Background and literature review for the CDW Risk Management research project

By MarcAndré Léger, MscA (MIS)

Clinical Data Warehouses

An Electronic Health Record (EHR) is defined as a repository of information regarding the health of a subject of care in computer-processable form, stored and transmitted securely, and accessible by multiple authorised users [ISO-20514] [Ledbetter, 2001] [Bakker, 2004] [Schloeffel, 2002] [Rector, 1991] [Infoway, 2003]. The emerging importance of the EHR, as well as the increase in the informatisation of other health system activities including administration and research, is progressively providing access to large quantities of data concerning patients, health care delivery and biomedical research [Anderson, 2000] [Safran, 2000] [Sujansky, 2001] [Takeda, 2000] [Zviran, 1998]. Electronic patient records are increasingly using multimedia formats, and they are being aggregated into clinical data repositories and warehouses by many medical centers [Humpreys, 2000].

Data warehousing is a collection of decision support technologies, aimed at enabling the knowledge worker (executive, manager and analyst) to make better and faster decisions [Chaudhuri, 1997]. Data warehouses contain data consolidated from several operational databases and tend to be orders of magnitude larger than operational databases, often hundreds of gigabytes to terabytes in size. Typically, the data warehouse is maintained separately from the organization’s operational databases because analytical applications’ functional and performance requirements are quite different from those of operational databases. Data warehouses exist principally for decision support applications and provide the historical, summarized, and consolidated data more appropriate for analysis than detailed, individual records [Chaudhuri, 2001].

A Clinical Data Warehouse or CDW is an information system that functions as a repository (warehouse) of health data from different sources, including the EHR, which together reflect the business processes of a healthcare organisation, or of several linked organisations, for example within a regional healthcare organisation [Ledbetter, 2001]. The Clinical Data Warehouse (CDW) can be regarded as conceptually distinct from the repository that is part of an operational EHR. The EHR data, made accessible through a single portal, becomes a CDW.

Data warehousing offers the health care industry an opportunity to accumulate and assimilate information from numerous data feeds (e.g., laboratory, pharmacy, radiology, finance, etc.) and make it available for decision-making [Miller, 2002] [Berndt, 2003]. A CDW can contain information and knowledge that can significantly improve patient care, help reduce medical errors, enhance quality measures, improve clinical research and increase organisational efficiency [Sujansky, 2001] [CIHR, 2002] [AAMC, 2002] [Wisniewski, 2003] [Ledbetter, 2001] [Puhr, 2003] [Miller, 2002] [Bates, 1999] [Hatcher, 1998] [Marsh, 1998] [Summers, 1996]. Clinical data warehouses have demonstrated important benefits to the various stakeholder groups [Pedersen, 1998] [Kachur, 2000] [HIMMS, 2000] [Schubart, 2000] [Watson, 2003] [Einbinder, 2001] [Snee, 2004].

Some of the benefits of implementing a CDW in a healthcare organisation are [Kerkri, 2001] [Miller, 2002] [Puhr, 2003]:

  • to make an organization’s information accessible:
    • improving data quality;
    • improving production database productivity;
    • allowing users to retrieve necessary data by themselves;
    • improved clinical research;
    • improved patient services;
    • reduction of medical errors;
    • enhanced quality measures;
  • to make the organization’s information consistent:
    • allowing existing legacy systems to continue in operation;
    • consolidating inconsistent data from various legacy systems into one coherent set;
  • to be an adaptive and resilient source of information;
  • to be a secure bastion that protects the information assets; and
  • to be the foundation for decision-making[1], enhancing organisational effectiveness and enabling cost reductions.

Stakeholders

From our preliminary analysis, we believe the stakeholder groups are composed of the following stakeholder categories (see Annex B for a detailed list with the source references):

  • Patients
  • Data users
  • Healthcare organisations
  • Professional associations
  • IT staff
  • Healthcare industry
  • Insurers
  • Government
  • Non Governmental organisations and Community groups
  • Educational
  • IT industry

Risk

Risk is defined as the combination of the probability of an event and its consequence [Burt, 2001] [Berryman, 2002] [ISO, 2002] [Hillson, 2003]. Risk should be viewed as a natural occurrence, a force that results from the pressures of the environment [Novosyolov, 2002] [Damodaran, 2001] [Darlington, 2001]. Wherever there is an opportunity for change, there is a risk. In risk there is the notion of discontinuity, often associated with disasters and unexpected outcomes [Lagadec, 2003]. Implementing change in the form of an information system, such as a CDW, is subject to risk.

There are many different types, or categories, of risk, such as: financial risks [Glaessner, 2002], environmental risks [Shortreed, 2003], operational risks and insurance risks [Darlington, 2001] [Haimes, 1999], and information security risks. An organization must identify the activities where risks are the most significant for the organization [ISO 17799]. This may be motivated by several factors, such as its legal obligations, the expectations of its stakeholders, or other reasons considered significant by managers in the organization.

Risk = (threat x likelihood x impact) / mitigation

Risk can be defined mathematically by a simple equation [Novosyolov, 2002]. Risk is directly proportional to the likelihood of the realization of a threat and directly proportional to its impact, and it is inversely proportional to the risk mitigation measures that are implemented. In information systems, risk is generally perceived in relation to requirements, or expectations, of confidentiality, integrity, availability, non repudiation and access controls, which we refer to as the attributes of risk.

While several theories have been developed in the past [Edwards, 1996] [Laibson, 1998], particularly in relation to gains and financial investments, there is no single representation of risk that can apply to all situations. The prominent risk theory at this time, Prospect Theory [Kahneman, 1979], depicts decision makers as underweighting probable outcomes in comparison to perceived certainties, demonstrating risk aversion in situations where the expected outcome is a financial gain, and demonstrating risk-seeking behaviour in situations where the expected outcome is a financial loss [Edwards, 1996] [Chateauneuf, 1999] [Lloyd, 2003] [Kahneman, 1979] [Olsen, 1997]. Thus, in a risk assessment scenario where the expected outcome involves little or no financial loss, as is generally the case for loss of privacy, the risk tends to be underweighted.

Total risk is composed of the individual risks and categories of risk that exist within the organization [Léger, 2004]. We can look at risk from an organizational point of view, but also in relation to an activity, an information system or a business process. We can also look at risk in relation to the data managed and used within an organization. Whichever way we choose to look at it, the existing risk is the sum of the various risks that are present. Each individual risk requires the presence of one or several threats that have some probability of materializing and of having a negative effect on the expected outcome. Given that CDWs are complex, expensive and time-consuming to implement [Kerkri, 2001], it follows that there is potential for risk.

The attributes of risk

Risk in information systems is generally perceived in relation to attributes. [ISO 17799] proposes the attributes of confidentiality, integrity and availability, and notes that other attributes such as authenticity, accountability, non-repudiation and reliability may also be involved. [Zhou, 1999] proposes confidentiality, integrity, availability, non repudiation and authentication. We present here some definitions.

Confidentiality

Confidentiality is the property that information is not made available or disclosed to unauthorized individuals, entities, or processes.[2] Confidentiality exists when information is communicated in the context of a special relationship (such as doctor-patient, lawyer-client, etc.) where the information is intended to be held in confidence or kept secret [CIHR, 2002]. It is an ethical concept that regulates the communication of information between individuals [Roger, 1998]. The status of confidential is accorded to data or information indicating that it is sensitive for some reason, and therefore it needs to be protected against theft, disclosure, or improper use, or both, and must be disseminated only to authorized individuals or organizations with a need to know.’[3] Individuals have a right to the privacy and confidentiality of their health information [Buckovich, 1999].

Confidentiality is at the heart of medical practice and is essential for maintaining trust and integrity in the patient-physician relationship. Knowing that their privacy will be respected gives patients the freedom to share sensitive personal information with their physician [WMA, 2002]. The Declaration of Geneva requires physicians to « preserve absolute confidentiality on all he knows about his patient even after the patient has died » [WMA, 2002].

Confidentiality is a managerial responsibility: it concerns the problem of how to manage data by rules that are satisfactory both to the managers of data banks and to the persons to whom the data pertain [Thompson, 2001]. The enforcement of classification-clearance matching is mandated by directives and regulations: an individual may not exercise his own judgement to violate it [Bell, 1976]. In the same way, as health professionals do not belong to the same structures, which are independent of each other, the confidentiality of the activity of each structure must be ensured as well [Kerkri, 2001]. In [Pace, 2003], confidentiality is maintained by de-identifying reports and eliminating elements within the database that would make it possible to link a report to a specific event identified by other means, such as through the patient’s medical record.

Integrity

Integrity is the property of safeguarding the accuracy and completeness of assets [ISO 13335-1]. Integrity is a property determined by approved modification of information [Bell, 1976].

Individuals have the right to the integrity of their health information. Entities and/or persons that create, maintain, use, transmit, collect, or disseminate individual health information shall be responsible for ensuring this integrity [Buckovich, 1999].

Continuity of care might imply a complete communication of medical data, respecting its integrity and its availability [Roger, 1998]. For example, in a picture archiving and communication system (PACS), the data integrity is essential for passing the correct information to the doctor [Tsong, 2003].

Outside of signing checksums on large fields (such as medical images), integrity can only be partially guaranteed by authenticating the individual at the source site responsible for transferring the information, and trusting the individual to verify the data [Cody, 2003].

Data integrity includes minimization of data redundancy, improvement of data maintenance, and elimination of multiple versions of data [Candler, 1999].

In addition to malicious threats, the threats that come from software, hardware, or network failure, or the threats that come from simple human error can affect the integrity of an information system [Cody, 2003].

Availability

Availability is the property of being accessible and usable upon demand by an authorized entity (ISO 7498-2:1989).

The availability of intelligently integrated and verified operational information could have a profound effect on decision-making in a wide range of contexts [Brender, 1999]. Health research, particularly in the areas of health services and policy, population and public health, critically depends on the ready availability of existing data about people [CIHR, 2002].

Non repudiation

Non-repudiation refers to the ability to prove an action or event has taken place, so that this event or action cannot be repudiated later.[4]

[ISO13888-1] identifies the following non repudiation services:

  • Non repudiation of creation: to protect against an entity’s false denial of having created the content of a message.
  • Non repudiation of delivery: to protect against a recipient’s false denial of having received the message and recognised the content of a message.
  • Non repudiation of knowledge: to protect against a recipient’s false denial of having taken notice of the content of a received message.
  • Non repudiation of origin: to protect against the originator’s false denial of having approved the content of a message and of having sent a message.
  • Non repudiation of receipt: to protect against a recipient’s false denial of having received a message.
  • Non repudiation of sending: to protect against the sender’s false denial of having sent a message.
  • Non repudiation of submission: to provide evidence that a delivery authority has accepted the message for transmission.
  • Non repudiation of transport: to provide evidence for the message originator that a delivery authority has delivered the message to the intended recipient.

Non-repudiation technologies, such as digital signatures, are used to ensure that a person performing an action cannot subsequently deny performing that action. This is useful for digital contracts, statements and anywhere else that a signature would be used in the physical world. Digital signatures are commonly used for non-repudiation, and are normally based on PKI, which uses asymmetric ciphers [Helvey, 2004].

Digital signature safeguards can provide protection to enable non-repudiation [ISO 13335-2].

Cryptographic techniques (e.g. based on the use of digital signatures) can be used to prove or otherwise the sending, transmission, submission, delivery, receipt notification, etc. of messages, communications and transactions [ISO 13335-2].
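As an added illustration of two points made above (integrity of large fields such as images through checksums [Cody, 2003], and non-repudiation through digital signatures), the following Go program is example code written for this review, not code from any cited source. It assumes a hypothetical source site that computes a SHA-256 checksum over a large field, signs the checksum together with the study identifier using an Ed25519 key pair (standing in for a PKI-issued key), and a receiving site that verifies both. The SignedRecord structure, the study identifiers and the constructed image bytes are assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SignedRecord is what the source site ships alongside a large field such as a
// medical image: the SHA-256 checksum of the field, the identifier it belongs
// to, and the source's signature over both. (Hypothetical structure.)
type SignedRecord struct {
	StudyID   string
	Digest    [32]byte
	Signature []byte
}

// NewSourceKeys generates the source site's signing key pair. In practice the
// key would be issued and certified through a PKI; generating it here keeps
// the example self-contained.
func NewSourceKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signedMessage is the byte string that is actually signed: study id plus
// digest, so a genuine image cannot be quietly re-attached to another study.
func signedMessage(studyID string, digest [32]byte) []byte {
	return append([]byte(studyID+"\x00"), digest[:]...)
}

// SignField checksums the field and signs (study id || digest) with the source
// site's private key; only the holder of that key can produce the signature,
// which is what lets the source be held to having sent it.
func SignField(priv ed25519.PrivateKey, studyID string, field []byte) SignedRecord {
	d := sha256.Sum256(field)
	return SignedRecord{
		StudyID:   studyID,
		Digest:    d,
		Signature: ed25519.Sign(priv, signedMessage(studyID, d)),
	}
}

// VerifyField recomputes the checksum over the received field and checks the
// signature with the source's public key. A change to the field, to the study
// id or to the signature makes verification fail.
func VerifyField(pub ed25519.PublicKey, rec SignedRecord, field []byte) error {
	if sha256.Sum256(field) != rec.Digest {
		return errors.New("integrity: field checksum does not match the signed checksum")
	}
	if !ed25519.Verify(pub, signedMessage(rec.StudyID, rec.Digest), rec.Signature) {
		return errors.New("non-repudiation: signature was not produced by the claimed source")
	}
	return nil
}

func main() {
	pub, priv := NewSourceKeys()
	image := bytes.Repeat([]byte{0x42}, 1<<16) // constructed stand-in for image pixels
	rec := SignField(priv, "STUDY-0001", image)
	fmt.Println("checksum:", hex.EncodeToString(rec.Digest[:]))
	fmt.Println("genuine copy:", VerifyField(pub, rec, image))

	tampered := append([]byte(nil), image...)
	tampered[100] ^= 0xff // one byte changed in transit
	fmt.Println("tampered copy:", VerifyField(pub, rec, tampered))

	relabelled := rec
	relabelled.StudyID = "STUDY-0002" // genuine image attached to the wrong study
	fmt.Println("relabelled record:", VerifyField(pub, relabelled, image))
}
```

A keyed checksum shared between the two sites would also detect tampering, but it cannot provide non-repudiation: either holder of the shared key could have produced it, so the source could plausibly deny having sent the field. A signature under a private key that only the source holds is what ties the act to the source, which is why the cited sources pair non-repudiation with asymmetric ciphers and a PKI.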

Access controls

Access control technologies are used to protect information by restricting access to information or operations, according to the identity of the accessor. Common mechanisms for access control are discretionary (DAC), mandatory (MAC), and role-based (RBAC). DAC is based on the identity or group membership of the user, and allows the user to specify which other users may access the information. MAC is common in secure operating systems, and uses labels and access control lists to protect information. RBAC allows access control policies to be defined according to the user’s role in an organization, such as administrator, supervisor, researcher, and so on [Helvey, 2004].

Health care organisations have knowingly compromised information security through less than satisfactory access controls simply in order to encourage all staff to use the computer systems. Once such a compromise has been adopted, it is subsequently very difficult to convince users of the need to strengthen access control. Once appropriate access control and auditing are installed, staff scepticism soon turns to acceptance as they come to realise their importance and benefit [Gaunt, 2000].

In a HIPAA-mandated PACS environment, from an application point of view, there should be a log mechanism to keep track of access information such as [CAO, 2003]:

  • Identification of the person that accessed this data
  • Date and time when data has been accessed
  • Type of access (create, read, modify, delete)
  • Status of access (success or failure)
  • Identification of the data.
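To show how the RBAC model of [Helvey, 2004] and the five log fields listed above fit together, here is an added example in Go, written for this review and not the logging mechanism of any cited PACS or CDW. The roles, data classes, user names and data identifiers are constructed for the illustration; a real deployment would take them from its directory and policy store.

```go
package main

import (
	"fmt"
	"time"
)

// Operation is the type of access recorded in the log (the four listed above).
type Operation string

const (
	Create Operation = "create"
	Read   Operation = "read"
	Modify Operation = "modify"
	Delete Operation = "delete"
)

// AuditEntry carries the five items the passage lists for an access log.
type AuditEntry struct {
	User    string    // identification of the person who accessed the data
	When    time.Time // date and time of the access
	Op      Operation // type of access
	Success bool      // status of the access
	DataID  string    // identification of the data
}

// policy is an RBAC policy: role -> data class -> permitted operations.
// Roles and data classes are hypothetical examples for this illustration.
var policy = map[string]map[string][]Operation{
	"clinician":  {"identified": {Create, Read, Modify}, "deidentified": {Read}},
	"researcher": {"deidentified": {Read}},
	"dba":        {"identified": {Read, Delete}, "deidentified": {Read, Delete}},
}

// Warehouse holds the role assignments, the data-class index and the log.
type Warehouse struct {
	Roles     map[string]string // user -> role
	DataClass map[string]string // data id -> data class
	Log       []AuditEntry
	now       func() time.Time
}

func NewWarehouse() *Warehouse {
	return &Warehouse{Roles: map[string]string{}, DataClass: map[string]string{}, now: time.Now}
}

func (w *Warehouse) allowed(role, class string, op Operation) bool {
	for _, p := range policy[role][class] {
		if p == op {
			return true
		}
	}
	return false
}

// Access applies the RBAC check and records the attempt whether it succeeded
// or not: a denied attempt is as important to the audit trail as a success.
func (w *Warehouse) Access(user, dataID string, op Operation) bool {
	class, known := w.DataClass[dataID]
	ok := known && w.allowed(w.Roles[user], class, op)
	w.Log = append(w.Log, AuditEntry{User: user, When: w.now(), Op: op, Success: ok, DataID: dataID})
	return ok
}

// Failures returns the denied attempts, the entries a reviewer looks at first.
func (w *Warehouse) Failures() []AuditEntry {
	var out []AuditEntry
	for _, e := range w.Log {
		if !e.Success {
			out = append(out, e)
		}
	}
	return out
}

func main() {
	w := NewWarehouse()
	w.Roles["dr.lee"] = "clinician" // constructed users
	w.Roles["r.khan"] = "researcher"
	w.DataClass["MRN-1001"] = "identified" // constructed data identifiers
	w.DataClass["DS-7"] = "deidentified"

	w.Access("dr.lee", "MRN-1001", Read) // allowed
	w.Access("r.khan", "DS-7", Read)     // allowed
	w.Access("r.khan", "MRN-1001", Read) // denied: researcher on identified data
	w.Access("r.khan", "DS-7", Delete)   // denied: researcher may only read
	for _, e := range w.Log {
		fmt.Printf("%s %-8s %-6s success=%-5v %s\n",
			e.When.Format(time.RFC3339), e.User, e.Op, e.Success, e.DataID)
	}
	fmt.Println("denied attempts:", len(w.Failures()))
}
```

The log is written inside the same call that makes the decision, so there is no code path that grants or denies access without leaving an entry; a log that only records successes would miss exactly the attempts [Gaunt, 2000] and [CAO, 2003] want reviewed.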

The model for authorisation and access control in distributed health information systems has to deal with policy description and negotiation including policy agreements, authentication, certification, and directory services but also audit trails, altogether forming the privilege management infrastructure [Blobel, 2004].

Technology can help ensure the granting and restriction of access to those users with legitimate needs, by means of passwords, access codes, and other identifying mechanisms [Buckovich, 1999].

Privacy vs security

The right to privacy entitles people to exercise control over the use and disclosure of information about them as individuals. The privacy of a patient’s personal health information is secured by the physician’s duty of confidentiality [WMA, 2002].

Privacy is a social, cultural and legal concept, all three aspects of which vary from country to country [Thompson, 2001]. While security of personal data may be instrumental for this purpose, ‘data security is a very different thing from privacy’.[5]

Privacy: ‘‘The right of individuals to be left alone and to be protected against physical or psychological invasion or the misuse of their property. It includes freedom from intrusion or observation into one’s private affairs, the right to maintain control over certain personal information, and the freedom to act without outside interference.’’[6]

Information privacy can be thought of as a set of controls placed upon organizations over the uses of personal information in their custody and control, and the rights conferred upon individuals over their personal information. What becomes clear in mapping out these security and privacy elements is that some of the components of privacy protection can be addressed by security safeguards, while others cannot. Some security functions may actually hinder or even threaten necessary privacy protection. Some privacy measures may weaken or threaten justified security measures. Hence the security–privacy paradox [Cavoukian, 2003].

The Declaration of Helsinki states: « It is the duty of the physician in medical research to protect the life, health, privacy, and dignity of the human subject » [WMA, 2002].

A recurring idea is that a research database of patient data can and should be ‘‘scrubbed’’ of personal identifying information, and thereafter the ‘‘clean’’ database can be made available for research on a less restricted basis.

[Behlen, 1999] argues that such complete scrubbing is not feasible, and even if it were feasible, it would not be appropriate ethically. A troublesome requirement for exemption is that of ‘‘throwing away the key’’ that links data to a patient. This requirement presents some practical, scientific, and ethical problems:

  • It forecloses the possibility of benefit to the patient;
  • The requirement greatly complicates the maintenance of a current database;
  • The requirement eliminates some checks against scientific fraud.
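An added example of the trade-off in this passage, in Go, written for this review and not drawn from [Behlen, 1999] or any other cited work. A constructed three-row table is released with its direct identifiers replaced by a keyed pseudonym (HMAC-SHA256 under a key that stays with a hypothetical data custodian, so the linking key is retained rather than thrown away), and the released rows are then checked to see which remain unique on the quasi-identifiers kept for research value. The field names, the custodian key and the sample rows are all assumptions for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Record is a constructed patient row as held in an operational source.
type Record struct {
	MRN        string // direct identifier
	Name       string // direct identifier
	BirthYear  int    // quasi-identifier, kept for research value
	PostalCode string // quasi-identifier, kept for research value
	Diagnosis  string
}

// Research is the row released to the research database: direct identifiers
// replaced by a keyed pseudonym, quasi-identifiers retained.
type Research struct {
	Pseudonym  string
	BirthYear  int
	PostalCode string
	Diagnosis  string
}

// Pseudonym derives a stable token from the MRN under a key that stays with the
// data custodian. Keeping the key (instead of "throwing it away") means the
// custodian, and only the custodian, can re-link a finding to the patient.
func Pseudonym(custodianKey []byte, mrn string) string {
	mac := hmac.New(sha256.New, custodianKey)
	mac.Write([]byte(mrn))
	return hex.EncodeToString(mac.Sum(nil))[:16]
}

// Scrub strips the direct identifiers from every record.
func Scrub(custodianKey []byte, rows []Record) []Research {
	out := make([]Research, 0, len(rows))
	for _, r := range rows {
		out = append(out, Research{
			Pseudonym:  Pseudonym(custodianKey, r.MRN),
			BirthYear:  r.BirthYear,
			PostalCode: r.PostalCode,
			Diagnosis:  r.Diagnosis,
		})
	}
	return out
}

// UniquelyIdentifying returns the released rows that are singled out by their
// quasi-identifiers alone, i.e. rows that stay re-identifiable without any key.
func UniquelyIdentifying(rows []Research) []Research {
	count := map[string]int{}
	qid := func(r Research) string { return fmt.Sprintf("%d|%s", r.BirthYear, r.PostalCode) }
	for _, r := range rows {
		count[qid(r)]++
	}
	var out []Research
	for _, r := range rows {
		if count[qid(r)] == 1 {
			out = append(out, r)
		}
	}
	return out
}

// SampleRecords is a constructed three-row source table.
func SampleRecords() []Record {
	return []Record{
		{"MRN-1", "A. Example", 1950, "H3A", "dx-a"},
		{"MRN-2", "B. Example", 1950, "H3A", "dx-b"},
		{"MRN-3", "C. Example", 1931, "G0A", "dx-c"},
	}
}

func main() {
	key := []byte("constructed-custodian-key-for-illustration-only")
	released := Scrub(key, SampleRecords())
	for _, r := range released {
		fmt.Printf("%s %d %s %s\n", r.Pseudonym, r.BirthYear, r.PostalCode, r.Diagnosis)
	}
	unique := UniquelyIdentifying(released)
	fmt.Printf("%d of %d released rows are still unique by (birth year, postal code)\n", len(unique), len(released))
	// Re-linking by the custodian: the pseudonym is reproducible from MRN + key.
	fmt.Println("custodian can re-link MRN-3:", Pseudonym(key, "MRN-3") == released[2].Pseudonym)
}
```

The two results illustrate the argument in the passage from both sides: because the custodian keeps the key, a finding about a pseudonymised row can still be returned to the patient and the database can be kept current, whereas the row that stays unique on birth year and postal code shows that removing direct identifiers alone does not make the table "clean".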

Quality of data is crucial to privacy protection. Security is necessary, but far from sufficient, to ensure privacy. Computer scientists and others often take ‘privacy’ to mean (only) ‘data security’ against risks of unauthorized access, physical damage to databases or transmissions, and the like. However, it is no comfort to a privacy-aware individual to be told that inaccurate, outdated, excessive and irrelevant data about her are encrypted and stored behind hacker-proof firewalls until put to use by (say) a credit-granting organization in making decisions about her [Raab, 2004]. Following intense scrutiny in some research projects, it may be necessary to conduct an independent reanalysis of the data and results to confirm the quality of the original data [Shortreed, 2003].

Privacy of information collected during health care processes is necessary because of significant economic, psychologic, and social harm that can come to individuals when personal health information is disclosed [Barrows, 1996].

Privacy and confidentiality of the patient record has attracted extensive debate and analysis, including discussion of research. Although policy issues regarding research access to public health databases have been analyzed in detail, less attention has been paid to the problem of how to oversee and administer, within the framework of applicable public policy, multicenter research using privately held patient records. In addition to public policy, the policies of each participating institution must be considered [Behlen, 1999].

The relationship between health care provider and patient is one characterized by intimacy and trust, and confidentiality is embedded at least implicitly in patient-provider interactions. The notion of confidentiality in health care has a strong professional tradition that has suffered progressive erosion due to third-party reimbursement schemes, managed care and other health care organizational structures, and the perceptions and culture of professionals within modern health care systems. One third of medical professionals have indicated that information is given to unauthorized people “somewhat often” [Barrows, 1996].

Ethical issues in healthcare database risk management

Clinical research must be done with the utmost respect for ethical concerns [Beecher, 1966]. The rights to privacy and confidentiality are intimately connected with the right to respect for one’s dignity, integrity and autonomy, and are constitutionally enshrined in the Canadian Charter of Rights and Freedoms and Quebec’s Charter of Human Rights and Freedoms [CIHR, 2002]. Privacy and confidentiality lie at the root of international and national ethics guidelines, as well as professional codes of deontology [CIHR, 2002] [CIHR, 2004]. They are the principal drivers of the requirement for adequate treatment of risk in healthcare organisations [Senate, 2002]. Legal uncertainty also makes it difficult for consumers to be aware of and understand their privacy and confidentiality rights [Buckovich, 1999].

The core principles at the heart of Canadian privacy legislation, which form the basis of the Canadian Standards Association [CSA, 2003] Model Code for the Protection of Personal Information [CIHR, 2004], together with [WMA, 1994] [WMA, 1995] [WMA, 2002] [Buckovich, 1999] [CIHR, 2004], identify the following areas of risk that need to be addressed in a CDW:

  • Policies;
  • Confidentiality;
  • Privacy;
  • Integrity;
  • Availability;
  • Safeguards:
    1. Limiting Collection;
    2. Management controls;
    3. Processes to enable Challenging Compliance;
    4. De-identification of data;
    5. Secure transmission of data;
    6. Accountability;
  • Openness:
    1. Informed consent;
    2. Identifying Purposes;
    3. Access to information by patients (right to withhold, segregate, amend and copy);
    4. Limiting Use, Disclosure, and Retention;
    5. Full disclosure (no secret databases shall exist);
    6. Non-commercial use (no medical record shall be sold or utilized for marketing purposes without the prior informed consent of the individual);
  • Documentation and training.

This is in accord with the requirements of the declarations of Lisbon [WMA, 1995], Geneva [WMA, 1994], Helsinki [WMA, 2002], as well as [Belmont, 1979] [Helsinky, 1964] [Nuremberg, 1949] [Harkness, 2001].

Challenge: The selection and categorization of the different areas of risk that comprise the overall risk and areas of threats that should be considered in the implementation and use of a clinical data warehouse.

This would be a significant improvement over the commonly used approaches, which are mainly concerned with confidentiality, integrity and availability. It would also be better suited to the requirements that we have identified in the literature.

Combining the requirements

If we put this in the form of a table, the requirements could be represented as:

Table: risk requirement categories by stakeholder category. Each cell lists the numbers of the requirements (see Annex A) that apply; the columns, from left to right, are:

Stakeholder category | Risk requirement category: Confidentiality | Integrity | Availability | Privacy | Policies | Openness | Safeguards | Documentation and training

Patients 1, 14, 35, 54, 57, 58, 60 7, 47, 66 2, 3, 4, 8 1b, 5, 6, 9, 11, 38, 39 14, 29, 30, 35, 36, 37 24, 50 49
Data users 53, 7b, 64, 65, 69, 70 72 13 40, 43 17, 18, 19, 35 19, 24, 42, 44, 45, 75, 76, 77, 78, 79, 80, 81, 82, 84 25, 48
Healthcare organisations 14, 33, 54, 56, 60, 61 7b, 66 9, 10, 12, 13 26, 40, 61 14, 15, 16, 17, 18, 29 24, 50, 87 25, 48, 51
Healthcare professionals 32, 58, 59, 62 46 73 9, 59 33 31, 33 32 25
Professional associations 13 52 25
Healthcare industry 13 26 15, 16
Insurers 13, 20 26 15, 18,
Government 13 26 15, 16, 18, 22, 29 28, 50 48
NGOs and Community groups 13 26
Educational 74 13 41 17
IT staff 34, 56, 60, 61, 63 7b, 66, 69, 71 10 26, 40, 61 35 19, 23, 24, 27, 34, 83, 85, 86, 88, 89, 90 25, 48
IT industry 15
Other 21

The requirements presented in this table were identified in our literature review; a complete list of the requirements with their references is presented in Annex A.

Challenge: further work could identify additional requirements that have been missed, and further analysis may be needed. The list of stakeholders and the categorization of stakeholder groups also require validation.


Risk management

Organizations need to identify the predictable [Watkins, 2003] to perform optimally, with regularity, over time. They need to manage risk. Fundamentally, risk management encompasses three processes: recognition of threats, prioritization and mobilization of resources (RPM processes) [Watkins, 2003]. Formal methods are the most successful way to implement change in IS [Clarke, 1996]; this supports [Landwehr, 1981], which holds that formal risk management methods are the best course of action for organisations. Managing risks in information systems is paramount to accurate financial reporting and to the provision of the timely and relevant information required in organisations for optimal decision-making [Stoneburner, 2002].

The use of an abstract security model is necessary: without adequate models it is not possible to design secure systems [Anderson, 1972]. Formal risk management methodologies generally implement the RPM processes (recognition of threats, prioritization and mobilization of resources) through the formal processes of risk assessment, risk evaluation and risk mitigation [BS-7799-2] [Hancock, 2002] [ISO 13335-2] [Alberts, 1999] [Clusif, 2000] [Canada, 2004] [Léger, 2004] [HM Treasury, 2001] [GRC, 1994] [ISO 17799] [COSO, 2003] [Schumacher, 1997]. The main objective of these methodologies is to balance the operational and economic costs of risk mitigation measures and to achieve organisational benefits by protecting the systems and data that support their missions [Stoneburner, 2002] [Myerson, 1999].

The four possible treatments of risk are [BS-7799-2] [ISO 13335-2]:

  • Transfer risk: e.g. purchase insurance or outsource
  • Avoid risk: e.g. choose not to proceed or implement
  • Accept risk: e.g. decide that the level of risk identified is within the tolerance capabilities of an organisation
  • Mitigate risk: e.g. implement technical risk mitigation controls, such as a firewall

Figure 1: Risk treatment options

For example, [ISO17799] does not define exact requirements for how to proceed; it requires an organization to put in place a formal process to identify, quantify and prioritize risks against criteria and objectives relevant to the organization. This implies that an organization must first define what these criteria and objectives are, expressed in relation to the seven attributes of risk (confidentiality, integrity, availability, non repudiation, control of the origin of data, control of the origin of user access, and access controls). Once these objectives have been identified, the organisation can determine the presence of one or several threats (recognition of threats) that have some probability of materializing.

The likelihood that a threat may materialize and the significance of its impact, taken together, should help the organisation prioritize its risk treatment options, as identified in Figure 1, and mobilize resources as required [BS-7799-2] [ISO 13335-2] [Alberts, 1999] [Clusif, 2000] [Senate of Canada, 2004] [Léger, 2004] [HM Treasury, 2001] [GRC, 1994] [ISO 17799] [COSO, 2003].
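The following Go program, an added example written for this review rather than taken from any of the cited methodologies, carries the review's Risk = (threat x likelihood x impact) / mitigation formula through the recognition, prioritization and treatment steps described in this section: threats are listed against the attributes of risk, scored, ranked, and compared with a tolerance to decide between accepting and treating each one. The five register entries, the 1-5 scoring scale, the mitigation factor and the tolerance threshold are constructed assumptions for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Entry is one line of a hypothetical CDW risk register. Threat, likelihood
// and impact are scored on a 1-5 ordinal scale; Mitigation is the combined
// strength of the controls already in place (1 = none), so the score follows
// the review's Risk = threat x likelihood x impact / mitigation.
type Entry struct {
	Name       string
	Attribute  string // attribute of risk the threat bears on
	Threat     float64
	Likelihood float64
	Impact     float64
	Mitigation float64
}

// Score applies the formula. A mitigation factor below 1 is treated as 1 so
// that controls can only lower the score, never raise it.
func Score(e Entry) float64 {
	m := e.Mitigation
	if m < 1 {
		m = 1
	}
	return e.Threat * e.Likelihood * e.Impact / m
}

type Treatment string

const (
	Accept Treatment = "accept"
	Treat  Treatment = "treat (mitigate, transfer or avoid)"
)

// Ranked is a register entry with its score and the treatment it calls for.
type Ranked struct {
	Entry
	Score     float64
	Treatment Treatment
}

// Prioritize orders the register by score (highest first) and assigns a
// treatment: entries at or below the organisation's tolerance are accepted;
// the rest must be treated, and choosing between mitigate, transfer and avoid
// is the management decision the review describes.
func Prioritize(register []Entry, tolerance float64) []Ranked {
	out := make([]Ranked, 0, len(register))
	for _, e := range register {
		r := Ranked{Entry: e, Score: Score(e), Treatment: Treat}
		if r.Score <= tolerance {
			r.Treatment = Accept
		}
		out = append(out, r)
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].Score > out[j].Score })
	return out
}

// SampleRegister is a constructed register of five threats to a CDW.
func SampleRegister() []Entry {
	return []Entry{
		{"Staff read identified records without need to know", "confidentiality", 4, 4, 5, 2},
		{"Silent corruption of loaded image data", "integrity", 3, 2, 5, 1},
		{"ETL outage delays the daily load", "availability", 3, 4, 2, 3},
		{"Source site denies having sent a result", "non repudiation", 2, 2, 3, 4},
		{"Shared account bypasses role checks", "access controls", 4, 3, 5, 1.5},
	}
}

func main() {
	const tolerance = 10 // constructed organisational tolerance
	for _, r := range Prioritize(SampleRegister(), tolerance) {
		fmt.Printf("%5.1f  %-16s %-52s %s\n", r.Score, r.Attribute, r.Name, r.Treatment)
	}
}
```

The ordinal scores are the weak point of any such register: as the Prospect Theory discussion earlier in this review notes, threats whose impact is a loss of privacy rather than a financial loss tend to be scored low, so the ranking is only as good as the impact criteria the organisation defines in the first step.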

[ISO17799] and [BS 7799-2] require that the results of risk assessment processes guide the organization and help it determine appropriate actions and priorities. They require organizations to put in place management controls to ensure that risks are mitigated to an acceptable level, taking into account:

  • Organizational objectives;
  • Requirements and constraints of legislation;
  • Operational requirements and constraints;
  • Cost in relation to the risks being reduced, and remaining proportional to the organization’s requirements;
  • The need to balance the investment against the harm likely to result.

A risk management framework is a description of an organization-specific set of functional activities and associated definitions that define the risk management system in an organization and its relationship to the organizational system; it defines the processes, and the order and timing of the processes, that will be used to manage risks [Shortreed, 2003]. The integration of on-going RPM processes, with the addition of tools and accelerators, comprises what we define as a Risk Management Framework (RMF). To obtain the complete requirements, we should add the elements included in the above list to the requirements presented in the combined requirements table, presented on pages 15-16. RMFs, such as COBIT [COSO, 2003] or ISMS [BS-7799-2], implement some form of continuous quality improvement model based on the Deming PDCA (or PDSA) model and include management guidelines, a management system, some form of risk assessment process and tools [Fulford, 2003]. Many of these have been used in healthcare [Collmann, 2003] [Janczewski, 2002] [Tsong, 2003] [Léger, 2004].

Risk management requirements in healthcare

According to [Barrows, 1996], the goals of information security in healthcare are:

  • To ensure the privacy of patients and the confidentiality of health care data (prevention of unauthorized disclosure of information)
  • To ensure the integrity of health care data (prevention of unauthorized modification of information)
  • To ensure the availability of health data for authorized persons (prevention of unauthorized or unintended withholding of information or resources)

Risk management of Healthcare Information Systems (HIS), such as a CDW, is generally a subset of information system risk management [Watson, 2004]. Past research we have performed [Léger, 2003] in the Québec healthcare system indicates that the same risk management techniques are used. Current standards initiatives [ISO 27799] are promoting the adaptation of existing standards [ISO 17799] for use in healthcare internationally. We are also aware of the same risk management standards [BS 7799-2] [ISO 17799] being used in healthcare [Toyoda, 1998].

The requirements for risk management in HIS or CDW are different from those of Management Information Systems (MIS) [Butler, 2002] [Kane, 1998]. [Buckovich, 1999] mentions that many organizations are struggling to develop principles addressing the privacy, confidentiality, and security of health information. A complex mixture of organisational, ethical, legal and deontological requirements must be met in HIS [Demers, 2004] [Barber, 1998] [Behlen, 1999] [Blobel, 2000] [Buckovich, 1999] [Smith, 1998] [Boudreau, 2001] [CAI, 1992] [CAI, 2001] [CAI, 2002] [Wagner, 1999] [Freeman, 1999] [Toyoda, 1998]. In business environments the requirement for security is different from the requirement for privacy [Cavoukian, 2002].

Used inappropriately, a CDW can cause ethical, privacy, legal, financial and even criminal risks [Miller, 2002] [Blobel, 2000] [Snee, 2004] [Cody, 2003] [CIHR, 2002] [Senate, 2002]. Trustworthiness in stakeholder communication and co-operation throughout the complete lifecycle[7] of health data, starting with informed consent, while respecting an individual’s rights [Belmont, 1979] [Helsinky, 1964] [Nuremberg, 1949] [Harkness, 2001] (including the right to privacy), is fundamental [Kerkri, 2001] [Blobel, 2004] [CIHR, 2002], expected by the stakeholders [Roger, 1998] and necessary in clinical research [Beecher, 1966] [Helvey, 2004]. Two of the biggest challenges in the planning process of the CDW described in [Wisniewski, 2003] were accommodating the security and confidentiality mandates of regulatory agencies and obtaining institutional approvals.

Challenge: we must define the principal components of the risk management framework and how they interact with the various stakeholders and stakeholder groups, and identify and define the principal processes involved in the implementation of an RPM process and how these can be modeled.

Ethical issues, and in particular privacy issues, are not addressed in current RMF [Thompson, 2001]. Recent jurisprudence in Québec[8] indicates that in cases of loss of privacy that do not involve damages, the financial impact for an organisation is low [Wellman c. Québec, 2002]; however, this may be changing[9]. The risk of loss of privacy (privacy risks) and the risk of unethical uses of health data (ethical risks) therefore tend to be underweighted. As these are underweighted, the logical result is that ethical risks and privacy risks receive less attention.


Bibliography

Reference / Class (see the significance legend at the end of the bibliography)
Anderson JG. Security of the distributed electronic patient record: a case-based approach to identifying policy issues, International Journal of Medical Informatics, 2002, pages 111–118 1
Association of American Medical Colleges, Information Technology Enabling Clinical Research, Findings and Recommendations from a Conference Sponsored by the Association of American Medical Colleges with Funding from the National Science Foundation, October 30-31, 2002 2
Alberts, Christopher J., 1999, Octave Framework version 1.0, technical report, Carnegie Mellon University, 2001, http://www.atis.org/tg2k/t1g2k.html 4
Bakker, Ab, Access to EHR and access control at a moment in the past: a discussion of the need and an exploration of the consequences, International Journal of Medical Informatics, 2004 3
Barber, B, Patient data and security: an overview, International Journal of Medical Informatics, no 49, 1998, pages 19-30 1
Bates, D.W., Pappius, E., Kuperman, G.J., Sittig, D., Burstin, H., Fairchild, D., Brennan, T.A., Teich, J.M., Using information systems to measure and improve quality, International Journal of Medical Informatics, 1999, pages 115–12 2
Barrows, RC Jr, Clayton, PD, Privacy, confidentiality, and electronic medical records, Journal of the American Medical Informatics Association, 1996, pages 139-148 2
Beecher, HK. Ethics and clinical research, The New England Journal of Medicine, 1966, 274: 1354–1360. 2
Behlen, Fred M., Johnson, Stephen B., Multicenter Patient Records Research, Journal of the American Medical Informatics Association, Volume 6, Number 6, Nov / Dec 1999 1
Bell, D.E., LaPadula, L.J., Secure computer system: Unified exposition and multics interpretation, MITRE report 2997, March 1976 2
Belmont Report, Ethical Principles and Guidelines for the Protection of Human Subjects of Research, The National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research, April 18, 1979 3
Berryman, Paul, Risk Assessment: The Basics, paper submitted in partial fulfilment of the GIAC Global Information Assurance Certification, http://www.giac.org/, February 2002 4
Berndt, Donald J, Hevner, Alan R, Studnicki, James, The Catch data warehouse: support for community health care decision-making, Decision Support Systems, Vol 35, 2003, pages 367–384 3
Blobel, Bernd, Advanced toolkits for EPR security, International Journal of Medical Informatics, no 60, 2000, pages 169-175 2
Blobel, Bernd, Authorisation and access control for electronic health record systems, International Journal of Medical Informatics, 2004, pages 251–257 3
Boudreau, Christian and the CAI, Étude sur l’inforoute de la santé au Québec : Enjeux techniques, éthiques et légaux, discussion paper, October 2001 4
British Standard BS-7799-2:2002, Information Security Management System – Specification with Guidance for use, September 2002 3
Buckovich, Suzy A. et al., Driving Toward Guiding Principles: A Goal for Privacy, Confidentiality, and Security of Health Information, Journal of the American Medical Informatics Association, Volume 6, Number 2, Mar / Apr 1999, pages 122-133 1
Burt, Dr. Brian A., Definitions of Risk, Department of Epidemiology, School of Public Health, University of Michigan, 2001 3
CSA (Canadian Standards Association), Model Code for the Protection of Personal Information (Q830-96), 2003, http://www.csa.ca/standards/privacy/code/Default.asp?language=english 2
Chateauneuf, A., Wakker, P., An Axiomatization of Cumulative Prospect Theory for Decision Under Risk, Journal of Risk and Uncertainty, 1999, pages 137-145 4
Cavoukian, A., The Security-Privacy Paradox: Issues, Misconceptions, and Strategies, A Joint Report by the Information and Privacy Commissioner of Ontario and Deloitte & Touche, Information and Privacy Commissioner of Ontario, August 2003, http://www.ipc.on.ca/docs/sec-priv.pdf 2
Chaudhuri, Surajit, Dayal, Umeshwar, An overview of data warehousing and OLAP technology, ACM SIGMOD Record, Volume 26, Issue 1, March 1997 2
Chaudhuri, S., Dayal, U., Ganti, V., Database technology for decision support systems, IEEE Computer, Volume 34, Issue 12, Dec 2001, pages 48-55 2
CIHR (Canadian Institutes of Health Research), Guidelines for Protecting Privacy and Confidentiality in the Design, Conduct and Evaluation of Health Research: Best Practices, Consultation Draft, April 2004 2
CIHR (Canadian Institutes of Health Research), Secondary use of personal information in health research: Case studies, Canadian Institutes of Health Research, November 2002 2
Clarke, Edmund M., Wing, Jeannette M., Formal Methods: State of the Art and Future Directions, ACM Computing Surveys, Vol. 28, No. 4, December 1996, pages 626-643 2
Clusif, MÉHARI, Club de la sécurité des informations français, August 2000 3
Cody, Patrick M, Dynamic Security for Medical Record Sharing, Submitted to the Department of Electrical Engineering and Computer Science in Partial Fulfillment of the Requirements for the Degrees of Bachelor of Science in Computer Science and Engineering and Master of Engineering in Electrical Engineering and Computer Science at the Massachusetts Institute of Technology, August 28, 2003 3
Collmann, Jeff, Alaoui, Adil, Nguyen, Dan, Lindisch, David, Safe teleradiology: information assurance as a project planning methodology, Elsevier Science International Congress Series 1256, 2003, pages 809–814 3
Commission d’accès à l’information du Québec, Exigences minimales relatives à la sécurité des dossiers informatisés des usagers du réseau de la santé et des services sociaux, April 1992 4
Commission d’accès à l’information du Québec, Avis concernant le cadre global de gestion sur la sécurité des actifs informationnels du réseau de la santé et des services sociaux, December 2001 4
Commission d’accès à l’information du Québec, Guide en matière de protection des renseignements personnels dans le développement des systèmes d’information à l’intention des ministères et organismes publics, December 2002 4
COSISS, Politique intérimaire de sécurité visant les actifs informationnels du réseau de la santé et des services sociaux, Québec, 1999 4
COSO, Enterprise Risk Management Framework, Executive Summary, Committee of Sponsoring Organizations of the Treadway Commission, 2003 3
Damodaran, A., The basics of risk, http://pages.stern.nyu.edu/~adamodar/ , 2001 2
Darlington, A., Grout, S., Whitworth, J., How safe is safe enough? An introduction to risk management, Presented to The Staple Inn Actuarial Society, June 2001 3
Demers, DL., Fournier, F, Lemire, M, Péladeau, P, Prémont, M-C and Roy, DJ, Le réseautage de l’information de santé : Manuel pour la gestion des questions éthiques et sociales, Montréal, Centre de bioéthique, IRCM, 2004 2
Edwards, K., Prospect Theory: A Literature Review, International Review of Financial Analysis, Vol. 5, No. 1, 1996, pages 19-38 2
Einbinder, J.S., Scully, K.W., Pates, R.D., Schubart, J.R., Reynolds, R.E., Case Study: A Data Warehouse for an Academic Medical Center, Journal of Healthcare Information Management, vol. 15, no. 2, Summer 2001, pages 165-175 1
Freeman, P, Robbins, A. The U.S. health data privacy debate: Will there be comprehension before closure?, International Journal of Technology Assessment in Health Care, 1999, pages 316-331. 3
Fulford, Heather, Doherty, Neil F., The application of information security policies in large UK-based organizations: an exploratory investigation, Information Management & Computer Security, 2003, pages 106-114 3
Gendarmerie Royale du Canada, Guide d’évaluation de la menace et des risques pour les technologies de l’information, November 1994 4
Glaessner, T., Kellermann, T., McNevin, V., Electronic Security: Risk Mitigation In Financial Transactions, Public Policy Issues, The World Bank, June 2002
Godbout, the Honourable Justice Bernard, J.S.C., judgment in Wellman c. Québec (Ministère de la Sécurité du revenu-secrétariat), Superior Court, Québec, District of Chicoutimi, No. 150-05-000416-950, 19 July 2002 4
Gordon, Laurence A. and Loeb, Martin, The economics of information security investment, ACM Transactions on Information and System Security, vol 5, no 4, November 2002, pages 438-457 3
Haimes, Yacov Y., The Role of the Society for Risk Analysis in the Emerging Threats to Critical Infrastructures, Risk Analysis, Blackwell Science, UK, April 1999, Volume 19, Issue 2, pages 153-157 3
Hancock, Bill, Common Sense Guide for Senior Managers, Top Ten Recommended Information Security Practices, 1st Edition, July 2002 3
Harkness, J., Lederer, S.E., Wikler, D., Laying ethical foundations for clinical research, Bulletin of the World Health Organization, 2001 2
Hatcher, M., Decision-Making With and Without Information Technology in Acute Care Hospitals: Survey in the United States, Journal of Medical Systems, Vol. 22, No. 6, 1998 2
Helvey, T., Mack, R., Avula, S., Flook, P., Data security in Life Sciences research, Drug Discovery Today: BIOSILICO, Vol. 2, No. 3, May 2004 3
Hillson, Dr David, Risk Management for the New Millennium, http://www.risk-doctor.com/, 1999 4
Hillson, D., What is risk? Towards a common definition, http://www.risk-doctor.com/pdf-files/def0402.pdf, Inform, Journal of the UK Institute of Risk Management, April 2002, pages 11-12 3
HIMSS, The Eleventh Annual HIMSS Leadership Survey, http://www.himss.org/survey/2000/survey2000.html, 2000 2
HM Treasury (UK), Management of Risk, A Strategic Overview, with Supplementary Guidance for Smaller Bodies, January 2001 2
Humpreys, BL., Electronic Health Record Meets Digital Library: A New Environment for Achieving an Old Goal, J Am Med Inform Assoc, 2000, Sep; 7(5), pages 444-452 2
Infoway, Canada Health Infoway. EHRS Blueprint, an interoperable EHR Framework. V1.0, July 2003 2
International Standards Organisation (ISO), ISO/DTR 20514, Health informatics — Electronic health record — Definition, scope, and context, 2004
International Standards Organisation (ISO), JTC1-SC27, A Comparison of Terminology: ISO Guide 73 (Draft November 2001), PDTR 13335-1 (for terms used in all parts of TR 13335), Draft 17799 (N 3184) and compared to IS 17799:2000, and SC 27 SD 6 (2002-03-31), 2002 2
International Standards Organisation (ISO), ISO/IEC TR 13335-1, Information technology – Guidelines for the management of IT Security, Part 1: Concepts and models for IT security, 1996 2
Janczewski, Lech, and Shi, Frank Xinli, Development of Information Security Baselines for Healthcare Information Systems in New Zealand, Computers & Security, Volume 21, Issue 2, 31 March 2002, pages 172-192 2
Kachur, R. J., The Data Warehouse Management Handbook, Upper Saddle River, N.J., Prentice Hall, 2000 3
Kahneman, D., Tversky, A., Prospect Theory: An analysis of decision under risk, Econometrica, 1979, pages 263–291 4
Kane, Beverly, Guidelines for the Clinical Use of Electronic Mail with Patients, Journal of the American Medical Informatics Association, Volume 5, Number 1, Jan / Feb 1998, pages 104-111 3
Keil, Mark, Wallace, Linda, Turk, Dan, Dixon-Randall, Gayle, Nulden, Urban, An investigation of risk perception and risk propensity on the decision to continue a software development project, The Journal of Systems and Software, 2000, pages 145-157 3
Kerkri, E.M., Quantin, C., Allaert, F.A., Cottin, Y., Charve, P.H., Jouanot, F., Yétongnon, K., An Approach for Integrating Heterogeneous Information Sources in a Medical Data Warehouse, Journal of Medical Systems, Vol. 25, No. 3, 2001 1
Kim 2003…
Kremer, S. et al., An intensive survey of non-repudiation protocols, Computer Communications, no 25, 2002, pages 1606-1621 3
Lagadec, Patrick, Risques, Crises et Gouvernance: ruptures d’horizons, ruptures de paradigmes, Réalités Industrielles, Annales des Mines, special issue: “Sciences et génie des activités à risques”, May 2003, pages 5-11 3
Laibson, D., Zeckhauser, R., Amos Tversky and the Ascent of Behavioral Economics, Journal of Risk and Uncertainty, 1998, pages 7–47 3
Landwehr, Carl E., Formal models for computer security, ACM Computing Surveys, vol 13, no 3, September 1981, pages 247-278 2
Ledbetter, Craig S., Morgan, Matthew W., Toward Best Practice: Leveraging the Electronic Patient Record as a Clinical Data Warehouse, Journal of Healthcare Information Management, vol. 15, no. 2, Summer 2001 1
Léger, Marc-André, Un processus d’analyse des vulnérabilités technologiques comme mesure de protection contre les cyber-attaques, synthesis activity report, Master’s in Management Information Systems, UQAM, June 2003, 110 pages 3
Léger, Marc-André, Méthodologie IVRI de gestion du risque en matière de sécurité de l’information, Éditions Fortier Communications, Montréal, September 2003 3
Lloyd, Andrew J, Threats to the estimation of benefit: are preference elicitation methods accurate?, Health Economics, 2003, pages 393–402 3
Maguire, Stuart, Identifying risks during information system development: managing the process, Journal of Information Management & Computer Security, Volume 10, Number 3, 2002, pages 126-134
Marsh, Andy, The Creation of a global telemedical information society, International Journal of Medical Informatics, 1998, pages 173–193 3
Miller, Gerald C., Ph.D., Data warehousing and information management strategies in the clinical immunology laboratory, Clinical and Applied Immunology Reviews, 2002 2
Misslin, René, The defense system of fear: behavior and neurocircuitry, Neurophysiologie clinique 33, 2003, pages 55–66 5
MSSS, Ministère de la Santé du Québec, Le réseau RTSS C’est, MSSS website, http://www.msss.gouv.qc.ca/rtss/, 2003 4
MSSS, Ministère de la Santé du Québec, Le réseau de télécommunication sociosanitaire en bref, TCR internal document, 2002 3
Myerson, Judith, Risk Management, International Journal of Network Management, 1999, pages 305-308 2
Neumann, Peter G., Risks to the Public in Computers and Related Systems, ACM SIGSOFT Software Engineering Notes, vol 26 no 1, January 2001, Pages 14-38 3
Novosyolov, A., Risk Theory: Basic Concepts of Risk Theory, Lecture for math department students, Institute of Computational Modeling, Academgorodok, Krasnoyarsk, Russia, January 2002 3
Nuremberg code, Directives for Human Experimentation, 1947 3
Pace, Wilson D, Database Design to Ensure Anonymous Study of Medical Errors: A Report from the ASIPS Collaborative, Journal of the American Medical Informatics Association, Volume 10, Number 6, Nov / Dec 2003, pages 531-540 3
Puhr, Claus, OPIS – A web enabled clinical data warehouse prototype, presentation, University of Vienna, 2003 2
Pedersen, T.B., Jensen, C.S., Research issues in clinical data warehousing, Proceedings of SSDBM’98, July 1-3 1998 in Capri, Italy 1
Raab, Charles D., The future of privacy protection, Cyber Trust & Crime Prevention Project, 2004 2
Rector, A.L., Nowlan, W.A., Kay, S., Foundations for an electronic medical record, Methods of Information in Medicine, 1991, pages 179–186 2
Safran, Charles, Goldberg, Howard, Electronic patient records and the impact of the Internet, International Journal of Medical Informatics, 2000, pages 77–83 2
Senate (Canada), The Standing Senate Committee on Social Affairs, Science and Technology, The Health of Canadians – The Federal Role, Interim Report, Volume Five: Principles and Recommendations for Reform – Part I, Government of Canada, 2002 3
Schloeffel, P., Electronic Health Record Definition, Scope and Context: ISO/TC 215 Discussion Paper, October 2002, available at https://committees.standards.com.au/COMMITTEES/IT-014-09-02/N0004/IT-014-09-02-N0004.DOC 2
Shortreed, J., Hicks, J., Craig, L., Basic Frameworks for Risk Management, Final Report, Prepared for The Ontario Ministry of the Environment, Network for Environmental Risk Assessment and Management, March 28, 2003 2
Schubart, Jane R., Einbinder, Jonathan S, Evaluation of a data warehouse in an academic health sciences center, International Journal of Medical Informatics, 2000, pages 319–333 2
Schumacher, H. J., Ghosh, S., A fundamental framework for network security, Journal of Network and Computer Applications, 1997, pages 305–322 2
Smith, E., Eloff, J.H.P., Security in health-care information systems – current trends, International Journal of Medical Informatics, no 54, 1999, pages 33-54 2
Snee, N.L., The Case for Integrating Public Health Informatics Networks, An Overview of the Elements Required for an Integrated Enterprise Information Infrastructure for Protecting Public Health, IEEE Engineering in Medicine and Biology Magazine, January/February 2004 2
Stoneburner, Gary, Goguen, Alice, Feringa, Alexis, NIST Special Publication 800-30 Risk Management Guide for Information Technology Systems, Recommendations of the National Institute of Standards and Technology, July 2002 1
Sujansky, Walter, Heterogeneous Database Integration in Biomedicine, Journal of Biomedical Informatics, 2001, pages 285–298
Summers, K.H., Measuring and Monitoring Outcomes of Disease Management Programs, Clinical Therapeutics, volume 18, NO. 6, 1996 One12
Sweltz, Ken, Network Vulnerability Assessment Strategy for Small State and Local Government Agencies, SANS Institute, GIAC practical repository, 2003 3
Takeda, H., Matsumura, Y., Kuwata, S., Nakano, H., Sakamoto, N., Yamamoto, R., Architecture for networked electronic patient record systems, International Journal of Medical Informatics, 2000, pages 161–167 2
Thompson, Paul B., Privacy, secrecy and security, Ethics and Information Technology, 2001, pages 13–19 1
Tong, C.K.S., Implementation of ISO17799 and BS7799 in picture archiving and communication system: local experience in implementation of BS7799 standard, Elsevier Science B.V. International Congress Series 1256, 2003, pages 311–318
Toyoda, Ken, Standardization and security for the EMR, International Journal of Medical Informatics, 1998, pages 57–60 2
Tregear, Jonathan, Risk Assessment, Information Security Technical Report, Volume 6, Number 3, September 2001, pages 19-27
Wagner, I., Ethical issues of healthcare in the information society, Opinion of the European Group on Ethics in Science and New Technologies to the European Commission, No 13, July 1999 2
Watkins, Michael D., Bazerman, Max H., Predictable Surprises: The Disasters You Should Have Seen Coming, Harvard Business Review Online, 2003 2
Winter 2
Wisniewski, M.F., A Clinical Data Warehouse for Infection Control, Journal of the American Medical Informatics Association, Volume 10, Number 5, Sep / Oct 2003 1
World Medical Association, Declaration of Helsinki, Ethical Principles for Medical Research Involving Human Subjects, Helsinki, Finland, June 1964 2
Yoshihara, H., Development of the electronic health record in Japan, Int. J. Med. Inf., 1998, pages 53–58 (***) 3
Zhou, Lidong, Haas, Zygmunt J., Securing Ad Hoc Networks, IEEE Network, 1999 3
Zviran, M., Armoni, A., Glezer, C., HIS/BUI: A Conceptual Model for Bottom-Up Integration of Hospital Information Systems, Journal of Medical Systems, Vol. 22, No. 3, 1998, Pages 147-159 2
Code Significance
1 Very important
2 Less significant
3 Helps define subject
4 Informative or less significant
5 Not that significant


Annex A: EMR Risk Management requirements from our literature review

No Cat Description of requirement Source
1 C Individuals have a right to the privacy and confidentiality of their health information. Buckovich, 1999
1b Pv Individuals have a right to the privacy and confidentiality of their health information. Buckovich, 1999
2 Ac Individuals have a right to access in a timely manner their health information. Buckovich, 1999
3 Ac Individuals have a right to copy, in a timely manner, their health information. Buckovich, 1999
4 Ac Individuals have a right to amend and/or correct their health information. Buckovich, 1999
5 Pv Individuals have the right to withhold their health information from electronic format including being stored, managed, or transmitted electronically. Buckovich, 1999
6 Pv Individuals have the right to segregate their health information from shared medical records. Buckovich, 1999
7 I Individuals have the right to the integrity of their health information. Buckovich, 1999
7b I Entities and/or persons that create, maintain, use, transmit, collect, or disseminate individual health information shall be responsible for ensuring this integrity. Buckovich, 1999
8 Ac Individuals have a right to control the access and disclosure of their health information and to specify limitations on period of time and purpose of use. Buckovich, 1999
9 Pi Outside the doctor–patient (other health care provider) relationship, health information that makes a person identifiable shall not be disclosed without prior patient informed consent and/or authorization. Buckovich, 1999
10 Pi Informed consent and/or authorization for release of personal health information shall include identification of requester, declaration of purpose and boundaries, restriction of redisclosure, and explanation of potential harmful risks that could result from the release of this information. Buckovich, 1999
11 Pi Individuals harmed by the abuse or misuse of their health information shall be afforded individual redress through civil and criminal penalties. Buckovich, 1999
12 Pi Health care providers have the right to maintain private recordings of observations, opinions, and impressions whose release they consider could be potentially harmful to the well-being of the patient. They shall not disclose this information without due reflection on the impact of such release. Buckovich, 1999
13 Pi The obligation of health care providers to maintain confidentiality and privacy of medical records shall not be undermined by outside organizations such as insurers, suppliers, employers, or government agencies (i.e., forced disclosure without informed consent). Buckovich, 1999
14 Ic Personally identifiable information collected for one purpose shall not be used for another purpose without prior informed consent of the patient. Buckovich, 1999
15 Op No secret databases shall exist. Buckovich, 1999
16 Ic No medical record demographics or other potential patient identifiers shall be sold, utilized for marketing purposes, or utilized for other commercial or financial gain without the prior informed consent of the individual. Buckovich, 1999
17 Pi Access to aggregate data shall be made available to support public health research and outcome studies as long as individuals are not and can not be reasonably identified. Buckovich, 1999
18 Ot Information gathered from available aggregate data shall not be used to the detriment of any individual in employment, access to care, rate setting, or insurability. Buckovich, 1999
19 Ot Access to health information shall be limited to that information necessary for the entities or individual’s legitimate need and/ or purpose. Buckovich, 1999
20 Pi Insurers have the right to access only that health information deemed necessary for claims administration and/or claims resolution. Buckovich, 1999
21 Pi Employers have a right to collect and maintain health information about employees allowable or otherwise deemed necessary to comply with state and federal statutes. However, employers shall not use this information for job or other employee benefit discrimination. Buckovich, 1999
22 S A warrant requirement shall exist for law enforcement to obtain health information. Buckovich, 1999
23 S Health information and/or medical records that make a person identifiable shall be maintained and transmitted in a secure environment. Buckovich, 1999
24 S An audit trail shall exist for medical records and be available to patients on request. Buckovich, 1999
25 Ot All entities involved with health care information have a responsibility to educate themselves, their staff, and consumers on issues related to these principles (e.g., consumers’ privacy rights). Buckovich, 1999
26 S All entities with exposure or access to individual health information shall have security/privacy/confidentiality policies, procedures, and regulations (including sanctions) in place that support adherence to these principles. Buckovich, 1999
27 S Current and new technologies should be continually incorporated in the design of information systems to support the implementation of these principles and compliance with them. Buckovich, 1999
28 S Support for these principles needs to be at the federal level. Buckovich, 1999
29 Ai Patients have the right to know what information physicians hold about them, including information held on health databases. In many jurisdictions, they have a right to a copy of their health records. WMA, 2002
30 Ai Patients should have the right to decide that their personal health information in a database (as defined in 7.2) be deleted. WMA, 2002
31 Ai In rare, limited circumstances, information may be withheld from a patient if it is likely that disclosure would cause serious harm to the patient or another person. Physicians must be able to justify any decision to withhold information from a patient. WMA, 2002
32 C All physicians are individually responsible and accountable for the confidentiality of the personal health information they hold. Physicians must also be satisfied that there are appropriate arrangements for the security of personal health information when it is stored, sent or received, including electronically. WMA, 2002
33 C In addition, medically qualified person(s) should be appointed to act as guardian of a health database, to have responsibility for monitoring and ensuring compliance with the principles of confidentiality and security. WMA, 2002
34 C Safeguards must be in place to ensure that there is no inappropriate or unauthorised use of or access to personal health information in databases, and to ensure the authenticity of the data. When data is transmitted, there must be arrangements in place to ensure that the transmission is secure. WMA, 2002
35 C Audit systems must keep a record of who has accessed personal health information and when. Patients should be able to review the audit record for their own information. WMA, 2002
36 Pc Patients should be informed if their health information is to be stored on a database and of the purposes for which their information may be used. WMA, 2002
37 Pc Patients’ consent is needed if the inclusion of their information on a database involves disclosure to a third party or would permit access by people other than those involved in the patients’ care, unless there are exceptional circumstances as described in paragraph 11. WMA, 2002
38 Pc Under certain conditions, personal health information may be included on a database without consent, for example where this conforms with applicable national law that conforms to the requirements of this statement, or where ethical approval has been given by a specially appointed ethical review committee. In these exceptional cases, patients should be informed about the potential uses of their information, even if they have no right to object. WMA, 2002
39 Pc If patients object to their information being passed to others, their objections must be respected unless exceptional circumstances apply, for example where this is required by applicable national law that conforms to the requirements of this statement or necessary to prevent a risk of death or serious harm. WMA, 2002
40 Pc Authorization from the guardian of the health database is needed before information held on databases may be accessed by third parties. Procedures for granting authorization must comply with recognised codes of confidentiality. WMA, 2002
41 Pc Approval from a specially appointed ethical review committee must be obtained for all research using patient data, including for new research not envisaged at the time the data were collected. An important consideration for the committee in such cases will be whether patients should be contacted to obtain consent, or whether it is acceptable to use the information for the new purpose without returning to the patient for further consent. The committee’s decisions must be in accordance with applicable national law and conform to the requirements of this statement. WMA, 2002
42 Pc Data accessed must be used only for the purposes for which authorization has been given. WMA, 2002
43 Pc People who collect, use, disclose or access health information must be subject to an enforceable duty to keep the information secure. WMA, 2002
44 S Wherever possible, data for secondary purposes should be de-identified. If this is not possible, however, the use of data where the patient’s identity is protected by an alias or code should be used in preference to readily identifiable data. WMA, 2002
45 S The use of de-identified data does not usually raise issues of confidentiality. Data about people as individuals, in which they retain a legitimate interest, for example a case history or photograph, require protection. WMA, 2002
46 I Physicians are responsible for ensuring, as far as practicable, that the information they provide to, and hold on, databases is accurate and up-to-date. WMA, 2002
47 I Patients who have seen their information and believe there are inaccuracies in it have the right to suggest amendments and to have their comments appended to the information. WMA, 2002
48 Do There must be documentation to explain: what information is held and why; what consent has been obtained from the patients; who may access the data; why, how and when the data may be linked to other information; and the circumstances in which data may be made available to third parties. WMA, 2002
49 Do Information to patients about a specific database should cover: consent to the storage and use of data; rights of access to the data; and rights to have inaccurate data amended. WMA, 2002
50 Mg Procedures for addressing enquiries and complaints must be in place. WMA, 2002
51 Mg The person or persons who are accountable for policies, procedures, and to whom complaints or enquiries can be made must be identified. WMA, 2002
52 P National medical associations should co-operate with the relevant health authorities, ethical authorities and personal data authorities, at national and other appropriate administrative levels, to formulate health information policies based on the principles in this document. WMA, 2002
53 C Confidentiality is the property that information is not made available or disclosed to unauthorized individuals, entities, or processes. [ISO/IEC 7498-2] as described in [ISO 13335-1]
54 C Confidentiality exists when information is communicated in the context of a special relationship (such as doctor-patient, lawyer-client, etc.) where the information is intended to be held in confidence or kept secret [CIHR, 2002]
55 C It is an ethical concept that regulates communication of information between individuals [Roger, 1998]
56 C The status of confidential is accorded to data or information indicating that it is sensitive for some reason, and therefore it needs to be protected against theft, disclosure, or improper use, or both, and must be disseminated only to authorized individuals or organizations with a need to know. [Buckovich, 1999]
57 C Individuals have a right to the privacy and confidentiality of their health information [Buckovich, 1999]
58 C Confidentiality is at the heart of medical practice and is essential for maintaining trust and integrity in the patient-physician relationship. Knowing that their privacy will be respected gives patients the freedom to share sensitive personal information with their physician [WMA, 2002]
59 C The Declaration of Geneva requires physicians to « preserve absolute confidentiality on all he knows about his patient even after the patient has died » [WMA, 2002]
60 C Confidentiality is a managerial responsibility: it concerns the problems of how to manage data by rules that are satisfactory to both the managers of data banks and the persons about whom the data pertain [Thompson, 2001]
61 C The enforcement of classification-clearance matching is mandated by directives and regulations: an individual may not exercise his own judgement to violate it [Bell, 1976]
62 C In the same way, as health professionals do not belong to the same structures, which are independent to each other, confidentiality of the activity of each structure must be ensured as well [Kerkeri, 2001]
63 C Confidentiality is maintained by de-identifying reports and eliminating elements within the database that would facilitate linking a report to a specific event identified by other means, such as through the patient’s medical record. [Pace, 2003]
64 I Integrity is the property of safeguarding the accuracy and completeness of assets [ISO 13335-1]
65 I Integrity is a property determined by approved modification of information [Bell, 1976]
66 I Individuals have the right to the integrity of their health information. Entities and/or persons that create, maintain, use, transmit, collect, or disseminate individual health information shall be responsible for ensuring this integrity [Buckovich, 1999]
67 I Continuity of care might imply a complete communication of medical data, respecting its integrity and its availability [Roger, 1998]
68 I In a picture archiving and communication system (PACS), the data integrity is essential for passing the correct information to the doctor [Tsong, 2003]
69 I Outside of signing checksums on large fields (such as medical images), integrity can only be partially guaranteed by authenticating the individual at the source site responsible for transferring the information, and trusting the individual to verify the data [Cody, 2003]

70 I Data integrity includes minimization of data redundancy, improvement of data maintenance, and elimination of multiple versions of data [Candler, 1999].

71 I In addition to malicious threats, the threats that come from software, hardware, or network failure, or the threats that come from simple human error can affect the integrity of an information system [Cody, 2003]

72 A Availability is the property of being accessible and usable upon demand by an authorized entity (ISO 7498-2:1989).

73 A The availability of intelligently integrated and verified, operational information could have a profound effect on decision-making in a wide range of contexts [Brender, 1999].
74 A Health research, particularly in the areas of health services and policy, population and public health, critically depends on the ready availability of existing data about people [CIHR, 2002]

75 Nr Non-repudiation refers to the ability to prove an action or event has taken place, so that this event or action cannot be repudiated later [ISO 13335-1]
76 Nr Non repudiation of creation: to protect against an entity’s false denial of having created the content of a message. [ISO 13335-1]
77 Nr Non repudiation of delivery: to protect against a recipient’s false denial of having received the message and recognised the content of a message [ISO 13335-1]
78 Nr Non repudiation of knowledge: to protect against a recipient’s false denial of having taken notice of the content of a received message. [ISO 13335-1]
79 Nr Non repudiation of origin: to protect against the originator’s false denial of having approved the content of a message and of having sent a message. [ISO 13335-1]
80 Nr Non repudiation of receipt: to protect against a recipient’s false denial of having received a message. Non repudiation of sending: this service is intended to protect against the sender’s false denial of having sent a message. [ISO 13335-1]
81 Nr Non repudiation of submission: to provide evidence that a delivery authority has accepted the message for transmission. [ISO 13335-1]
82 Nr Non repudiation of transport: to provide evidence for the message originator that a delivery authority has delivered the message to the intended recipient. [ISO 13335-1]
83 Nr Non-repudiation technologies, such as digital signatures, are used to ensure that a person performing an action cannot subsequently deny performing that action. This is useful for digital contracts, statements and anywhere else that a signature would be used in the physical world. Digital signatures are commonly used for non-repudiation, and are normally based on PKI, which uses asymmetric ciphers [Helvey, 2004]
84 Nr Digital signature safeguards can provide protection to enable non-repudiation [ISO 13335-2].

85 Nr Cryptographic techniques (e.g. based on the use of digital signatures) can be used to prove or otherwise the sending, transmission, submission, delivery, receipt notification, etc. of messages, communications and transactions [ISO 13335-2]
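The two ideas above, signing a checksum over a large field to protect its integrity (item 69) and using a digital signature so that the originator cannot later deny having sent it (items 83 to 85), can be shown together. The following Go program is an added example written for this review; it is not code from any of the cited sources. It uses Ed25519 from the Go standard library in place of a full PKI, so the sender's public key is passed along directly; in a deployed system that key would be bound to the sender by a certificate. The image bytes are a constructed stand-in, not real study data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SignedRecord is what a receiving site would store beside a large field such
// as an image: the payload, the checksum the sender signed, the signature and
// the sender's public key (in practice the key would come from a PKI certificate).
type SignedRecord struct {
	Payload   []byte
	Checksum  [sha256.Size]byte
	Signature []byte
	Sender    ed25519.PublicKey
}

// Checksum is the SHA-256 digest of the whole payload; signing the digest rather
// than the payload keeps the signed message small even for multi-megabyte images.
func Checksum(payload []byte) [sha256.Size]byte {
	return sha256.Sum256(payload)
}

// Sign computes the checksum and signs it with the sender's private key.
func Sign(priv ed25519.PrivateKey, payload []byte) SignedRecord {
	sum := Checksum(payload)
	return SignedRecord{
		Payload:   payload,
		Checksum:  sum,
		Signature: ed25519.Sign(priv, sum[:]),
		Sender:    priv.Public().(ed25519.PublicKey),
	}
}

// Verify recomputes the checksum from the stored payload and checks the
// signature over it. It returns false when the payload no longer matches the
// signed checksum (integrity failure) or when the signature was not made with
// the private key matching Sender (the origin claim does not hold).
func Verify(r SignedRecord) bool {
	sum := Checksum(r.Payload)
	if sum != r.Checksum {
		return false
	}
	return ed25519.Verify(r.Sender, sum[:], r.Signature)
}

func main() {
	// Constructed sample payload standing in for image bytes; not a real study.
	image := []byte("constructed-sample-image-bytes-0001")

	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	rec := Sign(priv, image)
	fmt.Printf("checksum %s\n", hex.EncodeToString(rec.Checksum[:]))
	fmt.Println("original verifies:", Verify(rec))

	// Alter one byte after signing: the stored checksum no longer matches.
	tampered := rec
	tampered.Payload = append([]byte{}, image...)
	tampered.Payload[0] ^= 0x01
	fmt.Println("tampered verifies:", Verify(tampered))

	// Even if the tamperer recomputes the checksum, the signature fails
	// without the sender's private key.
	tampered.Checksum = Checksum(tampered.Payload)
	fmt.Println("tampered with recomputed checksum verifies:", Verify(tampered))
}
```

The receiving site must keep the signature together with the checksum it was computed over and re-verify on read, not only on arrival: a signature checked once and then discarded leaves later modifications of the stored image undetected, which is the partial guarantee Cody describes.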

86 Ac Access control technologies are used to protect information by restricting access to information or operations, according to the identity of the accessor. Common mechanisms for access control are discretionary (DAC), mandatory (MAC), and role-based (RBAC). DAC is based on the identity or group membership of the user, and allows the user to specify which other users may access the information. MAC is common in secure operating systems, and uses labels and access control lists to protect information. RBAC allows access control policies to be defined according to the user’s role in an organization, such as administrator, supervisor, researcher, and so on [Helvey, 2004].

87 Ac Health care organisations have knowingly compromised information security through less than satisfactory access controls simply in order to encourage all staff to use the computer systems. Once such compromise has been adopted, it is subsequently very difficult to convince users of the need to strengthen access control. Once appropriate access control and auditing is installed, staff scepticism soon turns to acceptance as they come to realise their importance and benefit [Gaunt, 2000].

88 Ac (In a HIPAA-mandated PACS environment), from an application point of view, there should be a log mechanism to keep track of the access information such as: identification of the person that accessed this data; date and time when data has been accessed; type of access (create, read, modify, delete); status of access (success or failure); identification of the data. [CAO, 2003]

89 Ac The model for authorisation and access control in distributed health information systems has to deal with policy description and negotiation including policy agreements, authentication, certification, and directory services but also audit trails, altogether forming the privilege management infrastructure [Blobel, 2004].

90 Ac Technology can help ensure the granting and restriction of access to those users with legitimate needs, by means of passwords, access codes, and other identifying mechanisms [Buckovich, 1999].
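Items 86 and 88 above describe, respectively, role-based access control and the fields an access log should carry. The Go program below is an added example for this review, not code from Helvey, Cao or any other cited source. It applies a small RBAC table using the three roles named in item 86 (the permissions assigned to them are an assumption made for the example), records every decision as an entry with the five fields listed in item 88, and then counts denied attempts per user, which is the kind of review an audit log makes possible. User names, roles and data identifiers are constructed.

```go
package main

import (
	"fmt"
	"time"
)

// Action is the type of access recorded in the log, using the four values the
// PACS audit requirement lists.
type Action string

const (
	Create Action = "create"
	Read   Action = "read"
	Modify Action = "modify"
	Delete Action = "delete"
)

// Policy is a role-based access control table. The roles are the three named
// on the page; the permissions given to them are an assumption for this
// example, not taken from any source.
var Policy = map[string]map[Action]bool{
	"administrator": {Create: true, Read: true, Modify: true, Delete: true},
	"supervisor":    {Create: true, Read: true, Modify: true},
	"researcher":    {Read: true},
}

// AccessEvent is one audit log entry carrying the five required fields:
// who accessed, when, what type of access, whether it succeeded, and which data.
type AccessEvent struct {
	UserID string
	When   time.Time
	Access Action
	Status string // "success" or "failure"
	DataID string
}

// Authorize applies the policy and returns both the decision and the audit
// entry to append. Denied attempts are recorded as failures; a log that only
// records successes cannot show someone probing data they are not entitled to.
func Authorize(userID, role string, a Action, dataID string, now time.Time) (bool, AccessEvent) {
	allowed := Policy[role][a] // an unknown role or action yields false
	status := "failure"
	if allowed {
		status = "success"
	}
	return allowed, AccessEvent{UserID: userID, When: now, Access: a, Status: status, DataID: dataID}
}

// Line renders the entry as a single log line.
func (e AccessEvent) Line() string {
	return fmt.Sprintf("user=%s time=%s access=%s status=%s data=%s",
		e.UserID, e.When.UTC().Format(time.RFC3339), e.Access, e.Status, e.DataID)
}

// FailuresByUser counts denied accesses per user over a batch of entries,
// a basic review check for accounts that repeatedly attempt unauthorised access.
func FailuresByUser(events []AccessEvent) map[string]int {
	counts := map[string]int{}
	for _, e := range events {
		if e.Status == "failure" {
			counts[e.UserID]++
		}
	}
	return counts
}

func main() {
	// Constructed sample requests: users, roles and data identifiers are invented.
	now := time.Date(2024, 5, 1, 9, 30, 0, 0, time.UTC)
	requests := []struct {
		user, role string
		action     Action
		data       string
	}{
		{"r.smith", "researcher", Read, "study-0001"},
		{"r.smith", "researcher", Delete, "study-0001"},
		{"a.jones", "administrator", Delete, "study-0001"},
		{"guest", "visitor", Read, "study-0002"},
	}
	var entries []AccessEvent
	for i, rq := range requests {
		_, ev := Authorize(rq.user, rq.role, rq.action, rq.data, now.Add(time.Duration(i)*time.Minute))
		entries = append(entries, ev)
		fmt.Println(ev.Line())
	}
	fmt.Println("denied attempts per user:", FailuresByUser(entries))
}
```

The decision and the log entry are produced by the same function so that no access path can bypass logging; the log line uses the identity the user authenticated with, not the role, because the role alone would not identify the person as item 88 requires.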


Annexe B: Detailed list of stakeholders

Stakeholder category Description Source
Patients Healthcare users (patients or study subjects) [Berndt, 2003] [Snee, 2004] [CIHR, 2002] [Ledbetter, 2001] [Bates, 1999]
Data users Healthcare professionals [Sujansky, 2001] [CIHR, 2002]
Healthcare providers [AAMC, 2002]
Public health officials [AAMC, 2002]
HIS professionals [Sujansky, 2001]
Researchers [CIHR, 2002] [AAMC, 2002] [Ledbetter, 2001]
Clinical research end-users [AAMC, 2002]
Principal investigator [Wismiewski, 2003]
Healthcare organisations Healthcare organisations involved in the collection of data [Berndt, 2003] [Ledbetter, 2001]
Medical care providers [Berndt, 2003]
Hospitals [Snee, 2004] [Bates, 1999] [Hatcher, 1998]
Top management and senior medical leadership [Winter, 2001] [Ledbetter, 2001]
Medical advisory committee [Ledbetter, 2001]
Research informatics clinical advisory committee [Ledbetter, 2001]
Employees, e.g. physicians, nurses, administrative staff [Winter, 2001] [Sujansky, 2001]
Finance [Miller, 2002] [Bates, 1999] [Hatcher, 1998]
Admission/discharge [Wismiewski, 2003] [Ledbetter, 2001] [Puhr, 2003] [Bates, 1999] [Hatcher, 1998]
Physicians [Puhr, 2003]
Clinicians [Ledbetter, 2001] [Puhr, 2003] [Bates, 1999]
Clinical department [Winter, 2001]
Telemedicine [Marsh, 1998]
Clinical laboratory immunology [Miller, 2002]
Infectious Diseases Division [Wismiewski, 2003]
administrative department [Winter, 2001] [Sujansky, 2001]
Laboratory [Sujansky, 2001]  [Miller, 2002] [Wismiewski, 2003]
Pharmacy [Sujansky, 2001] [Wismiewski, 2003] [Miller, 2002]
Radiology [Wismiewski, 2003] [Miller, 2002] [Bates, 1999]
Surgery [Puhr, 2003]
ICU charting [Sujansky, 2001]
Service department [Winter, 2001]
Application programmers [Sujansky, 2001]
Information management department (IM department) [Winter, 2001]
Keepers of data—often self-viewed as “owners” of the data [Wismiewski, 2003]
Professional associations Ordre des Médecins (Québec)
OIIQ
IT staff Informatics Subcommittee [Wismiewski, 2003]
Informatics group [Ledbetter, 2001] [Puhr, 2003]
director [Wismiewski, 2003]
developer [Wismiewski, 2003]
database administrator [Wismiewski, 2003]
system analyst [Wismiewski, 2003]
Healthcare industry Healthcare Businesses [Berndt, 2003]
Suppliers [Sujansky, 2001]
Pharmaceutical industry [Sujansky, 2001]
Insurers [Bates, 1999]
Government [Bates, 1999]
Health Canada
Provincial health authorities
Regional health authority
Public sector agencies [Berndt, 2003]
Funding institutions [Winter, 2001]
Privacy Committee [CIHR, 2002]
Lawmakers
Non Governmental organisations and Community groups Religious communities [Berndt, 2003]
CIHR [CIHR, 2002]
CIHI
Other community organizations [Berndt, 2003]
Educational Educational institutions [Berndt, 2003]
IT industry Consultants [Winter, 2001]
hardware and software vendors [Winter, 2001] [AAMC, 2002]

[1] Kimball, R, Reeves, L, Margy, R, Thornthwaite, W., The data warehouse lifecycle toolkit, New York: John Wiley & Sons, 1998

[2] [ISO/IEC 7498-2] as described in [ISO 13335-1]

[3] American Society for Testing and Materials Committee E31 on Healthcare Informatics, Subcommittee E31.17 on Privacy, Confidentiality, and Access. Standard guide for confidentiality, privacy, access, and data security principles for health information including computer-based patient records. Philadelphia, Pa.: ASTM, 1997:2. Publication no. E1869-97. As cited in [Buckovich, 1999]

[4] (ISO/IEC 13888-1:1997; ISO IS 7498-2:1989) as defined in [ISO 13335-1]

[5] Calvin C. Gotlieb. Privacy: A Concept Whose Time Has Come and Gone, In D. Lyon and E. Zureik, editors, Surveillance, Computers and Privacy, pp. 156–171. University of Minnesota Press, Minneapolis, 1995 as cited in [Thompson, 2001]

[6] American Society for Testing and Materials Committee E31 on Healthcare Informatics, Subcommittee E31.17 on Privacy, Confidentiality, and Access. Standard guide for confidentiality, privacy, access, and data security principles for health information including computer-based patient records. Philadelphia, Pa.: ASTM, 1997:2. Publication no. E1869-97. As cited in [Buckovich, 1999]

[7] [KIM, 2003] defines the life cycle of data to include its capture, storage, update, transmission, access, archive, restore, deletion, and purge.

[8] In a 100% publicly funded system.

[9] Under the Alberta Health Information Act, abusers may be subject to fines of up to $50,000 and disciplinary measures within their licensing or professional organizations.