Clinical System Security Interim Guidelines

1. Introduction

Recent press articles have illustrated a number of acute threats to the confidentiality of personal health information. Many medical records can be easily obtained by private detectives who typically phone the general practice, FHSA or hospital and pretend to be the secretary of a doctor giving emergency treatment to the subject of the investigation. One article found that most patients' personal health information could be compromised in this way, and was routinely sold by agencies for as little as £150 [1] [2]. There is also concern that nationwide health networking may further harm confidentiality by making health records available to many more people.

The BMA therefore asked the author to draw up these interim guidelines to help tackle the pressing short term concerns; they are supplementary to existing documentation such as 'The Handbook of Information Security' [3].

2. Careless disclosure

The main threat to the confidentiality of clinical records is carelessness about telephone enquiries of the kind described above. This threat may be largely eliminated by following a number of commonsense rules that the best practices have used for years, and that are now agreed by the NHS Executive. Whether records are computerised or not, these best practice rules can be summed up as clinician --- consent --- call back --- care --- commit:

* only a clinician should release personal health information. It should not be released by a receptionist or secretary;

* the patient's consent must be obtained, except when the patient is known to be receiving treatment from the caller, or in the case of emergency or the statutory exemptions. In the latter two cases, the patient must be notified as soon as reasonably possible afterwards;

* the clinician must call back if the caller is not known personally --- and the number must be verified (e.g. in the Medical Directory). This procedure must be followed even when an emergency is claimed, as private investigators routinely claim emergencies;

* care must be taken, especially where the information is or may be highly sensitive, such as HIV status, contraceptive status, psychiatric history, or any information pertaining to celebrities;

* the clinician must commit a record of the disclosure to a ledger. This should have the patient's name, whether consent was sought at the time and the date and means of notification if not, the number called back and how it was verified, and whether anything highly sensitive was disclosed.

False-pretext telephone calls are not unique to medicine; they are also widely used in industrial espionage, whether to obtain information directly or to get passwords for computer systems [4]. Experienced investigators will be completely convincing, so it is important to have rules that are always followed.

It is often asked whether personal health information may be sent by fax. We reiterate the BMA's established advice that it is only prudent to fax personal health information to a fax machine that is known to be secure during working hours [5]. In addition to this, the guidelines given above for disclosures by telephone also apply to faxes. It is just as important to verify the identity, or failing that the location, of the caller as it is when disclosing personal health information over the telephone.

3. Equipment theft, loss and damage

The most serious threat to the continued availability of computerised clinical information in general practice is theft of the computer; this has been experienced by over 10% of general practices surveyed [6]. Data can also be destroyed in other ways such as by fire, flood, equipment failure, and computer viruses. Physical security measures must be taken, as well as hygiene rules to control the risk of computer virus infestation.
But even if these were completely effective (which they never are), the risk of equipment failure still makes it essential to have a tested recovery plan. Unfortunately, most organisations do not perform realistic tests of their procedures, with the result that when real disasters strike, recovery is usually held up for lack of manuals, suppliers' phone numbers and other things whose criticality had simply not been foreseen. It is thus prudent to have an annual drill based on a realistic scenario, such as the complete destruction of a surgery or hospital computer room by fire, and to perform a full system recovery to another machine from offsite backups.

It is also prudent to keep several generations of backups, since with equipment failure and with some viruses it may take time to notice that something has gone wrong. A typical schedule in a well run establishment might involve backups aged one, two, three, four, eight and twelve weeks, as well as daily incremental backups.

4. Access control

A serious threat to the confidentiality of personal health information in hospitals and health authorities is the poor design and lax administration of access controls [7] [8]. In many hospitals, all users may access all records; it is also common for users to share passwords, or to leave a terminal permanently logged on for the use of everyone in a ward. This causes a breakdown of clinical and medico-legal accountability, and may lead to direct harm: we are aware of one case in which a psychiatric patient altered prescription information from a terminal that was left logged on.

The introduction of networking may turn local vulnerabilities into global ones. If systems with ineffective access controls are connected together in a network then, instead of the data being available merely to all staff in the hospital, it might become available to everyone on the network. Effective access controls are thus a prerequisite for networking.
Access controls must also be harmonised among networked systems, or moving information from one system to another could result in leaks. The basis for this should be a common security policy that says who may access what records, under what circumstances. In order to facilitate clinical computer networking, the BMA has developed such a security policy [9]; its principles are listed in the appendix. Pending agreement on a common security policy, connecting clinical systems to the NHS wide network is not advised.

Meanwhile much can be achieved to control local threats by careful management of existing access controls. It is prudent practice, for example, to cover the following points.

* A senior person such as a hospital manager or partner in general practice must be responsible for security, especially if routine administration is delegated to junior staff. Many security failures result from delegating responsibility to people without the authority to insist on good practice.

* The mechanisms for identifying and authenticating users should be managed carefully. For example, users should be educated to pick passwords that are hard to guess and to change them regularly; and terminals should be logged off automatically after being unused for five minutes.

* Systems should be configured intelligently. Dangerous defaults such as manufacturer-supplied maintenance passwords and anonymous file transfer access should be removed; user access should be restricted to departments or care teams as appropriate. With hospital systems that hold records on many people, only a small number of staff should have access to the files of patients not currently receiving treatment.

* Periodic audits should be carried out, and these should from time to time include penetration tests. A private detective might, for example, be paid to obtain the personal health information of a consenting patient. In this way, any channels that have developed to sell information on the black market may be identified and closed off.

5. Communications security --- dial access

Some general practices have branch surgeries, and many hospitals have branch clinics; so it is frequently asked whether dial modem access from branches is permissible. In such cases, the main additional risk is that an outside hacker might dial up the main system and gain access by guessing a password. So the following would be good practice:

* there should be no direct dial access to the main computer system, which should dial back the branches;

* extra effort should be made to educate users to choose passwords with care, and all incidents should be investigated diligently.

Great care should be taken when any form of dial-in to a clinical system is permitted. This is occasionally convenient for system maintenance; in such cases, it is prudent to enable the modem for dial-in only after arranging the service call by telephone. It is also prudent to change maintenance passwords from their default values to fresh ones, which are changed after every call.

6. Communications security --- wide area networks

A growing number of clinicians transfer personal health information using electronic mail (email) across wide area networks. Examples are the mailbox systems used for GP-FHSA links for registration and item-of-service claims, GP-hospital links for pathology reports, and the use of Internet electronic mail to communicate with patients with chronic conditions that require continuing management. Exactly the same principles apply to email as to telephones and faxes. However, with wide area networks, messages may pass through a number of untrusted computers en route, and so it is difficult to obtain guarantees about who might receive, or who might have transmitted, a given message.
This problem may be tackled using cryptography: encryption and digital signatures can protect personal health information against disclosure and alteration, whether accidental or malicious, while in transit through a network. Standards for encryption and digital signatures are the subject of current European standards initiatives and NHSE efforts. Until then, the encryption program 'PGP' may be used. This is available free for most common makes of computer, and is adequate (though not ideal). Its careful use in the meantime is suggested, and suggestions for interfacing it to access control systems may be found in [9].

However, the protection of message traffic is not the only concern. There is also the risk, when connecting clinical systems to wide area networks, that an attacker might use the network to penetrate the system. Attacks by outsiders are much rarer than insider attacks, but they still happen from time to time. Many doctors who use the Internet at present do so from home computers rather than from equipment in their clinic or office; before connecting systems that contain personal health information to wide area networks, it is prudent to study the risks. A standard book on wide area network security is Cheswick and Bellovin [10].

As noted above, systems with weak access controls are particularly at risk from outside attack. The risk can be mitigated by the use of 'firewalls' --- machines that filter traffic and block the better known technical attacks. However, these are no panacea, especially if a number of systems share the same firewall, as then users of all these systems might still be able to access each other's information. In any case, reliance on the firewall facilities of the NHS wide network is not advised, as the NHS Executive has refused to allow the BMA to inspect them.

7. Disclosure to third parties

Third parties such as insurers, social workers, policemen and lawyers may get access to personal health information, whether with the patient's consent or via statutory exemptions. Our advice is that personal health information should not be provided electronically to such outside bodies, but given in paper form. Quite apart from the difficulty of assessing the security of third parties' computer systems, raw electronic access is of little evidential value. Both the Civil Evidence Act and the Police and Criminal Evidence Act require that for computer evidence to be admissible, there must be a certificate from the operator of the computer. There are also practical problems with explaining Read and other codes, and preventing the accidental disclosure of information to which the recipient is not entitled. A letter containing information abstracted from the record keeping system is thus safer, simpler and more able to satisfy a bona fide requirement for evidence.

8. The dispute over the NHS-wide network

We have already mentioned two shortcomings of the proposed NHS wide network: the absence of an agreed common security policy enforced by all the systems that will connect to it, and lack of confidence in the technical security measures such as firewalls. A third, and equally serious, objection is that many of the applications that the NHS wide network has been designed to support are ethically objectionable, in that they will make personal health information available to an ever growing number of administrators and others outside the control of both patient and clinician, thus contravening the basic ethical principle that personal health information may only be shared with the patient's informed and voluntary consent [5]. A growing number of administrative systems fall into this category.
For example, the Administrative Registers will record patients' use of contraceptive and mental health services, while the NHS Clearing System will handle contract claims for inpatient hospital treatment and contain a large amount of identifiable clinical information. According to the NHSE, pressure will be applied to clinicians to send data to it over the NHS wide network. The BMA therefore requested access to conduct an independent security review; the NHSE has so far refused.

Another problem is item-of-service and other information sent over existing GP-FHSA links. While registration links are fairly innocuous, at least two suppliers are developing software for health authorities which enables individual item-of-service claims, prescriptions and contract data to be pieced together into a 'shadow' patient record that is outside clinical control [11] [12].

The systems mentioned above are part of the strategy being pursued by the NHS Executive's Information Management Group, whose goals include an electronic patient record that is entirely shared throughout the NHS. We understand that the collection of GP data is to be the driving force, and that GP systems will be interrogated remotely by the NHS. These goals are in clear conflict with the ethical position of the BMA [5]. They also contravene the guidance from the Joint Computer Group of the GMSC and RCGP that no patient should be identifiable, other than to the general practitioner, from any data sent to an external organisation without the informed consent of the patient [13]. From the point of view of consent, a survey shows that most patients are unwilling to share personal health information with NHS administrators [14].

In view of the above conflicts, and of the risk that creating large aggregates of personal health information will promote the kind of abuses common in the USA [15] [16], the BMA's position remains that exposing personal health information to the NHS wide network is unethical.
Dr Ross J Anderson
Computer Laboratory
University of Cambridge
2nd January 1996

Appendix --- The BMA Security Policy Principles

In addition to these guidelines, the BMA commissioned the development of a medical information security policy [9]. This sets out nine rules which are designed to uphold the principle of patient consent, and to be independent of the details of specific equipment. They are:

Principle 1: Access control. Each identifiable clinical record shall be marked with an access control list naming the people or groups of people who may read it and append data to it. The system shall prevent anyone not on the access control list from accessing the record in any way.

Principle 2: Record opening. A clinician may open a record with herself and the patient on the access control list. Where a patient has been referred, she may open a record with her

self, the patient and the referring clinician(s) on the access control list.

Principle 3: Control. One of the clinicians on the access control list must be marked as being responsible. Only she may alter the access control list, and she may only add other health care professionals to it.

Principle 4: Consent and notification. The responsible clinician must notify the patient of the names on his record's access control list when it is opened, of all subsequent additions, and whenever responsibility is transferred. His consent must also be obtained, except in emergency or in the case of statutory exemptions.

Principle 5: Persistence. No-one shall have the ability to delete clinical information until the appropriate time period has expired.

Principle 6: Attribution. All accesses to clinical records shall be marked on the record with the subject's name, as well as the date and time. An audit trail must also be kept of all deletions.

Principle 7: Information flow. Information derived from record A may be appended to record B if and only if B's access control list is contained in A's.

Principle 8: Aggregation control. There shall be effective measures to prevent the aggregation of personal health information. In particular, patients must receive special notification if any person whom it is proposed to add to their access control list already has access to personal health information on a large number of people.

Principle 9: Trusted Computing Base. Computer systems that handle personal health information shall have a subsystem that enforces the above principles in an effective way. Its effectiveness shall be subject to evaluation by independent experts.

A clinician who keeps personal health information on a system that enforces these principles, or sends it between such systems, may have a reasonable expectation that the record will not end up being leaked. These principles also provide the philosophical basis for the guidelines given above.

References

1. Luck N, Burns J. Your secrets for sale. Daily Express 1994 Feb 16:32--3.
2. Rogers L, Leppard D. For Sale: your secret medical records for 150 pounds. Sunday Times 1995 Nov 26:1--2.
3. The Handbook of Information Security. NHS Executive 1995:E5209.
4. Winkler B, Dealy B. Information Security Technology? Don't Rely on It - A Case Study in Social Engineering. Proceedings of the Ninth Usenix Security Symposium 1995:1--5.
5. Sommerville A. Medical Ethics Today --- Its Practice and Philosophy. BMA 1993.
6. Pitchford RA, Kay S. GP Practice computer security survey. Journal of Informatics in Primary Care 1995 Sep:6--12.
7. Setting the Records Straight --- A Study of Hospital Medical Records. Audit Commission 1995.
8. For Your Information --- A Study of Information Management and Systems in the Acute Hospital. Audit Commission 1995.
9. Anderson RJ. Security in Clinical Information Systems. BMA 1996; also available from http://www.cl.cam.ac.uk/users/rja14#Med
10. Cheswick WR, Bellovin SM. Firewalls and Internet Security --- Repelling the Wily Hacker. Addison-Wesley 1994.
11. AIS --- Advanced Information System. FHS Computer Unit 1995.
12. Data Logic product information available electronically at http://www.datlog.co.uk/
13. GMSC and RCGP guidelines for the extraction and use of data from general practitioner computer systems by organisations external to the practice. Appendix III in Committee on Standards of Data Extraction from General Practice Guidelines, Joint Computer Group of the GMSC and RCGP, 1988.
14. Hawker A. Confidentiality of personal information: a patient survey. Journal of Informatics in Primary Care 1995 March:16--19.
15. Anderson RJ. NHS-wide networking and patient confidentiality. British Medical Journal 1995;6996:5--6.
16. Woodward B. The computer-based patient record and confidentiality. New England Journal of Medicine 1995;21:1419--1422.
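The nine principles in the appendix, and the access control points of section 4 that they underpin, can be checked mechanically by a small reference monitor. The block below is an added example written for this edition; it is not code from the BMA policy, from the NHSE or from the author. The threshold of three patients standing in for "a large number of people", the ten-year retention period, the record identifiers and the clinician and patient names are all assumptions made for the illustration.

```python
"""Toy reference monitor for the BMA policy principles: an added example, not the
policy's own code.  LARGE_NUMBER, RETENTION and the names in demo() are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

LARGE_NUMBER = 3                      # assumed: "a large number of people" (Principle 8)
RETENTION = timedelta(days=365 * 10)  # assumed retention period (Principle 5)

class PolicyViolation(Exception):
    """Raised when a request would break one of the principles."""

@dataclass
class Record:
    patient: str
    acl: set                   # Principle 1: who may read and append
    responsible: str           # Principle 3: the only clinician who may alter the ACL
    opened: datetime
    entries: list = field(default_factory=list)
    audit: list = field(default_factory=list)          # Principle 6: every access, refused or not
    notifications: list = field(default_factory=list)  # Principles 4 and 8: sent to the patient

class Monitor:                                 # Principle 9: every access passes through here
    def __init__(self, professionals, now):    # professionals: registered health care staff
        self.professionals, self.records, self.deletion_trail, self.now = set(professionals), {}, [], now
    def _guard(self, rid, who):                # Principle 1: off the ACL means no access at all
        rec = self.records[rid]
        if who not in rec.acl:
            rec.audit.append((who, self.now, "REFUSED"))
            raise PolicyViolation(f"{who} is not on the access control list of {rid}")
        return rec
    def open_record(self, clinician, patient, referrers=(), consent=True, emergency=False, statutory=False):
        """Principle 2: opener, patient and any referring clinicians form the ACL."""
        if clinician not in self.professionals:
            raise PolicyViolation(f"{clinician} is not a health care professional")
        if not (consent or emergency or statutory):                              # Principle 4
            raise PolicyViolation(f"no consent from {patient} and no exemption claimed")
        rid = f"rec-{len(self.records) + 1}"
        rec = self.records[rid] = Record(patient, {clinician, patient, *referrers}, clinician, self.now)
        rec.notifications.append(f"opened; access list {sorted(rec.acl)}")      # Principle 4
        return rid
    def read(self, rid, who):
        rec = self._guard(rid, who)
        rec.audit.append((who, self.now, "read"))
        return list(rec.entries)
    def append(self, rid, who, text):
        rec = self._guard(rid, who)
        rec.entries.append((who, self.now, text))
        rec.audit.append((who, self.now, "append"))
    def add_to_acl(self, rid, who, newcomer, consent=True, emergency=False, statutory=False):
        rec = self._guard(rid, who)
        if who != rec.responsible or newcomer not in self.professionals:        # Principle 3
            raise PolicyViolation(f"{who} may not add {newcomer} to {rid}")
        if not (consent or emergency or statutory):                              # Principle 4
            raise PolicyViolation(f"no consent from {rec.patient} and no exemption claimed")
        if len({r.patient for r in self.records.values() if newcomer in r.acl}) >= LARGE_NUMBER:
            rec.notifications.append(f"SPECIAL NOTICE: {newcomer} already sees many patients")  # Principle 8
        rec.acl.add(newcomer)
        rec.notifications.append(f"{newcomer} added to access list")             # Principle 4
        rec.audit.append((who, self.now, f"add {newcomer}"))
    def copy_entry(self, src, dst, who, index):
        """Principle 7: data may flow from A to B only if B's ACL is contained in A's."""
        a, b = self._guard(src, who), self._guard(dst, who)
        if not b.acl <= a.acl:
            raise PolicyViolation(f"{dst} is readable by people who may not read {src}")
        self.append(dst, who, a.entries[index][2])
    def delete(self, rid, who):
        """Principle 5: nothing may be deleted before the retention period has run."""
        rec = self._guard(rid, who)
        if self.now - rec.opened < RETENTION:
            raise PolicyViolation(f"{rid} must persist for {RETENTION.days} days")
        self.deletion_trail.append((rid, who, self.now))                         # Principle 6: deletions audited
        del self.records[rid]

def refuses(request):                          # True if the monitor rejects a zero-argument request
    try:
        request()
    except PolicyViolation:
        return True
    return False

def demo():                                    # constructed scenario; returns what the monitor decided
    m = Monitor(["dr_ahmed", "dr_baker", "dr_dale", "nurse_cole"], datetime(1996, 1, 2))
    r1 = m.open_record("dr_ahmed", "patient_1")                          # ACL(r1): ahmed, patient_1
    m.add_to_acl(r1, "dr_ahmed", "dr_baker")                             # ACL(r1): + baker
    r2 = m.open_record("dr_ahmed", "patient_1", referrers=("dr_dale",))  # ACL(r2): ahmed, patient_1, dale
    m.append(r2, "dr_dale", "referral note")
    out = {"stranger_read": refuses(lambda: m.read(r1, "nurse_cole")),                 # Principle 1
           "flow_to_wider_acl": refuses(lambda: m.copy_entry(r2, r1, "dr_ahmed", 0)),  # baker is not on r2
           "early_delete": refuses(lambda: m.delete(r1, "dr_ahmed"))}                  # Principle 5
    m.add_to_acl(r2, "dr_ahmed", "dr_baker")                             # ACL(r1) is now a subset of ACL(r2),
    m.copy_entry(r2, r1, "dr_ahmed", 0)                                  # so Principle 7 permits this flow
    out["r1_entries"] = len(m.read(r1, "dr_baker"))
    for p in ("patient_2", "patient_3", "patient_4"): m.open_record("dr_ahmed", p, referrers=("nurse_cole",))
    m.add_to_acl(r1, "dr_ahmed", "nurse_cole")                           # a fourth patient triggers Principle 8
    out["aggregation_notice"] = any(n.startswith("SPECIAL") for n in m.records[r1].notifications)
    m.now += RETENTION
    m.delete(r1, "dr_ahmed")
    out["deletions_audited"] = len(m.deletion_trail)
    return out
```

demo() walks one constructed scenario through the monitor and returns what was refused and what the patient was told. The check that most often surprises people is Principle 7: a copy from record A into record B is refused until everyone who can read B can already read A, which is why the referral note cannot be copied into the record that dr_baker shares until he is added to the source record as well. The aggregation notice of Principle 8 fires on the attempt to add someone to a record, before the addition takes effect, so the patient is warned while there is still something to object to.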