144
BARROWS, CLAYTON, Privacy, Confidentiality, and Medical Records
involved in a patient’s care, and it is difficult to predict which person in which role will validly need access to a person’s health record at some particular time. Provisions for emergencies, when none of the patient’s usual care team is around, must also be made. Thus, in an EMR setting, prohibition of access by most medical users to most data on most patients is often not practical. For this reason, clinical system pioneers have usually allowed all clinical personnel access to the computerized medical record of all patients in a hospital, and often to the records of patients not in the hospital as well (i.e., records of discharged patients or their ambulatory care, or both).
Improved multilevel and role-based access models for health care that better accommodate user needs are under development.8,12,22,23 A “need-to-show” model (versus the military “need-to-know” multilevel security model) and its supportive technical platform have been proposed, with the specific intention of extending the notion of individual professional accountability for health data to interaction with information systems.29 Such accountability may help discourage information sharing across unauthorized informal human networks, a problem that is difficult to address by technology.
The determination of how much effort should go toward authenticating a person is a matter of institutional policy. User identifiers with password authentication are often employed, but other technical solutions, such as biometric authentication by morphometric hand measurements or voiceprints, system-synchronized random-number generating cards, and passphrase-encrypting smartcards, are more expensive, but they may be more effective alternatives when deemed compatible with policy considerations.
As an example of an approach to access control, the CPMC Clinical Information System (CIS) implements an access-control matrix with one axis representing user roles (attending physicians, residents, medical students, hospital nurses, clinic nurses, various types of technicians, and so forth) and the other axis representing data types (laboratory data, radiology reports, discharge summaries, demographic information, and so forth). We defined 68 user types and six classes of data. Departmental leaders make the determination of access privileges for each user type, subject to the approval of the hospital medical board. Users receive a menu of options specific for their defined access privileges. Login screens remind users that information is limited to legitimate medical purposes and that misuse can lead to dismissal as well as civil and criminal penalties. Access to data on VIPs and hospital employees invokes an additional screen message warning that all user activities are recorded. A similar approach at Boston’s Beth Israel Hospital, along with a system utility that allows users to review the names of persons who have looked at their electronic record, was reported to effectively deter “insider” abuse of system privileges.
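As an added illustration of the matrix approach described above (example code, not the CIS implementation itself), the following Python sketch pairs a small role-by-data-class matrix with a per-record audit log, an extra acknowledgement step for VIP or employee records, and a utility that lists who has looked at a record. The four roles and four data classes are assumed for readability; the CIS defined 68 user types and six data classes.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Access-control matrix: user role -> data classes that role may read.
# Roles and classes are constructed for this example, not the CIS's real tables.
ACCESS_MATRIX = {
    "attending":    {"lab", "radiology", "discharge_summary", "demographics"},
    "resident":     {"lab", "radiology", "discharge_summary", "demographics"},
    "clinic_nurse": {"lab", "demographics"},
    "lab_tech":     {"lab"},
}

@dataclass
class Patient:
    mrn: str
    sensitive: bool = False            # VIP or hospital employee: extra warning screen
    access_log: list = field(default_factory=list)

@dataclass
class Session:
    user: str
    role: str
    acknowledged_sensitive: bool = False   # True once the "activities are recorded" screen is accepted

def menu(role: str) -> list:
    """Users see only the options their defined privileges allow."""
    return sorted(ACCESS_MATRIX.get(role, set()))

def read(session: Session, patient: Patient, data_class: str, record: dict):
    """Return the requested data or raise PermissionError; every attempt is logged."""
    allowed = data_class in ACCESS_MATRIX.get(session.role, set())
    if allowed and patient.sensitive and not session.acknowledged_sensitive:
        allowed, reason = False, "sensitive-record warning not acknowledged"
    else:
        reason = "ok" if allowed else "role not permitted"
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    patient.access_log.append((stamp, session.user, session.role, data_class, reason))
    if not allowed:
        raise PermissionError(reason)
    return record[data_class]

def who_looked(patient: Patient) -> list:
    """Review utility: list every person and role that tried to view this record."""
    return [f"{ts} {user} ({role}) {dc}: {why}"
            for ts, user, role, dc, why in patient.access_log]
```

Denied attempts are logged alongside successful ones, so the review utility shows probing as well as viewing.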
Cryptography
Cryptographic techniques applicable to the goals of privacy, integrity, and access control have not yet been significantly deployed in the health care environment, and experience is needed before establishing that they could provide security solutions compatible with the diversity of health care needs.
As a trivial example of an encryption cipher, the famous Caesar Cipher uses a “shift-by-three” rule, so that every “A” in a message is replaced by a “D,” every “B” by an “E,” and so forth. The algorithm is said to have been used by Julius Caesar to encode communications with his generals via human messengers whom he did not trust. Many more complicated and secure mathematical algorithms for encryption exist. Private-key, or “secret-key,” encryption depends on a number or string of characters that is shared only between the communicating parties and is used by an encryption algorithm to encode and decode the message. The exact encryption algorithm need not be a secret. The best known such encryption algorithm is DES, mentioned above. A main problem with private-key encryption protocols is that communicating parties must somehow securely share and use the “secret” key.
The use of public-key encryption can avoid some of the pitfalls of the need to share a secret key by making use of a mathematical technique that creates an “asymmetrical cryptosystem,” that is, the keys to encode and decode a message are different but intimately linked, so that they are, in effect, functional inverses of each other and can only be used together. In public-key cryptography, one key is published, and the other remains private to a user. To send a secret message, the sender obtains the recipient’s public key and uses it to scramble the message, which the recipient can decode with his or her private key. In addition, the creator of a message or document can “sign” it by encoding a piece or algorithmic “digest” of the document with his or her secret key, so that anyone can then verify the “signature” by decoding it with the signer’s published key.
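To make the two models concrete, here is an added Python example (not from the original article) that implements the Caesar shift-by-three as a shared-secret cipher and a textbook RSA key pair in which the private exponent is the modular inverse of the public one, so that encrypt-with-public/decrypt-with-private and sign-digest-with-private/verify-with-public are literally functional inverses. The primes 61 and 53 and the unpadded scheme are assumptions chosen for readability; they illustrate the relationship between the keys and are not a usable cryptosystem.

```python
import hashlib
from math import gcd

# --- Secret-key model: Caesar "shift-by-three". The shift is the shared secret. ---
def caesar(text: str, shift: int = 3) -> str:
    """Shift each letter by `shift`; decrypting is the same function with -shift."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

# --- Public-key model: textbook RSA with toy primes (constructed for illustration only) ---
def make_keypair(p: int = 61, q: int = 53, e: int = 17):
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)       # d is the inverse of e mod phi: the two keys undo each other
    return (e, n), (d, n)     # (public key, private key)

def encrypt(m: int, public) -> int:
    """Sender scrambles with the recipient's published key (m must be < n)."""
    e, n = public
    return pow(m, e, n)

def decrypt(c: int, private) -> int:
    """Recipient unscrambles with the private key."""
    d, n = private
    return pow(c, d, n)

def digest(doc: bytes, n: int) -> int:
    """Algorithmic digest of the document, reduced so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(doc).digest(), "big") % n

def sign(doc: bytes, private) -> int:
    """Signer encodes the digest with the secret key."""
    d, n = private
    return pow(digest(doc, n), d, n)

def verify(doc: bytes, sig: int, public) -> bool:
    """Anyone decodes the signature with the published key and compares digests."""
    e, n = public
    return pow(sig, e, n) == digest(doc, n)
```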
The New York State Community Health Management Information System (NYSCHMIS) Confidentiality and Data Security Policy says: