Universal Internet security policy addresses worldwide concerns

The communications capability of the Internet may be the sliced bread of modern healthcare, but it comes at great risk to the confidentiality and integrity of medical data.

The U.S. Health Insurance Portability and Accountability Act (HIPAA) regulations provide guidelines for domestic medical data security, but elsewhere in the world security issues are still largely unaddressed.

A universal high-level security policy (HLSP) has been proposed (Ilioudis C, Pangalos G. A framework for an institutional high level security policy for the processing of medical data and their transmission through the Internet, J Med Internet Res 2001;3(2):e14).

The authors, Christos Ilioudis and George Pangalos of Aristotle University in Thessaloniki, Greece, developed a security policy that includes a set of seven generic principles and 45 guidelines. These provide flexibility and adaptability for local environments and establish the basic security requirements to be addressed when using the Internet to safely transmit medical data.

Some U.S. observers question the proposal's efficacy.

"It would be extremely difficult to write a high-level international healthcare security policy due to conflicting national regulations," said Robert Johnson, an IT security expert at Information Advantage Group. "A work like this needs to build on things like GASSP, BS7799, Common Criteria, and Cobit."

GASSP is a 10-year old International Information Security Foundation-sponsored committee to develop and promulgate Generally Accepted System Security Principles; BS7799 is a new British standard providing more than 127 guidelines to identify appropriate security controls; Common Criteria is a 1993 ISO effort to define general concepts and principles of IT security; Cobit is a 1996 IT goverance tool.

There is concern that guidelines applicable in one country may apply in another.

For example, HLSP guideline G1.1 states that the data will be used for healthcare purposes only, when in fact it sometimes needs to be used by law enforcement and government, as set forth in HIPAA exceptions, Johnson said.

Another HIPAA expert, Kristen K. Hughes, a Florida healthcare attorney, said HLSP seems to focus merely on Internet data transmission.

"In this respect, it covers a smaller field than HIPAA," she said. "The Principles and Guidelines do consistently address the overall handling of 'personal health information,' however."

One major difference between HLSP and HIPAA is HLSP's failure to specifically address third-party relationships -- a necessity in the CYA and liability-avoidance climate in the U.S., Hughes said.

The more general principles in HLSP requiring "appropriate measures" and adoption of establishment-specific "regulations regarding circulation of personal health data" could address third-party access to protected information. But in a litigious environment like the U.S., more specific direction with respect to implementation of such laudable objectives is likely the safer route, she said.