Security by Design for eHealth

How secure is your home, your car, your office? Do you use a double-bolt lock or have bars on your windows? How about internal alarms?

For the most part your answer to these questions depends on where you live and the value of your possessions. At the very least you have locks on your door, but you may leave the door unlocked from time to time. This is risky, yet unlikely to result in major loss. If you do it too often and become lax about your home security, you give a thief an opportunity and put your possessions at risk.

[Image: Bank Vault]

The level of security and privacy you need depends on your risk tolerance, which in turn relates to the value of what you are protecting and your personal appetite for risk. When it comes to our personal health information, the value of which is debatable, the required security can vary. Critical details about us, and identifying information that can be used to obtain fraudulent documents or prescriptions, must be treated with great care and the highest level of security. Our less personal details are unlikely to be used to gain access to our money or take possession of our personal goods; these pieces of data are less important. While you may need the security of Fort Knox to protect critical data, a simple lock and key is all that is needed for other, less critical details.

How do you secure the data in your health information? Data that is stored must be encrypted with restricted access; when viewed it must only be displayed to a verified user with the correct permissions. Even with high-level security it is impossible to prevent a wandering eye on a screen. Early in our development of health information access, the question of security and privacy always came up, usually asked by doctors and nurses who raised this objection as a means to slow adoption. My quick response to questions on the security of electronic data was to point out that fax machines in the hallway currently had patient data displayed, that behind the nurses' station a whiteboard with patient names and other identifying data was displayed for anyone visiting the unit, and that carts of patient charts were routinely rolled around the hospital and these paper folders were routinely left unattended. Electronic health information systems are much more secure than paper and other non-electronic means. When records are electronic you can get access to your data much more easily than with paper folders locked in a doctor's cabinet or in the basement of the hospital health records department.

[Image: clarityhealthjournalhome.png]

Ideally we would want full control of and access to all our own health information, and be confident that it is not being misused or shared without consent. We currently don't have that control. We rely on our doctors, our hospitals and government agencies to maintain and control access to our health information. In the province of Ontario and many other jurisdictions, individuals have the right to access, and to control permission to, all their health information. Of course, the practicality of receiving all this information from a hospital or doctor's office makes it difficult. How would we get the paper forms and input them ourselves into our own health application? If records were electronic, patients would have a better opportunity to access and control permission to their own information.

We need to ensure that proper precautions are being taken to store our information. To secure our health information, the personal identifying data must be encrypted and viewable only through verified access. While a user name and password is relatively simple, there are better ways to ensure privacy and security. A smartcard with proper token identification would be a strong method of securing access.

The NEXUS system is used by the US, Mexico and Canada for "trusted travelers". The program issues a card that uses several layers of security. First a person registers online and a user name and password are issued; then a face-to-face interview is conducted and documents are verified (passport, driver's license, etc.); a photo ID is made and a retina scan is taken along with other details; then a card with an RFID chip is issued. When entering the country, rather than wait in a lineup, the "trusted traveler" takes the NEXUS card out of its RFID-blocking sleeve and uses it at a self-serve kiosk. The traveler stands in front of a device that takes a retina scan, which is compared to the one on file; the proximity of the card is all that is required to match the individual to the online file. No swiping or entering of a card number or PIN is needed. The system verifies who you are by something you are carrying (the card) and a physical attribute: your retina scan. The process is quick and easy. The difficult part was in the verification and issuing of the card.

In Ontario the government issues an OHIP (Ontario Health Insurance Plan) card that is used for payment of services. Many individuals still have the old "red and white" card, which is simply an embossed plastic card with only a 10-digit number on it.

[Image: OHIP Card]

Individuals refuse to part with this because the newer cards contain a "version code" and have an expiry date. Neither of these has embedded security, although the newer cards have a photo and a magnetic stripe that contains some personal identifying information that can be read by swipe machines. Other provinces and territories in Canada also issue health cards to citizens; because of our universal health care and the Canada Health Act, a citizen could receive care in Ontario using their Alberta health card. Except for the layout and a check-digit calculation, most systems in hospitals and clinics don't verify health cards. It is unlikely that a fraudulent card would be detected or rejected until well after services have been provided. In the past it was known that some individuals would use the old "red and white" card to obtain services for family members who were not eligible for OHIP, but this type of abuse is minimal. Replacing all cards with a common standard and using a smartcard token or RFID would be beneficial for all healthcare providers and consumers.

To create a secure and private electronic health application, one could use the credit card and banking industry model. A credit card is issued by a specific institution: the first group of digits uniquely identifies the bank and card issuer, and the remaining digits form a unique number associated with the individual. The card also has security features such as a check-digit algorithm and a security code. Other features such as holograms, photos, smartcard chips and magnetic stripes can all be implemented on cards. The ability to add RFID would further enhance such an access verification tool.
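The two card features the post leans on, a check digit that catches transcription errors and an issuer prefix that says who stands behind the number, look like this in code. This is an added example, not code from the post or from any card issuer; the issuer table and the sample numbers are constructed for illustration, and the check digit is the Luhn (mod-10) algorithm that payment cards use. The `validate_card` function also encodes the caveat the post makes about health cards: a passing checksum proves only that the number was typed correctly, not that the card is genuine.

```python
# Added example (not from the original post): check-digit validation and
# issuer-prefix lookup for a card-style identifier, as used by credit cards.
# Issuer prefixes and sample numbers below are constructed for illustration.


def luhn_check_digit(payload: str) -> str:
    """Compute the Luhn (mod-10) check digit for a string of digits."""
    total = 0
    # Walk from the right: the digit nearest the check position is doubled,
    # the next is taken as-is, and so on. Doubled digits above 9 lose 9.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the last digit is the correct Luhn check digit for the rest."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) < 2:
        return False
    return luhn_check_digit(digits[:-1]) == digits[-1]


# Constructed issuer table: prefix -> issuer name (hypothetical values).
ISSUERS = {
    "45": "Example Bank A (constructed)",
    "79": "Example Bank B (constructed)",
}


def issuer_for(number: str, issuers: dict = ISSUERS):
    """Return the issuer whose prefix matches (longest prefix wins), or None."""
    digits = "".join(ch for ch in number if ch.isdigit())
    for prefix in sorted(issuers, key=len, reverse=True):
        if digits.startswith(prefix):
            return issuers[prefix]
    return None


def validate_card(number: str, issuers: dict = ISSUERS) -> str:
    """Classify a card number: 'invalid_checksum', 'unknown_issuer' or 'ok'.

    A passing checksum only shows the number was transcribed correctly; it
    says nothing about whether the card is genuine. Establishing that needs
    the issuer (or a token on the card itself), which is the post's point.
    """
    if not luhn_valid(number):
        return "invalid_checksum"
    if issuer_for(number, issuers) is None:
        return "unknown_issuer"
    return "ok"


if __name__ == "__main__":
    for sample in ("7992 7398 713", "7992 7398 718", "1234 5678 1234 5670"):
        print(sample, "->", validate_card(sample))
```

Luhn catches every single-digit error and every adjacent transposition except 09/90, which is exactly what a clinic's intake system gets from the "layout and check-digit calculation" the post describes, and nothing more.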

Each card would be associated with an individual. With this model a card can also have sub-accounts, so that a parent can access records for a child or another family member who has granted them access. This would be useful for better service tracking. Take for example a child whose parents are divorced: each parent can have the child added to their card so that access to care is unencumbered when the child is with the other parent. This is also useful for family members such as elderly parents. The card has the ability to be a security key into an electronic health application. It isn't the only consideration, but it is a good start.

eHealth Application Design

The concept of a personal health information application is compelling. As individuals we want our health information accessible by our doctor, pharmacists and other care providers when needed. We also want security and privacy when the information is not being used.

Today your doctor maintains a file folder with your health information in their office. If your doctor is like 80% of doctors today, they keep your records in paper form. If you go to see another doctor, that doctor knows your history only if information is communicated from one physician to the other, usually by phone, doctor to doctor or nurse to nurse, or even by fax.

Should you be hospitalized, the facility will start another file folder for your data. Your family doctor may be notified, but unless they have privileges at the hospital they are unlikely to participate in your care there. And it is unusual for your family doctor's files to be transferred to or shared with the hospital staff.

[Image: Health Information Gap]

Pharmacies will fill prescriptions received from your doctor or from any legitimate board-certified doctor. Because you can take a prescription to any pharmacy, it is unlikely that any one pharmacy has a record of all your medications. Since you get prescriptions from your family doctor, a specialist or a hospital physician, it is unlikely that any one of these sources has a complete history of your prescriptions or medications. If you use over-the-counter products, alternative remedies or vitamins, it is unlikely that anyone will review these as part of your health information.

How can we communicate our health concerns or issues effectively and reliably, even when we can speak for ourselves? Ideally we want the care provider to have all the information they need; we don't want them to be guessing. The best way to provide your doctor with all they need is to bring it yourself and have it available for them right then and there.

There are many paper-based personal health journals that you can buy. These are notebooks sectioned off into categories covering your conditions, medication, daily diet and activities. For people with ongoing or chronic conditions like diabetes, these notebooks may have specific sections for glucose levels and lab tests related to the disease.

[Image: Patient Centric]

Today’s technology allows you to access your money anywhere in the world through bank machines. You can share photos of your vacation instantly with family members and friends around the world. Web technology and the global infrastructure it is based on allow us to access information from reliable and unreliable sources alike. We also walk around with technology on smart phones that is more sophisticated than the business computers of 10-15 years ago that were tethered to our desks.

The ideal of having secure, private health information available anywhere in the world is not just theoretically possible; it is technically feasible.

[Image: Synchronized Health Information]

To begin, we need to secure data both at rest and in motion. The latter is the simpler problem: using SSL (Secure Sockets Layer) and encrypted end-to-end transmission of data, we can prevent interception and misappropriation of personal data. For data being stored, we can encrypt the personal data using strong cryptography. While it is recognized that there is no perfect solution for encrypting data, there are techniques that make the theft and decryption of this personal data uneconomical for hackers. After all, how important is it to be able to determine a specific individual's ailment? What needs to be secured are the personal identifying details that could be used for identity theft.

Two security levels must be considered: physical security and access security. Physical security can be addressed by the location of the database. Are the physical machines that store the data in a safe place? And if the machines are physically compromised by someone entering the datacenter and taking a machine, will the information still be safe? Therefore the means to decrypt the data and the actual physical files cannot be kept together. This way multiple sources need to be compromised to unlock the information. Think of this like a safety deposit box that needs two unrelated people's keys to open; if you only have one, it is still not possible to break into the box. The same principle applies to access security.
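The two ideas in the last two paragraphs, encrypting only the identifying details of a record and keeping the decryption key apart from the stored files so that two unrelated parties are needed to open it, can be put together in a short piece of code. This is an added example, not code from the post or from any eHealth product. It splits the record key into two XOR shares (one for the data store, one for a separate escrow), encrypts the personal identifying fields of a record and leaves the clinical fields readable, and refuses to decrypt when only one share is presented. The cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag, chosen so the example runs on the standard library alone; a production system would use AES-GCM and a key-management service, and the patient record is constructed sample data.

```python
# Added example (not from the original post): split-key custody plus
# field-level encryption of a health record. Stdlib only; the HMAC-based
# stream cipher stands in for AES-GCM. Sample record values are constructed.
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def generate_key() -> bytes:
    return secrets.token_bytes(32)


def split_key(key: bytes) -> tuple:
    """XOR secret sharing: share_a is random, share_b = key XOR share_a.
    Either share alone carries no information about the key."""
    share_a = secrets.token_bytes(len(key))
    share_b = bytes(k ^ a for k, a in zip(key, share_a))
    return share_a, share_b


def combine_key(share_a: bytes, share_b: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def _subkeys(key: bytes) -> tuple:
    # Separate keys for confidentiality and for integrity, derived with HMAC.
    return (hmac.new(key, b"encrypt", hashlib.sha256).digest(),
            hmac.new(key, b"authenticate", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode as a PRF-based keystream; the nonce must not repeat.
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt_field(key: bytes, plaintext: str) -> str:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    data = plaintext.encode()
    ct = bytes(p ^ k for p, k in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return (nonce + ct + tag).hex()


def decrypt_field(key: bytes, blob: str) -> str:
    raw = bytes.fromhex(blob)
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    # Verify before decrypting; a wrong key or an altered record fails here.
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()


# Fields that identify a person; everything else is stored in the clear.
PII_FIELDS = ("name", "health_card", "date_of_birth")


def protect_record(record: dict, key: bytes) -> dict:
    return {f: encrypt_field(key, v) if f in PII_FIELDS else v for f, v in record.items()}


def unprotect_record(record: dict, key: bytes) -> dict:
    return {f: decrypt_field(key, v) if f in PII_FIELDS else v for f, v in record.items()}


# Constructed sample record (not a real person or a real card number).
SAMPLE_RECORD = {
    "name": "Example Patient",
    "health_card": "0000-000-000-XX",
    "date_of_birth": "1970-01-01",
    "condition": "type 2 diabetes",
    "medication": "metformin 500 mg",
}


if __name__ == "__main__":
    key = generate_key()
    store_share, escrow_share = split_key(key)   # held by two unrelated parties
    stored = protect_record(SAMPLE_RECORD, key)  # PII fields become ciphertext
    print(stored)
    print(unprotect_record(stored, combine_key(store_share, escrow_share)))
```

The stored record keeps `condition` and `medication` readable, which matches the post's argument that an ailment on its own is of little use to a thief while the identifying fields are what must be locked up. Someone who walks off with the database server gets one share at most, and the authentication tag turns a wrong or partial key into a clean failure rather than garbage that might be mistaken for data.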

Permission to access the data can be secured by user ID and password, but this is only a minimum. User names and passwords are often simple, and people tend to use the same user name and password on several applications for ease of recall. Strong passwords are easy to create, but few people follow the basics of how to establish a password; even more critical is that many users don't change their passwords frequently. There are techniques to force strong passwords, to expire passwords at regular intervals and to improve user access.
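The three techniques named here, forcing strong passwords, never storing the password itself, and expiring credentials on a schedule, fit in a few functions. This is an added example, not code from the post; the common-password list and the 90-day limit are constructed values. Passwords are hashed with salted scrypt so a copied user table cannot be reversed cheaply, and comparison is constant-time. One caveat from current practice: NIST SP 800-63B recommends against routine forced rotation and in favour of changing a password when there is evidence of compromise; the age check is included because the post lists expiry as a technique, and the `MAX_AGE` value is where a deployment would make that policy choice.

```python
# Added example (not from the original post): password policy, salted scrypt
# storage and an expiry check. The common-password list and 90-day limit are
# constructed values chosen for illustration.
import hashlib
import hmac
import secrets
import string
from datetime import datetime, timedelta, timezone

MIN_LENGTH = 12
MAX_AGE = timedelta(days=90)
COMMON_PASSWORDS = {"password", "password123", "qwerty123456", "letmein12345"}

# Fixed reference time so the expiry logic can be exercised deterministically.
EPOCH = datetime(2024, 1, 1, tzinfo=timezone.utc)


def days_after(n: int) -> datetime:
    return EPOCH + timedelta(days=n)


def password_policy_errors(password: str) -> list:
    """Return the policy rules a candidate password breaks (empty = accepted)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("shorter than %d characters" % MIN_LENGTH)
    classes = (any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(c in string.punctuation for c in password))
    if sum(classes) < 3:
        errors.append("fewer than three character classes")
    if password.lower() in COMMON_PASSWORDS:
        errors.append("on the common-password list")
    return errors


def _scrypt(password: str, salt: bytes) -> bytes:
    # Memory-hard KDF; parameters make offline guessing slow per attempt.
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def hash_password(password: str, set_at: datetime) -> dict:
    """Build the credential record to store: salt, hash and when it was set.
    The password itself is never written anywhere."""
    salt = secrets.token_bytes(16)
    return {"salt": salt.hex(),
            "hash": _scrypt(password, salt).hex(),
            "set_at": set_at.isoformat()}


def verify_password(password: str, record: dict, now: datetime) -> str:
    """Return 'ok', 'bad_password' or 'expired'."""
    candidate = _scrypt(password, bytes.fromhex(record["salt"]))
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(candidate, bytes.fromhex(record["hash"])):
        return "bad_password"
    if now - datetime.fromisoformat(record["set_at"]) > MAX_AGE:
        return "expired"
    return "ok"


if __name__ == "__main__":
    print(password_policy_errors("password"))
    rec = hash_password("Correct-Horse-42", EPOCH)
    print(verify_password("Correct-Horse-42", rec, days_after(30)))
    print(verify_password("Correct-Horse-42", rec, days_after(120)))
```

`verify_password` checks the hash before the age so that an expired account still rejects a wrong password with the same response as a live one; an "expired" answer therefore confirms nothing to someone who does not already know the password.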

To return to the banking example: when accessing your money online you use a physical card and a secret PIN. When using online banking without a card reader device, you log in with the card number as well as, potentially, a security code that is physically printed on the card. Can a similar method be used for health care systems?
