Building a Secure National Infectious Disease Database for Health Resources

@RodrigoNieto
Published in Homeland Security
Jan 24, 2017

Strategies, Policies, and Laws for Consideration of Health Practitioners, Insurance Providers, and Governmental Agencies

By

Shawn Harwood (editor)

Donald Neuert

Kimberly Ramsey
Michael Brown
Patrick Keane

The following document is the product of a CHDS project that asked homeland security experts to evaluate how a better use of data could improve homeland security. Because of the nature of the projects, we are making an exception to the editorial guidelines of the collection in order to leave the citations in the way they were offered, instead of using hyperlinks as we normally request.

Chapter I Introduction

Donald Neuert

1. Purpose/Background

The following chapter outlines the ‘problem space’ that serves as the foundation of this team project and discusses elements germane to the topic: the vulnerability of health data to cyber-attacks; health data and interoperability; “Big Data” in healthcare; and the role of the Federal Government with “Big Data.” These topics serve as inherited issues of data security within and between healthcare partners and speak to the issue Team “Web Rats” is researching as part of the CHDS Master’s Degree coursework.

The protection of health data, particularly Personally Identifiable Information (PII), continues to be a significant challenge for public health, healthcare providers, governmental agencies and their partners. The vast majority of the healthcare industry is fragmented and inconsistent in its approach to healthcare data security. The purpose of this paper, in part, is to outline the benefits of creating a national platform and standardized set of rules to help in the administration, governance and handling of PII stemming from infectious disease scenarios to help minimize the health data breaches that continue to rise across the healthcare industry.

Since 2009, a full third of the US population’s health data has been compromised in more than 1,100 breaches.[1] These are just the ones that have been discovered — and reported. Cyber security experts warn that things will only get worse. On the black market, healthcare data is ten times more valuable than credit card data.[2] In addition to financial data, it includes names, birth dates, policy numbers, diagnosis codes, billing information, and often physical descriptors and ailments along with information of next of kin. These datasets can be used for identity theft, drug abuse, or the filing of false insurance claims.[3] Medical centers are trying to keep up with the uncertainties of Health Insurance Portability and Accountability Act (HIPAA) requirements and other conflicting regulations to make medical records both readily available and secure. Since sharing data is often the very thing that puts it at risk, the healthcare industry needs a sophisticated approach that allows data to be portable yet protected between entities. However, with intense budgetary pressures and a severe shortage of cyber security professionals, healthcare is “woefully behind” when it comes to cyber security.[4]

This heady combination of rich, but vulnerable data creates an irresistible target for cyber criminals. Although the challenges are daunting, there is a path forward: a sound strategy and architecture of layered security solutions that work in tandem with one another can be just what the industry needs to thwart cyberattacks. Establishing a consistent approach to data security, with back-up contingencies could be just what the proverbial doctor ordered.[5] It is this problem space that Team “Web Rats” will explore and propose cybersecurity solutions to assist in the prevention of the breaches referenced above to reestablish trust in the healthcare industry by practitioners, partners and most importantly, the patients impacted by emerging health threats or other wide-spread disease situations.

With healthcare data, employee negligence and lost or stolen devices still result in many data breaches. However, the recent trend in healthcare data breaches has shifted from accidental to intentional; criminals are increasingly targeting and exploiting healthcare data.[6] Cyber criminals recognize two critical facts about the healthcare industry: 1) healthcare organizations manage a treasure trove of financially lucrative personal information and 2) they do not have the resources, processes, and technologies to prevent and detect attacks and adequately protect healthcare data.[7]

Studies on healthcare data cybersecurity are looking at breaches beyond the healthcare domain. They now scrutinize business/financial and government associates and partners to obtain a broader, holistic view of the healthcare industry showing the impact third parties have on the privacy and security of healthcare data.[8] Again, this speaks to our ‘problem space’ and the need to establish a better method to protect PII during outbreaks or other infectious disease situations that leverage health-related datasets associated to individuals and patients seeking care and treatment in the homeland. With sensitive information flowing and new threats emerging daily, healthcare organizations and their business associates are at great risk for data breach. In fact, 91 percent of healthcare organizations and 59 percent of business associates experienced a data breach since 2010.[9] There has been a slight uptick in the investments healthcare organizations are making to protect healthcare information, but it is still not enough to address the rapidly changing cyber threat environment. Sadly, half of all healthcare organizations and business associates have little or no confidence that they have the ability to detect data loss or theft.[10]

Healthcare organizations and their business associates are a community of organizations that share vulnerable patient data — a community that provides a larger attack surface, and many points of access, for criminals who are adept at acquiring and exploiting personal information.[11] An interwoven, collaborative cybersecurity platform will provide the greatest amount of security available to protect PII during internal and external exchanges.

2. Current State of Health Data and Interoperability

In order to understand the task for the establishment of a national infectious disease database, we must understand the current state of health data and more importantly, the phases and levels of interoperability as it relates to healthcare data. In healthcare, interoperability is the ability of different information technology systems and software applications to communicate, exchange data, and use the information that has been exchanged. Data exchange schema and standards should permit data to be shared across clinicians, labs, hospitals, pharmacies, and patients, regardless of the application or vendor.[12]

Interoperability provides the ability of health information systems to work together within and across organizational boundaries in order to advance the health status of, and the effective delivery of healthcare for individuals and communities. There are three levels of health information technology interoperability: 1) Foundational; 2) Structural; and 3) Semantic.[13]

“Foundational” interoperability allows data exchange from one information technology system to be received by another and does not require the ability for the receiving information technology system to interpret the data.[14]

“Structural” interoperability is an intermediate level that defines the structure or format of data exchange where there is uniform movement of health data from one system to another such that the clinical or operational purpose and meaning of the data is preserved and unaltered. Structural interoperability defines the syntax of the data exchange. It ensures that data exchanges between information technology systems can be interpreted at the data field level.[15]

“Semantic” interoperability provides interoperability at the highest level, which is the ability of two or more systems or elements to exchange information and to use the information that has been exchanged. Semantic interoperability takes advantage of both the structuring of the data exchange and the codification of the data so that the receiving information technology systems can interpret the information. This level of interoperability supports the electronic exchange of health-related financial data, patient-created wellness data, and patient summary information among caregivers and other authorized parties (and all of these support areas would be applicable in an infectious disease event). Semantic interoperability is possible via potentially disparate electronic health record (EHR) systems, business-related information systems, medical devices, mobile technologies, and other systems to improve wellness, as well as the quality, safety, cost-effectiveness, and access to healthcare delivery.[16]
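The three levels described above, as an added example that is not part of the original paper: a receiver that reports the highest interoperability level it can reach for each incoming message and why it stopped there. The JSON message layout, the `SHARED_CODES` vocabulary, the sample messages and the function name `receive` are all assumptions constructed for illustration.

```python
import json

# Constructed shared vocabulary (assumption, not a real code system):
# code -> (meaning, canonical unit)
SHARED_CODES = {
    "TEMP": ("body temperature", "Cel"),
    "HR": ("heart rate", "/min"),
}

# Unit conversions the receiver knows, keyed by (sent unit, canonical unit).
CONVERSIONS = {
    ("Cel", "Cel"): lambda v: v,
    ("degF", "Cel"): lambda v: (v - 32) * 5 / 9,
    ("/min", "/min"): lambda v: v,
}

# Field-level format agreed between sender and receiver (structural level).
REQUIRED_FIELDS = {
    "patient_id": str,
    "code": str,
    "value": (int, float),
    "unit": str,
}


def receive(payload: bytes) -> dict:
    """Return the highest interoperability level reached for one message."""
    result = {"level": "foundational", "record": None, "problems": []}

    # Foundational: the bytes arrived; the receiver may not be able to read them.
    try:
        doc = json.loads(payload.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        result["problems"].append(f"not UTF-8 JSON ({type(exc).__name__})")
        return result
    if not isinstance(doc, dict):
        result["problems"].append("top-level value is not an object")
        return result

    # Structural: every agreed field is present with the agreed type, and
    # nothing unexpected is accepted, so data is interpretable per field.
    for name, expected in REQUIRED_FIELDS.items():
        if name not in doc:
            result["problems"].append(f"missing field: {name}")
        elif isinstance(doc[name], bool) or not isinstance(doc[name], expected):
            result["problems"].append(f"wrong type for field: {name}")
    for name in sorted(set(doc) - set(REQUIRED_FIELDS)):
        result["problems"].append(f"unexpected field: {name}")
    if result["problems"]:
        return result
    result["level"] = "structural"
    result["record"] = dict(doc)

    # Semantic: the code and unit belong to a vocabulary both sides share,
    # so the receiver can interpret and use the value, not just store it.
    entry = SHARED_CODES.get(doc["code"])
    if entry is None:
        result["problems"].append(f"code not in shared vocabulary: {doc['code']}")
        return result
    meaning, canonical_unit = entry
    convert = CONVERSIONS.get((doc["unit"], canonical_unit))
    if convert is None:
        result["problems"].append(f"no conversion from unit: {doc['unit']}")
        return result
    result["level"] = "semantic"
    result["record"] = {
        "patient_id": doc["patient_id"],
        "code": doc["code"],
        "meaning": meaning,
        "value": round(convert(doc["value"]), 1),
        "unit": canonical_unit,
    }
    return result


# Constructed sample messages, one per outcome.
SAMPLES = {
    "garbled": b"\xff\xfe\x00not-a-record",
    "missing_unit": b'{"patient_id": "P-001", "code": "TEMP", "value": 38.5}',
    "local_code": b'{"patient_id": "P-001", "code": "LOCAL-17", "value": 101.3, "unit": "degF"}',
    "shared_code": b'{"patient_id": "P-001", "code": "TEMP", "value": 101.3, "unit": "degF"}',
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        outcome = receive(payload)
        print(label, outcome["level"], outcome["problems"] or outcome["record"])
```

The `local_code` message stops at the structural level: every field parses, but the receiver cannot act on a code it has no shared definition for.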

3. Big Data in Healthcare

Big Data is a big buzzword today. The topic has been making waves in other industries for some time, but its applications in healthcare are still in their formative stages. While the use of big data shows exciting promise for improving health outcomes and controlling costs, it seems to be defined somewhat differently in healthcare. The concept refers to vast quantities of data — created by the mass adoption of the Internet and digitization of all sorts of information, including health records — too large or complex for traditional technology to utilize.[17]

In healthcare, HIPAA compliance is non-negotiable. Nothing is more important than the privacy and security of patient data, including data exchanged during health emergencies such as an infectious disease outbreak. Frankly, there aren’t many good, integrated ways to manage security in big data.[18] Although healthcare cybersecurity is making progress, it has been an afterthought up to this point. If a hospital only has to grant access to a couple of data scientists, it doesn’t have too much to worry about. However, when it allows access to a large, diverse group of users, security cannot be an afterthought.[19]

Healthcare organizations are taking significant steps today to ensure better security of big data, but big data runs on open source technology with inconsistent security infrastructures. To avoid or minimize vulnerability issues, organizations need to be selective about big data vendors and stop assuming that big data distribution will be secure.[20] Privacy issues will continue to be a major concern. Although new computer programs can readily remove names and other personal information from records being transmitted into large databases, stakeholders across the industry must be vigilant and watch for potential problems as more information becomes public.[21] Healthcare organizations will need to learn from other data-driven revolutions taking place in government sectors.

Big-data initiatives have the potential to transform healthcare. Stakeholders that are committed to innovation and willing to invest in expanding their capabilities will reap the rewards of big data security, helping their patients achieve better outcomes without making them vulnerable to data theft.[22] Larger governmental entities such as the Centers for Disease Control and Prevention (CDC), the World Health Organization (WHO), and other technically advanced healthcare partners can assist the healthcare industry by promoting innovative security technologies and sharing in-house data security expertise. By engaging in interagency partnerships across the healthcare industry to leverage existing cybersecurity expertise and address industry-wide cyber security needs, the U.S. healthcare institution at large could establish a National Infectious Disease Database (NIDD) to serve as a single, accessible repository for healthcare data. This Big Data archive would be the Fort Knox of healthcare data, implementing the latest cybersecurity innovations to protect against accidental data loss and intentional data theft and cyber intrusion.

a. Federal Government and “Big Data”

In March 2012, the federal government launched the Big Data Research and Development Initiative with $200 million in new spending to improve the tools/techniques needed to track, access, organize, store, model, and analyze information and glean discoveries from huge volumes of digital data.[23] This initiative is focused on government’s use of Big Data for scientific discovery, environmental and biomedical research, healthcare, education, and national security and includes the following:

  • The Department of Defense (DOD) is investing approximately $60 million annually for new projects that will harness and utilize massive data in new ways and bring together sensing, perception, and decision support to make truly autonomous systems that can learn from experience, maneuver and make decisions on their own, and understand the limits of their knowledge. DOD is also planning to improve situational awareness to help warfighters and analysts and provide increased support to operations. Healthcare entities could benefit from these annual investments.[24]
  • The Defense Advanced Research Projects Agency (DARPA) is beginning the XDATA program, with $25 million annually for four years to develop computational techniques and software tools for analyzing large volumes of data, both semi-structured and unstructured (text documents and message traffic).[25]
  • The National Institutes of Health (NIH) and the National Science Foundation (NSF) are investing in Big Data science and engineering. This research is focused on managing, analyzing, visualizing, and extracting useful information from large data sets; the NIH is particularly interested in those relating to health and disease — molecular, cellular, electrophysiological, chemical, behavioral, epidemiological, and clinical.[26]
  • The Department of Energy will provide $25 million in funding to establish the Scalable Data Management, Analysis, and Visualization (SDAV) Institute. Led by Lawrence Berkeley National Laboratory, the SDAV Institute will bring together the expertise of six national laboratories and seven universities to develop new tools to help scientists manage and visualize data on the department’s supercomputers.[27]
  • The U.S. Geological Survey (USGS) launched Big Data for Earth System Science. This initiative will improve understanding of species response to climate change, earthquake recurrence rates, and the next generation of ecological indicators.[28]

In their revised Open Government 2.0 plans, agencies were required to address their plans for using Big Data. For example, the U.S. Department of Health & Human Services, with an estimated waste, fraud, and abuse cost of approximately $66 billion in 2011 (see paymentaccuracy.gov), created plans that look into new insights and interactions of linked data sets to better understand healthcare expenditure, use of services, and cost of care at the community and provider levels.[29]

This chapter described the fragmented and inconsistent methodologies by which the healthcare industry maintains and shares healthcare data. This weakness represents a soft target for cyber intruders looking to profit from the theft of this rich information resource. Government has the technology, partnerships and expertise to protect this Big Data and thwart cyberattacks aimed at compromising health/patient information. To remedy this flaw in our healthcare system, the Webrats propose the creation of the NIDD, a cyber fortress behind which the nation can securely store, control, and protect the nation’s healthcare information.

Chapter II Policy and Data Overview

Kimberly Ramsey

The need for a National Infectious Disease Database to contain and protect healthcare Big Data is quite obvious — infectious disease is a leading cause of illness and death around the world. The challenge is in how we get there. The current reality is that if there were an outbreak or other infectious disease scenario that struck the homeland, we would be inadequately prepared to treat those individuals seeking care. However, before we recommend how to go about creating the NIDD, we must first consider competencies, digital data decision-making, and how the policies we implement may impact service providers. As a nation we have a lot to learn — we must scrutinize current initiatives and guiding policies, implement an application-programming interface (API), evaluate past failures, and explore ‘best practice’ from countries like France.

Currently, there is no centralized database for Infectious Disease. The American healthcare system is comprised of individual electronic medical records (EMRs) from multiple providers. In order to allow your family doctor to see results from your specialist doctor, a consent form for medical record release must be signed. However, some initial steps have been made to transition our healthcare into a paperless connected network. The Office of National Coordinator for Health Information Technology (ONC) provided funding to develop the Nationwide Health Information Network (NwHIN) — “a set of standards, services, and policies to securely exchange health information over the Internet”.[30] This effort will eventually allow the U.S. to transition from paper medical records to a paperless electronic health information exchange (HIE). In a 2009 electoral speech outlining his economic plan, President Obama stated, “We will make the immediate investments necessary to ensure that within five years all of America’s medical records are computerized.” He pointed out that “digital medical records could prevent medical errors, save lives and create hundreds of thousands of jobs.”[31]

In 2011, the CDC released an IT Framework for Infectious Disease, titled the Framework for Preventing Infectious Diseases: Sustaining the Essentials and Innovating for the Future. In it, the CDC outlined three critical elements needing to be addressed. They included:

1.) Strengthen public health fundamentals, including infectious disease surveillance, laboratory detection, and epidemiologic investigation.

a. Modernize infectious disease surveillance to drive public health action

b. Expand the role of public health and clinical laboratories in disease control and prevention

c. Advance workforce development and training to sustain and strengthen public health practice

2.) Identify and implement high-impact public health interventions to reduce infectious diseases

a. Identify and validate high-impact tools for disease reduction, including new vaccines; strategies and tools for infection control and treatment; and interventions to reduce disease transmitted by animals or insects

b. Use proven tools and interventions to reduce high-burden infectious diseases, including vaccine-preventable diseases; healthcare-associated infections; HIV/AIDS; foodborne infections; and chronic viral hepatitis

3.) Develop and advance policies to prevent, detect, and control infectious diseases

a. Ensure the availability of sound scientific data to support the development of evidence-based and cost-effective policies

b. Advance policies to improve prevention, detection, and control of infectious diseases to help integrate clinical infectious disease preventative practices into U.S. healthcare; increase community and individual engagement in disease prevention efforts; strengthen global capacity to detect and respond to outbreaks with the potential to cross borders; address microbial drug resistance; and promote “One Health” approaches to prevent emergence and spread of zoonotic diseases.[32]

The integration of data across healthcare systems must also follow tight guidance and policy to ensure the security of patients’ data. As Representative Edward J. Markey of Massachusetts pointed out, without strong safeguards, the dream of electronic health information networks could turn into “a nightmare for consumers.”[33] Our database must manage risk and achieve regulatory compliance by adhering to HIPAA and HITECH. Using a unique health identifier (UHI) is a must. It will not only ensure HIPAA security measures are implemented, but it will also help ensure the accuracy of a patient’s file when transmitted across the network. Fragmentation of patient data, without the use of a UHI, can lead to medical errors and adverse events.[34]

The need for a national health information infrastructure is not a new concept. In 2004, the Institute of Medicine stated, “A national health information infrastructure is needed (1) to provide immediate access to complete patient information and decision support tools for clinicians and their patients and (2) to capture patient safety information as a by-product of care and use this information to design even safer delivery systems”.[35] Our National Infectious Disease database for health resources would follow the same principles. However, we must first agree upon data standards applicable to the collection, coding, and classification of patient safety information, ensure patient safety remains a priority, and improve information systems. Americans should be able to count on optimal healthcare.

All of the data needed to develop a NIDD for health resources already exists; there is just no means to transfer and fuse the data from one system to another. The lack of common data standards has prevented the sharing of medical information between patients, healthcare providers, pharmacies, and insurance companies alike. The system must also incorporate a robust safety reporting system and be able to learn from near misses and adverse events. This will allow developers to continuously build a safer and more comprehensive database. Other considerations include a common file type based on size, prioritization for the transfer of data, connectivity speeds, and transfer restrictions.

When building a NIDD for Health Resources, one must take into consideration the need for an API that will enable programmers and organizations to coalesce across projects and established databases. An API also provides the federal government an avenue to open up data to public and private sectors for development. By forcing developers to use a consistent programming interface, a breakdown of data, and a standardization of terms and units, APIs could help move the industry towards a single National Infectious Disease Database.[36]

The second advantage of creating an API is that it requires sites to package data into tiny bits, making it easy to transfer medical information across the network. These tiny, atomistic chunks of data can be used to exchange information in the form of discharge summaries and continuity of care documents, to name a few. It will also ensure that no matter which electronic health record (EHR) system is being used or how that data is defined, it can still be shared in a standard format such as XML, PDF, and DOCX.[37]

The third advantage is the implementation of data standards, such as key terms and units. Data standards are the “principal informatics component necessary for information flow through the national health information infrastructure”.[38] While clinicians’ narratives and patient observations are extremely important — often used as a key component for diagnosis — they are compiled in an unstructured format that APIs cannot use. By utilizing an integrated information infrastructure, the data collected can be searchable, retrievable, and transferable across the network. The fact is that clinician decision support, public health, and research are all dependent upon quantifiable data, which APIs contribute to. Furthermore, natural language processing can be used to automate the “binning” of key terms into their appropriate fields. The common data standards also help to support the effective integration of new data into decision support tools, allowing for overall improved healthcare.

One API project currently in use and supported by the government is the Substitutable Medical Apps, Reusable Technology (SMART).[39] In 2010, the U.S. government, through the Office of the National Coordinator, signed a four-year, $15 million contract to fund the creation and development of SMART in an effort to push Meaningful Use standardization requirements forward.[40] Since then, numerous investors have joined the SMART Advisory Committee and are supporting SMART through philanthropy, strategic guidance, and deployments. Additionally, the five largest EHR vendors partnered with SMART and the HL7 organization, through a project called Argonaut, to implement SMART into their products and standardize the SMART API in HL7[41] specifications.[42]

Today, SMART affords healthcare providers a simple, modern, and consistent API for data exchange. SMART Health IT is an open, standards-based technology platform that enables developers to create apps to run seamlessly and securely across the healthcare system. Its use of Fast Healthcare Interoperability Resources (FHIR) combines the best features of HL7 V2, HL7 V3, and CDA, while leveraging the latest web service technologies.[43] With read-only capability, clinicians are only able to extract data from SMART sites, not write data back in. Dr. Kenneth Mandl, leader of the SMART and Indivo projects, said, “we did not want to encourage the loading of data into proprietary and non-standard records, where it could get trapped”.[44]

Using SMART as the backbone for the NIDD would enable patients to have virtual control of their medical records at the click of a button. The patient portal would provide clinicians access to a patient’s full medical history in near real time, thus enabling them to provide better comprehensive care. The patient would also have the ability to easily share their medical case with researchers. Software developers, healthcare providers, healthcare institutions and public health would also reap benefits from SMART by reducing cost and complexity of integration of customers’ EHR systems, adding new capabilities and data fusion to existing systems, improving return on EHR investments, and allowing the transfer of ideas, functionality, and workflow.[45]

The French Healthcare System is also an example of best practices in action. When you walk into a doctor’s office, medical center, or hospital in France you will find no filing cabinets, only computers and tablets. The French medical system is paperless. Patients are issued a chip-enabled green plastic card — similar to a credit card — that has direct access to their entire medical records. Once the clinician slides the card, the patient’s full medical history, such as prior diagnoses, lab tests, prescriptions, and x-rays, appears. The medical card is also used to track medical expenses, insurance claims, and payments made. Furthermore, encryption is used to prevent privacy breaches and hacking.[46]

While the push to develop a HIE began around the same time, the U.S. has lagged in development and implementation. One significant tradeoff has surrounded patient privacy. Unfortunately, the U.S.’s primary focus has been on the NwHIN infrastructure and technology standards at the expense of patient privacy. France, on the other hand, focused on the development of a fully integrated electronic Health Record Program that prioritized patient privacy when implementing the Dossier Médical Personnel (DMP) system in 2004 — their national, interoperable health information exchange.[47] The U.S. should look to French privacy laws when developing national privacy law and ensure stakeholders are educated on limitations imposed by these new privacy laws and other laws that will govern EHR adoption.[48]

Chapter III Legal Framework

Michael Brown

1. Overview

A National Infectious Disease Database for Health Resources, as the title suggests, must focus on the protection of personally identifiable information (PII). Several national and international organizations have recognized the need to provide both the legal and policy frameworks for all of the issues surrounding infectious diseases. The International Health Regulations have served to provide these frameworks for over 45 years and have been revised by the World Health Organization for use on a global scale.[49] Nationally, HIPAA in 1996 along with the Turning Point Model State Public Health Act (MSPHA) in 2003 marked the latest efforts for a model health law reform that states use to reform their laws. It has been used in at least 22 different states since being signed into law in 2003.[50],[51] One of the core tenets of public health law, at least in the United States, is that the “Government (particularly state government) is compelled by its role as the representative of the community to act affirmatively to protect the public’s health, but cannot unduly invade individual rights in the name of the communal good.”[52] The MSPHA and subsequent state legislation based on the MSPHA protect individual rights and their PII through the articles within the statutes that expressly cover public health information privacy.
This is based on the 1999 Model State Public Health Privacy Act (MSPHPA) that “addresses privacy and security issues arising from the acquisition, use, disclosure, and storage of identifiable health information by public health agencies at the state and local levels.”[53] This act helps regulate the handling of identifiable, health-related information by public health agencies without significantly limiting the ability of these agencies to use such information for legitimate public health purposes.[54] This chapter will specifically outline the national and international legal frameworks that impact the creation of a national infectious disease database and will help shape how our proposed national database will protect individual rights, PII, and health agencies’ abilities to use infectious disease-related data for public health purposes.

Globally, the World Health Organization’s (WHO) Division of Emerging and Other Communicable Disease Surveillance and Control is the principal body that revises and issues the International Health Regulations. These are the “central legal framework for addressing the international spread and control of infectious disease.”[55] The WHO and its International Health Regulations (IHR) are simultaneously working to improve detection of infectious disease outbreaks by improving on diagnostic facilities around the world while improving access to the data that these facilities generate, especially in isolated parts of the world. How these facilities access and share infectious disease data, and the legal frameworks that will apply to each country that supports or participates with the WHO, have direct implications for our team’s proposed national infectious disease database (NIDD). However, by design the IHR are very broad. The majority of the WHO’s World Health Assembly legal frameworks focus on security and prevention of international outbreaks within the context of member state implementation and not necessarily on big data security and privacy protections.[56] However, the WHO has recently published the following resource for all of its 194 member states, “Strategizing national health in the 21st century: a handbook.”[57] Chapter 10 of the handbook focuses on the legal and regulatory frameworks for national health systems, but it provides only an outline of types of legal frameworks and examples of member state laws and falls short of providing specific guidance to member states on the use and protection of big data related to infectious diseases.[58] However, Article 45 (Treatment of personal data) of the latest ratified and implemented version of the IHR does outline guidance for member state national law:

1. Health information collected or received by a State Party pursuant to these Regulations from another State Party or from WHO which refers to an identified or identifiable person shall be kept confidential and processed anonymously as required by national law.

2. Notwithstanding paragraph 1, States Parties may disclose and process personal data where essential for the purposes of assessing and managing a public health risk, but State Parties, in accordance with national law, and WHO must ensure that the personal data are: (a) processed fairly and lawfully, and not further processed in a way incompatible with that purpose; (b) adequate, relevant and not excessive in relation to that purpose; (c) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete are erased or rectified; and (d) not kept longer than necessary.

3. Upon request, WHO shall as far as practicable provide an individual with his or her personal data referred to in this Article in an intelligible form, without undue delay or expense and, when necessary, allow for correction.[59]

Therefore any national healthcare database, including our team’s proposed NIDD, would have to comply with WHO IHR guidance from 2005 and with national law.

Domestically, HIPAA and its subsequent revisions in 2003, 2009 and 2013 codify our national health law.[60] Its Privacy Rule regulates the use and disclosure of Protected Health Information (PHI). Additionally, HIPAA defines health information as follows: “Health information means any information, whether oral or recorded in any form or medium, that (A) is created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of any individual, the provision of healthcare to an individual, or the past, present, or future payment for the provision of healthcare to an individual.”[61] Further, HIPAA defines personally identifiable information for the healthcare community: “Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:

(1) Is created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse; and

(2) Relates to the past, present, or future physical or mental health or condition of payment for the provision of healthcare to an individual; and

(i) That identifies the individual; or

(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.”[62]

Lastly, HIPAA sets into national law the definition of protected health information: “Protected health information means individually identifiable health information [previously defined]: (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium.”[63]

Any national database designed to be a one-stop shop for national infectious disease data will have to comply with the HIPAA federal law that describes how protected health information is to be defined and protected under HIPAA’s Privacy and Security Rules.[64] HIPAA does not expressly mention infectious disease data management. However, as infectious disease patients are protected under HIPAA, the NIDD will have to incorporate HIPAA implementation specifications. These requirements stipulate the process for “de-identification” by stating which individually identifiable health information is to be removed from records/databases like the NIDD. Specifically, HIPAA states that the following identifiers must be removed for effective “de-identification” to take place: names; all geographic address information except for the initial three digits of zip code; all elements of dates (except year) for dates directly related to an individual; telephone and fax numbers; email addresses; social security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers and serial numbers, including license plate numbers; device identifiers and serial numbers; web Universal Resource Locators (URLs); Internet Protocol (IP) address numbers; biometric identifiers, including finger and voice prints; full face photographic images and any comparable images; and any other unique identifying number, characteristic, or code.[65]

This list of PII is extensive and may lead some to conclude that a NIDD would be rendered useless by existing HIPAA laws regardless of any state legislation under MSPHA or foreign legal frameworks promoted by WHO. However, HIPAA does allow for the use of healthcare data through a “re-identification” process:

(c) Implementation specifications: re-identification. A covered entity may assign a code or other means of record identification to allow information de-identified under this section to be re-identified by the covered entity, provided that: (1) Derivation. The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and (2) Security. The covered entity does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification.[66] [67]
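The de-identification list and the re-identification provision quoted above can be combined in one routine. The following Python example is added here and is not code from the paper or from any NIDD implementation; the field names, the sample record and the ReidentificationVault class are hypothetical, and only the identifier categories listed above are modeled.

```python
import re
import secrets
from datetime import date

# Hypothetical field names. Anything not classified below is withheld, which
# also covers "any other unique identifying number, characteristic, or code".
DATE_FIELDS = {"birth_date", "admission_date"}            # only the year is shared
SHAREABLE = {"diagnosis_code", "pathogen", "lab_result"}  # passed through unchanged
FREE_TEXT = {"clinical_note"}                             # shared after scrubbing

# Identifier shapes that leak into free text; URLs first so that an address
# embedded in a URL is removed together with it.
TEXT_PATTERNS = [
    ("url", re.compile(r"https?://\S+")),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone", re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("ip_address", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]

# Constructed sample record, not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Roe",
    "street_address": "12 Example Street",
    "zip": "93940",
    "birth_date": "1975-03-14",
    "admission_date": "2016-11-02",
    "phone": "831-555-0142",
    "ssn": "000-12-3456",
    "medical_record_number": "MRN-0001",
    "ip_address": "192.0.2.10",
    "diagnosis_code": "A37.90",
    "pathogen": "Bordetella pertussis",
    "clinical_note": "Patient reachable at 831-555-0142 or jane.roe@example.org.",
    "insurance_tier": "gold",  # unclassified field: withheld by default
}


class ReidentificationVault:
    """Code-to-identity map kept by the covered entity, apart from shared data."""

    def __init__(self):
        self._identities = {}

    def assign_code(self, identity):
        # Random code: not derived from, or related to, anything about the person.
        code = secrets.token_hex(16)
        self._identities[code] = identity
        return code

    def reidentify(self, code):
        return self._identities[code]


def scrub_text(text):
    """Replace identifier-shaped substrings in free text with a type marker."""
    for kind, pattern in TEXT_PATTERNS:
        text = pattern.sub(f"[{kind}]", text)
    return text


def deidentify(record, vault):
    """Return the shareable view of a record; withheld values go to the vault."""
    shared, withheld = {}, {}
    for field, value in record.items():
        if field == "zip":
            shared["zip3"] = value[:3]  # initial three digits only
            withheld[field] = value
        elif field in DATE_FIELDS:
            year_field = field.rsplit("_", 1)[0] + "_year"
            shared[year_field] = date.fromisoformat(value).year
            withheld[field] = value
        elif field in SHAREABLE:
            shared[field] = value
        elif field in FREE_TEXT:
            shared[field] = scrub_text(value)
            withheld[field] = value
        else:
            # Listed identifiers and any field nobody classified: fail closed.
            withheld[field] = value
    shared["record_code"] = vault.assign_code(withheld)
    return shared


if __name__ == "__main__":
    vault = ReidentificationVault()
    print(deidentify(SAMPLE_RECORD, vault))
```

The vault is the "mechanism for re-identification" and stays with the covered entity; only the output of deidentify leaves it.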

In conclusion, our team’s proposed National Infectious Disease Database will have to comply first and foremost with our nation’s healthcare law, HIPAA, while also offering the functionality to facilitate information sharing across local, state, federal, and international boundaries. The NIDD will also have to comply with the WHO’s IHR since the United States is one of the 194 member states of the WHO. This means that the data contained within our database will have to be shared internationally through the WHO and with other member states. Our database will have to protect PII of individuals while also providing data for healthcare practitioners, researchers, research institutes, etc. Our database can achieve this through existing technology within the existing legal frameworks that HIPAA, WHO, and organizations like the CDC provide. However, as Figure 2 suggests, most compromises of healthcare data do not happen within these databases themselves but through theft of data at the user end.[68]

Figure 2: HIPAA Data Breaches

This means that our database will likely have to comply with individual states’ public health laws that outline use in each state of healthcare data and with HIPAA violations. To do this, our database should provide a mechanism for de-identification and re-identification of the data for individuals to comply with any legal proceedings related to any violations. Our database should also provide a mechanism where users of the data can report any HIPAA violations.

Chapter IV Cyber Security Recommendations for an NIDD Cyber Fortress

Shawn Harwood

From a security standpoint, the NIDD will be a cyber fortress to warehouse and manage healthcare Big Data. The foundation for this bastion of healthcare Big Data must be advanced cyber security. In order to protect the NIDD from cyberattack, from both remote intrusion attempts and internal theft efforts, network administrators must employ a number of upgrades to standard system protections. The following chapter recommends service options to implement new or upgrade existing cyber security features. In order to fully describe their potential merits in securing the NIDD from illegal access and theft, each section will not only describe the specific functionality of the recommended security option, but also describe its value within the cyber security doctrines of Critical Security Controls, the Intrusion Kill Chain, and Defense-in-Depth.

Critical Security Controls (CSC) are described by the Center for Internet Security as a “concise, prioritized set of cyber practices created to stop today’s most pervasive and dangerous cyber attacks.”[69] This list of 20 security practices is compiled by cyber experts from around the world, who claim the ability to reduce a network’s vulnerability to cyber-attack by up to 94 percent, depending on the number of CSC practices implemented.[70] The Intrusion Kill Chain framework is a cyber security defense tool developed by Lockheed Martin network security in 2011 and subsequently adopted by public and private cyber security sectors. The framework identifies seven steps that comprise a successful cyber intrusion:[71]

The framework argues that successful network security employs methodologies that break a cyber intrusion effort at one or more of these seven levels.[72] The Defense-in-Depth (DID) concept is based on the National Security Agency’s cyber security paradigm: “Protect, Detect, React.” This doctrine argues for a comprehensive, layered security platform that protects a network at all levels of cyber infrastructure.[73]

The cyber security recommendation for the NIDD is a two-tiered approach. At the macro level, this means cyber security will maintain a watchful eye for both internal and external threats. The systems protection for internal threats will focus on the implementation of a robust Data Loss Prevention security suite. The systems protection for external threats will focus on an upgraded Endpoint Protection suite that incorporates Artificial Intelligence and an algorithmic approach to identifying remote cyber intrusion attempts.

1. Data Loss Prevention

Data Loss Prevention (DLP) applications guard against insider threats — authorized users with the intention of accessing and leaking/stealing sensitive, proprietary information.[74] This is a particularly relevant issue with regard to the protection of healthcare data, as many healthcare databases do not employ any form of internally focused security application. Access points to the NIDD will be maintained in unclassified areas and may be easy to access without credentials depending on the efficiency of end user security practices. As mentioned in Chapter 1, it is entirely plausible in the current climate of insider cyber theft that an employee or contractor would attempt to exfiltrate NIDD information for the purposes of exploiting the data for profit. The absence of a DLP protection platform makes this theft too easy.

DLP application goals and methodologies are different from Endpoint Protection suites, which rely on antivirus and firewalls to protect sensitive data. The DLP approach prevents data loss by defining the way information can be shared and blocking unauthorized, unprotected endpoint (CD/DVD or USB drive) and Web access.[75] A typical DLP suite such as the Symantec Data Loss Prevention Solution suite performs the following actions to secure against data loss:[76]

• Identifies the locations where data is stored in the cloud, mobile, network, endpoint, and storage systems
• Monitors how data is used, whether employees are on or off the network
• Controls access to the system via endpoint devices and direct Web access.

a. Critical Security Controls and the Impact on the Intrusion Kill Chain

DLP applications support two Critical Security Control (CSC) elements. DLP software supports the CSC element Inventory of Authorized and Unauthorized Devices by applying and enforcing rules to device-driven and web-based data retrieval/forwarding methodology, which limits the unauthorized theft of proprietary data. This software approach also supports the CSC element Continuous Vulnerability Assessment and Remediation by logging access and data retrieval/forwarding attempts, which monitors the system activity of authorized users and limits potential system vulnerabilities.

DLP software breaks the Intrusion Kill Chain in two primary areas. At the Data Exploitation stage, DLP accounts for how and where information is stored, how it is normally used, and with whom it is normally shared. This allows the system to identify authorized users accessing or storing data in unauthorized or abnormal ways. At the Actions on Objective stage, DLP software prevents authorized users from exfiltrating data via e-mail or endpoint devices that contravene established and approved methodology.

b. Contribution to Defense-in-Depth

Implementing a DLP software platform addresses the Defense-in-Depth requirements of people, operations, and technology, with a particular focus on controlling the flow of information through the technology element. Standard Endpoint Protection Suites primarily defend against remote intrusions, but are ineffective when the attack comes from inside the walls. DLP software is designed to stop losses from the insider threat, the “high risk” employee with authorized access and bad intentions. The NIDD network administrators could employ one of several commercially available solution products such as Symantec’s Data Loss Prevention Solution or McAfee’s Total Protection to implement the Data Loss Prevention security feature.

2. Artificial Intelligence and Algorithmic Endpoint Protection

While most government network security platforms employ a version of Endpoint Protection, the NIDD would benefit from enhancing the standard approach by implementing a software application that uses artificial intelligence (AI) and algorithms to identify malware in time to inhibit successful remote intrusion. Traditional endpoint protection attempts to recognize the “signature” of known malware code and block its operation, which leaves the network vulnerable to new code that is not recognizable as a threat. The AI/algorithmic approach is NextGen endpoint protection, applying a more dynamic method to endpoint protection by mapping existing network files in order to recognize outside code and prevent its execution on the protected network.[77] This approach protects the system regardless of any prior knowledge of the particular malware code.

In addition to mapping the network code, intelligent endpoint protection is able to detect active hacking efforts targeting system passwords and permissions. These “authentication attacks” develop a pattern which the AI can recognize through passive monitoring of system activity. As a rule, AI is particularly suited to pattern recognition. Therefore, AI cyber security is able to identify the patterns of a hacker’s attempts to scan for password/permission vulnerabilities and alert network administrators or prevent the scan with security countermeasures.[78]
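The pattern recognition described above can be illustrated with fixed-threshold rules over authentication logs. This is an added example, not code from the paper or from any vendor product named in it, and it uses sliding-window counts rather than AI; the log format, the thresholds and the sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed look-back window
MAX_FAILS_PER_ACCOUNT = 5       # assumed threshold
MAX_ACCOUNTS_PER_SOURCE = 4     # assumed threshold

# Constructed sample log; the line format is hypothetical.
SAMPLE_LOG = """\
2016-12-01T02:14:07 FAIL user=alice src=198.51.100.7
2016-12-01T02:14:31 FAIL user=bob src=198.51.100.7
2016-12-01T02:15:02 FAIL user=carol src=198.51.100.7
2016-12-01T02:15:40 FAIL user=dave src=198.51.100.7
2016-12-01T03:00:00 FAIL user=svc_lab src=203.0.113.5
2016-12-01T03:00:30 FAIL user=svc_lab src=203.0.113.9
2016-12-01T03:01:00 FAIL user=svc_lab src=203.0.113.5
2016-12-01T03:01:30 FAIL user=svc_lab src=203.0.113.9
2016-12-01T03:02:00 FAIL user=svc_lab src=203.0.113.5
2016-12-01T08:00:05 FAIL user=erin src=10.0.4.21
2016-12-01T08:00:19 FAIL user=erin src=10.0.4.21
2016-12-01T08:00:40 OK user=erin src=10.0.4.21
2016-12-01T09:00:00 FAIL user=frank src=10.0.4.30
2016-12-01T09:10:00 FAIL user=frank src=10.0.4.30
2016-12-01T09:20:00 FAIL user=frank src=10.0.4.30
2016-12-01T09:30:00 FAIL user=frank src=10.0.4.30
2016-12-01T09:40:00 FAIL user=frank src=10.0.4.30
""".splitlines()


def parse(line):
    """Split 'timestamp outcome user=<name> src=<address>' into a tuple."""
    stamp, outcome, user, src = line.split()
    return (datetime.fromisoformat(stamp), outcome,
            user.partition("=")[2], src.partition("=")[2])


def detect(lines):
    """Return (kind, subject, time) alerts, at most one per kind and subject."""
    fails_by_account = defaultdict(deque)  # user -> failure times in window
    fails_by_source = defaultdict(deque)   # src -> (time, user) in window
    alerts, raised = [], set()

    def alert(kind, subject, when):
        if (kind, subject) not in raised:
            raised.add((kind, subject))
            alerts.append((kind, subject, when.isoformat()))

    events = sorted(parse(line) for line in lines if line.strip())
    for when, outcome, user, src in events:
        if outcome != "FAIL":
            continue

        # Many failures against one account, whatever the source address.
        per_account = fails_by_account[user]
        per_account.append(when)
        while when - per_account[0] > WINDOW:
            per_account.popleft()
        if len(per_account) >= MAX_FAILS_PER_ACCOUNT:
            alert("repeated-failure", user, when)

        # One source failing against many different accounts.
        per_source = fails_by_source[src]
        per_source.append((when, user))
        while when - per_source[0][0] > WINDOW:
            per_source.popleft()
        if len({name for _, name in per_source}) >= MAX_ACCOUNTS_PER_SOURCE:
            alert("account-sweep", src, when)
    return alerts


if __name__ == "__main__":
    for found in detect(SAMPLE_LOG):
        print(found)
```

The two mistyped passwords from erin and the slow failures from frank stay below both thresholds, which is the trade-off any fixed window makes between false alarms and missed slow attempts.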

a. Critical Security Controls and the Impact on the Cyber Kill Chain

AI/algorithmic endpoint protection is a smarter, more dynamic approach to identifying and blocking attempts at cyber intrusion. This software supports the CSC elements of Continuous Vulnerability Assessment and Remediation as well as Inventory of Authorized and Unauthorized Software by engaging in regular monitoring of network code and active review of system activity for identification of intrusion patterns. By mapping the network to locate the signature of outside code and recognizing the patterns of active hacking attempts, this application creates a protective shield that addresses hacker behavior rather than relying on malware updates. This method breaks the Intrusion Kill Chain in two primary areas. At the Command and Control stage, the software maintains control over acceptable, known system code and blocks any non-system code. At the Actions on Objective stage, the AI/algorithmic software recognizes the active scanning attempts of hackers searching for system vulnerabilities and alerts or actively blocks the activity.

b. Contribution to Defense-in-Depth

The AI/algorithmic endpoint protection contributes to the Defense-in-Depth concept by providing layers of smart security. This unique security application is integrated into the network infrastructure, knowing the signature of acceptable, known system code and actively looking for any application that doesn’t belong. Additionally, the AI’s ability to monitor for “hacker patterns” provides a layer of protection that equates to a 24/7 cyber security guard checking the access points of the network. The NIDD network administrators could employ one of several commercially available products such as Cisco’s FirePower protection suite or Cylance’s CylancePROTECT to implement AI/Algorithmic Endpoint Protection.

3. Conclusion

In order to provide enhanced cyber protection to secure the healthcare Big Data contained in the NIDD, network administrators must elevate their game. Tomorrow’s cyber protection depends on an awareness of both internal and external threats to the network. In today’s era of malicious insiders like Edward Snowden and Thomas Martin III, network security must scrutinize the behavior of its authorized users as carefully as it watches for outside hackers. The data loss protection recommendation in this chapter integrates a watchful eye that can effectively monitor employee/contractor behavior for potential data theft.

Traditionally, endpoint protection solutions have depended on a static firewall suite to defend against outside intrusion efforts, a defense that was only as intelligent as its last malware patch. The NextGen endpoint protection recommendation in this chapter argues for an upgrade to this approach. Network administrators should arm their security platform with dynamic, intelligent applications that can actively recognize and respond to remote cyber-attacks by their patterns of behavior and code signatures.

Chapter V Strategy for Improvement

Patrick Keane

1. Implementing Improvements in Healthcare Data Handling

As we have demonstrated, there are some significant deficiencies in regard to the protection and transmission of healthcare data among healthcare providers. This brings us to a fork in the road, where we will need to choose where to go with healthcare safety information. Shall we continue going down the present road, and suffer the consequences that will inevitably occur as our information is hacked, stolen, or compromised by increasingly talented cyber intruders? Or can we choose a different path, one that protects our healthcare and personal information while still allowing access to healthcare providers?

U.S. healthcare delivery is in the midst of a profound transformation which results, at least in part, from federal policy efforts to encourage the adoption and use of health information technology, but more still needs to be done. We also need to adopt electronic health record (EHR) systems, which are often accompanied by heightened recognition of issues related to “goodness of fit.”[79] Information technology upgrades offer many potential benefits to healthcare. The use of EMRs is needed to facilitate access to more complete, accurate health data, which will yield better decisions about patient care.[80]

The implementation of advanced communications networks can enable the sharing of data among the various distributed elements of integrated healthcare delivery systems.[81] These advances in communication networks can enable telemedicine programs to overcome geographic boundaries that currently exist between patients and providers. Enhanced electronic data processing techniques can enable managed care providers, health services researchers, and public and private oversight organizations to conduct more sophisticated analyses of healthcare utilization and outcomes.[82] Electronic billing and administration systems would help reduce the administrative costs of healthcare. Computer-based decision support tools can help reduce variation in healthcare quality across providers, improve adherence to standards of care, and reduce costs by eliminating duplicative or unnecessary tests and therapeutic procedures.[83]

The American Medical Informatics Association (AMIA) is an organization that has been advocating improvement of computer science and information systems, or informatics, in the healthcare industry for over 35 years.[84] The work that the AMIA produces in informatics is motivated by the need to create solutions using information technology that enhance biomedical science, the health of the populace, and the quality and safety of care that is provided to individuals when they are ill.[85] They support Translational Bioinformatics, which is the development of storage, analytic, and interpretive methods to optimize the transformation of increasingly voluminous biomedical data into proactive, predictive, preventive, and participatory health solutions.[86]

Information technology is becoming increasingly important in improving the quality and lowering the costs of healthcare. Attempts to protect patient privacy must therefore center on finding ways to protect sensitive electronic health information in a computerized environment, rather than on opposing the use of information technology in healthcare organizations.[87] Recent reports describe the safe and effective use of EHR as a result of careful integration of multiple factors in a broad sociotechnical framework.[88] These include coordination and consideration across requirements assessment, application design, usability and human factors engineering, implementation, training, monitoring, and feedback to application developers.[89], [90]

The healthcare industry needs to take a more aggressive approach to improving the security of health information systems in order to better protect electronic health information. Healthcare organizations have been slow to adopt strong security practices, due largely to a lack of strong management and organizational incentives. Fortunately, there have been no major security breaches that have occurred which might have driven regulatory improvement.[91] Thus, the information technology vendor community has not found an incentivized market for developing security features for the healthcare industry.[92]

Patients have important roles to play in addressing privacy and security concerns. Some of the greatest concerns regarding the privacy of health information derive from widespread sharing of patient information throughout the healthcare industry.[93] There needs to be adequate federal and state regulation for systematic protection of health information in order to restrict this information to authorized users. Still, even when restricted to authorized personnel, electronic health information is vulnerable to authorized users who misuse their privileges and perform unauthorized actions such as browsing through patient records or illicit data exfiltration. Adequate protection of healthcare information depends on both technical and organizational practices for privacy and security.

Improving the protection of health information will require privacy and security improvements at both the organizational and regulatory levels.[94] Some additional recommendations to improve the roles of healthcare organizations, the healthcare industry, and the government include creating the industry-wide infrastructure needed to develop and encourage adoption of stronger privacy and security practices.[95] Also to be addressed are systemic issues related to privacy and security, and ensuring medical researchers have adequate access to meet future technical needs.[96] We also have to continue to identify the organizations best qualified to implement each recommendation. In some cases, private, public, and governmental organizations will have to sort out their respective roles so as to make the best use of their strengths and resources.[97]

Improving the protection of the multitude of health information accessible by electronic means requires addressing privacy and security concerns at both the organizational and regulatory levels.[98] Medical organizations need to start by improving their internal mechanisms for handling patient health and personal information, while the healthcare industry as a whole needs to improve its practices for controlling and enforcing systemic uses of health information.[99] There is currently little economic or social pressure on them to improve their handling of privacy and security, so some governmental agency regulation will likely be necessary to promote this advancement. Also needed is an industry-wide effort to produce best practices in the health community for securing health information.[100] Also needed are continuing improvements to initiatives that educate patients about how health data actually flows and what existing government regulations provide patients regarding their rights to privacy.[101] While educating the public is a good first step, the public needs to be mobilized to demand from government leaders that they place a higher priority on privacy and security needs. Legislative initiatives nationally have so far been unable to achieve a national consensus, and standards organizations are fragmented and lack the authority to introduce or enforce standards for privacy and security.[102]

Chapter VI Conclusion

This policy paper introduced the problem set of cyber security vulnerabilities in the U.S. healthcare industry. It outlined the benefits of creating standardized rules, administration, and most important a platform to protect healthcare Big Data. The principal concern is preventing large-scale data breaches (accidental or intentional) which impact patients and render their information vulnerable to cyber theft and subsequent exploitation. Patients must be able to trust their healthcare system to keep their information safe as well as make them well.

U.S. healthcare has failed to develop effective methods to protect patient data privacy. This weakness is attributable to the industry’s focus on the development of NwHIN infrastructure and technology standards at the expense of patient privacy. To remedy this systemic flaw, American healthcare can look to the French healthcare industry as an example of an electronic health record system that puts patient privacy first. Ideally, the NIDD should model its privacy policies after the French laws and subsequently ensure stakeholders understand the new limitations imposed by enhanced privacy laws.

The NIDD must prioritize the protection of patient healthcare information. Several national and international organizations have recognized the need to provide both the legal and policy frameworks for issues surrounding infectious diseases. The International Health Regulations have served to provide these frameworks for over 45 years and have been revised by the World Health Organization for use on a global scale.[103] One of the foundations of U.S. health law is the MSPHA and subsequent state legislation, which protects individual rights and their PII.

Cyber security is the name of the game. The purpose of creating the NIDD is to provide a cyber fortress behind which we can keep our healthcare data safe from internal and external threats. To implement this level of protection, network security must be dynamic and intelligent — recognizing the emerging threats before the intrusion occurs. The Webrats recommend a two-tier cybersecurity approach that watches for threats both outside the walls and within. Data Loss Protection Suites will monitor authorized user behavior and identify any internal threats and NextGen Endpoint Protection enhanced with Artificial Intelligence capabilities will shield the NIDD against outside intrusion efforts. NIDD network administrators have to play their game at the highest level, shielding their rich data resources with innovative security applications that actively identify and respond to internal and external cyber threats.

The protection of electronically accessible health information must address privacy and security concerns at both the organizational and regulatory levels. Medical organizations need to improve their internal mechanisms for handling patient health and personal information, while the healthcare industry as a whole needs to improve its practices for controlling and enforcing systemic uses of health information. There is currently little economic or social pressure to improve healthcare data privacy and security, so governmental agency regulation will be necessary to promote this advancement. Some of these improvements include an industry-wide effort to produce best practices for securing health information, as well as initiatives to educate patients about how health data flows and what existing government regulations provide patients regarding their rights to privacy. Legislative initiatives have been unable to achieve a national consensus, and standards organizations lack the authority to introduce or enforce standards for privacy and security.

This Government Data Protection policy paper described the vulnerable methods by which the U.S. healthcare industry stores and shares healthcare Big Data. The current system is a soft target for cyber criminals able to loot this rich repository of exploitable information. The U.S. government has the technology and expertise to create a National Infectious Disease Database, a cyber fortress to protect the nation’s healthcare Big Data. The Webrats propose a two-tiered cyber protection approach that monitors internal and external threats to healthcare Big Data, focusing on the integration of dynamic, intelligent security measures. This solution proposal depends on prioritizing the protection of patient information — the existing laws and industry policies must evolve to reflect a genuine commitment to safeguard healthcare information.

A system to manage the healthcare data of its patients — especially those struggling with a high-level infectious disease — must not exacerbate their difficulties by making them vulnerable to cyberattack. Unfortunately, contemporary healthcare data protection is a soft target that exposes patient information to cyber theft and exploitation. The sick and infirm must be able to trust their healthcare providers to protect and sustain them during their recovery. The Webrats urge policymakers to fully digest the problem set explored in this paper and consider the recommendation to construct an NIDD cyber fortress to protect the healthcare Big Data of the United States.

[1] “Symantec-in-Healthcare-En.pdf.” 2016. Accessed December 4. https://www.symantec.com/content/dam/symantec/docs/data-sheets/symantec-in-healthcare-en.pdf.

[2] Ibid.

[3] “Symantec-in-Healthcare-En.pdf.” 2016. Accessed December 4. https://www.symantec.com/content/dam/symantec/docs/data-sheets/symantec-in-healthcare-en.pdf.

[4] Ibid.

[5] Ibid.

[6] “Criminal Attacks: The New Leading Cause of Data Breach in Healthcare.” 2016. Accessed December 4. http://www.ponemon.org/blog/criminal-attacks-the-new-leading-cause-of-data-breach-in-healthcare.

[7] “Criminal Attacks: The New Leading Cause of Data Breach in Healthcare.” 2016. Accessed December 4. http://www.ponemon.org/blog/criminal-attacks-the-new-leading-cause-of-data-breach-in-healthcare.

[8] Ibid.

[9] Ibid.

[10] Ibid.

[11] Ibid.

[12] “HIMSS Interoperability Definition FINAL.pdf.” 2016. Accessed December 6. http://www.himss.org/sites/himssorg/files/FileDownloads/HIMSS%20Interoperability%20Definition%20FINAL.pdf.

[13] Ibid.

[14] Ibid.

[15] “HIMSS Interoperability Definition FINAL.pdf.” 2016. Accessed December 6. http://www.himss.org/sites/himssorg/files/FileDownloads/HIMSS%20Interoperability%20Definition%20FINAL.pdf.

[16] Ibid.

[17] “What Is ‘Big Data’ in Healthcare, and Who’s Already Doing It?” 2016. Accessed December 6. http://profitable-practice.softwareadvice.com/what-is-big-data-in-healthcare-0813/.

[18] “Big Data in Healthcare Made Simple.” 2015. Health Catalyst. April 10. https://www.healthcatalyst.com/big-data-in-healthcare-made-simple.

[19] Ibid.

[20] Ibid.

[21] Kayyali, Basel, David Knott, and Steve Van Kuiken. 2016. “The Big-Data Revolution in US Healthcare: Accelerating Value and Innovation | McKinsey & Company.” Accessed December 6. http://www.mckinsey.com/industries/healthcare-systems-and-services/our-insights/the-big-data-revolution-in-us-health-care.

[22] Kayyali, Basel, David Knott, and Steve Van Kuiken. 2016. “The Big-Data Revolution in US Healthcare: Accelerating Value and Innovation | McKinsey & Company.” Accessed December 6. http://www.mckinsey.com/industries/healthcare-systems-and-services/our-insights/the-big-data-revolution-in-us-health-care.

[23] Mountain, Iron. 2016. “The Impact of Big Data on Government.” Accessed December 6. http://www.ironmountain.com/Knowledge-Center/Reference-Library/View-by-Document-Type/White-Papers-Briefs/Sponsored/IDC/The-Impact-of-Big-Data-on-Government.aspx.

[24] Mountain, Iron. 2016. “The Impact of Big Data on Government.” Accessed December 6. http://www.ironmountain.com/Knowledge-Center/Reference-Library/View-by-Document-Type/White-Papers-Briefs/Sponsored/IDC/The-Impact-of-Big-Data-on-Government.aspx.

[25] Ibid.

[26] Ibid.

[27] Ibid.

[28] Ibid.

[29] Mountain, Iron. 2016. “The Impact of Big Data on Government.” Accessed December 6. http://www.ironmountain.com/Knowledge-Center/Reference-Library/View-by-Document-Type/White-Papers-Briefs/Sponsored/IDC/The-Impact-of-Big-Data-on-Government.aspx.

[30] “Nationwide Interoperability Portfolio (Achieve): Health Information Network (NwHIN).” HealthIT.gov. Accessed December 19, 2016. https://www.healthit.gov/policy-researchers-implementers/nationwide-health-information-network-nwhin.

[31] Pear, Robert. “Privacy Issue Complicates Push to Link Medical Data.” The New York Times. January 17, 2009. Accessed December 19, 2016. http://www.nytimes.com/2009/01/18/us/politics/18health.html.

[32] CDC Framework for Preventing Infectious Diseases: Sustaining the Essentials and Innovating for the Future. Report. October 2011. Accessed December 18, 2016. https://www.cdc.gov/oid/framework.html.

[33] Ibid. “Privacy Issue Complicates Push to Link Medical Data”, 2009.

[34] Aspden, Philip. Patient Safety: Achieving a New Standard for Care. Washington, D.C.: National Academies Press, 2004, 14.

[35] Aspden, Philip. Patient Safety: Achieving a New Standard for Care. Washington, D.C.: National Academies Press, 2004, 1.

[36] Oram, Andy. “Two Contrasting Approaches to Healthcare’s API Revolution.” The Healthcare Blog. April 11, 2013. Accessed December 18, 2016. http://thehealthcareblog.com/blog/2013/04/11/two-contrasting-approaches-to-health-cares-api-revolution/.

[37] Ibid.

[38] Aspden, Philip. Patient Safety: Achieving a New Standard for Care. Washington, D.C.: National Academies Press, 2004, 127.

[39] “SMART Health IT.” SMART Health IT. Accessed December 18, 2016. http://smarthealthit.org/.

[40] “What Is SMART?” SMART Health IT. Accessed December 18, 2016. http://smarthealthit.org/an-app-platform-for-healthcare/about/.

[41] Health Level Seven International (HL7) is a not-for-profit, ANSI-accredited standards developing organization dedicated to providing a comprehensive framework and related standards for the exchange, integration, sharing, and retrieval of electronic health information that supports clinical practice and the management, delivery and evaluation of health services. http://www.hl7.org/

[42] Ibid.

[43] Brull, Rob. “5 Things to Know About HL7 FHIR.” Health Standards. March 26, 2013. Accessed December 18, 2016. http://healthstandards.com/blog/2013/03/26/hl7-fhir/.

[44] Oram, Andy. “Two Contrasting Approaches to Healthcare’s API Revolution.” The Healthcare Blog. April 11, 2013. Accessed December 18, 2016. http://thehealthcareblog.com/blog/2013/04/11/two-contrasting-approaches-to-health-cares-api-revolution/.

[45] Ibid.

[46] Moukheiber, Zina. “France Is So Ahead of Us In Electronic Health Records.” Forbes. November 23, 2010. Accessed December 18, 2016. http://www.forbes.com/sites/zinamoukheiber/2010/11/23/france-is-so-ahead-of-us-in-electronic-health-records/#618896833f49.

[47] Grady, Amanda. Electronic Health Records: How the United States Can Learn From The French Dossier Medical Personnel. Report. December 3, 2012. Accessed December 18, 2016. http://hosted.law.wisc.edu/wordpress/wilj/files/2013/01/Grady.pdf.

[48] Ibid.

[49] Kimball, Ann Marie and Plotkin, Bruce Jay, “Designing an International Policy and Legal Framework for the Control of Emerging Infectious Diseases: First Steps.” Accessed 9 DEC 16. https://www.ncbi.nlm.nih.gov/pubmed/9126439

[50] Meier, Benjamin Mason, Hodge, James G., Jr., and Gebbie, Kristine M, “Wisconsin: A Contemporary Case Study in Public Health Law Reform.” Accessed 9 DEC 16.

[51] http://www.publichealthlaw.net/Resources/ResourcesPDFs/PHL%20TP%20Hodge.pdf. Accessed 15 DEC 16.

[52] Ibid.

[53] http://www.publichealthlaw.net/ModelLaws/MSPHPA.php Accessed 15 DEC 16.

[54] Ibid.

[55] Kimball and Plotkin, “Designing International Policy” p 1.

[56] Ibid. p 2.

[57] http://www.who.int/healthsystems/publications/nhpsp-handbook/en/. Accessed 17 DEC 16.

[58] Clarke, David, “Strategizing national health in the 21st century: a handbook,” chapter 10. pp 6–10

[59] World Health Organization, “International health regulations (2005) — 3rd ed.” Available at www.who.int. Accessed 17 DEC 16.

[60] https://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act. Accessed 16 DEC 16.

[61] https://www.hipaa.com/hipaa-protected-health-information-what-does-phi-include/ Accessed 16 DEC 16.

[62] Ibid.

[63] Ibid.

[64] The HIPAA Privacy Rule covers protected health information in any medium while the HIPAA Security Rule covers electronic protected health information. https://www.hipaa.com/hipaa-protected-health-information-what-does-phi-include/ Accessed 16 DEC 16. Furthermore, “The HIPAA Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) held by ‘covered entities’ (generally, healthcare clearinghouses, employer sponsored health plans, health insurers, and medical service providers that engage in certain transactions.) By regulation, the Department of Health and Human Services extended the HIPAA privacy rule to independent contractors of covered entities who fit within the definition of ‘business associates’.” https://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act Accessed 16 DEC 16.

[65] https://www.hipaa.com/hipaa-protected-health-information-what-does-phi-include/ Accessed 16 DEC 16.

[66] https://www.hipaa.com/hipaa-protected-health-information-what-does-phi-include/ Accessed 16 DEC 16.

[67] https://www.privacyandsecuritymatters.com/2012/11/ocr-issues-guidance-methods-for-de-identification-of-phi-under-hipaa/ accessed 17 DEC 16

[68] https://www.hipaa.com/category/hipaa-law-administrative-simplification/ accessed 18 DEC 16

[69] Center for Internet Security, “Welcome to the CIS Controls,” https://www.cisecurity.org/critical-controls.cfm; Accessed 12/20/2016.

[70] Ibid.

[71] Committee on Commerce, Science, and Transportation, “A ‘Kill Chain’ Analysis of the 2013 Target Data Breach,” March 20, 2014: 5.

[72] Committee on Commerce, Science, and Transportation, “A ‘Kill Chain’ Analysis of the 2013 Target Data Breach,” March 20, 2014.

[73] Ernie Regalado, “Website Defense in Depth,” Bizety.com, 2015: 4; https://clareity.com/wp-content/uploads/2015/05/Bizety-IT-Security-Vendor-Analysis-Website-Defense-In-Depth.pdf; Accessed 12/20/2016.

[74] Margaret Rouse, “Data Loss Prevention,” October 2014. http://whatis.techtarget.com/definition/data-loss-prevention-DLP; Accessed 12/20/2016.

[75] Margaret Rouse, “Data Loss Prevention,” October 2014. http://whatis.techtarget.com/definition/data-loss-prevention-DLP; Accessed 12/20/2016.

[76] “Symantec Fact Sheets,” https://www.symantec.com/content/en/us/enterprise/fact_sheets/data-loss-prevention-solution-ds-21350666.pdf; Accessed 12/20/2016.

[77] Tyn Global, “How Artificial Intelligence Is Changing the Face of Cyber Security,” 11/11/2016; http://www.tynglobal.com/how-artificial-intelligence-is-changing-the-face-of-cyber-security; Accessed 12/20/2016.

[78] Ibid.

[79] Stead William W, Lin Herbert S. Computational technology for effective healthcare: immediate steps and strategic directions. Washington, DC: The National Academies Press, 2009

[80] Samuel J. Wang, Lisa A. Prosser, Christiana G. Bardon, Cynthia D. Spurr, Patricia J. Carchidi, Anne F. Kittler, Robert C. Goldszer, David G. Fairchild, Andrew J. Sussman, Gilad J. Kuperman, David W. Bates. A Cost-Benefit Analysis of Electronic Medical Records in Primary Care. The American Journal of Medicine. 2003 114, 5. p397.

[81] Wang et al p 402

[82] National Academy of Engineering (US) and Institute of Medicine (US) Committee on Engineering and the Healthcare System; Reid PP, Compton WD, Grossman JH, et al., editors. Building a Better Delivery System: A New Engineering/Healthcare Partnership. Washington (DC): National Academies Press (US); 2005. 4, Information and Communications Systems: The Backbone of the Healthcare Delivery System. Available from: https://www.ncbi.nlm.nih.gov/books/NBK22862/

[83] National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. 160

[84] https://www.amia.org/about-amia/mission-and-history

[85] https://www.amia.org/about-amia/science-informatics

[86] https://www.amia.org/applications-informatics/translational-bioinformatics

[87] Aaron McKethan, Marisa Morrison, Mark Shepard, Nadia Nguyen, Niall Brennan, Nicole Cafarella, Reginald D. Williams II, and S. Lawrence Kocot. Improving Quality and Value in the U.S. Healthcare System. Bipartisan Policy Center. Accessed 12/16/16 at https://www.brookings.edu/wp-content/uploads/2016/06/0821_bpc_qualityreport.pdf p 31

[88] Ancker JS, Kern LM, Abramson E, et al. The Triangle Model for evaluating the effect of health information technology on healthcare quality and safety. JAMIA 2012;19:61–5

[89] Kushniruk A, Beuscart-Zéphir M-C, Grzes A, et al. Increasing the safety of healthcare information systems through improved procurement: toward a framework for selection of safe healthcare systems. Healthc Q 2010;13 Spec No:53–8

[90] Karsh BT. Beyond usability: designing effective technology implementation systems to promote patient safety. Qual Saf Healthcare 2004;13:388–94.

[91] Muhammad Nabeel Taheer. A Secure Online Medical Information System in Distributed and Heterogeneous Computing Environment. Information and Security. V 15 no 2, 2004 p 212.

[92] Williams, Patricia AH, and Andrew J Woodward. “Cybersecurity Vulnerabilities in Medical Devices: A Complex Environment and Multifaceted Problem.” Medical Devices (Auckland, N.Z.) 8 (2015): 307.

[93] Devon M. Herrick, Linda Gorman and John C. Goodman. National Center for Policy Analysis. Health Information Technology: Benefits and Problems April 2010 v327, p 11

[94] Leon Rodriguez. Privacy, Security, and Electronic Health Records. HealthITBuzz, 2011, accessed 12/15/16 at https://www.healthit.gov/buzz-blog/privacy-and-security-of-ehrs/privacy-security-electronic-health-records/

[95] National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. 177

[96] Charles Safran, Meryl. Bloomrosen, W. Edmond Hammond, Steven Labkoff, Suzanne Markel-Fox, Paul C. Tang, Don. E. Detmer. “Toward a National Framework for the Secondary use of Health Data: An American Medical Informatics Association White Paper.” Journal of the American Medical Informatics Association : JAMIA 14, no. 1 (Jan-Feb, 2007): 6.

[97] National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. 167

[98] Charles Safran et al. “Toward a National Framework for the Secondary use of Health Data: An American Medical Informatics Association White Paper.” 6.

[99] William M Sage. “Regulating through Information: Disclosure Laws and American Healthcare.” Columbia Law Review 99, no. 7 (1999): 1753.

[100] William M Sage. “Regulating through Information: Disclosure Laws and American Healthcare.” 1784.

[101] Nir Menachemi and Taleah H Collum, “Benefits and Drawbacks of Electronic Health Record Systems.” Risk Management and Healthcare Policy 4 (2011): 48.

[102] Sao, Deth, Amar Gupta, and David A. Gantz. “Interoperable Electronic Healthcare Record: A Case for Adoption of a National Standard to Stem the Ongoing Healthcare Crisis.” Journal of Legal Medicine 34, no. 1 (2013): 64.

[103] Kimball, Ann Marie and Plotkin, Bruce Jay, “Designing an International Policy and Legal Framework for the Control of Emerging Infectious Diseases: First Steps.” Accessed 9 DEC 16. https://www.ncbi.nlm.nih.gov/pubmed/9126439
