Journal of Informatics in Primary Care 1996 (March):15-17




Privacy and security of personal health information

Ian R Cheong, BMedSc, MB BS, GradDipCompSc, AACS

Information Management Fellow, Royal Australian College of General Practitioners

email cheongi@acslink.net.au


Abstract

Privacy and security of personal health information continue to generate much discussion and debate. Significant international initiatives appear to be little known. As applied to information, "privacy" and "security" are poorly understood terms. The keys to a solution are: education of the medical profession, leadership by medical professional bodies, and multidisciplinary co-operation.


Introduction

Privacy of personal information is widely believed to be threatened by computer databases and electronic networks. In Australia, privacy concerns are one significant reason GPs have shied away from using computers for clinical care. The privacy implications of the NHS-Wide Network have generated much discussion on the gp-uk electronic mailing list.

Security is often thought to be the cure for privacy problems. Countries all over the world are struggling to deal with these issues in a satisfactory manner. This paper discusses information privacy and security with an Australian flavour.


Definitions

There is no generally accepted simple definition of privacy. It is clear that privacy is more than just "confidentiality". Australia's Privacy Commissioner states that privacy is considerably more encompassing than either "security" or "confidentiality"[1]. He believes most privacy concerns can be classified as either unwanted intrusions into an individual's private life, or the right to control the uses of personal information about oneself.

The Australian Privacy Charter lists eighteen general privacy principles, which it describes as a group of related rights which are accepted nationally and internationally. They can be found on the World Wide Web[2]. These principles are much broader than the Organisation for Economic Co-operation and Development's (OECD) "information privacy principles"[3]. It is these OECD principles which have formed the basis for privacy and data protection legislation around the world, including the UK's Data Protection Act 1984.

The objective of security of information systems is to protect Confidentiality, Integrity and Availability (acronym: security = CIA[4]). The following definitions are used by the OECD[5]: "Confidentiality" means the characteristic of data and information being disclosed only to authorised persons, entities and processes at authorised times and in the authorised manner. "Integrity" means the characteristic of data and information being accurate and complete and the preservation of accuracy and completeness. "Availability" means the characteristic of data and information and information systems being accessible and usable on a timely basis in the required manner. "Authentication" is considered part of "integrity".


The Privacy Problem

The problem of maintaining privacy is partly a human issue and partly a technology issue. Clearly, it is information technology which has created the perceived threat to privacy. Humans have been able to threaten privacy for a long time, but we are all comfortable with that. It seems logical for technology to solve a new problem for which it is largely responsible, hence the prominent place of "security" alongside any discussions on electronic information privacy. Many informal discussions among GPs on privacy appear to focus on the confidentiality issue as being privacy in toto. This tends to focus the debate on breaches of security by outsiders, particularly hackers. This is a jaundiced view.

When we consider the likely uses of health information, it may be that organisational data collectors, like research organisations or government, create the invasion of privacy. The public seem more concerned with linkage of multiple databases. Between 1985 and 1987, the debate raged over the Australian Government's proposal for an Australia Card. This was to be a unique identifier for every Australian. The Australian public rejected the idea and it has not resurfaced. Clearly, sections of government would like to have massive data collections to be able to address problems like social security fraud and tax evasion. The public sees this as being less of a problem than potential invasion of their privacy.

In the USA, central patient data warehouses are maintained by pharmaceutical companies and health maintenance organisations, who use the data for corporate research and even sell it to insurance companies. Secondary uses of aggregated health data represent a pseudo-legitimate cause which might easily breach information privacy principles. It is this sort of activity which is facilitated by unrestricted transmission of electronic patient data. How is the individual supposed to know who holds data about them? Kluge[6] argues that electronic patient data should be afforded the same sorts of rights as the patient, because the accumulated data represents an 'electronic patient analogue'. The principle of consent is a recognition of this right.


Privacy protection - an Australian perspective

In Australia, there is no legislation which protects privacy across all jurisdictions. There is only a Commonwealth Privacy Act 1988, which does not apply outside Commonwealth organisations or to any private sector organisation. The Australian states do not have any privacy legislation, though New South Wales is working on a bill. Data protection legislation in other countries is similar to Australia's Privacy Act, reflecting their common origin in the OECD privacy guidelines. To address the need for privacy in health care information systems, Australia has developed an Australian Standard: "Personal privacy protection in health care information systems". It will be released in early October 1995. It draws on the information privacy principles stated in Australia's Privacy Act 1988, but goes much further towards a practical solution.

The Australian Standard is similar in concept to the ISO9000 quality standards, being a statement of general principles and procedures. It is not currently a prescriptive technical document, though technical issues do eventually need to be addressed.

Conceptually, the Standard comprises:

  1. References to generally accepted international privacy and information security principles and other recognised guidelines. These are the OECD "Guidelines on the protection of privacy and trans-border flows of personal data"[3] and the OECD "Guidelines for the security of information systems"[5] and the National Health and Medical Research Council's guidelines on privacy protection in research[7]
  2. Management principles and procedures broadly applicable to protect privacy of both paper and electronic records
  3. An approach to the technical implementation of information security services for the protection of privacy, based on international standards. At the moment, British Standard BS7799, A Code of Practice for Information Security Management[8], is the referenced document. In future, it will be the appropriate Australian or international standard

The Australian Standard recognises the importance of the human element in privacy protection. Key elements in this regard are responsibility, accountability and penalties documented in writing. For further details, see the Standard[9].

