Title: Internet2 Health Sciences Security SIG Possible Collaborations
1. Internet2 Health Sciences Security SIG Possible Collaborations
- Jere Retzer, Internet2 Health Sciences Security SIG Chair
- retzerj_at_ohsu.edu
- August 3, 2003
2. Overview
- Why an Internet2 Health Sciences Initiative
- Why a Health Sciences Security SIG
- How health sciences security is different from (and the same as) university security
- Who are the players?
- What are the opportunities?
3. Why Internet2 Health Sciences
- Internet2 Mission: Develop and deploy advanced network applications and technologies, accelerating the creation of tomorrow's Internet.
- Health sciences selected as a key applications focus due to the leading edge demands posed by the health sciences: security, high end imaging, very large and complex data sets
4. The Health Sciences Challenge
- "Networking Health: Prescriptions for the Internet" by the National Research Council (NAP.edu, 2000)
- Health care called the trillion dollar cottage industry -- perhaps the most knowledge-intensive industry, about where banking was in the 1960s
- Across the board, in health care, health education, public health and research, security is cited as an important barrier
5. Health Sciences Challenge 2
- 1999 Institute of Medicine "To Err is Human" estimates 44,000 to 98,000 accidental US deaths annually due to medical errors
- Hospitals more dangerous than highways
- Many preventable with computer systems such as electronic patient records and computerized physician order entry
- Culture evolved around paper records before privacy and security became concerns
6. Health Sciences Challenge 3
- Explosive growth of high end imaging and genetic data: petabytes of valuable and often sensitive data
7. Why a Health Sciences Security SIG
- Promote policies, practices, and projects that overcome security and privacy-related barriers to the adoption of emerging Internet technologies in the health sciences.
- While the health sciences are especially fertile for advanced applications like interactive digital video, large-scale data mining, simulation, imaging and remote instrumentation that can benefit from Internet2, the need to ensure the security and privacy of patient data has slowed the adoption of these high value applications
- http://health.internet2.edu/WorkingGroups/Security.html
8. HIPAA (http://www.hhs.gov/ocr/hipaa/)
- Health Insurance Portability and Accountability Act of 1996 requires privacy and security in three parts: transaction code sets, privacy and security
- Privacy rule compliance date: April 14, 2003
- Final security rule published Feb 20, 2003, compliance required April 21, 2005 (small plans have extra year)
- Most of us who have been involved with security for a while would call these mainly good common sense
- Requires risk analysis, physical security, backup and disaster recovery in addition to system security
9. Health Sciences and University Security: the Same, but Different
- Both want to use leading edge applications
- Both need to protect privacy: students, patients
- Both want inter-institutional access, remote and mobile access
- But HS often needs to add security to advanced apps
- Protected Health Information (PHI) is mission critical for HS
- HS relationships involve PHI, need RBAC and auditability
10. HS Need High Performance Apps
- Real-time, interactive video emerging as a mission critical application
- But PHI must be encrypted
- Need policies, procedures, forms
- Needs to be simple, reliable
- Needs to work through firewalls
- Emerging need: real-time monitoring, supervision and control of high end imaging, monitoring and diagnostic devices
11. Complex Systems Relationships
[Diagram of connected entities: Academic Medical Center, Physicians, Government, Patient Records (Paper), LAB, Admitting, Research, Law Enforcement, EMR, Labs, Residents, HL7, Insurance, Accounting, Billing, Patients, Radiology, Transcription, Pharmacy, Pathology, PACS, Marketing]
12. Access to Protected Health Information (PHI)
- The main order of business for health care
- An extremely valuable asset
- Must be encrypted across the Internet
- Complicated by HIPAA
- Most would like Role-Based Access and Control (RBAC)
- Must provide ability to audit access and tell patient who saw their record
- Special rules for emergencies, law enforcement, AIDS, or on patient request
- Researchers have special rules to de-identify data
13. Mobile/Wireless Devices
- Use is taking off in health care
- Present all the usual security headaches
- How do you control access to PHI once it gets into a PDA?
- How do you audit access?
- How do you ensure it is accurate or current?
14. Electronic Mail
- Over two thirds of surveyed patients would like to use e-mail to communicate with their physician, and physicians like it too, however
- E-mail is not secure, timely, or assured
- Generally stored and transmitted in the clear: employer and family access issues
- How do you know the doc even read it, or when?
- How do you even know it got there and some error didn't get inserted in the text? ("Do not take with aspirin")
- How do you get it into the patient's record?
15. So, is HS Security Different?
- The fundamental issues are really the same
- The need for security is more critical in some cases, particularly for PHI
- Access issues are significantly more complex
- But we've already begun to demonstrate standards-based middleware can work
- In some cases, I think HS is simply the first to confront issues that education in general will need to confront in the future
16. Who are the Players?
- Educause/Internet2 Security Task Force
- Internet2 Medical Middleware - Shibboleth
- AAMC - American Association of Medical Colleges Group on Information Resources
- NIH
- NLM - National Library of Medicine
- NCRR - National Center for Research Resources
- NIBIB - National Institute for Biomedical Imaging and Bioengineering
- NCI - National Cancer Institute
- HHS AHRQ - Agency for Healthcare Research & Quality
17. The Players - 2
- NIST - National Institute for Standards & Technology
- AMIA - American Medical Informatics Association
- eHealthinitiative, NHII
- HL7 - Health Level 7 working group
- WEDI - Workgroup on Electronic Data Interchange
- HIMSS - Healthcare Information and Management Systems Society
- RSNA - Radiological Society of North America
- Corporate: GE, Philips, Siemens, Johnson & Johnson, Eli Lilly, Pfizer
18. What are the Opportunities?
- Security at line speed
- Standards-based access between entities
- Role-based
- Auditable
- Verified integrity
- Security everywhere
19. An Invitation
- Join the healthsec_at_internet2.edu e-mail list
- Please dive in: the need is great and money is possible for worthy projects
- Please join us at the Internet2 Fall Member Meeting in Indianapolis in October for an organizational discussion of the Internet2 Health Sciences SIG (to be scheduled)