The attributes of risk in healthcare

The attributes of risk

Risk in information systems is generally perceived in relation to attributes. [ISO 17799] proposes the attributes of confidentiality, integrity and availability, and notes that other attributes such as authenticity, accountability, non-repudiation and reliability may also be involved. [Zhou, 1999] proposes confidentiality, integrity, availability, non-repudiation and authentication. We present here some definitions.


Confidentiality is the property that information is not made available or disclosed to unauthorized individuals, entities, or processes.1 Confidentiality exists when information is communicated in the context of a special relationship (such as doctor-patient, lawyer-client, etc.) where the information is intended to be held in confidence or kept secret [CIHR, 2002]. It is an ethical concept that regulates communication of information between individuals [Roger, 1998]. ‘The status of confidential is accorded to data or information indicating that it is sensitive for some reason, and therefore it needs to be protected against theft, disclosure, or improper use, or both, and must be disseminated only to authorized individuals or organizations with a need to know.’2 Individuals have a right to the privacy and confidentiality of their health information [Buckovich, 1999].

Confidentiality is at the heart of medical practice and is essential for maintaining trust and integrity in the patient-physician relationship. Knowing that their privacy will be respected gives patients the freedom to share sensitive personal information with their physician [WMA, 2002]. The Declaration of Geneva requires physicians to « preserve absolute confidentiality on all he knows about his patient even after the patient has died » [WMA, 2002].

Confidentiality is a managerial responsibility: it concerns the problem of how to manage data by rules that are satisfactory both to the managers of data banks and to the persons to whom the data pertain [Thompson, 2001]. The enforcement of classification-clearance matching is mandated by directives and regulations: an individual may not exercise his own judgement to violate it [Bell, 1976]. In the same way, since health professionals belong to different structures that are independent of each other, the confidentiality of each structure’s activity must be ensured as well [Kerkeri, 2001]. In [Pace, 2003], confidentiality is maintained by de-identifying reports and eliminating elements within the database that would facilitate linking a report to a specific event identified by other means, such as through the patient’s medical record.


Integrity is the property of safeguarding the accuracy and completeness of assets [ISO 13335-1]. Integrity is a property determined by approved modification of information [Bell, 1976].

Individuals have the right to the integrity of their health information. Entities and/or persons that create, maintain, use, transmit, collect, or disseminate individual health information shall be responsible for ensuring this integrity [Buckovich, 1999].

Continuity of care might imply a complete communication of medical data, respecting its integrity and its availability [Roger, 1998]. For example, in a picture archiving and communication system (PACS), the data integrity is essential for passing the correct information to the doctor [Tsong, 2003].

Apart from signing checksums over large fields (such as medical images), integrity can only be partially guaranteed: by authenticating the individual at the source site responsible for transferring the information, and trusting that individual to verify the data [Cody, 2003].

Data integrity includes minimization of data redundancy, improvement of data maintenance, and elimination of multiple versions of data [Candler, 1999].

In addition to malicious threats, failures of software, hardware or the network, and simple human error, can all affect the integrity of an information system [Cody, 2003].
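The difference between the signed checksum and the trusted transfer that [Cody, 2003] describes, and between accidental and malicious integrity threats, as an added example (this is not code from the cited work). The image bytes and the site key are constructed; a real deployment would draw the key from a key store shared only by the sending and receiving sites.

```python
"""Integrity of a transferred record: unkeyed checksum versus keyed MAC.

Added example, not from [Cody, 2003]. The image bytes and SITE_KEY are
constructed for illustration.
"""
import hashlib
import hmac

SITE_KEY = b"constructed-shared-secret-do-not-reuse"  # constructed for the example


def checksum(data: bytes) -> str:
    """Unkeyed SHA-256. Catches accidental corruption (disk, network, software faults)."""
    return hashlib.sha256(data).hexdigest()


def tag(data: bytes, key: bytes = SITE_KEY) -> str:
    """HMAC-SHA-256. Also catches an attacker who rewrites the data and its
    checksum, because the right tag cannot be computed without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_checksum(data: bytes, expected: str) -> bool:
    return hmac.compare_digest(checksum(data), expected)


def verify_tag(data: bytes, expected: str, key: bytes = SITE_KEY) -> bool:
    # compare_digest: constant-time comparison, so the check leaks no timing on the tag
    return hmac.compare_digest(tag(data, key), expected)


def flip_bit(data: bytes, index: int) -> bytes:
    """Simulate a single-bit transmission error."""
    buf = bytearray(data)
    buf[index] ^= 0x01
    return bytes(buf)


def scenarios() -> dict:
    """Run both checks against an accidental and a malicious modification.
    Returns {scenario: (checksum_accepts, tag_accepts)}."""
    image = b"DICM" + bytes(range(256)) * 4  # constructed stand-in for a DICOM object
    cs, t = checksum(image), tag(image)

    # 1. Bit flip in transit: both mechanisms reject the data.
    corrupted = flip_bit(image, 100)
    accidental = (verify_checksum(corrupted, cs), verify_tag(corrupted, t))

    # 2. Attacker alters a pixel run and recomputes the checksum to match.
    #    The checksum verifies; the tag does not, since the attacker lacks SITE_KEY.
    altered = image.replace(b"\x00\x01", b"\x00\xff", 1)
    forged_cs = checksum(altered)
    forged_tag = tag(altered, b"attacker-guess")
    malicious = (verify_checksum(altered, forged_cs), verify_tag(altered, forged_tag))

    return {"accidental": accidental, "malicious": malicious}
```

The keyed tag binds the data to whoever holds the key, which is the "authenticating the source site" part of the quotation. It does not show which of the two key holders produced the data, so it gives integrity and authenticity but not non-repudiation; that needs a per-signer private key.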


Availability is the property of being accessible and usable upon demand by an authorized entity (ISO 7498-2:1989).

The availability of intelligently integrated and verified, operational information could have a profound effect on decision-making in a wide range of contexts [Brender, 1999]. Health research, particularly in the areas of health services and policy, population and public health, critically depends on the ready availability of existing data about people [CIHR, 2002].

Non-repudiation

Non-repudiation refers to the ability to prove an action or event has taken place, so that this event or action cannot be repudiated later.3

[ISO 13888-1] identifies the following non-repudiation services:

  • Non-repudiation of creation: to protect against an entity’s false denial of having created the content of a message.

  • Non-repudiation of delivery: to protect against a recipient’s false denial of having received the message and recognised the content of a message.

  • Non-repudiation of knowledge: to protect against a recipient’s false denial of having taken notice of the content of a received message.

  • Non-repudiation of origin: to protect against the originator’s false denial of having approved the content of a message and of having sent a message.

  • Non-repudiation of receipt: to protect against a recipient’s false denial of having received a message.

  • Non-repudiation of sending: to protect against the sender’s false denial of having sent a message.

  • Non-repudiation of submission: to provide evidence that a delivery authority has accepted the message for transmission.

  • Non-repudiation of transport: to provide evidence for the message originator that a delivery authority has delivered the message to the intended recipient.

Non-repudiation technologies, such as digital signatures, are used to ensure that a person performing an action cannot subsequently deny performing that action. This is useful for digital contracts, statements and anywhere else that a signature would be used in the physical world. Digital signatures are commonly used for non-repudiation, and are normally based on a PKI, which uses asymmetric ciphers [Helvey, 2004].

Digital signature safeguards can provide protection to enable non-repudiation [ISO 13335-2].

Cryptographic techniques (e.g. based on the use of digital signatures) can be used to prove, or disprove, the sending, transmission, submission, delivery, receipt notification, etc. of messages, communications and transactions [ISO 13335-2].
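How digital signatures give non-repudiation of origin and of receipt, and why a third party can check them with public keys alone, as an added example (not code from [Helvey, 2004] or from ISO 13335-2). To run with the standard library only it uses a deliberately tiny textbook-RSA signature over SHA-256 on hard-coded primes; the primes, party names and message are constructed, and a real system would use RSA-PSS or Ed25519 from a vetted library with proper key sizes.

```python
"""Non-repudiation of origin and of receipt with digital signatures.

Added example. Toy RSA on hard-coded small primes, stdlib only; the
modulus is trivially factorable and exists solely to show the property:
anyone holding the public key can verify, only the private-key holder
can sign. Do not reuse this construction.
"""
import hashlib

E = 65537  # conventional public exponent


def toy_keypair(p: int, q: int):
    """Return (public, private) as ((n, e), (n, d)); p and q must be distinct primes."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # requires gcd(E, phi) == 1, true for the primes below
    return (n, E), (n, d)


def digest_mod(data: bytes, n: int) -> int:
    """SHA-256 of the data reduced into the signing group (toy scheme, no padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data: bytes) -> int:
    n, d = private
    return pow(digest_mod(data, n), d, n)


def verify(public, data: bytes, sig: int) -> bool:
    n, e = public
    return pow(sig, e, n) == digest_mod(data, n)


# Constructed keys: sender (physician) and recipient (laboratory).
# 2**31-1, 2**61-1, 2**19-1 are Mersenne primes; 2**32-5 is the largest prime below 2**32.
SENDER_PUB, SENDER_PRIV = toy_keypair(2**31 - 1, 2**32 - 5)
RECIPIENT_PUB, RECIPIENT_PRIV = toy_keypair(2**61 - 1, 2**19 - 1)


def send_message(private, body: bytes) -> dict:
    """Non-repudiation of origin: the originator signs the content it sends."""
    return {"body": body, "sig": sign(private, body)}


def acknowledge(private, msg: dict) -> dict:
    """Non-repudiation of receipt: the recipient signs a receipt bound to the message hash."""
    receipt = b"RECEIVED:" + hashlib.sha256(msg["body"]).digest()
    return {"receipt": receipt, "sig": sign(private, receipt)}


def audit(msg: dict, ack: dict) -> dict:
    """A third party holding only the two public keys can later establish both facts.
    With a shared-key MAC this would be impossible: either party could have made the tag."""
    expected_receipt = b"RECEIVED:" + hashlib.sha256(msg["body"]).digest()
    return {
        "origin_proven": verify(SENDER_PUB, msg["body"], msg["sig"]),
        "receipt_proven": ack["receipt"] == expected_receipt
        and verify(RECIPIENT_PUB, ack["receipt"], ack["sig"]),
    }
```

If the sender later alters the body, or the recipient claims a different message, the auditor’s check fails on the corresponding half, which is exactly the evidence the services of origin and receipt are meant to provide.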

Access controls

Access control technologies are used to protect information by restricting access to information or operations according to the identity of the accessor. Common mechanisms for access control are discretionary (DAC), mandatory (MAC), and role-based (RBAC). DAC is based on the identity or group membership of the user, and allows the owner of the information to specify which other users may access it. MAC is common in secure operating systems, and uses labels, enforced by the system rather than by the data owner, to protect information. RBAC allows access control policies to be defined according to the user’s role in an organization, such as administrator, supervisor, researcher, and so on [Helvey, 2004].

Health care organisations have knowingly compromised information security through less than satisfactory access controls simply in order to encourage all staff to use the computer systems. Once such a compromise has been adopted, it is subsequently very difficult to convince users of the need to strengthen access control. Once appropriate access control and auditing are installed, staff scepticism soon turns to acceptance as they come to realise their importance and benefit [Gaunt, 2000].

In a HIPAA-mandated PACS environment, from an application point of view, there should be a log mechanism that keeps track of access information such as [CAO, 2003]:

  • Identification of the person that accessed this data

  • Date and time when data has been accessed

  • Type of access (create, read, modify, delete)

  • Status of access (success or failure)

  • Identification of the data.
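A role-based access control check that records the five audit fields listed above on every attempt, successful or not, as an added example (not code from [Helvey, 2004] or [CAO, 2003]). Roles, user names, record identifiers and the de-identification flag are constructed.

```python
"""RBAC enforcement with an audit trail of who, when, what type, status and which data.

Added example; users, roles and records are constructed.
"""
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone

# Role -> permitted access types. Each role gets only the operations its job needs.
ROLE_PERMISSIONS = {
    "radiologist": {"create", "read", "modify"},
    "referring_physician": {"read"},
    "researcher": {"read"},          # and only on de-identified records, enforced below
    "pacs_admin": {"read", "delete"},
}

USER_ROLES = {  # constructed directory
    "dr.ahmed": "radiologist",
    "dr.lee": "referring_physician",
    "r.smith": "researcher",
    "ops1": "pacs_admin",
}


@dataclass
class AuditEntry:
    user: str          # identification of the person
    timestamp: str     # date and time of the access (UTC, ISO 8601)
    access_type: str   # create | read | modify | delete
    status: str        # success | failure
    data_id: str       # identification of the data
    reason: str = ""   # why a failure was refused


@dataclass
class Pacs:
    records: dict = field(default_factory=dict)   # data_id -> {"deidentified": bool}
    audit_log: list = field(default_factory=list)

    def _log(self, user, access_type, status, data_id, reason="") -> AuditEntry:
        entry = AuditEntry(user, datetime.now(timezone.utc).isoformat(),
                           access_type, status, data_id, reason)
        self.audit_log.append(entry)   # refusals are logged as well as successes
        return entry

    def access(self, user: str, access_type: str, data_id: str) -> AuditEntry:
        role = USER_ROLES.get(user)
        if role is None:
            return self._log(user, access_type, "failure", data_id, "unknown user")
        if access_type not in ROLE_PERMISSIONS.get(role, set()):
            return self._log(user, access_type, "failure", data_id,
                             f"role {role} lacks {access_type}")
        record = self.records.get(data_id)
        if access_type != "create" and record is None:
            return self._log(user, access_type, "failure", data_id, "no such record")
        if role == "researcher" and record is not None and not record["deidentified"]:
            return self._log(user, access_type, "failure", data_id, "identified data")
        if access_type == "create":
            self.records[data_id] = {"deidentified": False}
        elif access_type == "delete":
            del self.records[data_id]
        return self._log(user, access_type, "success", data_id)

    def export_log(self) -> list:
        """Audit entries as plain dicts, e.g. for shipping to a central log store."""
        return [asdict(e) for e in self.audit_log]
```

The log is only as trustworthy as its storage: in practice it is written to an append-only store that the PACS administrator role cannot modify, otherwise the same role that can delete studies can also delete the evidence.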

The model for authorisation and access control in distributed health information systems has to deal with policy description and negotiation including policy agreements, authentication, certification, and directory services but also audit trails, altogether forming the privilege management infrastructure [Blobel, 2004].

Technology can help ensure the granting and restriction of access to those users with legitimate needs, by means of passwords, access codes, and other identifying mechanisms [Buckovich, 1999].

Privacy vs security

The right to privacy entitles people to exercise control over the use and disclosure of information about them as individuals. The privacy of a patient’s personal health information is secured by the physician’s duty of confidentiality [WMA, 2002].

Privacy is a social, cultural and legal concept, all three aspects of which vary from country to country [Thompson, 2001]. While security of personal data may be instrumental for this purpose, ‘data security is a very different thing from privacy’.4

Privacy: ‘‘The right of individuals to be left alone and to be protected against physical or psychological invasion or the misuse of their property. It includes freedom from intrusion or observation into one’s private affairs, the right to maintain control over certain personal information, and the freedom to act without outside interference.’’5

Information privacy can be thought of as a set of controls placed upon organizations over the uses of personal information in their custody and control, and the rights conferred upon individuals over their personal information. What becomes clear in mapping out these security and privacy elements is that some of the components of privacy protection can be addressed by security safeguards, while others cannot. Some security functions may actually hinder or even threaten necessary privacy protection. Some privacy measures may weaken or threaten justified security measures. Hence the security–privacy paradox [Cavoukian, 2003].

The Declaration of Helsinki states: « It is the duty of the physician in medical research to protect the life, health, privacy, and dignity of the human subject » [WMA, 2002].

A recurring idea is that a research database of patient data can and should be ‘‘scrubbed’’ of personal identifying information, and thereafter the ‘‘clean’’ database can be made available for research on a less restricted basis.

[Behlen, 1999] argues that such complete scrubbing is not feasible, and even if it were feasible, it would not be appropriate ethically. A troublesome requirement for exemption is that of ‘‘throwing away the key’’ that links data to a patient. This requirement presents some practical, scientific, and ethical problems:

  • It forecloses the possibility of benefit to the patient;

  • The requirement greatly complicates the maintenance of a current database;

  • The requirement eliminates some checks against scientific fraud.
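The scrubbing debate above, as an added example (not code from [Behlen, 1999]): a keyed pseudonym makes keeping or destroying the link to the patient a deliberate decision held by a custodian, and a join on the quasi-identifiers that research needs to keep shows why removing direct identifiers is not complete de-identification. All records, names, the outside list and the key are constructed.

```python
"""De-identifying a research extract: what scrubbing removes and what it leaves.

Added example. Direct identifiers are replaced by an HMAC pseudonym computed
under LINK_KEY; destroying that key is "throwing away the key". The quasi-
identifiers research keeps (dob, postcode, sex) still allow linkage.
"""
import hashlib
import hmac

LINK_KEY = b"constructed-linkage-key-held-by-custodian"  # constructed; held by the custodian, not researchers

DIRECT_IDENTIFIERS = {"name", "mrn", "address", "phone"}
QUASI_IDENTIFIERS = ("dob", "postcode", "sex")


def pseudonym(mrn: str, key: bytes = LINK_KEY) -> str:
    """Deterministic keyed token: same patient -> same token across extracts,
    but only the key holder can recompute it from the record number."""
    return hmac.new(key, mrn.encode(), hashlib.sha256).hexdigest()[:16]


def scrub(record: dict, key: bytes = LINK_KEY) -> dict:
    """Drop direct identifiers, add the pseudonym, keep everything else."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["pid"] = pseudonym(record["mrn"], key)
    return out


def reidentify(scrubbed: dict, registry: list, key: bytes = LINK_KEY):
    """Possible only with the key: recompute pseudonyms over the identified registry.
    Returns the matching record number, or None (e.g. after the key is destroyed)."""
    for r in registry:
        if hmac.compare_digest(pseudonym(r["mrn"], key), scrubbed["pid"]):
            return r["mrn"]
    return None


def link_on_quasi_identifiers(scrubbed: dict, public_list: list) -> list:
    """The residual risk scrubbing does not remove: join on dob/postcode/sex
    against an outside list. A unique match re-identifies the row without any key."""
    return [p["name"] for p in public_list
            if all(p[q] == scrubbed[q] for q in QUASI_IDENTIFIERS)]


# Constructed sample data
CLINICAL = [
    {"mrn": "MRN-0001", "name": "A. Example", "address": "1 Main St", "phone": "555-0100",
     "dob": "1961-03-04", "postcode": "H2X 1Y4", "sex": "F", "dx": "E11"},
    {"mrn": "MRN-0002", "name": "B. Sample", "address": "2 Side Rd", "phone": "555-0101",
     "dob": "1975-11-30", "postcode": "H3Z 2A1", "sex": "M", "dx": "I10"},
]
PUBLIC_LIST = [  # constructed stand-in for a voter roll or similar public register
    {"name": "A. Example", "dob": "1961-03-04", "postcode": "H2X 1Y4", "sex": "F"},
    {"name": "C. Other", "dob": "1975-11-30", "postcode": "H3Z 2A1", "sex": "M"},
    {"name": "D. Other", "dob": "1975-11-30", "postcode": "H3Z 2A1", "sex": "M"},
]


def research_extract(key: bytes = LINK_KEY) -> list:
    return [scrub(r, key) for r in CLINICAL]
```

The first row is re-identified by the outside list alone; the second is not, only because two people share its quasi-identifiers. Whether to keep LINK_KEY (so a finding can be returned to the patient, and fraud checks against source records remain possible) or destroy it is the choice the text describes, and it does nothing about the second route.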

Quality of data is crucial to privacy protection. Security is necessary, but far from sufficient, to ensure privacy. Computer scientists and others often take ‘privacy’ to mean (only) ‘data security’ against risks of unauthorized access, physical damage to databases or transmissions, and the like. However, it is no comfort to a privacy-aware individual to be told that inaccurate, outdated, excessive and irrelevant data about her are encrypted and stored behind hacker-proof firewalls until put to use by (say) a credit-granting organization in making decisions about her [Raab, 2004]. Following intense scrutiny in some research projects, it may be necessary to conduct an independent reanalysis of the data and results to confirm the quality of the original data [Shortreed, 2003].

Privacy of information collected during health care processes is necessary because of significant economic, psychologic, and social harm that can come to individuals when personal health information is disclosed [Barrows, 1996].

Privacy and confidentiality of the patient record has attracted extensive debate and analysis, including discussion of research. Although policy issues regarding research access to public health databases have been analyzed in detail, less attention has been paid to the problem of how to oversee and administer, within the framework of applicable public policy, multicenter research using privately held patient records. In addition to public policy, the policies of each participating institution must be considered [Behlen, 1999].

The relationship between health care provider and patient is one characterized by intimacy and trust, and confidentiality is embedded at least implicitly in patient-provider interactions. The notion of confidentiality in health care has a strong professional tradition that has suffered progressive erosion due to third-party reimbursement schemes, managed care and other health care organizational structures, and the perceptions and culture of professionals within modern health care systems. One third of medical professionals have indicated that information is given to unauthorized people “somewhat often” [Barrows, 1996].

Ethical issues in healthcare database risk management

Clinical research must be done with the utmost respect for ethical concerns [Beecher, 1966]. The rights to privacy and confidentiality are intimately connected with the right to respect for one’s dignity, integrity and autonomy, which are constitutionally enshrined in the Canadian Charter of Rights and Freedoms and Quebec’s Charter of Human Rights and Freedoms [CIHR, 2002]. Privacy and confidentiality lie at the root of international and national ethics guidelines, as well as professional codes of deontology [CIHR, 2002] [CIHR, 2004]. They are the principal drivers of the requirement for adequate treatment of risk in healthcare organisations [Senate, 2002]. Legal uncertainty also makes it difficult for consumers to be aware of and understand their privacy and confidentiality rights [Buckovich, 1999].

The core principles at the heart of Canadian privacy legislation form the basis of the Canadian Standards Association Model Code for the Protection of Personal Information [CSA, 2003] [CIHR, 2004]. Together with [WMA, 1994] [WMA, 1995] [WMA, 2002] [Buckovich, 1999] [CIHR, 2004], these identify the following areas of risk that need to be addressed in a clinical data warehouse (CDW):

  • Policies;

  • Confidentiality;

  • Privacy;

  • Integrity;

  • Availability;

  • Safeguards:

    1. Limiting collection;

    2. Management controls;

    3. Processes to enable challenging compliance;

    4. De-identification of data;

    5. Secure transmission of data;

    6. Accountability;

  • Openness:

    1. Informed consent;

    2. Identifying purposes;

    3. Access to information by patients (right to withhold, segregate, amend and copy);

    4. Limiting use, disclosure, and retention;

    5. Full disclosure (no secret databases shall exist);

    6. Non-commercial use (no medical record shall be sold or utilized for marketing purposes without the prior informed consent of the individual);

  • Documentation and training.

This is in accord with the requirements of the declarations of Lisbon [WMA, 1995], Geneva [WMA, 1994], Helsinki [WMA, 2002], as well as [Belmont, 1979] [Helsinky, 1964] [Nuremberg, 1949] [Harkness, 2001].

Challenge: The selection and categorization of the different areas of risk that comprise the overall risk and areas of threats that should be considered in the implementation and use of a clinical data warehouse.

This would be a significant improvement over the commonly used approaches, which are mainly concerned with confidentiality, integrity and availability only. It would also be better suited to the requirements that we have identified in the literature.

Combining the requirements

If we put this in the form of a table, the requirements could be represented as follows. The table did not survive extraction intact: its rows are stakeholder categories and its columns are the risk requirement categories listed above (of the column headers only "Documentation and training" survived; the others presumably follow the list above). The cell contents are reproduced below per row, in the order in which they survived, separated by " | "; the column to which each cell belongs could not be recovered, and two row labels were lost.

Risk requirement category (columns) × Stakeholder category (rows):

  • (stakeholder name not recovered): 1, 14, 35, 54, 57, 58, 60 | 7, 47, 66 | 2, 3, 4, 8 | 1b, 5, 6, 9, 11, 38, 39 | 14, 29, 30, 35, 36, 37 | 24, 50

  • Data users: 7b, 64, 65, 69, 70 | 40, 43 | 17, 18, 19, 35 | 19, 24, 42, 44, 45, 75, 76, 77, 78, 79, 80, 81, 82, 84 | 25, 48

  • Healthcare organisations: 14, 33, 54, 56, 60, 61 | 7b, 66 | 9, 10, 12, 13 | 26, 40, 61 | 14, 15, 16, 17, 18, 29 | 24, 50, 87 | 25, 48, 51

  • Healthcare professionals: 32, 58, 59, 62 | 46 | 73 | 9, 59 | 33 | 31, 33 | 32 | 25

  • Professional associations: 13 | 52 | 25

  • Healthcare industry: 13 | 26 | 15, 16

  • (stakeholder name not recovered; these cells followed the Healthcare industry row and may belong to it): 13, 20 | 15, 18 | 15, 16, 18, 22, 29 | 28, 50

  • NGOs and Community groups: (no cells recovered)

  • IT staff: 34, 56, 60, 61, 63 | 7b, 66, 69, 71 | 10 | 26, 40, 61 | 35 | 19, 23, 24, 27, 34, 83, 85, 86, 88, 89, 90 | 25, 48

  • IT industry: (no cells recovered)


The requirements presented in this table were identified in our literature review; a complete list of the requirements, with references, is presented in Annex A.

Challenge: further work could identify additional requirements that have been missed, and further analysis may be needed. The list of stakeholders and the categorization of stakeholder groups also require validation.

1 [ISO/IEC 7498-2] as described in [ISO 13335-1]

2 American Society for Testing and Materials Committee E31 on Healthcare Informatics, Subcommittee E31.17 on Privacy, Confidentiality, and Access. Standard guide for confidentiality, privacy, access, and data security principles for health information including computer-based patient records. Philadelphia, Pa.: ASTM, 1997:2. Publication no. E1869-97. As cited in [Buckovich, 1999]

3 (ISO/IEC 13888-1:1997; ISO IS 7498-2:1989) as defined in [ISO 13335-1]

4 Calvin C. Gotlieb. Privacy: A Concept Whose Time Has Come and Gone. In D. Lyon and E. Zureik, editors, Surveillance, Computers and Privacy, pp. 156–171. University of Minnesota Press, Minneapolis, 1995. As cited in [Thompson, 2001]

5 American Society for Testing and Materials Committee E31 on Healthcare Informatics, Subcommittee E31.17 on Privacy, Confidentiality, and Access. Standard guide for confidentiality, privacy, access, and data security principles for health information including computer-based patient records. Philadelphia, Pa.: ASTM, 1997:2. Publication no. E1869-97. As cited in [Buckovich, 1999]