
The Four Building Blocks of Security

There can be no doubt that the health care system as it exists today in the United States has some severe problems. Many of these problems are aggravated by the manner in which information is typically managed. Paradoxically, this mismanagement has contributed to protecting the integrity and privacy of medical records by making the information difficult to retrieve and use. As we enter the age of computerized medical information, this situation will change dramatically, and threats to individual privacy and health will become more serious unless systems are designed and managed intelligently. It is therefore important that during the design of such systems, we give an appropriate level of attention to these security issues, and carry out some careful planning for the future.

There are four key components required for the protection of computerized medical information. They are:

Technology
A wide range of technologies exist that can be used to protect medical information from improper use, dissemination, or modification. This will be the major topic of discussion in the paper. I will attempt to describe how technologies currently work, some current trends, and how I expect them to evolve in the future. Briefly, I expect a lot of money to be wasted on "closed systems" that are later discarded in favor of systems that adhere to open, non-proprietary standards.
Legislation
When automobiles were first invented, they represented very little physical threat to humans because they were rare and the threats were very small. As automobiles became woven into the fabric of our society, so too did the threats, including pollution and threats to our personal safety. Legislation was drafted to regulate their use in order to protect society from autos. As our society becomes more dependent upon information, so too will we be vulnerable to threats from the abuse of information, and it is natural to expect some legislation and regulation of its use in order to protect society against this abuse. This was the basis for the enactment of the Privacy Act of 1974, which governs how government must protect information that it holds about individuals. It is time to revisit the rights of the individual regarding the use of information about them by other parties. An obvious place to start is with medical information.
Institutional Policies
Technology alone cannot protect against abuse of information, since it is only a tool to enable proper handling of information. Legislation cannot and should not regulate every aspect of how information is treated. These gaps can be filled by crafting appropriate institutional policies to govern the use of technology and accomplish the broad guidelines established by legislation. On the other hand, if institutional policies alone are relied upon without legislation, then it will remain tempting for institutions to use very weak protections, particularly if stronger protections require them to invest time or money (just as physical security against crime and invasion is not free, neither is security against invasions of our privacy). If institutional policies are used without appropriate technology, then the policies can be broken too easily. It should be mentioned that ongoing system administration of these policies will be required for effective use. Standards such as the ASTM 31.20 authentication standard should play an important role in forming such policies.
Education and training
When appropriate technologies, legislation, and policies are put in place, users must still become informed of the proper use of technologies as well as their responsibilities. This will be an ongoing activity within each organization, particularly as new technology is added to enhance the capabilities of the system and new users enter the system.

If any one of these is neglected, then the others are likely to have too many demands placed on them to succeed. My own background is in the technology side of things, and much more information will be given later about this.

Kevin S. McCurley
Sat Mar 11 16:00:15 MST 1995