By extending to management principles and an approach to technical implementation, the Standard addresses more than Australia's Privacy Act 1988. Any future state legislation is unlikely to make the Standard obsolete, because it is unlikely to address more than the Commonwealth Act. No other country has a similar standard. Data protection or privacy legislation in other countries does not address the management or technical levels of the Australian Standard. It will be interesting to see how the standard is implemented in practice over the coming years, and whether other countries parallel its implementation.


Information security and privacy

Information security is still an important part of a total privacy protection solution, as well as being important in its own right. Information security is dependent on human and technical factors. To address the human issues is no more difficult than any other management challenge. It requires understanding of the issues, commitment to a solution, and sound implementation. Education is a key component.

An acceptable technical solution to information security in the health care setting is our holy grail. We know that information security is best designed into an information system from the outset. We know that no system is completely secure. We know that more secure systems generally cost more. We know that information technology continues to advance at breakneck speed. We know that GPs don't want to spend a lot on information security. We know that transmission, aggregation and secondary uses of electronic data add significant value and are highly desired by clinicians, government, researchers, and corporations. We also know that the transmission and aggregation pose significantly greater risks to privacy and security.

The fundamental difficulty arises from trying to balance all of these conflicting requirements. Risk assessment seems to be the key to sorting out a reasonable solution. Thoughtful consideration of all of the risks to information privacy and security and their consequences can result in a reasonably balanced solution. The problem with risk assessment is that it is not an exact science. It is similar to economics, in that somewhat arbitrary values, weightings and judgments contribute to the process and eventual outcome. Continued technological advancement makes predicted costings of technical solutions in the medium term quite uncertain.


Privacy, security and the GP

It is important to distinguish between management and technical issues in the protection of privacy and security. Management issues are firmly within the control of GPs in their practices and the professional bodies who are responsible for overseeing 'best practice'. In Australia, awareness of privacy and security management appears to be poor. Education is paramount. Professional bodies must demonstrate leadership.

The Royal Australian College of General Practitioners' "Code of Practice for Medical Records", currently being prepared from an interim draft, aims to set the 'best practice' guidelines for Australian GPs to manage both paper and electronic records. The Australian Standard on "Privacy protection in health care information systems" raises the bar for all health care providers. Technical issues, on the other hand, are largely the responsibility of the system vendors. It is the vendors who must build in the smart card access control, the secure operating system patches, the encrypted audit trails and messages, the automatic backup procedures, and whatever else is deemed appropriate for a reasonable implementation of information system security in general practice. Clearly, no vendor will spend time implementing security solutions if there is no demand. We as GPs must arrive at a means for letting the vendors know what is required of them. (I have hinted above at the sorts of things which might be reasonable. A future paper will discuss this in more detail.)

On the other hand, it is absolutely imperative that a solution be realistic and practical. GPs will not spend many thousands of dollars securing a computer system just for kicks. It is unlikely we will see large numbers of time-locked, smart-card-protected, secure computer rooms in general practice. Secure operating systems and trusted systems appear to be pure fantasy in our environment. Solutions which are onerous will be bypassed. For example, trying to enforce GPs' use of secure passwords that are impossible to remember breeds the post-it note attached to the screen saying what the password is.

A good solution will be almost transparent to the user. In the end, it will be the open dialogue that occurs between the disciplines of medicine, information technology and law that will help us to realise a workable system for the community[10].


References

  1. O'Connor K. Confidentiality, privacy and security concerns in the modern healthcare environment. Australian Computer Journal 1994;26(3):70-77
  2. The Australian Privacy Charter. Australian Privacy Charter Council, Faculty of Law, University of New South Wales, Australia (also available at http://commerce.anu.edu.au/comm/staff/RogerC/RogersHome.html)
  3. Guidelines on the protection of privacy and trans-border flows of personal data. Organisation for Economic Co-operation and Development, Paris, 1981
  4. Caelli WJ. Professor and Head of School of Data Communications, Faculty of Information Technology, Queensland University of Technology, [personal communication]
  5. Guidelines for the security of information systems. Organisation for Economic Co-operation and Development, Paris, 1992
  6. Kluge EHW. Advanced patient records: some ethical and legal considerations touching medical information space. Meth Inf Med 1993;32(2)(Apr):95-103
  7. Aspects of privacy in medical research. National Health and Medical Research Council, Canberra, 1993
  8. BS7799: A code of practice for information security management. British Standards Institution, Watford, 1995
  9. Australian Standard: Personal privacy protection in health care information systems. Standards Australia, Sydney, 1995
  10. Cheong IR, Mackenzie GI. The chicken or the egg - standards or solutions for electronic records. In Proceedings of the Second National Health Informatics Conference, HIC'94. Health Informatics Society of Australia, Melbourne, 1994
