
Ebook: Implementing Secure Healthcare Telematics Applications in Europe

The ISHTAR project was one of the European Union's Fourth Framework projects in Health Telematics. The material in this publication ranges from the ISHTAR White Paper, which provides an overview of the security issues in Healthcare for non-technical readers, to an appreciation of the security issues associated with the increasing use of middleware. It starts with the EC Data Protection Directive and follows on to the issues of liability in Healthcare Telematics. The problems in establishing an effective Incident Reporting scheme are explored together with the Verification activities that were used to explore the security guidelines across Europe. The ISHTAR Security Training course is described as well as the ISHTAR Security Manager, SecureMan, that resulted from the creation of a database of security measures in place of the paper-based previous work.
Introduction to the ISHTAR Project
Petra Wilson
Shortly after joining the Health Telematics Applications Unit Directorate General XIII (as it was then called) of the European Commission I was charged with the responsibility of acting as Project Officer to the three projects working on security and legal issues in health telematics at that time. Coming from an academic legal background I had a ready understanding of some of the more arcane legal issues in health telematics, but I faced a very steep learning curve in the wider practical application of telematics in the day-to-day life of Health Care Establishments (HCEs). In this context ISHTAR came to me as a gift - it provided a readily accessible introduction to the wide range of issues which must be considered if HCEs are to meet the security challenges associated with a full implementation of Health Information Systems. Many of the lessons I learnt from ISHTAR are well reflected in the chapters of this volume and will provide the reader with a similar easily accessible introduction to the issues of security in health telematics applications.
This volume presents the results of the ISHTAR project, and to some extent of its predecessor, SEISMED, in a clear and accessible manner, covering the political and policy issues (see chapter one); legal issues (see chapters three and four), various technical issues (see secure architectures in chapter five and incident reporting schemes in chapter eight); the clinical perspective (see chapter two); as well as providing an introduction to the training and information needs and the ways in which such needs may be met through courses and WWW based information services. Each chapter is self-contained and serves well as a background document for anyone seeking to understand a given issue within security in health telematics.
Yet it is only after reading the book as a whole that the reader will appreciate the many facets of security in health telematics, and the interdependence of those many facets. The way one perceives security issues in health telematics depends greatly on one's perspective. For the technician the structure of a system, its components and architectures must be capable of secure handling of information - authorisation systems and access control must be catered for and security devices such as firewalls and external access LANs must be integrated into the system. For the lawyer, on the other hand, the system itself is often incomprehensible; the key issue for the legal expert is that all players understand their duties and obligations: the legal requirements of data protection, the legal duties of the healthcare provider to the patient and the steps necessary to execute those duties. The healthcare administrator, coming from yet another perspective, will emphasise the human and ergonomic elements – the necessity of training for all players in their duties, and the meeting of wider policy and non-legal requirements.
While this book cannot cover all the areas in exhaustive detail, the many disciplines and professions represented amongst its authors give a depth to its coverage which is often missing in health telematics security texts.
However, notwithstanding the fact that this book covers a wide range of issues of security in health telematics, it is important to note that one particular issue arises again and again in different guises: that is the issue of ethical use of health telematics applications. Whether this is addressed from the perspective of policy, law, technical specification, incident reporting, training or guidelines, all authors accept the underlying concept of an ethical dimension to the doctor/patient relationship which extends to the way in which telematics tools and applications are integrated into the healthcare setting.
Since Hippocrates it has been accepted that respect for the autonomy of both the patient and practitioner lies at the heart of ethical medical practice. A key element of respect for autonomy is maintaining confidentiality of patient information, which is cited in both the Hippocratic Oath and the International Code of Medical Ethics, and requires that the medical practitioner maintains the secrecy of information entrusted to him by the patient. In using telematic tools the medical practitioner will have to ensure that the medium she or he uses to store it or transmit it to another treating practitioner is safe from those who might intercept it. That means that the computer and telecommunications systems used must be secure, that all who handle information must have a high duty of confidentiality, that they must have been trained in meeting that duty, and that guidelines on how to achieve these aims must have been set. Concern for the ethical principle of autonomy does not end here, however, for in order to respect the autonomy of the individual it is important not only to respect the confidentiality of data stored about a patient, but also the integrity and availability of such data. This means that as well as ensuring that unauthorised people do not have access to patient data, the data controller must also ensure that any data she or he sends to or receives from another has ‘integrity’, i.e. that what she is receiving is exactly what the sender sent; similarly, the controller must also be able to be sure that the data has really been sent by the individual shown as sender [1].
How to set about meeting all these ethical demands is well documented in the chapters that follow; reading this text is thus a first step in meeting the new ethical challenges posed by the increasingly wide use of health telematics applications in healthcare provision.
Petra Wilson
Scientific Officer
European Commission
DG Information Society – Application relating to Health
[1] For an introductory overview of these simple security issues see Benson and Neame (1994) or Barber Treacher and Louwerse (1996), or ‘Security in Medical Information Systems’ in van Bemmel and Musen (1997).
