
  • 7/30/2019 Full Text Bib159


    Barber B, Jensen OA, Lamberts H, Roger-France F, De Schouwer P, Zollner H. The six safety first principles of health information systems: a programme of implementation. Part 1: Safety and Security. In: Data protection and confidentiality in health informatics. Brussels: IOS Press, 1991:296-301. Reprinted by permission of IOS Press.

    The Six Safety First Principles of Health Information Systems:

    A Programme of Implementation Part 1 Safety and Security

    Barry BARBER, Ole Asbjørn JENSEN, Henk LAMBERTS, Francis ROGER-FRANCE, Peter DE SCHOUWER and Herbert ZOLLNER

    (1) NHS Information Management Centre, 19 Calthorpe Road, Birmingham B15 1RP, UK

    1 The Six Safety First Principles

    The AIM Requirements Board developed the following Six Safety First Principles as a basis for the future development of Health Care Information Systems in Europe [1, 2]. These requirements are set out in quite general terms in order that they may be seen apart from the computing technicalities and so that detailed work can be focussed appropriately rather than constrained too early by particular approaches to solving certain problems. The key issues relate to the environment within which the Health Information Systems should be developed, tested, operated and maintained. This environment should be:-

    1 Safe Environment for Patients and Users

    2 Secure Environment for Patients, Users and Others

    3 Convenient Environment for Users

    4 Legally Satisfactory Environment Across Europe for Users and Suppliers

    5 Legal Protection of Software Products

    6 Multi-Lingual Systems

    The fundamental requirement is for the establishment of a Co-ordinated Information Infra-structure based on these Six Safety First Principles which will positively encourage the development and use of Advanced Informatics Systems because Health Care Professionals and the general public have confidence in the safety and the security of the arrangements for using such systems within the EC. The Council of Europe convention 108 "For the Protection of Individuals with Regard to Automatic Processing of Personal Data" [3] was one of the pioneering ventures in the field of Data Protection. It is now possible for the EC to take another step in the direction of encouraging the production and utilisation of Advanced Informatics Systems because the problems have been thought through and a safe, regulatory, Co-ordinated Information Infra-structure has been devised to address the Six Safety First Principles listed above. Such a regime would provide a clear specified framework into which systems could be engineered, tested, marketed and used with confidence and it could liberate the market throughout the EC and beyond.

    2 Establishing the Technical and Regulatory Requirements for the Implementation of the Six Safety First Principles

    A considerable amount of detailed work will be required to establish the technical and legal requirements of the various Safety First Principles but it is likely to involve different types of computing specialist as well as lawyers. The longer the process is delayed the more difficult the process will become. "Safety Critical Systems" are slowly coming into use and it is time that adequately safe standards are established for the very demanding process of designing, developing, testing, certifying, using and maintaining them. In the following sections various proposals are listed together under each of the first two of the Safety First Principles of the proposed Health Informatics Infra-structure dealing with Safety and Security. The remaining Safety First Principles are dealt with in a separate paper [4]. The UK British Computer Society and Institute of Electrical Engineers have already embarked on some detailed examination of the requirements for such systems and a draft International Electrotechnical Commission [IEC] international standard [5] is already available which should assist with the necessary work required in the area of Health Informatics. The Requirements Board indicated a number of steps that would help to establish a safe environment and these are outlined below within the context of the various Safety First Principles.

    3 Safe Environment for Patients and Users

    In order to be satisfactory for safety critical applications it is necessary to utilise the right hardware, the right software and the right understanding of the clinical and design requirements. These will not generally be add-on extras but will need to be designed into the system right from the start utilising appropriate components. The most important steps were the following:-

    3.1 Establish Quality Assurance Standards for Software & Hardware

    As the Health Informatics products become more complex it is important that satisfactory standards of software design, development and testing should be specified in order to ensure that these products do precisely what is intended. This, obviously, becomes crucial in respect of "Safety Critical Systems" but it is important that these issues should be taken up at an early stage as many items of information in Health Records can become significant at certain stages of care. The loss of data or its substitution by incorrect data may have important consequences as Health Professionals rely on their systems. It is no longer reasonable to assume that they will have additional manual systems available so that they will be able to, or indeed can, check their computer systems. An assessment of the specifications required for ensuring adequate performance needs to be undertaken.

    3.2 Set Up a Pilot Evaluation and Certification Scheme for Advanced Informatics Systems in Health Care

    No clinician can place great confidence in Medical Informatics Systems where he, or she, cannot personally test the key aspects unless it has been adequately tested by some specialist agency. Once Health Care facilities become so complex that they are outside the skill and specialist expertise of individual practitioners, it becomes necessary to develop additional specialists to handle this complexity or else to support the practitioners with certification facilities that will enable him, or her, to practice as safely. This is the situation in respect of drugs where extensive testing is undertaken before drugs are released for the treatment of patients and where specialist pharmacists are available to support the practising clinician. When Medical Informatics facilities become really effective in clinical decision-making and treatment, some form of certification will be required which will indicate the circumstances in which it has been tested and the degree of reliability with which its conclusions may be treated, together with any contra-indications. Experimental Test Faculties will be required to establish certification procedures. A considerable amount of serious research will have to be carried out to establish the most profitable approaches and it is desirable that some centres should be encouraged to acquire expertise in this area rather than simply waiting for some disaster after which the public will demand action. The minimum number of centres is one but it would probably be preferable to designate, at least, 3 in order to ensure useful results according to the expertise that can be made available in this area in the various countries.


    4 Secure Environment for Patients, Users and Others

    There are a large number of issues that require attention before the environment can be considered secure for users. A number of specific issues are discussed below that require attention.

    4.1 Complete the Coverage of Data Protection in Health Care by Establishing Detailed Data Protection Standards and Audit Facilities for Health Care Systems

    The fundamental requirements of Data Protection are fortunately well established and agreed but they need to be developed and interpreted with a common understanding of the implications of the Data Protection Principles. Furthermore, it can be expected that progressive refinement of the Convention will gradually improve the weaknesses that are discovered in its practical application. The basic requirements of the European Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data and the Regulations for Automated Medical Data Banks should be fully implemented throughout Europe. In particular, it should be noted that erroneous data should not be overwritten but that a copy should be kept for future reference [6, p21]. The widespread transfer of Personal Medical and Health Information to support the Integrated Health Environment will require the adoption by the Health Services of techniques, such as encryption and access control, that are currently utilised mainly by the financial and security services. At the present time only the lowest grade of security systems will be required but such counter-measures are not currently used on any large scale in the Health Services.

    Despite all this work there is still a lot of work to do before our Health Information systems can be regarded as secure. Few people regard Data Protection requirements as other than unnecessary administrative matters and this approach will have to be tightened up before the next generation of systems become available or there will be some very expensive legal actions faced by the Health Services. The easiest way of achieving this is to establish some form of independent Data Protection and Computer Security Audit within the Health Care Services. This will have to be organised in such a way that it is complementary to the existing Data Protection arrangements. New technological developments are constantly raising other issues that were not considered when the Convention was drafted and it is important that the detailed measures required by the Data Protection Principles should be thought through carefully to ensure that the protective measures remain in step with these technical changes. Widespread computing allows information to be downloaded into the microcomputers and thus frees the Personal Data from the access controls built into the main systems. It, also, leads to difficulties in the basic Data Protection functions of locating Personal Data, integrating it with other Personal Data, updating it as well as administering the Data Protection laws, ensuring Data Security and Disclosure control. Bedside terminals, also, raise questions as to patients' access to the hospital systems. Greater sizes of storage media lead to additional problems of locating required Personal Data.

    4.2 Develop Awareness of Other Aspects of Computer Security in Health Care Systems

    Article 7 of Convention 108 [3], dealing with Data Security, requires that "Appropriate security measures shall be taken for the protection of Personal Data stored in automated data files against accidental or unauthorised destruction or accidental loss as well as against unauthorised access, linking, alteration or dissemination". The implications of these requirements are considerable. This involves much more than the need for the occasional "back-up" and Article 7 places an unambiguous responsibility on those responsible for and using the systems.

    4.3 Establish Standards of Risk Analysis and Management

    Standards need to be set to enable all systems to comply with appropriate data security counter-measures. It is desirable that some easily accessible approach could be introduced to assessing risks and managing the appropriate counter-measures. In the UK a Risk Analysis and Management Methodology [CRAMM - 7] has been devised for government computing installations and is currently being explored for utilisation within the National Health Service. It is hoped that this approach will be useful for Health Authorities and independent hospitals generally. In addition, it is hoped that it will prove valuable right from the design phase of a system through to implementation and routine operations.

    4.4 Ensure the Adoption of OSI Standards Suitable for the Data Protection needs of the Health Open Systems Environment

    The wide variety of medical computing systems, the advent of hospitals and Health Authorities with a wide range of different equipment and software suppliers, the need to change hardware relatively frequently, all tend to emphasise the need for utilising Open Systems Interconnection (OSI) standards. In order to support these protocols specified above it will be necessary to ensure that appropriate standards are adopted and implemented for the 7 layer OSI model so that computer systems can be safely inter-connected. This may be a simple matter of verifying that existing modules are adequate but it is more likely to involve the development of modules suitable for the Open Health Environment. Appropriate contact should be established with the USA Institute of Electrical & Electronic Engineers P1157 Medx initiative which is already exploring the problems of developing a standard for medical data interchange.

    4.5 Secure Agreement to a Detailed Code of Confidentiality in Health Care Systems

    Although the requirements of "Medical Confidentiality" are widely known and adopted, the wider involvement of many Health Care Professions in the care of patients, the need for Governmental and other organisations concerned with the funding and the monitoring of Health Care Services and the extensive involvement of many specialists in the informatics fields all give rise to the need for some contractual definition of the standards of confidentiality required to be observed in handling Personal Health Data.

    4.6 Set up Mechanisms to Review the Threats to Data Protection and Data Security

    There have been a large variety of changes, technical advances and security threats since the last monograph of the International Medical Informatics Association [IMIA] Working Group 4 [8, 9] and it is time that the field was reviewed to establish what additional security precaution should be taken or what practical and experimental work should be attempted. Special steps should be taken by the EC to keep this fast moving field under review during the next decade when major systems are likely to be installed in order to ensure that effective counter-measures are set up before major catastrophes occur. Little attempt has been made at the integration of Personal Data within a large Health organisation which might allow the organisation to fulfil all its obligations under the European Convention in terms of the accuracy of Personal Data. Problems arise from the increasing number of terminals linked to hospital information systems and the way that they can be accessed from external terminals and networks. Portable, handheld, computers or terminals also pose new risks as do the use of smart cards for holding Personal Health Data. It is necessary to develop agreed rules for handling Health Records within computer systems in terms of access rules for reading, creating and amending various types of record. Indeed it is believed that records should never be overwritten but should be amended by adding correct data and indicating its source and a marker on the original erroneous data indicating its errors. Ideally an updateable Data Protection Handbook should be developed so that the current situation is readily accessible to Health Professionals and system suppliers alike. The field is currently moving very fast so a conventional monograph would soon become obsolete. However, an updateable text presupposes some mechanism for becoming aware of changes across Europe, assessing them and, then, updating the Handbook.
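The amendment rule stated in sections 4.1 and 4.6 (never overwrite; add the correct data with its source and mark the erroneous original) can be sketched as an append-only record. This is an added example, not part of the original paper; the class, field and sample names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)              # frozen: a stored entry cannot be altered
class Entry:
    seq: int                         # position in the record's history
    field_name: str
    value: str
    source: str                      # who supplied this value
    recorded_at: datetime
    corrects: Optional[int] = None   # seq of the entry this one replaces


@dataclass(frozen=True)
class ErrorMarker:
    reason: str                      # why the original is considered wrong
    marked_by: str                   # assumption: the corrector also sets the marker
    marked_at: datetime
    corrected_by: int                # seq of the entry holding the correct data


class HealthRecord:
    """Append-only record: entries are added, never edited or deleted."""

    def __init__(self, patient_id: str):
        self.patient_id = patient_id
        self._entries = []           # list of Entry, in insertion order
        self._markers = {}           # seq of erroneous entry -> ErrorMarker

    def add(self, field_name, value, source, corrects=None) -> Entry:
        entry = Entry(len(self._entries), field_name, value, source,
                      datetime.now(timezone.utc), corrects)
        self._entries.append(entry)
        return entry

    def amend(self, seq, value, source, reason) -> Entry:
        """Correct entry `seq` by appending new data and flagging the old."""
        if not 0 <= seq < len(self._entries):
            raise KeyError(f"no entry {seq}")
        if seq in self._markers:
            raise ValueError(f"entry {seq} is already marked erroneous")
        new = self.add(self._entries[seq].field_name, value, source, corrects=seq)
        self._markers[seq] = ErrorMarker(reason, source, new.recorded_at, new.seq)
        return new

    def current(self, field_name) -> Optional[Entry]:
        """Latest entry for the field that carries no error marker."""
        for entry in reversed(self._entries):
            if entry.field_name == field_name and entry.seq not in self._markers:
                return entry
        return None

    def history(self, field_name):
        """Every entry for the field, erroneous ones included, with its marker."""
        return [(e, self._markers.get(e.seq))
                for e in self._entries if e.field_name == field_name]


def demo() -> HealthRecord:
    rec = HealthRecord("PATIENT-0001")           # constructed sample data
    first = rec.add("penicillin_allergy", "no", source="admission clerk")
    rec.amend(first.seq, "yes", source="ward physician",
              reason="patient reports an earlier reaction")
    return rec


if __name__ == "__main__":
    for entry, marker in demo().history("penicillin_allergy"):
        print(entry.seq, entry.value, entry.source, marker.reason if marker else "-")
```

The erroneous value stays readable through `history()`, so an auditor can see what a clinician was shown at the time, while `current()` only ever returns unflagged data.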

    4.7 Develop an Agreed Protocol for the Exchange of Health Records

    A genuinely Integrated Health Environment in which Open Systems Interconnection was operating will make considerable demands on our technology and managerial ability if this were to be managed safely. Adequate standards for medical data exchange, identification, authentication and authorisation of individuals would be needed. At present much of the confidentiality of Health records is supplied by the fact that the records rarely leave the originating institution. Any serious attempt to produce a situation in which there is a free flow of patients, health professionals and medical records across the European Community will require that agreed standards are laid down as to who can authorise the acquisition and release of clinical records, how composite records from several institutions may be managed and what levels of security and encryption are required. The use of a standard "smart card" held by the patient has considerable advantages in terms of consent and control. The advantage of the smart card might be that it returns control of the record to the patient instead of having to have elaborate procedures for handling it on his behalf. However, this approach exposes the patient to pressure from third parties that may have an interest in the information. It is, therefore, imperative that the patient is made fully aware of the advantages and disadvantages of this approach.

    4.8 Establish Standards for Contingency Planning in Health Care Systems

    Contingency planning follows directly after the examination of risks and the appropriate measures required for varying degrees of system loss and failure depend on the value of the systems to the organisation and its ability to continue functioning safely with reduced or non-existent computer systems. The value of mobile, or networked, computer support or the reservation of back-up facilities for "hot-start", "warm start" or "cold-start" need all to be carefully explored and planned in as much detail as the hospital's "major Emergency Plan". Standards in risk analysis, measurement and management will lead to the need for standards for developing contingency plans within the Health Informatics environment.

    4.9 Establish Standards in Information Audit

    As Health Informatics facilities become integrated with the professional activities of practising clinicians, it is important that adequate standards of Information Audit should be established. This is implied in the Data Protection Principles as inaccurate information might lead to legal action under Data Protection or other legislation. This will be more important if more information is held in coded form without corresponding text. The most effective safeguard is the basic Data Protection one of making the data available to those who are most likely to be concerned with its accuracy and usage.

    5 Conclusion

    The situation within the EC as the Single Market approaches and as steps are taken towards closer collaboration between the EC member states is moving almost as fast as the Information Technology itself. Promising measures are already being taken to handle a number of the issues located by the AIM Requirements Board. The EC has given a mandate to its standards bodies, CEN/CENELEC/ETSI, to carry out work on standards in Medical Informatics and the first items of this work are in hand. The AIM secretariat has sponsored a working conference on "Handling Health Data in Europe in the Future", 19-21 March 1990, Brussels [10] at which medical informaticians, Health Professionals, lawyers and computer security specialists examined the issues and elaborated a programme of activity in the areas of Data Protection and Computer Security. The Council of Europe is examining its recommendations [6] in respect of Automated Medical Databanks [working party 12] in the light of changes in technology as well as the increased interest in exchanging Health Records throughout the EC. The International Medical Informatics Association [IMIA] working conference on Primary Care held at Brighton 2-5 April 1990 paid special attention to the issues of Data Protection, Confidentiality and Computer Security [3, 11]. The second of these references gives a more detailed progress report than is possible here. It is now clear that there is a strong will to clear the way for the development and use of really effective information systems in Health Care within Europe by developing an appropriate environment for this purpose.

    Acknowledgements

    This material has been taken directly from work undertaken for the European Commission's Advanced Informatics in Medicine [AIM] Requirements Board, elaborated in a few places to make the context clearer and with additional material relating to subsequent activities.

    References

    1 AIM Requirements Board, Impact Assessment and Forecasts of Information and Communications Technologies Applied to Health Care, Volumes I-IV, December 1989, ref XHI/F/A10966C, AIM Secretariat, 61 Rue de Treves, Brussels

    2 The Six Safety First Principles of Health Information Systems, Barber B, Jensen, O A, Lamberts H, Roger F, de Schouwer P & Zollner H, in HC90: Current Perspectives in Health Computing 1990 pub British Journal of Health Care Computing 1990 ISBN 0948198 09 5

    3 Council of Europe Convention "For the Protection of Individuals with Regard to Automatic Processing of Personal Data" No 108, Strasbourg, 28/1/81 ISBN 92 8710022 5. Explanatory Report on the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, Strasbourg 1981

    4 The Six Safety First Principles of Health Information Systems: A Programme of Implementation Part 2 The Environment, Convenience & Legal Issues, de Schouwer P, Barber B, Jensen, O A, Lamberts H, Roger France F H & Zollner H, in MIE90 Springer Verlag 1990

    5 International Electro-Technical Commission, Draft Standard on Software for Computers in the Application of Industrial Safety-Related Systems, ref 65A(Secretariat) 94, November 1989

    6 Council of Europe Regulations for Automated Medical Data Banks Recommendation No R [81] 1 Strasbourg 1981

    7 CCTA Guide for Management & User Guide for CRAMM - Risk Analysis & Management Methodology, CCTA IT Security & Privacy Group, Riverwalk House, Millbank, London SW1P 4RT

    8 Data Protection in Health Information Systems: Considerations and Guidelines, ed Griesser, G., Bakker, A., Danielsson, J., Hirel, J-C, Kenny, D. J., Schneider, W. and Wassermann, A. I. for IMIA Working Group 4, North Holland Publishing Co, 1980, ISBN 0 444 86052 5

    9 Data Protection in Health Information Systems: Where do we Stand?, ed Griesser, G., Jardel, J. P., Kenny, D. J. and Sauter, K. for IMIA Working Group 4, North Holland Publishing Co, 1983, ISBN 0 444 86713 9

    10 EC AIM Conference on Data Protection and Confidentiality in Health Informatics: "Handling Health Data in Europe in the Future", 19-21 March 1990, Brussels, vols I & II in press.

    11 The Six Safety First Principles of Health Information Systems: Progress Report, Barber B & O'Moore R, IMIA Working Conference, Springer Verlag 1990 in press.