Core Principles


This practice area addresses this Markle Connecting for Health Core Principle for a Networked Environment:

  • Security Safeguards and Controls

See Architecture for Privacy in a Networked Health Information Environment for more information.

Purpose

Strong security and systems requirements are essential to maintain trust among all network participants handling personal health information. Without such protections, consumer adoption will likely be hampered by concern about the security of their data,1 and Health Data Sources may continue to view the release of consumer data to Consumer Access Services as too great a privacy risk to implement.2 Although this practice area notes the need for strong security, detailed recommendations are beyond the scope of this paper. The HIPAA Security Rule is a good starting point. Another valuable reference is NIST's catalog of recommended security controls for federal information systems.3 Below, we outline a few basic security considerations:

Data Stores

  • Facilities that house equipment that stores health data (e.g., servers and backup devices) must be physically secured and attended at all times. Access to such equipment should be limited to individuals who require it for authorized, legitimate, and documented (i.e., auditable) purposes.
  • Individuals who access user data may access only the minimum amount of data necessary to fulfill their authorized purpose(s).
  • Sensitive user data should be encrypted on the equipment that holds it, so that physical loss or theft of a server or backup medium does not by itself disclose the data. This protection holds only if the encryption keys are kept separate from the encrypted storage; a key stored on the same lost disk protects nothing.
  • Because most security breaches originate within an organization, whether intentionally or not, all persons with access to such data should receive regular training and appropriate reminders about system security and the need to follow related protocols to protect the confidentiality of user information. In addition, policies for handling persons who violate stated security protocols should be in place and regularly communicated.
  • Strong system security for Consumer Access Services and networked PHRs also entails regular risk assessments and system audits.
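
The encryption-at-rest point above is easy to state and easy to get wrong. The following Go program is an added example, not part of the original Markle text and not code from any Consumer Access Service: it seals one record with AES-256-GCM (a cipher choice assumed here; the paper names none), binds the record identifier as associated data so a stored blob cannot be quietly re-filed under another patient, and shows that someone holding only the stolen storage image, or a tampered copy of it, recovers nothing. The function names, the record ID "rec-0001", and the sample JSON record are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

const (
	keySize   = 32 // AES-256
	nonceSize = 12 // standard GCM nonce
)

// NewDataKey returns a fresh random AES-256 key. In a real service the key lives in a
// separately secured key store (KMS/HSM), never on the same disk as the ciphertext,
// so that losing the storage device alone discloses nothing.
func NewDataKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newAEAD builds the AES-GCM authenticated cipher after checking the key length.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, fmt.Errorf("key must be %d bytes, got %d", keySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts one health record with AES-256-GCM. The record identifier is
// bound as associated data, so a ciphertext cannot be re-filed under another
// patient's ID without detection. Stored layout: nonce || ciphertext || tag.
func SealRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// OpenRecord reverses SealRecord. It fails on a wrong key, a wrong record ID, or any
// modification of the stored bytes, rather than returning corrupted plaintext.
func OpenRecord(key []byte, recordID string, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < nonceSize+aead.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, body := sealed[:nonceSize], sealed[nonceSize:]
	return aead.Open(nil, nonce, body, []byte(recordID))
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	record := []byte(`{"patient":"demo","allergies":["penicillin"]}`)
	sealed, err := SealRecord(key, "rec-0001", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes of ciphertext for a %d-byte record\n", len(sealed), len(record))

	// Physical loss of the disk: the attacker has sealed bytes but not the key.
	otherKey, _ := NewDataKey()
	_, err = OpenRecord(otherKey, "rec-0001", sealed)
	fmt.Println("open with wrong key:", err)

	// Flipping one bit of the stored bytes is detected, not decrypted into garbage.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = OpenRecord(key, "rec-0001", tampered)
	fmt.Println("open after tampering:", err)

	// The legitimate service, holding the key, recovers the record.
	plain, err := OpenRecord(key, "rec-0001", sealed)
	fmt.Printf("open with right key: %s (err=%v)\n", plain, err)
}
```

The key-separation caveat is the whole point of the example: NewDataKey stands in for a key fetched from a KMS or HSM at run time. If the key were written to the same volume as the sealed records, physical loss of that volume would hand an attacker both.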

Transactions

  • When information is presented to a user's web browser from equipment that holds this data (i.e., a data server), all reasonable steps should be taken to ensure that the user's data is transmitted securely, including use of an encryption protocol such as Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL). SSL and the early TLS versions have since been deprecated and should no longer be offered; a current TLS version with properly validated server certificates is the baseline.
  • Consumer Access Services should comply with industry best practices for transmission of health data over the Internet even if they are not subject to information security regulations governing the health care industry.
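
For the transmission requirement above, as an added example that is not part of the original paper: the Go program below stands up a server that will not negotiate anything older than TLS 1.2, and a client that verifies the server's certificate against an explicit trust store and the expected host name, then runs the handshake over a loopback TCP connection. The self-signed certificate for "phr.example", the host name itself, and the function names are constructed for the example; a deployed service would use a CA-issued certificate. The main function also shows that a client with an empty trust store refuses even a correctly configured server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// serviceName is the constructed test host name; not a real host.
const serviceName = "phr.example"

// NewSelfSignedCert builds a throwaway ECDSA P-256 certificate for serviceName plus a trust pool holding only it.
func NewSelfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: serviceName},
		DNSNames:     []string{serviceName}, // hostname verification uses the SAN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, pool, nil
}

// ServerConfig offers TLS 1.2 and 1.3 only; SSL 2/3 and TLS 1.0/1.1 are never negotiated.
func ServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
}

// ClientConfig trusts only the given pool, checks the host name, and never sets InsecureSkipVerify.
func ClientConfig(pool *x509.CertPool) *tls.Config {
	return &tls.Config{RootCAs: pool, ServerName: serviceName, MinVersion: tls.VersionTLS12}
}

// Handshake runs one handshake over loopback TCP and returns the negotiated version or the refusing side's error.
func Handshake(serverCfg, clientCfg *tls.Config) (uint16, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	serverErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			serverErr <- err
			return
		}
		defer raw.Close()
		raw.SetDeadline(time.Now().Add(5 * time.Second)) // never hang on a stalled peer
		serverErr <- tls.Server(raw, serverCfg).Handshake()
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return 0, err
	}
	defer raw.Close()
	cli := tls.Client(raw, clientCfg)
	if err := cli.Handshake(); err != nil {
		return 0, err // e.g. untrusted certificate or unsupported protocol version
	}
	if err := <-serverErr; err != nil {
		return 0, err
	}
	return cli.ConnectionState().Version, nil
}

func main() {
	cert, pool, err := NewSelfSignedCert()
	if err != nil {
		panic(err)
	}
	v, err := Handshake(ServerConfig(cert), ClientConfig(pool))
	fmt.Printf("trusting client: negotiated version %#x, err=%v\n", v, err)
	// A client that trusts nothing must refuse even a correctly configured server.
	_, err = Handshake(ServerConfig(cert), ClientConfig(x509.NewCertPool()))
	fmt.Println("client with empty trust store:", err)
}
```

InsecureSkipVerify is deliberately absent: disabling certificate verification leaves the encryption intact against a passive eavesdropper but worthless against an active one, and it is the most common way a "secure" health data transfer quietly becomes an unauthenticated one. The same version floor should be applied on both sides, so that neither a legacy server nor a legacy client can pull the connection down to SSL-era protocol versions.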

The following are other considerations in the emerging PHR industry:

  • In addition to data storage and transactional security, security and systems requirements should also apply to portable storage devices such as smart cards, memory sticks, and mobile devices offered as consumer access platforms and/or data portability options. Security requirements for portable devices that hold personal health data protect not only the consumer but also care providers, who may connect the device to their own computer or network in order to access or update a user's health information. Without strong security and systems requirements guaranteeing protection, the benefit these devices may offer to care providers may be outweighed by the threat posed by viruses, trojan horses, or other malware that may be hiding on them.4

Recommended Practice

Consumer Access Services should adopt industry best practices for data transaction and storage security. Security requires continuous monitoring of industry practices and threats, as well as initial and ongoing personnel training and strict policies regarding who can access consumer data, limits on the data that can be accessed for each authorized purpose, and consequences for security violations. Services will need to adapt to emerging practices to ensure the security of information entrusted to them, with special attention to additional protections for sensitive data. Services must be accountable for the export and storage of information in applications that they have endorsed, whether those applications are browser-based or run on mobile devices.

__________

  1. Win and Susilo. Personal Health Record Systems and Their Security Protection. Journal of Medical Systems 30(4): 309-315, August 18, 2006.
  2. Lecker, R., et al. Review of the Personal Health Record (PHR) Service Provider Market. March 14, 2007. http://www.hhs.gov/healthit/ahic/materials/05_07/ce/chin.html ("2.4.2.2 Interoperability Challenges").
  3. National Institute of Standards and Technology. Recommended Security Controls for Federal Information Systems. NIST Special Publication 800-53, Revision 1, December 2006. Accessed May 14, 2008, at http://csrc.ncsl.nist.gov/publications/nistpubs/800-53-Rev1/800-53-rev1-final-clean-sz.pdf.
  4. Sittig and Wright. USB Flash Drives Pose Threat To Health Care Provider Computer Systems. February 20, 2007. Accessed August 28, 2007, at http://www.ohsu.edu/ohsuedu/newspub/releases/022007flash.cfm.


©2008-2011, Markle Foundation

This work was originally published as part of a compendium called The Markle Connecting for Health Common Framework for Networked Personal Health Information. It is made available free of charge, but subject to the terms of a License. You may make copies of this work; however, by copying or exercising any other rights to the work, you accept and agree to be bound by the terms of the License. All copies of this work must reproduce this copyright information and notice.