Making security and privacy a priority: The benefits of establishing a secure communications network

Transcript and Presenter's Notes


1
Making security and privacy a priority: The
benefits of establishing a secure communications
network
  • Chris Showell 1,2, Liz Cummings 2,3,4,
  • Associate Professor Paul Turner 2,3,4
  • Department of Health and Human Services, Tasmania
  • School of Information Systems, University of
    Tasmania
  • Smart Internet Technology CRC
  • Tasmanian e-Health Association

2
Scope
  • Development of a public hospital / general
    practice internet interface
  • Key achievements and lessons learned in the trial
    in Northern Tasmania
  • Importance of informed consent to communication
  • The use of Public Key Infrastructure (PKI) to
    transfer information securely
  • Incorporating secure messaging into patient
    healthcare management systems

3
Outline
  • What do patients expect?
  • How well do we do?
  • Why should we bother?
  • Models for implementation
  • Project background
  • Implementation
  • Subsequent work
  • Reflection and advice

4
  • What do patients expect?
  • How well do we do?
  • Why should we bother?
  • Models for implementation
  • Project background
  • Implementation
  • Subsequent work
  • Reflection and advice

5
What do patients expect?
  • Definitions (Bluml BM et al 1999)
  • Privacy - The right of the patient that
    information be kept secret and not shared with
    any other person
  • Confidentiality - Protection of that private
    information from being shared with others
  • Security - policy, procedures, and technologies
    that prevent the disclosure of confidential or
    sensitive information
  • Balanced with access
  • Information shared when appropriate
  • Consent
  • Permission obtained before information is shared

6
GP Virtual Amalgamation
  • Survey in GP waiting rooms (Cummings 2002)
  • 243 subjects
  • Would patients agree to:
  • Automatic transfer of demographic data between
    practices with consent? 97%
  • Viewing of record at another practice during a
    consultation, with consent? 98%
  • Copy of consultation records sent to usual
    doctor, with consent? 99%

7
  • What do patients expect?
  • How well do we do?
  • Why should we bother?
  • Models for implementation
  • Project background
  • Implementation
  • Subsequent work
  • Reflection and advice

8
How well do we do?
  • Patients overestimate the privacy controls we
    apply
  • Patients aren't aware that administrative staff
    in general practice have access to their records
    (Carman et al 1995)
  • 108 of 3,013 respondents (3.6%) reported that
    healthcare providers had released their
    information without consent (Mulligan 2001)
  • Limited research into provider attitudes
  • Evidence (Elger et al 2005) that theoretical
    knowledge does not always translate to practical
    application

9
Attitudes of medical and clerical staff
  • Clinical staff
  • Know and understand the ethical constraints
  • Sometimes forget to apply them
  • Can be led astray through enthusiasm or ignorance
  • Anecdotally, breaches occur

10
  • What do patients expect?
  • How well do we do?
  • Why should we bother?
  • Models for implementation
  • Project background
  • Implementation
  • Subsequent work
  • Reflection and advice

11
Why should we bother?
  • Patient perception of the risk of exposure
  • Patients expect that information will only be
    released with their consent (Hallows et al 1998)
  • May lead patients to
  • Withhold information (Sankar et al 2003)
  • Delay or avoid seeking care
  • Loss of trust
  • Projects ignore patient concerns at their peril
  • A crash-through approach may lead to delay,
    rework or failure

12
  • What do patients expect?
  • How well do we do?
  • Why should we bother?
  • Models for implementation
  • Project background
  • Implementation
  • Subsequent work
  • Reflection and advice

13
Models for implementation
  • Creation: manual/automatic; admin or clinical
  • System: standalone or integrated
  • Content: free text or structured
  • Authentication: site or individual
  • Transmission: fax/email/broker/point to point
  • Routing: manual or automated
  • Consent: send all / all unless asked not to /
    only with consent / remote or retrospective
  • Control: creation, sending or viewing

14
How can we do it?
  • Internal controls to limit access to information
    internally
  • Restricted file stores
  • Encrypted storage
  • Network security
  • Encryption/decryption for transmission
  • Reliably identify where the information is being
    sent
  • Keep a log of what happens
  • Ask first

15
  • What do patients expect?
  • How well do we do?
  • Why should we bother?
  • Models for implementation
  • Project background
  • Implementation
  • Subsequent work
  • Reflection and advice

16
Early Collaboration
  • Discussions between DHHS and GP Divisions about
    communications priorities
  • Consultants' report: protocols (ARTD 2002)
  • Informed consent
  • Secure transfer (AS400)
  • Replacement of existing PAS imminent
  • Little potential for system modification
  • Contemporary ED system
  • Focus on ED messages
  • Significant level of mutual trust between GPs and
    DHHS established over time

17
Existing Systems
  • Homer patient administration system
  • Statewide Client Registration System
  • Sun Microsystems (SeeBeyond) eGate (integrator)
    and eIndex (single patient view)
  • iSOFT (HAS Solutions) EDIS

18
  • What do patients expect?
  • How well do we do?
  • Why should we bother?
  • Models for implementation
  • Project background
  • Project implementation
  • Subsequent work
  • Reflection and advice

19
GPlinkED
  • HIRaD funding
  • Administrative data, not clinical
  • Sidestepped e-signature issue
  • Minimal change in hospitals
  • Provider Directory
  • Automated messaging

20
(No Transcript)
21
Consent
  • Each patient asked at each visit
  • Who is your usual GP?
  • Should s/he be informed?
  • Consent stored in EDIS
  • No record of consent, no message sent

22
Privacy
  • Fax as an option; PKI-encrypted email preferred
  • Patient consent stored electronically
  • No message without evidence of consent
  • DHHS unable to control GP business practice
  • Information management standards assessed in
    practice accreditation

23
Security
  • History of misdirected messages
  • PKI
  • Active support for GP uptake
  • Location certificates versus individual
  • Secure fax ...

24
Provider Directory
  • Principles
  • Sustainability essential - minimal additional
    work in DHHS
  • Contact details managed securely
  • GP reservations about providing contact
    details to DHHS (spam avoidance)
  • Details entered and controlled by GP Divisions
  • Reconciliation between Provider Directory details
    and the three hospital PAS accounts
  • Messaging preferences and alternates recorded in
    the Directory
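An added example (not the project's own code) of the fail-closed dispatch rule slides 21 to 24 describe: an ED attendance produces a notification only when consent is recorded against the attendance, the transport is taken from the GP's Provider Directory preference with the recorded alternate as fallback, and every decision is logged. The consent states, directory entries and transport names are constructed assumptions, not the EDIS or GPlinkED data model.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Consent(Enum):
    NOT_ASKED = "not asked"   # staff never asked (the slide 31 trap)
    WITHHELD = "withheld"
    GIVEN = "given"

@dataclass
class Provider:   # constructed Provider Directory entry (held by GP Divisions)
    gp_id: str
    preferred: str                   # "pki_email" or "fax"
    alternate: Optional[str] = None  # fallback transport, if any
    receives_messages: bool = True   # GPs who do not want messages opt out

@dataclass
class Attendance:   # constructed ED attendance; consent captured at the visit
    patient_id: str
    usual_gp: Optional[str]
    consent: Consent

# Constructed directory; real entries are entered and controlled by GP Divisions.
DIRECTORY = {
    "gp-0001": Provider("gp-0001", "pki_email", alternate="fax"),
    "gp-0002": Provider("gp-0002", "fax"),
    "gp-0003": Provider("gp-0003", "pki_email", receives_messages=False),
}
AUDIT_LOG = []   # "keep a log of what happens": administrative data only

def _log(att: Attendance, transport: Optional[str], reason: str):
    AUDIT_LOG.append({"patient": att.patient_id, "gp": att.usual_gp,
                      "transport": transport, "reason": reason})
    return transport, reason

def dispatch(att: Attendance, directory=DIRECTORY,
             transports_up=frozenset({"pki_email", "fax"})):
    """Return (transport, reason). Fail closed: no evidence of consent, no message."""
    if att.consent is not Consent.GIVEN:
        return _log(att, None, f"no message: consent {att.consent.value}")
    gp = directory.get(att.usual_gp or "")
    if gp is None:
        return _log(att, None, "no message: no usual GP in Provider Directory")
    if not gp.receives_messages:
        return _log(att, None, "no message: GP has opted out")
    # Transport-neutral: preferred channel first, then the recorded alternate.
    for transport in (gp.preferred, gp.alternate):
        if transport in transports_up:
            return _log(att, transport, f"sent via {transport}")
    return _log(att, None, "no message: no usable transport")
```

Both "patient not asked" and "consent withheld" take the same no-message path, which is the behaviour slide 31 warns hospitals to expect.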

25
PKI Implementation issues
  • Certificate woes
  • Problems with server based practice systems
  • Renewals and revocations
  • Financial model
  • Who operates the certificate within a practice
  • Personal certificates in a public hospital

26
Challenges in hospitals
  • Hospital staff who don't ask for patient consent
  • Hospital doctors don't always see a need to
    communicate with their primary care colleagues
  • Clinicians can be dismissive of concerns over
    privacy, confidentiality and consent
  • May be keen to improve communication, but unaware
    of the technical underpinnings of security and
    privacy

27
Community challenges
  • Patients without a usual GP
  • Doctors who don't want to receive messages
  • Security practices within GP surgeries
  • GPs who don't want to know
  • GP Divisions' views are not a GP consensus

28
  • What do patients expect?
  • How well do we do?
  • Why should we bother?
  • Models for implementation
  • Project background
  • Implementation
  • Subsequent work
  • Reflection and advice

29
Subsequent work
  • HealthConnect: admission and discharge
    notifications (ENHE)
  • HealthConnect: medication summary (PDMR)
  • HealthConnect: redevelopment of the Provider
    Directory
  • Potential for integration with a national
    provider directory
  • Clinical messaging (standards based) to follow

30
  • What do patients expect?
  • How well do we do?
  • Why should we bother?
  • Models for implementation
  • Project background
  • Implementation
  • Subsequent work
  • Reflection and advice

31
Traps for the unwary
  • GPs are not a homogeneous group
  • Not all GPs wanted the information that was
    agreed upon
  • GPs now want more details
  • Patient attendances without a consent don't
    produce a message
  • Patient not asked
  • Consent withheld
  • Adopting a commercial solution for communication
    may bless a particular vendor

32
Incremental Approach
  • Options for uptake: fax, emailed RTF, emailed
    HL7
  • DHHS initiates the message, but the process is
    transport neutral
  • Modular development
  • Minimise additional labour required in hospitals
  • Administrative data only, not clinical; no
    personal electronic signature

33
Secrets of success
  • Implement a security model, don't invent one
  • Trust
  • Progressive development over successive projects
  • One solution follows another
  • Staged, stepwise go-live
  • Appropriate level of user support (at the right
    time)
  • Manageable steps
  • Stretch, but don't over-reach

34
References
  • ARTD Consultants. Review of the Tasmanian
    GP/hospital IT interface. TGPD, June 2000.
  • Bluml BM, Crooks GM. Designing solutions for
    securing patient privacy: meeting the demands of
    health care in the 21st century. J Am Pharm Assoc
    1999; 39(3): 402-407.
  • Carman D, Britten N. Confidentiality of medical
    records: the patient's perspective. Br J Gen
    Pract 1995; 45: 485-488.
  • Cummings E. Outcomes report to DoHA: Ulverstone
    virtual practice amalgamation (unpublished). TGPD,
    2002.
  • Elger BS, Harding TW. Avoidable breaches of
    confidentiality: a study among students of
    medicine and law. Med Educ 2005; 39: 333-337.
  • Hallows N, Ryan C, Scott G et al. A love-hate
    relationship. BMA News Review, April 1998: 17.
  • Mulligan EC. Confidentiality in health records:
    evidence of current performance from a population
    survey in South Australia. MJA 2001; 174: 637-640.
  • Sankar P, Moran S, Merz J, Jones NL. Patient
    perspectives on medical confidentiality. J Gen
    Intern Med 2003; 18: 659-669.

35
Questions