Chapter 5: Published contributions to the FHR Design
The need to protect information from unintended access is not new, and the practice of encrypting communications builds on a long mathematical pedigree (reprinted in (Shannon 1998) from an original paper in 1945).
(Slack 1997) points out that
"the best defence against unauthorised intrusion into the paper chart is the illegibility of the doctor's handwriting. Coupled with illegibility is the traditional disorganisation of the paper chart. Since there is usually no index or table of contents, whatever information can be read is difficult to retrieve and use."
However, (Lincoln 1993) points out that many breaches of securely held electronic data do not in fact take place by electronic break-in but through the trading of information across some informal human network, whether revealed deliberately or inadvertently. That threat is the same whether paper or electronic record systems are in use.
(Robinson 1994) observes that ready access to information is important for patient care but also threatens the patient's privacy.
“Knowledge of some data elements can endanger employment, insurability, and even acceptance in a society. Indications of illicit drug use, sexual promiscuity, psychiatric admissions, and sexually transmitted diseases, especially infection with human immunodeficiency virus (HIV), are harmful for obvious reasons...Perhaps access should not be limited according to type of information, but according to the person attempting to retrieve it.”
(Gardner 1994) notes that hospital departments at the LDS Hospital need access to computerised information acquired by up to 15 other departments in order to manage their care process or to generate reports. Szolovits and Kohane express concern at the potential risks associated with easier database integration through the use of a common patient identifier (Szolovits and Kohane 1994). In 1995 the British Medical Association (BMA) commissioned the development of a clinical information security policy (Anderson 1996). This states nine principles designed to uphold the core principle of patient consent and to be independent of the details of specific equipment; they have significantly shaped the approach to patient confidentiality within the UK medical profession and the NHS and are reproduced below.
1 Access control Each identifiable clinical record shall be marked with an access control list naming the people or groups of people who may read it and append data to it. The system shall prevent anyone not on the list from accessing the record in any way.
2 Record opening A clinician may open a record with herself and the patient on the access control list. When a patient has been referred she may open a record with herself, the patient, and the referring clinician(s) on the access control list.
3 Control One of the clinicians on the access control list must be marked as being responsible. Only she may change the access control list and she may add only other health care professionals to it.
4 Consent and notification The responsible clinician must notify the patient of the names on his record's access control list when it is opened, of all subsequent additions, and whenever responsibility is transferred. His consent must also be obtained, except in emergency or in the case of statutory exemptions.
5 Persistence No one shall have the ability to delete clinical information until the appropriate time has expired.
6 Attribution All accesses to clinical records shall be marked on the record with the name of the person accessing the record as well as the date and time. An audit trail must be kept of all deletions.
7 Information flow Information derived from record A may be appended to record B if and only if B's access control list is contained in A's.
8 Aggregation control Effective measures should exist to prevent the aggregation of personal health information. In particular, patients must receive special notification if any person whom it is proposed to add to their access control list already has access to personal health information on a large number of people.
9 Trusted computing base Computer systems that handle personal health information shall have a subsystem that enforces the above principles in an effective way. Its effectiveness shall be evaluated by independent experts.
Denley and Weston Smith have demonstrated a practical and manageable implementation of access control lists in three UK hospitals, based on Anderson's nine principles (Denley and Smith 1999). They have also demonstrated that an emergency override facility can be safely administered provided that, before access is granted, staff are warned that an audit trail is kept and regularly reviewed. More recently (Buckovich, Rippen et al. 1999) have proposed a set of 28 principles, derived from ten leading US sources of privacy and security principles for health data, which are similar to those proposed by the BMA.
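The nine BMA principles above, together with the audited emergency override that Denley and Smith describe, amount to an access-control model that can be checked mechanically. The following Python is an added illustration and is not code from the BMA policy, from Anderson, or from the Denley and Smith hospital system; the class and method names, the registered-clinician set, the aggregation threshold standing in for "a large number", and the break-glass mechanics are all assumptions. It enforces principles 1, 2, 3, 4, 6, 7 and 8 and records every access (including overrides) in a per-record audit trail.

```python
# Added example (not from any cited system): a toy enforcement of the BMA
# clinical security policy, Anderson (1996) principles 1-4 and 6-8, plus an
# assumed emergency-override path of the kind Denley and Smith describe.
from dataclasses import dataclass, field
from datetime import datetime, timezone


class PolicyViolation(Exception):
    """Raised when a request would breach one of the principles."""


@dataclass
class Record:
    patient: str
    responsible: str          # principle 3: the one clinician who may edit the ACL
    acl: set                  # principle 1: who may read and append
    entries: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # principle 6: (who, action, when)


class ClinicalStore:
    # aggregation_threshold is an assumed concrete value for principle 8's "large number"
    def __init__(self, clinicians, aggregation_threshold=100):
        self.clinicians = set(clinicians)   # assumed register of health-care professionals
        self.records = {}
        self.notifications = []             # principle 4: (patient, message)
        self.threshold = aggregation_threshold

    def _log(self, rec, who, action):
        rec.audit.append((who, action, datetime.now(timezone.utc).isoformat()))

    def _notify(self, rec, message):
        self.notifications.append((rec.patient, message))

    def _records_visible_to(self, person):
        return sum(1 for r in self.records.values() if person in r.acl)

    def _check_acl(self, rec, actor):
        if actor not in rec.acl:
            raise PolicyViolation(f"{actor} is not on the access control list")

    # principle 2: clinician, patient and any referring clinicians go on the ACL
    def open_record(self, rec_id, clinician, patient, referrers=()):
        if clinician not in self.clinicians:
            raise PolicyViolation(f"{clinician} is not a registered clinician")
        rec = Record(patient, clinician, {clinician, patient, *referrers})
        self.records[rec_id] = rec
        self._log(rec, clinician, "open")
        self._notify(rec, f"record {rec_id} opened; ACL = {sorted(rec.acl)}")  # principle 4
        return rec

    # principles 3 (who may change the ACL, and to whom), 4 (notify) and 8 (aggregation)
    def add_to_acl(self, rec_id, actor, new_member):
        rec = self.records[rec_id]
        if actor != rec.responsible:
            raise PolicyViolation("only the responsible clinician may change the ACL")
        if new_member not in self.clinicians:
            raise PolicyViolation("only health-care professionals may be added")
        seen = self._records_visible_to(new_member)
        if seen >= self.threshold:
            self._notify(rec, f"SPECIAL NOTICE: {new_member} already has access to {seen} records")
        rec.acl.add(new_member)
        self._log(rec, actor, f"add {new_member} to ACL")
        self._notify(rec, f"{new_member} added to ACL of {rec_id}")

    def read(self, rec_id, actor):
        rec = self.records[rec_id]
        self._check_acl(rec, actor)
        self._log(rec, actor, "read")
        return list(rec.entries)

    def append(self, rec_id, actor, text):
        rec = self.records[rec_id]
        self._check_acl(rec, actor)
        rec.entries.append(text)
        self._log(rec, actor, "append")

    # principle 7: data from A may be appended to B only if B's ACL is contained in A's
    def copy_entry(self, src_id, dst_id, actor, index):
        src, dst = self.records[src_id], self.records[dst_id]
        self._check_acl(src, actor)
        self._check_acl(dst, actor)
        if not dst.acl <= src.acl:
            leak = sorted(dst.acl - src.acl)
            raise PolicyViolation(f"information flow denied: {leak} would gain access")
        dst.entries.append(src.entries[index])
        self._log(src, actor, f"copy entry {index} to {dst_id}")
        self._log(dst, actor, f"copy entry {index} from {src_id}")

    # assumed break-glass path: off-ACL read, always audited and flagged for review
    def emergency_read(self, rec_id, actor, reason):
        rec = self.records[rec_id]
        if actor not in self.clinicians:
            raise PolicyViolation("override is limited to registered clinicians")
        self._log(rec, actor, f"EMERGENCY OVERRIDE: {reason}")
        self._notify(rec, f"{actor} used emergency override on {rec_id}: {reason}")
        return list(rec.entries)


def denied(fn, *args):
    """True if the policy refuses the call; used to exercise the model."""
    try:
        fn(*args)
        return False
    except PolicyViolation:
        return True
```

The subset test in copy_entry is the whole of principle 7: copying from a narrowly shared record into a widely shared one is refused because everyone on the destination list who is not on the source list would gain access. The override does not weaken principle 1 silently; it leaves an audit entry and a patient notification, which is what makes the Denley and Smith arrangement reviewable.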
(Safran 1996) argues that, despite concerns about confidentiality, the present position is that too little clinical information is shared between a patient's direct health care providers, resulting in missing information such as allergies, duplicated tests and so on. He also suggests that one of the greatest threats of unauthorised disclosure arises from hospital staff themselves. (de Meyer, Lundgren et al. 1998) propose that any request for clinical information ought to include the relationship between the patient and the requester, the purpose for which the information is requested and the type of consent given by the patient.
(Anderson and Brann 2000) argue that many present-day threats of unauthorised disclosure arise from inside provider organisations, usually from inadvertent mis-posting of confidential databases on an intranet or the Internet. However, they cite several cases of more deliberate, financially motivated disclosures, for example to employers, insurance or sales organisations. They also argue that secondary disclosures, however legitimate, may result in data being held by third parties under less stringent security conditions than those of the original health provider's data repository.
It is difficult to specify a rigorous approach to consent and confidentiality for the EHR that is also scalable, practical and easily maintainable over a patient's lifetime. An approach to this piloted by the author is described in Chapter 9.