Analysis grid of the determinants of information security in health care

In the health care context, information risk management must take into account the following dimensions. Each dimension is followed by its definition(s) from the literature, with the source in brackets.

Dimension: Confidentiality of information

Confidentiality is the property that information is not made available or disclosed to unauthorized individuals, entities, or processes. [ISO/IEC 7498-2] as described in [ISO 13335-1]

Individuals have a right to the privacy and confidentiality of their health information. [Buckovich, 1999]

Confidentiality is a managerial responsibility: it concerns the problems of how to manage data by rules that are satisfactory to both the managers of data banks and the persons about whom the data pertain. [Thompson, 2001]

Confidentiality exists when information is communicated in the context of a special relationship (such as doctor-patient, lawyer-client, etc.) where the information is intended to be held in confidence or kept secret. [CIHR, 2002]

It is an ethical concept that regulates communication of information between individuals. [Roger, 1998]

The Declaration of Geneva requires physicians to "preserve absolute confidentiality on all he knows about his patient even after the patient has died". [WMA, 2002]

The status of confidential is accorded to data or information indicating that it is sensitive for some reason, and therefore it needs to be protected against theft, disclosure, or improper use, or both, and must be disseminated only to authorized individuals or organizations with a need to know. [Buckovich, 1999]

Confidentiality is maintained by limiting the set of individuals that belong to a domain and by controlling to which other domains results can be transferred. [Schneider, 2000]

Confidentiality is at the heart of medical practice and is essential for maintaining trust and integrity in the patient-physician relationship. Knowing that their privacy will be respected gives patients the freedom to share sensitive personal information with their physician. [WMA, 2002]

The enforcement of classification-clearance matching is mandated by directives and regulations: an individual may not exercise his own judgement to violate it. [Bell, 1976]

In the same way, as health professionals do not belong to the same structures, which are independent of each other, confidentiality of the activity of each structure must be ensured as well. [Kerkeri, 2001]

In the United States, a variety of state and federal statutes and common law rules establish legal obligations of physicians to protect patient confidentiality. Potential threats to patient confidentiality from electronic health care transactions were the impetus for US federal regulations recently implemented under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). [Muskop, 2005]

As noted above, confidentiality is closely related in meaning to one of the major uses of the term "privacy", namely informational privacy. In health care interactions, patients communicate sensitive personal information to their caregivers so that the caregivers can understand patients' medical problems and treat them appropriately. By calling such information confidential, we indicate that those who receive the information have a duty to protect it from disclosure to others who have no right to the information. Caregivers can breach confidentiality intentionally by directly disclosing patient information to an unauthorized person or inadvertently by discussing patient information in such a way that an unauthorized person can overhear it. [Muskop, 2005]

Dimension: Integrity of information

Integrity is the property of safeguarding the accuracy and completeness of assets. [ISO 13335-1]

Integrity is a property determined by approved modification of information. [Bell, 1976]

In a picture archiving and communication system (PACS), the data integrity is essential for passing the correct information to the doctor. [Tsong, 2003]

Individuals have the right to the integrity of their health information. Entities and/or persons that create, maintain, use, transmit, collect, or disseminate individual health information shall be responsible for ensuring this integrity. [Buckovich, 1999]

Data integrity includes minimization of data redundancy, improvement of data maintenance, and elimination of multiple versions of data. [Candler, 1999]

In addition to malicious threats, the threats that come from software, hardware, or network failure, or the threats that come from simple human error can affect the integrity of an information system. [Cody, 2003]

Physicians are responsible for ensuring, as far as practicable, that the information they provide to, and hold on, databases is accurate and up-to-date. [WMA, 2002]

Continuity of care might imply a complete communication of medical data, respecting its integrity and its availability. [Roger, 1998]

Outside of signing checksums on large fields (such as medical images), integrity can only be partially guaranteed by authenticating the individual at the source site responsible for transferring the information, and trusting the individual to verify the data. [Cody, 2003]

Dimension: Availability of information

The property of being accessible and usable upon demand by an authorized entity. Availability is one of the four essential properties that constitute security. [ISO 7498-2 (1999), AFNOR, Commission de Normalisation (Fr)]

Availability is the property of being accessible and usable upon demand by an authorized entity. [ISO 7498-2:1989]

The availability of intelligently integrated and verified, operational information could have a profound effect on decision-making in a wide range of contexts. [Brender, 1999]

Health research, particularly in the areas of health services and policy, population and public health, critically depends on the ready availability of existing data about people. [CIHR, 2002]

Dimension: Non-repudiation of information transactions

Non-repudiation refers to the ability to prove an action or event has taken place, so that this event or action cannot be repudiated later. [ISO 13335-1]

Non-repudiation technologies, such as digital signatures, are used to ensure that a person performing an action cannot subsequently deny performing that action. This is useful for digital contracts, statements and anywhere else that a signature would be used in the physical world. Digital signatures are commonly used for non-repudiation, and are normally based on PKI, which uses asymmetric ciphers. [Helvey, 2004]

Digital signature safeguards can provide protection to enable non-repudiation. [ISO 13335-2]

Cryptographic techniques (e.g. based on the use of digital signatures) can be used to prove or otherwise the sending, transmission, submission, delivery, receipt notification, etc. of messages, communications and transactions.

Non-repudiation of creation: to protect against an entity's false denial of having created the content of a message. [ISO 13335-1]

Non-repudiation of delivery: to protect against a recipient's false denial of having received the message and recognised the content of a message. [ISO 13335-1]

Non-repudiation of knowledge: to protect against a recipient's false denial of having taken notice of the content of a received message. [ISO 13335-1]

Non-repudiation of origin: to protect against the originator's false denial of having approved the content of a message and of having sent a message. [ISO 13335-1]

Non-repudiation of receipt: to protect against a recipient's false denial of having received a message. [ISO 13335-1]

Non-repudiation of sending: this service is intended to protect against the sender's false denial of having sent a message. [ISO 13335-1]

Non-repudiation of submission: to provide evidence that a delivery authority has accepted the message for transmission. [ISO 13335-1]

Non-repudiation of transport: to provide evidence for the message originator that a delivery authority has delivered the message to the intended recipient. [ISO 13335-1]
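As an added example (not from the grid or from any source it cites), the Go program below shows the evidence behind two of the ISO 13335-1 services defined above, non-repudiation of origin and non-repudiation of receipt, using the digital-signature approach the Helvey quotation describes: the originator signs the content, the recipient signs a receipt over the content's hash, and either check fails once the content is altered. The party names, the Ed25519 key pairs and the sample message are constructed for this example; in a deployment the public keys would be bound to identities by PKI certificates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is one participant holding a long-term Ed25519 signing key. In practice the
// public key would be bound to an identity by a PKI certificate; here keys are
// generated inline for the example.
type Party struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewParty(name string) (*Party, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, Pub: pub, priv: priv}, nil
}

// SignedMessage carries the evidence of origin: the originator's signature over the content.
type SignedMessage struct {
	Origin  string
	Content []byte
	Sig     []byte
}

// Receipt carries the evidence of receipt: the recipient's signature over the content hash.
type Receipt struct {
	Recipient string
	MsgHash   [32]byte
	Sig       []byte
}

func (p *Party) Send(content []byte) SignedMessage {
	return SignedMessage{Origin: p.Name, Content: content, Sig: ed25519.Sign(p.priv, content)}
}

// VerifyOrigin succeeds only if the content was signed with the originator's private
// key, so the originator cannot credibly deny having sent exactly this content.
func VerifyOrigin(originPub ed25519.PublicKey, m SignedMessage) bool {
	return ed25519.Verify(originPub, m.Content, m.Sig)
}

// Acknowledge signs the hash of the received content, binding the receipt to it.
func (p *Party) Acknowledge(m SignedMessage) Receipt {
	h := sha256.Sum256(m.Content)
	return Receipt{Recipient: p.Name, MsgHash: h, Sig: ed25519.Sign(p.priv, h[:])}
}

// VerifyReceipt lets the originator (or an arbiter) confirm that the recipient signed
// a receipt for this very message; a receipt for other content is rejected.
func VerifyReceipt(recipientPub ed25519.PublicKey, m SignedMessage, r Receipt) error {
	if sha256.Sum256(m.Content) != r.MsgHash {
		return errors.New("receipt does not match this message content")
	}
	if !ed25519.Verify(recipientPub, r.MsgHash[:], r.Sig) {
		return errors.New("receipt signature does not verify")
	}
	return nil
}

func main() {
	lab, _ := NewParty("hospital-lab")
	clinic, _ := NewParty("clinic")
	msg := lab.Send([]byte("patient pat-42: HbA1c 7.1%")) // constructed sample content
	rcpt := clinic.Acknowledge(msg)
	fmt.Println("origin verifies:", VerifyOrigin(lab.Pub, msg))
	fmt.Println("receipt verifies:", VerifyReceipt(clinic.Pub, msg, rcpt) == nil)
	msg.Content = []byte("patient pat-42: HbA1c 6.1%") // altered after signing
	fmt.Println("origin verifies after alteration:", VerifyOrigin(lab.Pub, msg))
}
```

A MAC could not serve the same purpose: because both sides hold the same key, a MAC over the content shows only that one of them produced it, which is not evidence against a denying originator.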

Dimension: Authentication of users

Confirmation of the identity of the claimed entity. Authentication is the act of verifying a claimed identity so as to contribute to the authenticity of future actions, or of documents and resources to be processed. [ISO/IEC 9798-1, ISO/IEC 11770-2, ISO/IEC 11770-3, AFNOR, Commission de Normalisation Informations de Santé (FR)]

Outside of signing checksums on large fields (such as medical images), integrity can only be partially guaranteed by authenticating the individual at the source site responsible for transferring the information, and trusting the individual to verify the data. [Cody, 2003]

Dimension: Authentication of data origin
Dimension: Access control

The set of means guaranteeing that only authorized entities can access the resources of a computer system, and only in an authorized manner. [ISO/IEC 2382-08]

Access control technologies are used to protect information by restricting access to information or operations, according to the identity of the accessor. Common mechanisms for access control are discretionary (DAC), mandatory (MAC), and role-based (RBAC). DAC is based on the identity or group membership of the user, and allows the user to specify which other users may access the information. MAC is common in secure operating systems, and uses labels and access control lists to protect information. RBAC allows access control policies to be defined according to the user's role in an organization, such as administrator, supervisor, researcher, and so on. [Helvey, 2004]

Health care organisations have knowingly compromised information security through less than satisfactory access controls simply in order to encourage all staff to use the computer systems. Once such compromise has been adopted, it is subsequently very difficult to convince users of the need to strengthen access control. Once appropriate access control and auditing is installed, staff scepticism soon turns to acceptance as they come to realise their importance and benefit. [Gaunt, 2000]

(In a HIPAA mandated PACS environment), from an application point of view, there should be a log mechanism to keep track of the access information such as: identification of the person that accessed this data; date and time when data has been accessed; type of access (create, read, modify, delete); status of access (success or failure); identification of the data. [CAO, 2003]

The model for authorisation and access control in distributed health information systems has to deal with policy description and negotiation including policy agreements, authentication, certification, and directory services but also audit trails, altogether forming the privilege management infrastructure. [Blobel, 2004]

Technology can help ensure the granting and restriction of access to those users with legitimate needs, by means of passwords, access codes, and other identifying mechanisms. [Buckovich, 1999]

Individuals have a right to control the access and disclosure of their health information and to specify limitations on period of time and purpose of use. [Buckovich, 1999]

Dimension: Respect for the integrity of individuals

Sub-dimension: Informed consent

Patients' consent is needed if the inclusion of their information on a database involves disclosure to a third party or would permit access by people other than those involved in the patients' care, unless there are exceptional circumstances as described in paragraph 11. [WMA, 2002]

Under certain conditions, personal health information may be included on a database without consent, for example where this conforms with applicable national law that conforms to the requirements of this statement, or where ethical approval has been given by a specially appointed ethical review committee. In these exceptional cases, patients should be informed about the potential uses of their information, even if they have no right to object. [WMA, 2002]

Personally identifiable information collected for one purpose shall not be used for another purpose without prior informed consent of the patient. [Buckovich, 1999]

Sub-dimension: Protection of personal information, or protection of private life (privacy)

Individuals have a right to the privacy and confidentiality of their health information. [Buckovich, 1999]

Outside the doctor-patient (other health care provider) relationship, health information that makes a person identifiable shall not be disclosed without prior patient informed consent and/or authorization. [Buckovich, 1999]

Individuals harmed by the abuse or misuse of their health information shall be afforded individual redress through civil and criminal penalties. [Buckovich, 1999]

Health care providers have the right to maintain private recordings of observations, opinions, and impressions whose release they consider could be potentially harmful to the well-being of the patient. They shall not disclose this information without due reflection on the impact of such release. [Buckovich, 1999]

The obligation of health care providers to maintain confidentiality and privacy of medical records shall not be undermined by outside organizations such as insurers, suppliers, employers, or government agencies (i.e., forced disclosure without informed consent). [Buckovich, 1999]

Individuals have the right to withhold their health information from electronic format including being stored, managed, or transmitted electronically. [Buckovich, 1999]

Individuals have the right to segregate their health information from shared medical records. [Buckovich, 1999]

Employers have a right to collect and maintain health information about employees allowable or otherwise deemed necessary to comply with state and federal statutes. However, employers shall not use this information for job or other employee benefit discrimination. [Buckovich, 1999]

Insurers have the right to access only that health information deemed necessary for claims administration and/or claims resolution. [Buckovich, 1999]

Confidentiality is maintained by de-identifying reports and eliminating elements within the database that would facilitate linking a report to a specific event identified by other means, such as through the patient's medical record. [Pace, 2003]

Privacy

Defined simply in an early and influential law review article by Warren and Brandeis as "the right to be let alone", privacy is often characterized as freedom from exposure to or intrusion by others. Allen distinguishes 3 major usages of the term "privacy": physical privacy, informational privacy, and decisional privacy. Physical privacy refers to freedom from contact with others or exposure of one's body to others. In contemporary health care, physical privacy is unavoidably limited. Patients grant their caregivers access to their bodies for medical examination and treatment, but expect caregivers to protect them from any unnecessary or embarrassing bodily contact or exposure. Informational privacy refers to prevention of disclosure of personal information. Informational privacy is also limited in health care by the need to communicate information about one's condition and medical history to one's caregivers. In disclosing this information, however, patients expect that access to it will be carefully restricted. This use of the term "privacy" is most closely related to the concept of confidentiality. Decisional privacy refers to an ability to make and act on one's personal choices without interference from others or the state. The US Supreme Court has relied on a constitutional right to privacy to protect freedom of choice about contraception and abortion, and state courts have used it as the basis for termination of life-sustaining medical treatment. Because decisional privacy is closely linked to the principle of respect for autonomy and the doctrine of informed consent to treatment, and because these latter topics have already been widely discussed in the medical and bioethics literature, the remainder of this article will focus on the physical and informational aspects of privacy. [Muskop, 2005]

Privacy and confidentiality also figure prominently in the "Principles of Ethics for Emergency Physicians", part of the Code of Ethics of the American College of Emergency Physicians. Principle 5 states: "Emergency physicians shall respect patient privacy and disclose confidential information only with consent of the patient or when required by an overriding duty such as the duty to protect others or to obey the law." [Muskop, 2005]

Dimension: Limits on collection (necessity)

Information gathered from available aggregate data shall not be used to the detriment of any individual in employment, access to care, rate setting, or insurability. [Buckovich, 1999]

Dimension: Access to information

Individuals have a right to access in a timely manner their health information. [Buckovich, 1999]

Access to health information shall be limited to that information necessary for the entities' or individual's legitimate need and/or purpose. [Buckovich, 1999]

In rare, limited circumstances, information may be withheld from a patient if it is likely that disclosure would cause serious harm to the patient or another person. Physicians must be able to justify any decision to withhold information from a patient. [WMA, 2002]

A warrant requirement shall exist for law enforcement to obtain health information. [Buckovich, 1999]

Patients have the right to know what information physicians hold about them, including information held on health databases. In many jurisdictions, they have a right to a copy of their health records. [WMA, 2002]

Patients should have the right to decide that their personal health information in a database (as defined in 7.2) be deleted. [WMA, 2002]

Dimension: Right to withhold, segregate, correct and copy

Patients who have seen their information and believe there are inaccuracies in it have the right to suggest amendments and to have their comments appended to the information. [WMA, 2002]

Individuals have a right to copy, in a timely manner, their health information. [Buckovich, 1999]

Individuals have a right to amend and/or correct their health information. [Buckovich, 1999]

Dimension: De-identification of data

Anonymization, whatever its technical form (organizational, manual, electronic), eliminates any direct or indirect relationship between one or more items of personal information and the natural person to whom they correspond. [AFNOR CG IS 072 (1998), AFNOR, Commission de Normalisation (Fr)]

Access to aggregate data shall be made available to support public health research and outcome studies as long as individuals are not and cannot be reasonably identified. [Buckovich, 1999]

Health information and/or medical records that make a person identifiable shall be maintained and transmitted in a secure environment. [Buckovich, 1999]

Wherever possible, data for secondary purposes should be de-identified. If this is not possible, however, the use of data where the patient's identity is protected by an alias or code should be used in preference to readily identifiable data. [WMA, 2002]

The use of de-identified data does not usually raise issues of confidentiality. Data about people as individuals, in which they retain a legitimate interest, for example a case history or photograph, require protection. [WMA, 2002]

Dimension: Transparency

Patients should be informed if their health information is to be stored on a database and of the purposes for which their information may be used. [WMA, 2002]

If patients object to their information being passed to others, their objections must be respected unless exceptional circumstances apply, for example where this is required by applicable national law that conforms to the requirements of this statement or necessary to prevent a risk of death or serious harm. [WMA, 2002]

The balance between openness and confidentiality is the subject of much debate, which, while it remains unresolved, prevents application of a consistent approach to the protection of clinical information. [Gaunt, 2000]

Dimension: Disclosure

No secret databases shall exist. [Buckovich, 1999]

Authorization from the guardian of the health database is needed before information held on databases may be accessed by third parties. Procedures for granting authorization must comply with recognised codes of confidentiality. [WMA, 2002]

Dimension: Limits on use, disclosure and retention

Data accessed must be used only for the purposes for which authorization has been given. [WMA, 2002]

Dimension: Justification of collection

Approval from a specially appointed ethical review committee must be obtained for all research using patient data, including for new research not envisaged at the time the data were collected. An important consideration for the committee in such cases will be whether patients should be contacted to obtain consent, or whether it is acceptable to use the information for the new purpose without returning to the patient for further consent. The committee's decisions must be in accordance with applicable national law and conform to the requirements of this statement. [WMA, 2002]

Dimension: Secure data transmission

Dimension: Non-commercial use

No medical record demographics or other potential patient identifiers shall be sold, utilized for marketing purposes, or utilized for other commercial or financial gain without the prior informed consent of the individual. [Buckovich, 1999]

Dimension: Process for challenging compliance

Procedures for addressing enquiries and complaints must be in place. [WMA, 2002]

The person or persons who are accountable for policies, procedures, and to whom complaints or enquiries can be made must be identified. [WMA, 2002]

Dimension: Accountability

People who collect, use, disclose or access health information must be subject to an enforceable duty to keep the information secure. [WMA, 2002]

Dimension: The principle of prudence

Sub-dimension: Organizational policies

All entities with exposure or access to individual health information shall have security/privacy/confidentiality policies, procedures, and regulations (including sanctions) in place that support adherence to these principles. [Buckovich, 1999]

Current and new technologies should be continually incorporated in the design of information systems to support the implementation of these principles and compliance with them. [Buckovich, 1999]

Support for these principles needs to be at the federal level. [Buckovich, 1999]

National medical associations should co-operate with the relevant health authorities, ethical authorities and personal data authorities, at national and other appropriate administrative levels, to formulate health information policies based on the principles in this document. [WMA, 2002]

Sub-dimension: Laws, regulations, directives, treaties

Sub-dimension: Management controls

Safeguards must be in place to ensure that there is no inappropriate or unauthorised use of or access to personal health information in databases, and to ensure the authenticity of the data. When data is transmitted, there must be arrangements in place to ensure that the transmission is secure. [WMA, 2002]

All physicians are individually responsible and accountable for the confidentiality of the personal health information they hold. Physicians must also be satisfied that there are appropriate arrangements for the security of personal health information when it is stored, sent or received, including electronically. [WMA, 2002]

Sub-dimension: Audit

Independent review and examination of system records and activity in order to verify the correctness of system controls, to ensure their consistency with the established security policy and operational procedures, to detect breaches of security, and to recommend appropriate changes to controls, policy and procedures. [ISO 7498-2 (1989), ISO/IEC 2382-8 (1998), AFNOR, Commission de Normalisation Informations de Santé (Fr)]

In addition, medically qualified person(s) should be appointed to act as guardian of a health database, to have responsibility for monitoring and ensuring compliance with the principles of confidentiality and security. [WMA, 2002]

Audit systems must keep a record of who has accessed personal health information and when. Patients should be able to review the audit record for their own information. [WMA, 2002]

An audit trail shall exist for medical records and be available to patients on request. [Buckovich, 1999]
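As an added example (not from the grid or from any source it cites), the Go program below ties the access control passage (the role-based model in the Helvey quotation and the log mechanism listed by CAO, 2003) to the audit passages just above: every access attempt is checked against a role policy and recorded with CAO's five fields whether it succeeds or fails, and a patient can retrieve the entries concerning their own records, as WMA (2002) and Buckovich (1999) require. The roles, the policy, the record store and all identifiers are constructed assumptions for this example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

type Action string

const Create, Read, Modify, Delete Action = "create", "read", "modify", "delete"

// AuditEntry holds the five log fields from the CAO (2003) quotation, plus the
// patient the record belongs to so that patients can review their own entries.
type AuditEntry struct {
	UserID    string    // identification of the person
	At        time.Time // date and time of access
	Action    Action    // type of access
	Success   bool      // status of access (success or failure)
	RecordID  string    // identification of the data
	PatientID string
}

type User struct{ ID, Role string }
type Record struct{ ID, PatientID, Body string }

// policy is a constructed role-based (RBAC) policy: role -> permitted actions.
var policy = map[string]map[Action]bool{
	"physician":  {Create: true, Read: true, Modify: true},
	"nurse":      {Read: true},
	"researcher": {}, // no direct record access; gets de-identified extracts instead
}

// System is an in-memory record store with an append-only audit log; the clock is injected.
type System struct {
	records map[string]Record
	log     []AuditEntry
	now     func() time.Time
}

func NewSystem(now func() time.Time) *System {
	return &System{records: map[string]Record{}, now: now}
}

func (s *System) AddRecord(r Record) { s.records[r.ID] = r }

// Access enforces the RBAC policy and logs every attempt, denied ones included.
func (s *System) Access(u User, act Action, recID string) (Record, error) {
	rec, exists := s.records[recID]
	allowed := exists && policy[u.Role][act]
	s.log = append(s.log, AuditEntry{UserID: u.ID, At: s.now(), Action: act,
		Success: allowed, RecordID: recID, PatientID: rec.PatientID})
	if !allowed {
		return Record{}, errors.New("access denied")
	}
	return rec, nil
}

// AuditFor returns the entries concerning one patient's records, which is the
// view a patient may review on request (WMA, 2002; Buckovich, 1999).
func (s *System) AuditFor(patientID string) []AuditEntry {
	var out []AuditEntry
	for _, e := range s.log {
		if e.PatientID == patientID {
			out = append(out, e)
		}
	}
	return out
}

func main() {
	s := NewSystem(time.Now)
	s.AddRecord(Record{ID: "img-1", PatientID: "pat-42", Body: "chest x-ray"}) // constructed
	s.Access(User{ID: "dr-a", Role: "physician"}, Read, "img-1")
	s.Access(User{ID: "rn-b", Role: "nurse"}, Modify, "img-1") // denied, still logged
	for _, e := range s.AuditFor("pat-42") {
		fmt.Printf("%s %s %s success=%v\n", e.At.Format(time.RFC3339), e.UserID, e.Action, e.Success)
	}
}
```

Recording denied attempts alongside successful ones is what makes the log useful for the detection purpose in the ISO audit definition above, not only for the patient's review.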

Sub-dimension: Documentation

There must be documentation to explain: what information is held and why; what consent has been obtained from the patients; who may access the data; why, how and when the data may be linked to other information; and the circumstances in which data may be made available to third parties. [WMA, 2002]

Information to patients about a specific database should cover: consent to the storage and use of data; rights of access to the data; and rights to have inaccurate data amended. [WMA, 2002]

Sub-dimension: Training

All entities involved with health care information have a responsibility to educate themselves, their staff, and consumers on issues related to these principles (e.g., consumers' privacy rights). [Buckovich, 1999]