The Six Safety First Principles of Health Information Systems

The document discusses the establishment of six safety first principles for the development of health information systems in Europe. It outlines the principles, which focus on ensuring a safe, secure, convenient, and legally compliant environment for patients, users, and suppliers. It then discusses two of the principles in more detail - establishing a safe environment for patients and users, and a secure environment for patients, users and others. It provides recommendations for achieving these, such as establishing quality assurance standards, certification processes for systems, and strengthening data protection and security measures.

Uploaded by

Merhan Fouda
Copyright
© Attribution Non-Commercial (BY-NC)

Barber B, Jensen OA, Lamberts H, Roger-France F, De Schouwer P, Zollner H.

The six safety first principles of health information systems: a programme of implementation. Part 1: Safety and Security. In: Data protection and confidentiality in health informatics. Brussels: IOS Press, 1991:296-301. Reprinted by permission of IOS Press.

The Six Safety First Principles of Health Information Systems: A Programme of Implementation

Part 1: Safety and Security

Barry BARBER, Ole Asbjørn JENSEN, Henk LAMBERTS, Francis ROGER-FRANCE, Peter DE SCHOUWER and Herbert ZOLLNER

(I) NHS Information Management Centre, 19 Calthorpe Road, Birmingham B15 1RP, UK

The Six Safety First Principles

The AIM Requirements Board developed the following Six Safety First Principles as a basis for the future development of Health Care Information Systems in Europe [1, 2]. These requirements are set out in quite general terms in order that they may be seen apart from the computing technicalities and so that detailed work can be focussed appropriately rather than constrained too early by particular approaches to solving certain problems. The key issues relate to the environment within which the Health Information Systems should be developed, tested, operated and maintained. This environment should be:

1 Safe Environment for Patients and Users
2 Secure Environment for Patients, Users and Others
3 Convenient Environment for Users
4 Legally Satisfactory Environment Across Europe for Users and Suppliers
5 Legal Protection of Software Products
6 Multi-Lingual Systems

The fundamental requirement is for the establishment of a Co-ordinated Information Infra-structure based on these Six Safety First Principles which will positively encourage the development and use of Advanced Informatics Systems because Health Care Professionals and the general public have confidence in the safety and the security of the arrangements for using such systems within the EC.

The Council of Europe convention 108 "For the Protection of Individuals with Regard to Automatic Processing of Personal Data" [3] was one of the pioneering ventures in the field of Data Protection. It is now possible for the EC to take another step in the direction of encouraging the production and utilisation of Advanced Informatics Systems because the problems have been thought through and a safe, regulatory, Co-ordinated Information Infrastructure has been devised to address the Six Safety First Principles listed above. Such a regime would provide a clearly specified framework into which systems could be engineered, tested, marketed and used with confidence and it could liberate the market throughout the EC and beyond.

Establishing the Technical and Regulatory Requirements for the Implementation of the Six Safety First Principles

A considerable amount of detailed work will be required to establish the technical and legal requirements of the various Safety First Principles but it is likely to involve different types of computing specialist as well as lawyers. The longer the process is delayed the more difficult the process will become. "Safety Critical Systems" are slowly coming into use and it is time that adequately safe standards are established for the very demanding process of designing, developing, testing, certifying, using and maintaining them.

In the following sections various proposals are listed together under each of the first two of the Safety First Principles of the proposed Health Informatics Infra-structure dealing with Safety and Security. The remaining Safety First Principles are dealt with in a separate paper [4].

The UK British Computer Society and Institute of Electrical Engineers have already embarked on some detailed examination of the requirements for such systems and a draft International Electrotechnical Commission [IEC] international standard [5] is already available which should assist with the necessary work required in the area of Health Informatics. The Requirements Board indicated a number of steps that would help to establish a safe environment and these are outlined below within the context of the various Safety First Principles.

Safe Environment for Patients and Users

In order to be satisfactory for safety critical applications it is necessary to utilise the right hardware, the right software and the right understanding of the clinical and design requirements. These will not generally be add-on extras but will need to be designed into the system right from the start utilising appropriate components. The most important steps were the following:

3.1 Establish Quality Assurance Standards for Software & Hardware

As the Health Informatics products become more complex it is important that satisfactory standards of software design, development and testing should be specified in order to ensure that these products do precisely what is intended. This, obviously, becomes crucial in respect of "Safety Critical Systems" but it is important that these issues should be taken up at an early stage as many items of information in Health Records can become significant at certain stages of care. The loss of data or its substitution by incorrect data may have important consequences as Health Professionals rely on their systems. It is no longer reasonable to assume that they will have additional manual systems available so that they will be able to, or indeed can, check their computer systems. An assessment of the specifications required for ensuring adequate performance needs to be undertaken.

3.2 Set Up a Pilot Evaluation and Certification Scheme for Advanced Informatics Systems in Health Care

No clinician can place great confidence in Medical Informatics Systems where he, or she, cannot personally test the key aspects unless it has been adequately tested by some specialist agency. Once Health Care facilities become so complex that they are outside the skill and specialist expertise of individual practitioners, it becomes necessary to develop additional specialists to handle this complexity or else to support the practitioners with certification facilities that will enable him, or her, to practice as safely.

This is the situation in respect of drugs where extensive testing is undertaken before drugs are released for the treatment of patients and where specialist pharmacists are available to support the practising clinician. When Medical Informatics facilities become really effective in clinical decision-making and treatment, some form of certification will be required which will indicate the circumstances in which it has been tested and the degree of reliability with which its conclusions may be treated, together with any contra-indications. Experimental Test Facilities will be required to establish certification procedures. A considerable amount of serious research will have to be carried out to establish the most profitable approaches and it is desirable that some centres should be encouraged to acquire expertise in this area rather than simply waiting for some disaster after which the public will demand action. The minimum number of centres is one but it would probably be preferable to designate, at least, 3 in order to ensure useful results according to the expertise that can be made available in this area in the various countries.

Secure Environment for Patients, Users and Others

There are a large number of issues that require attention before the environment can be considered secure for users. A number of specific issues are discussed below that require attention.

4.1 Complete the Coverage of Data Protection in Health Care by Establishing Detailed Data Protection Standards and Audit Facilities for Health Care Systems

The fundamental requirements of Data Protection are fortunately well established and agreed but they need to be developed and interpreted with a common understanding of the implications of the Data Protection Principles. Furthermore, it can be expected that progressive refinement of the Convention will gradually improve the weaknesses that are discovered in its practical application. The basic requirements of the European Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data and the Regulations for Automated Medical Data Banks should be fully implemented throughout Europe. In particular, it should be noted that erroneous data should not be overwritten but that a copy should be kept for future reference [6, p21].

The widespread transfer of Personal Medical and Health Information to support the Integrated Health Environment will require the adoption by the Health Services of techniques, such as encryption and access control, that are currently utilised mainly by the financial and security services. At the present time only the lowest grade of security systems will be required but such counter-measures are not currently used on any large scale in the Health Services.

Despite all this work there is still a lot of work to do before our Health Information systems can be regarded as secure. Few people regard Data Protection requirements as other than unnecessary administrative matters and this approach will have to be tightened up before the next generation of systems become available or there will be some very expensive legal actions faced by the Health Services. The easiest way of achieving this is to establish some form of independent Data Protection and Computer Security Audit within the Health Care Services. This will have to be organised in such a way that it is complementary to the existing Data Protection arrangements.

New technological developments are constantly raising other issues that were not considered when the Convention was drafted and it is important that the detailed measures required by the Data Protection Principles should be thought through carefully to ensure that the protective measures remain in step with these technical changes. Widespread computing allows information to be downloaded into the microcomputers and thus frees the Personal Data from the access controls built into the main systems. It, also, leads to difficulties in the basic Data Protection functions of locating Personal Data, integrating it with other Personal Data, updating it as well as administering the Data Protection laws, ensuring Data Security and Disclosure control. Bedside terminals, also, raise questions as to patients' access to the hospital systems. Greater sizes of storage media lead to additional problems of locating required Personal Data.

4.2 Develop Awareness of Other Aspects of Computer Security in Health Care Systems

Article 7 of Convention 108 [3], dealing with Data Security, requires that "Appropriate security measures shall be taken for the protection of Personal Data stored in automated data files against accidental or unauthorised destruction or accidental loss as well as against unauthorised access, linking, alteration or dissemination". The implications of these requirements are considerable. This involves much more than the need for the occasional "back-up" and Article 7 places an unambiguous responsibility on those responsible for and using the systems.

4.3 Establish Standards of Risk Analysis and Management

Standards need to be set to enable all systems to comply with appropriate data security counter-measures. It is desirable that some easily accessible approach could be introduced to assessing risks and managing the appropriate counter-measures. In the UK a Risk Analysis and Management Methodology [CRAMM - 7] has been devised for government computing installations and is currently being explored for utilisation within the National Health Service. It is hoped that this approach will be useful for Health Authorities and independent hospitals generally. In addition, it is hoped that it will prove valuable right from the design phase of a system through to implementation and routine operations.

4.4 Ensure the Adoption of OSI Standards Suitable for the Data Protection needs of the Health Open Systems Environment

The wide variety of medical computing systems, the advent of hospitals and Health Authorities with a wide range of different equipment and software suppliers, the need to change hardware relatively frequently, all tend to emphasise the need for utilising Open Systems Interconnection (OSI) standards. In order to support these protocols specified above it will be necessary to ensure that appropriate standards are adopted and implemented for the 7 layer OSI model so that computer systems can be safely inter-connected. This may be a simple matter of verifying that existing modules are adequate but it is more likely to involve the development of modules suitable for the Open Health Environment. Appropriate contact should be established with the USA Institute of Electrical & Electronic Engineers P1157 MEDIX initiative which is already exploring the problems of developing a standard for medical data interchange.

4.5 Secure Agreement to a Detailed Code of Confidentiality in Health Care Systems

Although the requirements of "Medical Confidentiality" are widely known and adopted, the wider involvement of many Health Care Professions in the care of patients, the need for Governmental and other organisations concerned with the funding and the monitoring of Health Care Services and the extensive involvement of many specialists in the informatics fields all give rise to the need for some contractual definition of the standards of confidentiality required to be observed in handling Personal Health Data.
4.6 Set up Mechanisms to Review the Threats to Data Protection and Data Security

There have been a large variety of changes, technical advances and security threats since the last monograph of the International Medical Informatics Association [IMIA] Working Group 4 [8,9] and it is time that the field was reviewed to establish what additional security precautions should be taken or what practical and experimental work should be attempted. Special steps should be taken by the EC to keep this fast moving field under review during the next decade when major systems are likely to be installed in order to ensure that effective counter-measures are set up before major catastrophes occur.

Little attempt has been made at the integration of Personal Data within a large Health organisation which might allow the organisation to fulfil all its obligations under the European Convention in terms of the accuracy of Personal Data. Problems arise from the increasing number of terminals linked to hospital information systems and the way that they can be accessed from external terminals and networks. Portable, handheld, computers or terminals also pose new risks as do the use of smart cards for holding Personal Health Data.

It is necessary to develop agreed rules for handling Health Records within computer systems in terms of access rules for reading, creating and amending various types of record. Indeed it is believed that records should never be overwritten but should be amended by adding correct data and indicating its source and a marker on the original erroneous data indicating its errors.

Ideally an updateable Data Protection Handbook should be developed so that the current situation is readily accessible to Health Professionals and system suppliers alike. The field is currently moving very fast so a conventional monograph would soon become obsolete. However, an updateable text presupposes some mechanism for becoming aware of changes across Europe, assessing them and, then, updating the Handbook.

4.7 Develop an Agreed Protocol for the Exchange of Health Records

A genuinely Integrated Health Environment in which Open Systems Interconnection was operating will make considerable demands on our technology and managerial ability if this were to be managed safely. Adequate standards for medical data exchange, identification, authentication and authorisation of individuals would be needed. At present much of the confidentiality of Health records is supplied by the fact that the records rarely leave the originating institution. Any serious attempt to produce a situation in which there is a free flow of patients, health professionals and medical records across the European Community will require that agreed standards are laid down as to who can authorise the acquisition and release of clinical records, how composite records from several institutions may be managed and what levels of security and encryption are required.

The use of a standard "smart card" held by the patient has considerable advantages in terms of consent and control. The advantage of the smart card might be that it returns control of the record to the patient instead of having to have elaborate procedures for handling it on his behalf. However, this approach exposes the patient to pressure from third parties that may have an interest in the information. It is, therefore, imperative that the patient is made fully aware of the advantages and disadvantages of this approach.

4.8 Establish Standards for Contingency Planning in Health Care Systems

Contingency planning follows directly after the examination of risks and the appropriate measures required for varying degrees of system loss and failure depend on the value of the systems to the organisation and its ability to continue functioning safely with reduced or non-existent computer systems. The value of mobile, or networked, computer support or the reservation of back-up facilities for "hot-start", "warm start" or "cold-start" need all to be carefully explored and planned in as much detail as the hospital's "major Emergency Plan". Standards in risk analysis, measurement and management will lead to the need for standards for developing contingency plans within the Health Informatics environment.

4.9 Establish Standards in Information Audit

As Health Informatics facilities become integrated with the professional activities of practising clinicians, it is important that adequate standards of Information Audit should be established. This is implied in the Data Protection Principles as inaccurate information might lead to legal action under Data Protection or other legislation. This will be more important if more information is held in coded form without corresponding text. The most effective safeguard is the basic Data Protection one of making the data available to those who are most likely to be concerned with its accuracy and usage.
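Sections 4.1 and 4.6 call for erroneous data never to be overwritten, for corrections to be added with their source, for the original to carry a marker of its error, and for access rules covering reading, creating and amending each type of record. The following Python example is added here and is not from the original paper; the role names, record types, access-rule table and sample patient data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Assumed access rules: (role, record type) -> permitted actions. Roles are hypothetical.
ACCESS_RULES = {
    ("clinician", "clinical_note"): {"read", "create", "amend"},
    ("nurse", "clinical_note"): {"read", "create"},
    ("clerk", "demographics"): {"read", "create", "amend"},
}

class AccessDenied(Exception):
    pass

@dataclass(frozen=True)              # an entry cannot be changed once written
class Entry:
    entry_id: int
    patient_id: str
    record_type: str
    content: str
    source: str                      # who supplied this data
    recorded_at: datetime
    corrects: Optional[int] = None   # id of the erroneous entry this one amends

class RecordStore:
    def __init__(self):
        self._entries = []           # append-only log; nothing is updated or deleted
        self._markers = {}           # erroneous entry_id -> (correcting entry_id, reason)

    def _check(self, role, record_type, action):
        if action not in ACCESS_RULES.get((role, record_type), set()):
            raise AccessDenied(f"{role} may not {action} {record_type}")

    def _append(self, patient_id, record_type, content, source, corrects=None):
        entry = Entry(len(self._entries), patient_id, record_type, content,
                      source, datetime.now(timezone.utc), corrects)
        self._entries.append(entry)
        return entry

    def create(self, role, source, patient_id, record_type, content):
        self._check(role, record_type, "create")
        return self._append(patient_id, record_type, content, source)

    def amend(self, role, source, entry_id, corrected, reason):
        original = self._entries[entry_id]
        self._check(role, original.record_type, "amend")
        if entry_id in self._markers:
            raise ValueError("entry already marked erroneous; amend its correction")
        new = self._append(original.patient_id, original.record_type,
                           corrected, source, corrects=entry_id)
        self._markers[entry_id] = (new.entry_id, reason)  # marker beside the original
        return new

    def current(self, role, patient_id, record_type):
        """Entries a reader should act on: those not marked erroneous."""
        self._check(role, record_type, "read")
        return [e for e in self._entries
                if e.patient_id == patient_id and e.record_type == record_type
                and e.entry_id not in self._markers]

    def history(self, role, entry_id):
        """Follow corrections forward from an entry: [(entry, error reason or None)]."""
        chain = []
        while entry_id is not None:
            entry = self._entries[entry_id]
            self._check(role, entry.record_type, "read")
            nxt, reason = self._markers.get(entry_id, (None, None))
            chain.append((entry, reason))
            entry_id = nxt
        return chain

def demo():
    # Constructed sample data: a nurse records a note, a clinician corrects it.
    store = RecordStore()
    first = store.create("nurse", "Nurse A", "P001", "clinical_note",
                         "Penicillin allergy: none")
    fixed = store.amend("clinician", "Dr B", first.entry_id,
                        "Penicillin allergy: anaphylaxis", "transcription error")
    return store, first, fixed
```

The erroneous entry stays retrievable through `history`, which is what an Information Audit of the kind described in 4.9 would read, while `current` returns only the data a clinician should rely on.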

Conclusion

The situation within the EC as the Single Market approaches and as steps are taken towards closer collaboration between the EC member states is moving almost as fast as the Information Technology itself. Promising measures are already being taken to handle a number of the issues located by the AIM Requirements Board. The EC has given a mandate to its standards bodies, CEN/CENELEC/ETSI, to carry out work on standards in Medical Informatics and the first items of this work are in hand. The AIM secretariat has sponsored a working conference on "Handling Health Data in Europe in the Future", 19-21 March 1990, Brussels [10] at which medical informaticians, Health Professionals, lawyers and computer security specialists examined the issues and elaborated a programme of activity in the areas of Data Protection and Computer Security. The Council of Europe is examining its recommendations [6] in respect of Automated Medical Databanks [working party 12] in the light of changes in technology as well as the increased interest in exchanging Health Records throughout the EC. The International Medical Informatics Association [IMIA] working conference on Primary Care held at Brighton 2-5 April 1990 paid special attention to the issues of Data Protection, Confidentiality and Computer Security [3,11]. The second of these references gives a more detailed progress report than is possible here. It is now clear that there is a strong will to clear the way for the development and use of really effective information systems in Health Care within Europe by developing an appropriate environment for this purpose.

Acknowledgements

This material has been taken directly from work undertaken for the European Commission's Advanced Informatics in Medicine [AIM] Requirements Board elaborated in a few places to make the context clearer and with additional material relating to subsequent activities.

References
1 AIM Requirements Board, Impact Assessment and Forecasts of Information and Communications Technologies Applied to Health Care, Volumes I-IV, December 1989, ref XHI/F/A10966C, AIM Secretariat, 61 Rue de Treves, Brussels

2 The Six Safety First Principles of Health Information Systems, Barber B, Jensen, O A, Lamberts H, Roger F, de Schouwer P & Zollner H, in HC90: Current Perspectives in Health Computing 1990 pub British Journal of Health Care Computing 1990 ISBN 0 948198 09 5

3 Council of Europe Convention "For the Protection of Individuals with Regard to Automatic Processing of Personal Data" No 108, Strasbourg, 28/1/81 ISBN 92 871 0022 5; Explanatory Report on the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, Strasbourg 1981

4 The Six Safety First Principles of Health Information Systems: A Programme of Implementation Part 2 The Environment, Convenience & Legal Issues, de Schouwer P, Barber B, Jensen, O A, Lamberts H, Roger France F H & Zollner H, in MIE90 Springer Verlag 1990

5 International Electro-Technical Commission, Draft Standard on Software for Computers in the Application of Industrial Safety-Related Systems, ref 65A(Secretariat) 94, November 1989

6 Council of Europe Regulations for Automated Medical Data Banks Recommendation No R [81] I Strasbourg 1981

7 CCTA Guide for Management & User Guide for CRAMM - Risk Analysis & Management Methodology, CCTA IT Security & Privacy Group, Riverwalk House, Millbank, London SW1P 4RT

8 Data Protection in Health Information Systems: Considerations and Guidelines, ed Griesser, G., Bakker, A., Danielsson, J., Hirel, J-C, Kenny, D. J., Schneider, W. and Wassermann, A. I. for IMIA Working Group 4, North Holland Publishing Co, 1980, ISBN 0 444 86052 5

9 Data Protection in Health Information Systems: Where do we Stand?, ed Griesser, G., Jardel, J. P., Kenny, D. J. and Sauter, K. for IMIA Working Group 4, North Holland Publishing Co, 1983, ISBN 0 444 86713 9

10 EC AIM Conference on Data Protection and Confidentiality in Health Informatics: "Handling Health Data in Europe in the Future", 19-21 March 1990, Brussels, vols I & II in press.

11 The Six Safety First Principles of Health Information Systems: Progress Report, Barber B & O'Moore R, IMIA Working Conference, Springer Verlag 1990 in press.
