A Security Policy Mo del for Clinical Information Systems

Ross J Anderson

University of Cambridge Lab oratory

Pembroke Street Cambridge CB QG

rossandersonclcamacuk

Abstract up a numb er of centralised applications that will use

it One of them will centralise the billing of hospital

The protection of personal health information has

treatment in a single system that will pro cess large

become a live issue in a number of countries including

amounts of p ersonal health information and make

the USA Canada Britain and Germany The debate

various analyses available to administrators Do ctors

has shown that there is widespread confusion about

will remain resp onsible for the security of clinical in

what should be protected and why Designers of mil

formation which they originate yet the do ctors main

itary and banking systems can refer to Bel lLaPadula

professional organisation the British Medical Asso

and ClarkWilson respectively but there is no com

ciation BMA has b een refused information ab out

parable security policy model that spel ls out clear and

the security mechanisms that are supp osed to protect

concise access rules for clinical information systems

patient information on the new network and its appli

In this article we present just such a model It

cations

was commissioned by doctors and is driven by medical

It also b ecame clear that there was much confu

ethics it is informed by the actual threats to privacy

sion ab out the actual threats and ab out the protec

and reects current best clinical practice Its eect

tion measures that it would b e prudent to take For

is to restrict both the number of users who can ac

these reasons the BMA asked the author to study

cess any record and the maximum number of records

the threats to p ersonal health information And

accessed by any user This entails control ling infor

Andc and then to draw up a security p olicy mo del

mation ows across rather than down and enforcing

Anda and interim guidelines for prudent practice

a strong notication property We discuss its rela

Andb In this pap er we present the p olicy mo del

tionship with existing security policy models and its

The presentation is of necessity abbreviated and read

possible use in other applications where information

ers are urged to obtain a the full do cument from the

exposure must be localised these range from private

BMA or via the web Anda

banking to the management of intel ligence data

A note on terminology

Intro duction

We dene and discuss the terminology at length

in the full p olicy so it is merely summarised here

The intro duction of nationwide health information By clinician or clinical professional we mean a li

networks has caused concern ab out security Do c censed professional such as a do ctor nurse pharma

tors are worried that making health information more cist radiologist or dentist who has access in the line of

widely available may endanger patient condentiality duty to p ersonal health information by this we mean

In the USA there is controversy over a prop osed law any information concerning a p ersons health or treat

on medical privacy Ben In Ontario an attempt ment that enables them to b e identied By patient

to give the Minister of Health access to all medical we mean the patient or his representative who ever

records was defeated after intense pressure by the pub must give consent and b e notied We ignore dele

lic and the Ontario Medical Asso ciation Lan In gation of access to p ersons such as receptionists as a

Germany there has b een disquiet ab out the intro duc clinician remains resp onsible for their actions

tion of a uniform national smartcard system to handle

For economy of expression we will assume that the

health insurance payments

clinician is female and the patient male The fem

In the UK the government has commissioned a na inist versus grammarian issue is traditionally solved

tionwide health information network and is setting in the crypto literature by assigning denite gender

A numb er of exceptions to this rule have develop ed roles with the females b eing at least as high status

over time For example Britain has rules on noti as the males Our choice is not meant to assert that

able diseases adverse drug reactions nonaccidental the clinician has higher status than the patient in the

injuries and tness to drive Boy However these therap eutic partnership b etween them

exceptions are p eripheral as disclosures are rare and

Finally some authors draw a distinction b etween

are typically made on pap er

condentiality which protects the interests of the

organisation and privacy which protects the auton

Threats to clinical condentiality

omy of the individual We will rather follow the com

Many organisations have replaced disp ersed manual

mon medical usage in which b oth words interchange

record keeping systems with centralised or networked

ably mean privacy

computer systems which give b etter access to data

The ethical basis of condentiality

Their exp erience is that the main new threat comes

from abuse by insiders For example most of the big

The Hipp o cratic oath says

UK banks now let any teller access any account The

eect is that private eyes get hold of information by

Whatso ever I shall see or hear in the course

bribing tellers and sell it for $ or so LB The

of my dealings with men if it b e what should

practice was made illegal by a recent amendment to

not b e published abroad I will never divulge

the Data Protection Act but there have still b een no

holding such things to b e holy secrets

prosecutions of which we are aware

The eects of aggregating data should have b een

Do ctors in most countries interpret the words

exp ected The likeliho o d that information will b e im

should not in terms of consent In Britain for exam

prop erly disclosed dep ends on its value and the num

ple the do ctors disciplinary b o dy is the General Med

b er of p eople who have access to it Aggregation in

ical Council which expresses the duty of condence as

creases b oth these risk factors at the same time It

follows GMC

may also create a valuable resource which brings p olit

ical pressure for legalised access by interests claiming

Patients have a right to exp ect that you will

a need to know Smu

not pass on any p ersonal information which

you learn in the course of your professional

Health systems are no dierent At present privacy

duties unless they agree

dep ends on the fragmentation and scattering inherent

in manual systems and standalone remov

The GMC further stipulates that do ctors who

ing this without intro ducing eective comp ensating

record or who are the custo dians of condential infor

controls is unethical There have b een p ersistent UK

mation must make sure that it is eectively protected

press rep orts of health records b eing sold by private

against improp er disclosure when it is stored trans

detectives for as little as $ LB RL Perhaps

the most serious rep orted case is that of Dr Jackson mitted received and disp osed of GMC Other clini

cians such as nurses pharmacists and physiotherapists

a Merseyside sex stalker who wins the condence of

are under similar professional obligations Finally a

young women by discussing their family medical his

tory over the telephone urges them to examine them numb er of countries have laws on data protection and

from an EU directive on data protection will

selves tries to arrange meetings and then attempts to

comp el Europ ean countries to make patient consent

ab duct them Police b elieve that he is a health worker

the paramount principle in the protection of p ersonal

or a computer hacker ISM

health information

The US exp erience is much worse This may b e

partly due to the control exerted by HMOs and insur Consent must b e informed and voluntary For ex

ample patients must b e made aware that information

ance companies and partly b ecause networking has

may b e shared b etween memb ers of a care team such

advanced somewhat more than in Britain

1

as a general medical practice or hospital department

 a banker on a state health commission had access

and if researchers want access to records which cannot

to a list of all the patients in his state who had

eectively b e made anonymous then every eort must

b een diagnosed with cancer He crossreferenced

b e made to inform the patient and gain his consent

it with his client list and called in the patients

which must b e renewed every ve years Som

loans HRM

1

the UK general practitioner or GP is the primary care

physician or family do ctor  a Harris p oll on health information privacy

showed that of resp ondents were worried AIDS suerers to assist in estimating the need for

ab out medical record privacy and a quarter had lo cal community services is b eing resisted by the pro

p ersonal exp erience of abuse GTP fession

In addition the EU directive is ab out to enforce the

 Forty p ercent of insurers disclose medical infor

principle of consent throughout Europ e So adminis

mation to lenders employers or marketers with

trators are scrambling to redene consent

out customer p ermission CR and over half of

The UK governments initial p osition was that a

Americas largest companies admitted using

patient gave implied consent to information sharing

medical records to make hiring and other p erson

by the mere act of seeking treatment More recently

nel decisions Bru

ocials have tried to redene informed consent as the

consequence of putting up notices informing patients

The problem was studied by the US governments

that their p ersonal health information may b e shared

Oce of Technology Assessment which conrmed

with ocials Consent as understo o d by the layman

that the main threats come from insiders and are

has b een renamed explicit consent and derided as

exacerbated by the data aggregation that networked

unpractical The struggle continues

computer systems encourage OTA There is

now controversy over a bill intro duced into the US

However the purp ose of this do cument is normative

Congress which would remove the patients right to

more than descriptive Our goal is to describ e things

sue should his privacy b e breached and harm result

as they should b e and as they would b e if attention

Ben This bill is sp onsored by a credit reference

were paid to the ethical rulings of the GMC the EU

agency that is currently building a large network for

directive and surveys showing that most patients are

trading health information

unwilling to share their p ersonal health information

with administrators Haw CB

However do ctors do not accept and in many coun

tries administrators do not even claim that the uncon

trolled aggregation of data is ethically p ermissible In

Other threats to clinical information

the words of David Bellamy Principal Medical Ocer

The integrity and availability of medical informa

at the UK Department of Health

tion are also imp ortant for the obvious safety and

medicolegal reasons While mail fax and telephone

It is a commonly held view that I as a

messages are just as prone to failure as computer sys

do ctor can discuss with another do ctor any

tems their failure mo des are more evident Software

thing ab out a patient b ecause a do ctor has a

bugs could alter the numb ers in a lab oratory rep ort

duty to maintain condentiality by reason of

without changing it so grossly that it would b e re

his ethical obligations It is just not true and

jected viruses have already destroyed clinical infor

it no longer holds water Even if it helps pro

mation and concern has b een expressed that the lack

fessionals discussing individual patients with

of standards in clinical EDI may lead to data b eing

their colleagues they must discuss only on

interpreted dierently by dierent systems with life

the basis of the information the colleague

threatening eect Mar

needs to know WHC

Turning from random to malicious failure it is

clearly p ossible in the absence of comsec mechanisms

The real p olitical struggle here is over control and

for outsiders to intercept or mo dify messages But

in particular whether access decisions should b e taken

most rep orted attacks on clinical information systems

by the patient as is required by the GMC or by ad

consist of the physical theft of the computer from a

ministrators as is implicit in the use of the phrase

surgery with over of British GPs having suered

needtoknow After all while it is the patient who

this PK The ma jority of other attacks on sys

gives consent it is the administrator who decides who

tem integrity are likely to b e carried out by insiders

needs to know Recent court cases have ero ded the

In typical cases of which we are aware attackers have

strength of needtoknow arguments it has b een

tried to shift liability by altering a record of malprac

ruled that even a do ctors HIV status may not b e dis

tice Ald to abuse prescription systems JHC or

closed as the small risk to patients health do es not

to commit straightforward theft or fraud by changing

outweigh the public interest in maintaining the con

records of sto cks or contracts

dentiality that enables infected p ersons to seek help

DGMW In this context a recent government at There are also system level eects For example

tempt to get do ctors to disclose details of HIV and attacks on integrity may b e made more likely by loss of

condentiality if medical records b ecome widely used ure mo des private detective agencies routinely obtain

outside of clinical practice for purp oses such as hiring p ersonal health information by making false pretext

and credit decisions as in the USA then there will b e telephone calls to the patients do ctor or health au

motives to alter them Wo o The same can happ en thority Here to o the global threat can only b e coun

if system comp onents are shared with systems having tered by lo cal measures and the BMA recommends

purp oses other than healthcare A Spanish healthcard the use of callbackbased authentication proto cols to

doubles as a bankcard Bro so criminals might try ensure that p ersonal health information is only shared

to break it and if a health card came to b e used as an with clinicians or with suitably accredited clinical sys

identity card then civil lib ertarians might also join tems Andb

in DPR Health information might also b ecome

This brings us back to our central problem which

entangled with civil lib erties issues through the use

is to examine what sort of systems might prudently

of escrowed cryptography and there is concern ab out

b e trusted with p ersonal health information Before

how electronic records may b e made reliable enough

we can evaluate the security of particular systems we

to b e used as evidence in court

need to know what the security mechanisms are sup

However the greatest concern of b oth clinicians p osed to achieve This means having a security p olicy

and the courts is that if patients cease to b elieve that that says who can access what

their clinical condences will b e resp ected they will

suppress relevant information leading not just to in

Security Policy

accurate records but to p o or treatment of individual

patients and to an increased risk to others eg from

We will now set out a security p olicy mo del for

the spread of infectious disease DGMW

clinical information systems in a form comparable

with the BellLaPadula mo del for military systems

Protection priorities

BL and the ClarkWilson mo del for banking sys

For all these reasons the condentiality and in

tems CW Our p olicy is based on the rules set out

tegrity of medical systems may not b e considered in

by the General Medical Council GMC GMC and

isolation and have to b e considered at two levels

the British Medical Asso ciation Som which incor

At the lo cal level we are concerned with the threats

p orate much clinical exp erience It has also informed

to information held on a single system such as that

by extensive discussions with clinical professionals

of a general practice or hospital department Exam

As usual with p olicy mo dels we will attempt to

ples are theft of the computer and the unauthorised

translate the application requirements into a set of

disclosure of information by a dishonest or careless em

rules that say which sub ject can access which ob ject

ployee The asso ciated risks can b e controlled by more

Here a sub ject may b e a computer user such as a

or less well understo o d techniques such as sta train

do ctor health administrator or outside hacker or a

ing regular backup and audit the BMA has issued

computer program acting on b ehalf of a user the ob

guidelines on this Andb

jects are the information held in the system and may

However in this do cument our main concern is the

include b oth programs and data and access may in

security p olicy used to control global threats those

clude the ability to read write and execute ob jects

threats to the privacy integrity or availability of the

We also make a numb er of simplifying assumptions

medical records of large numb ers of p eople which arise

These are discussed in the full p olicy the most imp or

from the illconsidered aggregation of systems the ero

tant is that records p ertain to only one p erson at a

sion of patient consent and various other causes We

time When this assumption breaks down things get

are not overly concerned that a GPs receptionist can

complicated sp ecial rules need to b e made for environ

access the records of his patients but we would

ments such as obstetrics p ediatric psychiatry and ge

b e extremely concerned if a network gave the recep

netics where records often contain clinical facts ab out

tionists of Britains GPs access to the records

more than one identiable p erson

of all residents

The global and lo cal domains are linked Where the

Access control lists

aggregation threat arises from networking many small

systems together rather than from building large cen Since a typical patient has fewer do ctors than a

tral databases then most of the global protection typical do ctor has patients it is convenient to state

mechanisms must b e implemented lo cally Another the p olicy in terms of access control lists rather than

example is that lo cal systems may have common fail capabilities

Principle Each identiable clinical knowledge while a Jehovahs witness might consider

record shall b e marked with an access con even a blo o d transfusion to b e profoundly shameful

trol list naming the p eople or groups of p eo GC For this reason patients must b e informed of

ple who may read it and app end data to it a care teams access control p olicy when they rst en

The system shall prevent anyone not on the rol and have the opp ortunity to restrict access further

access control list from accessing the record if they wish Since consent must b e voluntary systems

in any way must b e designed so that the standard of care received

by patients who do not consent to information sharing

will b e degraded as little as p ossible

In many current systems the access control lists

are implicit If a record is present on the practice

Finally there are some users such as auditors and

database then all the clinicians in that practice may

researchers who have no write access at all to the pri

read it and app end things to it Such practices typi

mary record We will discuss their sp ecial problems

cally keep their few highly sensitive records on pap er

b elow but for simplicitys sake we will not make sep

in a lo cked drawer However patients whose records

arate provisions for readonly access We will rather

are kept in this way fall outside many of the safety

assume that they get full access to a temp orary copy

mechanisms and with the intro duction of network

of the primary record and this is a b etter mo del of

ing access control lists need to b e made explicit and

how they actually work

consistent across a range of systems

Record op ening

Groups and roles may b e used instead of individual

Rather than trying to deal with multilevel ob jects

names For example if Dr Jones Dr Smith and Nurse

we will assume that there are multiple records Thus

Young together sta the Swaham practice then the

a patient might have

records to which they all have access might simply b e

marked Swaham If they make frequent use of a

 a general record op en to all the clinicians in the

lo cum then they might add lo cum to the ab ove list

practice

and assign individuals to the role at appropriate times

The problem is that sometimes the only sensible

 a highly sensitive record of a treatment for de

groups include a large numb er of p eople In large hos

pression which is only op en to his GP

pitals and community health trusts there might b e

 a record of heart disease op en to all casualty sta

hundreds of nurses who could b e assigned to duty in

a summary of which might b e carried on an emer

a particular ward or service Extra restrictions may

gency medical card

then b e needed and roles may b e preferable to groups

for example one might use active badges WHFG

This is logically equivalent to having a record with

to limit access to any clinical sta on duty in the same

three dierent elds each with its own access control

ward as the patient This would create the electronic

list but is much simpler for us to deal with

equivalent of a traditional note trolley but with the

added advantage that a record can b e kept of who con

So the clinician may op en a new record when an ex

sulted what We will discuss attribution more fully b e

isting patient wishes to discuss something highly sen

low here we will merely remark that groups and roles

sitive or when a new patient registers with her or

are not virtual clinicians but mechanisms that sim

when a patient is referred from elsewhere The access

plify the access mapping b etween identied clinicians

control list on a new record is as follows

and identied patients

Principle A clinician may op en a record

There are clearly some kinds of clinical information

with herself and the patient on the access

that are highly sensitive and should only b e available

control list Where a patient has b een re

to a restricted access list The paternalistic approach

ferred she may op en a record with herself

is to lump into this category all psychiatric records

the patient and the referring clinicians on

records of sexually transmitted disease information

the access control list

given by or ab out third parties and records of em

ployees and their families But the actual sensitiv

ity of a record is always a decision for the patient The reason for this is that it would seem unnatural

and there is little correlation b etween the ab ove list for a patient who had b een referred to hospital for

and patients actual priorities CB An AIDS cam tests to have to give explicit consent at the hospital

paigner might consider his HIV status to b e public for the test results to b e sent back to his GP

Control as noted ab ove but even where a do ctor is obliged to

pass to a third party some information such as a

Apart from the patient himself only clinicians may

diagnosis of a notiable disease the patient must

have access to his records The reasons for placing the

still b e notied of this information sharing The legis

trust p erimeter at the professional b oundary are b oth

lation presently b efore the US Congress would p ermit

traditional and practical The clinical professions do

notication to b e delayed for days in the case of

not consider the mechanisms of the civil and criminal

law enforcement access but not to b e omitted

law to give adequate protection whether for the pa

These strong notication requirements ow from

tient or for the clinician If a do ctor gave a record to

the principle of consent They also help control fraud

a so cial worker who then passed it to a third party

as medical b enets are cash limited in many countries

without consent or merely kept it in a lo cal gov

and patients with exp ensive treatment needs may im

ernment computer that was hacked then she could

p ersonate other patients when their budget runs out

still b e liable and might have no eective recourse

A letter to an unsusp ecting victim that his records

So only clinicians are trusted to enforce the prin

had b een op ened by a physician of whom he had never

ciple of informed consent and control of any identi

heard is often how fraud is detected and an eective

able clinical record must lie with the clinician who

way of identifying abusive access may b e to screen for

is resp onsible This might b e a patients GP or the

clinicians who read a patients record without subse

consultant in charge of a hospital department

quently sending in a bill Sim

Most imp ortantly notication provides an endto

Principle One of the clinicians on the ac

end audit mechanism that is not op en to capture by

cess control list must b e marked as b eing re

governments and healthcare managers

sp onsible Only she may alter the access con

trol list and she may only add other health

Principle The resp onsible clinician must

care professionals to it

notify the patient of the names on his

records access control list when it is op ened

Where access has b een granted to administrators

of all subsequent additions and whenever re

as in the USA the result has b een abuse In the UK

sp onsibility is transferred His consent must

the tension b etween clinical condentiality and admin

also b e obtained except in emergency or in

istrative needtoknow has b een assuaged by regula

the case of statutory exemptions

tions that health authorities must have safehavens

protected spaces under the control of an indep en

The mechanics of this are not as onerous as they

dent clinician to which copies of records may b e

might seem In most cases the patient will consent to

sent if there is a dispute NHS In b oth Germany

the default access control list all the clinicians in

and Ontario medical asso ciations buer billing infor

the practice and that will b e the end of the matter

mation they have access to detailed item of service

When patients are referred to sp ecialists in the nor

claims but pass on only aggregate information to the

mal course of events there will also b e consultations

government agencies that pay for treatment

with the GP at which consent and notication can b e

When information is sought by and may lawfully

dealt with The GP will usually only send a written

b e provided to a third party such as a so cial worker

notication in the case of emergency access eg after

a lawyer a p olice or security service ocer an in

an emergency hospital admission access by p olice or

surance company or an employer then it should b e

others under court authority or following a security

provided on pap er In the UK computer records are

failure which we treat as the mistaken addition of an

not usable as evidence unless they come with a pap er

unauthorised p erson to the access control list

certicate signed by the system owner or op erator di

But even so notication is not entirely straight

rect electronic access is of little evidential value and

forward Recently GPs were asked to notify a p ossi

a signed statement on pap er can b est satisfy a b ona

ble sideeect to women using certain contraceptives

de requirement for evidence

this raised issues of how to deal with young girls who

Consent and notication

were having sex without their parents knowledge and

The patients consent must b e sought for other p er women whose sp ouses had had a vasectomy and were

sons such as the clinicians colleagues to b e added to taking the pill in a new extramarital relationship The

the access control list and he must b e notied of ev solution which is already practised in STD clinics is

ery addition There are some exceptions to consent for the clinician to ask the patient at the outset of the

relationship how to send any notices rst to the clinicians attention Deletion should b e

reserved for records that are time expired

A more dicult problem arises when the patient

clinician relationship ceases to exist This may hap

Attribution

p en when a private practice is dissolved or a pa

We must next ensure that all record accesses

tient dies or go es abroad Concerns have b een raised

whether reads app ends or deletions are correctly at

ab out the government garnering emigration data from

tributable

records returned by GPs to health authorities for stor

age under current arrangements it has b een suggested

Principle All accesses to clinical records

that the Data Protection Registrar have custo dy of

shall b e marked on the record with the sub

all dead electronic records However this raises the

jects name as well as the date and time An

question of who would watch the watchman

audit trail must also b e kept of all deletions

Persistence

Systems develop ed under the present UK require

There are rules on how long records must b e kept

ments for accreditation will typically record all write

Most primary records must b e kept for eight years

accesses even if material is removed from the main

but cancer records must b e kept for the patients life

record the audit trail must enable the state of the

time and records of genetic diseases may b e kept

record at any time in the past to b e reconstructed

even longer Prudence may dictate keeping access to

and all changes to b e attributed RFA If imple

records until after a lawsuit for malpractice could b e

mented prop erly this will have the same eect as re

brought So our next principle is

stricting write access to app endonly and marking all

app end op erations with the clinicians name Our new

requirements are that read accesses b e logged so that

Principle: No-one shall have the ability to delete clinical information until the appropriate time period has expired.

The rules are still not fully worked out, and so our use of the word "appropriate" glosses a number of open issues. There are cases, such as chronic illness, in which records must be kept for longer than usual. There are also disputes about whether records could be retained against the patient's wishes to defend possible lawsuits. In some countries (e.g. Germany) clinicians may claim a copyright in records they create, while in others (e.g. Britain) records are routinely transferred to the patient's new doctor.

In general, patient consent is not immutable but rather a continuing dialogue between the patient and the clinician [Som]. So a patient might withdraw consent and insist that a record be destroyed. No such case has come to our attention yet; perhaps such cases might be dealt with by transferring the record to a clinician of the patient's choice for the rest of the statutory period.

Finally, we do not want information that has been identified as inaccurate (such as simple errors and subsequently revised diagnoses) to be mistakenly acted on. But neither do we want to facilitate the traceless erasure of mistakes, as this would destroy the record's evidential value. So, as with many financial systems, information should be updated by appending rather than by deleting, and the most recent versions brought forward.

The attribution requirement ensures that breaches of confidence can be traced, and that deletions are logged so that the deliberate destruction of incriminating material can be attributed. Some applications have particularly stringent attribution requirements. For example, a "Do Not Resuscitate" notice on the record of a patient in hospital must be signed by the consultant in charge, and by the patient too if he is competent to consent [Som]. When such life-critical functions are automated, the mechanisms, including those for attribution, must be engineered to the standards required of life support systems.

Rarely invoked requirements may be supported by manual mechanisms. For example, in most countries patients may read their records and append objections if they wish. The common procedure is for the clinician to print out the record for the patient and then, if there are any comments, to append them and print them out too for confirmation.

Information flow

Where two records with different access control lists correspond to the same patient, the only information flow permissible without further consent is from the less to the more sensitive record.

Principle: Information derived from record A may be appended to record B if and only if B's access control list is contained in A's.
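The persistence, attribution and information flow rules above, as an added example that is not code from the paper: an append-only record in which every access is marked with the subject's name and the time, corrections supersede earlier entries rather than deleting them (the most recent versions are brought forward while the history remains as evidence), and a derive operation that refuses to copy information into a record whose access control list is not contained in the source's. The names, timestamps and record contents are constructed for the example, and the retention period is simplified to "never delete".

```python
"""Append-only, attributed clinical record with the ACL inclusion rule.

Added example, not code from the paper. Names, timestamps and record contents
are constructed; the retention period is simplified to 'never delete'.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


class PolicyViolation(Exception):
    pass


@dataclass(frozen=True)
class Entry:
    seq: int
    author: str                       # attribution: who appended ...
    when: datetime                    # ... and when
    text: str
    supersedes: Optional[int] = None  # a correction names the entry it replaces


@dataclass
class Record:
    patient: str
    acl: frozenset                    # who may read and append
    entries: list = field(default_factory=list)
    access_log: list = field(default_factory=list)   # (who, when, action) for every access

    def _authorise(self, who: str) -> None:
        if who not in self.acl:
            raise PolicyViolation(f"{who} is not on the ACL of {self.patient}'s record")

    def read(self, who: str, when: datetime) -> list:
        self._authorise(who)
        self.access_log.append((who, when, "read"))
        return self.current()

    def append(self, who: str, when: datetime, text: str,
               supersedes: Optional[int] = None) -> Entry:
        self._authorise(who)
        if supersedes is not None and not 0 <= supersedes < len(self.entries):
            raise PolicyViolation("cannot supersede an entry that does not exist")
        entry = Entry(len(self.entries), who, when, text, supersedes)
        self.entries.append(entry)
        self.access_log.append((who, when, "append"))
        return entry

    def current(self) -> list:
        """Bring the most recent versions forward: superseded entries leave the
        working view but stay in `entries` as evidence of what was once recorded."""
        replaced = {e.supersedes for e in self.entries if e.supersedes is not None}
        return [e for e in self.entries if e.seq not in replaced]

    def delete(self, who: str, seq: int) -> None:
        """Persistence: no user has a working delete; the attempt itself is logged."""
        self.access_log.append((who, datetime.now(timezone.utc), "delete-refused"))
        raise PolicyViolation("deletion is not available before the retention period expires")


def derive(src: Record, dst: Record, who: str, when: datetime, text: str) -> Entry:
    """Information derived from record A may be appended to record B iff B's ACL is a subset of A's."""
    if not dst.acl <= src.acl:
        widened = sorted(dst.acl - src.acl)
        raise PolicyViolation(f"flow blocked: {widened} can read the target but not the source")
    src.read(who, when)               # the read is attributed like any other
    return dst.append(who, when, text)


def demo() -> dict:
    t0 = datetime(2000, 1, 1, 9, 0, tzinfo=timezone.utc)
    general = Record("Patient P", frozenset({"Patient P", "Dr Able", "Nurse Baker"}))
    sensitive = Record("Patient P", frozenset({"Patient P", "Dr Able"}))  # fewer readers
    general.append("Nurse Baker", t0, "BP 140/90")
    first = general.append("Dr Able", t0, "diagnosis: hypertension")
    general.append("Dr Able", t0, "revised: white-coat hypertension", supersedes=first.seq)
    derive(general, sensitive, "Dr Able", t0, "BP reading copied for psychiatric review")
    try:
        derive(sensitive, general, "Dr Able", t0, "would widen the readership")
        reverse_blocked = False
    except PolicyViolation:
        reverse_blocked = True
    try:
        general.delete("Dr Able", 0)
        delete_blocked = False
    except PolicyViolation:
        delete_blocked = True
    return {
        "current_general": [e.text for e in general.current()],
        "history_len": len(general.entries),
        "reverse_blocked": reverse_blocked,
        "delete_blocked": delete_blocked,
        "sensitive_authors": [e.author for e in sensitive.entries],
        "general_log": [(who, action) for who, _, action in general.access_log],
    }
```

Running `demo()` shows the flow from the general record (larger ACL) into the more sensitive one being allowed, the reverse refused, the corrected diagnosis replacing the old one in the working view while the history keeps all three entries, and the refused deletion itself appearing in the access log.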

This rule naturally gives rise to a lattice [Den] in which domination is equivalent to the inclusion of access control lists. Information flow can thus be controlled using mechanisms that are well understood from the world of multilevel security [Amo]. A process's access control list should be set to the intersection of the access control lists of the records it has read, and it should only be able to write to a record whose access control list is included in its own.

The second-order problems of multilevel secure systems, such as polyinstantiation, have an interesting counterpart in clinical systems. Where two records with different access control lists correspond to the same patient, should the existence of the more sensitive record be flagged in the other one?

This is a known dilemma on which there is still no consensus [GC]. If the existence of hidden information is flagged, whether explicitly or by the conspicuous absence of information, then inferences can be drawn. For example, doctors in the Netherlands removed health records from computer systems whenever a patient was diagnosed with cancer. The result was that whenever insurers and pension funds saw a blank record, they knew that with high probability the subject was a cancer sufferer [Cae]. Visible flags have also led to a UK case that is currently sub judice.

In the absence of flags, other problems arise. Suppose, for example, that a psychiatric outpatient goes for an AIDS test and requests that the result be kept secret. Before the result is known, the stress causes a breakdown and his psychiatrist marks him as no longer competent to see his records. However, the psychiatrist is unaware of the test and so does not tell the STD clinic of the patient's new status. It is not possible to solve this problem by having a world-readable register of which patients are currently not competent, as mental incapacity is both confidential and a function of circumstance.

We expect that clinicians will decide in favour of discrete flags that indicate only the presence of hidden information. These will prompt the clinician to ask "is there anything else which you could tell me that might be relevant?" once some trust has been established.

Aggregation control

The use of access control lists and strong notification is helpful against aggregation threats, but not quite enough to prevent them. The clinician in charge of a safe-haven might be added to the access control lists of millions of hospital patients, making her vulnerable to inducements or threats from illegal information brokers.

Principle: There shall be effective measures to prevent the aggregation of personal health information. In particular, patients must receive special notification if any person whom it is proposed to add to their access control list already has access to personal health information on a large number of people.

Some hospitals' systems contain personal health information on a million or more patients, with all users having access. The typical control at present is a declaration that unjustified access will result in dismissal, but enforcement is sporadic and incidents such as the Jackson case continue to be reported. Networking such systems together could be disastrous. Having a hospital's staff each with access to a million records is bad enough, but the prospect of such hospitals connected together, giving their staff access to records on most of the population, is profoundly unsettling.

However, even if cross-domain access is restricted to a few trusted staff at each hospital (perhaps an "officer of the watch" in the emergency room), there must be controls that protect both patients and clinicians.

In this policy model the primary control is notification, and the secondary control is to keep a list somewhere of who has accessed what record outside their own team. Users who access many records, or a number of records outside the usual pattern, may just be lazy or careless, but they could still be exposing themselves and their colleagues' patients to harm. The natural location for the secondary controls might be with a professional disciplinary body such as the GMC.

There are applications in which some aggregation may be unavoidable, such as childhood immunisation programmes. Systems to support them will have to be designed intelligently, and the same goes for systems that de-identify and aggregate records for research purposes. We shall discuss them below.

The Trusted Base

Finally, we must ensure that the security mechanisms are effective in practice as well as in theory.

Principle: Computer systems that handle personal health information shall have a subsystem that enforces the above principles in an effective way. Its effectiveness shall be subject to evaluation by independent experts.
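The lattice of access control lists and the aggregation principle above, as an added example that is not code from the paper: a process's label is the intersection of the access control lists it has read and it may write only to records whose list lies within that label, and an addition to a record's list triggers the special notification when the proposed person already reaches many other patients' records. The names, records and the threshold standing in for "a large number of people" are constructed.

```python
"""ACL lattice with process labels, plus the aggregation check on ACL additions.

Added example, not the paper's code. Names, records and the threshold standing in
for 'a large number of people' are constructed for the example.
"""
from collections import defaultdict


class PolicyViolation(Exception):
    pass


class Record:
    def __init__(self, patient: str, acl: set):
        self.patient = patient
        self.acl = frozenset(acl)
        self.entries: list = []


def dominates(a: frozenset, b: frozenset) -> bool:
    """The record with ACL `a` dominates the one with ACL `b` iff b is a subset of a:
    b is at least as sensitive, so information may flow from a to b without further consent."""
    return b <= a


class Process:
    """A subject's working label is the intersection of the ACLs of all records read."""

    def __init__(self, user: str):
        self.user = user
        self.label = None           # nothing read yet: no flow constraint

    def read(self, rec: Record) -> list:
        if self.user not in rec.acl:
            raise PolicyViolation(f"{self.user} may not read {rec.patient}'s record")
        self.label = rec.acl if self.label is None else self.label & rec.acl
        return list(rec.entries)

    def write(self, rec: Record, text: str) -> None:
        if self.user not in rec.acl:
            raise PolicyViolation(f"{self.user} may not append to {rec.patient}'s record")
        if self.label is not None and not rec.acl <= self.label:
            raise PolicyViolation(f"write blocked: {sorted(rec.acl - self.label)} could read "
                                  f"what {self.user} derived from more restricted records")
        rec.entries.append((self.user, text))


class Registry:
    """All records in one domain, with the notification that accompanies ACL changes."""
    LARGE_NUMBER = 3                # constructed threshold for 'a large number of people'

    def __init__(self, records: list):
        self.records = records
        self.notices = defaultdict(list)   # patient -> [(kind, text)]

    def reach(self, person: str) -> set:
        """Distinct patients whose records `person` can already read."""
        return {r.patient for r in self.records if person in r.acl}

    def propose_addition(self, rec: Record, person: str) -> str:
        others = self.reach(person) - {rec.patient}
        if len(others) >= self.LARGE_NUMBER:
            kind = "special"
            text = (f"{person} is proposed for your access control list and already "
                    f"has access to the records of {len(others)} other people")
        else:
            kind = "normal"
            text = f"{person} is proposed for your access control list"
        self.notices[rec.patient].append((kind, text))
        rec.acl = rec.acl | {person}    # the addition follows the notification, never precedes it
        return kind


def demo() -> dict:
    gp = Record("Patient P", {"Patient P", "Dr Able", "Nurse Baker"})
    psych = Record("Patient P", {"Patient P", "Dr Able"})      # smaller ACL: more sensitive
    proc = Process("Dr Able")
    proc.read(psych)                                             # label = {P, Able}
    proc.read(gp)                                                # label = {P, Able} intersect gp.acl
    proc.write(psych, "summary for the psychiatric notes")       # psych.acl within label: allowed
    try:
        proc.write(gp, "mentions psychiatric content")           # Nurse Baker could read it
        leak_blocked = False
    except PolicyViolation:
        leak_blocked = True

    others = [Record(f"Patient {i}", {f"Patient {i}", "Safe-haven officer"}) for i in range(3)]
    reg = Registry([gp, psych] + others)
    kinds = [reg.propose_addition(gp, "Dr Carter"),
             reg.propose_addition(gp, "Safe-haven officer")]
    return {
        "flow_gp_to_psych": dominates(gp.acl, psych.acl),
        "flow_psych_to_gp": dominates(psych.acl, gp.acl),
        "leak_blocked": leak_blocked,
        "label": sorted(proc.label),
        "kinds": kinds,
        "notice_kinds": [kind for kind, _ in reg.notices["Patient P"]],
    }
```

The write to the general record is refused not because Dr Able lacks access to it, but because the label she acquired by reading the psychiatric record no longer covers Nurse Baker; the safe-haven officer, who already reaches three other patients, triggers the special notification while a new doctor with no existing reach gets the ordinary one.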

The Bundesamt für Sicherheit in der Informationstechnik has recently recommended that systems which process clinical diagnoses of identifiable persons should be evaluated to a specified ITSEC assurance level [BSI]. We have recommended that the evaluation level should depend on the number of people whose personal health information is at risk: a lower E-level for small systems such as those used in general practice, and a higher one for large systems such as those used in district hospitals, where a million patients' records could be on file [Anda].

As schemes such as ITSEC are oriented towards military systems, and evaluations under them are expensive, some industries run their own schemes. For example, UK insurers evaluate the security of burglar alarms using the laboratories of the Loss Prevention Council, which they jointly fund. Similar industry-wide arrangements might be made for clinical systems, but would have to enjoy the support of both clinicians and patients. Britain's current accreditation system for clinical software is run by the NHS and so does not inspire universal confidence.

As always, the most important factor in achieving a workable security solution is often not so much the choice of mechanisms but the care which is taken to ensure that they work well together, and that the system can be managed by a clinician whose computer literacy and administrative tidiness are less than average. It must be less trouble to manage the system properly than improperly, and care should be taken to evaluate systems under realistic assumptions about the skills and discipline of their operators.

Protection Mechanisms

The TCB (trusted computing base) of a clinical information system may include computer security mechanisms to enforce user authentication and access control; communications security mechanisms to restrict access to information in transit across a network; statistical security mechanisms to ensure that records used in research and audit do not possess sufficient residual information for patients to be identified; and availability mechanisms such as backup procedures to ensure that records are not deleted by fire or theft.

The compusec mechanisms used to build a TCB that enforces information flow controls in a single machine are fairly well understood. The more interesting part concerns the comsec mechanisms needed in distributed heterogeneous systems.

Comsec mechanisms

In our view, the primary purpose of comsec in medicine is to ensure that access controls are not circumvented when a record is sent from one computer to another. This might happen, for example, if an object is sent to a system that corrupts its access control list or that does not enforce the principle of consent. It might also happen if clear data were intercepted by wiretapping, or if clinical information in an electronic mail message were sent by mistake to the wrong doctor, or even to a mailing list or newsgroup.

The secondary purpose of comsec mechanisms is to protect the integrity of data sent through a network. Records such as pathology reports might, as discussed above, become accidentally corrupted in ways which are not obvious to the recipient. There is also controversy in some countries on whether electronic records are adequate for legal purposes. For these reasons it may be desirable to use digital signatures or other strong integrity checks.

Trust structures

Digital signatures also allow the creation of trust structures. For example, the General Medical Council might certify all doctors by signing their keys, and other clinical professionals could be similarly certified by their own regulatory bodies. This is the approach favoured by the government of France [AD]. An alternative would be the trust structure bundled with PGP, in which a web of trust is built from the ground up by users signing each other's keys. A halfway house between these two approaches might involve key certification by a senior doctor in each natural community (a district hospital plus the several dozen general practices that feed patients to it).

All of these options possess strengths and weaknesses, and are the subject of current discussion. The centralisers may argue that even if certification were substantially local, one would still need a backup central service for cross-domain traffic, and that this central service should be computerised: if it were merely a key fingerprint next to each clinician's name in the professional register, it would not let clinicians verify signatures on enclosed objects.

However, it is vital that electronic trust structures reflect the actual nature of trust and authority in the application area [Ros]. In the practice of medicine, authority is hierarchical but tends to be local and collegiate rather than centralised and bureaucratic. If this reality is not respected, then the management and security domains could get out of kilter, and we could end up with a security system which clinicians considered to be a central imposition rather than something trustworthy under professional ownership and control.

It is by no means clear that clinical systems can be accommodated by the certification structures considered in the X-series standards. For example, a doctor might want to have a number of different keys, e.g. where she works in a hospital, a prison and a general practice; some of these will be signed by organisations, and others might not be (e.g. the one for her private practice). Yet we will need to keep a dependable count of the total number of cross-domain records she accesses, and this might be linked to key certification.

Propagation of access control

In any case, once clinicians have acquired suitably certified key material, the integrity of access control lists across a network can be enforced by means of a ruleset such as the following:

- personal health information may not leave a clinical system unless it is encrypted with a key which is reasonably believed to belong to a clinician on its access control list;

- life-critical information that has been transmitted across a network should be treated with caution unless it has been signed using a key which is reasonably believed to belong to an appropriate clinician;

- "reasonable belief" in the above contexts means that ownership of the key has been authenticated by personal contact, by certification, or by some other trustworthy means;

- decrypted information must be stored in a trusted system with an access control list containing only the names of the patient, the clinician whose key decrypted it, and the clinicians (if any) who signed it.

Abuse can also be made harder by a rule that records must be given rather than snatched: access requests should never be granted automatically, but be subject to patient consent or, in the case of emergency, to a case-by-case clinical decision.

Accreditation can be enforced in the usual way, by not supplying key material until the documentation is complete. This is one advantage of central, or at least structured, certification over the web-of-trust approach.

Encryption is by no means the only comsec option; anonymity may often be simpler. For example, a system for delivering laboratory reports to GPs might replace the patient's name with a one-time serial number which could be barcoded on the sample label. The test results might then be transmitted in clear with suitable integrity checks.

The importance of effective audit

When records are moved from paper to electronic form, abuse can become orders of magnitude easier. Previously an intruder might have had to walk into an office where he had no business and look in a filing cabinet, at risk of being challenged; but for a hospital employee to look at a clinical record on screen is an intrinsically innocuous act as far as bystanders are concerned. In this way computerisation eliminates one of the major controls on information leakage.

Compensating controls are needed, and access controls alone are not enough. A clinician can always falsely declare that a patient has been admitted unconscious and request a copy of the record; if there is no systematic effort to detect and punish such abuse, then it can be expected. So our compensating controls must include an audit system that presents the intruder with a credible chance of being caught. Otherwise, systems will fail to meet the agreed goal that electronic records must be at least as secure as the paper records that they replace.

Now one of the interesting facts about clinical systems is that authority is not trusted. When building a military system we can assume that the President or Prime Minister is on our side, and banking systems are not usually designed to prevent frauds by senior executives.

Medicine is different. For generations, and in many countries, the authorities have striven to increase their access to personal health information, while both patients and clinicians have resisted this. In the UK, for example, the argument over who owns the record has been going on for a very long time.

This complicates the design of an audit system. Where shall the audit trail be kept, and who shall be trusted to act on it?

Under the current UK arrangements, the responsibility for detecting and reacting to security incidents is left to local line management. In the words of the responsible minister, there is no central collection of statistics on recorded instances of unauthorised access to personal health information, whether via computer systems or paper records [Hor]. Similarly, patients are unlikely to be told. There may be external audits, but their ineffectiveness at detecting abuse is well known: after all, the auditor's main desire is to be reappointed. So what can be done?
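The trust structure under "Trust structures" and the ruleset under "Propagation of access control" above, as an added example that is not the paper's code. The cryptography is abstracted away: an envelope records which key it was encrypted to and which keys signed it, so only the policy decisions run. The people, certifying bodies and key identifiers are constructed, the nursing body is hypothetical, and "appropriate clinician" is assumed here to mean a clinician on the originating record's access control list.

```python
"""Key certification and the access-control propagation ruleset.

Added example, not the paper's code. The cryptography is abstracted away: an Envelope
records which key it was encrypted to and which keys signed it, so only the policy
decisions run. People, bodies and key identifiers are constructed; the nursing body is
hypothetical; 'appropriate clinician' is assumed to mean one on the originating ACL.
"""
from dataclasses import dataclass


class PolicyViolation(Exception):
    pass


# Trust structure: the GMC certifies doctors; a senior doctor certifies keys in one
# natural community (the halfway house); a regulatory body certifies nurses.
TRUSTED_CERTIFIERS = {"GMC", "Senior doctor, District A", "Nursing body (hypothetical)"}


@dataclass(frozen=True)
class Belief:
    owner: str
    basis: str            # how ownership of the key was authenticated


class KeyDirectory:
    """What this system reasonably believes about who owns which key."""

    def __init__(self):
        self.beliefs: dict = {}

    def certified(self, key_id: str, owner: str, certifier: str) -> None:
        if certifier not in TRUSTED_CERTIFIERS:
            raise PolicyViolation(f"{certifier} is not a recognised certifying body")
        self.beliefs[key_id] = Belief(owner, f"certified by {certifier}")

    def met_in_person(self, key_id: str, owner: str) -> None:
        self.beliefs[key_id] = Belief(owner, "personal contact")

    def owner_of(self, key_id: str):
        belief = self.beliefs.get(key_id)
        return belief.owner if belief else None     # None: no reasonable belief


@dataclass(frozen=True)
class Record:
    patient: str
    acl: frozenset
    body: str
    life_critical: bool = False


@dataclass(frozen=True)
class Envelope:
    payload: Record         # stands in for the ciphertext
    encrypted_to: str       # key the sender encrypted to
    signed_by: tuple = ()   # keys whose signatures are attached


def export_record(rec: Record, to_key: str, d: KeyDirectory, signing_key: str = None) -> Envelope:
    """Rule 1: PHI leaves only encrypted to a key believed to belong to someone on the ACL."""
    owner = d.owner_of(to_key)
    if owner is None:
        raise PolicyViolation(f"no reasonable belief about who owns key {to_key}")
    if owner not in rec.acl:
        raise PolicyViolation(f"{owner} is not on the ACL of {rec.patient}'s record")
    return Envelope(rec, to_key, (signing_key,) if signing_key else ())


def import_envelope(env: Envelope, my_key: str, d: KeyDirectory) -> tuple:
    """Rules 2 and 4: the decrypted copy's ACL is patient + decrypting clinician + believed
    signers; life-critical content is marked for caution unless an appropriate clinician signed."""
    me = d.owner_of(my_key)
    if me is None or my_key != env.encrypted_to:
        raise PolicyViolation("this system cannot decrypt the envelope")
    signers = [s for s in (d.owner_of(k) for k in env.signed_by) if s is not None]
    acl = frozenset({env.payload.patient, me, *signers})
    caution = env.payload.life_critical and not any(s in env.payload.acl for s in signers)
    return Record(env.payload.patient, acl, env.payload.body, env.payload.life_critical), caution


def demo() -> dict:
    d = KeyDirectory()
    d.certified("k-able", "Dr Able", "GMC")
    d.certified("k-evans", "Dr Evans", "GMC")
    d.certified("k-baker", "Nurse Baker", "Nursing body (hypothetical)")
    d.met_in_person("k-carter", "Dr Carter")
    try:
        d.certified("k-dale", "Dr Dale", "Acme Data Brokers")
        broker_refused = False
    except PolicyViolation:
        broker_refused = True

    rec = Record("Patient P", frozenset({"Patient P", "Dr Able", "Dr Carter", "Nurse Baker"}),
                 "penicillin allergy", life_critical=True)
    out = {"broker_refused": broker_refused}
    for key in ("k-unknown", "k-evans", "k-carter"):    # no belief / not on ACL / on ACL
        try:
            export_record(rec, key, d)
            out[key] = "exported"
        except PolicyViolation:
            out[key] = "refused"
    copy, caution = import_envelope(export_record(rec, "k-carter", d, signing_key="k-able"),
                                    "k-carter", d)
    out["copy_acl"] = sorted(copy.acl)
    out["signed_caution"] = caution
    out["unsigned_caution"] = import_envelope(export_record(rec, "k-carter", d), "k-carter", d)[1]
    return out
```

Note that the receiving system does not inherit the sender's access control list: the copy's list is rebuilt from the patient, the decrypting clinician and any believed signers, which is what stops a corrupt or careless peer from widening readership on the way through.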

Our approach has been to provide two auditors, both of whom have an interest in detecting abuse and acting on it. The first is the patient, who must be informed of all the people who get access to his record. This notification will also cover security breaches, as we treat them as additions to the access control list.

The second is the central body that records which clinician accessed which record outside her own care team. We suggest that this be the body responsible for clinical discipline, such as the GMC for UK doctors. Its function will be to look for potentially abusive access patterns.

The exact balance between distributed and centralised audit will be a function of how healthcare is organised in the country in question. For example, Simmons' idea of flagging for investigation all accesses that are not followed by an invoice may be very effective, but it might have to be implemented in a distributed way in the US and centrally in the UK in order to get access to payment information.

Statistical security

Our security policy relates to personal information, and records may be removed from its scope if they are de-identified and aggregated, as often happens for research or census purposes. The problem is that the process is often incompetently designed. For example, a recent survey of HIV and AIDS proposed that patients' names be replaced by Soundex codes of their surnames, accompanied by their birth dates and postcodes [MS].

This is clearly inadequate. Britain has established guidelines which state that no patient should be identifiable, other than to the general practitioner, from any data sent to an external organisation without the informed consent of the patient [JCG].

This topic has been researched extensively in the context of census data [Den], but the problem is even harder in the medical case. If an attacker can submit queries such as "show me the records of all females of a given age with two daughters of given ages, both of whom suffer from eczema", then he can identify individuals. A Norwegian proposal is that researchers should only be granted access to linkable data on a regional rather than a national basis, and even then within protected space: researchers would travel to the regional registry, present their authorisation, run their queries, and come away with only statistical results [Bøe].

However, most research does not involve access to large volumes of data. A typical scientist might want to study the records of everyone diagnosed with Creutzfeldt-Jakob disease in recent years; she can request consent from the deceased persons' relatives. In fact she needs to do this if she is to get vital background information on the victims' lifestyles.

Medical records or patient records

So far, most electronic clinical record systems have mirrored the paper-based practice in that each clinical team has its own filing system, and information flows between them in the form of referral letters, discharge letters, opinions, test results and so on. The whole record may be copied to another team if the patient is transferred, but otherwise the records are doctor-based rather than patient-based: information flows between them in the form of summaries, and the lifetime record that links them all together is the record kept by the patient's GP.

There has been interest recently in a different model of clinical information, namely that there should be a single unified patient record that is opened on confirmation of pregnancy, closed on autopsy, and accumulates all the clinical notes and data in between [MRI]. Proponents of this model often claim that the records are patient-based rather than doctor-based, though in practice it may mean moving the primary record from the patient's GP to a hospital, health authority, HMO or even insurer.

Many people will consider this to be rather undesirable; it will also be in conflict with the inertia of tradition and of installed systems. There are also many data management problems that affect security. Records may be very large (such as CAT scans and the records of long chronic illnesses); some records contain other patients' personal information too (e.g. birth records contain data on the mother); and records of some treatments cannot be transferred because of statutory prohibitions (e.g. treatment in prisons and STD clinics).

Now suppose that I walk into a hospital and claim that my demons are bothering me. When asked my name, I reply "John Major". May the psychiatrist get the prime minister's record and append a diagnosis of schizophrenia? In other words, does a patient-based record force us to authenticate patients more carefully, and if so, what are the implications for emergency care, for patients who wish to be treated anonymously (such as fourteen-year-old girls seeking postcoital contraception), and indeed for civil liberties?

The above is by no means an exhaustive list. For a discussion of some of the security policy complexities of unified electronic patient record systems, see Griew and Currell [GC]. As their paper makes clear, unified electronic patient records would force us to make our policy model significantly more complex.
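The two-auditor arrangement described above, as an added example that is not the paper's code: every patient gets a list of who looked at their record and when, and a central report for the disciplinary body counts each clinician's distinct out-of-team patients and applies the "not followed by an invoice" heuristic that the paper attributes to Simmons. The log entries, team memberships, invoices, time window and threshold are all constructed for the example.

```python
"""Two auditors over an access log: patient notification and central pattern detection.

Added example, not the paper's code. The log, team memberships, invoices, time window and
threshold are constructed; the 'not followed by an invoice' test is the heuristic the
paper attributes to Simmons.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class Access(NamedTuple):
    when: datetime
    clinician: str
    team: str             # the clinician's own care team
    patient: str
    record_team: str      # the care team that holds the record


class Invoice(NamedTuple):
    when: datetime
    clinician: str
    patient: str


T0 = datetime(2000, 3, 1, 8, 0)
H = timedelta(hours=1)

# Constructed log: an emergency access that was billed, a clerk browsing other teams'
# records, and a cardiologist's single unbilled look at an oncology record.
LOG = [
    Access(T0, "Dr Able", "A&E", "Patient 1", "Cardiology"),
    Access(T0 + 1 * H, "Clerk Nosey", "Ward 9", "Patient 2", "Oncology"),
    Access(T0 + 2 * H, "Clerk Nosey", "Ward 9", "Patient 3", "Oncology"),
    Access(T0 + 3 * H, "Clerk Nosey", "Ward 9", "Patient 4", "Psychiatry"),
    Access(T0 + 4 * H, "Clerk Nosey", "Ward 9", "Patient 5", "Ward 9"),   # own team: not reported centrally
    Access(T0 + 5 * H, "Dr Carter", "Cardiology", "Patient 6", "Oncology"),
]
INVOICES = [Invoice(T0 + 2 * H, "Dr Able", "Patient 1")]


def out_of_team(log):
    """Only accesses outside the clinician's own care team are reported centrally."""
    return [a for a in log if a.team != a.record_team]


def patient_notices(log) -> dict:
    """First auditor: every patient learns who looked at their record and when."""
    notices = defaultdict(list)
    for a in log:
        notices[a.patient].append((a.clinician, a.when.isoformat()))
    return dict(notices)


def followed_by_invoice(a: Access, invoices, window: timedelta) -> bool:
    return any(i.clinician == a.clinician and i.patient == a.patient
               and a.when <= i.when <= a.when + window for i in invoices)


def central_report(log, invoices, window=timedelta(days=7), many=3) -> dict:
    """Second auditor: per clinician, the distinct out-of-team patients and the out-of-team
    accesses that no invoice followed; flag anyone over the threshold or with uninvoiced accesses."""
    per = defaultdict(lambda: {"patients": set(), "uninvoiced": []})
    for a in out_of_team(log):
        per[a.clinician]["patients"].add(a.patient)
        if not followed_by_invoice(a, invoices, window):
            per[a.clinician]["uninvoiced"].append(a.patient)
    return {
        who: {
            "distinct_patients": len(e["patients"]),
            "uninvoiced": sorted(e["uninvoiced"]),
            "flag": len(e["patients"]) >= many or bool(e["uninvoiced"]),
        }
        for who, e in per.items()
    }
```

The patient's list is complete, including accesses within the care team, while the central body sees only cross-team accesses; the clerk is flagged on both counts, the cardiologist only because no invoice followed, and the billed emergency access is not flagged at all.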
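The inference problem raised under "Statistical security" above, as an added example that is not from the paper: a de-identified table sits behind a count interface that refuses small (and near-complete) query sets, the paper's "females of a given age with two daughters of given ages, both with eczema" query is refused, and Denning's general tracker from the statistical-database literature the paper cites [Den] recovers both the count and the target's diagnosis anyway. The ten rows and their attribute values are constructed.

```python
"""Query-set-size control and Denning's general tracker on a de-identified table.

Added example, not the paper's code. The ten rows are constructed; the control refuses any
count below K or above n - K, and the tracker is the general one from the statistical
database literature the paper cites [Den].
"""

# Constructed de-identified rows: no names, but one combination of attributes is unique.
ROWS = [
    {"sex": "F", "age": 42, "daughters": (8, 11), "eczema": 2, "dx": "depression"},
    {"sex": "F", "age": 42, "daughters": (3,), "eczema": 0, "dx": "asthma"},
    {"sex": "F", "age": 42, "daughters": (), "eczema": 0, "dx": "none"},
    {"sex": "M", "age": 42, "daughters": (8, 11), "eczema": 2, "dx": "none"},
    {"sex": "F", "age": 35, "daughters": (2, 4), "eczema": 1, "dx": "none"},
    {"sex": "M", "age": 31, "daughters": (), "eczema": 0, "dx": "asthma"},
    {"sex": "F", "age": 28, "daughters": (1,), "eczema": 0, "dx": "none"},
    {"sex": "M", "age": 39, "daughters": (6,), "eczema": 0, "dx": "depression"},
    {"sex": "F", "age": 55, "daughters": (20, 25), "eczema": 0, "dx": "none"},
    {"sex": "M", "age": 61, "daughters": (), "eczema": 0, "dx": "none"},
]
K = 2   # minimum query-set size; counts above n - K are refused as well


class Refused(Exception):
    pass


def count(pred) -> int:
    """The statistical interface: only counts of 'safe' size are released."""
    n = sum(1 for r in ROWS if pred(r))
    if n < K or n > len(ROWS) - K:
        raise Refused(f"query set of size {n} refused")
    return n


def target(r) -> bool:
    """The paper's query: a female of a given age with two daughters of given ages, both with eczema."""
    return r["sex"] == "F" and r["age"] == 42 and r["daughters"] == (8, 11) and r["eczema"] == 2


def young(r) -> bool:
    """The tracker T: any characteristic with 2K <= count(T) <= n - 2K will do."""
    return r["age"] < 40


def tracker_count(pred, tracker) -> int:
    """General tracker: count(C) = count(C or T) + count(C or not T) - n, and both of those
    query sets are large enough to be released."""
    n = len(ROWS)
    return count(lambda r: pred(r) or tracker(r)) + count(lambda r: pred(r) or not tracker(r)) - n


def attack() -> dict:
    try:
        count(target)
        direct = "released"
    except Refused:
        direct = "refused"
    return {
        "direct": direct,
        "tracker_size": count(young),
        "target_count": tracker_count(target, young),
        "target_depression": tracker_count(lambda r: target(r) and r["dx"] == "depression", young),
        "target_asthma": tracker_count(lambda r: target(r) and r["dx"] == "asthma", young),
    }
```

The point is the one the paper makes about incompetently designed de-identification: refusing small query sets is not a sufficient control on its own, because two individually "safe" counts subtract to a count of one, and the same trick then reads off any attribute of that one person.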

We suggest that the unified record would be a bundle of disparate objects whose access control lists might only intersect in the patient himself. It is far from clear what engineering gains may be had from forcing all these objects to reside in the same store. The onus is on the proposers of such systems to provide a clear statement of the expected health benefits, and to analyse the threats, the cost of added countermeasures, and the likely effects of the residual risk.

Standards

Encryption of medical records has been mandated by the data protection authorities in Sweden for several years, and is being introduced in Norway. As already mentioned, a number of countries are building trusted certification authorities which will sign doctors' keys [AD]. A European standardisation group for Security and Privacy of Medical Informatics (a CEN technical committee working group) is working on a draft standard which recommends the encryption of identifiable clinical data on large networks.

The use of digital signatures is also discussed in a report to the Ontario Ministry of Health [Smu]. The Australian standard on health information privacy [Aus], the New Zealand Health Information Privacy Code [NZ] and the Office of Technology Assessment report cited above may also be referred to. They each contribute in different ways to our understanding of the threats, of the principle of consent, and of the technical options.

However, there is as yet no access control model in the sense understood by the computer security community, and it is hoped that this model may help clarify what medical systems builders should be trying to achieve with all these mechanisms.

Relation with Other Models

Our model can express Bell-LaPadula and lattice models, where the partial order is inclusion of access control lists. However, the converse does not hold, since we maintain state about how many objects a particular subject has accessed, and have the externality of a strong notification requirement.

It is unlikely that our model will replace Bell-LaPadula in a traditional military application such as managing stores, since such applications are essentially capability-based (there are more soldiers than security labels), whereas medicine is access control list based (there are more patients than doctors). However, there may be applications such as intelligence where the large number of security labels makes an access control list approach more economic. Perhaps strong notification to case officers of all access to intelligence records would have led to the earlier capture of Aldrich Ames: we understand that his access to the records of the agents whom he betrayed was notified to senior officials, but they did nothing. Perhaps the case officers would have done more; we can only speculate. Another application might be to enable account executives in private banking and other high-value service industries to control access to information about their clients.

The one existing policy model which can capture most of the principles set out here is Clark-Wilson [CW]. Let a constrained data item be a record together with its ACL; let the initial validation procedures be, firstly, record opening, secondly, the validation of laboratory and other data by a clinician's signature, and thirdly, the process of adding a new name to the ACL by consultation and notification; and let the transformation procedures be the acts of appending material to the record and of passing information to some subset of the ACL. The Clark-Wilson audit requirements are fulfilled, as all records are append-only and all additions to ACLs are notified.

Strong notification is still not completely captured, though it could be if each patient were also a system user. In theory, secure time is required to ensure that an attacker does not change the system clock and cause records to be deleted. However, most of our policy model can clearly be built on a Clark-Wilson base.

This is curious, as Clark-Wilson is commonly thought of as an integrity model, and yet here we are using it to instantiate a security policy whose primary goal is confidentiality, and which is strictly more expressive than the lattice and B 
ell-LaPadula models. The research community might care to consider the implications.

Conclusion

We have discussed the threats to the confidentiality, integrity and availability of personal health information in the light of experience in the UK, the USA and elsewhere, and proposed a clinical information security policy that enables the principle of patient consent to be enforced in the many heterogeneous distributed systems that are currently under construction.

Its goal is to ensure that any lack of consent is propagated and enforced. This gives rise to a privacy property that is much stronger than the confidentiality enforced by multilevel models, but which may be similar in some respects to the compartmented-mode policies used in the intelligence community.

One curious fact about our model is that it can be most closely expressed using the machinery of Clark-Wilson to protect its access control lists. This suggests that there may be other links between the various aspects of confidentiality, integrity and availability as they are expressed in security models and implemented in real systems.

Acknowledgements

The research described in this paper was funded by the British Medical Association, and valuable input was received from a number of clinicians including Fleur Fisher, Tony Griew, Simon Jenkins, Grant Kelly, Stuart Horner, Hilary Curtis, Simon Fradd, John Williams, Iain Anderson, William Anderson, Roger Sewell, Mary Hawking, Ian Purves, Paul Steventon, Steve Hajioff, Stan Shepherd, Jeremy Wright and David Watts; from a number of computer scientists including Gus Simmons, Bob Morris, Stewart Lee, Roger Needham, Markus Dichtl, Bruce Christianson, Ian Jackson, Mike Roe, Mark Lomas, Jeremy Thorp, Roy Dainty and Ian Keith; and from philosophers including Beverly Woodward, Ann Sommerville and Keith Tayler. I am also grateful to the Isaac Newton Institute for hospitality while this paper was being written.

References

[AD] Security of Health Information Systems in France: what we do will no longer be different from what we tell. F A Albert, L Duserre. International Journal of Biomedical Computing (supplement).

[Ald] Nurse sacked for altering records after baby's death. K Alderson. The Times, November.

[Amo] Fundamentals of Computer Security Technology. E Amoroso. Prentice Hall.

[And] NHS-wide networking and patient confidentiality. R J Anderson. British Medical Journal, July.

[Anda] Security in Clinical Information Systems. R J Anderson. Published by the British Medical Association, January; also available from the author's pages at the University of Cambridge Computer Laboratory (www.cl.cam.ac.uk).

[Andb] Clinical system security: interim guidelines. R J Anderson. British Medical Journal, January.

[Andc] Patient Confidentiality: At Risk from NHS-Wide Networking. R J Anderson. To appear in Proceedings of Healthcare, March.

[Aus] Australian Standard: Personal privacy protection in health care information systems. Standards Australia.

[Ben] Medical Records Confidentiality Act. B Bennett. US Senate bill, October.

[BL] Secure Computer Systems: Mathematical Foundations. D E Bell, L LaPadula. Mitre Corporation Technical Report ESD-TR.

[Bøe] Pseudonymous Medical Registries. E Bøe. Norwegian Official Report.

[Boy] Draft guidance for the NHS on the confidentiality, use and disclosure of personal health information. N Boyd, Department of Health, August.

[Bro] Sanitas launches health credit card. S Brown. Cards International, October.

[Bru] Is your health history anyone's business? McCall's Magazine; reported by M Bruce on the Usenet newsgroup comp.society.privacy, March.

[BSI] Chipkarten im Gesundheitswesen. Bundesamt für Sicherheit in der Informationstechnik, Bundesanzeiger, May.

[Cae] Personal communication. W J Caelli, July.

[CB] Confidentiality of medical records: the patient's perspective. D Carman, N Britten. British Journal of General Practice, September.

[CR] Who's reading your medical records? Consumer Reports, October.

[CW] A Comparison of Commercial and Military Computer Security Policies. D D Clark, D R Wilson. Proceedings of the IEEE Symposium on Security and Privacy.

[Den] The Lattice Model of Secure Information Flow. D E R Denning. Communications of the ACM, May.

[Den] Cryptography and Data Security. D E R Denning. Addison-Wesley.

[DGMW] How to Keep a Clinical Confidence. B Darley, A Griew, K McLoughlin, J Williams. HMSO.

[DPR] Identity Cards: A Consultation Document (Command Paper). Response of the Data Protection Registrar, October.

[GC] A Strategy for Security of the Electronic Patient Record. A Griew, R Currell. IHI, University of Wales, Aberystwyth, March.

[ACH] Keeping Information Confidential. Association of Community Health Councils for England and Wales, May.

[GMC] Good Medical Practice. General Medical Council, Great Portland Street, London.

[GMC] Confidentiality. General Medical Council, Great Portland Street, London.

[GTP] Privacy and Security of Personal Information in a New Health Care System. L O Gostin, J Turek-Brezina, M Powers et al. Journal of the American Medical Association.

[Haw] Confidentiality of personal information: a patient survey. A Hawker. Journal of Informatics in Primary Care, March.

[Hor] Personal information. Mr Horam, written answers, Hansard, January.

[HRM] RMs need to safeguard computerised patient records to protect hospitals. Hospital Risk Management.

[ISM] Telephone stalker has access to confidential records. Information Security Monitor, September.

[ITSEC] Information Technology Security Evaluation Criteria. EU document COM, June.

[JCG] GMSC and RCGP guidelines for the extraction and use of data from general practitioner computer systems by organisations external to the practice. Appendix III in Committee on Standards of Data Extraction from General Practice Guidelines, Joint Computer Group of the GMSC and the RCGP.

[JHC] Nurse Jailed for Hacking into Computerised Prescription System. British Journal of Healthcare Computing and Information Management.

[Lan] Proposed Confidentiality Law Angers Canadians. The Lancet, December.

[LB] Your Secrets for Sale. N Luck, J Burns. The Daily Express.

[Mac] Letter from A W Macara to J S Metters, October, on Draft guidance for the NHS on the confidentiality, use and disclosure of personal health information.

[Mar] Fear of Flowing. D C Markwell. Proceedings of the PHCSG Conference, BCS.

[MRI] Integrated Health Delivery Needs Integrated Health Record Systems. Medical Records Institute newsletter, December.

[MS] Soundex codes of surnames provide confidentiality and accuracy in a national HIV database. J Y Mortimer, J A Salathiel. Communicable Disease Report, November.

[NHS] Handling confidential patient information in contracting: A Code of Practice. NHS Information Management Group (Executive Letter).

[NZ] Health Information Privacy Code. New Zealand Privacy Commissioner.

[OTA] Protecting Privacy in Computerized Medical Information. Office of Technology Assessment, US Government Printing Office.

[PK] GP Practice computer security survey. R A Pitchford, S Kay. Journal of Informatics in Primary Care, September.

[RFA] Requirements for accreditation: general medical practice computer systems. NHS Management Executive.

[RL] For sale: your secret medical records. L Rogers, D Leppard. Sunday Times.

[Ros] Institutionell-organisatorische Gestaltung informationstechnischer Sicherungsinfrastrukturen. A Roßnagel. Datenschutz und Datensicherung.

[Sch] Applied Cryptography. B Schneier. Second edition, Wiley.

[Sim] G J Simmons, personal communication.

[Smu] Health Care Information: Access and Protection. R H Smuckler. Institute for Primary Care Informatics.

[Som] Medical Ethics Today: Its Practice and Philosophy. A Sommerville. BMA.

[USA] Online medical records raise privacy fears. USA Today.

[WHC] Workshop on Health Care Confidentiality, discussing current initiatives, held at the BMA, April.

[WHFG] The Active Badge Location System. Roy Want, Andy Hopper, Veronica Falcão, Jonathan Gibbons. ACM Transactions on Information Systems, January.

[Woo] The computer-based patient record and confidentiality. B Woodward. New England Journal of Medicine.