Commentary

Balancing privacy and security with health records

In the past few years the government has undertaken an ambitious effort to transform health records with information technology (IT). Currently the Defense Department is offering an $11 billion contract to modernize its electronic health record (EHR) program. Health IT systems such as EHR are expected to produce large benefits by improving care delivery and lowering costs. However, by digitizing and centralizing health data, EHR systems now hold information that is valuable not only to health care providers but also to criminals. As privacy and cybersecurity rise on the political agenda, they are also becoming a major concern for health care policy makers. A recent paper in the International Journal of Applied Information Systems reviews several past efforts to improve security and privacy in EHR systems.

Privacy vs. security

Rigorous security and privacy protections are necessary for the long-term success of EHR systems. If patients believe that EHR systems are insecure, they will be reluctant to use them. Privacy describes the ability to understand and exercise control over how information may be used by others, whereas security is the degree to which information is inaccessible to unauthorized parties. The two are strongly related but have important differences. For example, privacy can be violated by authorized parties when they use information in ways the information owner does not want. In that situation, system security is not breached, but there is a privacy violation. Conversely, if a hacker gains access to health care records, security is breached. Normally privacy is violated as well, but if each record were completely pseudonymized, privacy would remain protected.

Ownership of the information

Traditionally, health record systems are provider- or hospital-based. In a provider-based EHR system, access control, the process of granting or denying requests to obtain information, is proposed as the method for enforcing patient privacy. More specifically, past studies suggested using Role-Based Access Control (RBAC). In RBAC, rather than giving all practitioners full control over the EHR, different degrees of access are granted to different people based on pre-defined roles; system administrators define each role and the access it carries. However, other studies have argued that such systems are impractical: even with a minimum-access requirement, the complexity of real-world health care systems makes defining the role constraints impractical.

Others propose a more patient-centric approach. One of the studies developed a system called Patient Controlled Encryption (PCE). In the PCE model, patients generate personal encryption keys, kept on mobile devices or cryptographic tokens, and their medical data is stored encrypted under those keys. In the event of a data breach, patient privacy is protected because the intruders lack access to the encryption keys. Patients can generate sub-keys to grant specific personnel access to particular health records. This approach is criticized for the time and overhead of requesting access from each patient, which could have grave consequences during an emergency. Some studies suggest combining both systems with a prior access delegation mechanism to mitigate these risks: during an emergency, doctors could obtain an encryption key from family members. This model ensures timely access to data while also protecting patient privacy.
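The following added example (not code from the paper or from the PCE study) sketches the key hierarchy the PCE model describes: a patient-held master key, per-category sub-keys derived from it, records encrypted under those sub-keys, and a pre-shared emergency bundle for family members. The record cipher here is a stand-in built from HMAC so the script runs with the standard library alone; a real deployment would use an authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import os

# Key hierarchy: the patient's master key never leaves their token; each record
# category gets its own sub-key so access can be granted one category at a time.
def derive_subkey(parent: bytes, label: str) -> bytes:
    """HMAC-SHA256 used as a PRF: child key = HMAC(parent, label)."""
    return hmac.new(parent, b"pce:" + label.encode(), hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC in counter mode as a stand-in cipher (assumption: AES-GCM in practice).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt_record(subkey: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under separate keys split from the category sub-key."""
    nonce = os.urandom(16)
    ks = _keystream(derive_subkey(subkey, "enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(derive_subkey(subkey, "mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_record(subkey: bytes, blob: bytes):
    """Return the plaintext, or None if the key is wrong or the record was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(derive_subkey(subkey, "mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong sub-key (e.g. lab key used on psychiatry notes) or tampering
    ks = _keystream(derive_subkey(subkey, "enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

def build_store(master: bytes, records: dict) -> dict:
    """Constructed patient data: each category encrypted under its own sub-key."""
    return {cat: encrypt_record(derive_subkey(master, cat), data)
            for cat, data in records.items()}

def emergency_bundle(master: bytes, categories: list) -> dict:
    """Sub-keys handed to a family member in advance (prior access delegation)."""
    return {cat: derive_subkey(master, cat) for cat in categories}

if __name__ == "__main__":
    master = os.urandom(32)  # constructed: lives only on the patient's token
    store = build_store(master, {"lab": b"HbA1c 6.1%", "psych": b"session notes"})
    lab_key = derive_subkey(master, "lab")  # granted to the lab clinician only
    print(decrypt_record(lab_key, store["lab"]), decrypt_record(lab_key, store["psych"]))
```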

What to encrypt

Beyond the debate about ownership, encryption is generally accepted as a method to strengthen the privacy and security of medical information. But determining what should be encrypted is a more difficult question. Given the variety and size of digital medical files, encrypting everything may be practically infeasible. Current common encryption methods rely on Public Key Infrastructure (PKI). PKI verifies that the sender of information is who he or she claims to be. Public keys in a PKI system are unique identifiers, and PKI requires the use of these identifiers to transfer information. However, the practice of using a unique identifier to protect security violates privacy.

One alternative solution is Pseudonymization of Information for Privacy in e-Health (PIPE). Instead of encrypting the medical data itself, PIPE transforms an identification tag, which disassociates the patient's name from their data, and uses a secret key stored on a smartcard to grant or revoke access. PIPE enables academic use of medical data while rendering it useless to private firms for marketing or price discrimination purposes.

Privacy and security must be built into new EHR systems for consumers to accept them, whereas current systems involve tradeoffs between privacy and security. Future research should investigate schemes that incorporate privacy, security, and accountability, with considerations to data ownership, management and encryption.

Yikun Chi contributed to this post.