Access Control and System Audit Based on
"Patient-Doctor Relation and Clinical Situation" Model

Dr. Yasuyuki Hirose

uploaded 1998.7.24
Abstract
Both the confidentiality of patient privacy and data sharing between healthcare practitioners are required in hospital information systems. A new access control method has been designed on the "patient-doctor relation and clinical situation at the point-of-care" model, in addition to the traditional "account and password" mechanism. This method can (1) allow flexible data access when needed, (2) afford accurate access audit, and (3) suppress inappropriate access.

Keywords:
confidentiality, availability, patient-doctor relation, clinical situation, validity, justification, access control, access log, computer-based audit, electronic medical records system.


1. Introduction

The security of privacy and confidentiality is a critical matter in a hospital information system (HIS) or computerized patient records system (CPRS). On the other hand, patient data and information must be shared between the various clinical staff for the quality of care [2,6]. Therefore, it is necessary to give healthcare practitioners a security level flexible enough to access the data they need to pursue their job and/or role [2,3,4], and at the same time to suppress illegal access and to urge strict observance of the secrecy obligation. To meet these two conflicting requirements, the traditional static security control system is insufficient: it is too rigid and tight [2,6]. In fact, the following unreasonable scenes have occurred at the point of care:

Case 1: "could not access, although the information was necessary for clinical care"
Case 2: "was able to access, without valid reasons for patient care or management"

These problems are caused by a security system that represents neither the patient-doctor relation nor the clinical situation as it actually exists at the point of care. Although changes of "relation and situation" arise frequently at the point of care, the traditional mechanism is based on "account and password" and, at most, a static "access control matrix (ACM)". These models have focused on preventing attacks by unauthenticated users or on limiting access by job name. Consequently, data access has been controlled only by the "Who" of the 5W1H (who, when, where, what, why, and how). Therefore, the traditional security control system is unable to evaluate the validity or justification of an access, because it does not hold the access reason, the "Why" of the 5W1H.

To overcome these problems, the author has designed a new access control method based on the "relation and situation" model, and indicates the possibility of system audit.

2. Methods

2.1. Environments

In the Dental Hospital (see NOTE) of Tokyo Medical and Dental University, a CPRS is installed and data entry is performed directly by the clinical staff themselves at their job points, i.e., the point of care. The CPRS is designed as the access platform to all data/information and, at the same time, as the operational platform for all order/entry procedures in the integrated HIS. The HIS has some subsystems, but the HIS network is air-gapped from the campus network and from the Internet. The authentication mechanism is fundamentally homogeneous, and the terminal software has an automatic timeout-logoff function.

Under these conditions, the new access control method is applied to access from inside the hospital, especially targeted at medical staff at the point of care.

2.2. Strategy

2.2.1. Declaration of the Reason for Access

Authentication is primarily performed by "account and password" at logon, as in the ordinary procedure. Then the CPRS built-in access control system determines the basic access right according to "Who" and his/her profile (e.g., license, job name). This step is performed on the basis of a pre-set multi-dimensional ACM, but rather roughly.

Right before opening the CPR of a certain patient in the CPRS, the staff member is required to declare the patient-doctor relation or the clinical situation at the point of care as the reason for the access. The declaration is so simple that all he/she has to do is select one of the "relation and situation" items from a listed menu.

2.2.2. Access Right Granting

The authorization module manages the validity of access from the point of view of "Why" he/she is going to access. The basic access right is dynamically reduced or expanded based on "Why". This module is separated from the logon (i.e., authentication) module.

  1. authentication: identification (account); certification (password)
  2. authorization: (profile) (ACM); validation (reasons)

2.2.3. "Relation and Situation" Model

The "relation and situation" is classified as follows:

Items are pre-set in the system, and free text entry is not permitted. The classification items may vary between hospitals, but in any case the "relation and situation" in a clinical scene will be clarified and specified.
Note that the "relation and situation" model has an axis of time, as follows:

Therefore, the valid period or duration can also be controlled when needed.
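As an added illustration of the two-stage procedure of 2.2.1 to 2.2.3 (example code written for this page, not code from the paper or from the hospital's HIS, which is built in M), the following Python sketch keeps the authentication module apart from the authorization module, rejects any reason that is not a pre-set menu item, and lets the declared reason expand or reduce the ACM's basic right only for the declared patient and only within the reason's valid duration. The account table, ACM entries, menu items and their override rules are constructed assumptions, not the hospital's actual policy.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Stage 1 material: account directory and the pre-set, "rather rough"
# multi-dimensional ACM (basic right by job and data type). Constructed values.
ACCOUNTS = {"dr_a": ("pw-a", "doctor"), "ns_b": ("pw-b", "nurse")}
BASE_ACM = {
    "doctor": {"clinical": {"view", "order"}, "financial": set()},
    "nurse":  {"clinical": {"view"},          "financial": set()},
}

# Stage 2 material: the "relation and situation" menu. Each item carries the
# rights it expands, the rights it reduces, and how long the declaration stays
# valid (the model's time axis). Hypothetical policy for this example only.
REASONS = {
    "attending": (set(),     set(),     timedelta(days=30)),
    "consult":   (set(),     set(),     timedelta(days=7)),
    "ward_mgmt": (set(),     {"order"}, timedelta(days=1)),
    "emergency": ({"order"}, set(),     timedelta(hours=12)),
}

@dataclass(frozen=True)
class Session:       # output of the authentication module ("Who")
    account: str
    job: str

@dataclass(frozen=True)
class Declaration:   # output of the declaration step ("Why"), per patient
    account: str
    patient_id: str
    reason: str
    declared_at: datetime

def authenticate(account: str, password: str) -> Optional[Session]:
    """Ordinary account/password logon; knows nothing about 'Why'."""
    entry = ACCOUNTS.get(account)
    if entry is None or entry[0] != password:
        return None
    return Session(account, entry[1])

def declare(session: Session, patient_id: str, reason: str,
            now: datetime) -> Declaration:
    """Declaration made right before opening a patient's CPR; menu items only."""
    if reason not in REASONS:
        raise ValueError("reason must be a pre-set item: %s" % sorted(REASONS))
    return Declaration(session.account, patient_id, reason, now)

def effective_rights(session: Session, decl: Optional[Declaration],
                     patient_id: str, data_type: str, now: datetime) -> set:
    """Authorization module: basic right from the ACM, then dynamic override by
    the declared reason, applied only to the clinical record of the declared
    patient and only while the declaration is within its valid duration."""
    if (decl is None or decl.account != session.account
            or decl.patient_id != patient_id):
        return set()                  # no declared relation: the CPR stays closed
    expand, reduce, duration = REASONS[decl.reason]
    if now - decl.declared_at > duration:
        return set()                  # declaration expired: must be re-declared
    rights = set(BASE_ACM[session.job].get(data_type, set()))
    if data_type == "clinical":
        rights = (rights | expand) - reduce
    return rights
```

Note that financial data never gains rights from a declaration: the override touches only the clinical record, so the ACM rule that doctors cannot see financial information survives whatever reason is declared.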

2.2.4. Access Log Recording for Audit and Disclosure

In ordinary HISs, the log file would only hold records of "when, who (including his/her profile), whom (i.e., which patient), and what order/entry was performed"; they rarely hold "where (i.e., from which terminal)" or "what record was displayed or output".

In the proposed method this function is expanded, and the "relation and situation" is added as "why" (i.e., the reason, or under what role in the relation/situation). Granularity control of the displayed data/information is also available: (1) by data item, or (2) by window (which contains multiple items). Furthermore, the outflow pathway or media (display, printout, download) is recorded at the same time.

3. Results

3.1. Automatic Control of Available Functions in CPRS

With this model and mechanism, the CPRS acquires the ability to control accessible data/information and operable order/entry functions flexibly, dynamically and practically.

The available order/entry tools, data/information browsers, management utilities and other detailed functions in the CPRS can be controlled in both ways: by the pre-set multi-dimensional ACM according to license/job and data type, and by dynamic override according to the "relation and situation" declared as the reason for access.

3.2. Log with Validating Reasons

The CPRS environment is prepared to offer enough of a 'chronicle' to assess and evaluate the validity or justification of an access, because the displayed data/information and the operated order/entry are recorded in the log together with the "relation and situation" as the access reason and with the outflow pathway or media.

3.3. Disclosure

3.3.1. Mutual Watch of Access History

On the chart of the CPRS, the "relation and situation" is disclosed just below the medical records (i.e., the contents of treatment orders, clinical findings, and so forth), in addition to the operator's name and department/service.

Also, a function disclosing the access history is added to each item/window in case of need. The time stamp, operator's name and "relation and situation" can be listed in a sub-window of the accessed item/window. Therefore, clinical staff are able to keep mutual watch on "inappropriate behavior" in the system. With these functions, together with legal restriction and the morality of the medical staff, unreasonable access can be suppressed to a reasonable degree.

3.3.2. Security Assessment by Patient him/herself

The patient can also inspect the access history related to him/herself when permission is given. The patient is thus able to assess by him/herself how his/her clinical information is handled and the security status of his/her personal or social information.

4. Discussion

4.1. Requisites for Security Control

Subjects of security control were reported by the "Committee for Security and Personal Data Protection of Health Care Information" of the Japan Association of Medical Informatics (JAMI). Those listed below were included:

  1. Security of privacy (and Secrecy control by the patient him/herself)
  2. Balance between the benefit protection of the patient and that of the community in hospital
  3. Cost management of the security level control
  4. Prevention of leakage / theft / inappropriate use of hospital information

The author considers that the following two should be added to the above:

  5. Protection of doctor's intellectual productions
  6. Protection of the doctor's own privacy

This paper describes one solution to items #1, #2 and #3 within the same institution, but it does not cover items #4, #5 and #6. It does not concern security for hardware or network, nor is it an alternative to those security mechanisms.

4.1.1. Balance of Benefit Protection

A hospital is something like a community consisting of various patients and hospital staff. The benefit protection of 'other patients' and the protection of the clinical staff's safety are as important as the privacy security of 'the patient in question'. Staff such as doctors and nurses are also required to access the CPR even if he/she is not in charge, for the duty of ward management (e.g., infection control), or for the responsibility of self-management of his/her own health, at least in Japan.

Therefore, such a HIS cannot be considered appropriate when it loses the balance of benefit protection because of too much focus on the patient in question, or when only rigid or tight access control is possible.

4.2. Defects of Static and Tight Security Model

4.2.1. Explosion of the Security Level Management Cost

The patient-doctor relation and each clinical situation are not stable but change successively in a hospital. System administrators might, in theory, manage the adequate security level for each clinical scene in a static security control system. But in practice this is not realistic in a large-scale HIS [2,6]. Consequently, "Case 1" described in the Introduction will occur.

It may also be impossible to make an automatic judgment of security level changes, even if system intelligence is available. This is not because the number of rules and nodes is too large, but because (1) examples for which rules cannot be formulated may occur [2], and (2) changes of the clinical scene cannot be detected only with "account and password" and/or 'profile'.

4.2.2. Validity of Access Cannot be Verified

It is very difficult to make an accurate judgment of the validity of an access only by account/password and 'profile'. Although the access in "Case 2" is illegal, it is impossible to suppress such access with the traditional security control system. Even when audits are made, the validity of the access cannot be accurately assessed since no access reason is recorded in the log file. These defects and disabilities are all related to the absence, in the system, of the relationship between the patient and the clinical staff and of the situation at each clinical scene.

4.3. Principle : Confidentiality vs. Availability

At the author's institution the decision has been made to accept certain types of security risk in exchange for encouraging availability for teamwork care and its quality, with qualifications: the "need to show" requirement is permitted when it is well defined and socially accepted [3,4], and the responsibility for the level-change requirement is placed on the healthcare practitioners through their declaration of "relation and situation".

The system environment is rather solitary, as described in the Methods; therefore, inside attack is the major risk for us. In order to minimize that risk, however, we have provided (1) a disclosure function of the access history in the CPRS for mutual watch and the patient's assessment at any time, and (2) a post hoc system audit trail facility, both based on the "relation and situation" model. In addition, we are developing policies and procedures.

4.4. Superiority of "Relation and Situation" Model

4.4.1. Role at point-of-care and Context of Behavior

This model has been designed to focus both on the context or coherence/consistency of the clinical staff's behavior for care in the CPRS, and on the clinical role at the point of care. The former is new and noteworthy, and its details are discussed below in 4.4.5, Computer-based Audit Trail.

The latter itself contains parts of several dimensions [4]: patient file, healthcare worker, access duration and emergency [1,3,4]. These dimensions can be determined easily by only one 'parameter', like a compound key in a DBMS, and the "relation and situation" descriptions are quite explicit.

To handle other levels and dimensions, the access control system primarily invokes the pre-set ACM (e.g., doctors cannot access patients' financial information). DB and OS file/record permissions go without saying.

4.4.2. 'Availability' and Security Management Cost

This model supports the dynamic control of operable order/entry functions and accessible data/information in the CPRS, as described in the Results. Moreover, it does not ask for a password each time sensitive data are accessed, so immediate access is not interfered with. In this way, the "Case 1" problem is avoided.

Another advantage is that system administrators will not suffer from the huge, frequent and troublesome work of maintaining security levels. There is no need for them to be involved in each individual clinical scene, so item #3 of the Requisites is cleared.

4.4.3. Suppressing Factors of Inappropriate Access

The factors preventing inappropriate access are all social or psychological rather than technological. In this sense, this access control system depends on the morality of the whole clinical staff and their observance of regulations and policies. However, this approach is not so vulnerable; it works effectively on staff of a certain social standing. In fact, the author has already experienced at his hospital, over five years, a marked decrease of access with uncertain reason just by announcing that operators' behavior in the CPRS was kept watched by the system.

4.4.4. Credibility and Reliability of the Declaration

Criticism can be anticipated that there is no certification of the declaration, or that one's own declaration lacks reliability. There is no room for refutation of the former. As for the latter, although the reliability of the declaration may be low, an assessment of the declaration's credibility is possible, for the reasons given below.

4.4.5. Computer-based Audit Trail

The access log records "when, where, who, in what relation or situation, whose/what data or information were displayed, through which pathway or media". This access log itself provides rather strong audit trace capability, and most of the "Case 2" problem is solved. In addition, in the system at the author's hospital, a medical history file (MHF) is prepared, which records "when, who, to which patient, for what disease/problem, what order/entry was performed".

These two files are complementary to each other, recording both the medical staff's "behavior" in the CPRS and its "reason" declared by the staff themselves, with time stamps. They provide enough records to detect inappropriate access; therefore a computer-based audit trail facility has been prepared. By tracing the series of the access log and the MHF simultaneously and reciprocally, and by comparing "behavior" and "reason", any inconsistency of "behavior" or conflict between "behavior" and "reason" will inevitably appear, if it exists, because improper access lacks the context of care, the consistency of behavior (i.e., look and do), or an appropriate reason/role at the date/time of access.

If one of the pair (access log and MHF) does not exist, an accurate audit cannot be performed because the context of "behavior in the system" is lost. This may be one of the reasons why very few 'audit analysis software tools' exist [6,7].
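The following added example (written for this page, not the paper's or the hospital's code) carries out the reciprocal trace of the access log of 2.2.4 and the MHF of 4.4.5: each access is matched against an order/entry by the same operator for the same patient close in time, and a declared treatment reason without such a "do", or a printout/download under a non-treatment reason without it, is reported. The pipe-delimited record layouts, the sample lines, the reason categories and the two-day window are constructed assumptions.

```python
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed samples of the two complementary files. The pipe-delimited
# layouts are assumptions for this example, not the hospital's record formats.
# Access log: when|terminal|operator|job|reason|patient|window|media
ACCESS_LOG = """\
1998-07-01T09:05|ward3-t1|dr_a|doctor|attending|P100|findings|display
1998-07-01T09:20|ward3-t1|dr_a|doctor|attending|P100|orders|display
1998-07-02T14:10|opd-t7|dr_b|doctor|consult|P100|findings|display
1998-07-02T22:40|ward3-t2|dr_c|doctor|emergency|P205|findings|print
1998-07-03T08:15|ward3-t1|ns_d|nurse|ward_mgmt|P300|findings|download
1998-07-03T08:16|ward3-t1|ns_d|nurse|ward_mgmt|P301|findings|download
"""
# Medical history file (MHF): when|operator|patient|problem|order_or_entry
MHF = """\
1998-07-01T09:25|dr_a|P100|caries|order:restoration
1998-07-02T14:30|dr_b|P100|caries|entry:consult-note
1998-07-03T08:30|ns_d|P301|infection-control|entry:isolation-check
"""

ACCESS_FIELDS = ("when", "terminal", "operator", "job", "reason",
                 "patient", "window", "media")
MHF_FIELDS = ("when", "operator", "patient", "problem", "entry")

# Reasons that assert a treatment relation, so the "look" in the access log
# should be matched by a "do" in the MHF. Constructed policy for the example.
TREATMENT_REASONS = {"attending", "consult", "emergency"}
OUTFLOW_MEDIA = {"print", "download"}      # data leaves the screen
WINDOW = timedelta(days=2)                 # how far apart "look" and "do" may be

def parse(text: str, fields: Tuple[str, ...]) -> List[dict]:
    """Split a pipe-delimited file into dicts; 'when' becomes a datetime."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            rec = dict(zip(fields, line.split("|")))
            rec["when"] = datetime.fromisoformat(rec["when"])
            rows.append(rec)
    return rows

def corroborated(access: dict, mhf: List[dict]) -> bool:
    """True if the same operator made an order/entry on the same patient within WINDOW."""
    return any(m["operator"] == access["operator"]
               and m["patient"] == access["patient"]
               and abs(m["when"] - access["when"]) <= WINDOW
               for m in mhf)

def audit(access_text: str = ACCESS_LOG,
          mhf_text: str = MHF) -> List[Tuple[str, str, str]]:
    """Reciprocal trace of access log and MHF. Returns (operator, patient, code)
    for each access whose declared reason is not backed by behavior."""
    mhf = parse(mhf_text, MHF_FIELDS)
    findings = []
    for a in parse(access_text, ACCESS_FIELDS):
        if corroborated(a, mhf):
            continue                      # "look" and "do" agree: context of care
        if a["reason"] in TREATMENT_REASONS:
            findings.append((a["operator"], a["patient"], "reason_without_behavior"))
        elif a["media"] in OUTFLOW_MEDIA:
            findings.append((a["operator"], a["patient"], "outflow_without_context"))
    return findings
```

Run on the sample, the trace reports dr_c's "emergency" access to P205 (no order/entry ever followed) and ns_d's download of P300 (no ward-management entry for that patient), while ns_d's access to P301, backed by an isolation-check entry, passes.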

4.4.6. Way to Secrecy Control by Patient him/herself

A CPRS that affords the assessment of the access history by the patient him/herself has already been reported [5]. The access control method reported in this paper is able to clarify the access reason based on the "relation and situation" recorded in the log. Therefore, a more accurate assessment of the validity of access will be possible.

This will be a first step toward the realization of secrecy control rights by the patient [6]. In the near future, a day may come when the patient him/herself can specify which of his/her clinical or social information may be displayed/output according to the "relation and situation".

4.4.7. Record of Thinking Process

Recording detailed access in the access log means recording part of the thinking process of the clinical staff. The other part of the thinking process is stored in the MHF. This means that, with this kind of CPRS, the doctor's thinking or decision-making process is stored as it is. When it becomes possible to extract the thinking process from those files in a suitable format, this will be a great contribution to formulating clinical experience or medical knowledge, and to the construction of expert systems or artificial intelligence applications.

4.5. Limitation of "Relation and Situation" Model

4.5.1. File Volume and Transactions

The disk space occupied by the log grows day after day, and system transactions will be overloaded, because the details of access and operable functions are controlled and recorded. This is one of the reasons we separate the access log and the MHF.

At the author's hospital it is relatively easy to save disk space because the HIS is built with the M language (MUMPS). With a relational DBMS, the file volume would be too large for the system to work sufficiently, because a relational DBMS needs more disk space than M.

The granularity of displayed or output data/information is limited to the data item. At the author's hospital the system does not record which data value within the data item was inspected. This was decided with the intention of suppressing traffic and avoiding complicated transactions [3]. These limitations arose from installing and configuring the new method in the actual HIS.

4.5.2. Necessity of Combination with Other Security System

The security control method reported in this paper is designed only for access control of medical staff inside the same hospital. If a HIS had this method only, its security systems would be insufficient as a whole. For protection against attacks from unauthenticated users or from outside, other security systems are required.

5. Conclusion

Security and confidentiality are significant issues in the hospital information system. On the other hand, data sharing between many staff, even those not in charge of the patient, is inevitable because it is required by teamwork care and hospital management.

Therefore it is necessary to allow flexible data access when needed while suppressing immoral access. One solution is access control based on the "patient-doctor relation and clinical situation", recording it in the log to assess the validity of access. The "relation and situation" is declared by the medical staff themselves, and the system holds it as the reason for access.

With this method, the security system becomes able to (1) flexibly provide the necessary information to clinical staff at the point of care, (2) afford an accurate audit of access, and (3) suppress inappropriate access, by means of the "patient-doctor relation and clinical situation" in addition to "account and password" based on license(s) and occupation category, without increasing the management cost of security level control.


Acknowledgments

The author is grateful for the comments and suggestions provided by Dr. Yoshiyuki Sasaki, Dr. Atsuhiro Kinoshita and Mr. Akira Fujie, and for the thoughtful support of Ms. Ruby Tanaka in bringing the manuscript to publication.

References

  1. Louwerse CP, Kouwenberg JML. Data protection aspects in an integrated hospital information system. Comput Security 1984; 4: 286-289.
  2. Bakker AR. Security in Medical Information Systems. IMIA Yearbook of Medical Informatics. Schattauer Verlag, 1993: 52-60.
  3. Henkind SJ, Orlowski JM, Skarulis PC. Application of a Multilevel Access Model in the Development of a Security Infrastructure for a Clinical Information System. Proc 17th Sym Comp App Med Care 1993: 64-68.
  4. Brannigan JD. A Framework for need to know Authorizations in Medical Computer Systems. Proc 18th Sym Comp App Med Care 1994: 392-396.
  5. Safran C, Rind D, Citroen M, Bakker AR, Slack WV, Bleich HL. Protection of confidentiality in the computer-based patient record. MD Comput 1995; 12(3): 187-92.
  6. Barrows R Jr, Clayton PD. Privacy, confidentiality, and electronic medical records. J Am Med Inform Assoc 1996; 3(2): 139-48.
  7. Cushman R. Serious Technology Assessment for Health Care Information Technology. J Am Med Inform Assoc 1997; 4(4): 259-65.

NOTE:
average outpatients: 1350 a day; beds in a ward: 60; clinical departments/services: 24; total hospital staff: 1200
