
Internet2 Health Sciences Security SIG – Possible Collaborations

Jere Retzer, Internet2 Health Sciences Security SIG Chair, retzerj@ohsu.edu, August 3, 2003


Overview

• Why an Internet2 Health Sciences Initiative

• Why a Health Sciences Security SIG

• How health sciences security is different from (and the same as) university security

• Who are the players?

• What are the opportunities?


Why Internet2 Health Sciences

• Internet2 Mission: Develop and deploy advanced network applications and technologies, accelerating the creation of tomorrow’s Internet.

• Health sciences selected as a key applications focus due to the leading edge demands posed by the health sciences – security, high end imaging, very large and complex data sets


The Health Sciences Challenge

• Networking Health: Prescriptions for the Internet by the National Research Council – NAP.edu, 2000

• Health care has been called the “trillion dollar cottage industry” -- perhaps the most knowledge-intensive industry, yet roughly where banking was in the 1960s

• Across the board, in health care, health education, public health and research, security is cited as an important barrier


Health Sciences Challenge – 2

• 1999 Institute of Medicine “To Err is Human” estimates 44,000 – 98,000 accidental US deaths annually due to medical errors

• Hospitals more dangerous than highways

• Many preventable with computer systems such as electronic patient records, and computerized physician order entry

• Culture evolved around paper records before privacy and security became concerns


Health Sciences Challenge – 3

• Explosive growth of high end imaging and genetic data – petabytes of valuable and often sensitive data


Why a Health Sciences Security SIG

• Promote policies, practices, and projects that overcome security and privacy-related barriers to the adoption of emerging Internet technologies in the health sciences.

• While the health sciences are especially fertile for advanced applications like interactive digital video, large-scale data mining, simulation, imaging and remote instrumentation that can benefit from Internet2, the need to ensure the security and privacy of patient data has slowed the adoption of these high value applications

• http://health.internet2.edu/WorkingGroups/Security.html


HIPAA: http://www.hhs.gov/ocr/hipaa/

• The Health Insurance Portability and Accountability Act of 1996 addresses privacy and security through three rule sets: transactions and code sets, privacy, and security

• Privacy rule compliance date April 14, 2003

• Final security rule published Feb 20, 2003, compliance required April 21, 2005 (small plans have extra year)

• Most of us who have been involved with security for a while would call these mainly good common sense

• Requires risk analysis, physical security, backup and disaster recovery in addition to system security


Health Sciences and University Security – the Same, but Different

• Both want to use leading edge applications

• Both need to protect privacy – students, patients

• Both want inter-institutional access, remote and mobile access

• But HS often needs to add security to advanced apps

• Protected Health Information (PHI) is mission critical for HS

• HS relationships involve PHI, so they need role-based access control (RBAC) and auditability


HS Needs High-Performance Apps

• Real-time, interactive video emerging as a mission critical application

• But PHI must be encrypted

• Need policies, procedures, forms

• Needs to be simple, reliable

• Needs to work through firewalls

• Emerging need: real-time monitoring, supervision and control of high end imaging, monitoring and diagnostic devices


Complex Systems & Relationships

[Slide diagram: the entities and systems that exchange data around an Academic Medical Center – Admitting, Patient Records (paper), Insurance, HL7 interfaces, Radiology, EMR, PACS, Pathology, Lab, Physicians, Research Labs, Transcription, Government, Law Enforcement, Residents, Patients, Marketing, Accounting, Pharmacy, Billing]


Access to Protected Health Information (PHI)

• The main order of business for health care

• An extremely valuable asset

• Must be encrypted across the Internet

• Complicated by HIPAA

• Most would like Role-Based Access Control (RBAC)

• Must provide the ability to audit access and tell the patient who saw their record

• Special rules for emergencies, law enforcement, AIDS, or “on patient request”

• Researchers have special rules to “de-identify” data
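The RBAC, audit and de-identification requirements on this slide (and the “need RBAC and auditability” point earlier) can be made concrete in a few dozen lines. The example below is added here and is not code from the Internet2 SIG, OHSU or any real EMR; the roles, record sections, emergency policy and sample patient are all hypothetical. It shows the three things a practitioner has to get right together: every access attempt (including denials) goes into an append-only audit trail, emergency “break-glass” access widens the role but is flagged for later review, and the researcher role only ever sees a copy with direct identifiers stripped.

```python
"""Role-based access to PHI with a per-patient audit trail.

Added illustration only: not code from the Internet2 SIG, OHSU or any real
EMR. The roles, record layout and policy below are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical role -> record sections that role may read.
ROLE_PERMISSIONS = {
    "physician":  {"demographics", "clinical", "medications"},
    "pharmacist": {"demographics", "medications"},
    "billing":    {"demographics", "billing"},
    "researcher": {"clinical"},   # and only after de-identification
}
# Roles allowed to invoke emergency ("break-glass") access.
EMERGENCY_ROLES = {"physician", "pharmacist"}
# Direct identifiers stripped for researchers (a subset of the Safe Harbor list).
DIRECT_IDENTIFIERS = {"name", "mrn", "dob", "address", "phone"}


@dataclass(frozen=True)
class AuditEvent:
    when: str
    user: str
    role: str
    patient_id: str
    requested: tuple
    outcome: str        # "granted", "denied" or "emergency"
    reason: str


class PhiStore:
    def __init__(self):
        self.records = {}   # patient_id -> {section: {field: value}}
        self.audit = []     # append-only: events are never edited or removed

    def add_patient(self, patient_id, record):
        self.records[patient_id] = record

    def access(self, user, role, patient_id, sections, emergency=False, reason=""):
        """Return the requested sections or raise PermissionError; every attempt is logged."""
        if role not in ROLE_PERMISSIONS:
            raise PermissionError(f"unknown role {role!r}")
        requested = tuple(sorted(sections))
        allowed = ROLE_PERMISSIONS[role]
        outcome = "granted"
        if emergency:
            # Break-glass: widen access, but require a documented reason and
            # flag the event so privacy staff can review it after the fact.
            if role not in EMERGENCY_ROLES or not reason:
                self._log(user, role, patient_id, requested, "denied", reason)
                raise PermissionError("emergency access needs an eligible role and a reason")
            allowed = set().union(*ROLE_PERMISSIONS.values())
            outcome = "emergency"
        if set(requested) - allowed:
            self._log(user, role, patient_id, requested, "denied", reason)
            raise PermissionError(f"{role} may not read {set(requested) - allowed}")
        self._log(user, role, patient_id, requested, outcome, reason)
        data = {s: dict(self.records[patient_id].get(s, {})) for s in requested}
        return deidentify(data) if role == "researcher" else data

    def _log(self, user, role, patient_id, requested, outcome, reason):
        self.audit.append(AuditEvent(datetime.now(timezone.utc).isoformat(),
                                     user, role, patient_id, requested, outcome, reason))

    def patient_access_report(self, patient_id):
        """Who actually saw this patient's record: what the patient may ask for."""
        return [e for e in self.audit
                if e.patient_id == patient_id and e.outcome != "denied"]

    def emergency_events(self):
        """Break-glass uses awaiting privacy-office review."""
        return [e for e in self.audit if e.outcome == "emergency"]


def deidentify(data):
    """Drop direct identifiers from every returned section."""
    return {s: {k: v for k, v in fields.items() if k not in DIRECT_IDENTIFIERS}
            for s, fields in data.items()}


def demo():
    """Constructed sample patient and a few accesses; returns the store for inspection."""
    store = PhiStore()
    store.add_patient("P001", {
        "demographics": {"name": "Jane Doe", "mrn": "000123", "dob": "1970-01-01"},
        "clinical":     {"mrn": "000123", "diagnosis": "hypertension"},
        "medications":  {"current": ["lisinopril"]},
        "billing":      {"insurer": "ExampleCare"},
    })
    store.access("dr_smith", "physician", "P001", ["clinical", "medications"])
    try:
        store.access("acct_lee", "billing", "P001", ["clinical"])   # denied, but logged
    except PermissionError:
        pass
    store.access("rph_chen", "pharmacist", "P001", ["clinical"],
                 emergency=True, reason="ED consult, attending unreachable")
    return store
```

Denied attempts stay in the log deliberately: a pattern of refused reads against one patient is exactly what an auditor wants to see. The `patient_access_report` view omits them because the patient's question is who actually saw the record, not who was stopped.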


Mobile/Wireless Devices

• Use is taking off in health care

• Present all the usual security headaches

• How do you control access to PHI once it gets into a PDA?

• How do you audit access?

• How do you ensure it is accurate or current?


Electronic Mail

• Over two thirds of surveyed patients would like to use e-mail to communicate with their physician, and physicians like it too, however

• E-mail is not secure, timely, or assured

• Generally stored and transmitted in the clear – employer and family access issues

• How do you know the doc even read it, or when?

• How do you even know it got there and some error didn’t get inserted in the text? (“Do [not] take with aspirin”)

• How do you get it into the patient’s record?
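Two of the questions above, whether the text arrived unaltered and whether (and when) the physician read it, have a standard answer: authenticate the message and bind the read receipt to it. The example below is added here and is not code from the Internet2 SIG or any portal product. It assumes a hypothetical patient portal and clinic that share a secret key, and uses an HMAC over the canonical headers and body; a real deployment would more likely use S/MIME or a TLS-protected portal, and an HMAC gives integrity under a shared key but not non-repudiation, since either side could have produced the tag. The body itself is not encrypted here; the point is only detecting the “Do [not] take with aspirin” class of alteration and proving the read time.

```python
"""Integrity-protected clinical message plus an authenticated read receipt.

Added illustration, not from the Internet2 SIG or any portal product. The
shared secret, addresses and message are constructed for the example.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone


def canonical(fields):
    """Stable byte encoding so sender and recipient MAC exactly the same thing."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def seal(fields, key):
    """Attach a MAC over every protected header plus the body."""
    tag = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "mac": tag}


def verify(msg, key):
    """True only if no protected field has changed since sealing."""
    body = {k: v for k, v in msg.items() if k != "mac"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    # Constant-time compare so a forger learns nothing from timing.
    return hmac.compare_digest(expected, msg.get("mac", ""))


def read_receipt(msg, reader, key, now=None):
    """Receipt binds reader and read time to the MAC of the exact message read."""
    when = (now or datetime.now(timezone.utc)).isoformat()
    return seal({"type": "receipt", "msg_mac": msg["mac"],
                 "reader": reader, "read_at": when}, key)


def demo(key=b"constructed-shared-secret"):
    """Seal a constructed message, tamper with a copy, and issue a receipt."""
    sent = seal({"from": "patient@example.org", "to": "dr_smith@clinic.example",
                 "sent_at": "2003-08-03T09:00:00+00:00",
                 "body": "Do not take with aspirin"}, key)
    # A single dropped word reverses the clinical meaning; the MAC catches it.
    tampered = dict(sent, body="Do take with aspirin")
    receipt = read_receipt(sent, "dr_smith", key,
                           datetime(2003, 8, 3, 10, 30, tzinfo=timezone.utc))
    return {
        "sent_ok": verify(sent, key),
        "tampered_ok": verify(tampered, key),
        "wrong_key_ok": verify(sent, b"some-other-key"),
        "receipt_ok": verify(receipt, key) and receipt["msg_mac"] == sent["mac"],
        "read_at": receipt["read_at"],
    }
```

The receipt carries the message's own MAC rather than a fresh hash of the text, so it cannot be replayed against a different or later-edited message, and the `sent_at` header is inside the MAC so the timing questions on the slide are answerable from the two sealed objects alone.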


So, is HS Security Different?

• The fundamental issues are really the same

• The need for security is more critical in some cases, particularly for PHI

• Access issues are significantly more complex

• But we’ve already begun to demonstrate that standards-based middleware can work

• In some cases, I think HS is simply the first to confront issues that education in general will need to confront in the future


Who are the Players?

• Educause/Internet2 Security Task Force

• Internet2 Medical Middleware - Shibboleth

• AAMC – Association of American Medical Colleges, Group on Information Resources

• NIH – NLM (National Library of Medicine), NCRR (National Center for Research Resources), NIBIB (National Institute of Biomedical Imaging and Bioengineering), NCI (National Cancer Institute)

• HHS AHRQ – Agency for Healthcare Research & Quality


The Players - 2

• NIST – National Institute of Standards and Technology

• AMIA – American Medical Informatics Association

• eHealth Initiative, NHII (National Health Information Infrastructure)

• HL7 – Health Level Seven working group

• WEDI – Workgroup on Electronic Data Interchange

• HIMSS - Healthcare Information and Management Systems Society

• RSNA – Radiological Society of North America

• Corporate: GE, Philips, Siemens, Johnson & Johnson, Eli Lilly, Pfizer …


What are the Opportunities?

• Security at line speed

• Standards-based access between entities

• Role-based

• Auditable

• Verified integrity

• Security everywhere


An Invitation

• Join the [email protected] e-mail list

• Please dive in – the need is great and money is possible for worthy projects

• Please join us at the Internet2 Fall Member Meeting in Indianapolis in October for an organizational discussion of the Internet2 Health Sciences SIG (to be scheduled)