Educating the Medical Community about Medical Information Security
by M. E. Kabay, PhD, CISSP
Director of Education, ICSA
Copyright © 1998 International Computer Security Association. All rights reserved.
Security in the Medical Context
In today's rapidly changing world
of health maintenance organizations, telemedicine, computerized patient
records, close linkages between medical-care delivery and insurance companies,
security of medical information is growing in complexity and importance.
Multidisciplinary teams take care of an aging population; litigation is
at an all-time high in the United States; and governments, professional
bodies and accreditation organizations all concur that the security of
patient information -- and even of information about care-givers -- must
be safeguarded. Medical informatics -- the high-tech handling of medical
information -- has become a challenging new specialty of information-technology
management.
This White Paper summarizes some of the key issues of medical information security and is intended to spark discussion and generate comments for improvement. On behalf of the ICSA Medical Information Security Consortium, I solicit your suggestions; please contact the author at mkabay@icsa.net by e-mail or send your Consortium Manager, Steve Reutter, faxes and paper mail at ICSA Headquarters in Carlisle, PA.
The International Computer Security Association
(ICSA) was the National Computer Security Association (NCSA) from
1989 to 1997. The name changed on January 1, 1998 to reflect our growing
international business.
"Data security ... [involves] the protection of information
from unauthorized or accidental modification, destruction and disclosure."
Another classic triad names confidentiality, integrity
and availability. Donn B. Parker, a respected author, teacher and thinker
in the security field and formerly a principal in the SRI high-tech consultancy,
has added to this triad the concepts of possession, authenticity and utility.
These six fundamental and irreducible components of information security
are sometimes called the Parkerian Hexad.
Information is protected by caring for its form, content and storage
medium.
Unauthorized means forbidden or undocumented. The very concept
of authorization implies classification: there must be some definition
of which data are to be protected and at what level.
Accidents account for a major proportion of data damage. Accidents
are due mostly to ignorance or to carelessness. Management must either
hire well trained, knowledgeable staff or provide appropriate on-the-job
training. In either case, part of the task facing all managers is to create,
maintain and enhance motivation to do a good job. These basic management
issues profoundly affect enterprise security.
Modification means changes of any kind. The ultimate modification
is destruction. However, you can usually spot destruction fairly
easily. With adequate backup copies, data can be restored quickly. A more
serious problem is small but significant changes in data. The work required
to find the changes is often a greater problem than the changes themselves.
Computer viruses that wipe a hard disk identify themselves at once and
can be removed quickly. Viruses that make small random changes can persist
for months, ruin the integrity of backups, and end up costing the victim
more than the virulent disk destroyers.
Disclosure means allowing unauthorized people to see or use data.
Again, this word implies the need for a system of data classification.
Who can see which data and when? This is a particularly important issue
for medical informatics.
Confidentiality is a wider concept than disclosure. For example,
certain files may be confidential; the data owner may impose operating
system controls to restrict access to the data in the files. Nevertheless,
it may be possible for an unauthorized person to see the names of these
files or find out how often they are accessed. Changing a file's security
status may be a breach of confidentiality. Copying data from a secure file
to an unsecured file is a breach of confidentiality. When a supervisor
at a Florida clinic stole the list of HIV+ patients and used it to tell
people in bars whether to go out with individuals based on their status,
he committed a breach of confidentiality. Another confidentiality issue
is the growing concern over sharing medical information with insurance
companies and health-maintenance organizations.
Possession means control over information. When thieves copy
proprietary software without authorization, they are breaching the owner's
possession of the software. When two security guards at a different Florida
clinic stole a pair of PCs containing the names and addresses of 4,000
people registered as HIV+, they caused a breach of possession; in fact,
they never did breach confidentiality because they reformatted the hard
drives without looking at the contents.
Integrity refers to internal consistency. A database is termed
structurally corrupt when its internal pointers or indexes no longer correspond
to the actual records they point to. For example, if the next record in
a group is in position 123 but the index pointer refers to position 234,
the structure lacks integrity. Surreptitiously using a disk editor to bypass
security and alter pointers in such a data structure would impair integrity
even if all the data records were left intact. Logical corruption occurs
when data are inconsistent with each other or with system constraints.
For example, if the summary field in a patient record claims that the
patient has been under treatment for 20 days when the individual treatment
records clearly show a total of only 5 days, the data structure is logically
corrupt; it lacks integrity.
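Both kinds of corruption just described can be detected mechanically, which is what database consistency utilities and clinical applications that validate records at import time actually do. The following Python script is an added illustration, not code from the original paper or from any ICSA product. It builds a constructed toy record store (treatment records keyed by storage position, an index of pointers per patient, and a per-patient summary field), then runs a structural check (every index pointer lands on an existing record that belongs to the right patient) and a logical check (the summary's day count equals the sum of the individual records). The record layout, patient identifiers, positions and day counts are all invented for the example; the tampering helper reproduces the disk-editor attack on pointers that the text mentions.

```python
"""Structural vs. logical integrity checks on a toy patient record store.

Added example; the data layout below is constructed for illustration only.
"""
from copy import deepcopy

# Treatment records stored by "position" (think: record number on disk).
TREATMENTS = {
    123: {"patient": "P-001", "days": 2},
    124: {"patient": "P-001", "days": 3},
    125: {"patient": "P-002", "days": 4},
}

# Index: patient -> positions of that patient's treatment records.
INDEX = {"P-001": [123, 124], "P-002": [125]}

# Summary field per patient. P-001 claims 20 days although its records total 5,
# which reproduces the logical corruption described in the text.
SUMMARIES = {
    "P-001": {"days_under_treatment": 20},
    "P-002": {"days_under_treatment": 4},
}


def check_structural(index, treatments):
    """Return (patient, position, reason) for every index pointer that does not
    land on an existing record belonging to that patient."""
    problems = []
    for patient, positions in index.items():
        for pos in positions:
            rec = treatments.get(pos)
            if rec is None:
                problems.append((patient, pos, "dangling pointer: no record at position"))
            elif rec["patient"] != patient:
                problems.append((patient, pos, f"record belongs to {rec['patient']}"))
    return problems


def check_logical(index, treatments, summaries):
    """Return (patient, claimed_days, actual_days) for every summary whose day
    count disagrees with the sum of the patient's individual treatment records.
    Pointers that fail the structural check are ignored rather than counted."""
    problems = []
    for patient, summary in summaries.items():
        actual = sum(
            treatments[pos]["days"]
            for pos in index.get(patient, [])
            if pos in treatments and treatments[pos]["patient"] == patient
        )
        claimed = summary["days_under_treatment"]
        if claimed != actual:
            problems.append((patient, claimed, actual))
    return problems


def tamper_pointer(index, patient, old_pos, new_pos):
    """Simulate the disk-editor attack from the text: rewrite one index pointer
    without touching any data record. Returns a modified copy of the index."""
    tampered = deepcopy(index)
    positions = tampered[patient]
    positions[positions.index(old_pos)] = new_pos
    return tampered


if __name__ == "__main__":
    print("structural:", check_structural(INDEX, TREATMENTS))
    print("logical:   ", check_logical(INDEX, TREATMENTS, SUMMARIES))
    bad_index = tamper_pointer(INDEX, "P-001", 123, 234)
    print("after tampering, structural:", check_structural(bad_index, TREATMENTS))
    print("after tampering, logical:   ", check_logical(bad_index, TREATMENTS, SUMMARIES))
```

On the untouched store the structural check passes while the logical check flags P-001 (claimed 20 days, records total 5). After the pointer at position 123 is rewritten to 234, the structural check reports the dangling pointer even though every data record is intact, and the logical total for P-001 drops further because the unreachable record no longer counts.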
Authenticity refers to correspondence between data and what the
data represent. For example, if a field is supposed to contain the ID of
the current treating physician, it should not informally be used to show
the ID of the nurse in charge of the unit. Another example is electronic
mail fraudulently sent in the name of a hospital administrator; the only
breach of security in such a case is loss of authenticity.
Availability means that data can be gotten to; they are accessible
in a timely fashion, convenient, handy. If a server crashes, the data on
its disks are no longer available; but if a mirror disk is at hand, the
data may still be available. When a nurse in the ICU cannot access a patient
record within seconds because the local area network is clogged with traffic
because the medical students are playing interactive games on the network,
the nurse is experiencing a problem in availability. Smart cards have been
proposed to carry large amounts of a patient's recent medical history as
a method of increasing availability of information in an emergency even
if the person is unconscious.
Utility refers to the usefulness of data for specific purposes.
Even if the information is still intact, it may have been transformed into
a less useful form. Parker gives as an example the unauthorized conversion
of monetary values in a database; seeing employees' salaries in foreign
currency reduces the utility of the data. One of my colleagues was called
in to help a firm whose source code had all been encrypted by a departing
programmer. The programmer claimed to have done so to protect his ex-employer's
security, but unfortunately claimed to have forgotten the encryption key.
In a formal sense, the data were authentic, accurate and available--they
just were not useful.
Legal and Professional Requirements for Medical Information Security
Both historical standards of medical ethics and modern legal requirements
impel everyone involved in health care to safeguard the security of medical
records. In the United States, federal regulations explicitly require agents
of the federal government to protect medical confidentiality. State laws
vary in the degree of protection afforded patients. The Joint Commission
on Accreditation of Healthcare Organizations (JCAHO) publishes extensive
guidelines that include sections on information management. Failure to
conform to these minimal standards of information security may lead to
withdrawal of JCAHO accreditation. In addition, civil law in most jurisdictions
permits patients and anyone else affected by failures of information protection
to sue in civil court for redress; individual administrators, physicians,
nurses and other staff may be named in such lawsuits.
Impediments to Medical Information Security
Security experts concur that corporations and government have only partly
succeeded in implementing even modest programs for information security.
However, in my experience in large metropolitan hospitals, I have found
a generally poor level of security even by the meager standards of industry
and commerce. There seem to be relatively few full-time information security
specialists working in the medical field; security awareness programs are
few; and health professionals and medical administrators seem relatively
unconcerned about the issues.
In a case reported in February 1997 from Sheffield, England, a hospital
handed over 50,000 confidential gynecological records to a data processing
firm that hired people off the street and set them to work transcribing
the unprotected data. The scandal resulted in withdrawal of the contract,
but thousands of records were exposed to a wide variety of people with
no background checking to ascertain their reliability.
What accounts for such cavalier attitudes? In the absence of thorough
survey and interview data to study this question, we can only surmise that
several factors contribute to this lackadaisical attitude. The following
sections suggest areas that would benefit from thorough study but that
can reasonably be expected to play a role in determining the behavior of
medical personnel.
The medical environment in clinics and hospitals imposes a responsibility
for rapid response to medical emergencies; in some cases, seconds can make
the difference between life and death. Staff in intensive care units and
the emergency room cannot afford to waste time logging on and off hospital
systems in order to protect confidentiality and integrity.
In addition to the required speed of information access, medical personnel
also have to share systems that are used for many brief sessions; one member
of the treating team may have to use the terminal or workstation for a
minute to enquire about one patient or a lab result, then another person
has to do the same for a different patient.
A typical logon and logoff take at least 30 seconds; if a network is
slow, the wait can extend to over a minute. Few medical personnel could
tolerate the repeated delays caused by their episodic use of their computer
systems. In the aggregate, insisting on such logon/logoff cycles for every
request for every person would add to the already heavy load on overworked
personnel and very likely increase the likelihood of errors in patient
care.
Many of the terminals and workstations in the medical environment are
not protected against unauthorized consultation or even unauthorized modification
of medical and administrative data. Workstations seem to lack screen savers
that would blank the screen after a minute of inactivity; even those that
have screen savers seem to have the password disabled.
There have been cases of unauthorized read-access to patient records
because of such weaknesses in security policies. For example, in one case,
an orderly called an attractive patient at home after her discharge. When
the offended patient demanded to know how the orderly had obtained her
home number, he answered guilelessly that he had looked it up on an unattended
terminal at the nursing station on her floor. In another case, a psychologically
disturbed member of the cleaning staff used an unattended terminal to make
changes to the medications prescribed for several patients, endangering
their welfare.
All I&A (identification and authentication) depends on one or more of the following characteristics:
Passive tokens of this kind usually cost only a few dollars each; the
equipment for writing them may cost a thousand dollars or so, and the readers
usually cost in the hundreds of dollars or less.
In recent years, security specialists have been particularly impressed
by cards containing a microprocessor: the smart cards so useful
in storing patient and other data. Some smart cards serve as password generators;
they create a unique encrypted sequence that depends on the particular
date and time plus the serial number of the particular card. This encrypted
sequence is decrypted by software running on the host computer or network
server and allows unique identification of which card is being used to
generate the unique sequence. No other card can generate the same sequence
at the same time; and the password expires after about a minute or so.
Because each password is useless after its one-minute lifespan, even someone
seeing or intercepting the password finds it impossible to use for unauthorized
entry to the system.
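The time-synchronized password card described above can be shown end to end in code. This is an added example, not part of the original paper and not any vendor's card firmware: the card and the host share a per-card secret; each derives the current password from that secret and the current time step; and the host accepts a presented password only if it matches the current step (or a neighbouring one, to tolerate clock drift) and has not already been accepted once. The paper speaks of an "encrypted sequence"; the example instead uses a keyed hash (HMAC-SHA1 over the time-step counter, the construction later standardized as TOTP in RFC 6238), which is how such tokens are commonly built today and is a substitution on my part. The card serial numbers, secrets, step length, and clock values are all constructed for the example.

```python
"""Time-synchronized one-time passwords: card side and host side.

Added example (not from the original paper). Uses HMAC-SHA1 over a time-step
counter, the TOTP construction of RFC 6238; all secrets and clock values below
are constructed sample values.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 60      # password lifetime, matching "about a minute" in the text
DIGITS = 6             # length of the displayed password
SKEW = 1               # accept one step either side to tolerate clock drift


def password_for_counter(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """Derive the password for one time-step counter (HOTP/TOTP truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def card_display(secret: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """What the card shows at Unix time `now`."""
    return password_for_counter(secret, now // step)


class OtpHost:
    """Host-side verifier holding one secret per card serial number."""

    def __init__(self, cards: dict, step: int = STEP_SECONDS, skew: int = SKEW):
        self.cards = cards          # serial -> secret bytes
        self.step = step
        self.skew = skew
        self.accepted = set()       # (serial, counter) pairs already used once

    def verify(self, serial: str, password: str, now: int) -> bool:
        secret = self.cards.get(serial)
        if secret is None:
            return False            # no such card enrolled
        current = now // self.step
        for counter in range(current - self.skew, current + self.skew + 1):
            expected = password_for_counter(secret, counter)
            if hmac.compare_digest(expected, password):
                if (serial, counter) in self.accepted:
                    return False    # replay within the lifetime
                self.accepted.add((serial, counter))
                return True
        return False                # wrong card, wrong password, or expired


# Constructed sample cards (never use fixed secrets like these in practice).
CARDS = {
    "CARD-0001": bytes(range(20)),
    "CARD-0002": bytes(range(20, 40)),
}


def demo(now: int = 900_000_000) -> dict:
    """Run the scenarios from the text and return each outcome."""
    host = OtpHost(CARDS)
    pw = card_display(CARDS["CARD-0001"], now)
    return {
        "first_use": host.verify("CARD-0001", pw, now),
        "replay_seconds_later": host.verify("CARD-0001", pw, now + 5),
        "other_card_same_time": host.verify("CARD-0002", pw, now),
        "after_expiry": host.verify("CARD-0001", pw, now + 5 * STEP_SECONDS),
        "unknown_card": host.verify("CARD-9999", pw, now),
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario:22s} -> {'accepted' if ok else 'rejected'}")
```

The replay rejection is the part the paper's one-minute lifetime argument relies on but does not spell out: within the acceptance window the same password is still mathematically valid, so the host must also remember which (card, time-step) pairs it has already honoured. Without that set, an observer who shoulder-surfs the display has a full minute (plus the drift allowance) to log on as the card holder.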
Some smart cards are made in the shape of a normal 3.5" diskette; such
devices can be inserted into most workstations and left in place while
the assigned health-care worker does his or her job on the system.
Most of these smart cards cost in the range of a few tens of dollars
up into about a hundred dollars; they usually have a fixed lifespan (due
to the combination of a battery and a case that precludes tampering) of
a few years. Readers cost in the hundreds of dollars (or are standard equipment
on PCs in the case of diskette-shaped smart cards).
Although all these tokens have advantages over normal physical keys,
they all share the same problem from the medical worker's point of view:
they either get read once (which means they can be taken away and the session
they initiate left unattended) or they have to be placed in some sort of
reader while one works -- with potentially disastrous results when the
worker hurriedly gets up and forgets to remove the token. Ripped clothing,
yanked wrists, damaged readers or cards and a spate of blue language usually
follow. The most promising technology of this class is proximity cards,
either using the Wiegand effect or interactions with a smart card. Even
such tokens, however, can be left at the workstation deliberately or by
mistake, again causing difficulties of access control and errors in the
audit trail.
Retinal scans, iris scans, fingerprint recognition, and hand-geometry
readers and signature dynamics recognition all take at most a few seconds
to operate -- perhaps 30 seconds in all. Unfortunately, the equipment for
reading these biometric attributes costs at least hundreds on up to thousands
of dollars per station. Even speech recognition requires specialized equipment
and relatively expensive software.
The same problem interferes with effective application of most biometric
methods in the medical sphere: they are great for establishing I&A
and starting a session, but they don't solve the problem of having the
user disappear and another take his or her place at the open session, thus
fouling up access controls and trashing the audit trail.
There is, however, a particularly promising biometric technology that
has recently been demonstrated at trade shows and implemented in a few
situations: facial recognition. Small cameras in enclosures about 6-8"
high can be positioned at workstations. When the user simply looks at the
mirror, the camera can analyze the face and match special parameters of
the face with stored and encrypted data about the authorized user. With
such a system, it is unnecessary to do anything other than sitting down
at a terminal or workstation in order to gain access to data. It is also
impossible to step away from the workspace without having the camera detect
the departure and lock down the session until the next user appears.
In the medical context, this system would be ideal; there is no interference
with the user -- the system appears to know who you are instantly and provide
access to just the records for which you are authorized. There is no delay
in accessing the information you have a right to see and work with; you
cannot leave the terminal unlocked even for a moment; and the audit trails
are precise and complete.
The only problem is that the current price of this new technology is
about $4,000 per workstation -- more than the cost of the computer itself.
Perhaps as the volume of units goes up, the price will go down. Another
possibility is that cooperation from medical malpractice insurance companies
may help defray the costs of such equipment on the grounds that it could
reduce the actuarial risk of malpractice.
The sense of collegiality may also contribute to disdain for security.
After all, when members of a medical team share crises, joy and pain, weariness
and triumph day after day, why would they think of protecting information
against unauthorized modifications or accidental damage? The sense of trust
naturally extends to trust over handling of patient records.
The unprecedented ease of access to medical records also makes information
security difficult to sell. The computerized medical record is still being
implemented in much of the medical field, and paper charts have been handled
safely for decades without much difficulty; why then should computer-based
records cause such a fuss? The main problem with computerized records is
that they provide faster and more extensive access to data than any manual
system could possibly provide. For example, if paper charts are kept at
a nursing station, it may take minutes to locate the records for any given
patient; on a computer-based system, lookups are a matter of seconds.
Paper records for patients who have moved out of a ward, for example,
are likely to move to archives, where the archivists scrutinize unusual
requests for charts; however, when the records are computerized, it may
easily happen that records remain active or accessible longer than they
used to be.
The density of information storage of today's computers generates another
threat: that large amounts of information can be copied and stolen with
virtually no chance of detection. A single 1.44 MB diskette, for example,
can hold the equivalent of several hundred closely-written pages; a ZIP
disk, with 100 MB on a device the same size as a 3.5" diskette, holds thousands
of pages. A 5 GB DAT cartridge the size of an audiocassette can hold more
information than hundreds of volumes of case reports -- and fit unnoticed
into a shirt pocket or a purse.
In 1980, I worked with 120 MB disk drives capable of holding about the
same as a ZIP cartridge; the removable magnetic disk packs were a foot
high and two feet in diameter (and cost over $1,000). The pace of change
in technology has been so great that it seems likely that many of the people
in the medical field simply are not aware of their increased vulnerability
to data theft and other forms of compromise.
How to Motivate Medical Administrators to Pay Attention to InfoSec
One of the most difficult challenges in medical information security
is convincing upper management to pay attention to the issues described
above. The following sections suggest methods of gaining and keeping management
support for information security.
Find out by discussion with your colleagues which of the senior staff
would be most amenable to your request for a hearing on the matter of information
security. Approach each of these decision-makers simply and sincerely:
tell them you need their help and ask them for their advice and support.
Learn from them who else you should approach individually; ask if you should
mention their name when contacting others. Build a consensus one person
at a time instead of insisting on mass-production techniques.
A good start in getting upper management's attention is to address a
gathering of high-ranking authorities within the organization. If there
is a medical informatics committee in the organization, that would be a
good place to start; otherwise, one could ask for support from the highest
planning committee in the organization.
The first request should be for a modest presentation -- perhaps 30
minutes at most. Begin with a few comments on fundamentals of information
security; include a few case studies from your own organization if possible
or refer to documented cases.
Your preliminary assessment can consist of spending half an hour simply
asking managers in the different sectors of your organization to tell you
about their concerns about security. Use the Parkerian Hexad as a checklist
if you like; it may help stimulate discussion with your colleagues. Remember
to include questions about disaster preparedness. In all interviews, do
not express dismay or horror at the abysmal levels of information security
you may find; this response will not serve to enlist your colleagues' support
in future exercises. Your job right now is to find out what's wrong (and
what's right), not to fix problems.
If someone requests anonymity, grant and respect it. Anonymity is not
appropriate in a thorough analysis among professionals, but it can be justified
for the first pass because there is not enough time to delve into details.
If you have the time, you can also circulate a questionnaire to colleagues
asking them about information security; however, devising a questionnaire
that conveys accurate and complete information is a difficult task. In
my experience, response rates will be low and the quality of responses
will be questionable.
The Big Six consulting firms may be able to help, as can the ICSA. Talk
to other informatics specialists at institutions similar to yours and see
if they know professionals who can help you in an assessment. Determine
approximate costs of an assessment. Typically, assessments will require
at least one week of on-site interviews, and at least twice that in analysis
and report writing. The chronological time span will exceed the time on
site and for analysis because not everyone will be available at the same
time and because there are likely to be followup questions and interviews
to fill in critical sections of the analysis. Expect to pay somewhere in
the $50,000 range and up for a professional analysis of a metropolitan
hospital. Costs will increase as a function of the complexity of data manipulation
and especially if there are many different networks, operating systems
and application programs involved.
Present the preliminary findings in a short presentation to upper management.
Half an hour and 10 slides should be enough to make the main points. Lay
out the budget you need to perform a thorough assessment and describe the
options you have found for performing the assessment. Be prepared to make
a recommendation of the person or group you would prefer to work with.
In each interview, make it clear that the expert is not conducting an
external audit; there is no intention of apportioning blame. Be sure that
all interview data are sent back to the people involved for verification
and correction. Circulate the draft report from your consultant(s) to everyone
involved in the process before submitting the final draft to upper management.
You have to make this a communal effort or you will generate resistance
and hostility instead of interest and cooperation.
Present the assessment report and its detailed recommendations to the
people who authorized the study. Ask for authorization to assign a full-time
staff person to develop and implement policies and procedures for improving
information security in your organization.
How to Develop and Implement InfoSec Policies in the Medical Field
Getting from the assessment report to actual improvements is not so
easy. Expect to see efforts extending over many months of work and involving
all sectors of the organization.
The findings of social psychology have much to teach us about social
cognition (how people form judgements about issues) and effective methods
of enlisting support for a position. See chapter 11 of Kabay (1996) for
further discussion of these issues.
Successful information security policies and procedures have to be integrated
into whole-organization efforts to keep security in the foreground as a
necessary consideration in everything people do. Posters, campaigns, contests,
prizes -- all can play a role in helping to improve security awareness.
Since 1986, Kabay has specialized in consulting and training for systems
performance, systems operations, and systems security. He has written security
columns for Computer World, Network World, Computing Canada, Secure
Computing Magazine, ICSA News, and several other trade magazines. He
teaches courses in Information Security & Ethics, Hot Topics in
Information Technology, Data Communications, Quality Assurance, The
Art of Technical Support and Information Technology Security.
Dr Kabay has published over 170 technical papers and has completed a college
textbook, The ICSA Guide to Enterprise Security, published by McGraw-Hill
in April 1996. He won the Best Paper Award at the 16th National
Computer Security Conference in 1993 for his submission, Social Psychology
and INFOSEC: Psycho-social Factors in the Implementation of Information
Security Policy.
Kabay was the volunteer Director of Education and Chief Sysop for the CompuServe ICSA Forums for the National Computer Security Association from 1991 to 1995 and became full-time Director of Education in June 1995. He received his CISSP designation (Certified Information Systems Security Professional) in January 1997. Dr Kabay particularly enjoys consulting to medical organizations and has a very personal reason for his interest: he is married to Dr Deborah N. Black, Chief of Neurology at the Hôpital Louis Hippolyte Lafontaine, the largest psychiatric institution in the Province of Québec.
For Further Reading
Dick, R. S., E. B. Steen, & D. E. Detmer (1996), eds. The Computer-Based
Patient Record: An Essential Technology for Health Care, Revised Edition.
National Academy Press (Washington, DC). ISBN 0-309-05532-6. 270 pp. Index.
Donaldson, M. S. & K. N. Lohr (1994), eds. Health Data in the
Information Age: Use, Disclosure, and Privacy. Committee on Regional
Health Data Networks, Institute of Medicine. National Academy Press (Washington,
DC). ISBN 0-309-04995-4. 272 pp. Index.
Field, M. J. (1996), ed. Telemedicine: A Guide to Assessing Telecommunications
for Health Care. Committee on Evaluating Clinical Applications of Telemedicine,
Institute of Medicine. National Academy Press (Washington, DC). ISBN 0-309-05531-8.
288 pp. Index.
JCAHO (1996). An Introduction to Management of Information Standards for Health Care Organizations
Order Code: KF-100U. See JCAHO publications catalog on the World Wide
Web <http://www.jcaho.org/pubedmul/publicat/pubcat/cat_frm.htm>.
Kabay, M. E. (1996). The ICSA Guide to Enterprise Security: Protecting
Information Assets. McGraw-Hill (New York). ISBN 0-07-033147-2. xii
+ 388 pp. Index.
OTA (1993). Protecting Privacy in Computerized Medical Information.
U.S. Congress Office of Technology Assessment. U.S. Government Printing
Office #OTA-TCT-576 (Washington, DC). ISBN 0-16-042074-1. viii + 157 pp. Index.
Retrieved from the site http://www.icsa.net/library/research/med.shtml in July 1999.