National Committee on Vital & Health Statistics

September 9, 1997

The Honorable Donna Shalala
Secretary
Department of Health and Human Services
200 Independence Avenue, SW
Washington, DC 20201

Dear Madam Secretary:

The National Committee on Vital and Health Statistics is pleased to provide recommendations on the adoption of security standards as mandated by the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191).

The Subcommittee on Health Data Needs, Standards and Security held a hearing on August 5 and 6 to receive testimony from a wide range of industry representatives on issues regarding security. Twenty-five individuals representing professional associations, providers, managed care organizations, vendors, consultants and standards development organizations provided input. A copy of the witnesses is attached to this letter.

While there was consensus among the witnesses regarding the need for security standards, testimony highlighted the evolutionary development of information security in the health care industry. Currently, there are poor practices in the handling of paper-based health information and the move towards electronic storage and transmission heightens concerns. Health care organizations have been slow to adopt strong security practices due largely to lack of strong management and organizational incentives. Additionally, the lack of national privacy legislation or regulation to ensure confidentiality of health information creates additional tensions.

Based on the testimony received and discussion at the Committee meeting on September 8 and 9, the NCVHS has developed a series of principles and recommendations for your consideration. Since the standards in this area are not fully mature and have not been extensively implemented by the health care industry, we are not recommending adoption of specific standards.

The Committee believes that any standard that is adopted must be technology neutral and should promote interoperability among information systems. There are a number of factors that must be considered in this area: the cost of implementing specific solutions and the need for scalability based on the size of the health care entity.

In order for health information systems to be secure, there must be:

· individual authentication of users

Every individual in an organization should have a unique identifier for use in logging onto the organization's information systems and each organization should have policies and procedures in place to enforce the appropriate use and maintenance of access methods.

· access controls

Procedures should be in place that restricts users' access to only that information for which they have a legitimate need. Individual organizations will have to determine the appropriate approach that will work within their organization and balance the interests between access and privacy.

· monitoring of access

Organizations should develop audit trails and mechanisms to review access to information systems to identify authorized users who misuse their privileges and perform unauthorized actions and detect attempts by intruders to access systems.

· physical security and disaster recovery

Organizations should immediately take steps to limit unauthorized physical access to computer systems, displays, networks and medical records. Disaster recovery plans should include procedures for providing basic system functions and ensuring access to health information in the event of a natural disaster or computer failure.

· protection of remote access points

Organizations must protect their information systems from intruders who try to access their systems through external communication points such as the Internet or dial-in telephone lines.

· protection of external electronic communications

Organizations need to protect sensitive communication that is transmitted electronically over open networks so that it cannot be easily intercepted and interpreted by parties other than the intended recipient.

· software discipline

Organizational procedures and educational programs should be implemented to protect against viruses, Trojan horses and other forms of malicious software and to raise users' awareness of the problem.

· system assessment

Organizations should formally assess the security and vulnerabilities of their information systems on an ongoing basis.

· monitoring of integrity of data

The integrity of health information is critical to providing quality care to patients. Organizations must implement a process to ensure that information systems do not compromise data integrity.

There are a series of organizational practices that the Committee believes are imperative:

• scalable confidentiality and security policies and procedures
• security/confidentiality committees
• designation of an information security officer in health care organizations
• education and training programs for all employees, medical staff, agents and contractors
• organizational sanctions for violation of policies and procedures
• improved patient authorization forms for disclosure of health information
• patient access to audit logs

Many of these recommendations and practices are based on the National Research Council's report For the Record: Protecting Electronic Health Information. In the short-term, it is recommended that health care organizations institute a risk assessment of their current state of compliance with these organizational and technical practices. As industry experience evolves, the Committee suggests that criteria be developed to evaluate and monitor compliance with these recommendations. Organizations that license or accredit health care organizations should consider incorporating these requirements into their standards.

The Committee plans to continue to monitor industry compliance and the development and maturation of technology and standards. As standards that are fully mature and tested become available, we will review and recommend for adoption.

Thank you for the opportunity to provide assistance.

Sincerely,

/s/

Don E. Detmer, M.D.
Chair