
International Journal of Medical Informatics 49 (1998) 19–30

Patient data and security: an overview

Barry Barber

Health Data Protection, Malvern WR14 4AA, UK

1. Data protection in medical informatics

1.1. Early concerns about confidentiality

The requirement for the confidentiality of personal medical information was clearly understood nearly two and a half millennia ago and has since been embodied in the Hippocratic Oath. More recently, this requirement has been evident from the earliest development of medical informatics. It derives directly from the professional code of ethics of all health professionals and it has provided a basic underpinning for discussions between clinicians and informaticians in their development of all computer based systems holding personal health information. This concern is exemplified by Peterson and Turn [1], Freed [2], Acheson [3], Witts [4] and Curran [5]. Collen [6] sets out this requirement in his book on hospital computer systems. At this stage, computing systems were restricted in number and power and the worries were those of a breach of privacy and the Orwellian concerns about ‘Big Brother’. The available systems were difficult and tedious to use, the software took a great deal of time to develop and the major concern of the technical staff was to develop a system that would work satisfactorily within a practical health care environment. Project control was, and remains, a major issue for the development of complex systems.

In reviewing the approach taken when the system at the London Hospital had been developed it was recorded by Barber et al. [7] that the system had been developed such that:

1. in terms of confidentiality the computer system should be at least as effective as the previous manual system;

2. the measures employed to further confidentiality of information should not be so cumbersome as to destroy the advantages of the system.

1.2. Early data protection legislation

The worries about confidentiality were exemplified in a legal setting by the Hesse Data Protection Act 1970, the Swedish Data Act 1973 and the US Privacy Act 1974, which covered federal agencies and set out requirements but without a central data protection authority. In the UK, the Younger [8] and Lindop [9] committees considered the issues of privacy in general and data protection in particular and a white paper [10] was developed as a basis for legislation that did not emerge at that time.

1386-5056/98/$19.00 © 1998 Elsevier Science Ireland Ltd. All rights reserved.

PII S1386-5056(98)00006-9

1.3. Data protection at MEDINFO ‘74

These concerns were reflected in the first MEDINFO congress in 1974 where there were papers by Dinklo [11], Thome [12], Bohm [13], Fischer [14] and Yanez [15]. The first three papers are concerned with technical measures for securing confidentiality, with Bohm’s paper addressing some of the issues associated with cryptographic protection of data as compared with a simple scrambling process. The last two papers address the issues at a higher policy level in Kiel and El Camino respectively.

1.4. The establishment of IMIA WG4

The special interest group of the International Federation for Information Processing (IFIP) concerned with medical informatics was Technical Committee 4 (TC4), the precursor of the International Medical Informatics Association (IMIA). IFIP TC4 established the Working Group on Data Protection and Security which became IMIA WG4. This group was responsible for focusing the medical informatics community’s interests in these issues under the leadership of Gerd Griesser and subsequently, David Kenny. The group ran working conferences which were responsible for producing the two early specialist monographs on these topics [16,17]. It is clearly impossible to embrace the whole of data protection and security in health care in two short monographs but they provide a very good starting point for much of the subsequent work and they have a very good bibliography in respect of the early work in this field.

2. International legal instruments

2.1. Council of Europe Convention 108

The Council of Europe started work on the preparation of a convention on privacy in respect of data processing in 1976 and the Organisation for Economic Co-operation and Development started work at about the same time considering similar issues from the economic, technical and legal point of view rather than from the human rights standpoint. The Council of Europe’s work started from Article 8 of its Convention on Human Rights [18] which requires that:

1. everyone has the right to respect for his private and family life, his home and his correspondence;

2. there shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

This work led to the development of Convention 108, ‘for the protection of individuals with regard to automatic processing of personal data’ [19], which established the council’s view of the appropriate safeguards in respect of the processing of personal data. It drew on the experience of existing national legislation and legislative thinking, and it has now been signed by 22 countries. In a very real sense Convention 108 has set a standard for data protection issues.


2.2. Council of Europe Recommendation R(81)1

At the same time the council was working on the special safeguards that would be required by the processing of personal health data, as was envisaged in Article 6 of Convention 108, and it developed the Recommendation R(81)1 On Automated Medical Data Banks [20], which curiously has not been given the international recognition that it deserved. The main features of Convention 108 have become very familiar to everyone involved in data protection because they have been embodied in much national legislation but Recommendation R(81)1 did have some special features that were interestingly advanced. It required that medical data banks should have a set of regulations governing their operations and the recommendation specified a minimum set of contents for these regulations; such regulations would currently be described as a security policy. It established the concept of selective access to the identification, administrative, medical and social parts of the medical record and it addressed issues of record linkage. It established the exceptions to subject access as being ‘data banks which are used only for statistics or scientific research purposes where there is obviously no risk of an infringement of the privacy’ and ‘information the knowledge of which might cause serious harm to the data subject’. It made provision for subject access to be handled through the intermediary of a physician. It also allowed erroneous data to be kept after it had been corrected ‘so far as a knowledge of the error may be relevant to further medical treatment or useful for research purposes’. The only aspect of the recommendation that proved unworkable as computing facilities became much more widely available was the requirement to give advance public notice of the establishment of a medical data bank.

2.3. Council of Europe Recommendation R(97)5

The Council of Europe’s work in the area of biomedicine and bioethics led to the belief that there might be some problems between the requirements of genetic counselling and data protection and they followed up an initial ad hoc meeting with a full scale committee to revise the Recommendation on Automated Medical Data Banks. This work was an attempt to summarise the desirable situation for health care in Europe and ensure that staff met these standards in their handling of medical data and that patients could be sure that their medical data were uniformly protected.

This work was adopted on 12 February 1997 and Recommendation R(97)5 on the protection of medical data [21] now formally replaces the earlier recommendation and it is likely to become the basis for handling personal health information, including personal genetic information, for a generation. The status of the Council of Europe’s conventions is that of an international treaty and they are binding on signatory states, although it is not clear what sanctions might be brought against recalcitrant states. Unlike the convention on human rights, Convention 108 did not set up a court. Certainly, this recommendation recommends governments to ensure that its principles ‘are reflected in their law and practice’ and to ensure wide circulation of its principles ‘among persons professionally involved in the collection and processing of medical data’. In addition it provides the core of the material required in a code of conduct for this sector as envisaged in Article 27 of the EC Directive 95/46/EC [22] ‘On the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of such Data’.


2.4. Issues addressed in Recommendation R(97)5

The recommendation concerns all processing of personal medical data except where national law provides other appropriate safeguards in a specific area outside the health care sector. The scope specifically includes personal genetic data, as a component of personal medical data. Genetic data are data relating to individuals within a specific genetic line. The key areas addressed by the recommendation relate to the collection and processing of medical data, the provision of information to data subjects, the issues of consent to processing and disclosure of data and the rights of the data subject to access and rectify data. In addition the recommendation deals with the security of personal medical data, its long term retention, trans-border data flows and the use of data for scientific research.

The text also addresses issues relating to the personal data of unborn children, legally incapacitated persons, unexpected findings in genetic analyses and various permitted exemptions from specific requirements. This text provides clear guidance on these issues in the health care sector and may be expected to receive widespread support from the health care community as the correct way of addressing these issues.

2.5. Security of personal medical data in R(97)5

The recommendation is more prescriptive and detailed than the other instruments in respect of security issues. As well as requiring controllers to draw up a security policy (‘internal regulations’), it requires that the security measures be appropriate to the technical state of the art, the sensitive nature of personal medical data and the evaluation of potential risks. The recommendation sets out categories of protective control where measures are required: access to installations, handling of data media, access to system memory, utilisation of systems, separation of categories of medical data, access to networking facilities, data entry, transport of data media and back up arrangements. The general approach is similar to the approach in other documents but it is much more detailed in its requirements.

2.6. European Community directive 95/46/EC

The European Community Directive 95/46/EC, ‘On the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of such Data’ [22], was adopted somewhat earlier than Recommendation R(97)5, on 24 October 1995. Its status is rather different from the convention and the recommendations of the Council of Europe in that the directive is mandatory for all countries within the European Union but its scope is restricted to the legal competence of European Union law. Member states are required to install legislation implementing the directive by 24 October 1998 but the transition arrangements in Article 32 allow the full rigor of the national legislation required by the directive to be implemented in stages. ‘Processing that is already under way when the national legislation enter(s) into force’ must comply with these requirements within three years from that date, i.e. by 24 October 2001 at the latest. It would appear that any new processing must comply with the legislation as soon as it is brought into force. Manual ‘personal data filing systems’ are allowed until 24 October 2007 to comply fully but the data subject’s rights of access, rectification, erasure and blocking appear to start not later than 24 October 2001, assuming that such data are likely to be ‘processing already under way’. Recital 69 complicates these arrangements as it requires that ‘whereas, where data contained in such manual filing systems are manually processed during this extended transition period, those systems must be brought into conformity with these provisions at the time of processing’. This suggests that the whole medical records system must be brought into conformity as soon as a single record is processed. This would be quite impractical for any large collection of manual records; a more practical suggestion would be for each record to be brought into conformity as it is processed. The directive is still being examined to assess its implications and a number of papers have been drafted outlining various aspects of its wording [23–25].

2.7. Particular issues arising in Directive 95/46/EC

The directive is currently being implemented in EU member states but it will be some while before it is possible to judge how much it has changed the data protection environment within the European Union and beyond. The directive is based on Convention 108 but it goes beyond the requirements of the convention in a number of respects. The convention makes provision for signatory states to extend its scope by applying its requirements to manual information systems or to legal persons but the directive includes manual systems directly by the definition of ‘personal data filing systems’, although with a longer transition period. The security requirements in Article 17 are similar to those required by the recommendation except that the cost of implementing security measures is explicitly included in the process of assessing the appropriate security measures. It allows for the ‘blocking’ of personal data ‘which does not comply with the provisions of this directive, in particular because of the incomplete or inaccurate nature of the data’. This provision is a general extension of that established in Recommendation R(81)1 in the second paragraph of section 6.2. Perhaps the most extensive change is the requirement in Article 12(c) that ‘third parties to whom data have been disclosed should be notified of any rectification, erasure or blocking of data’ carried out as outlined above ‘unless this proves impossible or involves a disproportionate effort’.

2.8. Disclosure registers

Fundamentally, this requires that systems should include a disclosure register so that third party disclosures can be tracked [26]. Few existing systems will have such facilities but increasingly they are likely to be required. It will not long be accepted that inadequate systems should remain in use, or be installed, so that controllers can rely on the ‘disproportionate effort’ exemption to escape appropriate action. Furthermore, the increasingly diverse and dispersed health care system will include more third parties and an effective approach to user authentication will become mandatory. The situation was quite different when much of an individual’s care was handled within the context of a single organisation and where that organisation was responsible for any failures whoever had caused the problem. Large scale networking and the utilisation of personal data by many third parties will require effective user authentication in order to establish a proper audit trail of clinical and organisational responsibility.
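The disclosure register described above, as an added example that is not part of the original paper or of any project it cites: an in-memory register in Go in which every disclosure is attributed to an authenticated individual user (the audit-trail requirement of this section), together with a query that answers the Article 12(c) question of which third parties must be notified when a field of a patient's record is rectified, erased or blocked. The patient identifiers, recipients, field names and user names are constructed sample data, and the type and method names are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"time"
)

// Disclosure is one entry in the register: which parts of which patient's
// record went to which third party, and which authenticated individual
// released it. The field names are this example's own choice.
type Disclosure struct {
	PatientID string
	Recipient string   // third party that received the data
	Fields    []string // parts of the record disclosed, e.g. "medication"
	Actor     string   // authenticated individual user, never a group account
	At        time.Time
}

// Register is an append-only disclosure register.
type Register struct {
	entries []Disclosure
}

// Record appends a disclosure. A disclosure that cannot be attributed to an
// individual is refused outright: without the actor there is no audit trail
// of who released the data.
func (r *Register) Record(d Disclosure) error {
	if d.Actor == "" {
		return errors.New("disclosure must be attributed to an authenticated user")
	}
	if d.PatientID == "" || d.Recipient == "" || len(d.Fields) == 0 {
		return errors.New("patient, recipient and disclosed fields are required")
	}
	r.entries = append(r.entries, d)
	return nil
}

// RecipientsToNotify answers the Article 12(c) question: after one field of
// a patient's record has been rectified, erased or blocked, which third
// parties previously received that field and must be told? Each recipient
// is listed once, in sorted order, so the result is stable for reporting.
func (r *Register) RecipientsToNotify(patientID, field string) []string {
	seen := map[string]bool{}
	for _, d := range r.entries {
		if d.PatientID != patientID {
			continue
		}
		for _, f := range d.Fields {
			if f == field {
				seen[d.Recipient] = true
				break
			}
		}
	}
	out := make([]string, 0, len(seen))
	for recipient := range seen {
		out = append(out, recipient)
	}
	sort.Strings(out)
	return out
}

// DisclosuresBy returns every disclosure attributed to one user, which is
// the query an auditor asks when a release is questioned.
func (r *Register) DisclosuresBy(actor string) []Disclosure {
	var out []Disclosure
	for _, d := range r.entries {
		if d.Actor == actor {
			out = append(out, d)
		}
	}
	return out
}

// sampleRegister builds a register from constructed data (not from any
// real system) for the demonstration below.
func sampleRegister() *Register {
	reg := &Register{}
	t0 := time.Date(1998, 3, 2, 9, 0, 0, 0, time.UTC)
	must := func(err error) {
		if err != nil {
			panic(err)
		}
	}
	must(reg.Record(Disclosure{PatientID: "P-0001", Recipient: "insurer-A",
		Fields: []string{"diagnosis", "medication"}, Actor: "dr.smith", At: t0}))
	must(reg.Record(Disclosure{PatientID: "P-0001", Recipient: "lab-B",
		Fields: []string{"medication"}, Actor: "nurse.jones", At: t0.Add(time.Hour)}))
	must(reg.Record(Disclosure{PatientID: "P-0002", Recipient: "insurer-A",
		Fields: []string{"diagnosis"}, Actor: "dr.smith", At: t0.Add(2 * time.Hour)}))
	return reg
}

func main() {
	reg := sampleRegister()
	// P-0001's medication entry has been corrected: both recipients must be told.
	fmt.Println(reg.RecipientsToNotify("P-0001", "medication")) // [insurer-A lab-B]
	// Only the insurer ever saw P-0001's diagnosis.
	fmt.Println(reg.RecipientsToNotify("P-0001", "diagnosis")) // [insurer-A]
	// An unattributed disclosure is refused.
	fmt.Println(reg.Record(Disclosure{PatientID: "P-0003", Recipient: "lab-B", Fields: []string{"diagnosis"}}))
}
```

The register is deliberately append-only: a rectification does not edit or remove earlier disclosure entries, because the whole point of the register is to reconstruct who received the erroneous data. In a real system the entries would be persisted and the actor would come from the authentication layer rather than from the caller, so that a group account could not be written into the register at all.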


2.9. The issue of consent to processing

Consent is a major issue in health care, so it is likely to become necessary to record consents to processing and trans-border data flows in order to show that the processing was legal. The fundamental basis of the processing of personal health data is that of consent but there are a variety of interpretations apart from the obvious issues where an individual is physically or legally incapable of giving such consent. Article 8 of the directive requires ‘explicit consent’ unless the personal health data are required for the ‘purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services and they are processed by a health professional subject to an obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy’. The recommendation likewise requires ‘free, informed and express consent’ unless domestic law provides otherwise.

2.10. Automated decision-making

Finally, the directive gives a right not to be subject to a ‘decision which produces legal effects concerning him or significantly affects him and which is based solely on automated processing of data’. The key areas noted are related to performance and creditworthiness. It is difficult at present to envisage the use of medical expert systems except as an aid to the clinician and the clinical consultation process. However, a ‘rationing process’ for health care services might be envisaged and Article 15 would give rights to human consultation within the decision-making process and to know the logic of any such automated decision making [Art 12].

3. How are things developing?

3.1. Human rights and security

The effect of all of this work is to provide a series of rights to those whose personal data are processed which can be deemed to interpret the requirements of certain aspects of Article 8 of the convention on human rights. However, these requirements reflect the use of personal data by our current information processing systems and it must be anticipated that as these systems are developed, integrated and made more intelligent additional rights may be expected to be needed. Certainly, when intelligent mobile robots of the type envisaged by Asimov [27] are developed it will be necessary to provide human support, possibly in the format of the three laws of robotics as outlined by Asimov. The convention on human rights has provided the basis for a European model of human rights which has been adopted by 35 European states. Subsequently, it has provided the basis for the development of a model data protection regime which is being strengthened as the implications of its principles are developed in the context of the explosion in the growth of powerful information processing facilities and novel applications of those powerful facilities.

3.2. What can go wrong?

Although the main security pre-occupation of the early system designers related to confidentiality issues, the success of information systems processing personal medical data has led to applications directly concerned with the clinical care of patients rather than with systems designed to assist with the administration of that care (patient administration systems). This development necessarily gives rise to questions about what might happen to those patients if or when these systems fail in various ways. In practice much will depend on the clinicians concerned with the patient’s care. The clinician may be envisaged as inhabiting the ‘airgap’ between the patient and the clinical information system and it is his or her responsibility to utilise the systems in a safe fashion, carrying out whatever checks are considered necessary to achieve the appropriate level of safety. The key issue is: what can go wrong? This will vary according to the data held in the system and the way in which clinicians and their associated staff utilise the system.

3.3. The issue of confidentiality

Although the concept of the confidentiality of personal medical data is well accepted by the general public and by health professionals, the detailed practice is under potentially serious attack: by governments that want access in order to combat fraud or serious crime or to improve the efficiency of services; by big business that wishes to improve its competitive edge or reduce its costs by utilising detailed personal data in order to focus the promotion of its products and services; and by health care organisations that do not keep their security measures up to the ‘state of the art’ required by the information processing facilities available and the attacks on their personal medical data. All security measures need to be under constant review.

3.4. The issue of integrity

However, as systems are brought into routine use, staff will become much more confident of the information that they provide and it is possible for the information to appear so convincing that the normal checks of reasonableness appear superfluous or are left out as a result of the pressures of time. In this context it is clear that the integrity of the system and its data become key issues. For whatever reason, it must be accepted that errors in the medical information system can happen both in respect of the patient’s medical record and in respect of advisory systems designed to assist clinicians in deciding on either diagnoses or treatment. If either type of system provides incorrect information, then inappropriate treatment may result and the patient may be damaged to a minor degree or, in extreme cases, suffer premature death. This is never likely to be a frequent occurrence and in many cases the clinician’s own knowledge will prevent a dangerous situation from arising. However, when clinicians are working under extreme pressure or are very tired, they are less likely to pick up such problems and are more likely to accept the information from the system without question.

3.5. The issue of availability

A similar situation may arise if the relevant information cannot be obtained from a system when it is needed. In these circumstances the clinician must start from the beginning and attempt to assemble the necessary information for safe practice but there may not be time in an emergency to receive responses to all the relevant questions or to carry out all the desirable tests and, again, availability failures may lead to inappropriate care. Generally, availability failures will not be quite so severe as integrity failures because the failure will generally be known to the clinician while integrity failures may not be so obvious. However, availability issues must be taken seriously. Worst case scenarios were put in a clinical perspective by Barber, Vincent and Scholes [28], making the case that the issues of integrity and availability will probably deserve more attention than the issues of confidentiality as medical information systems become more intertwined with clinical practice.

3.6. The issue of accountability

The health care environment has been characterised by its co-operative nature and trust in the judgement and activities of health professionals. This has been conducive to the use of group passwords and the sharing of passwords even when individually allocated. The health care environment is not the only one where security is not taken seriously but it is an important issue because there is no possibility of establishing a proper audit trail of system interactions unless each individual is properly authenticated and accountable for their activities in respect of the utilisation of the information systems. The whole context of both Recommendation R(97)5 and European Community Directive 95/46/EC is that individual users are properly known and authenticated to the system. The more serious the result of a breach of security within the use of a system, the more rigorous the authentication must be. In the health care environment, the security measures must be as unobtrusive as possible but they must nevertheless be in place and properly observed and monitored.

4. Examining the issues

4.1. The types of security problems

The need for high integrity in medical information systems is clear but it is worth noting that, although individual incidents may be infrequent, software or system errors could affect a large number of patients before they become evident, as was the case with the error in the isocentric radiation treatment planning system at the North Staffordshire Royal Infirmary [29]. The European Commission, in its programme of advanced informatics in medicine, began to appreciate the implications of these issues [30–33] despite not having any knowledge of such IT security failures in health care at that time. The Therac 25 incident only became more generally known outside those concerned with safety critical systems at a later date; this incident, together with other non-health-care incidents, is well described in Peterson’s book ‘Fatal Defect: Chasing Killer Computer Bugs’ [34].

The problem of hacking into information systems, like the problem of viruses, appears to be well known although not as seriously addressed as the emerging networked environment requires; Stoll’s book [35] clearly illustrates the issues. Regular surveys are carried out on various types of security incident [36,37] but many designers, suppliers, managers and users of health information systems are more concerned with ‘getting the system working’ than with ensuring its security.

4.2. Risk analysis

Following from the consideration of what may go wrong, the next step is to conduct a serious risk analysis to explore the issues in a specific setting. The UK government’s Risk Analysis and Management Methodology (CRAMM) [38] has been utilised within the English NHS Executive and in a number of EU projects. The most recent version, 3.0, is much more useful and up-to-date with current technology and applications. However, the earlier versions allowed the method to be tested within the health care environment and it provided some useful insights on the security issues involved [39], confirming the intuitive views on the implications of security breaches. The SEISMED project [40–42] also led to the development of a simplified manual system of risk analysis that can be helpful where the systems in use, the ways in which those systems are used and the general environments are similar to those tested in the project. This project has been succeeded by ISHTAR [43], THIS [44] and Trusthealth 1 [45].

5. Developing security standards

5.1. European standards

In order to facilitate the process of installing appropriate security, Working Group 6 of the Medical Informatics Technical Committee (TC251) of the European standards body, CEN, has developed a standard for the security categorisation and protection of health care information systems [46]. This standard, ENV 12924, has now been voted as a formal standard. It provides six categories of health information systems according to the criticality of the confidentiality, integrity and availability requirements of the system together with a set of basic security measures, again seeking to simplify the process of deciding on appropriate security measures. ENV 12388 [47] has already been adopted and it prescribes the RSA algorithm for use with digital signatures in health care. A password standard [48] has been developed in order to improve the password management of health care information systems before stronger authentication arrangements are adopted. Work is in hand on the development of a standard for secure authentication using smart cards and on the whole area of handling secure communications. In addition, work is being commissioned on aspects of the security of the electronic patient record and the quality of software. It can be expected that the health care community will be able to look forward to having access to more standards to facilitate the inter-operability of security services across information systems and to provide a basis for installing appropriate security within systems.

5.2. European standards activities

The EU MEDSEC [49] project is developing a handbook of health care security standards as well as testing some of the existing standards. In addition, the SEMRIC project [50] is concerned with ensuring data integrity by the use of digital signatures. Within the UK a British Standard has been developed for the management of information systems security, BS7799 [51], which has been widely welcomed and work is currently being undertaken to address the issues of conformance in an effective fashion.
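The RSA digital signature that ENV 12388 prescribes (section 5.1) and that SEMRIC applies to data integrity (section 5.2), as an added example that is not code from the original paper, from ENV 12388 or from the SEMRIC project: a record is hashed and signed under the sender's RSA private key, and verification fails both when a single byte of the record has been altered and when the wrong public key is used. The hash (SHA-256) and padding (PKCS#1 v1.5) are this example's assumptions, since the paper does not state them, and the record itself is constructed sample data.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// signRecord hashes the serialised record with SHA-256 and signs the digest
// with the signer's RSA private key using PKCS#1 v1.5 padding. ENV 12388
// names RSA; the choice of SHA-256 and PKCS#1 v1.5 here is this example's.
func signRecord(priv *rsa.PrivateKey, record []byte) ([]byte, error) {
	digest := sha256.Sum256(record)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifyRecord reports whether sig is a valid signature over record under
// pub. Any change to a single byte of the record, or a signature produced
// under a different key, yields false.
func verifyRecord(pub *rsa.PublicKey, record, sig []byte) bool {
	digest := sha256.Sum256(record)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// demo signs a constructed record and reports three verification results:
// the untouched record under the signer's key, a record whose dose has been
// altered in transit, and the untouched record under someone else's key.
func demo() (okOriginal, okTampered, okWrongKey bool, err error) {
	signer, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	// Constructed sample record; the format is arbitrary, what matters is
	// that the signature covers the exact bytes that will later be verified.
	record := []byte("patient=P-0001;drug=warfarin;dose_mg=5")
	tampered := []byte("patient=P-0001;drug=warfarin;dose_mg=50")

	sig, err := signRecord(signer, record)
	if err != nil {
		return
	}
	okOriginal = verifyRecord(&signer.PublicKey, record, sig)
	okTampered = verifyRecord(&signer.PublicKey, tampered, sig)
	okWrongKey = verifyRecord(&other.PublicKey, record, sig)
	return
}

func main() {
	okOriginal, okTampered, okWrongKey, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("original verifies:", okOriginal)  // true
	fmt.Println("tampered verifies:", okTampered)  // false
	fmt.Println("wrong key verifies:", okWrongKey) // false
}
```

The signature only protects the bytes that were signed, so a deployment has to fix a canonical serialisation of the record before signing; otherwise a receiver that re-serialises the record differently will fail verification on perfectly genuine data. Binding the signer's public key to an authenticated individual, rather than to a shared departmental key, is what turns this integrity check into the accountability that section 3.6 calls for.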

5.3. International standards work

The International Electrotechnical Commission has been in the process of developing standards for safety-related information systems; the latest drafts, IEC standard 1508 parts 1–7 [52] (later published as IEC 61508), were issued for public consultation in 1995. These standards are likely to be relevant to health information systems in the future, as the key to achieving high-integrity systems is to use effective methods during the development phase. The standards committee of Australia on health informatics developed a standard on 'personal privacy protection in health care information systems' [53] which addresses the whole area of the use of personal health information in the context of the Australian Privacy Act and the OECD Security Guidelines [54]. The development of an 'inventory of health care information standards' [55] by ANSI/HISB indicates the seriousness with which the issues of standardisation are being taken in the US. They have developed a guide for electronic privacy access and data security principles for health care information [56], a guide for electronic authentication of health care information [57] and work on the universal health care identifier [58]. A comparison of these various standards is provided in the MEDSEC deliverable Handbook of Standards for Security and Privacy in Health Care [59].

6. Conclusion

The paper seeks to set out the various developments in data protection and data security in health care systems leading to the initial stages of developing security standards for such systems. The scientific work on these topics is continuing and exploding. Most conferences on medical informatics or electronic medical records give considerable attention to these issues, as they are increasingly part of the key agenda for developing, implementing and operating health information systems. In addition, specialist meetings on these issues include the conference organised by the AIM secretariat of the European Commission, in conjunction with the European Federation for Medical Informatics (WG2), which included lawyers and data protection commissioners as well as security specialists and medical informaticians [60]. The International Medical Informatics Association's Working Group 4 also continues to have success in its specialist area with the meetings in Heemskerk [61] and Helsinki [62].

It took some time before it became widely recognised that maintenance was a significant issue in respect of the implementation of information processing systems, because this requirement was often obscured by the large capital costs of the early systems. Information systems security is currently undergoing the same process and it will eventually be accepted as a significant issue that needs to be addressed as part of the process of developing, implementing and utilising systems. It is only a subsidiary part of the process, but everyone needs to know something about it and some specialists need to know a lot about it.

References

[1] H.E. Peterson, R. Turn, System implications of information privacy, in: Proc. AFIPS FJCC 30, 1967.

[2] R.N. Freed, Legal aspects of computer use in medicine, Law and Contemporary Problems 32, 674–706.

[3] E.D. Acheson, Linkage of medical records, Br. Med. Bull. 24 (1968) 206–209.

[4] J.L. Witts, People in confidence; the expanding circle, in: E.D. Acheson (Ed.), Record Linkage in Medicine, Livingstone, 1968, pp. 333–338.

[5] W.J. Curran, et al., Privacy, confidentiality and other legal considerations in the establishment of centralised health-data systems, N. Engl. J. Med. 281 (1969) 241–248.

[6] General requirements for implementing hospital computer systems, in: M. Collen (Ed.), Hospital Computer Systems, Wiley, New York, 1974, pp. 14–15, ISBN 0-471-16510-7.

[7] B. Barber, et al., Some problems of confidentiality in medical computing, J. Med. Ethics 2 (1976) 71–73.

[8] K. Younger, Report of the Committee on Privacy to the UK Parliament, chaired by K. Younger, Cmnd 5012, HMSO, London, July 1972.

[9] N. Lindop, Report of the Committee on Data Protection to the UK Parliament, chaired by N. Lindop, Cmnd 7341, HMSO, London, December 1978.

[10] Computers and Privacy, UK Parliament White Paper, Cmnd 6353, HMSO, London, December 1975.

[11] J.A. Dinklo, Confidentiality of medical data in the usage of data banks, in: J. Anderson and J.M. Forsythe (Eds.), MEDINFO 74, North-Holland, Elsevier, Amsterdam, 1974, pp. 181–187.

[12] R. Thome, Protection and confidentiality of medical data: I. Efficient data protection through project-specific combination of methods, in: J. Anderson and J.M. Forsythe (Eds.), MEDINFO 74, North-Holland, Elsevier, Amsterdam, 1974, pp. 189–191.

[13] K. Bohm, Protection and confidentiality of medical data: II. Simple methods for meeting users' needs.

[14] T.H. Fischer, J.M. Helmbock, Data privacy and data security in Kiel KIS, in: J. Anderson and J.M. Forsythe (Eds.), MEDINFO 74, North-Holland, Elsevier, Amsterdam, 1974, pp. 197–199.

[15] L.M. Yanez, Introduction of a user-oriented THIS into a community hospital setting: confidentiality and security, in: J. Anderson and J.M. Forsythe (Eds.), MEDINFO 74, North-Holland, Elsevier, Amsterdam, 1974, pp. 201–206.

[16] G.G. Griesser et al., Data Protection in Health Information Systems: Considerations and Guidelines, Elsevier, Amsterdam, 1980, ISBN 0 444 86052 5.

[17] G.G. Griesser et al., Data Protection in Health Information Systems: Where Do We Stand?, Elsevier, Amsterdam, 1980, ISBN 0 444 86713 9.

[18] Council of Europe 1950: Convention for the Protection of Human Rights and Fundamental Freedoms, 4 November 1950, and Protocols 1 [20/3/52], 2 [6/5/63] and 4 [16/9/63], Strasbourg, ISBN 92 871 0064 0.

[19] Council of Europe 1981: Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Convention 108, January 1981, ISBN (1982) 92-871-0022-5.

[20] Council of Europe: Recommendation R(81)1, On Automated Medical Data Banks, Strasbourg, 23 January 1981.

[21] Council of Europe: Recommendation R(97)5, On the Protection of Medical Data, Council of Europe, Strasbourg, 12 February 1997.

[22] European Community Directive 95/46/EC, On the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of such Data, OJ L281/31–50, 24 October 1995.

[23] Louveaux, Poullet: Data Protection in Health Telematics Projects: Compliance with the European Directive on the Protection of Personal Data, 1995.

[24] R. Clark, Implications of the EU Data Protection Directive and Council of Europe Recommendation for HCEs, ISHTAR consortium deliverable ref I04UDOlA, June 1996.

[25] B. Barber et al., The definition of data privacy for Europe, in: HC97 Current Perspectives, Richards et al. (Eds.), Health Care Computing 1997, published for BCS by BJHC, Weybridge, 1997, pp. 47–54, ISBN 0 948198 26 5.

[26] B. Barber, F.-A. Allaert, Some implications of the EU data protection directive, in: C. Pappas et al. (Eds.), Medical Informatics 97, Studies in Health Technology and Informatics, vol. 43, IOS Press, Amsterdam, 1997, pp. 829–833, ISBN 90-5199-343-9.

[27] I. Asimov, I, Robot, Gnome Press, 1950 (or Doubleday and Co., 1963, or 'The Rest of the Robots', Dobson Books, 1967).

[28] B. Barber, R. Vincent, M. Scholes, Worst case scenarios: the legal consequences, in: B. Richards et al. (Eds.), Current Perspectives in Health Care Computing 1992, British Computer Society, BJHC, Weybridge, 1992, pp. 282–288, ISBN 0 948198 12 5.

[29] Report of the Independent Enquiry commissioned by the West Midlands Regional Health Authority into the Conduct of Isocentric Radiotherapy at the North Staffordshire Royal Infirmary between 1982 and 1991, West Midlands Regional Health Authority, August 1992.

[30] AIM Requirements Board, Impact Assessment and Forecasts of Information and Communications Technologies Applied to Health Care, vols. I–IV, Ref. XHI/F/A10966C, AIM Secretariat, 61 Rue de Treves, Brussels, 1989.

[31] B. Barber, O.A. Jensen, H. Lamberts, F. Roger, P. de Schouwer, H. Zollner, The six safety first principles of health information systems, in: HC90: Current Perspectives in Health Computing, Br. J. Health Care Comput. (1990) 38–47, ISBN 0 948198 09 5.

[32] B. Barber, O.A. Jensen, H. Lamberts, F. Roger, P. de Schouwer, H. Zollner, The six safety first principles of health information systems: a program of implementation, part 1: safety and security, in: R. O'Moore, S. Bengtsson, J.R. Bryant, J.S. Bryden (Eds.), MIE90, Lecture Notes in Medical Informatics, vol. 40, Springer-Verlag, Berlin, 1990, pp. 608–613.

[33] P. de Schouwer, B. Barber, O.A. Jensen, H. Lamberts, F.H. Roger France, H. Zollner, The six safety first principles of health information systems: a program of implementation, part 2: the environment, convenience and legal issues, in: R. O'Moore, S. Bengtsson, J.R. Bryant, J.S. Bryden (Eds.), MIE90, Lecture Notes in Medical Informatics, vol. 40, Springer-Verlag, Berlin, 1990, pp. 614–619.


[34] I. Peterson, Fatal Defect: Chasing Killer Computer Bugs, Vintage Books, New York, 1995, pp. 27–54, ISBN 0-8129-2023-6.

[35] C. Stoll, The Cuckoo's Egg, Pan Books, London, 1991, ISBN 0-330-31742-3.

[36] IT Security Breaches Survey, NCC, Manchester, 1994, tel. +44 161 228 6333.

[37] Audit Commission Report: Opportunity Makes a Thief: An Analysis of Computer Abuse, HMSO, London, 1994, ISBN 0 11 886 137 9.

[38] The CRAMM User Guide, issue 1.0, April 1996, CRAMM software 3.0, The CRAMM Manager, PO Box 1028, London N1 1UX.

[39] B. Barber, J. Davey, The use of the CCTA risk analysis and management methodology [CRAMM] in health information systems, in: K.C. Lun et al. (Eds.), MEDINFO 92, North-Holland, Amsterdam, 1992, pp. 1589–1593, ISBN 0 444 89668 6.

[40] SEISMED, A Secure Environment for Information Systems in MEDicine, EU DG XIII, project in the Advanced Informatics in Medicine programme, A2033, 1992–1995.

[41] B. Barber et al., Towards Security in Medical Telematics, in: B. Barber et al. (Eds.), Studies in Health Technology and Informatics, vol. 27, SEISMED Consortium, IOS Press, Amsterdam, 1996, ISBN 90 5199 246 7.

[42] SEISMED Consortium: Data Security for Health Care, in: Studies in Health Technology and Informatics, vols. 31–33, IOS Press, Amsterdam, 1996.

[43] ISHTAR 1996, Implementing Secure Healthcare Telematics Applications in Europe, EU Fourth Framework Health Telematics Project 1046, 1996–1998.

[44] Trusted Health Information Systems, THIS, INFOSEC Project, Requirements on Electronic Signature Services and Trusted Third Party Services, Part 1, version 2, 12 January 1995.

[45] Trust Health I, EU DG XIII Fourth Framework Health Telematics Project, 1996–1997.

[46] Categorisation and Protection Profile Standard, ENV 12924 Medical Informatics—Security Categorisation and Protection for Health Care Information Systems, TC251 WG6 [PT012], ENV 12924, June 1997, CEN, Brussels, 1996.

[47] Medical Informatics—Algorithm for Digital Signature Services in Health Care, ENV 12388 (1997), TC251 Digital Signature Standard, CEN, Brussels, 1997.

[48] Password Standard, draft prENV, Medical Informatics—Secure User Authentication for Health Care: Management and Security of Authentication by Passwords, TC251 WG6, Ref. N95-022 rev., June 1995, CEN, Brussels, 1996.

[49] MEDSEC, EU Health Care Security and Privacy project, 1997–1998.

[50] SEMRIC, Secure Electronic Medical Record Information Communication, EU DG III Information Society Initiatives for Standardisation project, 1997.

[51] Code of Practice for Information Security Management, BS 7799, British Standards Institution, London, 1995, ISBN 0 580 23642.

[52] IEC draft Standard 1508, Functional Safety: Safety-Related Systems, parts 1 to 7, issued for public comment in June 1995.

[53] Standards Australia Committee IT/14: Personal Privacy Protection in Health Care Information Systems, AS 4400-1995.

[54] OECD: Guidelines for the Security of Information Systems, OECD/GD(92)190, Paris, November 1992.

[55] ANSI/HISB: An Inventory of Health Care Information Standards, January 1997.

[56] ASTM/E31, ASTM E1869: Guide for Electronic Privacy Access and Data Security Principles for Health Care Information.

[57] ASTM/E31, ASTM E1762: Guide for Electronic Authentication of Health Care Information.

[58] ANSI/ASTM, ASTM E1714-X: Properties of a Universal Health Care Identifier (UHID).

[59] MEDSEC Project Ref. 52, deliverable 4, 1997.

[60] European Commission: Data Protection and Confidentiality in Health Informatics: Handling Health Data in Europe in the Future, in: EU Commission (Ed.), DG XIII/F AIM, Studies in Health Technology and Informatics, vol. 1, IOS Press, Amsterdam, 1991, ISBN 90 5199 052 9.

[61] B. Barber et al. (Eds.), Caring for Health Information: Safety, Security and Secrecy, published for IMIA WG4, Elsevier, Amsterdam, ISSN 0020-7101 [also in Int. J. Biomed. Comput. 35, Supplement, February 1994].

[62] A.R. Bakker et al. (Eds.), Communicating Health Information in an Insecure World, published for IMIA WG4, Elsevier, Amsterdam, 1996, ISSN 0020-7101 [also in Int. J. Biomed. Comput. 43, Supplement, October 1996].