This work is intended to provide an assessment of the E.U. Directive and how the legal obligations imposed on Member States will impact upon European health care activities within the European Union. The main features of the Directive are described and summarised, with the author's recommendations as to the way ahead. Apart from the provisions found in the Directive, attention has been paid to the two Council of Europe Recommendations in the field, Recommendation R(81), Regulations for Automated Medical Data Banks, and Recommendation R(97)5, The Protection of Medical Data. Particular attention has been paid to this latter document, and references to the text of R(97)5 are made whenever R(97)5 provides valuable additional insights into key issues of definition, law or procedure.
The report is not jurisdiction specific - an assessment of various national laws has already taken place under the SEISMED project. Nor is it possible to provide a model statute, for the whole structure of the Directive affords Member States a degree of latitude in relation to modes of implementation. The primary recommendation made in this report is that Member States should be anxious to encourage sectoral initiatives and solutions, within a strong legal and administrative framework, so as to facilitate responsive and flexible methods of patient care and research, as well as achieving administrative efficiency. A balanced response to data privacy issues should be the goal of health professionals everywhere with the interests of the patient being the guiding principle.
The increasing use and reliance on informatics and telematics technology in health care raises the inevitable issue of how questions of liability will be dealt with in this new technological environment. Up to a certain point the paper analogy can still be appropriate. However, it is inevitable that the introduction of new technology goes hand in hand with new and/or different types of responsibilities and liabilities that need to be dealt with away from the paper analogy. Liability is obviously a vast subject covering various spheres and a great number of legal principles. The legal study that was undertaken within the ISHTAR project has dealt with questions of liability in the telematics environment. The latter was defined as the use of information technology in combination with telecommunication technology for health care purposes. In view of the fact that a great many telematics applications originate in an informatics set-up, it is inevitable that the study considered to some extent liability in relation to informatics, but nevertheless placing the main emphasis on the telematics element.
This study adopted a two-fold approach. First of all, the principal players in the health care telematics environment were identified (i.e. persons, administrations, organizations, industry) and their potential liabilities ascertained. Secondly, and drawing on these results, practical advice in the form of recommendations on questions of liability in health care telematics was drawn up.
Five main groups of people/organizations that may incur legal liability in a health care telematics scenario were identified:
(1) health care professionals, which includes mainly medical, but also paramedical professionals, as well as those under the health care professional's supervision and for whom he/she may be vicariously liable;
(2) health care providers, usually authorities and institutions, such as national or local health care authorities, health care centres and clinics, hospitals etc.;
(3) system/application producers, which encompasses those who
- design a system/application
- provide the necessary medical expertise/information
- provide the necessary technical expertise
- supply a system/application
- commercialise a system/application
- import a system/application;
(4) telecommunication providers, which includes all those who electronically carry data, ranging from straightforward public telecommunications network providers to trusted third parties providing value-added services;
(5) patients, to the extent that they may increasingly be given an active role in their health care; in particular in a telemedicine set-up, such as tele-monitoring and teleassistance, there may be scope for contributory negligence on the part of patients.
This paper was structured as follows. The five main chapters correspond to the five groups of persons/organizations as outlined above. In each chapter the liability issues are discussed and recommendations are made on how the persons/organizations ought to act/behave to minimize the risk of incurring liability. For complete comprehension it is advisable to consider the recommendations in their textual context rather than separately. In view of the fact that readers may not find the entire document relevant to their situation, the main chapters have been structured in such a way that they can be read individually and without reference to the rest of the text. A complete summary can be found in the annex at the end of the book.
Like all the other contributions to this volume, the following chapter is based on earlier work such as the SEISMED project results concerning the comprehensive guidelines elaborated on security in Health Care Establishments' (HCE) information infrastructures. Dealing with current security issues in the healthcare domain, it consists of two parts.
Considering the challenges for increased efficiency and quality of care and the corresponding changes in philosophy and paradigm of modern health care systems, the shared care health system architecture must be supported by adequate distributed networking health information systems enabling communication and co-operation between the systems' components according to the shared care paradigm. In the first part, trends and solutions for new health information systems architecture meeting these challenges have been analysed. In that context, open solutions for decentralised HCE information infrastructures emerging from international efforts in design and standardisation have been compared especially considering the most important healthcare-related architectural approach and the resulting security issues. Professionals involved in health care information management have to rely on standard hardware and software components with the trend to decentralised information infrastructure, thereby exposing the systems to serious security threats. Communication services relevant in decentralised health care information infrastructures have been identified and their security requirements highlighted using a general security model.
Embedded in a detailed analysis of security threats for distributed health information system architectures, the policy securing such systems and the policy bridging needed for integration of the systems to provide interoperability are investigated and requirements are specified in the second part. Ongoing efforts and available solutions for specification, standardisation and implementation of security solutions in integrated health information systems are described, especially considering the results of related projects funded by the European Commission or the CEN TC251 but also referring to international work.
This paper presents the results of the interaction of the ISHTAR project with other projects of the Health Telematics Programme on the issue of implementation of information security and privacy. ISHTAR has provided three projects with appropriate consultancy teams of security experts, to assist them in the security implementation in their project development work. Moreover, ISHTAR has conducted a survey among all the projects of Health Telematics on the issue of implementation of security. The results suggest that more effort has to be spent on influencing the attitude towards security, by providing specific awareness programmes. Another key finding was that there is a need for reduction of budget and effort required for the implementation of security. Libraries of Security Guidelines are expected to provide the roadmap for the adoption of security in the near future.