Book Review

D-Lib Magazine
February 1998

ISSN 1082-9873

For the Record

"The expanding use of information technology in health care --electronic medical records, networked health information systems, and telemedicine -- promises to both improve the quality and reduce the costs of health care in the United States. At the same time, it raises new questions about the ability of health-related organizations to ensure the security of health information and to protect the privacy of their patients."
By Amy Friedlander, D-Lib Magazine

For the Record
Protecting Electronic Health Information

Computer Science and Telecommunications Board, National Research Council
264 pages. Index, appendices, bibliography. Washington, DC:
National Academy Press 1997, $29.95.

For the Record is the outcome of a study organized under the auspices of the Computer Science and Telecommunications Board (CSTB) of the National Research Council (NRC) and conducted between October 1995 and the end of 1996. It was initiated by the National Library of Medicine and supported by the Warren Grant Magnuson Clinical Center of the National Institutes of Health and the Massachusetts Health Data Consortium. The fifteen-member committee represented a broad range of backgrounds and exertise: medical informatics, health information management, health care privacy, law, medical sociology, and health information systems. The committee was assisted by a specialist in computing and security. The members of the committee were formed into sub-groups that conducted site visits to six organizations, considered leaders in the development of electronic medical records, networked clinical systems, and privacy and security policies. These findings were then discussed at five full group meetings, supplemented by additional briefings with groups working on medical applications under the National Information Infrastructure (NII), representatives of European groups, and staff from the Massachusetts Health Data Consortium. In total, the committee was briefed by twenty-six experts in allied fields.

Chapters in the study cover public policy, privacy and security concerns, technical approaches, organizational approaches, findings and recommendations. Wisely, the report focuses on a discussion of underlying issues and solutions rather than on specific technologies and applications. Sidebars, tables, and scenarios render the complex information more easily accessible. Much of the discussion of the technological mechanisms covers topics common to a more general discussion of information systems: authentication, access control, audit trails, physical security, backup and recovery, to name a few (see Table 4.1, p. 85). These are functions appropriate to protecting information within an institution, as the report points out, and do not address the implications of data mining and inappropriate use of information by individuals authorized to access it for other, legitimate purposes. The latter is a growing concern (p.4).

Americans, as Arthur Allen writes in the Washington Post Magazine (Sunday, February 1998), believe that medical information is personal and confidential even while digital networks and electronic records enable a surprising number of people to access this information and potentially to expose it.[1] Indeed, financial and educational records are in many ways equally vulnerable. Still, the value placed on the privacy of health-related information creates an emotional resonance in more people than the spectres of pilfered credit card numbers or identity theft.

Although the digital networks are, perhaps, more porous than may be generally realized, neither the causes nor the remedies are purely technological. In well-chosen examples, the authors describe vulnerabilities to data in electronic and paper form that arise from ordinary and innocent behaviors -- e.g., not logging off and clearing a screen display or walking away from a desk leaving an open file behind. Thus, the report calls for organizational and technological systems in which there are both deterrence (e.g., sanctions ranging from dismissal to criminal prosecution) and obstacles. The strategy is to encourage responsible behavior among people entrusted with confidential information.

Greater concern arises from the information flows among the separate entities in the health care system than within any given institution where training programs and disciplinary policies encourage compliance with privacy and security policies. Still, the report acknowledges that there has not yet been "a widespread and public catastrophe regarding information security in the health care industry", which has reduced the incentive for upgrading security practices (p. 5). But discussions on Capitol Hill concerning confidentiality and medical information suggest that this well-written report is prescient. Networked electronic medical information enables transactional efficiencies and can support epidemiological research of a scope and granularity hitherto difficult to obtain. The trick, as the report concludes, will be to "obtain the benefits of electronic medical records" and "address and mitigate concerns regarding the privacy and security of electronic health care information" (p. 160). Solutions lie in a range of technical and organizational practices in a framework of law and incentives that heighten interest in privacy and security.

[1] As of this writing, this story is available on-line at: <>. We have been informed that it is the policy of the Washington Post to transfer articles to their archives, <>, 14 days from publication. This story was published on February 8, 1998.

Copyright © 1998 Corporation for National Research Initiatives

Top | Magazine
Previous Story | Next Story
Comments | E-mail the Editor