Barbara Simons
Chair, U.S. Public Policy Committee of ACM (USACM)
666 Pennsylvania Ave.
Suite 302-B
Washington, DC 20003
202:298-0842
202:547-5482 (fax)
http://www.acm.org/usacm/

I appreciate the opportunity to appear before you today to discuss the important issue of medical privacy.

INTRODUCTION

I speak today on behalf of the USACM, the U.S. Public Policy Committee of the Association for Computing Machinery (ACM). ACM, founded in 1947, is an international non-profit educational and scientific society dedicated to the development and use of information technology, and to addressing the impact information technology has on our lives. ACM's activities include the publication of scholarly journals, the sponsorship of special interest groups (SIGs) in numerous disciplines, and activities that address social issues. 60,000 ACM members reside in the U.S. They are academic, professional, scientific, and other developers and users of information technology. Many of them have a strong interest in the development of secure and private methods for obtaining, storing, and using medical information. USACM, which I chair, is particularly concerned with U.S. policy and social issues, including privacy and security. The USACM was created by ACM to promote dialogue on technology policy issues with U.S. policy makers and the general public. We provide a World-Wide-Web site located at http://www.acm.org/usacm/.

At the site we make available government documents, reports, policy statements, and links to other science policy resources.

We hope you will consult with independent computer scientists who are respected and knowledgeable researchers in the areas of security, medical databases, and cryptology. USACM would be very pleased to provide the committee with names of suitable experts.

THE NEED FOR IMPROVED PRIVACY AND SECURITY OF MEDICAL DATABASES

Expanded scientific knowledge, especially in fields such as genetics and microbiology, combined with the development of the net and widespread use of computers have increased the need for strong privacy protection for medical records.

We have all heard stories of harassment that has resulted because of the lack of adequate privacy protection of medical records. But the problem can even result in abstention from recommended medical care. I have a friend who has refused to take a drug prescribed by his therapist, simply because he feared the impact that having this prescription on his record might have on his ability in the future to obtain medical insurance, or even employment.

And we can easily imagine situations in which information that a person has been tested for AIDS or even for pregnancy could be used against that person.

Unfortunately, as reported in the public draft of "Options for Promoting Privacy on the National Information Highway," written by the National Information Infrastructure Task Force:

"...medical information is routinely shared with and viewed by third parties who are not involved in patient care .... The American Medical Records Association has identified twelve categories of information seekers outside of the health care industry who have access to health care files, including employers, government agencies, credit bureaus, insurers, educational institutions, and the media." (1)

Technology can be used to prevent unauthorized access to medical information, and standards can be used to drive the development and deployment of that technology. We have included below some security recommendations made in a National Research Council report on health care applications. But there are other issues for which well-reasoned standards could impact technology development in a positive fashion. For example, it could be required that any database that is used to store patient health information have patient identifiers that are easily removed without viewing the unencrypted data. Such a requirement would both increase privacy and facilitate the use of the data for analytical purposes.

We have been asked to comment on data standards, health confidentiality, and medical/clinical coding and classification issues associated with the requirements of the Health Insurance Portability and Accountability Act of 1996. I represent a professional society that is uniquely qualified to comment on the relevant technological aspects of these issues.

Standards

Not all transactions mentioned in Section 1173(a)(2) require the same level of security. For example, health plan premium payments do not have the same sensitivity as health claim attachments. Nonetheless, any standards should heed the following warning from the NIITF draft policy paper:

"Moreover, owing to the rising demand for access by third parties, coupled with the expense of limiting disclosure to that which is specifically requested by the non-medical user, there appears to be no natural limit to the potential uses of medical-record information for purposes quite different from those for which it was originally collected." (1)

We urge the development of standards under the HIPAA that will be designed with the goal of limiting third party access to medical records for non-medical uses. In a properly designed system limiting disclosure need not create significant added expenses.

Confidentiality

The storage and the transmission of sensitive health care data should be protected by the use of strong encryption. (For a good general discussion of encryption - which is the scrambling of information to make it unreadable by anyone who does not know the "key" for unscrambling - please see the 1994 ACM study "Codes, Keys and Conflicts: Issues in U.S. Crypto Policy" (2).) We recommend that sensitive health information be provided with significant protection, including encryption, limited access, and rigorous maintenance of audit trails. For less sensitive data, efficiency and cost considerations might result in less stringent controls.

Unique Health Identifiers

There are a number of well-documented problems with the social security number, including the sharing of a single name and number by multiple individuals. In addition, it is far too easy to obtain a person's SSN and other standard identifying information, such as mother's maiden name. Consequently, the SSN cannot be used as a method for authenticating an individual, as was recently illustrated when the Social Security Administration was forced to remove its on-line system for providing Personal Earnings and Benefit Estimate Statements (PEBES). The widespread availability of a person's SSN also facilitates cross-correlation of databases.

Both because there will be times when authentication will be needed for medical purposes and because of the general insecurity of the social security number, we urge the Secretary to eliminate the social security number as a candidate patient identifier. We hope that if a different identifier is developed for medical records, precautions will be taken to prevent that identifier from becoming easily available from other sources, as has happened with the social security number. Ideally, the use of any medical identifier should be restricted to medically related purposes only. Whether or not the social security number or some other number is used as a medical identifier, we shall need legislation to prevent database cross-correlation and other abuses of privacy.

SOME MORE DETAILED RECOMMENDATIONS: THE NATIONAL RESEARCH COUNCIL REPORT

The Computer Science and Telecommunications Board of the National Research Council recently issued a report entitled "Protecting Electronic Health Information" (3). We urge the Committee to support the recommendations of the NRC report, listed below:

Security Practices Recommended for Immediate Implementation

This box summarizes a discussion of practices recommended in Chapter 6 of this report. Readers should read Chapter 6 in full for the complete detail, argumentation, and support for these measures.

Technical Practices and Procedures

Individual authentication of users. To establish individual accountability, every individual in an organization should have a unique identifier (or log-on ID) for use in logging onto the organization's information systems. Strict procedures should be established for issuing and revoking identifiers. Where appropriate, computer workstations should be programmed to automatically log off if left idle for a specified period of time.

Access controls. Procedures should be in place for ensuring that users can access and retrieve only that information that they have a legitimate need to know.

Audit trails. Organizations should maintain in retrievable and usable form audit trails that log all accesses to clinical information. The logs should include the date and time of access, the information or record accessed, and the user ID under which access occurred. Organizations that provide health care to their own employees should enable employees to conduct audits of accesses to their own health records. Organizations should establish procedures for reviewing audit logs to detect inappropriate accesses.

Physical security and disaster recovery. Organizations should limit unauthorized physical access to computer systems, displays, networks, and medical records; they should plan for providing basic system functions and ensuring access to medical records in the event of an emergency (whether a natural disaster or a computer failure); they should store backup data in safe places or in encrypted form.

Protection of remote access points. Organizations with centralized Internet connections should install a firewall that provides strong, centralized security and allows outside access to only those systems critical to outside users. Organizations with multiple access points should consider other forms of protection to protect the host machines that allow external connections. Organizations should also require a secure authentication process for remote and mobile users such as those using home computers. Organizations that do not implement either of these approaches should allow remote access only over dedicated lines.

Protection of external electronic communications. Organizations should encrypt all patient-identifiable information before transmitting it over public networks, such as the Internet. Organizations that do not meet this requirement either should refrain from transmitting information electronically outside the organization or should do so only over secure dedicated lines. Policies should be in place to discourage the inclusion of patient identifiable information in unencrypted e-mail.

Software discipline. Organizations should exercise and enforce discipline over user software. At a minimum, they should install virus-checking programs on all servers and limit the ability of users to download or install their own software. These technical practices should be supplemented with organizational procedures and educational campaigns to provide further protection against malicious software and to raise users' awareness of the problem.

System assessment. Organizations should formally assess the security and vulnerabilities of their information systems on an ongoing basis. For example, they should run existing hacker scripts and password crackers against their systems on a monthly basis.

Organizational Practices

Security and confidentiality policies. Organizations should develop explicit and clear security and confidentiality policies that express their dedication to protecting health information. These policies should clearly state the types of information considered confidential, the people authorized to release the information, the procedures that must be followed in making a release, and the types of people who are authorized to receive information.

Security and confidentiality committees. Organizations should establish formal points of responsibility (standing committees for large organizations, a single person or a small committee for small organizations) to develop and revise policies and procedures for protecting patient privacy and for ensuring the security of information systems.

Information security officers. Organizations should identify an information security officer who is authorized to implement and monitor compliance with security policies and practices. The security officer should maintain contact with relevant national information security organizations.

Education and training programs. Organizations should establish programs to ensure that all users of information systems receive some minimum level of training in relevant security practices and knowledge regarding existing confidentiality policies before being granted access to any information systems.

Sanctions. Organizations should develop a clear set of sanctions for violations of confidentiality and security policies that are applied uniformly and consistently to all violators, regardless of job title. Organizations should adopt a zero-tolerance policy to ensure that no violation goes unpunished.

Improved authorization forms. Health care organizations should develop authorization forms that will improve patients' understanding of health data flows and limit the time period for which authorizations are valid. The forms should list the types of organizations to which identifiable or unidentifiable information is commonly released.

Patient access to audit logs. Health care providers should give patients the right to request audits of all accesses to their electronic medical records and to review such logs.
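The audit-trail, access-control and patient-access practices above can be exercised together in a small log-review routine. The following is an added example, not code from the NRC report or from this testimony; its log format, care-team table, user names and patient identifiers are constructed for illustration.

```python
from datetime import datetime

# Constructed sample audit trail, one access per line, with the three fields
# the NRC report asks for: date/time of access, record accessed, user ID.
SAMPLE_AUDIT_TRAIL = """\
1997-05-01T08:12:00 PT-1001 nurse_ann
1997-05-01T08:20:00 PT-1001 dr_lee
1997-05-01T12:45:00 PT-2002 nurse_ann
1997-05-01T23:15:00 PT-3003 clerk_bob
1997-05-02T09:05:00 PT-3003 dr_lee
1997-05-02T09:07:00 PT-3003 clerk_bob
"""

# Constructed need-to-know table (hypothetical): the users who legitimately
# care for each patient; in a real system it comes from the treatment record.
CARE_TEAM = {
    "PT-1001": {"nurse_ann", "dr_lee"},
    "PT-2002": {"nurse_ann"},
    "PT-3003": {"dr_lee"},
}

def parse_audit_trail(text):
    """Parse 'timestamp record user' lines into a list of dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, record, user = line.split()
        entries.append({"time": datetime.fromisoformat(stamp),
                        "record": record, "user": user})
    return entries

def find_inappropriate_accesses(entries, care_team):
    """Accesses by users with no legitimate need to know the record.
    A record with no care team on file is flagged too, so gaps in the
    need-to-know table surface instead of being silently passed."""
    return [e for e in entries
            if e["user"] not in care_team.get(e["record"], set())]

def patient_audit_report(entries, record):
    """The access history a patient reviewing their own record would see."""
    return [(e["time"].isoformat(), e["user"])
            for e in sorted(entries, key=lambda e: e["time"])
            if e["record"] == record]

if __name__ == "__main__":
    log = parse_audit_trail(SAMPLE_AUDIT_TRAIL)
    for e in find_inappropriate_accesses(log, CARE_TEAM):
        print("REVIEW:", e["time"].isoformat(), e["user"], "accessed", e["record"])
    print(patient_audit_report(log, "PT-3003"))
```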

ACM and PRIVACY

Computer professionals tend to be very sensitive to privacy issues - probably because we realize how easy it is to compromise information that is stored in a computer or transmitted over the Internet unless special steps are taken to protect that information. Because of our concern, ACM issued the following statement in 1991:

Whereas the ACM greatly values the right of individual privacy;

Whereas members of the computing profession have a special responsibility to ensure that computing systems do not diminish individual privacy;

Whereas the ACM's Code of Professional Conduct places a responsibility on ACM members to protect individual privacy; and

Whereas the Code of Fair Information Practices places a similar responsibility on data holders to ensure that personal information is accurate, complete, and reliable;

Therefore, be it resolved that:

(1) The ACM urges members to observe the privacy guidelines contained in the ACM Code of Professional Conduct;

(2) The ACM affirms its support for the Code of Fair Information Practices and urges its observance by all organizations that collect personal information; and

(3) The ACM supports the establishment of a proactive governmental privacy protection mechanism in those countries that do not currently have such mechanisms, including the United States, that would ensure individual privacy safeguards.

If a strong proactive privacy protection entity had existed in the United States, we almost certainly would have better privacy protection of medical information, outside the medical-care relationship, as well as inside it.

SUMMARY

The USACM believes that computer-related technology could significantly improve the quality and delivery of medical care. We also believe that inadequate or poorly designed standards, regulations, and legislation could have a serious negative impact on the privacy of medical records. Consequently, the USACM strongly supports the goal of the Health Insurance Portability and Accountability Act of 1996 to expand privacy protection for medical databases. We would be very pleased to assist those charged with designing the standards called for in the HIPAA in whatever way we can. In particular, we are prepared to provide a list of recognized computer scientists with expertise in relevant areas such as medical databases, privacy, and security.

References:

(1) Options for Promoting Privacy on the National Information Infrastructure, Draft for Public Comment, Information Policy Committee, National Information Infrastructure Task Force, Washington, D.C., April 1997, p. 15.

(2) Codes, Keys and Conflicts: Issues in U.S. Crypto Policy, Report of a Special Panel of the ACM U.S. Public Policy Committee, ACM, New York, N.Y., June 1994.

(3) Protecting Electronic Health Information; Committee on Maintaining Privacy and Security in Health Care Applications of the National Information Infrastructure; Computer Science and Telecommunications Board; Commission on Physical Sciences, Mathematics, and Applications; National Research Council; National Academy Press; Washington, D.C., 1997.