Privacy and Health Research. Basic security measures

05/01/1997

Security has many dimensions. The challenge is to keep data sequestered and protect its integrity, but at the same time to keep it accessible for authorized users who have legitimate need to use it.

In its provocative recent report on these issues, For the Record: Protecting Electronic Health Information, a committee of the National Research Council recommended immediate implementation of these technical practices and procedures:115

  • Individual authentication of users
  • Access controls based on legitimate need-to-know
  • Audit trails (maintaining access logs)
  • Physical security and disaster recovery (limiting physical access, carefully storing backup data)
  • Protection of remote access points (controlling external access)
  • Protection of external electronic communications (not sending personally identifiable data over public networks)
  • Software discipline (virus-checking, controlling software installation)
  • System assessment (testing security on an ongoing basis).

The committee also recommended adoption of these organizational practices:

  • Security and confidentiality policies
  • Security and confidentiality committees
  • Information security officers
  • Education and training programs
  • Sanctions
  • Improved authorization forms
  • Patient access to audit logs.

The report discussed all of these, and more advanced future practices, in detail. The committee "believes that adoption of these practices will help organizations meet the standards to be promulgated by the Secretary of Health and Human Services in connection with the Health Insurance Portability and Accountability Act—or can inform the development of such standards."

A special problem for the management of data in research is: How are various consents and differential access conditions to be trailed along with various data as the data are moved around, combined with other data, linked to other data, split apart into new combinations of data, and processed by different users for different purposes?


(115) NRC, Computer Science and Telecommunications Board, as cited in endnote (9).