
[IEEE Comput. Soc IEEE 6th Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises - Cambridge, MA, USA (18-20 June 1997)] Proceedings of IEEE 6th Workshop


Secure Collaboration Technology for Healthcare Enterprises

Ravi S. Raman, V. Jagannathan and Ramana Reddy

Concurrent Engineering Research Center, West Virginia University

[email protected], [email protected], [email protected]

Abstract

Healthcare organizations have a legacy of relatively isolated, vendor-proprietary, departmental systems. The cost of integrating disparate healthcare systems is a significant barrier to collaborative endeavors such as telemedicine. Recent legislative measures for the protection of healthcare information place significant responsibilities on healthcare organizations to ensure that their healthcare systems and information technology practices adequately protect the privacy of healthcare information in their charge. The authors, who are developing secure telemedicine applications, identify some of these hurdles and discuss their approach to enable healthcare organizations to engage in collaborative healthcare activities.

1. Collaborative healthcare

Healthcare is inherently a collaborative endeavor with many players participating in the delivery of healthcare -- healthcare providers (physicians and nurses), healthcare facilities (clinics and hospitals), and healthcare payers (insurance organizations and government agencies). Telemedicine is an ideal application of collaboration technology in the healthcare domain. The Institute of Medicine defines telemedicine as “the use of electronic information and communications technologies to provide and support health care when distance separates the participants” [1]. Traditionally, video conference systems, pagers, fax machines and phones have been employed to overcome the distance barrier between healthcare collaborators. Computer-supported collaboration can overcome the traditional distance barrier to healthcare by enabling communications between participants and easy, rapid access to information.

The rapid growth of teleradiology is indicative of the potential for computer-supported healthcare collaboration applications. There is growing interest in the use of the World-Wide-Web for delivering consumer health and wellness information to employees.

The growing competition in the healthcare industry could be a significant boon for telemedicine if computer-supported collaborative telemedicine is proven to be cost-effective without affecting quality of care. However, prior telemedicine experiments have not proven themselves to be economically viable, having generally been discontinued once government sponsorship or subsidies ended. One reason for that may be the high cost of developing custom telemedicine applications and, at each telemedicine site, integrating them with proprietary healthcare systems.

Healthcare informatics vendors have provided information technology (IT) solutions to manage the information at each healthcare facility. However, the piece-wise acquisition, integration and deployment of these systems within most healthcare organizations has, over the years, resulted in expensive, relatively isolated vendor-proprietary systems requiring high-priced customization and maintenance. Healthcare organizations have been tied down by their dependency on their legacy IT investments and less able to take advantage of emerging technologies.

2. Confidentiality of Healthcare Data

The “Health Insurance Portability and Accountability Act” of 1996 (PL104-191) and the proposed “Fair Health Information Practices Act” (HR 52) address the need to protect personal healthcare information. These legislative measures place significant responsibilities on healthcare organizations to ensure that their healthcare systems and IT practices adequately protect the privacy of the healthcare information in their charge. Few healthcare organizations are utilizing, or are in a position to adopt, the technological and administrative measures necessary to adequately protect electronic health information.

0-8186-7967-0/97 $10.00 © 1997 IEEE


Healthcare organizations are experimentally using World-Wide Web servers and browsers, within Intranets, to make information available to their employees. However, the bogey of security holds down the kinds of information that can be accessed in this manner. Numerous stories of computer break-ins, misappropriation, and misuse of information as reported in the various news media have led to a general reluctance to trust the Internet for the transport of any sensitive information. Despite the general understanding that electronic information, properly guarded using current day cryptography and related technologies, would provide an assurance of privacy and security far superior to current day practices in information handling in the healthcare arena, there is apprehension that the confidentiality of one's personal healthcare information would be compromised [2,3,4].

The advent of computer-based patient records, the increasing penetration of computers into the businesses and homes of healthcare providers and the fast growth of electronic mail and Internet-based applications and resources such as the World Wide Web have fostered hopes for improved productivity as a result of improved workflow for healthcare providers. However, concerns about the security of electronic medical information, its interception and modification during transmission, and the opportunities through aggregation for the misuse of personally identifiable healthcare records, have kept many from realizing these benefits. Encryption facilities are slowly being introduced into applications and servers, showing promise that reasonably secure business transactions may soon be safely conducted through computers on wide area networks. Given the sensitivity of patient records and the possible litigious reactions, healthcare providers have taken a wait-and-see attitude to adopting these technologies.

These observations are in line with the findings of the United States' National Research Council's Computer Science and Telecommunications Board's study on the privacy and security of healthcare information [5]. They found that some of the risks for electronic health information include:

• improper or inadvertent disclosure of sensitive information by privileged healthcare providers

• unauthorized access to healthcare information by persons taking advantage of inadequate protective measures to computer and communication systems and repositories

• insidious use of computer database aggregation and inferential analysis to identify individuals, using correlation to other known characteristics

• unauthorized alterations and modifications due to inadequate measures for ensuring the authenticity and data integrity of electronic health information.

[Figure 1: diagram relating administrative, procedural and technical measures to the implementation of security policies for electronic patient records. Labels in the administrative and procedural groups: employee screening, password policy, training, chain of responsibility, disaster recovery, disciplinary measures, backup and restoration, secure and remote storage of archives, patient disclosure and review, fair-use policy, access log review, intrusion event handling. Labels in the technical group: identification, encryption, access control, audit trails, non-repudiation, firewalls, dial-back modems, screen locks.]

Figure 1. Patient Record Security Measures

These risks can be addressed through a combination of technical, organizational and legislative measures that protect the confidentiality and integrity of electronic health information. Below is a partial list of measures for dealing with the data security issues in telemedicine.

1. Electronic healthcare records can be protected by applications and servers that incorporate and abide by authenticated, authorized and audited access control facilities.

2. Link encryption can be employed to ensure the privacy and integrity of information while it is in transit over communication links.

3. Security at the point of service can include such measures as user authentication and screen locks to prevent improper access and accidental disclosure.

4. Protection measures, in accordance with enterprise and legislative measures, can be employed to prevent the inadvertent export of information, reducing the risk of aggregation and inferential analysis. Emerging data exchange standards allowing selective record exchanges between healthcare systems will also help address this issue.

5. Enterprise security policies consistent with emerging recommendations can help ensure that appropriate technical, administrative and procedural measures are employed to maintain the privacy of electronic health information.

6. Legislative and regulatory measures can provide broad guidelines that increase the protection provided for electronic health information and provide punitive measures for violations.

Collectively, these measures will ensure the confidentiality of electronic health information stored in the nation’s healthcare organizations. Such forms of protection will enable individual measures to be reinforced or relaxed, depending on the capabilities of the others to provide the desired level of security.
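Measure 1 in the list above (authenticated, authorized and audited access) can be sketched as follows. This is an added example, not code from the paper or the SCTA project; the role-to-part policy, the HMAC session token standing in for certificate or smart-card login, and all names, keys and sample data are assumptions.

```python
import hashlib
import hmac
import json

# Assumed policy. The paper names these roles and record parts, not this mapping.
POLICY = {
    "administrator": {"demographics", "insurance"},
    "nurse": {"demographics", "emergency_clinical"},
    "physician": {"demographics", "insurance", "emergency_clinical"},
}
GENESIS = "0" * 64  # chain start value for the audit trail

def mac(key: bytes, obj) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of obj."""
    data = json.dumps(obj, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class AuditTrail:
    """Append-only log. Each MAC covers the previous MAC, so altering or removing
    an earlier entry breaks the chain (truncating the tail needs an external anchor)."""
    def __init__(self, key: bytes):
        self._key, self.entries = key, []

    def append(self, **event):
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        event["seq"] = len(self.entries)
        self.entries.append({"event": event, "mac": mac(self._key, [prev, event])})

    def first_bad_entry(self):
        """Index of the first entry whose MAC no longer verifies, or None."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            expected = mac(self._key, [prev, entry["event"]])
            if not hmac.compare_digest(entry["mac"].encode(), expected.encode()):
                return i
            prev = entry["mac"]
        return None

class RecordService:
    def __init__(self, records, session_key: bytes, audit: AuditTrail):
        self._records, self._key, self.audit = records, session_key, audit

    def issue_session(self, user: str, role: str) -> dict:
        # Stand-in for certificate or smart-card login: only the service can MAC claims.
        claims = {"user": user, "role": role}
        return {**claims, "mac": mac(self._key, claims)}

    def read(self, session: dict, patient_id: str, part: str):
        claims = {"user": session.get("user"), "role": session.get("role")}
        presented = str(session.get("mac", "")).encode()
        authentic = hmac.compare_digest(presented, mac(self._key, claims).encode())
        allowed = authentic and part in POLICY.get(claims["role"], set())
        # Denied attempts are logged too: they are what an access log review looks for.
        self.audit.append(patient=patient_id, part=part, authentic=authentic,
                          allowed=allowed, **claims)
        if not allowed:
            raise PermissionError(f"{claims['user']} may not read {part}")
        return self._records[patient_id][part]

def demo():
    records = {"P-0001": {  # constructed sample record
        "demographics": {"name": "Test Patient"},
        "insurance": {"payer": "Example Payer"},
        "emergency_clinical": {"allergies": ["penicillin"]}}}
    audit = AuditTrail(b"constructed-audit-key")
    service = RecordService(records, b"constructed-session-key", audit)
    nurse = service.issue_session("nurse.kim", "nurse")
    doctor = service.issue_session("dr.rao", "physician")
    forged = {**nurse, "role": "physician"}  # role edited client-side, MAC is stale
    outcomes = []
    for session, part in [(nurse, "emergency_clinical"), (nurse, "insurance"),
                          (forged, "insurance"), (doctor, "insurance")]:
        try:
            service.read(session, "P-0001", part)
            outcomes.append("ok")
        except PermissionError:
            outcomes.append("denied")
    before = audit.first_bad_entry()
    audit.entries[1]["event"]["allowed"] = True  # simulate rewriting a logged denial
    return outcomes, before, audit.first_bad_entry()

if __name__ == "__main__":
    print(demo())
```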

In order to adequately secure healthcare transactions, the emerging computer-based security facilities must be utilized in the healthcare organization’s computing and network infrastructure, integrated into their servers and applications, and incorporated into their operating procedures. Such measures will provide end-to-end security for healthcare transactions and will have a profound effect on the healthcare delivery system, engendering acceptance and confidence in users. In turn, this could be instrumental in fostering entirely new forms of healthcare transactions beyond business transactions, such as Electronic Data Interchange (EDI) or the emerging electronic referral, to the formation of entirely new virtual healthcare enterprises.

3. Standards-based Integration

A collaborative telemedicine system must be integrated with the patient record services and related applications at each of the point-of-care facilities in which it is operational. Proprietary healthcare information systems have made such integration expensive and limited in scope and scale. Open standards-based interfaces to healthcare systems would enable healthcare organizations to more easily and less expensively integrate these systems. HL7 and DICOM are two important standards in the healthcare domain.

Object Management Group’s (OMG) Common Object Request Broker Architecture (CORBA) standard has brought interoperability to distributed object computing. OMG’s CORBAMed Task Force is actively pursuing the creation of reference interface specifications of selected subsystems (e.g., MPI services, CPR services, HL7 interfaces) which will later be commercially available from vendors.

The Andover Working Group (AWG), led by Hewlett Packard, has developed components for the HL7 interface via an HL7 bridge using CORBA and DCOM technologies and plans to support DICOM and MIB standards in a similar manner. The Koop Foundation’s consortium for the Health Object Library ON-line (HOLON) project is developing “middleware” for diverse knowledgebases, “wrappers” to interface with legacy, and multimedia “healthcare domain” objects.

The advent of computer security measures such as encryption and authentication introduces the need for standards for interoperability of secure applications and services by authorized users. Intel’s Common Data Security Architecture addresses the need for multi-platform crypto-aware solutions.

Secure standards-based healthcare system interfaces could enable healthcare organizations to leverage telemedicine in innovative ways that drive down costs -- for example redeploying certain services and consolidating operations or even outsourcing them.

4. Secure Collaborative Telemedicine

Concurrent Engineering Research Center (CERC), an interdisciplinary research unit of West Virginia University, has been developing generic collaboration technologies using computers and communications networks since 1988. The generic technologies developed to facilitate concurrent engineering were adapted to the healthcare domain via the ARTEMIS project [6,7]. Funded jointly by the U.S. Department of Defense’s DARPA and the U.S. National Library of Medicine (NLM), ARTEMIS was the first to enable healthcare providers to access distributed clinical patient records utilizing the World Wide Web.

Under the sponsorship of the U.S. National Library of Medicine, CERC is now developing applications for secure collaborative telemedicine in rural areas. Three telemedicine scenarios illustrate the utility of collaborative telemedicine technologies to improve the delivery of healthcare at rural hospitals, clinics, and home care sites:


1. Secure telemedicine for intensive care providers enabling remote access of Intensive Care Unit electronic patient data.

2. Secure telemedicine for mid-level providers (such as physician assistants and nurse practitioners) providing computer-aided diagnosis and collaboration with remote supervising physicians.

3. Secure telemedicine for home care patients through patient counseling information resources and support for near-time monitoring of patients with chronic ailments.

These telemedicine applications could be realized with current technology using vendor proprietary solutions. However, the challenges being addressed by this research effort are to enable these services while ensuring security of information, and ensuring their evolution with technology without being locked in to expensive, sole source systems.

We are developing a Secure Collaborative Telemedicine Architecture (SCTA) using an open systems approach utilizing vendor-supported and standards-compliant components and technologies. Distributed services are implemented using CORBA, enabling scalability and multi-platform deployment. Object Request Brokers with intrinsic support for secure transactions, such as those from Suite Software and Iona Technologies, are now emerging. IBM, Netscape, Sun and Oracle have announced broad support for CORBA. We believe that CORBA, in conjunction with allied encryption technologies, offers the best-cost solution for implementing secure distributed systems. In addition, we are employing vendor-supplied bridge facilities to accommodate other standards, such as Microsoft’s Distributed Component Object Model (DCOM), for site-specific integration and customization with essential applications and systems on client and server systems.

An infrastructure to support secure collaborative telemedicine transactions should provide as its core capabilities:

• a security infrastructure that supports authentication and the secure transmission of private and confidential patient information

• transparent and easy access to distributed patient information

• a secure workflow in the context of patient treatment

• a secure consultation service in the context of patient information and patient treatment plan.

In our view, support for the above services constitutes the core backplane for telemedicine applications. Other services can be plugged into this backplane to provide a variety of custom support features to a variety of specific providers including:

• real-time or near real-time access to information gathered by instruments monitoring a patient;

• seamless access to clinical decision support systems and on-line knowledge repositories such as MedLine.

The authentication services of the SCTA will support measures to restrict access to authenticated and authorized personnel. We are adopting industry-standard, multi-platform, cryptography solutions to develop a secure, open, collaborative technology infrastructure which supports the distributed components of our telemedicine applications. A number of promising solutions in this arena are being introduced, and we are evaluating these offerings, developing initial prototypes with commercial tools, for integration with our CORBA-based services.

At this stage of the project we are concentrating our efforts on the development of the SCTA which will provide the underpinning and essential services to be used in the telemedicine applications. We had been gathering site-specific requirements for the telemedicine applications. We are currently developing prototype applications to demonstrate secure healthcare transactions through integration with public key certificate servers and smart cards.

We expect the SCTA services to be incorporated into our telemedicine applications which will be customized to meet the individual and organizational needs of the healthcare facility. For secure operation it must work in concert with technological and administrative procedures in compliance with the security policies of the healthcare network. External intrusion can be detected and curtailed through measures such as firewalls, dial-back modems, and strict monitoring of external incursions to the network. Internal misuse of private patient information can be deterred through the use of encryption, authentication measures, screen locks, audit trails and through enabling application-level security facilities. Periodic inspections of security policies and procedures will determine the efficacy of these measures and enable corrective action to be taken.

Secure middleware components must utilize authentication services that support measures to restrict access to authenticated and authorized personnel. Such authentication services, based on industry-standard cryptography solutions, can provide the infrastructure to support distributed component healthcare applications.

Through the use of X.509v3 digital certificates and Certificate Server and Directory Server, a healthcare organization can authenticate its healthcare providers and enable their credentials to be verified on-demand by crypto-aware applications and servers.

A smart card resembles a credit card in size and shape, and stores information and instructions on an integrated microprocessor chip located on the card. Smart cards can store around 8 Kbytes of information and, in some cards, perform on-chip encryption. PIN protected smart cards can store an individual’s private keys and certificates enabling authenticated use at any point of care system as well as digital signature operations.

New crypto-aware applications can incorporate these security measures to ensure the privacy and security of healthcare information. Legacy systems can be “wrapped” to make them accessible by these new applications.

We are planning on using PIN protected smart cards in our telemedicine applications for the identification and authentication of providers, and the storage of limited patient medical information. Using Schlumberger’s Multiflex smart cards we have developed experimental prototypes of healthcare professional and patient cards. Based on the EU/G7 healthcard format, the patient cards contain patient demographics, insurance information as well as clinical information for clinical emergencies. Role-based access measures distinguish between the needs of administrators, physicians and nurses.

Remote viewing of patient vital signs information is an important element in all three telemedicine applications where healthcare providers are separated from the patient. We have developed Java-based client applications for the remote viewing of vital signs information as well as Java-based CORBA vital signs servers. This service is modeled along the lines of a proposed CORBAMed vital signs standard.

We are developing experimental prototypes of CORBA filters and transformers to ensure secure communications between client applications, and server and middleware services.

An experimental prototype of the ARTEMIS system was migrated to S-HTTP, albeit without the use of CORBA security measures.

We will be deploying initial prototypes of our telemedicine application in selected pilot sites by the end of 1997. Periodic releases of applications with additional functionality are planned at three month intervals through 1998.

Figure 2. Telemedicine application integration

5. Conclusion

The infrastructure and tools to develop secure interoperable telemedicine applications are slowly beginning to emerge. Multi-platform cryptography standards such as CDSA enable platform independent applications to be developed and deployed. Multi-vendor consortia such as the PC/SC Working Group bode well for the development of non-proprietary and multi-application smart card solutions. CORBA Security solutions from ORB vendors are now beginning to appear.

Healthcare organizations can utilize these standards and technologies to protect the privacy of electronic health information on their systems. Telemedicine applications utilizing such measures can enable secure collaboration among healthcare providers. Configured and customized to their operational needs, such telemedicine solutions can provide timely access to healthcare professionals without sacrificing information security.


Acknowledgments

This work has been sponsored by the U.S. National Library of Medicine under Contract No. N01-LM-6-3549. Other CERC employees who have contributed to this research effort include Rahul Singhal, Srivatsan Kannan, William Hunt, Cristi Goina, K. Joseph Cleetus and Sumitra Reddy.

References

1. Field, Marilyn J. (Ed.). Telemedicine -- A Guide to Assessing Telecommunications in Health Care. Washington, DC: National Academy Press; 1996.

2. Rothfeder, J. Privacy for Sale: How Computerization Had Made Everyone's Life an Open Secret. New York: Simon; 1992.

3. Donaldson MS, and Lohr KN, editors. Health Data in the Information Age: Use, Disclosure, and Privacy. Washington, DC: National Academy Press; 1994.

4. Alderman E, and Kennedy C. The Right to Privacy. New York: Knopf; 1995.

5. Computer Science and Telecommunications Board, National Research Council. For The Record: Protecting Electronic Health Information. Washington, DC: National Academy Press; 1997.

6. Jagannathan V, Reddy R, Srinivas K, et al. An Overview of the CERC ARTEMIS Project. Proceedings of the 19th Annual Symposium on Computer Applications in Medical Care (SCAMC); 1995. p. 12-16.

7. Reddy S, Shank R, Jagannathan V, Merkin B. A Virtual Enterprise for Rural Health Care Through Advanced Communication and Information Technologies. Proceedings of the Annual Review of Communications. International Engineering Consortium; 1996. p. 631-36.