layer should be controlled only by patients and their doctors, keeping control of the records within the trust circle of a fiduciary relationship.