On Canadian developments in Electronic Health Record Management and the need for cross-disciplinary action
By: Stefan Brands
February 16, 2005
In September 2000, Canada’s First Ministers committed “to work together to strengthen a Canada-wide health infrastructure to improve quality, access and timeliness of health care for Canadians.” As a result, in 2002 the Canadian provinces and federal government created Canada Health Infoway, which includes on its board of directors all Canadian deputy ministers of health. The core priority of Canada Health Infoway is the electronic health record. As defined by Canada Health Infoway, “An Electronic Health Record (EHR) is a secure and private lifetime record of an individual’s key health history and care. It creates significant value, providing a longitudinal (i.e. “cradle to grave”) view of clinical information. The record is available electronically to authorized health care providers and the individual anywhere and anytime in support of care.”
Privacy and security are of utmost importance in the design of the Canadian EHR infrastructure. According to unpublished private polling data collected in May 2003 by the Courtyard Group, the two main reasons Canadians would oppose the development of EHRs are (1) confidentiality and privacy [54%] and (2) safety of information [31%]. [Source: “The State of the EHR and Electronic Healthcare in Canada - The Unvarnished Version,” presentation by the Courtyard Group, November 13, 2003.] Privacy is also sought by medical practitioners: notably, many doctors strongly oppose solutions that would give central parties (such as health insurance organizations) the real-time power to monitor all their actions.
If privacy and security are not properly addressed, Canadians may stay away from the resulting EHR infrastructure, in which case hundreds of millions (if not billions) of taxpayer dollars will have gone down the drain. Unfortunately, there are currently no technologies on the market that can protect access to electronic health records without creating the equivalent of a digital surveillance infrastructure. For example, while PKI technology does a good job at message encryption and authentication, it roots inescapable systemic identification deeply into the infrastructure: a certificate binds a fixed identifier and public key to its holder, and that same identifier is presented unchanged at every access, so every transaction is identified at the moment it happens and can be linked to every other transaction by anyone who sees the data flow. This makes it impossible for individuals and medical service providers alike to control the flow of personal data and to limit the opportunity for unauthorized secondary uses of that data. Studies confirm that the most frequent breaches of patient information confidentiality do not come from unauthorized outsiders, but from uncontrolled secondary usage, accidental disclosures, curiosity, and subornation of insiders.
In spite of the awareness of Canada Health Infoway and many of its stakeholders that privacy is absolutely critical to the adoption and spread of EHRs, those stakeholders currently seem to be blissfully unaware of the profound privacy implications of the specific choice of authentication technologies used to protect access to EHRs. There is a misconception that privacy risks can be dealt with solely by means of data protection legislation and sectoral regulations. While legislation and regulations will always be an absolute necessity, they lose most of their power if, at the level of electronic data flows, everything is instantaneously traceable and linkable; for instance, how can organizations limit the collection of personal information if the infrastructure technology they use does not make it possible for them to do so?
At the same time, there seems to be virtually no awareness among Canada Health Infoway and other stakeholders of the existence of privacy-enhancing security technologies. A fundamental discovery of modern cryptography is that there is no need to rely on central parties for one’s privacy, and that this can be guaranteed by technical (cryptographic) means. Over the course of the past two decades, the cryptographic research community has developed a wide range of techniques for minimizing the disclosure of personal information at different stages in its life-cycle, including zero-knowledge proofs, privacy-preserving data-mining, private information retrieval, privacy-preserving digital credentials, homomorphic encryption, and so on.
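As an added illustration (example code written for this page; it is not the author's own credential system and not anything deployed by Canada Health Infoway), the following toy Chaum-style RSA blind signature shows in working code the property the two preceding paragraphs contrast. With a conventional certificate, the same public key is shown at every access, so every record can be joined on it and the issuing CA can in principle recognise its own certificate anywhere. With a blind signature, the issuer signs a value the user has randomised, and later cannot tell which of its issuances a shown credential came from, even with its private key and a complete log. The issuer key, the credential statements and the issuer log are constructed for the example; the RSA primes are far too small for real use, and a deployable scheme needs a proper full-domain hash, padding and a specific security analysis, which textbook RSA blinding alone does not provide.

```python
from __future__ import annotations

import hashlib
import math
import secrets

# Toy RSA issuer key. The primes are hard-coded so the example runs offline
# without any library; they are an assumption of this example and far too
# small for real use.
P = 1000000007
Q = 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private signing exponent


def message_hash(statement: bytes) -> int:
    """Map a credential statement to an integer mod N (toy full-domain hash)."""
    return int.from_bytes(hashlib.sha256(statement).digest(), "big") % N


def blind(m: int) -> tuple[int, int]:
    """User side: hide m under a fresh random factor r before contacting the issuer."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    blinded = (m * pow(r, E, N)) % N
    return blinded, r


def issuer_sign(blinded: int) -> int:
    """Issuer side: signs the blinded value it sees, never the statement itself."""
    return pow(blinded, D, N)


def unblind(blind_sig: int, r: int) -> int:
    """User side: strip r to obtain an ordinary RSA signature on m."""
    return (blind_sig * pow(r, -1, N)) % N


def verify(m: int, sig: int) -> bool:
    """Any verifier with the issuer's public key (N, E) can check the credential."""
    return pow(sig, E, N) == m


def issue_credential(statement: bytes, issuer_log: list[int]) -> tuple[int, int]:
    """Full issuance exchange; the issuer's log records everything it ever saw."""
    m = message_hash(statement)
    blinded, r = blind(m)
    issuer_log.append(blinded)
    sig = unblind(issuer_sign(blinded), r)
    return m, sig


def consistent_blinding_factor(logged: int, m: int) -> int:
    """Issuer's best linking attempt: the r that would map a log entry onto the
    shown m. Because E is coprime to phi(N), such an r exists for every entry,
    so every issuance explains the shown credential equally well."""
    return pow((logged * pow(m, -1, N)) % N, D, N)


def issuer_can_link(issuer_log: list[int], m: int) -> bool:
    """True only if some logged issuance is inconsistent with the shown credential."""
    for logged in issuer_log:
        r = consistent_blinding_factor(logged, m)
        if (m * pow(r, E, N)) % N != logged:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample statements; a real credential would carry attributes,
    # never a direct identifier.
    log: list[int] = []
    m_a, s_a = issue_credential(b"role=patient; plan=provincial", log)
    m_b, s_b = issue_credential(b"role=physician; licence-class=GP", log)
    print("credential A verifies:", verify(m_a, s_a))
    print("credential B verifies:", verify(m_b, s_b))
    print("issuer can link A to its log:", issuer_can_link(log, m_a))
```

The point of `issuer_can_link` is that the issuer is given every advantage (its private key and a complete log of issuances) and still finds every log entry consistent with the credential being shown; this is what it means for privacy to be guaranteed by cryptographic means rather than by trusting a central party. A verifier, by contrast, checks only `(N, E)` and learns nothing about which issuance produced the credential.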
At McGill University, my students and I are researching how these privacy-enhancing technology building blocks can be used to build secure EHR systems that preserve privacy. We believe this is an important area of research not only from an academic perspective, but also in light of the billions of dollars of taxpayers’ money being poured, now and in the coming years, into the creation of the Canadian EHR management infrastructure.
Needless to say, I would be most pleased to be joined in our efforts by other researchers in the anonequity project. Electronic health is one of the primary areas where the cross-disciplinary nature of our project can be truly powerful.
On that note, this Friday (February 18) I will be giving a lecture at the School of Computer Science of McGill University on the topic of privacy-by-design in health record management systems and other applications of “federated identity management.” (Abstract online.) The atmosphere will be relaxed, and there will be lots of opportunity for informal discussions on the topic afterwards. If you happen to be near Montreal that day and are interested in attending, send an e-mail to the colloquium organizer.