AMIA '97: Internet Access to Patient Data
Michael Jacobson, MD, MPH, FACP
Cardiology and Internal Medicine
New York, New York
Editor, Journal Club on the Web

accepted for publication in Medical Computing Today December 1997


Each year the American Medical Informatics Association's Annual Fall Symposium, regarded by many as the premier event in the United States for medical informatics, highlights a specific topic in depth. This year, two such topics were chosen: "Systems That Really Work" and the subject of this article, "The Emergence Of 'Internetable' Health Care."
'Internetable' Health Care can be subdivided into patient data and generic healthcare information. Patient data refers to healthcare information on potentially identifiable individuals. Ensuring privacy and introducing adequate security measures, the major issues with such data, should be in the forefront of any attempt to use the Internet for transactions related to individual patients. These issues are of far less concern in the case of generic healthcare information that cannot be traced to a single individual.
Although the technojargon of medical informatics can deter even the most computer-savvy clinician, the relatively narrow and abstract research focus of today may well evolve into tomorrow's systems, thus affecting all of us. The following article -- based on time spent in Nashville and on the published proceedings of the symposium -- briefly summarizes the main Internet-related presentations having to do with the application of the Internet to patient data.
Using the World Wide Web to access computerized medical records is the prototypical application of Internet technology to patient data. Other examples abound, such as e-mail discussion among colleagues of patient problems, or using the Internet for transferring laboratory data. However, Web-based access to medical charts best illustrates the potential and the pitfalls of using a publicly accessible network to transmit confidential patient information.
Papers dealing with these issues are principally of two types: those discussing security issues, and presentations of specific implementations allowing access to patient data via the Internet (often via a Web interface).
General Security Issues
Security on the Internet is a very complex issue requiring solutions that go well beyond username and password protection. A number of important points are raised in symposium papers.
Security Risks
The online availability of patient data poses significant threats to privacy and confidentiality. Some of these threats are obvious while others are less self-evident.
The so-called "scrubbed" databases [1] are a good example of a security method that contains hidden potential for breaches. These are databases in which patient identifiers have been removed to preclude identification of individual patients. Such databases are often used for quality control or epidemiological research. If enough nonspecific information is present, however, it may be possible to unequivocally determine individual identities, particularly through linkage with other databases. For example, if there is only one Asian female of a certain age in a specific zip code, this seemingly innocuous collection of demographic data will uniquely identify that individual. Simply removing obvious identifiers is not always enough.
Another example is the so-called Trojan horse program [2], which appears to the user to do one thing while secretly performing another task. For example, a free downloadable Internet browser could be programmed to send a copy of everything that it receives to a specified Internet address without the user being aware of this. Thus, viewing a patient's medical record using a Web browser that is a Trojan horse would allow all the data to be simultaneously sent to a third party. Hacker skills used for nefarious purposes on business and military databases can be just as easily applied to medical information.
Finally, a particularly crass example of breached security that was cited involved a bank officer who used a database of cancer patients to call in loans [1].
Proposed Security Solutions
From the University of Missouri comes an excellent review [3] of the most common technical methods for protecting the confidentiality of patient information in networked systems. These include authentication (ensuring that the user is indeed an authorized user), access control (allowing users access only to information that they need to know) and auditing (keeping a record of who has accessed what). Each of these general methods can be implemented in different ways and with different degrees of security. For example, authentication can be limited to the familiar username and password, or can require that the user insert a smart card into a preauthorized terminal. Access control, at its most sophisticated, should allow only authorized users access to only the specific information required; how to accomplish this automatically is the subject of ongoing research. Auditing and recording of user activity as traceable audit trails can be used as deterrents to unauthorized browsing as well as to document breaches of security.
Most technical methods for securing medical information on the Internet do not directly involve those who should be the most concerned: patients. One system that does is PCASSO (Patient-Centered Access to Secure Systems Online), presently under development at UCSD [2]. This system allows patients to "own" their healthcare data. Patients will not only be able to view their own data, but also to see who has accessed it and to be notified by e-mail whenever new accesses to the data occur. PCASSO has not yet been tested in the real world but, as one of the few technical approaches that directly involve patients, it is a project worth following.
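The following sketch is an added example, not code from PCASSO or from the Missouri review: it combines a need-to-know access check, an audit trail that records denied as well as allowed requests, and the patient-facing access list and notification described above. The users, roles, policy table and the choice to notify on a user's first permitted access are assumptions, and authentication is taken to have already happened.

```python
from datetime import datetime, timezone

# Hypothetical need-to-know policy: which chart sections each role may read.
POLICY = {
    "cardiologist": {"demographics", "cardiology", "labs"},
    "billing_clerk": {"demographics", "insurance"},
}
# Hypothetical assignments: user -> patients they are treating or serving.
ASSIGNED = {"dr_lee": {"pt-001"}, "clerk_kim": {"pt-001", "pt-002"}}
ROLES = {"dr_lee": "cardiologist", "clerk_kim": "billing_clerk"}

AUDIT = []    # append-only trail: every attempt, allowed or denied
OUTBOX = []   # e-mail notifications queued for patients


def read_section(user, patient, section):
    """Decide one read request, audit it, and notify the patient of a first-time accessor."""
    role = ROLES.get(user)
    allowed = (role is not None
               and patient in ASSIGNED.get(user, set())
               and section in POLICY.get(role, set()))
    first_time = allowed and not any(
        e["user"] == user and e["patient"] == patient and e["allowed"] for e in AUDIT)
    AUDIT.append({"when": datetime.now(timezone.utc).isoformat(), "user": user,
                  "role": role, "patient": patient, "section": section,
                  "allowed": allowed})
    if first_time:
        OUTBOX.append((patient, f"{user} ({role}) accessed your record"))
    return allowed


def patient_view(patient):
    """What the patient sees: who touched the record, which section, and the outcome."""
    return [(e["user"], e["section"], e["allowed"]) for e in AUDIT if e["patient"] == patient]


def denied_attempts():
    """Audit review: denied requests are the candidates for unauthorized browsing."""
    return [(e["user"], e["patient"], e["section"]) for e in AUDIT if not e["allowed"]]
```
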
As new threats to privacy emerge, new technologies to combat them will be needed. For example, the Datafly system, developed at MIT [1], helps resolve the loopholes that threaten the anonymity of even "scrubbed" databases. Datafly manipulates database queries in such a way that relative anonymity can be preserved.
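To make the "scrubbed database" risk and this kind of countermeasure concrete, the added example below (not code from the Datafly system or from the symposium papers) counts how many records share each combination of demographic fields and then coarsens those fields step by step until no record stands alone. The table, field names and generalization steps are constructed for illustration, and the generalize-then-suppress routine is a simplified stand-in, not Datafly's actual algorithm.

```python
from collections import Counter

# Constructed sample of a "scrubbed" table: names and record numbers are gone,
# but demographic quasi-identifiers remain. All values are invented.
RECORDS = [
    {"zip": "10021", "age": 34, "sex": "F", "race": "Asian", "dx": "asthma"},
    {"zip": "10021", "age": 36, "sex": "F", "race": "White", "dx": "diabetes"},
    {"zip": "10021", "age": 38, "sex": "F", "race": "White", "dx": "migraine"},
    {"zip": "10025", "age": 52, "sex": "M", "race": "Black", "dx": "angina"},
    {"zip": "10025", "age": 57, "sex": "M", "race": "Black", "dx": "gout"},
    {"zip": "10027", "age": 55, "sex": "M", "race": "Black", "dx": "asthma"},
]
QUASI = ("zip", "age", "sex", "race")


def at_risk(records, k=2, quasi=QUASI):
    """Indexes of records whose quasi-identifier combination is shared by fewer than k rows."""
    counts = Counter(tuple(r[q] for q in quasi) for r in records)
    return [i for i, r in enumerate(records)
            if counts[tuple(r[q] for q in quasi)] < k]


def generalize(record, level):
    """Level 1 bands age by decade, level 2 also truncates ZIP, level 3 also hides race."""
    out = dict(record)
    if level >= 1:
        low = record["age"] // 10 * 10
        out["age"] = f"{low}-{low + 9}"
    if level >= 2:
        out["zip"] = record["zip"][:3] + "**"
    if level >= 3:
        out["race"] = "*"
    return out


def release(records, k=2, max_level=3):
    """Coarsen until every combination occurs at least k times; suppress rows that still stand out."""
    for level in range(max_level + 1):
        view = [generalize(r, level) for r in records]
        risky = at_risk(view, k)
        if not risky:
            return level, view, []
    kept = [r for i, r in enumerate(view) if i not in risky]
    return max_level, kept, risky
```

On this sample, the single Asian female in her thirties remains unique after age banding and ZIP truncation, so `release(RECORDS)` has to reach level 3 before every row is shared by at least two people.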
Patient Data Projects
Approximately 20 papers and poster presentations describe specific implementations of Internet-based access to patient data, in particular Web-based access to components of the electronic medical record (EMR).
Several papers report on relatively circumscribed projects, enabling access to subsets of patient data via the Internet, such as:
Other papers report more ambitious projects: using the Internet to construct a complete medical record, or to integrate patient data with decision support.
Discussion
In many ways, the Web is an ideal medium for delivering electronically stored patient data. Computerized healthcare information is currently located on many diverse and incompatible systems and in equally diverse and incompatible databases. Given the decentralized nature of the American healthcare system and the intense competition among systems vendors, this situation is unlikely to change. However, if each database system includes a Web interface (not a terribly difficult thing to accomplish), universal access is assured. Hypertext could become the universal language of the electronic medical record.
Another major advantage of using a Web interface to provide access to patient data is the growing ubiquity of the Web. Any physician who becomes familiar with the Web--perhaps at home, taught by his or her children--will be able to transfer this skill to the work environment. By analogy, if you learn how to use the telephone to call your friends, it's no big deal learning how to use it to communicate with colleagues.
A third advantage is that many security and transmission problems arising in the medical setting have, in most cases, already been solved for other applications of the Internet. Ensuring secure access to systems is vital to the business community; there is no need to reinvent the wheel for medical applications.
Despite the host of advantages to transmitting and sharing patient data on the Internet, it presents the potential for misuse through inappropriate linkages and distribution. Large-scale medical databases, particularly if a universal patient identifier is implemented, will link information from multiple sources and disseminate this information across the network. The specter of vast, legally mandated databases containing health information on most citizens looms large.
The problems created by the interorganizational flow and regulation of healthcare data are rooted more in society than in technology. Not surprisingly, societal issues were not high on the agenda of this conference. It behooves all physicians to be aware of them, however, and to participate in the debate over healthcare privacy legislation, which is sure to become louder as the Internet becomes more pervasive and patients become increasingly sensitive to the potential for its abuse.
  1. Sweeney L. Guaranteeing anonymity when sharing medical data, the Datafly System. Proceedings of the 1997 AMIA Annual Fall Symposium. JAMIA 1997;4(suppl):51-55.
  2. Masys DR, Baker DB. Patient-Centered Access to Secure Systems Online (PCASSO): A secure approach to clinical data access via the World Wide Web. Proceedings of the 1997 AMIA Annual Fall Symposium. JAMIA 1997;4(suppl):340-343.
  3. Bowen JW, Klimczak JC, Ruiz M, Barnes M. Design of access control methods for protecting the confidentiality of patient information in networked systems. Proceedings of the 1997 AMIA Annual Fall Symposium. JAMIA 1997;4(suppl):46-50.
  4. Tumey CT, Kohls MR. The evolution of a cardiology information system: from mainframe to Web. Proceedings of the 1997 AMIA Annual Fall Symposium. JAMIA 1997;4(suppl):895.
  5. Norris PR, Dawant BM, Geissbuhler A. Web-based data integration and annotation in the Intensive Care Unit. Proceedings of the 1997 AMIA Annual Fall Symposium. JAMIA 1997;4(suppl):794-798.
  6. Waitman LR, Higgins MS, King PK, Miller ML, Patel NP. Perioperative information via the Web enables efficiency in patient care. Proceedings of the 1997 AMIA Annual Fall Symposium. JAMIA 1997;4(suppl):1014.
  7. Sanders NW, Mann NH, Spengler DM. Web client and ODBC access to Legacy Database Information: A Low Cost Approach. Proceedings of the 1997 AMIA Annual Fall Symposium. JAMIA 1997;4(suppl):799-803.
  8. Halamka JD, Safran C. Virtual consolidation of Boston's Beth Israel and New England Deaconess Hospitals via The World Wide Web. Proceedings of the 1997 AMIA Annual Fall Symposium. JAMIA 1997;4(suppl):349-353.
  9. Tarczy-Hornoch P, Kwan-Gett TS, Fouche L, Hoath J, Fuller S, Ibrahim KN, et al. Meeting clinician information needs by integrating access to the medical record and knowledge resources via the Web. Proceedings of the 1997 AMIA Annual Fall Symposium. JAMIA 1997;4(suppl):809-813.
