Overview of Health Care Security and Confidentiality Standards Development Efforts and Status - January 1997
Standards Development Organizations (SDOs) and governmental entities in the United States, Europe, Japan, Singapore, Australia, and New Zealand are currently developing standards to insure the security, confidentiality, and privacy of health care data as it resides in systems or as it is being passed in message transactions between systems. The focus of these groups is to develop security policies and procedures related to threats to system security and also to define security services. Threats to system security include disclosure, deception, disruption, and usurpation. Security services include authentication, confidentiality, integrity, availability, authenticity, authorization, non-repudiation, security administration, audit and digital signatures.
Health care specific security efforts have primarily focused on the utilization of security technologies from the general computer industry, adopting existing technologies, and providing further definition and clarification only in regard to specific domains and attributes that are unique to health care. In analyzing threat, security services, and confidentiality in the health care environment, there are only five key areas where health care security differs somewhat in analysis, definition, or requirements outside of existing non-health care specific security technologies:
- Health care documents can have multiple signatures and have specific signature rules defined by user role;
- Health care is a domain where a common framework for interoperability requires a greater degree of uniformity over access control (confidentiality) than most other domains;
- Auditing in health care serves a legal as well as a security function.
- Threats to privacy and confidentiality in health care are primarily from inside the domain ("insider threat" is greater than 75 to 80% of risk in health care), rather than from outside the domain.
- Security, privacy and confidentiality of existing records (essentially paper records) is provided by a generally uniform, across state, and informal set of ethics of professional practice among the associated health care professions.
In addressing these health care specific "exceptions" the following steps are underway, or require action:
a) In setting standards for digital signatures in the health care domain additional signature attributes to support multiple signatures and signature rules are being defined;
b)Comprehensive adoption of security standards in health care, not piecemeal implementation, is advocated to provide security to data that is excahnged between health care entities;
c)Audit and audit trail data (so called, "derivative data" from direct data access, and system use) needs to be considered in the legal establishment of privacy and access rights under privacy legislation;
d)Again, in addressing threat, as under (b) above, a comprehensive implementation of security standards across a domain or system is important, as a piecemeal approach, such as the implementation of point-to-point security alone (message-based security), will not provide privacy and confidentiality protection from insider threat within a domain;
e)Confidentiality policy, as well as access control and authorization policies are an essential part of secure systems. Their establishment is being addressed within the framework of security standards efforts through the direct participation of health care specialty representatives composed of clinical health care professional organizations and societies, medical records professionals, health care transcription professionals, regulatory organizations, government agencies, the JCAHO and NCQA, insurance providers and health plans, and health care information system vendors and consultants.
Even taking into account the above issues, health care security standards efforts are perhaps best analyzed and reviewed in relation to a general system security framework, not essentially oriented to health care, as follows:
a) Identification and Authentication
b)Authorization and Access Control (Confidentiality)
c)Accountability (Non-Repudiation and Auditing)
d)Integrity and Availability
e)Security of Communication
By definition, if a system, or communications between two systems (such as health care transactions), where implemented with technology(s) meeting standards in each of the categories of this framework, that system would be essentially secure. This is an important distinction in that no single SDO is addressing all aspects of health care information security and confidentiality, and specifically, no single SDO is developing standards that cover every category of this framework. Cooperation between SDOs developing health care security standards, coordinated in the US through ANSI HISB, and between ANSI HISB and CEN TC251 regarding European standards efforts, is very active at this time, in an attempt to end up with a comprehensive standards framework to match the security framework outlined above. Please note that there is security standards work underway in each category of the framework above that should be completed by the middle to end of 1997, providing, when taken together, a complete set of standards for security in the health care domain.
The most comprehensive health care security standards development is currently being carried out by CEN TC251 in Europe and by the ASTM E31 in the United States. The American Standards Committee (ASC X12), Health Level 7 (HL7), and ACR NEMA / DICOM are currently involved in the development of standards for secure transmission of data and transactions. Health care organizations that are not accredited SDOs, such as the Computer-based Patient Record Institute (CPRI) and CORBAmed are active in assisting and promoting the standards development process through their participation in ANSI HISB and through the development of policy within documents (CPRI) and standards certification by (CORBAmed).
What follows is an overview of work being done by SDOs and other entities in the United States and Europe (in alphabetic order, by organization):