International Journal of Medical Informatics 49 (1998) 135–137
Overall conclusions and recommendations
Albert Bakker a,*, Barry Barber b, Kiyomu Ishikawa c, Hiroshi Takeda d, Koji Yamamoto e
a IMIA WG 4, HISCOM, Schipholweg 97, Leiden, The Netherlands
b Health Data Protection Ltd., Malvern, WR14 4AA, UK
c Hiroshima University Medical Hospital, Hiroshima, Japan
d Department of Medical Information Science, Osaka University Medical Hospital, Osaka, Japan
e Miyazaki University, Miyazaki, Japan
1. The changing environment
It was recognised that the application of IT in health care is evolving rapidly. Major developments are:
1. the support of the primary process with the Electronic Patient Record (EPR) as focal point together with order management and protocols/nursing care plans;
2. increasing exchange of data beyond the walls of the institution (shared care, transmural care);
3. the growing use of the Internet;
4. introduction of multimedia functionality in the health information systems.
These developments have a significant impact on the security provisions required, so attention for security was unanimously judged to be more necessary than ever.
2. Access to patient’s data
Access to patient’s data should be based on explicit informed consent of the patient. Only within the health care establishment can such consent be assumed for access by members of the care team, under the condition that the patient is informed on admission/registration of the access policy of the health care establishment and has the opportunity to choose for a strict application of the consent principle. The use of patient’s data outside the health care establishment or for research purposes is subject to explicit consent unless there is a legal base for such use (e.g. a national cancer registry).
Access of health care professionals to data of their patients from locations outside the health care establishment was judged acceptable if sufficient security measures were implemented (see also points 4, 5, 7 and 8).
Whether the general practitioner has the right of access depends on the national ‘culture’, the basic question being whether he is considered to be a member of the care team.
* Corresponding author.
1386-5056/98/$19.00 © 1998 Elsevier Science Ireland Ltd. All rights reserved.
PII S1386-5056(98)00023-9
3. Pseudonymous patient data
It was judged that in epidemiology the use of pseudonyms, instead of the patient identifier, should be considered seriously. The technology of pseudonyms should be promoted.
4. Access control
Access control should comprise:
• identification of the user;
• authentication of the user;
• authorisation of the user;
• preferably single sign-on should be used to allow the identified authenticated user access to all the information that he is authorised to use.
Cryptographic techniques offer attractive facilities to achieve improved identification, authentication and authorisation. The use of such techniques is strongly recommended.
5. Communications security
When transmitting patient’s data beyond the health care establishment using public communication facilities the security measures should comprise:
• strong encryption for confidentiality;
• strong authentication;
• digital signatures for integrity checking;
• non-repudiation of origin and receipt;
• trusted third parties for key management.
Any traffic between the internal network of the health care establishment and the outside world should pass through a properly configured and managed firewall.
Especially for the use of distributed Electronic Patient Records (EPRs) the performance of encryption deserves more attention. There was a paper presented at the conference that justifies some concern because response times of many seconds would discourage the use of EPRs in the care process.
6. Trusted third parties
It was felt that Trusted Third Parties (TTPs) should be part of the health care system and not assigned to a governmental agency. There might be a hierarchy of TTPs, but no international Mega-TTP, rather cross certification between countries and sectors in society.
7. Internet
Although it was felt that communication of patient’s data across the Internet is about to come, several participants felt that the security provisions are not yet sufficient to allow for such use of the Internet; others felt that if the security provisions are sufficient to allow for electronic commerce then their use for health care is also acceptable.
Most participants felt that at the moment Intranet is the only acceptable way to use Internet technology in health care.
8. Development of security policies
There is a clear need for well-defined security policies, in line with international regulations like: OECD Guidelines, Council of Europe Recommendation on the Protection of Medical Data R(97)5 and standards being developed in Europe, Canada and Australia. It was recommended that a limited number of policies would be defined and that each health care establishment would be obliged to state which policy it applies; this would greatly simplify policy bridging between institutions.
9. Development of standards, tools/products
It was noticed that the development of standards and software to support health care establishments in defining and implementing their security policy is lagging behind. Such development should get a higher priority and be stimulated by both the ministries of health and the organisations of health professionals.
10. Availability
Health care establishments are already heavily dependent on their information systems or will be so in the very near future. In this respect there is a serious security risk that is not sufficiently recognised by the management of health care establishments, the health professionals and the public. The functioning of the care process might be interrupted for unacceptably long periods as a result of break-down of the hardware or the network, because of software problems or corrupted databases.
In the security plan the business continuity planning should get special attention. There should be thorough procedures for back-up of the databases and the computer configurations as well as the software. Such procedures should be tested periodically. The same holds for a disaster recovery plan.
11. Software quality
The quality of the software used in health care was judged to be one of the most serious risks. This holds true for the ‘professional software’ but even more for ‘home-brew software’. Although error-free software will often not be feasible, it was recommended that before using any software for use in patient care it should be tested thoroughly by other persons than the author to get a reasonable proof of integrity. Testing/development of software should take place in an environment separated from the production system.
12. Training and education
Security is a vital issue when applying IT in health care. In all training programmes for both health care professionals and IT professionals the subject should be covered. In addition to that within the health care establishments regular training should take place both for newcomers and as refresh/update. In addition to that the compliance with the security policy of the health care establishment should be checked, e.g. by audit trails.
13. Basic code of ethics for health information professionals
Eike-Henner Kluge proposed a code of ethics for health information professionals. Although applying the same code of ethics will not fully eliminate differences in interpretation (e.g. because of different cultural background), the participants were of the opinion that the idea to develop such a code should be strongly promoted. Initially within IMIA, but through IMIA with the organisations of (health care) professionals, WMA, IHF, ‘nursing’, IFIP. Medinfo 98 was considered to be a good platform to launch the idea; follow-up should be given by a publication in one of the leading medical journals.