Internet2 Health Sciences Security SIG Possible Collaborations

1
Internet2 Health Sciences Security SIG Possible
Collaborations

• Jere Retzer, Internet2 Health Sciences Security
  SIG Chair,
• retzerj_at_ohsu.edu
• August 3, 2003

2
Overview

• Why an Internet2 Health Sciences Initiative
• Why a Health Sciences Security SIG
• How health sciences security is different (and
  the same) as university security
• Who are the players?
• What are the opportunities?

3
Why Internet2 Health Sciences

• Internet2 Mission Develop and deploy advanced
  network applications and technologies,
  accelerating the creation of tomorrows Internet.
• Health sciences selected as a key applications
  focus due to the leading edge demands posed by
  the health sciences security, high end imaging,
  very large and complex data sets

4
The Health Sciences Challenge

• Networking Health Prescriptions for the Internet
  by the National Research Council NAP.edu, 2000
• Health care called the trillion dollar cottage
  industry -- perhaps most knowledge-intensive
  industry about where banking was in the 1960s
• Across the board, in health care, health
  education, public health, research, security
  cited as an important barrier

5
Health Sciences Challenge 2

• 1999 Institute of Medicine To Err is Human
  estimates 44,000 98,000 accidental US deaths
  annually due to medical errors
• Hospitals more dangerous than highways
• Many preventable with computer systems such as
  electronic patient records, and computerized
  physician order entry
• Culture evolved around paper records before
  privacy and security became concerns

6
Health Sciences Challenge 3

• Explosive growth of high end imaging and genetic
  data petabytes of valuable and often sensitive
  data

7
Why a Health Sciences Security SIG

• Promote policies, practices, and projects that
  overcome security and privacy-related barriers to
  the adoption of emerging Internet technologies in
  the health sciences.
• While the health sciences are especially fertile
  for advanced applications like interactive
  digital video, large-scale data mining,
  simulation, imaging and remote instrumentation
  that can benefit from Internet2, the need to
  ensure the security and privacy of patient data
  has slowed the adoption of these high value
  applications
• http//health.internet2.edu/WorkingGroups/Securit
  y.html

8
HIPAA http//www.hhs.gov/ocr/hipaa/

• Health Insurance Portability and Accountability
  Act of 1996 requires privacy and security in
  three parts transaction code sets, privacy and
  security
• Privacy rule compliance date April 14, 2003
• Final security rule published Feb 20, 2003,
  compliance required April 21, 2005 (small plans
  have extra year)
• Most of us who have been involved with security
  for a while would call these mainly good common
  sense
• Requires risk analysis, physical security, backup
  and disaster recovery in addition to system
  security

9
Health Sciences and University Security the
Same, but Different

• Both want to use leading edge applications
• Both need to protect privacy students, patients
• Both want inter-institutional access, remote and
  mobile access

• But HS often needs to add security to advanced
  apps
• Protected Health Information (PHI) is mission
  critical for HS
• HS relationships involve PHI, need RBAC and
  auditability

10
HS Need High Performance Apps

• Real-time, interactive video emerging as a
  mission critical application
• But PHI must be encrypted
• Need policies, procedures, forms
• Needs to be simple, reliable
• Needs to work through firewalls
• Emerging need real-time monitoring, supervision
  and control of high end imaging, monitoring and
  diagnostic devices

11
Complex Systems Relationships
Academic Medical Center
Physicians
Government
Patient Records (Paper)
LAB
Admitting
Research
Law Enforcement
EMR
Labs
Residents
HL7
Insurance
Accounting
Billing
Patients
Radiology
Transcription
Pharmacy
Pathology
PACS
Marketing
12
Access to Protected Health Information (PHI)

• The main order of business for health care
• An extremely valuable asset
• Must be encrypted across the Internet
• Complicated by HIPAA
• Most would like Role-Based Access and Control
  (RBAC)
• Must provide ability to audit access and tell
  patient who saw their record
• Special rules for emergencies, law enforcement,
  AIDS, or on patient request
• Researchers have special rules to de-identify
  data

13
Mobile/Wireless Devices

• Use is taking off in health care
• Present all the usual security headaches
• How do you control access to PHI once it gets
  into a PDA?
• How do you audit access?
• How do you ensure it is accurate or current?

14
Electronic Mail

• Over two thirds of surveyed patients would like
  to use e-mail to communicate with their
  physician, and physicians like it too, however
• E-mail is not secure, timely, or assured
• Generally stored and transmitted in the clear
  employer and family access issues
• How do you know the doc even read it, or when?
• How do you even know it got there and some error
  didnt get inserted in the text? (Do not take
  with aspirin)
• How do you get it into the patients record?

15
So, is HS Security Different?

• The fundamental issues are really the same
• The need for security is more critical in some
  cases, particularly for PHI
• Access issues are significantly more complex
• But weve already begun to demonstrate
  standards-based middleware can work
• In some cases, I think HS is simply the first to
  confront issues that education in general will
  need to confront in the future

16
Who are the Players?

• Educause/Internet2 Security Task Force
• Internet2 Medical Middleware - Shibboleth
• AAMC American Association of Medical Colleges
  Group on Information Resources
• NIH
• NLM National Library of Medicine
• NCRR National Center for Research Resources
• NIBIB National Institute for Biomedical Imaging
  and Bioengineering
• NCI National Cancer Institute
• HHS AHRQ Agency for Healthcare Research
  Quality

17
The Players - 2

• NIST National Institute for Standards
  Technology
• AMIA American Medical Informatics Association
• eHealthinitiative, NHII
• HL7 Health Level 7 working group
• WEDI Workgroup on Electronic Data Interchange
• HIMSS - Healthcare Information and Management
  Systems Society
• RSNA Radiological Society of North America
• Corporate GE, Phillips, Siemens, Johnson
  Johnson, EI Lilly, Pfizer

18
What are the Opportunities?

• Security at line speed
• Standards-based access between entities
• Role-based
• Auditable
• Verified integrity
• Security everywhere

19
An Invitation

• Join the healthsec_at_internet2.edu e-mail list
• Please dive in the need is great and money is
  possible for worthy projects
• Please join us at the Internet2 Fall Member
  Meeting in Indianapolis in October for an
  organizational discussion of the Internet2 Health
  Sciences SIG (to be scheduled)