Guidelines for the Security Management of Health information Systems Edition 4 (Draft version in English) March 2009 Ministry of Health, Labour and Welfare
Revision History

Edition 1 (March 2005): These guidelines were created by integrating the guidelines based on "Notice Concerning the Electronic Storage of Clinical and Other Records Legally Subject to Storage" (April 1999) and "Place for Storing Clinical and Other Records" (March 2002). They include guidelines for the electronic storage of clinical and other records legally subject to storage (including the external storage of hard copies) and guidelines for information system operation management relating to the protection of personal information at medical and nursing care institutions.

Edition 2 (March 2007): The Strategic Headquarters for the Promotion of an Advanced Information and Telecommunications Network Society (IT Strategic Headquarters) stated the "Establishment of a Safe Network Infrastructure" in the New IT Reform Strategy (January 2006). In the "Basic Proposal Concerning Information Security Measures for Critical Infrastructures" determined by the Information Security Conference (September 2005), health care was positioned as a critical infrastructure that seriously affects the lives of citizens if its service deteriorates or is stopped by a serious fault in the IT infrastructure, and a request was made to systemize and clarify measures for protecting health care from IT infrastructure disasters and cyber attacks. In these circumstances: (1) For the security of a network suitable for use at medical institutions, the requirements for a network linking medical institutions were defined from various viewpoints, such as assumed uses, threats to a network, measures against those threats, and measures for diffusion and their subjects. These requirements were compiled into 6.10, "Security Management at External Exchange of Health information Including Personal Information." (2) For measures against IT faults due to natural disasters and cyber attacks, 6.9, "Emergency Response to Disasters and Other Incidents," was created to give guidelines for protecting health care from disasters and cyber attacks while appropriately evaluating the dependence of health care on IT.

Edition 3 (March 2008): After the second revision, various measures were further discussed concerning the handling of personal information related to health care. In these circumstances: (1) For "Handling of health information," the responsibilities and rules for handling health care and health information were worked out and compiled into Chapter 4, "Responsibility for Handling Electronic Health information." Based on these proposals, 8.1.2, "Standards for Selecting External Information Storage Organization and Handling Information," was revised. (2) For "Technical requirements for using wireless and mobile services," guidelines were added to the related positions in Chapters 6 and 10 based on wireless LAN handling notes and a threat analysis of each type of network connection for mobile access. Requirements were added to 6.11, "Security Management at External Exchange of Health information Including Personal Information," regarding networks especially for mobile use, and 6.9, "Taking out Information and Information Equipment," was added regarding new risks related to storing and taking information externally.

Edition 4 (March 2009): After the third revision, the following issues were pointed out: "For the security management of health information, medical institutions and medical professions require expertise on information technologies and also great financial expenses such as facility investments." "Considering the recent severe health care provision system, the limited human and financial health care resources should be spent on providing high-quality health care, which is the substantial work of medical institutions and medical professions, and excess labor and resources should not be spent on computerization." "On the other hand, with the recent progress of medical computerization, people are expected to browse, collect, and present their own health information for health enhancement." Consequently, to construct a more appropriate information infrastructure for the health care field: (1) For the ideal management of electronic information in the health care field, these guidelines were revised for easy reading and to meet the request from various parties for consistent guidelines on health information, by systematically studying security management and operation policies based not only on physical location but also on the health information itself, so that such information is handled according to technological progress. To clarify notes, 3.3, "Documents Requiring Careful Handling," was newly added. Chapter 5 was totally reviewed and revised as Chapter 5, "Interoperability and Standardization of Information." Items C and D were added to 6.1, "Establishment and Announcement of Policies," and 6.2, "Implementation of Information Security Management System (ISMS) at Medical Institution." The matter concerning access from outside was added to 6.11, "Security Management at External Exchange of Health information Including Personal Information." Items B, C, and D were greatly reviewed throughout Chapter 7, "Requirements relating to Electronic Storage." To 8.1.2, "Standards for Selecting External Information Storage Organization and Handling Information," a provision was added concerning compliance with guidelines from the Ministry of Economy, Trade and Industry and the Ministry of Internal Affairs and Communications when the information recipient is a private business operator. These guidelines were totally revised by reviewing the technical requirements and also the relations between various ordinances and notices and Item A.
[Contents]
1 Introduction... 1
2 How to Interpret the Guidelines... 9
3 Applicable System and Information Regarding the Guidelines... 12
3.1 Applicable Documents of Chapters 7 and 9... 12
3.2 Applicable Documents of Chapter 8... 14
3.3 Documents Requiring Careful Handling... 15
4 Responsibility for Handling Electronic Health information... 16
4.1 Manager's Responsibility for Information Protection at Medical Institutions... 17
4.2 Demarcation of Responsibility in Entrustment and Provision to Third Party... 19
4.2.1 Demarcation of Responsibility in Entrustment... 19
4.2.2 Demarcation of Responsibility in Provision to a Third Party... 21
4.3 Summary of the Demarcation Point of Responsibility by Exemplification... 22
4.4 Demarcation Point of Responsibility in Technical and Operational Remedies... 27
5 Interoperability and Standardization of Information... 28
5.1 Basic Datasets, Standard Glossaries, and Code Sets... 29
5.1.1 Basic Datasets... 31
5.1.2 Glossaries and Code Sets... 31
5.2 Compliance with International Standards for Data Exchange... 32
5.3 Other Matter Related to the Application of Standards... 33
6 Basic Security Management of an Information System... 34
6.1 Establishment and Announcement of Policies... 34
6.2 Implementation of Information Security Management System (ISMS) at a Medical Institution... 37
6.2.1 ISMS Construction Procedure... 37
6.2.2 Grasp of Handled Information... 39
6.2.3 Risk Analysis... 39
6.3 Systematic Security Management Measures (System and Operation Management Regulations)... 43
6.4 Physical Security Measures... 45
6.5 Technical Security Measures... 47
6.6 Human Security Measures... 55
6.7 Discard of Information... 57
6.8 Alteration and Maintenance of Information System... 58
6.9 Taking out Information and Information Equipment... 61
6.10 Emergency Action in Disasters or Other Incidents... 64
6.11 Security Management at External Exchange of Health information Including Personal Information... 67
6.12 Electronic Signature for Compulsory Signing and Sealing... 86
7 Requirements for Electronic Storage... 90
7.1 Securing Authenticity... 90
7.2 Securing Human Readability... 98
7.3 Securing Storability... 101
8 Standards for the External Storage of Clinical and Other Records... 106
8.1 External Storage Using Electronic Media through a Network... 106
8.1.1 Observance of the 3 Standards for Electronic Storage... 107
8.1.2 Standards for Selecting External Information Storage Organization and Handling Information... 108
8.1.3 Protection of Personal Information... 117
8.1.4 Clarification of Responsibility... 119
8.1.5 Notes... 119
8.2 External Storage of Electronic Media Using Portable Media... 119
8.3 External Storage of Hard Copies... 119
8.4 General Notes on External Storage... 120
8.4.1 Operation Management Regulations... 120
8.4.2 At the End of External Storage Contract... 120
8.4.3 External Storage of Clinical Records Not Legally Subject to Storage... 121
9 Electronic Storage of Clinical Records Using Scanner or Other... 122
9.1 Common Requirements... 122
9.2 Electronic Storage after Every Clinical Consultation Using Scanner or Other Equipment... 125
9.3 Electronic Storage of Past Hard Copies Using Scanner or Other... 126
9.4 (Supplement) Electronic Storage Using Scanner and Hard-copy Storage for Convenience... 128
10 Operation Management... 130
Additional Clause 1 External Storage of Electronic Media Using Portable Media... 140
Additional Clause 2 External Storage of Hard Copies... 149
Attached Table 1 Operation Management Items for General Management
Attached Table 2 Operation Management Items for Electronic Storage
Attached Table 3 Example of Operation Management for External Storage
Appendix (Reference) Contents of Agreement on Interlinking Clinical Information with External Institution
1 Introduction

Requirements related to the electronic storage of clinical and other records and their storage location were clarified by the notice of April 1999, "Electronic Storage of Clinical and Other Records" (Health Service Publication No.517, Pharmaceutical and Food Safety Publication No.587, and Health Insurance Publication No.82 dated April 22, 1999 under the joint signatures of the Ministry of Welfare's directors general for the Health Service Bureau, Pharmaceutical and Food Safety Bureau and Health Insurance Bureau), and by the notice of March 2002, "Location for Storing Clinical and Other Records" (Health Policy Publication No.0329003 and Health Insurance Publication No.0329001 dated March 29, 2002 under the joint signatures of the Ministry of Health, Labour and Welfare's directors general for the Health Policy Bureau and the Health Insurance Bureau, revised by Health Policy Publication No.0331010 and Health Insurance Publication No.0331006 dated March 31, 2005). The progress of information technology since then has been remarkable, and the demand for integrated computerization, beginning with the e-Japan Strategy and other projects, is gradually increasing even at the social level. In November 2004, the Act on Utilization of Information and Communications Technology for Document Storage by Private Business Entities (2004 Law No.149, hereinafter "e-document Law") was established to allow the electronic handling of documents which are legally required to be created or stored. For health information, the "Ordinance for Enforcement of Act on Utilization of Information and Communications Technology for Document Storage by Private Business Entities Pertaining to Laws and Regulations Under the Jurisdiction of the Ministry of Health, Labour and Welfare" (MHLW Ordinance No.44 dated March 25, 2005) was issued.
The Committee on Health information Network Infrastructure, established within the Health Policy Bureau of the Ministry of Health, Labour and Welfare, had been studying an institutional infrastructure to solve technical and operational management problems and promote the computerization of health information since June 2003, and compiled its final report in September 2004. In response to the above situation, the "Guidelines for the Electronic Storage of Clinical and Other Records Legally Subject to Storage" (Health Service Publication No.517, Pharmaceutical and Food Safety Publication No.587, and Health Insurance Publication No.82 dated April 22, 1999 under the joint signatures of the directors general of the Health Service Bureau, Pharmaceutical and Food Safety Bureau, and Health Insurance Bureau, Ministry of Welfare) and the "Guidelines for the External Storage of Clinical Records" (Health Policy Publication No.0531005 dated May 31, 2002 under the signature of the director general of the Health Policy Bureau, Ministry of Health, Labour and Welfare) were reviewed, and it was decided to create integrated guidelines for the operation management of information systems contributing to the protection of personal information and compliance with the e-document Law. In December 2004, the Guidelines for the Appropriate Handling of Personal Information by Medical and Nursing Care Providers were announced in preparation for the full enforcement of the Act Concerning Protection of Personal Information (2003 Law No.57, hereinafter the "Personal Information Protection Act") in April 2005. Those guidelines cover the implementation of information systems and the handling of external storage that accompanies such implementation. These guidelines are intended for those responsible for the electronic storage of clinical and other records at hospitals, clinics, pharmacies, and midwifery centers (hereinafter "Medical Institutions"); they refer specifically to technologies now available and consider the ease of understanding such technologies. To prevent the technical descriptions from becoming obsolete, these guidelines will be reviewed periodically. Be sure to use the latest edition of these guidelines. These guidelines are paired with the Guidelines for the Appropriate Handling of Personal Information by Medical and Nursing Care Providers. The protection of personal information cannot be achieved simply by measures related to information systems. When using these guidelines, therefore, even those in charge of information systems only should clearly understand the Guidelines for the Appropriate Handling of Personal Information by Medical and Nursing Care Providers and confirm that measures relating to the protection of personal information are achieved even where no information systems are concerned.
Outline of Revision

[Edition 2] In January 2006, after the first edition of these guidelines (March 2005) was published, the Strategic Headquarters for the Promotion of an Advanced Information and Telecommunications Network Society (IT Strategic Headquarters) announced the New IT Reform Strategy. Compared with the e-Japan Strategy, the New IT Reform Strategy gives priority to the utilization of health information. Stating that various forms of interlinking health information will prove advantageous, the New IT Reform Strategy devised a range of proposals relating to interlinking methods and their elemental technologies, one of which is the "Establishment of Safe Network Infrastructure." In the "Basic Proposal Concerning Information Security Measures for Critical Infrastructures" determined by the Information Security Conference (September 2005), health care was positioned as a Critical Infrastructure that seriously affects the lives of citizens if its service deteriorates or is stopped by a serious fault in the IT infrastructure, and a request was made to systemize and clarify measures for protecting health care from IT infrastructure disasters and cyber attacks. In these circumstances, the Committee on Health information Network Infrastructure discussed (1) "Definition of security requirements concerning a network suitable for use at Medical Institutions" and (2) "Measures against IT faults by natural disasters and cyber attacks" and revised these guidelines. With respect to (1) ("Definition of security requirements concerning a network suitable for use at Medical Institutions"), the requirements of a network linking Medical Institutions were defined from various viewpoints, such as assumed uses, threats to a network, measures against those threats, and measures for diffusion and their subjects. These requirements were compiled into 6.10, "Security Management at External Exchange of Health information Including Personal Information."
For the network-related requirements in Chapter 8, "Standards for the External Storage of Clinical and Other Records," Section 6.10 was referred to. Chapter 10, "Operation and Management," was partially revised as operational guidelines for the said network at Medical Institutions. For (2) ("Measures against IT faults by natural disasters and cyber attacks"), 6.9, "Emergency Response to Disasters and Other Incidents," was created to provide guidelines for protecting health care from disasters and cyber attacks while appropriately evaluating the dependence of health care on IT. As an idea for the practical operation of information security, the concept of 6.2, "Implementation of Information Security Management System (ISMS) at Medical Institution," was incorporated and some additions were made to the related section in Chapter 10, "Operation and Management." Ordinances and notices amended after the publication of these guidelines were also updated as institutional requirements. The basic requirements have not changed; however, the modifications to the laws and other instruments referenced as institutional requirements should be noted.
[Edition 3] Edition 2 of these guidelines was published to ensure security regarding a network infrastructure. Since then, discussions on various measures have been in progress regarding personal information related to health care. In these circumstances, it is envisioned that access to information will not be limited only to medical and healthcare professionals as it had been in the past. In the exchange of health information through a network, for example, an information-processing service provider which accumulates the information temporarily is envisioned. If such a provider is to be used, clear rules for the handling of information are necessary. Now that work systems are diversifying, medical and health information may be processed not only within Medical Institutions, but also externally through a network. In these circumstances, the Committee on Health information Network Infrastructure discussed (1) "Handling of health information," (2) "Computerization of prescriptions," and (3) "Technical requirements for using wireless and mobile services," and reflected the results of discussing (1) and (3) in Edition 3 of these guidelines. Medical and health information used to be handled by medical and healthcare professionals obligated to maintain confidentiality by their professional licenses. However, the progress of information technology is now producing circumstances where the information may be handled by those who do not have such licenses. Therefore, the Committee discussed (1) "Handling of health information" to establish rules for information handling. Only patients are permitted to handle their medical and health information, with the exception of authorized physicians and other medical professions who analyze it. However, due to the computerization of information, numerous people can obtain access to such information, and it is necessary to clarify the responsibility of those concerned and also the demarcation points of responsibility.
Through discussion, the idea of responsibility was summarized in Chapter 4, "Responsibility for Handling Electronic Health information," and, based on this idea, 8.1.2, "Standards for Selecting External Information Storage Organization and Handling Information," was also revised. To meet the recent diversification of work systems, (3) "Technical requirements for using wireless and mobile services" was also discussed. Using wireless LAN allows network connection in restricted areas. Depending on its use, however, wireless LAN also exposes communications to threats such as interception, unauthorized access, and interference. Mobile networks allow connection to the information system both from within the facilities and from outside them, which improves convenience; however, since there are various networks permitting mobile access, threats were analyzed for each form of connection. Necessary guidelines based on these discussions were added to the related sections in Chapter 6. In particular, the idea of a network was summarized in 6.11, "Security Management at External Exchange of Health information Including Personal Information." If information is taken out on mobile terminals or portable media, new risks such as theft and loss can also be anticipated; therefore 6.9, "Taking out Information and Information Equipment," was created.
[Edition 4] Edition 3 of these guidelines prescribed clear rules of information handling for professionals of various occupations dealing with medical information and, in particular, clarified the demarcation points of responsibility. This was expected to further promote computerization; however, the following issues were pointed out: "For the security management of health information, Medical Institutions and medical professions require expertise on information technologies, as well as further financial expenses for facility investments etc." "Considering the recent severe health care provision system, the limited human and financial health care resources should be spent on providing high-quality health care, which is the substantial work of Medical Institutions and medical professions, and excess labor and resources should not be spent on computerization. On the other hand, with the recent progress of medical computerization, people are expected to browse, collect, and present their own health information for health enhancement." To construct a more appropriate information infrastructure for the health care field, the Committee on Health information Network Infrastructure discussed (1) "Ideal management of electronic information in the health care field" and (2) "Measures for personal management and use of own health information." For (1), the discussion concluded that "medical treatment information guidelines should be revised for easy reading and to meet the request from various parties for consistent guidelines on health information, by systematically studying security management and operation policies based not only on physical location but also on the health information itself, so that such information is handled according to technological progress," and the results of that discussion are reflected in Edition 4 of these guidelines.
The outline is as follows. As part of the systematic review, 3.3, "Documents Requiring Careful Handling," was added to Chapter 3 to clarify the handling of the following documents in accordance with these guidelines: (1) documents not mentioned in enforcement notices but covered by the e-document Law and containing personal information of patients (narcotics account book, etc.); (2) documents after the legal storage period; (3) physiological examination records and images, such as ultrasonic images, referred to at every clinical examination for description in clinical records; and (4) various documents necessary for calculating health care fees (medication records at pharmacies, etc.). Considering the importance of interoperability and standardization of health information, Chapter 5 was totally reviewed to reorganize its structure and support the latest technologies, and revised as Chapter 5, "Interoperability and Standardization of Information." In Chapter 6, the basic policy items to be announced were clarified in 6.1, "Establishment and Announcement of Policies," by quoting JIS Q 15001:2006, and the security management policies were explained specifically by quoting JIS Q 27001:2006. Then "C Minimum guidelines" was added. Similarly, "C Minimum guidelines" and "D Recommended guidelines" were added to 6.2, "Implementation of Information Security Management System (ISMS) at Medical Institution." To 6.11, "Security Management at External Exchange of Health information Including Personal Information," Items B and D were added in relation to access from outside parties concerned. To Chapter 7, a preamble about electronic storage was added and the principles of requirements and measures were stated. Throughout Chapter 7, Item A clarified the relationship between ordinances and notices of the Ministry of Health, Labour and Welfare. In 7.1, "Securing Genuineness," Item B was greatly simplified, Item C was reviewed, and Item D was totally deleted. In 7.2, "Securing Human Readability," Item B was simplified, Item C was reviewed after the statement by type of storage place was cancelled, and predicted emergency cases were added to Item D. Similarly, in 7.3, "Securing Storability," Items C and D were greatly reviewed. Note that Items C and D in Chapter 7 were reviewed and many corrections were made. Regarding the request from various parties for consistent guidelines on health information, no changes were made to the requirements for risk management when private business entities store health information externally. Chapter 8, "Standards for the External Storage of Clinical and Other Records," however, clarifies the idea of operation and information management for information-receiving business entities, on the condition that they comply with guidelines issued by the Ministry of Economy, Trade and Industry and the Ministry of Internal Affairs and Communications. Edition 4 was created by a general revision in accordance with technological progress, such as changing the scanner requirements in Chapter 9, and by making the descriptions easy to understand.
2 How to Interpret the Guidelines

These guidelines are organized as explained below. Persons responsible at Medical Institutions, information system administrators and implementers are expected to take individual measures after understanding their related sections. In these guidelines, the terms "health information" and "health information system" refer to health information including patient information (personal ID information) and a system to deal with that information.

[Chapters 1 to 6] The contents of these chapters are to be referred to at all Medical Institutions where data including personal information is dealt with.
[Chapter 7] This chapter describes guidelines for the electronic storage of clinical records legally subject to storage.
[Chapter 8] This chapter describes guidelines for the storage, outside Medical Institutions, of clinical and other records that are legally subject to storage.
[Chapter 9] This chapter describes guidelines for electronic storage using a scanner based on the e-document Law.
[Chapter 10] This chapter describes matters concerning operation and management regulations.

Most of these guidelines aim to present measures for requirements, such as laws, MHLW ordinances, and other guidelines. They are roughly divided into the following items and explained individually.

A Institutional requirements: This item describes requirements based on laws, notices, and other guidelines.
B Concept: This item explains the requirements and gives basic measures.
C Minimum guidelines: This item describes what must be done to satisfy the requirements of A. Actual measures may differ depending on the scale of the Medical Institution, or one of several measures may be selected. However, appropriate measures must be selected by using the attached operation management table and actually executed.
D Recommended guidelines: This item describes measures not essential for satisfying the requirements but recommended for easy understanding from the viewpoint of accountability. It also describes some notes that should be taken into account when using technology not adopted in the minimum system.

The three attached tables at the end of these guidelines summarize technical and operational measures to satisfy security management requirements. They were created for use in creating operation and management regulations. Security management measures become effective only when both technical and operational measures are taken. Technical measures often have multiple choices, and corresponding operational measures are necessary for the technical measures adopted. The attached tables are organized from the following items:
1 Operation and management item: Security management requirements needing some operational measures
2 Implementation item: Classified further from the above management item down to the implementation level
3 Object: Standard scale of Medical Institutions
4 Technical measures: Technically possible measures enumerated for selection for one implementation item
5 Operational measures: Summary of operational measures necessary for the technical measures in 4
6 Model sentence for operation and management regulation: Sample wording for stating operational measures in regulations

Each institution prescribes, in its operation and management regulations, the operational measures corresponding to the technical measures adopted for an implementation item, and confirms the actual observance of the regulation to achieve the implementation item. Before selecting technical measures, each institution discusses the corresponding operational measures so that technical measures are selected within the range its own operation can support. In general, if priority is given to operational measures, information system introduction costs decrease. If priority is given to technical measures, the user's operational burden decreases. Since balancing the two appropriately is very important, these attached tables will be very helpful.
3 Applicable System and Information Regarding the Guidelines

These guidelines are aimed at both storage systems and all information systems which deal with medical information, as well as all people and organizations involved in the implementation, operation, use, maintenance, and discard of the systems. The applicable documents, however, are partially limited in Chapter 7, "Requirements for Electronic Storage," Chapter 8, "Standards for the External Storage of Clinical and Other Records," and Chapter 9, "Electronic Storage of Clinical Records Using Scanners or Other Equipment."

3.1 Applicable Documents of Chapters 7 and 9

Documents concerning health care can roughly be divided into those which are legally subject to creation or storage and those which are not. The applicable documents of Chapters 7 and 9 are documents which are legally subject to creation or storage. More specifically, these chapters deal with the following documents prescribed in "Ordinance for Enforcement of Act on Utilization of Information and Communications Technology for Document Storage by Private Business Entities Pertaining to Laws and Regulations Under the Jurisdiction of the Ministry of Health, Labour and Welfare" (2005 MHLW Ordinance No.44) and "Notice Concerning the Enforcement of Act on Utilization of Information and Communications Technology for Document Storage by Private Business Entities" (Health Policy Publication No.0331009, Pharmaceutical and Food Safety Publication No.0331020, and Health Insurance Publication No.0331005 dated March 31, 2005 under the joint signatures of the directors general of the Health Policy Bureau, Pharmaceutical and Food Safety Bureau, and Health Insurance Bureau, Ministry of Health, Labour and Welfare; hereinafter "Enforcement Notice") as health care documents to which the e-document Act applies.

Applicable documents of Chapters 7 and 9 (*For prescriptions, the requirements of (4) in Enforcement Notice No.2-2 shall be satisfied.)
1. Clinical records in Article 24 of the Medical Practitioners Law (1948 Law No.201)
2. Clinical records in Article 23 of the Dental Practitioners Law (1948 Law No.202)
3. Midwifery records in Article 42 of the Law of Public Health Nurses, Midwives and Nurses (1948 Law No.203)
4. Business reports and other reports reserved for audit based on the provisions of Clauses 1 and 2 in Article 51-2 of the Medical Care Law (1948 Law No.205)
5. Instructions in Article 19 of the Dental Technicians Law (1955 Law No.168)
6. Prescription records in Article 28 of the Pharmacists Law (1960 Law No.146)
7. Clinical records in Article 11 of the Law Concerning the Exceptional Cases of the Medical Practitioners Law and Dental Practitioners Law, Article 17, on the Advanced Clinical Training of Foreign Medical or Dental Practitioners (1987 Law No.29)
8. Emergency life saving records in Article 46 of the Emergency Life Guards Law (1991 Law No.36)
9. Documents of Clauses 1 and 2 in Article 30-23 of the Enforcement Regulations for the Medical Care Law (1948 Ministry of Welfare Ordinance No.50)
10. Clinical records in Article 9 of the Insurance Medical Institution and Physician Healthcare Management Regulations (1957 Ministry of Welfare Ordinance No.15) (Article 22 for creation)
11. Prescription records in Article 6 of the Insurance Pharmacy and Pharmacist Healthcare Management Regulations (1957 Ministry of Welfare Ordinance No.16) (Article 5 for creation)
12. Documents in Article 12-3 of the Enforcement Regulations for the Clinical Laboratory Technicians Law (1958 Ministry of Welfare Ordinance No.24) (Paragraphs 14 and 15 of Article 12 for creation)
13. Records of Clause 1 in Article 21 of the Medical Care Law (1948 Law No.205) (of the various clinical records prescribed in Paragraph 9 of the said clause, only the prescriptions of Paragraph 10 of Article 20 of the Enforcement Regulations for the Medical Care Law), records in Article 22 (of the various clinical records prescribed in Paragraph 2 of the said article, only the prescriptions of Paragraph 2 in Article 21-5 of the Enforcement Regulations for the Medical Care Law), and records in Article 22-2 (of the various clinical records prescribed in Paragraph 3 of the said article, only the prescriptions of Paragraph 2 in Article 22-3 of the Enforcement Regulations for the Medical Care Law)*
14. Prescriptions in Article 27 of the Pharmacists Law (1960 Law No.146)*
15. Prescriptions in Article 6 of the Insurance Pharmacy and Pharmacist Healthcare Management Regulations (1957 Ministry of Welfare Ordinance No.16)*
16. Records of Clause 1 in Article 21 of the Medical Care Law (1948 Law No.205) (excluding the prescriptions of Paragraph 10 in Article 20 of the Enforcement Regulations for the Medical Care Law), records in Article 22 (excluding the prescriptions of Paragraph 2 in Article 21-5 of the Enforcement Regulations for the Medical Care Law), and records in Article 22-2 (excluding the prescriptions of Paragraph 2 in Article 22-3 of the Enforcement Regulations for the Medical Care Law)
17. Work records of dental hygienists in Article 18 of the Enforcement Regulations for the Dental Hygienists Law (1989 Ministry of Welfare Ordinance No.46)
18. Irradiation records of Clause 1 in Article 28 of the Radiology Technicians Law (1951 Law No.226)

Of the documents legally subject to creation or storage, health care documents not prescribed in the e-document Act are excluded even when they are converted into electronic information.

3.2 Applicable Documents of Chapter 8

Chapter 8 covers the following documents prescribed in the "Notice Concerning Partial Amendment of 'Place for Storing Clinical and Other Records'" (Health Policy Publication No.0331010, Health Insurance Publication No.0331006 dated March 31, 2005, under the joint signatures of the Directors General of the Health Policy Bureau and the Health Insurance Bureau, Ministry of Health, Labour and Welfare; hereinafter, "External Storage Amendment Notice").

1. Clinical records in Article 24 of the Medical Practitioners Law (1948 Law No.201)
2. Clinical records in Article 23 of the Dental Practitioners Law (1948 Law No.202)
3. Midwifery records in Article 42 of the Law of Public Health Nurses, Midwives and Nurses (1948 Law No.203)
4. Business reports and other reports reserved for audit based on the provisions of Clauses 1 and 2 in Article 51-2 of the Medical Care Law (1948 Law No.205)
5. Various clinical records in Articles 21, 22, and 22-2 of the Medical Care Law (1948 Law No.205) and various hospital management and operation records in Articles 22 and 22-2
6. Instructions in Article 19 of the Dental Technicians Law (1955 Law No.168)
7. Clinical records in Article 11 of the Law Concerning the Exceptional Cases of the Medical Practitioners Law and Dental Practitioners Law, Article 17, on the Advanced Clinical Training of Foreign Medical or Dental Practitioners (1987 Law No.29)
8. Emergency life saving records in Article 46 of the Emergency Life Guards Law (1991 Law No.36)
9. Documents of Clauses 1 and 2 in Article 30-23 of the Enforcement Regulations of the Medical Care Law (1948 Ministry of Welfare Ordinance No.50)
10. Clinical records in Article 9 of the Insurance Medical Institution and Physician Healthcare Management Regulations (1957 Ministry of Welfare Ordinance No.15) (Article 22 for creation)
11. Documents in Article 12-3 of the Enforcement Regulations for the Clinical Laboratory Technicians Law (1958 Ministry of Welfare Ordinance No.24) (Paragraphs 14 and 15 of Article 12 for creation)
12. Work records of dental hygienists in Article 18 of the Enforcement Regulations of the Dental Hygienists Law (1989 Ministry of Welfare Ordinance No.46)
13. Irradiation records in Article 28 of the Radiology Technicians Law (1951 Law No.226)

3.3 Documents Requiring Careful Handling

In addition to the documents listed in 3.1, the following documents require careful handling to protect personal information:
- Documents not mentioned in the enforcement notices but covered by the e-document Act and containing personal information of patients (narcotics account books, etc.)
- Documents whose legal storage period has expired
- Physiological examination records and images, such as ultrasonic images, that are referred to at every clinical examination when writing clinical records
- Various documents necessary for calculating health care fees (medication records at pharmacies, etc.)

With a full understanding of the laws related to the protection of personal information, the four kinds of documents listed above shall be handled in compliance with Chapters 7 and 9, referring to the various guidelines and to Chapter 6, "Security Management," of these guidelines, which also applies to securing an information management system, for as long as the personal information, including backup copies, is stored and not discarded. Also refer to 9.4, "Electronic Storage Scanner for Convenience and Hard-copy Storage," as required. For the external (continuous) storage of a document prescribed in 3.2, Chapter 8 shall be adhered to even when the Enforcement Notice or the External Storage Amendment Notice no longer applies because the legal storage period has expired.
4 Responsibility for Handling Electronic Health Information

The Medical Care Law and other laws prescribe that any medical practice shall be conducted under the responsibility of the manager of the medical institution concerned. This also applies to the handling of health information. Health information should be collected, stored, and discarded appropriately, so as to maintain the duty of confidentiality prescribed in the Penal Code and to comply with the various laws and guidelines related to the protection of personal information, and it should meet the requirements prescribed in the laws, notices, and guidelines pertaining to clinical information. Intentional conduct that contravenes these requirements may be punishable as disclosure of confidential information under the Penal Code. Unintentional leakage or unintended use of clinical information may also pose a critical problem. Appropriate management is necessary to avoid such circumstances, and a manager should take due care as a good manager (duty of care). What this management requires differs depending on the information and the circumstances.

The value and criticality of health information does not vary significantly with the storage medium. The manager of a medical institution should take at least equal care over hard-copy storage (paper or film) and electronic storage within the institution. However, electronic information also has the following peculiarities:
- Compared with hard-copy information such as paper or film, the movement of electronic information is difficult for ordinary people to perceive.
- A great amount of information can leak instantaneously.
- Medical professionals are often unfamiliar with the safe protection of information, because they are not necessarily specialists in information handling.
Consequently, each medical institution should:
- discuss the scope of computerization and its methods, considering the advantages and disadvantages in its own circumstances;
- select the system functions to implement and an operation plan; and
- determine the actions needed to comply with the expected security standards.

Where computerized health information does not remain within the medical institution but is exchanged or shared through a network, the medical institution, the network space provider, and the network communication carrier shall all be responsible for its management. With respect to the handling of electronic health information between the parties concerned, this chapter summarizes the "contents and scope of the manager's responsibility for information protection at a medical institution" and the "responsibility when information processing is entrusted to another medical institution or business operator, or when health information is entrusted together with other work or provided to a third party," using the concept of demarcation of responsibility.

4.1 Manager's Responsibility for Information Protection at Medical Institutions

For the appropriate management of health information at a medical institution, the manager has the ordinary responsibility of constructing and managing a system for protecting health information in operation, as well as the responsibility of coping with any problems that occur (typically, information leakages). These guidelines refer to the former as "operational responsibility" and the latter as "post-event responsibility."

1 Operational responsibility

Operational responsibility means pertinent information management to protect health information appropriately. This responsibility is not limited to appropriate information management, however, but includes the following three kinds of responsibility:

Accountability
This is to make clear to patients that the functions and operation plan of a system handling health information electronically satisfy the handling standards. To satisfy this responsibility, a medical institution should:
- clearly document the system specifications and an operation plan;
- conduct periodic audits to confirm that the specifications and plan are being followed in accordance with the initial policy;
- document the audit results without ambiguity;
- deal sincerely with problems found by the audit; and
- document the actions taken so that a third party can verify them.

Responsibility for management
This is the responsibility for operating and managing a system that deals with health information. Entrusting the management of the system to a subcontractor does not by itself discharge it. To satisfy this responsibility, a medical institution should:
- produce a management status report at least periodically; and
- supervise by clarifying where the final responsibility for management lies.
The Personal Information Protection Act prescribes the appointment of the following persons to deal with a subcontractor:
- persons responsible for protecting personal information; and
- persons with certain knowledge relating to the protection of electronic personal information.

Responsibility for periodic review and necessary improvement
Since information protection technology is advancing rapidly, the current information protection system may become outdated. To review and improve the system as required, a medical institution should:
- audit the operation management status of the information system periodically; and
- identify problems and make the necessary improvements.
The manager of a medical institution should always consider improvements to the protection mechanism for health information, and should periodically evaluate and thoroughly study the current operation management.

2 Post-event responsibility

For any problem relating to health information (typically, a leakage), the responsibilities are as follows:

Accountability
Medical institutions have a certain public character and naturally have a responsibility to account to individual patients. In addition, medical institutions are expected to offer explanations and notifications to the supervising governmental agency and to society. To satisfy this responsibility, a medical institution should:
- announce the incident through the manager of the medical institution; and
- explain its cause and the action taken.

Responsibility for devising remedial measures
The manager of a medical institution is also responsible for devising remedial measures. This responsibility can be classified as follows:
1) responsibility for pursuing and clarifying the cause;
2) responsibility for compensating for damage caused by the institution; and
3) responsibility for preventing recurrence.

4.2 Demarcation of Responsibility in Entrustment and Provision to a Third Party

For the transmission of health information to an outside medical institution or business operator, the Personal Information Protection Act distinguishes entrustment (entrustment to a third party) from provision to a third party. Following the previous section, this section summarizes the responsibility of the manager of a medical institution for information protection in each case.

4.2.1 Demarcation of Responsibility in Entrustment

Upon entrustment, the manager of the medical institution remains responsible for management. With the assistance of the entrusted business operator, the manager is obligated to satisfy the "accountability," "responsibility for management," and "responsibility for periodic review and necessary improvement" described in the previous section. If any problem should occur, the manager should also satisfy "accountability" and "responsibility for devising remedial measures" together with the entrusted business operator, and therefore should state the duties of the entrusted party in the contract of entrustment. In addition, the contract of entrustment should state how the responsibility for devising remedial measures against problems is to be shared between the medical institution and the operator.

The basic rules of entrustment by which a medical institution satisfies its responsibility for management are as follows.

(1) Operational responsibility

Accountability
The manager of a medical institution is responsible for explaining the mechanism of health information protection and its functions. For the manager to satisfy this accountability, information from the entrusted business operator may be essential in some cases. The entrusted business operator is accountable to the manager of the medical institution.
Therefore, the contract of entrustment should state the responsibilities of the entrusted business operator for providing information and giving appropriate explanations.

Responsibility for management
The main entity responsible for management is the manager of the medical institution. In actual information processing, however, the entrusted business operator will often perform the security-related maintenance work. The manager of the medical institution should understand how the entrusted business operator manages the system, and should state in the contract of entrustment that appropriate supervision is to be established.

Responsibility for periodic review and necessary improvement
The contract of entrustment with the entrusted business operator should state the shared responsibility for periodically auditing the operation management status of the system, eliminating problems, and making the necessary improvements, and also for performing periodic evaluations and examinations that take account of technological advances related to protection.

(2) Post-event responsibility

Accountability
As stated in the previous section, the manager of a medical institution is responsible for announcing the occurrence of any incident related to health information and explaining its cause and the action to be taken. In many information incidents, the provision of information and analysis by the entrusted business operator are indispensable for giving these explanations. Therefore, as far as possible, events should be anticipated and the sharing of accountability with the entrusted business operator should be written into the contract.

Responsibility for devising remedial measures
If any incident occurs relating to health information, the manager of the medical institution becomes responsible for devising remedial measures, as stated in the previous section. If the problem is attributable to the business operator entrusted with the processing of health information, however, the manager of the medical institution may be understood in law to have fulfilled the duty of care only if due care was taken in selecting and supervising the entrusted business operator.
As stated at the beginning of this chapter, health information at a medical institution should be managed under the responsibility of the manager of the institution. Therefore, the manager must bear part of the responsibility for determining the cause of an incident related to health information, compensating for damage, and preventing recurrence. Since the entrusted business operator does not always manage everything relating to health information, the manager of the medical institution is unavoidably responsible for devising remedial measures for an incident that concerns the entire mechanism of health information protection. The manager of a medical institution cannot evade responsibility towards patients for devising the following remedial measures: 1) pursuing and clarifying the cause, 2) compensating for damage caused, and 3) preventing recurrence. The manager of a medical institution shall never be totally exempt from his or her responsibility to patients.

Shared responsibility with the entrusted business operator, however, is a different matter. In particular, if an incident occurs through the fault of the entrusted business operator, the manager of the medical institution shall not, in principle, bear full responsibility. When an incident relating to health information occurs, however, it is important to pursue and clarify its cause and to take preventive measures before discussing the sharing of responsibility between the medical institution and the entrusted business operator. Therefore, the contract of entrustment should clearly stipulate that the medical institution and the entrusted business operator give priority to these measures through mutual cooperation. Depending on the contents of the entrustment, the contract should stipulate the duty of pursuing the cause more specifically and set out the responsibility of the business operator for preventive measures. With respect to the sharing of responsibility for compensation, if an incident is attributable to the fault of the entrusted business operator, the operator should in principle bear the ultimate responsibility. There are many factors to consider here, such as the type and complexity of the cause, which may make it difficult to determine; the possibility that the sharing of responsibility for compensation may hinder determination of the cause; and the possibility of dispersing the damage through insurance.
It is necessary to stipulate the sharing of responsibility for compensation clearly in the contract of entrustment, taking these factors into consideration.

4.2.2 Demarcation of Responsibility in Provision to a Third Party

When providing health information to a third party, a medical institution should observe Article 23 of the Protection of Personal Information Act (Law No.57 of May 30, 2003) and the Guidelines for the Appropriate Handling of Personal Information by Medical and Nursing Care Providers.

Health information is provided to a third party for particular purposes. As a rule, the appropriateness of the provision is a matter for the manager of the medical institution alone. As long as the provision to the third party is appropriate, the responsibility for the subsequent protection of the information shifts from the manager of the medical institution to the third party that received it. The medical institution may, however, decline to provide the information if it is aware that the recipient will not handle it appropriately. In the case of electronic information, the information is regarded as still being stored by the medical institution even after it has been provided to a third party, unless the medical institution deletes it; the responsibility for managing that stored copy therefore remains.

When electronic health information is provided to a third party by transmission and reception through a network, it may not pass directly from the medical institution to the recipient but through a business operator involved in information processing. This raises a new question: clarifying the demarcation point of responsibility with the information processing business operator at which the condition of third-party provision is satisfied. Once health information has been provided appropriately and legally, the sending medical institution is no longer responsible, as stated above. Considering that the main entity of third-party provision is the sending medical institution, which has the relationship with the patient, the sending medical institution is in principle responsible at least until the information reaches the recipient. Consequently, it is preferable to discuss and clarify in advance, between the information processing business operator and the sender, the sharing of responsibility for devising remedial measures described above. The information processing business operator shall in principle bear full responsibility for an incident attributable to its own fault, unless stated otherwise and provided that the medical institution has fulfilled its duty of selection and supervision.
4.3 Summary of the Demarcation Point of Responsibility by Example

This section explains the demarcation point of responsibility with some examples. See Chapters 6, 7, and 8 for the security management of a health information system, the approach to networking for external connection, and the standards for selecting an organization to which the external storage of documents legally subject to storage can be entrusted.

1 Exchanging patient information through local health care linkage

a Idea for Medical Institutions

Demarcation point of responsibility when patient information is exchanged between a medical institution sending health information and another medical institution receiving it through a network provided by an information processing business operator

"Network provided by an information processing business operator" refers to a case in which the security of the network channel is ensured under the responsibility of the information processing business operator. The sending and receiving medical institutions shall determine the demarcation point of responsibility within the network channel and agree on it in a contract, including the action to be taken in case of a communication failure or incident. As regards the sharing of management responsibility with the information processing business operator, the demarcation point of responsibility shall be determined within the scope of each party's own responsibility. In addition, the scope of the responsibility for entrusted management, and which business operator takes the lead in case of a service problem, shall be clarified. In the case of entrustment, however, the sending medical institution in principle has both operational responsibility and post-event responsibility. If the information is provided appropriately to a third party, the receiving medical institution in principle bears responsibility. Where no fault is attributable to the information processing business operator, the information processing business operator is only partially responsible, for management.

Demarcation point of responsibility in the case of a unique connection between the sending and receiving medical institutions

"Unique connection" here refers to medical institutions connecting 1:1 or 1:N through the network of an information processing business operator by setting up their own router or other connection equipment themselves, or by connecting through the telephone network or another public network.
If the receiving medical institution, or the possible receiving medical institutions, can be identified in advance, both institutions must fulfil their duties in accordance with the requirements of entrustment or third-party provision. No responsibility for management is assigned to the information processing business operator; apart from the responsibility for ensuring communication quality, it has only the general responsibility stated in the agreement between the parties. Health information cannot, in principle, be provided by 1:N communication between sending and receiving institutions if any of the receiving medical institutions cannot be identified, except in exceptional, legally prescribed cases.

b Idea for information processing business operators

Demarcation point of responsibility when health information is appropriately encrypted by the sender and decrypted by the receiver

The medical institution sending patient information (the sender) encrypts the information in its own information system before transmission, and the medical institution receiving it (the receiver) decrypts the received information in its own information system. In this case, the information processing business operator has no duty to protect the personal information against tapping (eavesdropping) threats, and its responsibility is limited to management. Therefore, the scope of its responsibility for management against the threats of tampering, intrusion, and interference with information on the network, and for network quality such as availability, should be clarified in the contract. For encryption and other considerations relating to the network, and the minimum guidelines, see 6.11, "Security Management at External Exchange of Health information Including Personal Information."

Demarcation point of responsibility when health information is appropriately encrypted from the beginning of the management range of an information processing business operator

Some information processing business operators provide an encrypted, secure network line as their main service. If this kind of network line is used, the business operator is responsible for management against tapping, tampering, and intrusion from outside on its network line, and for the quality of the line, such as service availability. Therefore, this responsibility should be clarified in the contract.
However, the medical institution is responsible for management until the information reaches the network line provided by the business operator, and for the information flowing through that line. Therefore, the approach should be reviewed in accordance with "a Idea for Medical Institutions: Demarcation point of responsibility between medical institutions sending and receiving health information." For considerations about the network line and the information flowing through it, and the minimum guidelines, see 6.11, "Security Management at External Exchange of Health information Including Personal Information."
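The first of the two cases above (encryption by the sender, decryption by the receiver) is the one in which the carrier's duty against tapping disappears. The following Go program is an added example, not code from the guideline or from any vendor, showing why: the sender seals the record with AES-256-GCM from the Go standard library and binds a clear routing header as associated data, so the information processing business operator can route the envelope but sees only opaque bytes, and any change to the body or the header is rejected by the receiver. The key is assumed to have been agreed out of band between the two institutions; the header, record, and key in the code are constructed placeholders.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Added example, not part of the guideline. End-to-end encryption of a record
// between two medical institutions: the carrier in between sees only the
// routing header and ciphertext. Record format, header and key are constructed.

// Envelope is what is handed to the carrier.
type Envelope struct {
	Header []byte // routing metadata, readable by the carrier, integrity-protected
	Body   []byte // nonce || AES-GCM ciphertext || 16-byte authentication tag
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is run by the sender. The header is bound as associated data, so a
// carrier that rewrites routing metadata (for example the destination) is detected.
func Seal(key, header, record []byte) (Envelope, error) {
	aead, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per message
		return Envelope{}, err
	}
	body := aead.Seal(nonce, nonce, record, header) // nonce slice reused as output prefix
	return Envelope{Header: append([]byte(nil), header...), Body: body}, nil
}

// Open is run by the receiver. It returns an error if the body or the header
// was altered in transit, or if the sender used a different key.
func Open(key []byte, env Envelope) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(env.Body) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("envelope body too short")
	}
	nonce, ct := env.Body[:aead.NonceSize()], env.Body[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, env.Header)
}

// TamperBody models the carrier (or an intruder on its line) flipping one bit
// of the ciphertext; the receiver rejects the result, but the message is lost.
func TamperBody(env Envelope) Envelope {
	body := append([]byte(nil), env.Body...)
	body[len(body)/2] ^= 0x01
	return Envelope{Header: env.Header, Body: body}
}

// RewriteHeader models the carrier altering the routing header while leaving
// the ciphertext untouched; also rejected, because the header is associated data.
func RewriteHeader(env Envelope, header []byte) Envelope {
	return Envelope{Header: append([]byte(nil), header...), Body: env.Body}
}

func main() {
	key := make([]byte, 32) // assumption: agreed out of band between the institutions
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	header := []byte("from=clinic-A;to=hospital-B")          // constructed
	record := []byte("patient=0001;note=example record only") // constructed

	env, err := Seal(key, header, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("carrier sees header %q and %d opaque bytes\n", env.Header, len(env.Body))
	if got, err := Open(key, env); err == nil {
		fmt.Printf("receiver recovered: %s\n", got)
	}
	if _, err := Open(key, TamperBody(env)); err != nil {
		fmt.Println("tampered body rejected:", err)
	}
	if _, err := Open(key, RewriteHeader(env, []byte("from=clinic-A;to=elsewhere"))); err != nil {
		fmt.Println("rewritten header rejected:", err)
	}
}
```

Note what the example does and does not remove from the carrier's scope: the carrier cannot read the record, so eavesdropping on its line is no longer a personal-information risk, but a tampered or dropped envelope still fails to arrive. That is exactly why the guideline asks that the contract still cover tampering, intrusion, interference, and availability.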
c Proposal when an external storage organization is used

Since information storage is entrusted to the external storage organization, the medical institution has both operational responsibility and post-event responsibility. When sharing information with another medical institution, it is necessary to clarify the sharing of management responsibility between the institutions and to obtain the patients' approval for the information sharing. With the external storage organization, the action to be taken against a service problem shall be clarified in the contract. For details of the proposals for medical institutions and external storage organizations when medical institutions exchange patient information through an external storage organization, see "2. Handling of information" and "3. Provision of information" in 8.1.2, "Standards for Selecting External Information Storage Organization and Handling Information."

2 When accessing an information system at a medical institution from outside as required for work

For a general overview of access to an information system from outside through a network, see 6.11, "Security Management at External Exchange of Health information Including Personal Information," particularly B-2, "Proposal of Network Security for selection III, Connection from outside medical institution using mobile terminal." Here, the approach to the demarcation point of responsibility is explained.

a Teleworking: work by accessing the information system of one's own institution

Recently, so-called teleworking is also becoming popular at medical institutions: personnel of a medical institution work from outside by accessing the information system of their own institution. From the viewpoint of the demarcation of responsibility, teleworking is enclosed within the institution's own facilities. However, personnel of the medical institution are at both ends of a communication line, with an information processing business operator between them. In this case, various methods of protecting personal information are necessary, because not only the Internet but also mobile phone and other public networks are used as communication lines. Note in particular that even personnel who are not responsible for management at the medical institution may be required to take responsibility for management.
Since teleworking is enclosed within the institution's own facilities, the demarcation point of responsibility shall, in principle, comply with 4.1, "Manager's Responsibility for Information Protection at Medical Institutions."

b Remote maintenance: access by a third party for maintenance

For remote maintenance, a maintenance agent accesses the system by remote login. Without appropriate information management and access control, health information temporarily stored on disk, including personal information, may be tampered with or read illegally. If the remote login function is prohibited completely, remote maintenance becomes impossible and the time and cost of maintenance increase. Therefore, the convenience of maintenance and the protection of information should be balanced. In any case, the medical institution retains operational responsibility and post-event responsibility, and should therefore satisfy its responsibility for management by supervising the maintenance agent: receiving a management report periodically and clarifying where the final responsibility lies. For the approach to maintenance, including remote login, see 6.8, "Alteration and Maintenance of Information System."

1 When information is temporarily stored externally because part of the work of a medical institution is entrusted

"Entrustment" here means entrusting remote image diagnosis or clinical examination to a third party for clinical purposes. Accordingly, the third party stores information, even if only temporarily. The manager of the medical institution is responsible for selecting the entrusted business operator and should manage and supervise the rules on the information storage period and other matters, with responsibility for management including instructions for improvement (of security, etc.). Naturally, the entrusted business operator takes measures to prevent leakage and tampering of the stored information. However, it is also necessary to determine, and state clearly, the handling method and storage period of sensitive information, such as infection and genetic information, through mutual consultation. When providing health information externally for research rather than for the entrusted work described above, it is necessary to agree in advance with the requester of the research on the mutual responsibilities and the handling of the information.
2 When legally stipulated When non-encrypted health information is transmitted to an information processing business operator under special legally stipulated circumstances, the information processing business operator or network should take measures against tapping threats. Therefore, a Medical Institution with the responsibility for managing the said health information on a communication channel must clarify the responsibility for managing health information with the information processing business operator. To entrust part or all of the responsibility for management to an information processing business operator, a contract of entrustment concerning personal information must be concluded and managed appropriately with each business operator. 4.4 Demarcation Point of Responsibility in Technical and Operational Remedies The security of an information system should be ensured by a comprehensive combination of technical measures and systematic (operational) measures. Technical measures are taken mainly by a system provider (vendor) under the synthetic judgment of a Medical Institution and systematic (operational) measures are taken by a user (Medical Institution). Synthetic judgment is used to ensure security of a certain level by risk analysis based on device specifications, or system requirements and operation and management regulations, including financial factors. This selection differs depending on technical changes concerning threats to security and their countermeasures and also social environmental changes, including organizational changes of Medical Institutions. Attention should be paid to the changes. To achieve responsibility by synthetic judgment, a Medical Institution should clarify technical requirements to a vendor or operational conditions required from a vendor to set a clear demarcation point of responsibility with the vendor. 
Operation and management regulations may be created for the Medical Institution as a whole or individually for each division or device (for example, regulations for the electronic storage of medical images). As the criterion for judging whether the standards are satisfied, a compliance checklist should be compiled by referring to Chapter 10 and its attached table. This checklist can also serve as evidence when accountability to a third party is required.
5 Interoperability and Standardization of Information
At Medical Institutions, a great deal of work information is exchanged, and intentions are shared, through instructions, reports, and notices; the work itself is carried out on the basis of this exchange. Information exchange can be computerized simply by adding electronic input to the conventional process. If the electronic information can be reused, however, the same information need not be entered repeatedly and the total workload decreases. Reuse also contributes to the safety of health care by preventing the errors that arise when hard-copy information is read and re-entered, or when instructions are written and then read. Electronic information processing systems were in fact first introduced at Medical Institutions to streamline paperwork; today they contribute to information sharing, to the safety of health care, and consequently to the quality of health care.
Interoperability is required to exchange electronic information between systems introduced at a Medical Institution in phases, or between systems supplied by different vendors to different divisions. For the safe management and operation of information systems, importance must be given to "availability", one of the key properties of information security. Availability here means that information can be used when it is needed, and it must be secured at the moment the information is used. This in turn means securing interoperability as stipulated in:
7.2 Securing Human Readability
7.3 Securing Storability
More specifically, where health information is stored at a medical institution for a long period, the information stored in an old system must remain available after a system update. For local interlinks, interoperability is equally important when information is shared, accumulated, analyzed, rebuilt, returned, and re-transmitted between Medical Institutions.
For the interoperability of health information, it is preferable to store information in compliance with standards that anyone can use (glossaries, code sets, storage formats, message exchange protocols, etc.), and to maintain it in a format that is easy to convert to current or future standards. This chapter describes such standards.
The Ministry of Economy, Trade and Industry and the Ministry of Health, Labour and Welfare have recommended and promoted consistency with international standards for health information, including Health Level Seven (HL7) for message exchange, Digital Imaging and Communications in Medicine (DICOM) for medical images and their reports, and the standards of the International Organization for Standardization (ISO). Alongside these governmental activities, the Health Information and Communication Standards Board (HELICS Board) works from the standpoint of the private sector. The HELICS Board, made up of various standardization and regulatory bodies, recommends the standards to be adopted for each purpose of use and presents guidelines for standardizing health information accordingly. From the standards presented by the HELICS Board as guidelines, the Ministry of Health, Labour and Welfare has decided to deliberate at the Health Information Standardization Meeting on those deemed essential for Japan, which is expected to promote standardization further.
It is rare for Medical Institutions to maintain terms and codes or to implement standards themselves. To secure interoperability based on standards, however, doing so should be made a requirement that system vendors must satisfy. When a health information system is introduced, or an existing one is operated, the following items should be clarified with the system vendor so that both sides share the same understanding:
Basic stance on standardization
Reasons for not satisfying any of the standards referred to below
Plan for securing interoperability at a future system update or when connecting to another manufacturer's system
In addition, it is preferable that a medical institution develops a medium- or long-term plan for interoperability when an existing system is updated or a new one is introduced.
5.1 Basic Datasets, Standard Glossaries, and Code Sets
As stated above, standardization activities are in progress.
Standard information items have, however, been established to a level at which a high degree of data compatibility can now be secured for the following clinical information, which requires the highest level of interoperability in a health information system.
Medical institution information
History of treatment at the medical institution
Patient basic information and disease name
Insurance information
Prescription (including usage)
Specimen test (instruction and result)
Radiological image information
Physiological examination graphic information
Endoscopic image information
Injection
Operation technique
The following standards are necessary for the interoperability of the above information and have already been established.
5.1.1 Basic Datasets
User information
Patient information (basic information)
Patient information (infection information, allergy information, hospitalization history, and consultation history)
Order information (prescription, specimen test, and radiology)
Examination result information (specimen test)
Disease name information
Injection-related instruction and execution information, etc.
Treatment and operation
In 2008, the Ministry of Economy, Trade and Industry established guidelines for exporting and importing data between systems that use the basic datasets, in the Demonstration Project for Interoperability between Health Information Systems (Interoperability Demonstration Project). For details about the basic datasets, see the following website, which introduces the Interoperability Demonstration Project:
Report on Demonstration Project for Interoperability between Health Information Systems
http://www.jahis.jp/sougounyou/sougounyou_top.html
For the guidelines on securing data compatibility with the basic datasets, refer to:
JAHIS Basic Dataset Application Guidelines
http://www.jahis.jp/standard/seitei/st07-102/st07-102.htm
5.1.2 Glossaries and Code Sets
By using the basic datasets in combination with the standard masters of the Medical Information System Development Center (MEDIS-DC), data compatibility can be secured easily.
Disease name: Standard Disease Name Master for ICD10-Compatible Electronic Chart
Operation and treatment: Standard Operation and Treatment Master
Clinical examination: Standard Clinical Examination Master (including physiological function examination)
Pharmaceuticals: Standard Pharmaceuticals Master
Medical equipment: Standard Medical Equipment Database
Nursing terms: Practical Nursing Term Standard Master
Symptoms and remarks: Symptoms and Remarks Standard Master
Dental disease name: Standard Dental Disease Name Master
Dental operation, etc.: Standard Dental Operation and Treatment Master
Image examination: Standard Image Examination Master
J-MIX: data item set for exchanging electronically stored clinical records
MEDIS Standard Masters
http://www.medis.or.jp/4_hyojyun/medis-master/index.html
In the Interoperability Demonstration Project mentioned above, MEDIS-DC developed a tool for mapping the terms and codes used locally at each medical institution for pharmaceuticals and clinical examinations to the standard terms and codes. The tool may be used as required.
5.2 Compliance with International Standards for Data Exchange
For health information, Health Level Seven (HL7) and Digital Imaging and Communications in Medicine (DICOM) are the international standards, as stated above. To make these international standards usable in Japan, the Japanese Association of Health Information Systems Industry (JAHIS) has established the following standard data exchange protocols:
1. JAHIS Clinical Examination Data Exchange Protocol
2. JAHIS Prescription Data Exchange Protocol
3. JAHIS Medical Checkup Data Exchange Protocol
4. JAHIS Radiological Data Exchange Protocol
5. Care Message Specifications
6. Message Standard Protocol for Audit Trail in Health Care Field
7. JAHIS Physiological Examination Data Exchange Protocol
8. JAHIS Disease Name Information Data Exchange Protocol
9. JAHIS Electronic Signature Standards for Medical Documents Using Health Care PKI
10. JAHIS Endoscopic Data Exchange Protocol
These protocols are available from the following website:
http://www.jahis.jp/standard/index.html
5.3 Other Matters Related to the Application of Standards
Lastly, the problem of external characters (gaiji) should be noted. External characters are characters defined uniquely within an individual system, outside the standard character set. If a system uses external characters, a list of them should be created in advance so that they can be handled without notation problems when the system is altered or when information is exchanged with other systems.
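One way to build that list is to scan an export of the system's text fields for characters that are not part of the standard set. The following script is an added example and is not part of the guideline or of any vendor's software. It assumes two common ways in which external characters surface in practice: as Unicode Private Use Area code points once text has been converted to Unicode, and as user-defined double-byte codes (lead byte 0xF0 to 0xF9) in a raw Shift_JIS export. Both are assumptions about typical systems, and the sample records are constructed, not real patient data.

```python
"""Inventory of external characters (gaiji) in exported clinical text.

Added example, not part of the guideline. Assumes that external characters
appear as Unicode Private Use Area code points in converted text, or as
user-defined double-byte codes (lead byte 0xF0-0xF9) in raw Shift_JIS exports.
"""

# Unicode Private Use Areas: the BMP block and the two supplementary planes.
PUA_RANGES = ((0xE000, 0xF8FF), (0xF0000, 0xFFFFD), (0x100000, 0x10FFFD))


def is_private_use(ch):
    """True if the character is a Private Use Area code point."""
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in PUA_RANGES)


def sjis_user_defined_codes(raw):
    """Return the user-defined two-byte codes found in a Shift_JIS byte string.

    The walk respects the encoding's byte structure: a lead byte in 0x81-0x9F
    or 0xE0-0xFC is always followed by one trail byte (0x40-0x7E or 0x80-0xFC),
    so a trail byte that happens to fall in 0xF0-0xF9 is never mistaken for a
    gaiji lead byte.
    """
    codes = []
    i, n = 0, len(raw)
    while i < n:
        lead = raw[i]
        if 0x81 <= lead <= 0x9F or 0xE0 <= lead <= 0xFC:
            if i + 1 >= n:
                raise ValueError(f"truncated double-byte character at offset {i}")
            trail = raw[i + 1]
            if not (0x40 <= trail <= 0x7E or 0x80 <= trail <= 0xFC):
                raise ValueError(f"invalid Shift_JIS trail byte at offset {i + 1}")
            if 0xF0 <= lead <= 0xF9:          # user-defined (gaiji) area
                codes.append(f"0x{lead:02X}{trail:02X}")
            i += 2
        else:                                 # ASCII or half-width katakana
            i += 1
    return codes


def _note(inv, code, record_id, context):
    entry = inv.setdefault(code, {"count": 0, "records": set(), "context": context})
    entry["count"] += 1
    entry["records"].add(record_id)


def build_inventory(records):
    """Build {code: {count, records, context}} over (record_id, payload) pairs.

    A payload is either str (already converted to Unicode) or bytes (a raw
    Shift_JIS export). The context is a short excerpt of the first sighting,
    which is what a vendor needs in order to decide what each glyph means.
    """
    inv = {}
    for record_id, payload in records:
        if isinstance(payload, bytes):
            for code in sjis_user_defined_codes(payload):
                _note(inv, code, record_id, payload.hex(" "))
        else:
            for i, ch in enumerate(payload):
                if is_private_use(ch):
                    _note(inv, f"U+{ord(ch):04X}", record_id, payload[max(0, i - 3):i + 4])
    for entry in inv.values():
        entry["records"] = sorted(entry["records"])
    return dict(sorted(inv.items()))


# Constructed sample records (not real patient data).
SAMPLE_RECORDS = [
    ("P0001", "患者名: 髙橋 太郎"),           # 髙 (U+9AD9) is a standard code point, not gaiji
    ("P0002", "患者名: \ue001野 花子"),       # U+E001: a glyph defined only in the local system
    ("P0003", "病名: \ue001炎の疑い"),        # the same local glyph reused in another field
    ("P0004", b"\x81\x40\x82\xf0\xf0\x40"),  # Shift_JIS: full-width space, a kana whose trail
                                              # byte is 0xF0, then user-defined code 0xF040
]

if __name__ == "__main__":
    for code, entry in build_inventory(SAMPLE_RECORDS).items():
        print(code, entry["count"], entry["records"], repr(entry["context"]))
```

The resulting table (code, count, records, context) is the list the section asks for; it is also the input a vendor needs when mapping each local glyph to a standard character before a system alteration or an exchange with another institution.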
6 Basic Security Management of an Information System
The security management of an information system is a legal obligation. It follows from the obligation of secrecy that the Penal Code imposes on medical professionals, and from the provisions on security management in the laws related to personal information protection (the Personal Information Protection Act, the Protection of Personal Information Owned by Governmental Organs Act (2003, Law No. 58), and the Protection of Personal Information Owned by Independent Administrative Organizations, etc. Act (2003, Law No. 59)). The obligation of secrecy is imposed on individuals such as medical professionals and the personnel of administrative organizations; the obligation of security management is imposed on the heads of operators handling personal information and of administrative organizations. Neglecting security management violates these laws. Because responsibility to patients is of the utmost importance in health care, it is not enough to show that no violation has occurred; the institution must also be able to explain its security management adequately, that is, to fulfill its accountability.
The institutional requirements in this chapter are taken from the Personal Information Protection Act.
A. Institutional Requirements
(Security Management Measures) Law Article 20 An operator handling personal information shall take necessary and appropriate measures for the prevention of leakage, loss, or damage, and for other security management of the personal data.
(Supervision of Personnel) Law Article 21 When an operator handling personal information has an employee handle personal data, it shall exercise necessary and appropriate supervision over the employee to ensure the security management of the personal data.
(Supervision of Entrusted Party) Law Article 22 When an operator handling personal information entrusts the handling of personal data in whole or in part, it shall exercise necessary and appropriate supervision over the trustee to ensure the security management of the entrusted personal data. (Personal Information Protection Act)
6.1 Establishment and Announcement of Policies
B. Concept
The Guidelines for the Appropriate Handling of Personal Information by Medical and Nursing Care Providers stipulate policies pertaining to personal information protection. Since the security management of information systems dealt with in these guidelines can be regarded as part of personal information protection, those policies should also cover the security management of the information system.
The contents of a policy on personal information protection are specified in JIS Q 15001:2006 (Personal Information Protection Management System - Requirements) as follows:
a) Appropriate acquisition, use, and provision of personal information, taking into account the content and scale of the business
b) Compliance with laws, governmental guidelines, and other codes pertaining to the handling of personal information
c) Prevention and correction of leakage, loss, or damage of personal information
d) Handling of complaints and consultations
e) Continual improvement of the personal information protection management system
f) Name of the representative
The security management of an information system is prescribed in JIS Q 27001:2006 (Information Security Management System - Requirements) as follows: the ISMS basic policy shall be defined in terms of the business, the organization, its location, assets, and technology, and shall:
1 Establish the general recognition and principles of orientation for activities related to information security, including a framework for setting objectives
2 Take into account business, legal, and regulatory requirements, and contractual security obligations
3 Align with the strategic risk management of the organization in which the ISMS is established and maintained
4 Establish criteria for evaluating risk
5 Be approved by management
Taking these requirements into account, an organization operating an information system that handles personal information should establish basic policies suited to the organization and publish them by an appropriate method.
C. Minimum Guidelines
1. Policies pertaining to personal information protection shall be established and published.
2. Policies shall be established for the security management of an information system handling personal information. At a minimum, the policies shall specify: the range of information handled by the information system, the methods and periods of handling and storing that information, secure user identification, prevention of unnecessary or unauthorized access, the person responsible for security management, and the section that deals with complaints and inquiries.
6.2 Implementation of an Information Security Management System (ISMS) at a Medical Institution
A. Institutional Requirements
(Security Management Measures) Law Article 20 An operator handling personal information shall take necessary and appropriate measures for the prevention of leakage, loss, or damage, and for other security management of the personal data. (Personal Information Protection Act)
B. Concept
A standard management system for appropriate security management is prescribed in ISO (ISO/IEC 27001:2005) and JIS (JIS Q 27001:2006). Adopting an appropriate management system is useful for implementing security management.
6.2.1 ISMS Construction Procedure
An ISMS is constructed in accordance with the PDCA model. JIS Q 27001:2006 prescribes the PDCA steps as follows:
Outline of the PDCA Model Applied to ISMS Processes
Plan (establish the ISMS): ISMS basic policies, objectives, processes, and procedures relevant to managing risk and improving information security are established so as to deliver results in accordance with the organization's overall policies and objectives.
Do (implement and operate the ISMS): The ISMS basic policies, controls, processes, and procedures are implemented and operated.
Check (monitor and review the ISMS): Process performance is assessed (and measured where applicable) against the ISMS basic policies, objectives, and practical experience, and the results are reported to management for review.
Act (maintain and improve the ISMS): Corrective and preventive actions are taken, based on the results of the internal ISMS audit, the management review, and other relevant information, to achieve continual improvement of the ISMS.
P: The framework documents for constructing the ISMS (basic policies, operation and management regulations, etc.) and a documented construction procedure are established.
D: The ISMS is constructed using the documents and procedure prepared at P.
C: The ISMS is monitored and reviewed to confirm that it is operating appropriately.
A: Where improvement is found to be necessary, corrective and preventive measures are examined so that the ISMS is maintained.
To make these steps more familiar, the ISMS User's Guide for Medical Institutions by the Japan Information Processing Development Corporation (JIPDEC) offers the following example of security management steps in health care:
[Security Management Flow in Health Care]
Finding and reporting of an accident or error: An accident or error is found and reported in accordance with the "potentially serious medical errors" and "incident report" procedures.
Analysis of the cause: Under the "process approach," health care is regarded as a flow of processes. When an accident or error occurs, the whole of the care involved is decomposed into processes (operations) and a flowchart is drawn. (For example, an injection can be decomposed into: the physician writes the prescription; the prescription is sent to the pharmaceutical department; the medicine is delivered from the pharmaceutical department to the ward; a nurse on the ward prepares it correctly; the injection is given.) The flowchart is then analyzed to identify the process that caused the problem.
Preventive and corrective measures: Measures to prevent recurrence are studied and taken (procedure change, installation of an error-check mechanism, thorough staff education, etc.).
As this shows, the main flow in the medical field is D, C, A. The procedures for clinical examination, diagnosis, treatment, and nursing have already been established from past cases; when an accident or error is found, analyzing the causal procedure clarifies the necessary improvement, and carrying out that improvement enhances security. The rapid advance of IT, on the other hand, constantly produces new problems and vulnerabilities in information security that cannot be anticipated from accumulated past experience.
A management method specific to information security is therefore necessary, and the ISMS was devised for this purpose. Like security management in the medical field, an ISMS is constructed and maintained through the PDCA cycle. For medical staff, once the framework documents and procedures of the ISMS have been established by properly executing step P, the ISMS will develop naturally. The following sections describe the actions necessary for executing step P.
6.2.2 Grasp of Handled Information
All information handled by an information system should be listed, classified by its importance for security management, and kept up to date at all times. The list must be managed so that the security manager of the information system can check it immediately. The importance for security management is determined by the impact that an impairment of security would have, considered at least from the viewpoints of the patient and of the continuity of work; the viewpoints of administration and personnel management at the Medical Institution are added to refine the classification. Because a security incident involving health information that identifies an individual may affect patients seriously, health information is classified as the most critical information.
6.2.3 Risk Analysis
For each category of information, the threats arising from management errors, equipment faults, external intrusion, malicious users, and user errors are enumerated. Staff at Medical Institutions generally work in mutual trust and are reluctant to assume malice or error on the part of colleagues or other staff. To achieve security management and fulfill accountability, however, measures should be prepared even for threats of low likelihood. The results of the risk analysis should be documented and managed so that accountability can be fulfilled. The measures prescribed in 6.3 to 6.11 are taken against the threats identified by the analysis.
It should be noted in particular that system functions alone are not enough to ensure security management or to prevent use for purposes other than those intended, which the Personal Information Protection Act prohibits in principle. A system can do no more than assure that correct operation is performed safely by clearly recording who operated it. It is therefore important to assume threats that include human behavior, and to take measures that include the operation and management regulations. From this point of view, a health information system requires protective measures not only for the electronic data stored in it but also for personal information exposed to threats elsewhere, such as at input or output. The threats assumed under various situations are enumerated below.
Electronic data stored in a health information system
(a) Unauthorized access, tampering, damage, loss, or leakage by an unauthorized person
(b) Access, tampering, damage, loss, or leakage for an improper purpose by an authorized person
(c) Access, tampering, damage, loss, or leakage by malicious software, such as a computer virus
Memos, scripts, examination data, etc. used for input
(a) Peering at memos, scripts, examination data, etc.
(b) Taking out memos, scripts, examination data, etc.
(c) Copying memos, scripts, examination data, etc.
(d) Inappropriate disposal of memos, scripts, and examination data
Information terminals, such as a notebook PC storing personal information and other data
(a) Taking out an information terminal
(b) Access, tampering, damage, loss, or leakage through a network by malicious software, such as a virus, on the PC
(c) Information leakage through inappropriate handling of software (Winny and other file-sharing software, etc.)
(d) Theft or loss of an information terminal
(e) Inappropriate disposal of an information terminal
Portable media, etc. storing data
(a) Taking out portable media
(b) Copying portable media
(c) Inappropriate disposal of portable media
(d) Theft or loss of portable media
Terminal screens, etc.
(a) Peering at a terminal screen
Printed paper, film, etc.
(a) Peering at paper, film, etc.
(b) Taking out paper, film, etc.
(c) Copying paper, film, etc.
(d) Inappropriate disposal of paper, film, etc.
The health information system itself
(a) IT faults caused by cyber attacks: unauthorized intrusion, tampering, unauthorized command execution, information disruption, virus attack, denial of service (DoS), information leakage, etc.
(b) IT faults caused by unintentional factors: system specification or program bugs, operational error, equipment failure, information leakage, etc.
(c) IT faults caused by disasters: power failure, communication failure, damage to computer facilities, or IT malfunction in the operation of critical infrastructure, each due to a disaster such as an earthquake, flood, lightning, or fire
By taking measures against these threats, the likelihood of their occurrence can be reduced and the risks lowered to a minimum.
C. Minimum Guidelines
1. All information handled by an information system shall be listed.
2. The listed information shall be classified by its importance for security management and kept up to date at all times.
3. The list shall be managed so that the security manager of the information system can check it immediately.
4. Risk analysis shall be performed on the listed information.
5. The measures prescribed in 6.3 to 6.11 shall be taken against the threats identified by the analysis.
D. Recommended Guidelines
1. The results of the above shall be documented and managed.
6.3 Systematic Security Management Measures (System and Operation Management Regulations)
B. Concept
For security management, the responsibility and authority of each operator shall be clearly prescribed, security management regulations and procedures shall be prepared and implemented, and their implementation shall be confirmed by routine self-inspection. These requirements apply whether or not the information system is used within the organization.
Systematic security management measures include the following:
Establishing a structure for security management measures
Establishing regulations that prescribe the security management measures, and operating the system in accordance with them
Creating a ledger for the handling of health information
Evaluating, correcting, and improving the security management measures for health information
Establishing rules for taking out information or information terminals
Establishing information terminal management regulations for remote, external access to the Medical Institution's system from an information terminal, etc.
Responding to accidents and violations
Operation and management regulations are essential for fulfilling management responsibility and accountability and must always be prescribed. For details on taking information and information equipment out of a Medical Institution for outside use, see 6.9, "Taking out Information and Information Equipment."
C. Minimum Guidelines
1 A person responsible for operating the information system shall be appointed and operators (including the system administrator) shall be limited. Formal regulations are not always necessary at small-scale Medical Institutions where the roles are already clear.
2 Where personal information can be viewed, access shall be controlled by recording and identifying visitors and limiting entry.
3 Access control regulations shall be created to prescribe the limits on access to the information system, its recording, its inspection, etc.
4 When the handling of personal information is entrusted, the contract of entrustment shall include provisions on security management.
5 The operation and management regulations shall prescribe the following:
(a) Philosophy (statement of basic policies and management purpose)
(b) Organizational structure of the Medical Institution
(c) Management of contracts, manuals, and other documents
(d) Risk prevention and corrective measures
(e) Management of equipment in use
(f) Method of managing (storing and passing on) media that record personal information
(g) Method of providing information to patients, etc. and obtaining their consent
(h) Audit
(i) Section that deals with complaints and inquiries
6.4 Physical Security Measures
B. Concept
Physical security measures physically protect the information terminals, computers, and information media of an information system in which personal information is entered, viewed, and stored. More specifically, several security areas should be defined according to the type, importance, and manner of use of the information, and each should be managed appropriately, considering the following:
Management of room access (managing entry authority separately for office hours, late night, and other hours)
Prevention of theft and prying
Physical protection and measures, including the prevention of theft or loss of equipment, devices, information media, etc.
For details on taking information and information equipment out of a Medical Institution for external use, see 6.9, "Taking out Information and Information Equipment."
C. Minimum Guidelines
1 A room where equipment storing personal information is installed, or where recording media of such information are stored, shall be locked.
2 An area where a terminal allowing personal information to be entered and viewed is installed shall be locked outside office hours, or kept off limits by other means to anyone not authorized under the operation and management regulations. This guideline does not apply where other measures of an equivalent level are in place.
3 Access to an area where personal information is physically stored shall be controlled; for example, those entering the area shall be required to wear name badges and sign an access ledger, and the access records shall be checked periodically.
4 Computers and other important equipment storing personal information shall be secured with a chain to prevent theft.
5 Measures against prying (shoulder surfing) shall be taken.
D. Recommended Guidelines
1. Security cameras and automatic intrusion monitors shall be installed.
6.5 Technical Security Measures
B. Concept
Technical measures alone cannot guarantee security against threats; in general, they must be combined with operational measures. Applied appropriately, and with their range of effect taken into account, technical measures are nevertheless powerful. The following items are explained here as technical measures applicable to the threats enumerated in 6.2.3, "Risk Analysis":
1 User identification and authentication
2 Information classification and access authority management
3 Access logs
4 Measures against malicious software
5 Measures against unauthorized access from the network
For details on taking information and information equipment out of a Medical Institution for outside use, see 6.9, "Taking out Information and Information Equipment."
(1) User Identification and Authentication
So that only permitted users can gain access, an information system shall have both a user identification function and a user authentication function. At small-scale Medical Institutions where the users of the information system are few, identification and authentication may not always be essential for everyday work; in general, however, these functions are essential. For authentication, all staff and all others who access the information system shall be issued IDs, passwords, IC cards, electronic certificates, biometrics, etc. for identification and authentication; these shall be managed centrally and updated immediately whenever the circumstances require. Information used for personal identification and authentication must be something that only the person concerned knows or possesses. To prevent identification and authentication information from leaking to third parties, measures must be taken against risks such as the following:
A notice stating an ID and password is posted where a third party can easily read it.
Anyone can log into the system because no password has been set.
An ID and password are lent to another person for proxy work, so the person who actually did the work cannot be identified from the work record in the system.
Several users share one ID.
A password is too easy to guess or too short.
The same password is used without periodic change and is therefore increasingly likely to be guessed.
A security device holding identification and authentication information (IC card, USB key, etc.) is lent, or used without the owner's permission, so the person who did the work cannot be identified.
The ID of a retired person is left valid and still allows login.
A password is stolen from a printed document left in the health information section.
An ID or password is stolen by a computer virus and used maliciously.
<Proposal for Authentication Strength>
The combination of an ID and a password has been widely used until now. Authentication with an ID and password alone, however, is exposed to the serious risks enumerated above. Keeping such authentication strong would require that system implementation and operation force each person to change the initial password on first use and to change it periodically, so that the password is known to that person alone; because such measures are generally considered difficult to enforce thoroughly, an ID and password alone are not recommended from the viewpoint of feasibility. The general means of authentication are: an ID and password, which rely on what the user remembers; biometrics, which rely on physical characteristics of the user such as a fingerprint, veins, or iris; and physical media such as an IC card (security device), which rely on what the user possesses. In terms of authentication strength, it is generally difficult to maintain sufficient strength with any one of these used alone. It is therefore preferable to adopt two independent elements (two-element, or two-factor, authentication), for example an IC card or other security device plus a password, or biometrics plus an IC card. If an operator leaves a terminal for a long time, the screen should be cleared and other measures taken to prevent other people from operating the terminal.
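Several of the risks listed above can be checked mechanically from the account table and the login log, which is how a security manager would confirm that the operational rules are actually being followed. The script below is an added example and is not part of the guideline or of any vendor's product. It checks, over a constructed account table and a constructed login log, for retired IDs that are still valid or still logging in, for an ID in use from two terminals at once (a shared ID), for accounts with no password or with a password that has not been changed within a set period, and it vets a proposed password for the "too short or too easy to guess" case. The record layout, the log line format, the 90-day password age limit, and the 8-character minimum are assumptions made for the example.

```python
"""Audit of user identification and authentication hygiene.

Added example, not part of the guideline. The account table, the log format,
PW_MAX_AGE_DAYS and PW_MIN_LENGTH are assumptions for the example.
"""
import re
from datetime import date, datetime

PW_MAX_AGE_DAYS = 90   # assumed local policy: change passwords at least this often
PW_MIN_LENGTH = 8      # assumed local policy
COMMON_PASSWORDS = {"password", "12345678", "qwerty123", "hospital"}

# Constructed account table: whether the ID can still log in, when the person
# left (if they did), and when the password was last changed (None = never set).
USERS = {
    "dr_sato":    {"enabled": True, "retired_on": None,              "pw_changed": date(2009, 1, 10)},
    "ns_tanaka":  {"enabled": True, "retired_on": date(2009, 2, 15), "pw_changed": date(2009, 1, 5)},
    "ward3":      {"enabled": True, "retired_on": None,              "pw_changed": date(2008, 3, 1)},
    "temp_guest": {"enabled": True, "retired_on": None,              "pw_changed": None},
}

# Constructed login log, one event per line (format assumed for the example).
LOG_LINES = """\
2009-03-02T08:55:10 LOGIN id=dr_sato term=WS-101
2009-03-02T09:00:00 LOGIN id=ward3 term=WS-301
2009-03-02T09:02:30 LOGIN id=ward3 term=WS-302
2009-03-02T09:40:00 LOGOUT id=ward3 term=WS-301
2009-03-02T10:15:00 LOGIN id=ns_tanaka term=WS-205
2009-03-02T10:20:00 LOGIN id=temp_guest term=WS-110
2009-03-02T10:25:00 LOGIN id=nobody term=WS-999
"""

LINE_RE = re.compile(r"^(\S+) (LOGIN|LOGOUT) id=(\S+) term=(\S+)$")


def parse_log(text):
    """Parse log lines into (timestamp, event, user_id, terminal) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        ts, kind, uid, term = m.groups()
        events.append((datetime.fromisoformat(ts), kind, uid, term))
    return events


def audit_accounts(users, as_of):
    """Static checks on the account table; returns (finding, user_id) pairs."""
    findings = []
    for uid, u in users.items():
        if u["retired_on"] and u["enabled"] and u["retired_on"] <= as_of:
            findings.append(("retired_id_still_valid", uid))
        if u["pw_changed"] is None:
            findings.append(("no_password_set", uid))
        elif (as_of - u["pw_changed"]).days > PW_MAX_AGE_DAYS:
            findings.append(("password_not_changed", uid))
    return findings


def audit_log(users, events):
    """Behavioural checks on login events; returns (finding, user_id) pairs."""
    findings = []
    open_sessions = {}  # user_id -> set of terminals with a live session
    for ts, kind, uid, term in events:
        u = users.get(uid)
        if u is None:
            findings.append(("unknown_id", uid))
            continue
        if kind == "LOGOUT":
            open_sessions.get(uid, set()).discard(term)
            continue
        if u["retired_on"] and ts.date() >= u["retired_on"]:
            findings.append(("login_after_retirement", uid))
        terms = open_sessions.setdefault(uid, set())
        if terms - {term}:
            # A second live session on another terminal: the ID is being shared,
            # so the work record no longer identifies one person.
            findings.append(("concurrent_sessions", uid))
        terms.add(term)
    return findings


def check_password_candidate(uid, password):
    """Reasons to reject a proposed password at enrolment or change (empty = accept)."""
    reasons = []
    if len(password) < PW_MIN_LENGTH:
        reasons.append("too_short")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("common_password")
    if any(len(tok) >= 3 and tok in password.lower() for tok in uid.lower().split("_")):
        reasons.append("contains_user_id")
    if len(set(password)) < 4:
        reasons.append("too_few_distinct_characters")
    return reasons


def run_audit(as_of=date(2009, 3, 2)):
    """Combine both audits over the constructed data as of the given date."""
    return audit_accounts(USERS, as_of) + audit_log(USERS, parse_log(LOG_LINES))


if __name__ == "__main__":
    for finding, uid in run_audit():
        print(f"{finding:25s} {uid}")
```

The account-table checks catch what the operational rules should already have prevented (a retired ID still enabled, a password never set or long unchanged); the log checks catch what only shows up in behaviour (a login by a retired person, or one ID live on two terminals at once, which is the "several users are sharing one ID" case). The candidate-password check belongs at the point where a password is first set or changed, since that is the only moment the plaintext is legitimately available to the system.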
<Notes on Distributing IC Cards and Other Security Devices>

Upon the distribution of identification information, encryption keys, and electronic certificates in IC cards or other security devices for user identification, authentication, or signature, measures should be taken to prevent the security devices from reaching third parties by mistake. It is also important to make the devices not easily usable even when acquired illegally by third parties. Therefore, the risk would be high if user identification, authentication, and signature were possible with such a security device alone. A mechanism or method shall be adopted to make them valid only together with information that only the said person knows. Since identification information may become unavailable due to IC card damage or any other factor, temporary access by substitute means should be permitted in the case of an emergency. However, the use of substitute means shall be permitted only after full identification, so as not to lower the security management level easily. It is also preferable to check the emergency operation log against the person's formal identification information once it has been issued again later.

<Notes on Using Biometrics>

When a fingerprint, iris, voiceprint, or other biometrics is used for identification and authentication, the measurement accuracy should also be noted. The measurement accuracy of existing biometrics equipment likely to be generally available for a health information system is not sufficient for 1:N comparison (matching an input sample against one of several registered samples) but is appropriate for 1:1 comparison (matching an input sample against a specified sample). Therefore, biometrics should not be used alone for identification and authentication but together with a user ID or other means that can identify the person. Authentication with biological information also has the following unique problems:

- Loss of the body part used for authentication due to an accident, disease, etc.
- Change of the body part used for authentication due to growth, etc.
- Similar values between identical twins
- "Spoofing" with an infrared photograph (the equivalent of a counterfeit IC card)

Considering the above, the features of biological information should be examined and an appropriate method used. If an authentication part is lost, a different method or biological information from a different part shall be used. To prevent spoofing, two-element authentication (a combination of IC card or password and biometrics, etc.) shall be used.

(2) Information Classification Management and Access Authority Management

When using an information system, information should be classified and managed by type, necessity, and manner of use, and authority of use shall be assigned to each classification, user, or user group (unit of work) in the organization. What is important here is to minimize the assigned authority. Risks can be reduced by not releasing unnecessary information or assigning unnecessary authority. If the information system has a function to set authority in detail for browsing, updating, execution, and addition, risks will decrease further. The access authority should be reviewed as required when the user's work is changed due to reassignment. This requirement must be prescribed in the regulations of the organization.

(3) Access Log

Regarding resources including personal information, all access logs must be collected and checked periodically to confirm that there has been no illegal use. The protection of access logs is essential because they may contain personal information and also provide very useful information for investigation in the case of a security accident. Therefore, measures must be taken to limit access to access logs and to prevent their unjust deletion, tampering, addition, etc. To secure the effectiveness of access logs as evidence, the recorded time is important. All managed systems must be synchronized so that accurate times are recorded.

(4) Illegal Software Measures

Illegal software of various forms, called viruses, worms, etc., may enter an information system through e-mail, a network, portable media, etc. Without appropriate protective measures against the intrusion of illegal software, serious problems may be caused, such as destruction of security mechanisms, system failure, information disclosure or tampering, information destruction, or illegal use of resources. Intrusion by illegal software will be noticed only after certain problems occur. The most effective measure may be illegal software scanning software. Illegal software can be detected and removed by keeping the scanning software resident in the terminals, servers, and network equipment of the information system. This is also true for information terminals and PCs used outside a Medical Institution.
For proposals and measures, see 6.9, "Taking out Information and Information Equipment." Since computer viruses are always changing, it is essential to keep the pattern files up to date for detection. Even if excellent scanning software is implemented and used appropriately, not all illegal software can be detected. Therefore, it is important to minimize the vulnerabilities of the information system. If security holes are reported concerning the operating system, security patches shall be applied. It is also effective to disable unused services and communication ports and to suppress macro execution.

(5) Illegal Access from Network

For security from a network, a firewall is a means of protection against illegal access by a hacker, computer virus, or attack software. Firewalls can be classified into "packet filtering," "application gateway," and "stateful inspection" types. Since the functions in operation also differ depending on the settings, an information system is not always safe simply because a firewall has been installed. Do not consider simple packet filtering as sufficient. It is preferable to use other methods together to cope with external attacks. The system administrator should know what each method protects and how. This is also true for PCs and other information terminals connected externally to an information system at a Medical Institution. For proposals and measures, see 6.9, "Taking out Information and Information Equipment." The adoption of an intrusion detection system (IDS) should also be discussed in accordance with the relationship between the health information system and external networks. It is also important to diagnose the system periodically (security diagnosis) for security holes (vulnerabilities, etc.) in the network environment and to apply patches and other measures. If a wireless LAN or an information wall socket allows physical network connection by an outsider, it becomes possible to connect an illegal computer for virus infection, an attack on a server or network equipment (DoS: Denial of Service, etc.), or illegal data monitoring or tampering on the network. To prevent access from an illegal PC, PC identification by MAC address is generally used. Since a MAC address can be tampered with, however, necessary measures should be taken with this in mind. The prevention of illegal access depends on secure identification of the person accessing the system, and spoofing in particular must be prevented. To prevent eavesdropping on information flowing through a network, encryption and other measures against information leakage are also necessary.

(6) Other

A wireless LAN is very useful when a nurse uses an information terminal at a patient's bedside. On the other hand, since there are also concerns about communication failures, information availability should be ensured. Due care is also necessary for use around equipment that may be seriously affected by radio waves. These days, power line communication (PLC) is available, but its security with respect to medical equipment has not been confirmed. When using PLC at a Medical Institution, therefore, both availability and the security of medical equipment must be noted in accordance with "Concerning Inquiries from Medical Staff on the Influences of Broadband Power Line Communication Equipment on Medical Equipment" (Pharmaceutical and Food Security Notice No.1109002 dated November 9, 2006) from the Pharmaceutical and Food Safety Bureau, Ministry of Health, Labour and Welfare.

C. Minimum Guidelines

1 Upon access to an information system, the user shall be identified and authenticated.
2 When the combination of a user ID and a password is used for personal identification and authentication, measures shall be taken so that only the said person knows the information.
3 If an operator leaves a terminal for a long time, clear screen and other measures shall be taken to prevent other people from operating the terminal.
4 When data including personal information is used for a performance check, due care shall be taken about leakage, etc.
5 The range of accessible clinical records shall be specified for each medical or related profession to control access by level. The operation and management regulations shall prescribe the review of access authority as required when the user's work is changed due to reassignment. A system accessed by users of several professions should have a function to control access by profession. If this kind of function is not available, the operation and management regulations should prescribe an accessible range and ensure security with the operation record in the next section until the system is updated.
6 Access shall be recorded and logs shall be checked periodically. Access records shall at least allow identification of the user, login time, access time, and the patient processed during login. This assumes that the information system has an access record function. Without this function, operations (operator and contents) shall always be recorded in a business record or by other means.
7 Access to access logs shall be limited and measures shall be taken to prevent the illegal deletion, tampering, or addition of access logs.
8 Time information used for access recording shall be reliable. Time information used internally at a Medical Institution should be synchronized. By periodic adjustment to the standard time, the time should be kept sufficiently accurate for clinical records.
9 When a system is constructed, media not under appropriate management is used, or information is received externally, it shall be confirmed that there is no infection with a virus or any other illegal software. Media that is possibly not under appropriate management shall be used with due care after a full security check. Appropriate measures shall always be taken to prevent infection with a virus or any other illegal software. The effectiveness and security of the measures shall be checked and maintained (for example, by checking and maintaining pattern file updates).
10 When using a password for user identification
The system administrator shall note the following:
(1) Passwords shall always be encrypted (preferably one-way encryption) and managed and used appropriately in the password file of the system. (If an IC card or any other means is used together for user identification, the password operation method suitable for the system shall be prescribed in the operation and management regulations.)
(2) Since users may forget passwords or passwords may be stolen, the system administrator shall identify the user when changing a user password, record the method of identification in a ledger (attaching a copy of personal identification, etc.), and re-register the password in a way that does not let any other person know it.
(3) Even the system administrator shall not have any means of estimating a user password. (No passwords shall be written in a setting file.)
Each user shall note the following:
(1) The password shall be changed periodically (at intervals not longer than 2 months) and extremely short character strings shall not be used. A string of 8 or more alphanumeric characters and symbols is preferable.
(2) Passwords which are easy to guess shall not be used.
12 When using a wireless LAN
The system administrator shall note the following:
(1) The use of a wireless LAN shall not be identifiable by anybody other than the user. For example, stealth mode or ANY connection denial shall be used.
(2) Measures shall be taken against illegal access. At least, access shall be limited by SSID and MAC address.
(3) Illegal information acquisition shall be prevented. For example, communication shall be encrypted by WPA2/AES or other means to protect information.
(4) Since radio-emitting equipment (portable game devices, etc.) may cause interference, due care shall be taken when the use of such equipment is permitted at a Medical Institution.
(5) For the application of a wireless LAN, refer to "For Safe Use of Wireless LAN" issued by the Ministry of Internal Affairs and Communications.

D. Recommended Guidelines

1 Information shall be managed and access shall be controlled by classification.
2 An operator shall execute close processing (clear screen: log-off, screen saver with password, etc.) when leaving the seat.
3 A firewall (including stateful inspection or an equivalent function) shall be installed at critical points for security management, such as the external network connection point and the DB server, and an access control list (ACL) shall be set appropriately.
4 When a password is used for user identification, the following standards shall be observed:
(1) A certain no-response time shall be set before a retry after unsuccessful password input.
(2) If unsuccessful password input exceeds a specified number of times, retries shall not be accepted for a certain period.
5 For authentication, an effective method shall be adopted, such as two-element authentication of ID + biometrics, or IC card or other security device + password or biometrics, that is unique to each user.
6 If several wireless LAN access points are installed, the complexity of management may increase as well as the risk of intrusion. Since installation increases the risk of intrusion, security shall be strengthened, for example, by combining 802.1x and electronic certificates.
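The password items above (C.10 and D.4) describe one-way storage of passwords, a forced periodic change, a minimum length of 8 characters, rejection of easy-to-guess strings, a no-response time after a failed attempt, and a lockout after repeated failures. The following Python is an added example, not part of the guideline and not any institution's system; it implements those checks in one in-memory password store. The failure threshold (5) and lockout period (15 minutes) are assumptions, since the guideline leaves those numbers to the institution, and the list of easy-to-guess passwords is a constructed sample.

```python
"""Password handling for a health information system login: a password file
holding only salted, iterated one-way hashes, a no-response delay after a
failed attempt, a lockout after repeated failures, a minimum length of 8,
rejection of easy-to-guess strings, and forced change after two months.
Constructed example; values marked "assumed" are not set by the guideline."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

PBKDF2_ROUNDS = 200_000            # work factor of the one-way hash
MIN_LENGTH = 8                     # guideline: 8 or more characters preferable
MAX_AGE_SECONDS = 60 * 24 * 3600   # guideline: change at least every 2 months
RETRY_DELAY_SECONDS = 2            # no-response time after a failed attempt
MAX_FAILURES = 5                   # assumed: failures before lockout
LOCKOUT_SECONDS = 15 * 60          # assumed: lockout period

# Constructed sample of easy-to-guess strings; a deployment would use a large list.
WEAK_PASSWORDS = {"password", "12345678", "hospital", "qwerty123"}


class ManualClock:
    """Clock advanced by the caller, so delay and lockout logic can be
    exercised without waiting for real time to pass."""
    def __init__(self, now: float) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now


@dataclass
class Record:
    salt: bytes
    digest: bytes
    changed_at: float
    failures: int = 0
    last_failure: float = 0.0
    locked_until: float = 0.0


def check_policy(password: str) -> Optional[str]:
    """Return the reason a password violates policy, or None if acceptable."""
    if len(password) < MIN_LENGTH:
        return "too short"
    if password.lower() in WEAK_PASSWORDS:
        return "easy to guess"
    kinds = (any(c.islower() for c in password), any(c.isupper() for c in password),
             any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    if sum(kinds) < 2:
        return "needs a mix of letters, digits and symbols"
    return None


def _derive(password: str, salt: bytes) -> bytes:
    """One-way transformation: the password file never holds the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordStore:
    """In-memory stand-in for the system password file."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.records: Dict[str, Record] = {}

    def set_password(self, user: str, password: str) -> None:
        reason = check_policy(password)
        if reason is not None:
            raise ValueError("password rejected: " + reason)
        salt = secrets.token_bytes(16)   # per-user salt: equal passwords hash differently
        self.records[user] = Record(salt, _derive(password, salt), self.clock())

    def authenticate(self, user: str, password: str) -> str:
        """Return 'ok', 'expired', 'locked', 'retry-later' or 'denied'."""
        now = self.clock()
        rec = self.records.get(user)
        if rec is None:
            _derive(password, b"\0" * 16)   # same cost for unknown IDs (no timing leak)
            return "denied"
        if now < rec.locked_until:
            return "locked"                 # recommended guideline D.4 (2)
        if now - rec.last_failure < RETRY_DELAY_SECONDS:
            return "retry-later"            # recommended guideline D.4 (1)
        if hmac.compare_digest(_derive(password, rec.salt), rec.digest):
            rec.failures = 0
            if now - rec.changed_at > MAX_AGE_SECONDS:
                return "expired"            # correct, but must be changed before use
            return "ok"
        rec.failures += 1
        rec.last_failure = now
        if rec.failures >= MAX_FAILURES:
            rec.locked_until = now + LOCKOUT_SECONDS
            rec.failures = 0
        return "denied"
```

The administrator-side requirement in C.10 (no means of estimating a user password, none written in a setting file) is what the salted one-way hash delivers: the stored record allows verification but not recovery. Where an IC card or biometrics is combined with the password, this store covers only the password element; the other element is checked separately.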
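Items C.5 to C.8 together ask for an accessible range fixed per profession, a record of user, login time, access time and patient, protection of the log against deletion, tampering and addition, and reliable time. The following Python is an added example, not from the guideline, showing one way to combine them: every access decision, permitted or denied, is appended to a hash-chained record; the periodic check verifies the chain and flags timestamps that run backwards; and a per-patient count answers the kind of question 6.8 D.5 later asks (which patient was accessed, by whom, how many times). The professions, record sections, user names and patient ids are assumed.

```python
"""Profession-based access range plus a tamper-evident access record.
Constructed example; professions, sections and names are assumed."""
import hashlib
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Assumed accessible range per profession (the institution defines its own).
ACCESSIBLE_RANGE: Dict[str, Set[str]] = {
    "physician": {"summary", "progress_notes", "orders", "lab_results"},
    "nurse": {"summary", "progress_notes", "lab_results"},
    "medical_affairs": {"summary"},
}
JST = timezone(timedelta(hours=9))
GENESIS = "0" * 64   # chain anchor used by the first entry


def jst(hour: int, minute: int) -> datetime:
    """Constructed timestamp on 2009-03-02, Japan Standard Time."""
    return datetime(2009, 3, 2, hour, minute, tzinfo=JST)


def is_permitted(profession: str, section: str) -> bool:
    """Least privilege: an unknown profession is allowed nothing."""
    return section in ACCESSIBLE_RANGE.get(profession, set())


def _entry_hash(prev_hash: str, body: dict) -> str:
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


class AccessLog:
    """Append-only access record.  Each entry commits to the previous entry's
    hash, so altering, deleting or inserting an entry breaks verify().  The
    latest hash should be copied to a place the log writer cannot modify."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def request_access(self, user: str, profession: str, patient_id: str,
                       section: str, login_at: datetime, access_at: datetime) -> bool:
        """Decide the access and record it either way; denied attempts are evidence too."""
        permitted = is_permitted(profession, section)
        body = {
            "seq": len(self.entries), "user": user, "profession": profession,
            "patient_id": patient_id, "section": section,
            "login_at": login_at.isoformat(), "access_at": access_at.isoformat(),
            "permitted": permitted,
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append(dict(body, hash=_entry_hash(prev, body)))
        return permitted

    def verify(self) -> List[str]:
        """Periodic check: a list of problems, empty if the record is intact."""
        problems: List[str] = []
        prev = GENESIS
        last_time: Optional[datetime] = None
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["seq"] != i:
                problems.append(f"entry {i}: sequence gap or reordering (seq {body['seq']})")
            if _entry_hash(prev, body) != entry["hash"]:
                problems.append(f"entry {i}: hash mismatch (tampered or chain broken)")
            t = datetime.fromisoformat(entry["access_at"])
            if last_time is not None and t < last_time:
                problems.append(f"entry {i}: access time earlier than the previous entry (clock not synchronized?)")
            last_time = t
            prev = entry["hash"]
        return problems

    def accesses_to_patient(self, patient_id: str, since: datetime, until: datetime) -> Dict[str, int]:
        """Who accessed this patient's records, and how many times, within a period."""
        counts: Dict[str, int] = {}
        for entry in self.entries:
            t = datetime.fromisoformat(entry["access_at"])
            if entry["patient_id"] == patient_id and entry["permitted"] and since <= t <= until:
                counts[entry["user"]] = counts.get(entry["user"], 0) + 1
        return counts
```

The chain makes deletion, tampering and addition detectable; it does not by itself limit who can read the log (item C.7), which still needs file permissions or a separate log server, and it relies on every writer having a synchronized clock (item C.8), which is why a backwards timestamp is reported as a problem rather than silently accepted.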
6.6 Human Security Measures

B. Concept

To reduce the risks of information theft, illegal behavior, and illegal use of information facilities, a Medical Institution needs to work out human security measures for preventing human errors. These measures include regulations about penalties for violating the obligation of secrecy and also matters concerning education and training. In relation to a health information system, the following 5 types of parties shall be assumed:

(a) Physician, nurse, or any other party handling clinical information in business and legally obligated to keep secrecy
(b) Medical affairs division staff or paperwork entrusted party engaged in paperwork at a Medical Institution or handling health information and obligated to keep secrecy under a contract of employment
(c) System maintenance agent or other party engaged in work at a Medical Institution with no contract of employment
(d) Visitor or any other third party not authorized to access health information
(e) Party engaged in data management business under external storage entrustment of clinical records, etc.

Of the above, (a) and (b) are explained as human security management measures from the viewpoint of an employee at a Medical Institution, and (c) is explained as human security management measures from the viewpoint of an entrusted party obliged to keep secrecy. The third party described in (d) should not touch the health information system at a Medical Institution. Therefore, system access should be prohibited by physical and technical security management measures. If information should leak from a system through a third party, appropriate measures must be taken as specified by the laws and other regulations prohibiting illegal access. (e) is an organization entrusted with external storage. This is detailed in Chapter 8.

1 Human Security Management Measures for Employees

C. Minimum Guidelines

The manager at a Medical Institution must ensure that measures pertaining to the security management of personal information are taken appropriately and must supervise the status of those measures. Therefore, the following actions shall be taken:

1 When employing persons not legally obligated to keep secrecy as office staff, a confidentiality and non-disclosure contract shall be concluded for security management.
2 Staff shall be educated and trained periodically about the security management of personal information.
3 Personal information protection regulations shall be prescribed for staff after retirement.

D. Recommended Guidelines

1 In a server room or any other place important for management, the behavior of staff shall be controlled by monitoring.

2 Supervision of Paperwork Entrusted Party and Confidentiality Contract

C. Minimum Guidelines

1 When paperwork or operation at a Medical Institution is entrusted to an external operator, the following actions shall be taken for appropriate personal information protection inside the Medical Institution:
- Conclude a confidentiality contract, endorsed by working rules or other documents, that stipulates comprehensive rules of punishment for the entrusted operator.
- Check the workers, work contents, and work results when a health information system is accessed directly for maintenance, etc.
- Make a periodic check after work, such as cleaning, where a health information system is not accessed directly.
- Clarify whether the entrusted operator will re-entrust the work and, in the case of re-entrustment, ensure measures and a contract on personal information protection equivalent to those of the entrusted operator.
2 If external maintenance staff inevitably access a clinical record or other personal information to recover saved data from a program error, the confidentiality contract endorsed by working rules with a provision for punishment shall be observed.
6.7 Discard of Information

B. Concept

Electronic information related to health care requires the assurance of security even after being discarded. Information should be discarded securely. If information exists in mutual relation, as in a database, it must also be noted that the inappropriate discard of part of the information may make other information unavailable. For actual discard, a discard procedure should be clarified in advance.

C. Minimum Guidelines

1 A discard procedure shall be prescribed for each information type classified in 6.1, "Establishment and Announcement of Policies." The procedure shall include discard conditions, identification of the employees permitted to discard, and a specific discard method.
2 A person with expertise shall discard information processing equipment itself after checking that no readable information remains.
3 If discard is entrusted to an external storage organization, the entrusting Medical Institution shall confirm the secure discard of information in accordance with "(2) Supervision of paperwork entrusted party and confidentiality contract" in 6.6, "Human Security Measures."
4 The operation and management regulations shall prescribe the following:
(a) Creation of regulations prescribing the discard of unnecessary media including personal information
6.8 Alteration and Maintenance of Information System

B. Concept

To maintain the availability of a health information system, periodic maintenance is necessary. The main scope of maintenance work is troubleshooting, preventive maintenance, and software revision. Particularly in troubleshooting, data from the time the trouble occurred may be used to identify or analyze the cause. In this case, sufficient measures are necessary because system maintenance staff may directly touch health information in manager mode. More specifically, the following threats exist:

- In terms of personal information protection: exposure by removing repair records, or a third party prying into or removing data during analysis at a maintenance center, etc.
- In terms of genuineness: intentional data tampering by malicious use of the manager authority, erroneous data alteration, etc.
- In terms of human readability: intentional machine stop, erroneous service stop, etc.
- In terms of storability: intentional destruction or initialization of media, or erroneous initialization of media or data overwrite, etc.

For data protection from these threats, maintenance work must be executed under appropriate management by the Medical Institution. In other words, mainly operational measures are necessary: conclusion of a confidentiality contract with the maintenance company, registration and management of maintenance workers, management of work plans and reports, supervision of workers by staff of the Medical Institution, etc. Since the maintenance company may re-entrust some maintenance work to an external operator, it is important to state in the contract with the maintenance company that a re-entrusted operator should conclude an equivalent contract for thorough personal information protection.

C. Minimum Guidelines

1 When data including personal information is used for a performance check, an obligation of confidentiality shall be set clearly and the secure deletion of the data shall also be requested.
2 When a worker from a maintenance company accesses a server for maintenance, a dedicated account prepared for the individual maintenance worker shall be used. When workers access personal information, a work record shall be created which describes the accessed personal information. This also applies to identification and authentication for an operation check that simulates a system user.
3 Appropriate management of the account shall be demanded to prevent its illegal use due to leakage, etc.
4 Reporting from the maintenance company shall be required so that a maintenance account can be deleted immediately if the maintenance worker quits the job or is assigned to a different position. For this purpose, an account management system shall be created.
5 For maintenance, the maintenance company shall be required to submit a written daily work application in advance and a work report immediately at the end. These documents require approval by the person responsible at the Medical Institution each time.
6 A confidentiality contract shall be concluded with and observed by the maintenance company.
7 A maintenance company should not take data including personal information out of the organization. If this is inevitable, however, the operation and management regulations shall be required to prescribe its handling, including measures against mislaying. Taking out such data requires approval by the person responsible at the Medical Institution each time.
8 At system alteration or maintenance by remote maintenance, an access log shall always be collected and the person responsible at the Medical Institution shall check the work contents immediately after the said work.
9 In the case of re-entrustment, the maintenance company shall confirm that the re-entrusted operator has an obligation equivalent to that of the maintenance company.

D. Recommended Guidelines

1 A detailed operation record shall be created as a maintenance operation log.
2 Maintenance work shall be done with a witness from the Medical Institution.
3 Each worker and the maintenance company shall be required to conclude a confidentiality contract.
4 A maintenance company should not take data including personal information out of the organization. If this is inevitable, however, the maintenance company shall be required to create a detailed work record and receive an audit by the Medical Institution as required.
5 As a means of checking logs related to maintenance work, there shall be a mechanism for displaying accessed clinical records and other identification information in time-series order, from which it is possible to check which patient's information was accessed, and how many times, within a specified time.
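Items C.2, C.4, C.5 and C.8 above in effect define a check the responsible person can run after each remote maintenance session: every login must come from a registered per-worker account that the company has not reported as left or reassigned, and must fall inside an approved written work application. The following Python is an added example, not from the guideline or any maintenance product, of that reconciliation over a constructed log; the log line format, account names, server names and addresses are all assumed.

```python
"""Reconcile a remote-maintenance access log against the maintenance account
register and the approved daily work applications.  Constructed example: the
log format, accounts, hosts and addresses are assumed."""
import re
from datetime import datetime
from typing import Dict, List

# Constructed register: one account per individual worker, with the status the
# maintenance company last reported to the institution (item C.4).
MAINTENANCE_ACCOUNTS: Dict[str, Dict[str, object]] = {
    "mnt-tanaka": {"company": "ExampleMaint", "active": True},
    "mnt-suzuki": {"company": "ExampleMaint", "active": False},  # reported as reassigned
}

# Constructed daily work applications approved by the responsible person (item C.5).
WORK_APPLICATIONS = [
    {"account": "mnt-tanaka", "server": "emr-db01",
     "start": "2009-03-02 13:00", "end": "2009-03-02 15:00", "approved_by": "responsible person"},
]

# Constructed log in an assumed "date time account server event [details]" format.
SAMPLE_LOG = """\
2009-03-02 13:05:12 mnt-tanaka emr-db01 LOGIN src=203.0.113.10
2009-03-02 13:40:03 mnt-tanaka emr-db01 QUERY table=patient_master
2009-03-02 14:55:40 mnt-tanaka emr-db01 LOGOUT
2009-03-02 16:20:01 mnt-tanaka emr-db01 LOGIN src=203.0.113.10
2009-03-02 16:21:30 mnt-tanaka emr-db01 LOGOUT
2009-03-02 17:02:11 mnt-suzuki emr-app02 LOGIN src=203.0.113.11
2009-03-02 17:30:00 maint emr-db01 LOGIN src=198.51.100.7
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (\S+) (\S+)(?: (.*))?$")


def parse_log(text: str) -> List[dict]:
    """Parse log lines; lines not in the expected format are skipped here
    (a production check would report them as well)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, account, server, event, detail = m.groups()
        entries.append({"raw_ts": ts, "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        "account": account, "server": server, "event": event,
                        "detail": detail or ""})
    return entries


def _in_window(ts: datetime, app: dict) -> bool:
    start = datetime.strptime(app["start"], "%Y-%m-%d %H:%M")
    end = datetime.strptime(app["end"], "%Y-%m-%d %H:%M")
    return start <= ts <= end


def reconcile(text: str) -> List[str]:
    """One finding per log entry that the responsible person must follow up."""
    findings = []
    for e in parse_log(text):
        acct = e["account"]
        where = f"{e['raw_ts']} {acct}"
        info = MAINTENANCE_ACCOUNTS.get(acct)
        if info is None:
            findings.append(f"{where}: account not registered to an individual worker")
            continue
        if not info["active"]:
            findings.append(f"{where}: account of a worker no longer assigned; it should have been deleted")
            continue
        apps = [a for a in WORK_APPLICATIONS if a["account"] == acct and a["server"] == e["server"]]
        if not any(_in_window(e["ts"], a) for a in apps):
            findings.append(f"{where} on {e['server']}: no approved work application covers this access")
    return findings


def data_accesses(text: str) -> List[dict]:
    """Events that touched stored data; the work record must describe these (item C.2)."""
    return [e for e in parse_log(text) if e["event"] == "QUERY"]
```

Run against the constructed log, the check passes the three events inside the approved window, reports the two logins after the window ended, the login by the account of a worker reported as reassigned, and the login by the shared name "maint" that belongs to no individual, and lists the one data access that the work report has to account for.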
6.9 Taking out Information and Information Equipment

B. Concept

Leakage of personal information is now being reported when an employee of a Medical Institution or a maintenance worker takes information or information equipment out. Information may be taken out on an information terminal such as a notebook PC, or on portable information recording media like a floppy disk or USB memory. Information equipment may also include equipment that hardly stores information itself but handles it by accessing a server through a network. It is important to grasp information appropriately as prescribed in 6.2.2, "Grasp of Handled Information," of 6.2, "Implementation of Information Security Management System (ISMS) at a Medical Institution," and to conduct risk analysis as prescribed in 6.2.3, "Risk Analysis." Then it should be judged whether the grasped information or information equipment may or may not be removed from the Medical Institution. For information or information equipment that may be removed, necessary measures shall be taken. If information is appropriately grasped and its risks analyzed, the management status of the information or information equipment becomes clear. For example, if information requires approval for removal and information equipment requires registration, the management status can be checked. If information is removed, stored on portable media, and handled on a private PC or other information equipment not under the control of the Medical Institution, information may leak due to a computer virus, inappropriately configured software (Winny, etc.), or illegal external access. In this case, since the information equipment is basically private property, it is difficult to grasp or regulate the handling of such equipment. However, the person responsible for information at the Medical Institution should grasp how the information is handled. Under these circumstances, organizational measures are necessary for the removal of information or information equipment.

A Medical Institution requires organizational policies relating to the removal of information or information equipment. Even a small-scale Medical Institution with no organizational information management system should conduct risk analysis and discuss measures, since information may be removed on portable media or information equipment. The risks unique to the removal of information on portable media or information equipment should be noted. Removal of information produces relatively greater risks, such as the theft, loss, or mislaying of portable media or information equipment due to human carelessness or mistake, than the vulnerabilities of an information system installed at a Medical Institution. Therefore, organizational policies should be determined and human security measures should be taken regarding the removal of information or information equipment.

C. Minimum Guidelines

1. The organization shall conduct risk analysis and prescribe policies concerning the removal of information and information equipment in the operation and management regulations.
2. The operation and management regulations shall prescribe how to manage the removal of information and information equipment.
3. The operation and management regulations shall prescribe the actions to take when portable media or information equipment storing information is stolen or lost.
4. Employees shall be well notified of and educated about the actions on theft or loss prescribed in the operation and management regulations.
5. A Medical Institution or its information manager shall keep track of portable media or information equipment with a ledger or by other means.
6. A boot password shall be set on information equipment. For this setting, necessary measures shall be taken, such as avoiding a password that is easy to guess or changing the password periodically.
7. As measures against theft and loss, the information shall be encrypted or an access password shall be set so that the contents cannot be read easily.
8. When information equipment taken out is connected to a network or other external media, anti-virus software shall be installed or a personal firewall shall be used to protect the information terminal from information leakage or tampering. For network connection, the provisions in 6.11, "Security Management at External Exchange of Health information Including Personal Information" shall be observed.
9. Information that has been removed shall not be handled on information equipment where file exchange software (Winny, etc.) is installed. This kind of software shall not be installed on information equipment under the control of a Medical Institution.
10. When information is removed from a Medical Institution, even private information equipment (PC, etc.) shall satisfy requirements equivalent to 6 to 9 above, under the responsibility of the manager.

D. Recommended Guidelines

1. To avoid information exposure by external spying, an anti-spy film shall be affixed to the display of information equipment.
2. At information equipment login or information access, several authentication elements shall be used in combination.
3. All portable media and information equipment for information storage shall be registered, and the removal of information on unregistered equipment shall be prohibited.
6.10 Emergency Action in Disasters or Other Incidents B. Concept Even if a health information system fails, a Medical Institution must give top priority to a health care service that gives careful consideration of patients safety. This section describes the situation when a health information system is put out of ordinary use by an IT fault due to natural disasters or cyber attacks listed in " Health information system itself" of 6.2.3, "Risk Analysis." "Out of ordinary use" means that the system itself malfunctions or stops, or that the operating environment becomes unsteady. In the former case, the health information system is damaged and its reduced operation or stop may disturb the health care service. In the latter case, a natural disaster causes many casualties and necessitates more health care service. Even when the health information system is normal, a serious work inconvenience may occur under ordinary access control. In this case, personal information protection can be interpreted as "life and physical protection without personal consent." Business continuity plan (BCP) in emergencies Since appropriate decision making cannot be expected during an emergency, it is preferable to do decision making and preparation as much as possible in advance. It is difficult to classify emergency situations appropriately and preferable to verify planned contents wherever possible by preliminary practice, etc. BCP at health care facilities requires general consistency, including a plan regarding a health information system. For your reference, the general items for developing and implementing BCP are given below. Items to be known in advance for BCP Notification of measures should be given in advance for reliance. Policy and plan Emergency situations should be understood and defined. 
Means of detecting emergency situations Disaster or fault detection function and means of checking occurrence information Emergency team contact list, means of contact, and handling tools Documents and information to be published in the case of an emergency BCP implementation phase 64
When the occurrence (or possibility) of a disaster or accident is detected, it is judged whether to execute the BCP or to handle the event as an ordinary fault. If BCP execution is judged necessary, relevant persons are gathered, emergency headquarters are set up, parties concerned are contacted and requested to cooperate, and the system is switched over or reduced in preparation. For example, the system may be disconnected from the network for standalone use, or operations may be carried out on paper. The liaison arrangement with an entrusted operator and the method of troubleshooting together with that operator shall be clarified. Specific items are "working out basic policy," "checking phenomena," "ensuring and confirming security," and "checking the degree of influence."

Work restart phase

This phase runs from the initial execution of the BCP until the work is restarted and restored to the normal level by substitute means, such as a backup site and manual work. Points at this phase are secure switching to substitute means, promotion of recovery, shifting of necessary personnel and other human resources, checking of BCP execution status, and reviewing of the BCP basic policy. The most urgent work (key work) is restarted first. Specific items are "securing human resources," "securing substitute facilities and equipment," "compatibility of restart and recovery activities," and "measures against new risks caused by risk measures."

Work recovery phase

This phase further extends the range of work after the most urgent work and functions have been restarted. Since the range of work is extended using substitute equipment and substitute means, careful judgment that takes confusion in the field into account is the important point at this phase. Specific items are "estimating the range of extension," "checking the influence of work continuation," "checking the total recovery plan," and "checking limits."

Total recovery phase

This phase switches from substitute equipment back to regular equipment. Careful action is necessary because a judgment or procedural error in total recovery may cause a new interruption of work. Specific items are "judging switching to regular operation," "rechecking the recovery procedure," "framing check items," and "generalization."
BCP review

After returning to a normal situation, problems related to the BCP should be reviewed and discussed. In an emergency, it is not rare for events that are not usually predicted to occur. Successful and unsuccessful points concerning the actual actions taken should be evaluated and reflected upon frankly, and the BCP should be reviewed to prepare for a future emergency.

Use of health care system in an emergency

Preparation of user account for emergency

As in the case of a power failure, fire, or flood, certain measures are necessary to cope with a problem in which normal user authentication is disabled. Even when the health information system itself is not disabled, measures should be prepared for the case in which access by a formally authorized user may not be possible because the user's situation differs significantly from normal. For example, in the break glass method, a user account is prepared for use in an emergency so that access limits on patient data do not cause a deterioration of the health care service. In this method, the emergency user account is usually kept explicitly sealed. Any use of the account is reported and recorded. After returning to the normal state, the account is in principle replaced with a new emergency user account.

In a disaster, human behavior will differ from ordinary behavior. Functions to deal with emergency cases shall be implemented as required. For example, registration of patients at the reception desk may be made unnecessary in an emergency. Relevant persons should be informed of the above emergency functions so that they are used appropriately in an emergency. On the other hand, such functions may also introduce additional risks. They must be managed and operated carefully to prevent careless use.

C. Minimum Guidelines

1. As part of the BCP to maintain the provision of a health care service, a mechanism for judging an emergency situation and a procedure for returning to a normal situation are necessary.
In other words, the judgment criteria and procedure, as well as who makes the judgment, shall be determined in advance.

2. Rules shall be prepared for reconciling data with the substitute means after the return to the normal situation.

3. Operation of information system in emergencies: Management procedures shall be framed for emergency user accounts and emergency functions. Emergency functions shall be managed and audited appropriately so that they are not used in normal situations and so that their use becomes known to many people. If an emergency user account has been used, it is changed after the return to a normal situation so that it cannot continue to be used.

4. If a cyber attack disturbs a health care service system, for example by disabling part of health care over a wide area, it shall be reported to the competent authorities.

6.11 Security Management at External Exchange of Health information Including Personal Information

B. Concept

This section describes what should be particularly noted regarding personal information protection and network security when information is exchanged outside an organization. The information exchange is not only two-way transmission but also one-way transmission. Examples of external clinical information exchange are:

Medical Institutions, pharmacies, and test companies interlinked through a network for the exchange of local health care clinical information;
ASP and SaaS type services connected through a network to an audit and payment organization used to claim medical insurance fees;
access to the information system at a Medical Institution by an employee who connects a mobile terminal, such as a notebook PC, for work, or by a patient following access permission.

For external health information exchange through a network, information should be delivered accurately from the sender to the receiver by satisfying the requirements of "correct destination," "correct contents," and "method not allowing eavesdropping." In other words, the above requirements should be ensured on the communication channel from the sender's transmission equipment to the receiver's reception equipment.
The medical information must be protected from such threats as spoofing of the sender or receiver, tapping and tampering of communication data, and intrusion into or interference with the communication channel. These guidelines are not written on the assumption of all such scenarios but cover several cases concerning a network connection for the exchange of health information. Personal information protection and network security in information exchange through a network are described separately because their points of view are different. For information transport using portable media or paper, see Additional Clauses 1 and 2.

B-1. Notes at Medical Institutions

Within the responsibilities described in 4.2, "Demarcation of Responsibility in Entrustment and Provision to Third Party" in Chapter 4, "Responsibility for Handling Electronic Health information," this section summarizes what a Medical Institution should note when transmitting health information, including clinical information, through a network. Medical Institutions should be clearly aware that the sender Medical Institution is responsible for the management of health information until the information has been transmitted. This applies throughout the flow of appropriate information delivery from the sender Medical Institution to the receiver institution through a network provided by a communication operator. To clarify, the responsibility of management is to validate the contents of the electronic information (securing authenticity) and its creator. In other words, the coping method is different from that described later in "B-2. Proposal of Network Security to Be Selected." For example, encryption here is a measure applied to the health information itself so that a third party cannot read the communication data transmitted from the sender to the receiver even when the data is tapped on the communication channel. Attaching an electronic signature to detect tampering is another such measure. This security relating to the information contents may be called object security. Encryption in "B-2. Proposal of Network Security to Be Selected" is a measure applied to the network channel so that information cannot be spied on during transmission. This security relating to information on a line may be called channel security.
From this point of view, a sender Medical Institution is responsible for appropriately protecting the information when transmitting it, and should note the following:

Measures Against the Threat of Tapping

The risk of tapping should be assumed whenever information is transmitted through a network. Information is tapped in various ways. For example, a detour is inserted in the middle of the transmission path through the network, or a physical device is attached to network equipment. These are obviously crimes and Medical Institutions cannot always be blamed for them, though they may be responsible for an unintentional leak of information or for a transmission error due to the inappropriate setting of network equipment. Since there are a large number of possible scenarios, appropriate action should be taken by the Medical Institution to protect health information even in the case of tapping during transmission, an unintentional leak of information, or a transmission error. One such method is to encrypt the health information. Encryption here refers to the aforementioned encryption of the information itself (object security). The type and timing of encryption are difficult to prescribe uniformly in guidelines because they depend on the confidentiality of the information to be transmitted and on the operation method of the information system at the Medical Institution. However, it is preferable that the information is encrypted at least before it is transmitted from the facilities of the Medical Institution. This prevention of tapping also applies to maintenance by remote login. In this case, the Medical Institution shall be responsible for confirming the above notes and supervising the entrusted maintenance operator.

Measures Against the Threat of Tampering

For information transmission through a network, the proper contents must be delivered to the receiver. Transmitting encrypted information reduces the risk of tampering. However, it is important to note that a fault on the communication channel may alter data, whether intentionally or not. Depending on the network configuration described later in "B-2. Proposal of Network Security to Be Selected," the network itself may not have sufficient functions to maintain confidentiality. Therefore, reliable measures should be taken against tampering. An electronic signature may also be used to detect tampering.

Measures Against the Threat of Spoofing

For information transmission through a network, the sender Medical Institution must check that the receiver is the intended institution. Conversely, the receiving institution must check that the sender is the intended Medical Institution and that the received information actually comes from that sender Medical Institution, since communication over a network is not face to face. As an example of a method for appropriately identifying the institutions at the start and end points of the communication, mutual authentication can be performed at both ends of the network by using an established authentication mechanism, such as a public key cryptosystem or a shared key cryptosystem. To verify the sender while also preventing tampering, an electronic signature may be applied to the health information. To cope with the above threats from cyber attacks, see 6.10, "Emergency Action in Disasters or Other Incidents."

B-2. Proposal of Network Security to Be Selected
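As an added illustration of the object-security measures in B-1 (encrypting the health information itself against tapping, and attaching an electronic signature so that tampering is detected and the sender is verified), the following Go program is example code written for this page; it is not code from the guidelines or from any institution or product. It assumes a 32-byte symmetric key already shared between the two institutions, an Ed25519 signing key pair held by the sender whose public key the receiver already trusts, and AES-256-GCM as the encryption method; the record, keys and function names are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is the unit of object security: the record travels encrypted under a
// key shared by the two institutions, and the sender's signature covers nonce and
// ciphertext so the receiver can verify the sender and detect any alteration.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
	Signature  []byte
}

// check aborts on programming errors (bad key length, failed random source).
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newGCM builds an AES-256-GCM instance from the 32-byte shared key (assumed).
func newGCM(sharedKey []byte) cipher.AEAD {
	block, err := aes.NewCipher(sharedKey)
	check(err)
	gcm, err := cipher.NewGCM(block)
	check(err)
	return gcm
}

// Seal encrypts the record (measure against tapping) and signs nonce||ciphertext
// with the sender's Ed25519 private key (measure against tampering and spoofing).
func Seal(record, sharedKey []byte, senderPriv ed25519.PrivateKey) *Envelope {
	gcm := newGCM(sharedKey)
	nonce := make([]byte, gcm.NonceSize())
	_, err := rand.Read(nonce)
	check(err)
	ct := gcm.Seal(nil, nonce, record, nil)
	sig := ed25519.Sign(senderPriv, append(append([]byte{}, nonce...), ct...))
	return &Envelope{Nonce: nonce, Ciphertext: ct, Signature: sig}
}

// Open verifies the signature against the public key of the institution the
// receiver expects and only then decrypts, so a forged or altered envelope is
// rejected before any plaintext is produced.
func Open(env *Envelope, sharedKey []byte, expectedSender ed25519.PublicKey) ([]byte, error) {
	signed := append(append([]byte{}, env.Nonce...), env.Ciphertext...)
	if !ed25519.Verify(expectedSender, signed, env.Signature) {
		return nil, errors.New("signature invalid: unexpected sender or tampered envelope")
	}
	record, err := newGCM(sharedKey).Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("decryption failed: ciphertext corrupted")
	}
	return record, nil
}

// Demo runs the exchange on constructed sample data and reports whether the honest
// transfer succeeds, a ciphertext altered on the channel is rejected, and an
// envelope signed by a different party is rejected.
func Demo() (delivered, tamperDetected, spoofDetected bool) {
	// Constructed sample values only; not a real record or real keys.
	record := []byte(`{"patient_id":"SAMPLE-0001","result":"HbA1c 6.1%"}`)
	sharedKey := make([]byte, 32)
	_, err := rand.Read(sharedKey)
	check(err)
	senderPub, senderPriv, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	_, imposterPriv, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	// 1. Honest transfer between the two institutions.
	env := Seal(record, sharedKey, senderPriv)
	got, err := Open(env, sharedKey, senderPub)
	check(err)
	delivered = bytes.Equal(got, record)
	// 2. One ciphertext byte altered on the channel: the signature no longer matches.
	tampered := &Envelope{Nonce: env.Nonce, Ciphertext: append([]byte{}, env.Ciphertext...), Signature: env.Signature}
	tampered.Ciphertext[0] ^= 0x01
	_, err = Open(tampered, sharedKey, senderPub)
	tamperDetected = err != nil
	// 3. Spoofing: a party holding the shared key but not the sender's signing key.
	forged := Seal(record, sharedKey, imposterPriv)
	_, err = Open(forged, sharedKey, senderPub)
	spoofDetected = err != nil
	return
}

func main() {
	d, t, s := Demo()
	fmt.Println("delivered:", d, "tamper detected:", t, "spoof detected:", s)
}
```

Seal and Open know nothing about the transport, which is the point of object security: the same envelope can cross a leased line, an IP-VPN or the open Internet, and the receiver's checks do not change. Distribution of the shared key and the binding of a public key to a named institution are assumed to be handled out of band, for example under the contract between the two institutions.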
In "B-1. Notes at Medical Institutions," object security was mainly explained as protection of the information from threats. Here, channel security is explained as protection of the communication channel from threats. Regarding the network security that should be selected for external health information exchange through a network, the demarcation point of responsibility should first be clearly stated, and the proposal should be discussed from a viewpoint different from that of "Notes at Medical Institutions." Here, the network extends from the external network connection point of the information sender Medical Institution to the external network connection point of the information receiving Medical Institution, or to the external connection point through which the information system at a Medical Institution is accessed for work or following access permission from a patient. This does not refer to the LAN within a Medical Institution. As mentioned in 4.2, "Demarcation of Responsibility in Entrustment and Provision to Third Party" in Chapter 4, "Responsibility for Handling Electronic Health information," however, it is obligatory to note and check the possibility of unintentional information leakage due to the network configuration or channel design of the connected Medical Institution.

When setting up a network for external health information exchange, a Medical Institution should check the confidentiality of the information to be exchanged. Reliable security measures are essential for exchanging health information. However, excessive security measures for information of low confidentiality, such as treatment reservation data handled by a reservation system, will increase costs or make operations impractical. In other words, a network appropriate in cost and operation should be selected after an analysis of information security. Based on the above, it should be clarified in the contract whether the demarcation point of responsibility for network security lies with the operator providing the network, with the Medical Institution, or is shared between them. The proposal can roughly be categorized into the following two cases:

Line operator and online service provider ensuring security on the network channel

Line operators and online service providers provide network services while ensuring security on the network. Most of these are of the closed network connection type mentioned later. Nowadays even an open network may be provided by a communication operator as a network with an encrypted communication channel, like an Internet-VPN service. For this kind of network, a Medical Institution can entrust most of the responsibility for managing security on the communication channel to these operators. Of course, the Medical Institution itself must still check the security management of its own system with the due care of a good manager, in accordance with the regulations on organizational, physical, technical, and human security management.

Line operator and online service provider not ensuring security on the network channel

Medical Institutions may, for example, install network connection equipment by mutual consent and connect to each other through the Internet. In this case, the line operator and online service provider take no responsibility for the security of the network. In addition to the security management described above, appropriate management of the installed network connection equipment, appropriate encryption of the communication channel, and other measures are necessary. Therefore, all possible measures should be taken to prevent persons without accurate network knowledge from building the network or from causing threats to health information. Consequently, it is necessary to establish a means of securely verifying the equipment installed at the information sender and receiver institutions, the information terminals installed within a Medical Institution, the functions installed on these terminals, and also the terminal users. Institutions that exchange information with each other must conclude a contract regarding the handling of information, create operation and management regulations against threats that are stricter than when security on the network channel is entrusted to a communication operator, and appoint a dedicated person in charge.

When exchanging health information through a network, a Medical Institution should select a network with an understanding of the demarcation point of responsibility. After understanding the characteristics of the security technology to be selected and recognizing the acceptable range of risks, it is also necessary, from the viewpoint of accountability, to explain the risks to patients as required. Since there are various forms of network services, some of them are assumed and described below.
Even in the assumed cases, there are several connection forms depending on the mobile terminal, the network connection service, or their combination when a Medical Institution is accessed from outside using a so-called mobile terminal, such as a mobile phone, PHS, or portable computer. The idea is summarized in "III. External Connection to a Medical Institution with Mobile Terminals, etc."

I. Connection by Closed Network

A closed network here refers to a network dedicated to specific work. It is defined as a network not connected to the Internet. The forms of connection for this kind of network are leased line, public network, and closed-area IP communication network. These networks are in principle not connected to the Internet, and the risks of tapping, intrusion, tampering, and interference during communication are comparatively low. Since the risks of information tapping by the physical techniques described in B-1, "Notes at Medical Institutions," cannot always be eliminated, encryption of the transmitted information itself should be considered. It is also necessary to apply anti-virus pattern definition files and OS security patches appropriately and to confirm the security of the computer system. The features of each connection method are explained below.

Connection by Leased Line

A leased line connection is a 24-hour network connection to a contracted organization with guaranteed quality between two points. Since the communication operator guarantees network quality, communication speed (bandwidth), and other parameters, a leased line keeps the two sites connected and is used to transmit a great volume of information or large-capacity information. The quality is good, but this form of network connection is poor in extensibility and generally costly. Therefore, implementation should be decided by balancing the importance and volume of the information being exchanged.

[Fig. B-2-: Connection by leased line. Medical Institution (Sender) and Medical Institution (Receiver) linked by a leased line.]

Connection by Public Network

Public network connection is a form of connection over a public network through a switching system, such as an integrated services digital network (ISDN) or dial-up connection. The connection form assumed here requires no connection to an Internet service provider (hereinafter, ISP); instead, the information sender specifies a phone number for direct connection with the information receiver. In the case of connection through an ISP, the part after the ISP becomes a so-called Internet connection, so the requirements described later in "II. Connection by Open Network" apply. In this connection form, the destination is dialed directly to establish the network connection.
If there is a mechanism for checking the phone number before the network connection is established, communication with the destination can therefore be set up securely. Meanwhile, the range of application should be identified appropriately, because this connection is not suitable for transmitting a large volume of information or large-capacity information such as images, owing to disadvantages such as the risk of connection or transmission errors when there is no phone number check mechanism, low extensibility like a leased line connection, and low communication speed compared with current broadband connections.

[Fig. B-2-: Connection by public network. Medical Institution (Sender) and Medical Institution (Receiver) each connected by ISDN or dial-up to the public network.]

Connection by Closed-Area IP Communication Network

A closed-area IP communication network, as defined here, is a connection form in which the communication line linking the wide-area network owned by a communication operator and the communication equipment installed at a Medical Institution is not shared with any other network service. In these guidelines, this kind of connection service is called an Internet Protocol-Virtual Private Network (IP-VPN) and is handled as a closed network. Any connection form not complying with this is regarded as an open network. A closed network is mainly used as a corporate LAN, also covering remote sites, when an information sharing network is constructed between the main and branch offices of a company. A single entity is often responsible for this kind of network. This connection form can be implemented at a lower cost than a leased-line connection. Depending on the type of contract and service, a wide band can be secured to transmit a large volume and capacity of information.

[Fig. B-2- -a: Connection by closed-area network of a single communication operator. Medical Institution (Sender) and Medical Institution (Receiver).]
[Fig. B-2- -b: Interconnection of closed-area networks in the middle. Medical Institution (Sender), connection point, Medical Institution (Receiver).]

These three types of closed network are very safe because there is no possibility of intrusion from outside. However, closed-area networks of different communication operators may be interconnected through a connection point. In the case of interconnection through a connection point, the address of the receiver of the information may be interpreted once at the connection point, or new information may be added for delivery of the information from the sender to the receiver. We cannot deny the possibility of an accidental leak of information at this point. Although accidentally leaked information will not spread because of the Telecommunications Business Law, such an accident must be avoided from the viewpoint of the medical professions' obligation of confidentiality. In addition, a Medical Institution is connected to a closed-area IP communication network, and since the degree of security may generally change at the demarcation point of responsibility, special care is necessary. For these connection services, the information to be sent is generally not encrypted. Even when a closed network is selected, however, information to be sent to another institution should be encrypted to make it illegible, in accordance with B-1, "Notes at Medical Institutions." In addition, a mechanism for detecting tampering should be implemented.

II. Connection by Open Network

This is a form of connection via the Internet. Considering the current popularity of broadband, the open network is expanding its range of application as a way to reduce implementation costs and construct a mechanism for broad local medical linkage. In this case, adequate security measures are necessary because the communication channel is subject to various threats, such as tapping, intrusion, tampering, and interference. In addition, the health information itself must be encrypted. In other words, measures complying with the proposal of object security should be taken. As mentioned at the beginning of B-2, line operators and online service providers may provide an open network service while ensuring the security of the network channel against these threats. When using this kind of service, a Medical Institution can entrust most of the responsibility for management of the communication channel to these operators. Therefore, it is also possible to use such a service after clarifying the demarcation point of responsibility for management in the contract, etc.

When using its own open network to exchange health information, including the external exchange of personal information, a Medical Institution is almost totally responsible for management. Therefore, Medical Institutions should implement their own open networks at their own discretion. It should be noted that it is the responsibility of the institutions themselves to ensure technical security. When an open network is used, the proposal of security concerning the network channel differs depending on at which of the 7 layers defined in the Open System Interconnection (OSI) hierarchical model (*) security is ensured. For details relating to the security of a network channel based on the OSI hierarchical model, refer to the report on the implementation of the Guidelines for the Security Management of Health information Systems by the Healthcare and Welfare Information Secure Network Consortium (HEASNET) in February 2007.

* Open System Interconnection (OSI) Hierarchical Model
OSI, meaning interconnection between open systems, is an international standard protocol model for realizing connections between different systems.

Layer 7, Application Layer: Provides services such as FTP, mail, etc. to users
Layer 6, Presentation Layer: Translates data into a form understandable to humans and suitable for communication
Layer 5, Session Layer: Establishment and release of the data channel
Layer 4, Transport Layer: Prescribed to send data reliably
Layer 3, Network Layer: Management of addresses and selection of routes
Layer 2, Data Link Layer: Prescribed to establish the physical communication channel
Layer 1, Physical Layer: Translates bit data into electrical and physical signals; prescribes the form and characteristics of equipment

When SSL-VPN is used, for example, the channel encryption procedure is carried out at the session layer (Layer 5). There is no problem if the channel is encrypted correctly.
However, there is also a latent risk of tapping during the channel encryption setup that may result in an inappropriate channel being created. When IPSec is used, the channel encryption procedure is carried out at the network layer (Layer 3) or at a lower layer such as Layer 2, and therefore the risk is lower than with SSL-VPN. However, it is necessary to ensure security by using the standard procedure called Internet Key Exchange (IKE) for channel encryption or by taking other measures. For this kind of open-network connection there are various security technologies, and the latent risks depend on the technology implemented. Therefore, when implementing this kind of connection, Medical Institutions should discuss it thoroughly and identify the acceptable range of risks. In many cases, this is entrusted to business operators at network implementation. Medical Institutions should also request explanations of the risks in order to understand them clearly.

[Fig. B-2-: Connection by open network. Medical Institution (Sender) and Medical Institution (Receiver) connected via the Internet.]

III. Connection from Outside Medical Institution with Mobile Terminal, etc.

Here, the security requirements are summarized that relate to external connection to the internal network of a Medical Institution with a so-called mobile terminal, such as a mobile phone, PHS, or portable computer. Regarding external connection, various cases can be considered, including access for maintenance or for business by staff of a Medical Institution, described in 6.8, "Alteration and Maintenance of Information System," and access by a patient, described in B-3, "Proposal of a Network for Providing Health information to Patients and Others" of this chapter. Therefore, it is important to clarify the correspondence between the mobile terminals and network connection services in actual use and the connection forms explained in this chapter. Fig. B-2- shows a bird's-eye view of the connection forms now available for connecting to the internal network of a Medical Institution from outside.
[Fig. B-2-: Connection forms in mobile environment. The internal network of a Medical Institution has access points reached via the public network, the Internet, a closed-area network (IP-VPN), and a mobile phone/PHS network.]

As Fig. B-2- shows, the connection forms can be categorized into the following three (the circled figures in the parentheses correspond to those in Fig. B-2- ):

1) Direct dial-up connection via public network (telephone network) (, )
2) Connection via Internet (,, )
3) Connection via closed-area network (IP-VPN) (,,, )

This section explains which of these categories the cases explained in "I. Connection by Closed Network" and "II. Connection by Open Network" of this chapter belong to, and also gives security notes for each case.

1) Direct dial-up connection via public network (telephone network)
[Fig. B-2-: Connection form in mobile environment (via public network).]

shows a case where a mobile terminal is connected to a telephone line at home, in a hotel, or anywhere a telephone line is available, and dials up directly to an access point of a Medical Institution. shows a case where a mobile phone, PHS, or a communication card using their carrier waves is connected to the mobile terminal, instead of the telephone line in , to connect through a mobile phone or PHS network. The difference between the cases of and is whether or not the communication is set up through a mobile phone or PHS network. Since both cases correspond to " Connection by public network" in "I. Connection by Closed Network," the security requirements there should be applied. Security is comparatively high because all connections are made via a closed network.

2) Connection via Internet
[Fig. B-2-: Connection form in mobile environment (via Internet).]

shows a case in which a mobile terminal is connected to a telephone line at home, in a hotel, or anywhere a telephone line is available, and the access point of an Internet service provider is dialed up to connect to the access point of a Medical Institution via the Internet. shows a case in which a LAN is connected instead of the telephone line in ( ) at home, in a hotel, or anywhere an Internet connection interface is available. Instead of a wired LAN, a wireless LAN may be used. Connection by a public wireless LAN belongs to this category. shows a case in which the Internet is reached via a mobile phone or PHS network using the service of a mobile phone or PHS service provider. Since all cases from to correspond to "II. Connection by Open Network," the security requirements there should be applied. Measures should be taken to ensure the object security and channel security described in B-1, "Notes at Medical Institutions," because connections are made via an open network. More specifically, when a terminal device more functional than a mobile phone or PHS (a smart phone, etc.) is used as the mobile terminal, it is necessary to check whether SSL/TLS is available on the terminal, whether IPSec and IKE are used on the connection channel, and other details of the service. In all of these cases, operation is based on the assumption of connection from the user's own terminal. However, a terminal at an Internet cafe might also be used to access information at a Medical Institution. This kind of access method is very risky. Medical Institutions should study carefully whether to permit this kind of access as a matter of organizational policy.
3) Connection via closed-area network

[Fig. B-2-: Connection form in mobile environment (via closed-area network).]

Both and show a case where a mobile terminal is connected to a telephone line at home, in a hotel, or anywhere a telephone line is available, and the access point of a closed-area network service provider is dialed up to connect to the access point of a Medical Institution via the closed-area network. is very similar to . However, the dial-up connection goes through an open network (Internet) provider in , whereas in the dial-up connection is made directly to the closed-area network. shows a case where a LAN is connected instead of the telephone line in at home, in a hotel, or anywhere an Internet connection interface is available. Instead of a wired LAN, a wireless LAN may be used. Connection by a public wireless LAN belongs to this category. shows a case where the closed-area network is reached via a mobile phone or PHS network. Connection from the mobile phone or PHS network to the closed-area network is supported by the mobile phone or PHS service provider. Since all cases correspond to " Connection by closed-area IP communication network" in "I. Connection by Closed Network," the security requirements there should be applied. Security is comparatively high because all connections are made via a closed network. In the cases of and , however, the connection goes through an open network (Internet) before reaching the closed-area network. Therefore, some service providers may not be able to ensure channel security in this section. When setting up a network whose channel security relies on a closed-area network, a Medical Institution should check the service provider contract thoroughly in advance so that channel security is ensured reliably.

In addition to the security requirements for the above mobile connection forms, there are unique risks accompanying access to information from outside a Medical Institution itself. These risks include management risks, such as the theft or loss of a mobile terminal storing confidential information, as well as leakage risks, such as spying by a third party while information is being browsed in a public place. For details, see 6.9, "Removing Information and Information Equipment."

B-3. Proposal of Access by Staff from Outside

A Medical Institution may permit its staff to access its health information system from home for work, including telework. The security management requirements regarding the network in this situation have already been described; however, the security management of the PC is also important. Technical measures must be taken even on a private PC and other non-managed terminals to achieve a certain level of security management. It is also important to prescribe the security management of equipment used for access from outside in the operation and management regulations. There are 3 points to consider:

Even on a PC, the confirmation of security management measures requires certain knowledge and skill. However, it is difficult to expect such knowledge and skill from staff.
Appropriate operational inspection and audit are necessary to demonstrate compliance with the operation and management regulations. However, it is usually difficult to inspect and audit access from outside.
Unanticipated effects may occur if a private PC is not managed by the Medical Institution or, in an extreme case, if a PC is shared among an unspecified number of people, or if equipment managed by a Medical Institution is used in a different environment from usual.

The above uses should be avoided. If such uses are inevitable in order to cope with the problem of overworked medical professionals and the shortage of physicians, virtual desktop and other technologies should be adopted. Virtual desktop technology is widely used to provide a securely managed virtual environment on a PC in combination with VPN technology. The operational requirements must be strictly followed.
B-4. Proposal of Network for Providing Health Information to Patients and Others

With the rise in the disclosure of clinical information, it is becoming possible to provide patients (or their families, etc.) with clinical information through a network and to allow clinical information held at a Medical Institution to be browsed. These guidelines deal with the exchange of health information between Medical Institutions; since the provision of information to patients can also be assumed, a proposal for it is given here. The proposal is based on the principle that the Medical Institution itself consents to the provision of information to patients. An operator entrusted with the external storage of clinical and other records shall never provide information without such consent.

When providing clinical information to patients through a network, a Medical Institution must at least understand that the patients browsing the information differ greatly from the institution in both their environment and their knowledge of security. Once information has been provided, not only the Medical Institution but also the patient becomes responsible for it. Because of this significant discrepancy in security knowledge, a Medical Institution which provides information is responsible for explaining the risks sufficiently and clarifying the purpose of the provision. Medical Institutions should understand that they will be held responsible if information leakage or any other accident occurs due to insufficient explanation.

The leased-line and other network connection forms described so far are not practical for providing patients with information, because patients would need leased lines laid to their homes. An open network is generally used for information provision, although tapping and other risks are extremely high and it is difficult to ensure that patients avoid them. Basic notes for Medical Institutions have already been discussed in Chapter 4 and B-1.

For an open network connection, security measures which balance convenience and security are essential. In particular, systems and applications should be isolated so that the internal systems of a Medical Institution cannot be intruded upon through the computer system which provides information to patients. Therefore, firewalls, access monitoring, SSL encryption of communication, PKI personal authentication, and other technologies should be used. When providing information to patients, a Medical Institution must take both network security measures and information system security measures within the institution. The Medical Institution must provide detailed explanations of the risks and purpose of the provision to the patients, who are the subjects of the information. In addition, a range of measures must be developed on various non-IT legal grounds and implemented after the respective responsibilities are clarified.
C. Minimum Guidelines

1 Measures shall be taken to prevent message insertion, virus infection, and other tampering on a network channel. Measures shall be taken to prevent an attacker from tapping a password or text on a channel between facilities. Measures shall be taken to prevent session hijacking, IP spoofing, and other spoofing. Measures that satisfy the above requirements may be those which reserve a secure communication channel by using IPsec and IKE. When setting up a network that relies on a closed-area network for channel security, a Medical Institution shall confirm the closed range of the selected service with the operator.

2 At each necessary point, such as the site entrance or exit, the data sender and receiver should check the equipment used, the functional unit of the equipment used, and the user of the other party. A means of authentication shall be determined from the adopted communication system and the operation and management regulations. As a means of authentication, it is preferable to use PKI, Kerberos keys, pre-distributed common keys, one-time passwords, and other means that are not easy to break.

3 Measures shall be taken to prevent spoofing of formal users and permitted equipment within facilities. For details, refer to the comprehensive description in 6.5, "Technical Security Measures" in these Guidelines on Security Management of Health information.

4 Security-confirmed routers and other network equipment shall be used, and channels shall be set so that communication between VPNs linking different facilities via a router within the facilities is disabled. Security-confirmed equipment means equipment whose documents prescribing security targets under ISO 15408 or similar security measures comply with these guidelines.

5 Security measures, such as encryption of the information itself, shall be taken between the sender and receiver. Such measures include SSL/TLS, S/MIME, and file encryption. Encryption keys of the e-government recommended ciphers shall be used.
6 Not only Medical Institutions but also a large number of other organizations, such as communication operators, system integrators, entrusted operation companies, and equipment maintenance companies performing remote maintenance, are involved in information communication between Medical Institutions. Therefore, the demarcation point of responsibility for these organizations and the location of responsibility for the following shall be clarified in a written contract:

- Determination of the receiver Medical Institution at the time of sending health information, which includes clinical information, and also the initial operation relating to a series of information exchange operations
- Action when the sender Medical Institution cannot connect to the network
- Action when the receiver Medical Institution cannot connect to the network
- Action when a network channel is blocked during transmission or when there is a significant delay
- Action when the receiver Medical Institution cannot store received information correctly
- Action in the case of a transmission encryption problem
- Action in the case of an authentication problem at the sender or receiver Medical Institution
- Responsibility for isolating a faulty section
- Action when the sender or receiver Medical Institution suspends the information exchange

A Medical Institution shall also prescribe the following items in its internal operation and management regulations:

- Clarification of the responsibility for managing communication equipment, encryption devices, and authentication devices
- Coordination and conclusion of a contract, including the demarcation point of responsibility, when management is entrusted to an outside operator
- Clarification of accountability to patients
- Appointment of a dedicated manager for recovery work in the case of an accident and for liaison with other facilities or vendors
- Clarification of the responsibility for managing exchanged health information and also the post-event responsibility
- Items to be notified to both the sender and receiver Medical Institutions in the case of a patient's inquiry concerning the handling of personal information, and also confidential items concerning the handling of personal information

7 For remote maintenance, appropriate access points shall be set, protocols shall be limited, and access authority shall be managed as required to prevent unnecessary logins. For maintenance, see 6.8, "Alteration and Maintenance of Information System."

8 When concluding a contract with a line operator or online service provider, a Medical Institution shall check the scope of responsibility for managing threats, line availability, and other quality factors. Confirmation shall be given when requirements 1 to 4 above have been satisfied.

9 When allowing patients to browse information, a Medical Institution shall isolate systems and applications and use firewalls, access monitoring, SSL encryption of communication, PKI personal authentication, and other technologies so that internal systems cannot be intruded upon through the computer system publishing the information. The Medical Institution shall provide detailed explanations of the risks and purpose of the provision to the patients, who are the subjects of the information. In addition, a range of measures shall be developed on various non-IT legal grounds after the respective responsibilities are clarified.

D. Recommended Guidelines

1 When allowing external access by staff, a Medical Institution shall set operational requirements and use technologies such as virtual desktop, which, combined with VPN technology, realizes a virtually security-managed environment on a PC.
6.12 Electronic Signature for Compulsory Signing and Sealing

A. Institutional Requirements

The term "Electronic Signature" used in this Act refers to a measure taken with respect to information that can be recorded in an electromagnetic record (a record that is prepared in electronic form, magnetic form or any other form not perceivable by human senses and that is used for information processing by computers; hereinafter the same shall apply in this Act), and which falls under both of the following requirements: (1) A measure to indicate that the information was created by the person who has taken such a measure; and (2) A measure to confirm whether such information has been altered. ("Electronic Signatures and Authentication Services Act" Article 2, Clause 1)

B. Concept

Documents legally subject to signature or sealing were excluded from "Notice Concerning the Electronic Media Storage of Clinical and Other Records Legally Subject to Storage" in April 1999 because the Electronic Signatures and Authentication Services Act (hereinafter, the "e-signature Act") had not been established at that time. In May 2000, the e-signature Act was established. This act enabled the documents specified as health care related documents under the e-document Act in the "Ordinance of the Ministry of Health, Labour and Welfare for Enforcement of Act on Utilization of Information and Communications Technology for Document Storage by Private Business Entities Pertaining to Laws and Regulations" to be created and stored with the electronic signature of "A. Institutional Requirements" instead of a signature or seal.

However, health care related documents should allow reliable verification of a signature for a fixed period. Unlike hard-copy signatures or seals, electronic signatures allow the strict verification of (1) and (2) in "A. Institutional Requirements," but not once the electronic certificate has expired or become invalid. With advances in cryptanalysis and computer processing speed, the encryption technology on which an electronic signature is technically based gradually becomes vulnerable. In the medium or long term, transition to a stronger encryption algorithm will be required. For example, the 1024-bit RSA cryptosystem and the SHA-1 hash function currently popular for electronic signatures are scheduled to be withdrawn from governmental information systems. In April 2008, the Information Security Conference determined "Guidelines for Transition of Encryption Algorithms SHA1 and RSA1024 in Information Systems of Governmental Organizations." According to these guidelines, the algorithms will be changed to 2048-bit RSA and SHA-2 in fiscal 2014 and later.

Electronic signatures should allow verification for a fixed period, such as the legal storage period, even if the electronic certificate expires or becomes invalid or the encryption algorithm becomes vulnerable. The documents are supervised by governmental organizations, and their electronic signatures must allow verification by governmental organizations. In recent years, long-term signature systems using digital time stamp technologies have been standardized to enable long-term signature verification and established as JIS standards (JIS X 5092:2008, Long-term Signature Profile of Electronic Signature Using CMS (CAdES); JIS X 5093:2008, Long-term Signature Profile of Electronic Signature Using XML (XAdES)). The long-term signature systems enable signature verification to continue as follows:

1 Ensuring the signature time with a time stamp provided together with the signature (to prove that the signature existed at or before the time of stamping)
2 Storing the verification information (related certificates, expiration information, etc.) at the time of signature
3 Protecting the signed data, signature value, and verification information entirely with a time stamp using a stronger encryption algorithm

Some health information is stored for five years or longer. Also from the aspects of system updates and verification system compatibility, it is preferable to use standard technologies. By using the aforementioned standard technologies, verification of electronic signatures should be supported for the necessary period.

C. Minimum Guidelines

To substitute for a signature or seal on documents legally subject to signature or sealing, electronic signatures must satisfy the following conditions:

1 Electronic signature with an electronic certificate issued by the PKI certificate authority of the health and welfare field or by an acknowledged specific authentication operator that satisfies the compliance audit standards specified by the Ministry of Health, Labour and Welfare

1. The PKI certificate authority of the health and welfare field was constructed as an authentication foundation to store health and welfare related qualifications, such as those of physicians, in electronic certificates. For documents that must certify national qualifications in the health and welfare field, it is preferable to use electronic signatures issued by the PKI certificate authority of the health and welfare field. However, the authentication operators expected to verify such electronic signatures should be able to correctly verify electronic certificates containing national qualifications.
2. The requirement of A can be satisfied even without an electronic certificate issued by an acknowledged specific authentication operator, by a provision of the e-signature Act. In that case, personal identification of equal accuracy is necessary for the verification of an electronic signature by the supervising administrative organization.
3. Based on the Authentication of Electronic Signature by Local Government Act (2002 Law No.153), the public personal authentication service which began on January 29, 2004 can be used. In this case, however, all operators expected to verify such electronic signatures, with the exception of administrative organizations, should be able to verify them by using the public personal authentication service.

2 Time stamping of an entire document including an electronic signature

1. A time stamp complying with the time authentication work standards specified in "Time Business Related Guidelines - For Safe Network Use and Safe Long-term Storage of Electronic Data" (Ministry of Internal Affairs and Communications, November 2004) and acquired from a time authentication operator approved by the Japan Data Communications Association shall be used, and it shall allow verification by a third party.
2. Measures shall be taken to keep a time stamp effective throughout the legal storage period.
3. For the use and long-term storage of a time stamp, appropriate measures should also be taken in the future, in accordance with notices and ordinances from related ministries, standard technologies, and relevant guidelines.

3 Using an electronic certificate effective at the time of the aforementioned time stamping

1. An effective electronic certificate is always essential for an electronic signature. During the legal storage period, an electronic signature itself is expected to provide verification. However, by using a time stamp together with the electronic signature for verification, it is possible to prove that no alterations were made: if the electronic signature could be verified when the time stamp was applied, the signature can be verified thereafter. More specifically, while an electronic signature is valid, the information necessary for its verification (related electronic certificates, expiration information, etc.) should be collected and time-stamped in full, together with the signed document and the signature value.
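The three long-term signature steps above (signature time stamp, stored verification information, and a later archive time stamp with a stronger algorithm) can be traced in the following added example, which is not part of the guidelines or of any JIS profile. It abstracts the signature primitive (the signature value is opaque bytes) and the time-stamping authority (a trusted local function that binds a hash to a date); the certificate validity window, the revocation status captured at signing time, the dates and the algorithm cutoff date are all constructed sample values.

```python
# Added example (not from the guidelines): a model of the long-term signature
# scheme in 6.12.  The signature primitive and the time-stamping authority
# (TSA) are abstracted: the signature value is opaque bytes, and the TSA is a
# trusted local function that binds a hash to a date.  Certificate validity
# and the revocation status captured at signing time are plain data.  All
# dates, names and the algorithm cutoff date are constructed sample values.
import copy
import hashlib
from dataclasses import dataclass, field
from datetime import date


@dataclass
class TimeStamp:
    algorithm: str    # hash algorithm the TSA used for this stamp
    digest: bytes     # hash over the material this stamp protects
    stamped_on: date  # time asserted by the TSA


@dataclass
class LongTermSignature:
    document: bytes
    signature_value: bytes    # opaque signature over the document
    cert_not_before: date     # validity window of the signer's certificate
    cert_not_after: date
    revoked_at_signing: bool  # step 2: revocation status stored at signing time
    timestamps: list = field(default_factory=list)  # oldest first (steps 1 and 3)


# Constructed policy: date from which an algorithm may no longer be the sole
# protection (modelled on the SHA-1 withdrawal schedule the page describes).
WEAK_FROM = {"sha1": date(2014, 4, 1)}


def _material(lts: LongTermSignature, upto: int) -> bytes:
    """Everything the stamp at index `upto` covers: document, signature value,
    verification info and every earlier stamp (step 3: protect it all)."""
    parts = [lts.document, lts.signature_value,
             lts.cert_not_before.isoformat().encode(),
             lts.cert_not_after.isoformat().encode(),
             b"revoked" if lts.revoked_at_signing else b"good"]
    for ts in lts.timestamps[:upto]:
        parts.append(ts.algorithm.encode() + ts.digest + ts.stamped_on.isoformat().encode())
    return b"\x00".join(parts)


def add_timestamp(lts: LongTermSignature, algorithm: str, today: date) -> None:
    """Modelled TSA call: hash the covered material and bind it to `today`."""
    digest = hashlib.new(algorithm, _material(lts, len(lts.timestamps))).digest()
    lts.timestamps.append(TimeStamp(algorithm, digest, today))


def verify_long_term(lts: LongTermSignature, today: date) -> tuple:
    """Return (ok, reason). Verification is done as of the proven signing time,
    so a certificate that has since expired does not invalidate the signature."""
    if not lts.timestamps:
        return False, "no time stamp: signing time cannot be proven"
    for i, ts in enumerate(lts.timestamps):
        if hashlib.new(ts.algorithm, _material(lts, i)).digest() != ts.digest:
            return False, f"time stamp {i} does not match the protected data"
        if i + 1 < len(lts.timestamps) and ts.stamped_on > lts.timestamps[i + 1].stamped_on:
            return False, "time stamps are out of order"
    # A stamp whose algorithm has become weak counts only if a later stamp was
    # applied before the cutoff; the newest stamp itself must still be strong.
    for i, ts in enumerate(lts.timestamps):
        weak_from = WEAK_FROM.get(ts.algorithm)
        if weak_from is None or today < weak_from:
            continue
        if i + 1 == len(lts.timestamps):
            return False, f"newest stamp uses {ts.algorithm}, weak since {weak_from}"
        if lts.timestamps[i + 1].stamped_on >= weak_from:
            return False, f"{ts.algorithm} stamp was re-protected too late"
    signed_by = lts.timestamps[0].stamped_on  # signature existed at this time at the latest
    if not (lts.cert_not_before <= signed_by <= lts.cert_not_after):
        return False, "certificate was not valid at signing time"
    if lts.revoked_at_signing:
        return False, "certificate was revoked at signing time"
    return True, f"verified: signed no later than {signed_by}"


def demo() -> list:
    """Constructed walk-through; returns the boolean results in order."""
    lts = LongTermSignature(
        document=b"discharge summary (constructed sample)",
        signature_value=b"\x01\x02\x03opaque-signature-value",
        cert_not_before=date(2008, 1, 1), cert_not_after=date(2011, 1, 1),
        revoked_at_signing=False)
    add_timestamp(lts, "sha1", date(2009, 6, 1))      # step 1: signature time stamp
    neglected = copy.deepcopy(lts)                     # same signature, never re-protected
    add_timestamp(lts, "sha256", date(2013, 12, 1))   # step 3: archive stamp before cutoff
    tampered = copy.deepcopy(lts)
    tampered.document = b"discharge summary (altered)"
    return [
        verify_long_term(neglected, date(2010, 1, 1))[0],  # True: certificate still in force
        verify_long_term(neglected, date(2012, 1, 1))[0],  # True: cert expired, stamp proves time
        verify_long_term(neglected, date(2015, 1, 1))[0],  # False: sole SHA-1 stamp is now weak
        verify_long_term(lts, date(2015, 1, 1))[0],        # True: archive stamp applied in time
        verify_long_term(tampered, date(2015, 1, 1))[0],   # False: stamps no longer match
    ]
```

Note that the expired-certificate case passes only because the first time stamp proves the signature predates expiry; without that stamp, or with only a SHA-1 stamp left unprotected past the cutoff, verification fails.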
7 Requirements for Electronic Storage

When documents legally subject to storage are stored electronically, it must be ensured that the electronic documents can be handled for everyday health care or audit without problems. In addition, the contents must be sufficiently accurate for use in lawsuits. Since incorrect clinical information is a matter of a patient's life or death, the utmost effort is necessary regarding the accuracy of clinical information. The storage period of documents related to health care is prescribed in various laws and regulations, and documents must be stored safely for the specified period.

The three standards of authenticity, human readability, and storability are presented as the requirements for electronically storing documents legally subject to storage. These requirements should be satisfied from both operational and technical aspects. If one aspect is emphasized over the other, the requirements may be satisfied only at poor cost or the operation may not be streamlined. Comprehensive measures balanced between the two aspects are important. Each Medical Institution is expected to study the operational and technical measures that satisfy the requirements most effectively, having clearly identified its own scale and the characteristics of its departmental and existing systems.

7.1 Securing Authenticity

A. Institutional Requirements

Action shall be taken to enable the identification of alteration or erasure of an electromagnetic record, including its contents, in the due period of storage, and to clarify the location of responsibility for the creation of the electromagnetic record. (Ordinance for Enforcement of the Act for the Utilization of Information and Communications Technology for Document Storage by Private Business Entities Pertaining to Laws and Regulations Under the Jurisdiction of the Ministry of Health, Labour and Welfare, Article 4, Section 4 (2), March 25, 2005)

Securing authenticity: Action shall be taken to enable the identification of alteration or erasure of an electromagnetic record, including its contents, in the storage period, and to clarify the party responsible for the creation of the electromagnetic record. (A) Preventing false input, rewriting, erasure, and confusion, whether intentional or by mistake. (B) Clarifying the location of the responsibility for creation. (Enforcement Notice: Article 2 (3))

"The standards for securing authenticity, human readability, and storability of clinical records and other documents shall be satisfied." (External Storage Amendment Notice: No.2-1 (1))

B. Concept

Authenticity means that a record created with legal authority is protected from false input, rewriting, erasure, and confusion, and that the location of the responsibility for its creation is clear to a third party. Confusion refers to recording which mixes up patients or misunderstands the connection between recorded information. For external storage through a Network, great care is necessary so that clinical records are not rewritten or erased during transfer from the entrusting Medical Institution to the entrusted external storage facility, and so that information is not confused with any other. Therefore, for storage outside a Medical Institution through a Network, authenticity must be secured as it is while stored inside a Medical Institution, and the risks unique to Networks must also be noted.

B-1. Prevention of False Input, Rewriting, Erasure, and Confusion

When storing documents legally subject to storage, the system administrator shall take measures to prevent electronic clinical information from being entered falsely, rewritten, erased, or confused without formal proceedings or by mistake. Before storing information, the person responsible for creation (creating, rewriting, or erasing information) should confirm that the information has been entered correctly and has not been rewritten, erased, or confused by mistake.

False input, rewriting, erasure, and confusion, whether intentional or by mistake, can be classified into two types: those attributable to the intention or mistake of the inputter or another system operator, and those attributable to equipment and software. Examples of the former are an inputter intentionally tampering with clinical records and other information, and incorrect information being entered through an input error. An example of the latter is when, despite correct input by the inputter, the input information is not saved correctly in the system due to an equipment malfunction or a software bug. False input, rewriting, erasure, and confusion are difficult to prevent by technical measures on equipment and software alone. Operational measures should also be discussed.
(1) Prevention of intentional or mistaken false input, rewriting, erasure, and confusion

Intentional false input, rewriting, erasure, and confusion are illegal. To prevent them, the following must be observed:

1 The person responsible for the creation of information shall be clear and confirmable at any time.
2 The person responsible for creation shall be identified and authenticated securely; in other words, a spoofing-proof operating environment shall be established.
3 Accessible information shall be limited in accordance with the authority of the operator.
4 Input and confirmation procedures shall be specified in the operation management regulations.
5 For operations by the person responsible for creation, the time, person, place, information, and type of operation shall be recorded, and the record shall be audited for the appropriateness of the operation as required.
6 Confirmed and stored information shall not allow alteration or erasure without a log during the storage period prescribed in the operation management regulations.
7 If clinical records may be accessed for system alteration or maintenance, authenticity shall be secured and the procedures in 6.8, "Alteration and Maintenance of Information System" shall be followed.

False input, rewriting, erasure, and confusion by mistake are attributable to simple input errors, preconceptions, or information mix-ups. Since no technical method can reduce erroneous input to a negligible level, preventive measures should be taken from both operational and technical aspects on the assumption that input errors will always occur. For example, full checking of contents before the confirmation of information should be prescribed in the operation management regulations. It is also preferable to conduct sufficient education and training and to take technical measures, such as highlighting error-prone fields that could lead to serious medical errors, to draw the operator's attention.

(2) Prevention of false input, rewriting, erasure, and confusion attributable to equipment and software

False input, rewriting, erasure, and confusion attributable to equipment and software refer to risks which, despite correct input by the person responsible for creation, cause unintended situations due to a system problem. The problem may be due to the following:

1 The system equipment or software itself has a problem (failure, thermal runaway, software bug, version inconsistency, etc.).
2 The equipment and software are normal but do not function as intended because they are not configured correctly.
3 The equipment or software has been replaced with another by a malicious third party.
4 A virus or other illegal software causes data to be rewritten or erased illegally and software to malfunction.

These threats can probably be prevented by careful verification at system implementation and by appropriate system maintenance and management. It is important that Medical Institutions themselves take the lead in system quality control. For specific measures, see C and D.

B-2. Clarification of the Location of the Responsibility for Creation

For information to be stored electronically, the person responsible for the creation of each record should be clarified. Information once recorded may be added to, corrected, or erased daily; for each addition, correction, or erasure, however, the person responsible should be clarified. Depending on the scale and management form of the Medical Institution, the person responsible for creation, addition, and correction may be obvious. In this case, an operation method that clarifies the person responsible for creation shall be determined and stated clearly in the operation management regulations, with the operation recorded in some form. The person responsible for creation, who is involved in the health care, shall in principle input the information. However, a proxy may have to perform the input, for example to record the progress of a surgical operation when the person responsible for creation cannot do so because of the operation. In these circumstances, regulations for proxy input must be devised and their implementation recorded.
Here, the following four requirements are discussed and explained:
(1) Identification and authentication of the person responsible for creation
(2) Confirmation of record
(3) Recording of identification information
(4) Storage of update history

1 Identification and authentication of the person responsible for creation

See 6.5, "Technical Security Measures - (1) User identification and authentication" in Chapter 6 of these guidelines.

<Notes on proxy input>
When proxy input is permitted for an operational reason at a Medical Institution, an ID must be issued to each person performing the input and the system must be accessed with that ID. In daily operation, letting other persons know one's ID or password, or accessing the system with another person's ID, must be prohibited, because otherwise workers cannot be identified from the work records stored in the system.

2 Confirmation of record

Confirmation of record means that the person responsible for creation completes input, or the capture of output results from examination or measuring equipment. From this point, authenticity is to be ensured and storage is to be confirmed. It is necessary to clarify the time and creator of a record and to prove that the stored information is free of addition, change, or erasure. If addition, change, or erasure becomes necessary after confirmation, the contents must be created as a new record related to the confirmed information and saved separately after confirmation.

The person responsible for the creation of a record created by manual input (including information captured from a scanner, digital camera, or any other peripheral) shall perform a confirmation operation, checking that the record is free of erroneous input or confusion by mistake and clearly distinguishing information added at a later date, rewriting, and erasure. If confirmation of a record is assumed after a fixed time from the final input, or at the passage of a specific time, even without an explicit confirmation operation, a method of identifying the person responsible for creation shall be determined together with an operation method and stated clearly in the operation management regulations.

When registering information from external equipment rather than by manual input, the person responsible for the work shall confirm it after checking that the required precision and accuracy of the target information are achieved at capture or registration. For records created using a specific device or system under proper management by the person responsible for management, output from that device or system may be handled and used as confirmed information. Such devices and systems include a clinical examination system, medical imaging device (modality), or filing system (PACS). In this case, the confirmed information should clarify the combination of system function and operation by which each record was created, and by whom.
3 Storage of update history

Clinical information, for example, increases as health care progresses. When new information is obtained, confirmed and stored records are often added to or corrected. This kind of record update based on health care must be easy to distinguish from illegal record tampering. Therefore, the contents and time of each record update must be recorded, and the updated contents must be stored with the identification information of the person responsible for confirmation, to prevent tampering and to allow verification even if tampering occurs.

C. Minimum Guidelines

[Storage at Medical Institutions]

1 Identification and authentication of creator

a. Record creation using an electronic chart system with a PC or any other general-purpose input terminal
1. Users shall be identified and authenticated correctly.
2. For all input to the system, authority management (access control) shall be determined for all applicable information on the basis of necessary classifications, such as the inputter's profession and section. In addition, creation, addition, or change by anyone other than an authorized person shall be prevented.
3. Terminals on which business applications can run shall be managed to prevent access by unauthorized persons.

b. Record creation using a specific device or system, such as a clinical examination system or medical image filing system
1. The person responsible for management and the operators of the device shall be clarified in the operation management regulations, and device operation by anyone other than the person responsible for management and the operators shall be operationally prevented.
2. A record by the said device shall be clarified by the combination of system function and operation by which the record was created, and by whom.

2 Establishment of a record confirmation procedure and recording of the identification information of the person responsible for creation

a. Record creation using an electronic chart system with a PC or any other general-purpose input terminal
1. For the creation and storage of clinical records, the system shall have a mechanism to register confirmed information. A record shall include the name and other identification information of the person responsible for creation and the date of creation based on a reliable time source.
2. For confirmation of a record, the person responsible for creation should be able to check the contents sufficiently.
3. Measures shall be taken to prevent the intentional false input, rewriting, erasure, or confusion of a confirmed record, and a recovery procedure shall be discussed in advance.

b. Record creation using a specific device or system, such as a clinical examination system or medical image filing system
1. The operation management regulations shall define the rules for confirming a record created by the said device. A record shall include the name and other identification information of the person responsible for creation (or identification information of the device) and the date of creation based on a reliable time source.
2. Measures shall be taken to prevent the intentional false input, rewriting, erasure, or confusion of a confirmed record, and a recovery procedure shall be discussed in advance.

3 Storage of update history
1. If a clinical record once confirmed is updated, an update history shall be stored to allow the collation of contents before and after the update as required.
2. Even if the same clinical record is updated several times, the update sequence shall provide a reference for identifying the updates.

4 Proxy operation approval function
1. When proxy operation is permitted for an operational reason, the operation management regulations shall specify the permitted work and also who may act as a proxy and for whom.
2. At every proxy operation, management information shall be recorded regarding the time of the proxy operation, who was the proxy, and for whom.
3. A clinical record created by proxy operation shall receive a confirmation operation (approval) by the person responsible for creation as soon as possible.
4. For operations such as the automatic confirmation of a record after a fixed time, clear rules for identifying the person responsible for creation shall be worked out and stated clearly in the operation management regulations.

5 Equipment and software quality control
1. The equipment and software configuration, as well as the circumstances and purposes of use of the system, shall be clear, and the system specifications shall be defined clearly.
2. Processes shall be prescribed to verify the adequacy of equipment and software revision histories and of the work actually done at implementation.
3. The contents of work relating to equipment and software quality control shall be reflected in the operation management regulations, and staff shall be educated.
4. Internal audits shall be conducted periodically on the system configuration and software operation status.

[External Storage at Medical Institutions through Network]

In addition to the minimum guidelines for storage at Medical Institutions, the following are necessary:

1 Mutual authentication to recognize the communication parties as correct
A mutual authentication function is necessary for a Medical Institution and an external organization entrusted with the online storage of clinical records to recognize each other as the correct communication parties.

2 Ensuring "no tampering" on the Network
It shall be possible to ensure that clinical records have not been tampered with during Network transfer. Tampering does not include reversible information compression and decompression, or tagging, encryption, or conversion into plain text for security purposes.

3 Limiting the remote login function
To limit remote login to unavoidable occasions, such as maintenance, a function must be established to allow only appropriately controlled remote login. For specific requirements, see 6.11, "Security Management at External Exchange of Health information Including Personal Information."
7.2 Securing Human Readability

A. Institutional Requirements
Action shall be taken to enable the immediate display of an electromagnetic record on a use-related computer or other equipment in a clear and orderly form by output when required, and also the creation of its document. ("Ordinance for Enforcement of Act on Utilization of Information and Communications Technology for Document Storage by Private Business Entities Pertaining to Laws and Regulations Under the Jurisdiction of the Ministry of Health, Labour and Welfare" Article 4, Clause 4-1, March 25, 2005)

Securing human readability
Action shall be taken to enable the immediate display of an electromagnetic record on a use-related computer or other equipment in a clear and orderly form by output when required, and also the creation of its document.
(A) Information contents can be converted easily for reading by the naked eye.
(B) Information contents can be displayed in a hard-copy form immediately when required.
(Enforcement Notice: Article 2 (3))

"The standards for securing the authenticity, human readability, and storability of clinical records and other shall be satisfied." (External Storage Amendment Notice: No.2-1 (1))

B. Concept
At the request of an authorized owner for "clinical care," "explanation to patient," "audit," or "lawsuit," the contents stored in electronic media can be converted for human reading at a response time, throughput, and operation method suitable for each purpose. The e-Document Act demands that human readability on a screen be secured. Some authorized owners, however, may request the immediate display of the applicable information in hard-copy form. Therefore, satisfying this request should be considered as required.
Unlike information recorded on paper, information stored in electronic media may not be readable for the following reasons:
- Some application is necessary to call stored information from electronic media for display on a screen.
- Many records are created by referring to other databases or masters and cannot be read clearly without the references adopted at creation.
- Mutual relations of information recorded separately in several media are difficult to understand at a glance.
By appropriately handling the above, human readability equal to that of paper records can be secured. To prevent a system fault from seriously affecting clinical care, measures to secure minimum human readability should also be considered.
In addition to these measures, for external storage through a Network, the impairment of human readability must be considered carefully under the circumstances of the entrusted external storage organization. By referring to 4.2, "Demarcation of Responsibility in Entrustment and Provision to Third Party," the responsibility should be clarified in advance so that immediate recovery can be considered. If stored information should be damaged despite these considerations, utmost effort must be made for immediate recovery to secure human readability meeting the request for "clinical care," "explanation to patient," "audit," or "lawsuit."

C. Minimum Guidelines
(1) Management of information location
Regarding information distributed and managed in various media, including hard-copy information, every location of information relating to each patient shall be managed daily.
(2) Management of means of human readability
All information stored in electronic media shall be managed with a means of making it readable. Equipment, software, and related information shall always be prepared to make information readable.
(3) Response time depending on the purpose of readability
Information shall allow immediate search and display, or display in a document form, in accordance with the purpose.
(4) Securing redundancy as a measure against system fault
A system shall be made redundant, or a substitute means of making information readable shall be prepared, so that clinical records will be sufficiently readable for ordinary clinical care even in the case of a partial system fault.
D. Recommended Guidelines

[Storage at Medical Institutions]
(1) Backup server
Even in case of a system stop, the minimum clinical records necessary for daily clinical care shall be readable with a backup server and a general-purpose browser.
(2) External output for human readability
Even in the case of a system stop, the output of information to an external file in a human-readable form shall not be disabled, so that a series of clinical records for a patient can be read with a general-purpose browser.
(3) Readability using remote data backup
As a measure against a disaster such as a large-scale fire, electronically stored records shall be backed up in a remote place so that the minimum clinical records necessary for daily clinical care can be read from the backup data with a general-purpose browser.

[External storage through Network]
In addition to the recommended guidelines for storage at Medical Institutions, the following is necessary:
(1) Ensuring human readability of clinical records likely to become necessary urgently
Clinical records that may become necessary urgently shall be stored within a Medical Institution, or may be stored outside with their copies or the same contents held in the Medical Institution.
(2) Ensuring human readability of records not likely to become necessary urgently
Also for information that may not become necessary urgently, measures shall be taken against a fault of the Network or of the organization entrusted with external storage.
7.3 Securing Storability

A. Institutional Requirements
Action shall be taken to enable the storage of an electromagnetic record in a restorable form within the due period of storage. ("Ordinance for Enforcement of Act on Utilization of Information and Communications Technology for Document Storage by Private Business Entities Pertaining to Laws and Regulations Under the Jurisdiction of the Ministry of Health, Labour and Welfare" Article 4, Clause 4-3, March 25, 2005)

Securing storability
Action shall be taken to enable the storage of an electromagnetic record in a restorable form within the due period of storage. (Enforcement Notice: Article 2 (3))

"The standards for securing the authenticity, human readability, and storability of clinical records and other shall be satisfied." (External Storage Amendment Notice: No.2-1 (1))

B. Concept
Storability means that recorded information is stored while maintaining authenticity and in a readable condition for a legally prescribed period. When clinical records and other information are stored electronically, their storability may be threatened by the following:
(1) Information corruption or confusion due to a virus or inappropriate software
(2) Information loss or corruption due to inappropriate storage or handling
(3) Reading failure or incomplete reading due to the deterioration of recording media or facilities
(4) Recovery failure due to incompatible media, equipment, or software
(5) Data inconsistency at data storage due to a fault
To eliminate these threats, various technical and operational measures should be taken against each cause.

(1) Information corruption or confusion due to a virus or inappropriate software
A virus or a bug causing inappropriate software operation may corrupt clinical records and other information stored electronically. Therefore, access to these kinds of information by a virus or any other inappropriate software operation must be prevented. It must also be checked that information processing software has not been tampered with and functions in accordance with the specifications. It is also preferable to set up a mechanism for checking that stored information has not been tampered with.

(2) Information loss or corruption due to inappropriate storage or handling
Information may be lost or corrupted if the media storing the information electronically are stored inappropriately or the equipment storing the information is handled inappropriately. To prevent this problem, technical and operational measures must be taken to ensure the appropriate storage and handling of media and equipment storing information. It is necessary to grasp the environmental conditions required by the recording media or equipment in use and to maintain appropriate temperature, humidity, and other environmental conditions in the server room where media or equipment storing electronic information are placed. Access to a server room should be prohibited except for permitted persons.
In case information becomes unavailable due to loss, tampering, or corruption, it is necessary to prepare a mechanism for the periodic backup of clinical records and other information, for managing backups with a history, and for restoring the information as required. For this purpose, it is preferable to clarify the procedures for recovering information from the backup and for using the recovered information for clinical care, by clarifying the obligation of storage.

(3) Reading failure or incomplete reading due to the deterioration of recording media or facilities
Clinical records and other information stored electronically may be lost or corrupted if reading fails or is not completed due to the deterioration of recording media or equipment.
To prevent this problem, information should be copied to new recording media or equipment before deterioration, taking into account the deterioration characteristics of the recording media or equipment.

(4) Recovery failure due to incompatible media, equipment, or software
Incompatible media, equipment, or software may make it impossible to recover clinical records and other information stored electronically. More specifically, information cannot be recovered completely or read due to the inconsistency of master or index databases and the incompatibility of equipment or media at system transition. To prevent this problem, it is necessary to create an appropriate work plan upon system alteration or transition.

(5) Data inconsistency at data storage due to a fault
During the transfer of clinical records for external storage through a Network, a system may stop or the Network may become faulty, preventing the storage of correct data at the external party entrusted with storage. This makes it necessary to transfer the data again from the Medical Institution entrusting external storage. When erasing the data at the Medical Institution, therefore, the entrusting Medical Institution needs to confirm that the said data have been stored at the organization entrusted with external storage before erasure.

C. Minimum Guidelines

[Storage at Medical Institutions]
(1) Prevention of information corruption or confusion due to a virus or inappropriate software
1. Software, equipment, and media used by a system shall be managed to prevent inappropriate software, including a computer virus, from causing information corruption or confusion.
(2) Prevention of information loss or corruption due to inappropriate storage or handling
1. Regarding the storage and handling of recording media and equipment, operation management regulations shall be established and relevant persons shall be educated for a full understanding of appropriate storage and handling. In addition, storage and handling shall be recorded.
2. Information storage places (inside the system or on portable media) shall be clarified together with the storage capacity (size and period), risks, responses, backup frequency, and backup method of each place. These items shall be prescribed as operation management regulations, and their operation shall be disseminated among relevant persons.
3. Measures shall be taken to allow only permitted persons to enter the places where recording media are stored or a server is installed.
4. Access to clinical records and other information stored electronically shall be recorded and managed.
5. In the case of information damage in any storage place, information recovery from backup data shall be possible. If the status before the damage cannot be recovered, the range of the damage shall be made obvious.
(3) Prevention of reading failure or incomplete reading due to the deterioration of recording media or facilities
1. Before the deterioration of recording media, information shall be copied to new recording media or equipment. The service periods during which information can be stored normally with no deterioration shall be clarified for the recording media and equipment. The start and end days of use shall be managed and checked once a month. From recording media or equipment close to the end of its service life, data shall be copied to new recording media or equipment. This operational flow shall be prescribed as operation management regulations for dissemination among relevant persons.
(4) Prevention of recovery failure due to incompatible media, equipment, or software
1. For quick transition at update, a system shall have a function to output and input items of clinical records or other information in a standard format, if any such format exists, or in an easy-to-convert format if there is no standard format.
2. The system shall have a function to prevent past clinical records or other information from changing when a master database is changed.

[External Storage at Medical Institutions through Network]
In addition to the minimum guidelines for storage at Medical Institutions, the following is necessary:
(1) Managing data format and transfer protocol versions and securing continuity
During the legal storage period, the data format or transfer protocol may be upgraded or changed. In this case, the old data format or transfer protocol must be supported as long as it is used at Medical Institutions.
(2) Taking measures against the deterioration of the Network or facilities at an organization entrusted with external storage
Taking into consideration the Network and facilities at an organization entrusted with external storage, measures shall be taken such as renewing lines or facilities when they deteriorate.

D. Recommended Guidelines

[Storage at Medical Institutions]
(1) Prevention of information loss or corruption due to inappropriate storage or handling
1. Recording media, equipment, or a server shall be stored in a room accessible to permitted persons only, and a record of access to the room shall be created and stored together with a work history relating to storage and handling.
2. For a server room, a key, as well as other physical measures, shall be used to allow access only by permitted persons.
3. The system shall have a function to back up clinical records and other information periodically, for a periodic check that the information has not been corrupted by tampering or otherwise.
(2) Prevention of reading failure or incomplete reading due to the deterioration of recording media or facilities
1. When storing clinical records and other information in recording equipment such as a hard disk, RAID-1, RAID-6, or higher measures shall be taken against disk faults.

[External Storage at Medical Institutions through Network]
Securing compatibility with the Network or facilities at an organization entrusted with external storage
If lines or facilities are renewed, it may become difficult to acquire equipment supporting the old system, which may cause problems in reading the recorded information. Therefore, an organization entrusted with external storage shall ensure future compatibility when selecting lines or facilities, and adopt new lines or facilities compatible with the old system upon system renewal to ensure safe data storage.
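The update history and proxy approval of 7.1 C.(3) and (4), together with the periodic tamper check of 7.3 D.(1).3, as an added example that is not part of these guidelines: an append-only, hash-chained history for one clinical record. The record identifier, user names, sample values and the clock source are assumptions made for the example.

```python
# Added example (not from the guidelines): a hash-chained update history for
# one clinical record, covering 7.1 C.(3) storage of update history, 7.1 C.(4)
# proxy operation approval and 7.3 D.(1).3 a check for tampering of stored data.
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timezone
from typing import Callable

GENESIS = "0" * 64  # prev_hash of the first entry


def _digest(entry: dict) -> str:
    """Hash of every field except the hash itself, over a canonical encoding."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


def utc_now() -> str:
    # Assumption: the host clock is disciplined by a reliable time source (e.g. NTP).
    return datetime.now(timezone.utc).isoformat()


class RecordHistory:
    """Append-only history of one clinical record: a confirmed entry is never
    overwritten, every update is a new entry linked to the previous one."""

    def __init__(self, record_id: str, clock: Callable[[], str] = utc_now):
        self.record_id = record_id
        self._clock = clock
        self.entries: list[dict] = []

    def _append(self, **fields) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"record_id": self.record_id, "seq": len(self.entries) + 1,
                 "recorded_at": self._clock(), "prev_hash": prev, **fields}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def confirm(self, content: dict, author: str, proxy: str | None = None) -> dict:
        """Register confirmed content; `author` is responsible, `proxy` entered it."""
        return self._append(kind="update", content=content, author=author, proxy=proxy)

    def approve(self, seq: int, approver: str) -> dict:
        """Confirmation (approval) of a proxy entry by the responsible person."""
        target = self.entries[seq - 1]
        if target["kind"] != "update" or target["proxy"] is None:
            raise ValueError(f"seq {seq} is not a proxy update")
        if target["author"] != approver:
            raise PermissionError("only the person responsible for creation may approve")
        return self._append(kind="approval", approves_seq=seq, author=approver)

    def pending_approvals(self) -> list[int]:
        approved = {e["approves_seq"] for e in self.entries if e["kind"] == "approval"}
        return [e["seq"] for e in self.entries
                if e["kind"] == "update" and e["proxy"] and e["seq"] not in approved]

    def collate(self, seq_before: int, seq_after: int) -> dict:
        """Fields that differ between two confirmed versions, as (before, after)."""
        a, b = self.entries[seq_before - 1], self.entries[seq_after - 1]
        if a["kind"] != "update" or b["kind"] != "update":
            raise ValueError("collation needs two update entries")
        keys = set(a["content"]) | set(b["content"])
        return {k: (a["content"].get(k), b["content"].get(k))
                for k in keys if a["content"].get(k) != b["content"].get(k)}

    def head_hash(self) -> str:
        """Kept with the periodic backup; detects chain rewriting and truncation."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self) -> list[int]:
        """seq numbers whose stored hash or chain link no longer match."""
        bad, prev = [], GENESIS
        for e in self.entries:
            if e["hash"] != _digest(e) or e["prev_hash"] != prev:
                bad.append(e["seq"])
            prev = e["hash"]
        return bad


def demo(clock: Callable[[], str] = utc_now) -> dict:
    """Constructed walk-through (not real data): a nurse enters a note on a
    physician's behalf, the physician approves it, then an entry is edited out of band."""
    h = RecordHistory("patient-0001/progress-note", clock)
    h.confirm({"temp_c": 37.2, "note": "stable"}, author="dr_sato")
    h.confirm({"temp_c": 38.6, "note": "fever"}, author="dr_sato", proxy="nurse_abe")
    pending_before = h.pending_approvals()
    h.approve(2, "dr_sato")
    changed = h.collate(1, 2)
    backed_up_head = h.head_hash()
    clean = h.verify()
    # In-place edit of an old entry with its hash field left untouched: the head
    # hash still matches the backup, so only the full verify() exposes it.
    h.entries[1]["content"]["temp_c"] = 37.0
    return {"pending_before": pending_before, "pending_after": h.pending_approvals(),
            "changed": changed, "clean": clean, "tampered": h.verify(),
            "head_matches_backup": h.head_hash() == backed_up_head}
```

Keeping both the per-entry check and the externally backed-up head hash matters: rewriting an old entry's hash instead would break the next entry's prev_hash link, and rewriting the whole chain would change the head.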
8 Standards for the External Storage of Clinical and Other Records

The storage location standards for clinical records are presented for two kinds of cases: external storage using electronic media and external storage of hard copies. External storage using electronic media is prescribed particularly in relation to storage through a telecommunication line (hereinafter, "Network"). This external storage can be considered in regard to the following three cases:
(1) External storage using electronic media through a Network
(2) External storage using portable electronic media, such as magnetic tape, CD-R, and DVD-R
(3) External storage of paper, film, and other media

Note that the descriptions up to Edition 2 have been corrected as follows:
[Edition 2] 8.1.1 Observance of the 3 Standards for Electronic Storage
The standards have been separated into authenticity, human readability, and storability and prescribed and consolidated in 7.1, "Securing Authenticity," 7.2, "Securing Human Readability," and 7.3, "Securing Storability."
[Edition 2] 8.1.4 Clarification of Responsibility
For the integrated proposals, see Chapter 4, "Responsibility for Handling Electronic Health information" and 6.11, "Security Management at External Exchange of Health information Including Personal Information."
[Edition 2] 8.2, "External Storage of Electronic Media Using Portable Media" and [Edition 2] 8.3, "External Storage of Hard Copies," concerning (2) external storage using portable media and (3) external storage of paper, film, and other media respectively, have been moved to Additional Clauses 1 and 2 because they differ from the handling of electronic health information explained in these guidelines.

8.1 External Storage Using Electronic Media through a Network
If the current technologies are taken advantage of and used with due care, clinical records can be stored outside a Medical Institution through a Network.
If an organization entrusted with the external storage of clinical records secures authenticity and manages security appropriately, the entrusting Medical Institution can save expenses and security operation may become easier. External storage through a Network has many advantages but requires due care regarding security, communication technology, and operation method. If an information leak or an accident disturbing clinical care occurs and causes social distrust, the trend of allowing public access to health information may decline, impairing the benefit to the nation's citizens. Therefore, external storage should be executed carefully and steadily. When storing clinical records outside through a Network using electronic media, a Medical Institution is expected to promote security management appropriately on its own responsibility.

8.1.1 Observance of the 3 Standards for Electronic Storage
For the 3 standards, see 7.1, "Securing Authenticity," 7.2, "Securing Human Readability," and 7.3, "Securing Storability."
8.1.2 Standards for Selecting External Information Storage Organization and Handling Information

A. Institutional Requirements
"For external storage through a telecommunication line, a host computer, server, or any other information processing equipment related to storage shall be installed in a place managed appropriately by a health care institution such as a hospital prescribed in Clause 1, Article 1-5 of the Medical Care Law, a clinic prescribed in Clause 2 of the same article, or other equivalent facilities, at a data center opened by an administrative organization, or in a safe place secured by Medical Institutions for risk management against disasters." (External Storage Amendment Notice: No.2-1 (2))

B. Concept
If clinical records are stored outside Medical Institutions through a Network, storing the information in safe places with high information security will improve security measures and risk management during disasters, and Medical Institutions are expected to promote the electronic storage of clinical records through the reduction of storage costs. External storage, however, carries a risk of inappropriate information handling at the storage organization, which may result in a significant leak of patient information. Consequently, it may become difficult to locate the leak or to identify the person responsible. Therefore, integral measures based on risk analysis are always necessary, and the responsibility of Medical Institutions grows in relation to such measures. There is also a concern regarding the illegal use of information for the benefit of the organization entrusted with information storage or its personnel.
Meanwhile, the storage and management of financial information, credit information, and communication information are already entrusted to external operators, where the information is handled appropriately. Information related to financing, credit, and communication cannot be handled in the same way as health information. However, experienced data centers and other operators entrusted with information storage and management generally take careful and thorough security measures, achieving stricter management than Medical Institutions. If the rights or benefits of persons are infringed by a leak or illegal use of personal information related to health care, it is often difficult to reassure the victims or restore their rights. Therefore, laws and guidelines prescribe that Medical Institutions and relevant parties should take more thorough security management measures. For the external storage of clinical records through a Network, a Medical Institution shall secure a higher security management system than usually expected and take responsibility for using the said information to provide patients with health and health care services.
Therefore, when selecting an organization corresponding to "Storage at a data center established by an administrative organization" or "Storage at a private data center storing information by entrustment from Medical Institutions" prescribed in "C. Minimum Guidelines," the provisions of "C. Minimum Guidelines" shall be strictly observed. In addition, information processing operators at data centers shall confirm compliance with the "Guidelines for Managing Entrusted Health information" prescribed by the Ministry of Economy, Trade and Industry and the "Guidelines for Information Security Measures in ASP and SaaS" prescribed for certain business forms by the Ministry of Internal Affairs and Communications, and clarify the status of compliance in a contract.
This chapter summarizes the proposals on "1. Regulations pertaining to storage location," "2. Handling of information," and "3. Provision of information." Chapter 4, "Responsibility for Handling Electronic Health information" and 6.11, "Security Management at External Exchange of Health information Including Personal Information" are inseparable from this chapter and shall also be observed during operation.

1. Regulations Pertaining to Storage Location

Storage at a hospital or clinic or in a place managed appropriately by a health care institution
This refers to the case where a hospital or clinic itself prepares very solid facilities and an environment and provides an ASP or SaaS service to store the clinical records of neighboring hospitals and clinics. An example of a "place managed appropriately by a health care institution" equivalent to a hospital or clinic is a place managed on the joint responsibility of the managers of Medical Institutions in an office of the Japan Medical Association, which is a public benefit corporation.

Storage at a data center established by an administrative organization
This refers to storage at a data center established by a national organization, independent administrative corporation, national university corporation, or local government. In this case, all other requirements in this chapter should be satisfied, including those mentioned in other chapters of these guidelines and those for responsibility, security management measures, authenticity, human readability, storability, and security of the information management system prescribed in C.
Storage at a private data center storing information by entrustment from Medical Institutions
This refers to storage in a place operated by an organization other than a Medical Institution, entrusted by Medical Institutions. A Medical Institution, having a legal obligation of storage, should aim to improve security measures and promote risk management during disasters by securing a safe information storage place of great system solidity. The information storing organization should satisfy all other requirements in this chapter, including those mentioned in other chapters of these guidelines and those for responsibility, security management measures, authenticity, human readability, storability, and security of the information management system prescribed in C.

2. Handling of Information

Storage at a hospital or clinic or in a place managed appropriately by a health care institution
Even a hospital or clinic may analyze entrusted clinical records only with the consent of the entrusting hospital or clinic and the patients, and not for unjust profit or benefit. For this purpose, an internal team shall be set up within the institution for objective evaluation. Even anonymous information may easily result in personal identification, depending on the scale of the area or of the entrusting Medical Institution. For the protection of personal information, therefore, a verification team should discuss the validity of the anonymization, and the patients should be notified of the fact of handling through a bulletin board.

Storage at a data center established by an administrative organization
When information is stored at an administrative organization, the handling of information is restricted to some extent because the operator is obliged to maintain confidentiality as a public organization. Since the information is stored by entrustment from Medical Institutions, however, the organization entrusted with external storage may not analyze such data without the consent of the Medical Institution and the patients.
When selecting an operator to entrust with external storage, a Medical Institution should confirm that no analysis will be executed in the future, or conclude a contract to that effect. A possible technical method is to allow, in principle, only Medical Institutions to browse the content of the data, except when trouble occurs, as in an emergency such as data recovery. In addition, personal identification information stored at an operator entrusted with external storage is managed appropriately by encryption, and a control mechanism is set up to prevent access under normal conditions even by the manager of the operator entrusted with external storage.

Storage at a private data center storing information by entrustment from Medical Institutions
As mentioned at the beginning, when information is stored by an operator entrusted with external storage by Medical Institutions as prescribed in this section, the entrusted information shall not be browsed or analyzed for unjust profit or benefit. There are now guidelines restricting these behaviors by private and other operators entrusted with external storage. However, full study should be made of their suitability and the status of their observance. A possible technical method of external storage is to ensure that, in principle, only Medical Institutions are allowed to browse the data, except when a problem occurs, as in an emergency such as data recovery. In addition, personal identification information stored with an operator entrusted with external storage is managed appropriately by encryption, and a control mechanism is set up to prevent access even by the manager of the entrusted operator. More specifically, the following methods may be possible:
(a) Encryption
(b) Distributed storage of information
Assuming an unexpected accident, information availability must be clearly noted. If a Medical Institution itself stores the encryption key after encryption, all health information entrusted for storage may become unavailable when the encryption key becomes unavailable due to a fire or accident. To avoid this problem, the encryption key may be deposited with the operator entrusted with external storage or with other reliable Medical Institutions.
The guarantee of similar availability is also necessary for distributed storage. When the encryption key is deposited with the operator entrusted with external storage, however, its use requires strict management. The use of the encryption key shall be limited to emergency cases only. For such use, measures must be taken to prevent the unjust use of information by the operator entrusted with external storage, such as devising operation management regulations, using sealing that leaves a trace of use, and executing audit trail management in the information system appropriately.

3. Provision of Information

Storage at a hospital or clinic or in a place managed appropriately by a health care institution
When providing a mechanism for patients to access stored information and browse their own records, a hospital, clinic, or health care institution entrusted with the storage of information shall set appropriate access authority to prevent information leakage and erroneous browsing, such as showing information to a patient who is not the subject of that information, or allowing a patient to see prohibited information. Such information should in principle be provided on agreement between patients and their Medical Institution. A hospital, clinic, or health care institution entrusted with the storage of information must not provide information without the consent of the patients.

Storage at a data center established by an administrative organization
In any form, an operator entrusted with external storage shall not independently provide stored information to any Medical Institution other than the storing Medical Institution. Information stored through an operator entrusted with external storage may be provided to a Medical Institution other than the storing Medical Institution only with the mutual consent of the Medical Institutions and the consent of the patients. If the right to set access authority is also entrusted to the operator entrusted with external storage, however, that party shall set appropriate authority at the request of a Medical Institution or its patients to prevent information leaks and erroneous browsing, such as showing information to a patient who is not the subject of that information, or allowing a patient to see prohibited information.
When storing clinical records externally in this form, therefore, a Medical Institution should prescribe the provision of such information in a contract with the operator entrusted with external storage.

Storage at a private data center storing information by entrustment from Medical Institutions
In any form, an operator entrusted with external storage shall not independently provide stored information to any Medical Institution other than the storing Medical Institution. This applies also to anonymous information.
Information stored through an operator entrusted with external storage may be provided to a Medical Institution other than the storing Medical Institution only with the mutual consent of the Medical Institutions. As a matter of course, the consent of the patients is also required in accordance with the Personal Information Protection Act. If the right to set access authority is also entrusted to the operator entrusted with external storage, however, the party shall set appropriate authority at the request of a Medical Institution or their patients to prevent information leaks and erroneous browsing, such as showing information to a patient who is not the subject of that information, or allowing a patient to see prohibited information.. When storing clinical records externally in this form, therefore, a Medical Institution should prescribe the provision of such information in a contract with the operator entrusted with external storage. C. Minimum Guidelines Storage at a hospital or clinic or in a place managed appropriately by a health care institutes (A) Clinical records shall be stored within the hospital or clinic. (B) Entrusted clinical records shall not be handled for analysis without the permission of the entrusting hospital or clinic and the patient. (C) Even the hospital or clinic may analyze entrusted clinical records only with the consent of the entrusting hospital or clinic and the patients and not for unjust profit or benefit. (D) Also when handling anonymous information, a verification team should discuss the validation of anonymity and the patients should be notified of the handling through a bulletin board for personal information protection. 
(E) When providing a mechanism for patients to access stored information and browse their own records, the hospital or clinic entrusted with information storage shall set appropriate access authority to prevent information leaks and erroneous browsing, such as showing information to a patient who is not the subject of that information, or allowing a patient to see prohibited information.
(F) Information shall in principle be provided on agreement between patients and their Medical Institution.

Storage at a data center established by an administrative organization
(A) According to laws and ordinances, individuals who are or used to be engaged in storage work shall be obliged to maintain confidentiality regarding the contents of personal information, prohibited from using such information for an unjust purpose, and punished for violation.
(B) The technical and operational abilities necessary for appropriate external storage shall be verified periodically by a qualified external auditor, such as a system audit engineer or Certified Information Systems Auditor (ISACA certified).
(C) Medical Institutions shall conclude a contract stating the confirmation that the operator entrusted with external storage performs no analysis of stored information, and also the prohibition of such analysis.
(D) Medical Institutions shall restrict information provision in a contract so that the operator entrusted with external storage does not independently provide stored information. When setting access authority for information provision, the operator entrusted with external storage shall set appropriate access authority to prevent information leakage and erroneous browsing, such as showing information to a patient who is not the subject of that information, or allowing a patient to see prohibited information.

Storage at a private data center storing information by entrustment from Medical Institutions
(A) To supervise the handling of stored information, Medical Institutions shall conclude a contract of entrustment with an operator entrusted with external storage and its manager and workers engaged in electronic storage, including the obligation of confidentiality and penalties in case of violation.
(B) The security of a Network line linking a Medical Institution and an operator entrusted with external storage shall be ensured by observing 6.11, "Security Management at External Exchange of Health information Including Personal Information."
(C) The observance of guidelines imposed on private operators shall be clarified in a contract with an entrusted operator and confirmed by periodic reporting.
(D) An operator entrusted with external storage shall not browse stored information beyond the range necessary for maintenance prescribed in a contract.
(E) An operator entrusted with external storage shall not analyze stored information, regardless of whether such information is anonymous. This shall be stated clearly in a contract and observed strictly by Medical Institutions.
(F) Medical Institutions shall restrict information provision in a contract so that the operator entrusted with external storage will not independently provide stored information. When setting access authority for information provision, the entrusted operator shall set appropriate access authority to prevent information leaks and erroneous browsing, such as showing information to a patient who is not the subject of that information, or allowing a patient to see prohibited information.
(G) Medical Institutions shall determine standards for selecting an operator to entrust external storage to. At least the following 4 items shall be confirmed:
a Establishment of basic policies and rules related to the handling of health information for security management
b Establishment of an implementation system for the security management of health information
c Reliability of personal data security management based on achievements
d Soundness of management by financial statements

D. Recommended Guidelines
(A) For storage in a place appropriately managed by a health care institution under "Storage at a hospital or clinic or in a place managed appropriately by a health care institution," the institution entrusted with storage shall, as a whole, acquire Privacy Mark, ISMS, or other certification of personal information protection or information security management by a third party, as a means of exhibiting its efforts to patients and citizens.
(B) For "Storage at a data center established by an administrative organization," a data center is subject to institutional supervision and evaluation. As part of further evaluation, certification by a third party as mentioned in (A) shall be acquired.
(C) For "Storage at a data center established by an administrative organization" and "Storage at a private data center storing information by entrustment from Medical Institutions," a possible technical method is to ensure that in principle only Medical Institutions are allowed to browse data, except when trouble occurs, as in an emergency such as data recovery.
(D) Personal identification information stored at an operator entrusted with external storage is managed appropriately by encryption, and a control mechanism is set up to prevent access under normal conditions even by the manager of the operator entrusted with external storage. More specifically, the probable methods are "(a) encryption" and "(b) distributed management of information." Assuming that emergency or unusual access may occur, a mechanism for explicitly identifying such access at the Medical Institution shall also be prepared.
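One way to realize methods (a) and (b) above together with an explicit record of emergency access, as an added example that is not part of these guidelines: the operator holds only ciphertext and one key share, the Medical Institution holds the other share, and the institution's share leaves only through a release path that is written to a hash-chained trail. The class and function names, the record identifier, the sample record, and the SHA-256 based stream cipher standing in for a standard AEAD are all assumptions of this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical two-party layout assumed here (example code, not the guidelines'):
# the Medical Institution keeps one key share per record and an audit trail; the
# entrusted operator keeps the ciphertext and the other share, never a full key.

def split_key(key: bytes) -> tuple[bytes, bytes]:
    """2-of-2 split ("distributed management"): each share alone is uniformly random."""
    share_a = secrets.token_bytes(len(key))
    share_b = bytes(k ^ a for k, a in zip(key, share_a))
    return share_a, share_b

def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(share_a, share_b))

def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one record key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # SHA-256 counter-mode keystream: a stdlib-only stand-in for a vetted AEAD
    # such as AES-GCM, used so the example runs offline; not for production use.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def encrypt_record(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_record(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # wrong key or tampered ciphertext
        raise ValueError("record authentication failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))

@dataclass
class StorageOperator:
    records: dict = field(default_factory=dict)  # record_id -> ciphertext blob
    shares: dict = field(default_factory=dict)   # record_id -> operator's key share

@dataclass
class MedicalInstitution:
    shares: dict = field(default_factory=dict)       # record_id -> institution's share
    audit_trail: list = field(default_factory=list)  # explicit trail of unusual access

    def store(self, operator: StorageOperator, record_id: str, plaintext: bytes) -> None:
        key = secrets.token_bytes(32)
        self.shares[record_id], operator.shares[record_id] = split_key(key)
        operator.records[record_id] = encrypt_record(key, plaintext)

    def read(self, operator: StorageOperator, record_id: str) -> bytes:
        # Normal access: the full key exists only momentarily, at the institution.
        key = combine_shares(self.shares[record_id], operator.shares[record_id])
        return decrypt_record(key, operator.records[record_id])

    def emergency_release(self, record_id: str, requester: str, reason: str) -> bytes:
        # Emergency or unusual access (e.g. data recovery at the operator): the share
        # leaves only via this path, and each release is hash-chained into the trail.
        prev = self.audit_trail[-1]["hash"] if self.audit_trail else "0" * 64
        entry = {"record_id": record_id, "requester": requester, "reason": reason, "prev": prev}
        entry["hash"] = hashlib.sha256(repr(sorted(entry.items())).encode()).hexdigest()
        self.audit_trail.append(entry)
        return self.shares[record_id]

def operator_alone_can_decrypt(operator: StorageOperator, record_id: str) -> bool:
    # Control check: the operator's own share is not the key, so decryption fails.
    try:
        decrypt_record(operator.shares[record_id], operator.records[record_id])
        return True
    except ValueError:
        return False

def demo() -> dict:
    # Constructed sample record; the identifier and contents are not real data.
    institution, operator = MedicalInstitution(), StorageOperator()
    record = b"constructed sample: patient P-0001, visit summary"
    institution.store(operator, "rec-0001", record)
    normal = institution.read(operator, "rec-0001")
    alone = operator_alone_can_decrypt(operator, "rec-0001")
    share_a = institution.emergency_release("rec-0001", "operator recovery team", "constructed: disk restore")
    recovered = decrypt_record(combine_shares(share_a, operator.shares["rec-0001"]), operator.records["rec-0001"])
    return {"normal": normal, "operator_alone": alone, "recovered": recovered,
            "audit_entries": len(institution.audit_trail)}

if __name__ == "__main__":
    print(demo())
```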
8.1.3 Protection of Personal Information

A. Institutional Requirements
"The protection of personal information shall be ensured with due care about the protection of patient privacy." (External Storage Amendment Notice: No.2-1 (3))

B. Concept
For external storage through a Network, the authority and scope of responsibility of a Medical Institution's manager apply not only to their own facilities but also to other facilities and those of communication operators. Therefore, personal information protection should be considered further. Items pertaining to the protection of patients' personal information should be considered as long as the personal information exists, even after the legal storage period of clinical records or the end of the contract with an operator entrusted with external storage. A similar operation system is also expected for the handling of personal information in backup information.
Personal information protection during transit through a Network should be considered individually for each means of communication. For securing the confidentiality of information by means of communication, see 6.11, "Security Management at External Exchange of Health information Including Personal Information" and "B-2. Proposal of Network Security Selection."

C. Minimum Guidelines
(1) Personal information protection at an external operator entrusted with the storage of clinical records
Appropriate supervision of the entrusted operator
For the proposal of personal information protection at an operator entrusted with the external storage of clinical records, refer to "Guidelines for the Appropriate Handling of Personal Information by Medical and Nursing Care Providers." Appropriate management shall be conducted by referring to "4. Security Management Actions and Supervision of Staff and Entrusted Party (Articles 20 to 22)" of "III. Obligations of Medical and Nursing Care Providers," and also to Chapter 6 of these guidelines.
(2) Explanation of external storage to patients
An institution entrusting the external storage of clinical records should explain the storage system to patients via an internal bulletin board or other means, including an explanation of the security and risks, and request their understanding in advance with respect to sending patient information to external facilities and storing it there.
Explanation before the start of clinical care
An explanation should be made before personal information, including clinical conditions and history, is collected from a patient. Clinical care should begin with the understanding of the patient after external storage has been explained via an internal bulletin board, etc.
Explanation to patient difficult and clinical care urgent
Prior explanation is not always necessary if urgent clinical care is needed but it is difficult to provide the patient with an explanation because of a mental disorder or dementia. The explanation may be given later, if the patient becomes lucid, to obtain their understanding of the matter.
Explanation to patient difficult but clinical care not urgent
If it is difficult to provide the patient with an explanation because the patient is an infant or the like, and urgent clinical care is not necessary, an explanation shall in principle be made to a person in parental authority or a guardian. If it is difficult to provide an explanation because of suspected abuse by the person in parental authority, or because the patient has no guardian, the reason for not giving an explanation is expected to be clarified in the clinical record.
8.1.4 Clarification of Responsibility

A. Institutional Requirements
"External storage shall be conducted under the responsibility of a hospital or clinic obligated to store clinical and other records. The demarcation of responsibility should be clarified in case of an accident." (External Storage Amendment Notice: No.2-1 (4))
See Chapter 4, "Responsibility for Handling Electronic Health information" and 6.11, "Security Management at External Exchange of Health information Including Personal Information."

8.1.5 Notes
When an operator entrusted with external storage stores data received through a Network on portable media, due care shall be taken as prescribed in "Additional Clause 1 External Storage of Electronic Media Using Portable Media."

8.2 External Storage of Electronic Media Using Portable Media
See Additional Clause 1.

8.3 External Storage of Hard Copies
See Additional Clause 2.
8.4 General Notes on External Storage

8.4.1 Operation Management Regulations

A. Institutional Requirements
"The manager of a hospital or clinic of external storage shall work out operation management regulations and execute external storage accordingly. If operation management regulations have already been created in relation to the electronic storage of clinical records, they shall be amended as required." (External Storage Amendment Notice: No.3-1)

B. Concept
The establishment of operation management regulations is a requirement for external storage. For the proposal and specific guidelines, see 6.3, "Systematic Security Management Measures." For the responsibility, see Chapter 4, "Responsibility for Handling Electronic Health information." If operation management regulations have already been established, it will be sufficient to correct or add items related to external storage as required.

8.4.2 At the End of External Storage Contract
Since clinical records are sensitive personal information, both the entrusting Medical Institution and the entrusted operator must give due consideration to the end of external storage. The Medical Institution entrusting the external storage of clinical records shall fulfill the obligation of periodically checking the clinical records stored with the entrusted operator, and of auditing clinical records to be discarded for immediate and fair processing. The operator entrusted with external storage also needs to clarify the fair handling and processing of stored clinical records to the Medical Institution at its request. Provisions pertaining to discard need to be stated clearly in the contract of entrustment before the start of external storage. For the actual discard, regulations clarifying the discard program and other procedures should be established in advance.
These strict rules are imposed on both parties because retaining personal information beyond the agreed period may itself become a problem in terms of personal information protection. This must be clearly understood. If data is stored externally through a Network, the external storage system itself is a kind of database and must be discarded carefully, including index files. For electronic media, similar considerations are also necessary in relation to backup files.
If data is stored externally through a Network, the storage form is electronic media, and any information leak would probably produce enormous damage because of the volume of information. Therefore, due care should be taken regarding personal information protection, and the Medical Institution entrusting external storage and the entrusted operator must be able to confirm the secure discard of information.

8.4.3 External Storage of Clinical Records Not Legally Subject to Storage
See 3.3, "Documents Requiring Careful Handling."
9 Electronic Storage of Clinical Records Using Scanner or Other Equipment

This chapter describes the handling of clinical records legally subject to storage. In this chapter, hard-copy records received, stored, or used are converted into electronic data by using a scanner or other equipment, for storage or use. This chapter does not apply to schema input to an electronic chart, where a drawing on paper is input with a scanner or digital camera. For this kind of input, see "Securing Authenticity" in Chapter 7.

A. Institutional Requirements
When storing electromagnetic records instead of the documents at the lower columns of Attached Table 1-1 and (2), pertaining to the laws in the upper columns of the tables, in accordance with Clause 1, Article 3 of the Law, and when storing electromagnetic records at the lower columns of Attached Table 1-4, pertaining to the laws in the upper columns of the table, a private operator shall use one of the following methods:
(1) (Omitted)
(2) Reading the items written in a document with a scanner (or similar image reading device) and saving its electromagnetic record in a file of a computer used by the private operator or in a file prepared using a magnetic disk.
("Ordinance for Enforcement of Act on Utilization of Information and Communications Technology for Document Storage by Private Business Entities Pertaining to Laws and Regulations Under the Jurisdiction of the Ministry of Health, Labour and Welfare," Article 4, March 25, 2005)

9.1 Common Requirements

B. Concept
Regarding conversion into electronic data using a scanner, the following 2 scenarios can be assumed:
1 Most clinical care information is computerized by the use of electronic charts, but paper and film documents of clinical information are received from other Medical Institutions.
2 Electronic charts have been implemented for electronic storage, but there are still paper or film documents of old clinical records remaining. Thus, integrated operation is not possible. Only the order entry and medical affairs systems are computerized, since it is difficult to store hard copies.

This section describes measures applicable to both scenarios written above, or common to 9.2, "Electronic Storage after Every Clinical Consultation Using Scanner or Other Equipment" and 9.3, "Electronic Storage of Past Hard Copies Using Scanner or Other Equipment."

Regardless of the precision of the technology, scanning cannot produce data which is equivalent to its original hard copy. Therefore, due care is necessary when entering the information of a hard-copy data source onto a computer using a scanner, and this should be limited to cases where the mixture of electronic and hard-copy information significantly disturbs operation. Nevertheless, the storage of electronic information together with the original hard copies is extremely effective from the viewpoints of securing authenticity and storability. If possible, external storage should also be discussed. For measures in this kind of case, see 9.4 (Supplement), "Electronic Storage Using Scanner and Hard-copy Storage for Convenience."

C. Minimum Guidelines
1 A scanner satisfying certain standards related to optical resolution and sensor sensitivity shall be used to prevent a decrease in the volume of information by scanning, and to secure the information volume necessary for fulfilling the obligation of storage so that health care will not be disturbed. To prevent a loss of information by scanning, each document shall be checked in advance to verify that there is no other document pasted to it and no information outside the scanning range.
Paper documents of clinical information shall be scanned with adequate precision for clinical use. For high-definition information like a radiology film, refer to "Guidelines for Handling Digital Images Edition 2.0" (April 2006), announced by the Electronic Information Committee, Japan Radiological Society. These guidelines do not deal with mammography; however, the committee is scheduled to discuss it.
Other probable objects of scanning include wave information, such as electrocardiograms, and polarized information, which require sufficient accuracy to ensure correct health care, and due care should be taken.
Scanned image information from general documents shall be stored in a general-purpose format supported by abundant visualizing software. Since irreversible compression lowers the image precision, the precision of the scan should be sufficiently high for health information, and the paper should not be damaged or stained to the extent of disabling readability. Scanned information from radiology films and other medical images shall be stored in an appropriate format such as DICOM.
2 To prevent tampering, the person responsible for management at a Medical Institution shall take the following measures:
Devising operation management regulations for scanning
Selecting an information creation manager to ensure that scanned electronic information is equal to the original document information
Clarifying the responsibility for scanned information immediately with the electronic signature of the responsible worker (person in charge or manager), which conforms to the e-Signature Act, and also with a time stamp
For the electronic signature, see 6.12, "Electronic Signature for Compulsory Signing and Sealing."
3 Based on the above operation management regulations, the information creation manager shall take measures to ensure that scanning is executed securely by appropriate proceedings.
9.2 Electronic Storage after Every Clinical Consultation Using Scanner or Other Equipment

B. Concept
This is assumed when most clinical care is computerized by the use of electronic charts, but paper and film documents of clinical information are received from other Medical Institutions, and the mixture of different media may impair health care safety. Once the common requirements referred to in 9.1 have been satisfied, documents should be converted into electronic data within hours, since an inducement to tamper is unlikely to occur in this period.

C. Minimum Guidelines
In addition to the measures in 9.1, information shall be scanned within a fixed period after its creation or reception to prevent tampering. The fixed period means a period specified in the operation management regulations, not longer than one or two days, since an inducement to tamper is unlikely to occur in this period. Scanning must be done without delay. If a document cannot be scanned for an unavoidable reason, such as unavailability of equipment during overtime clinical care, it shall be scanned immediately when scanning becomes possible.

9.3 Electronic Storage of Past Hard Copies Using Scanner or Other Equipment

B. Concept
This is assumed when integrated operation is not possible because electronic charts have been implemented for electronic storage, but there are still paper or film documents of old clinical records remaining. Appropriate measures to achieve accountability should be taken, unlike in the circumstances of 9.2, "Electronic Storage after Every Clinical Consultation Using Scanner or Other Equipment," where an inducement to tamper is unlikely to occur. Once all the common requirements of 9.1 have been satisfied, a strict audit should be made with the prior consent of patients.

C. Minimum Guidelines
In addition to the measures of 9.1, the following measures shall be taken:
1 Before conversion into electronic data, the patients concerned shall be notified by a bulletin board or other means that their information will be scanned and stored as electronic data. If an objection is raised, scanning shall not be executed.
2 Before execution, an execution plan shall always be devised. The execution plan shall include the following:
Establishment and validation of operation management regulations. At a large-scale Medical Institution, the regulations shall be validated by a fair committee, including external academic experts (an ethics committee is acceptable).
Identification of the responsible worker
Means of notification to patients and dealing with objections
Execution system, including mutual supervision
Recording of execution and record items (A record sufficient for audit shall be created.)
Post-audit auditor selection and audit items
Period from scanning until paper or film discard, and also the discard method
3 A scanner at a Medical Institution shall be audited by a qualified external auditor, such as a system audit engineer or Certified Information Systems Auditor (ISACA certified).
4 For entrustment to an external operator, an appropriate operator satisfying the requirements of 9.1 shall be selected. The operator should at least have Privacy Mark and never have caused a problem relating to security management or personal information protection. For execution, adequate security management shall be stated clearly in a contract, including audit by a qualified external auditor, such as a system audit engineer or Certified Information Systems Auditor (ISACA certified).
9.4 (Supplement) Electronic Storage Using Scanner and Hard-copy Storage for Convenience

B. Concept
Information that is significantly inconvenient to handle as hard copies may be converted into electronic data using a scanner, with the original hard copies retained. In this case, the electronic information is for reference only, and its storage is not obligatory. In terms of personal information protection, however, such information should be handled equally, and adequate precision for health care should be secured upon conversion into electronic data by scanning.

C. Minimum Guidelines
1 A scanner satisfying certain standards relating to optical resolution and sensor sensitivity shall be used to prevent a decrease in information volume by scanning from disturbing health care. Paper documents of clinical information shall be scanned with adequate precision for clinical use. Although the paper documents are retained, they may be stored externally, because they are not easily accessible compared with electronic information. For convenience of use, therefore, the electronic information is expected to maintain the human readability of the original documents as much as possible. However, printed information may not lose human readability even if the scan precision is lowered to some extent. In this case, the scan precision may be lowered as long as human readability adequate for clinical care is maintained.
For high-definition information like a radiology film, refer to "Guidelines for Handling Digital Images Edition 2.0" (April 2006), announced by the Electronic Information Committee, Japan Radiological Society. These guidelines do not deal with mammography, though the committee is scheduled to discuss it. Other probable objects of scanning include wave information such as electrocardiograms, other information, and polarized information. They require sufficient accuracy for health care, and due care should be taken.
Scanned image information from general documents shall be stored in a general-purpose format supported by abundant visualizing software. Since irreversible compression lowers the image precision, it should be ensured that when performing irreversible compression the precision is sufficiently high for health care, and that the paper to be scanned is not damaged or stained badly to the extent of disabling readability. Scanned information from radiology films and other medical images shall be stored in an appropriate format such as DICOM.
2 The manager shall develop operation management regulations and take measures to ensure that scanning is executed securely by appropriate proceedings.
3 For urgent browsing in the case of an emergency, stored paper documents should, to some extent, be kept easily accessible.
4 Security management shall be conducted on the original paper or film after electronic conversion.
10 Operation Management

Operation management regulations are essential to meeting the responsibility of management and accountability, and operation management must always be prescribed.

A. Institutional Requirements
1) "Guidelines for the Appropriate Handling of Personal Information by Medical and Nursing Care Providers" (2004)
I 6. Securing and externally clarifying the transparency of actions by medical and nursing care providers
---The development of clear and proper rules in relation to the handling of personal information, and the announcement of such rules externally.
---The rules for the handling of personal information may specifically prescribe an outline of security management actions pertaining to personal information, proceedings for self-disclosure by the person, handling of third-party provisions, and dealing with grievances.
III 4(2) Developing and announcing regulations on personal information protection
---Regulations on personal information protection shall be created, ---. Regulations on security management actions shall be developed also for an information system handling personal data.
2) Other requirements
Notes on storing clinical records electronically
(1) The manager of facilities shall create and follow operation management regulations on the electronic storage of clinical records.
(2) The operation management regulations shall prescribe the following:
Items pertaining to the organization, system, and facilities for generalizing operation management
Items pertaining to the protection of patient privacy
Other items necessary for proper operation management
(Enforcement Notice: No.3)
Notes on external storage using electronic media
(1) The manager of a hospital or clinic of external storage shall work out operation management regulations and execute external storage accordingly. If operation management regulations relating to the electronic storage of clinical records have already been devised, they shall be amended as required.
(2) When developing operation management regulations for (1), items necessary for the operation management regulations pertaining to the electronic storage of clinical records shall be specified.
(External Storage Amendment Notice: No.3)

B. Concept
Medical Institutions have various forms depending on the scale and contents of their work, and accordingly their operation management regulations may also have various styles and contents. In accordance with Chapters 4 to 9 of these guidelines, this chapter describes the management items to be defined: general management items necessary regardless of electronic storage in (1), operation management items for electronic storage in (2), operation management items for external storage in (3), conversion into electronic data with a scanner in (4), and the procedure for creating operation management regulations at the end. For electronic storage, Medical Institutions must adopt the management items of (1), (2), and (4). For external storage of electronic data, Medical Institutions must adopt the management items of (3) as well.

C. Minimum Guidelines
The operation management regulations shall include the following items. Of Chapters 4 to 9 of these guidelines, "D. Recommended Guidelines" may be omitted.

1 General management items
General rules
a) Philosophy (declaration of the basic policies and purposes of management)
b) Applicable information
  Listing of all information handled by an information system
  Classification according to importance in security management
  Risk analysis
c) Changes relating to standards to be adopted and followed for an information system
Management system
a) System administrator, equipment manager, person responsible for operation, security manager, person responsible for personal information protection, etc.
b) Management system for manuals, contracts, and other documents
c) Audit system and person responsible for audit
d) System to accept grievances and questions from patients and system users
e) Troubleshooting responsibility system
f) Education and training system for system users to ensure full understanding
Duties of manager and user
a) Duties of system administrator, equipment manager, and person responsible for operation
b) Duties of person responsible for audit
c) Duties of user
For audit trails, refer to "Audit Trail Guide for Personal Information Protection - For Personal Information Protection at Your Hospital -" (Foundation of Medical Information System Development Center).
Operation management items in general management
a) Access management regulations to record and identify visitors and to limit access
b) Management and supervision regulations for the installation areas of information storage devices and access equipment
c) Policies for determining information access authority
d) Regulations for the management (storage, exchange, etc.) of recording media, including personal information
e) Regulations for the discard of media, including personal information
f) Risk prevention and handling method
g) Document management regulations prescribing the assignment of technical and operational measures relating to the security of the information system
  Regulations to determine technical or operational measures at system implementation, and to document and manage the contents
h) Technical security measures
  User identification and authentication method
  IC card and other security device distribution method
  Information classification, access authority management, and review accompanying personnel reassignment
  Access log acquisition and audit procedure
  Time synchronization method
  Measures against viruses and other illegal software
  Measures against illegal access from a Network
  Password management
i) Items pertaining to wireless LAN
  Wireless LAN settings (access limit, encryption, etc.)
  Limit on using equipment suspected of causing jamming
j) Regulations for electronic signature and time stamp
  Regulations for handling applicable issued documents and received documents with signature, and daily operation management regulations
Security management actions at work entrustment (system operation, maintenance, and alteration)
a) Provisions of security management and confidentiality in a contract of work entrustment
b) Security management actions for re-entrustment
c) Work management and supervision of system alteration and maintenance by relevant persons at the Medical Institution, and confirmation of work reports
  Creation and operation management of an exclusive account for maintenance personnel
  Confirmation of data access range at work
  Collection and check of access logs
  *For remote maintenance, see also below.
Taking out information and information equipment
a) Regulations for information and information equipment to be removed
b) Operation management regulations for information and information equipment to be removed
c) Security management actions for information and information equipment to be removed
d) Measures against theft and loss
e) Method of dissemination to users
Provision, entrustment, or exchange of health information with external organizations
a) Regulations on the confirmation of security from technical and operational aspects
b) Management regulations for documents to be studied for risk measures
c) Management of contract documents which define the demarcation point of responsibility with an information processing operator during normal operation and during incidents and maintenance, as well as management regulations for contract status
d) Basic policy of remote maintenance
  Security confirmation of the remote maintenance system by the maintenance operator
e) Operation management regulations on access by staff from outside the Medical Institution
  Security management of equipment used for access
Emergency action in the case of disasters or other incidents
a) Section on the health information system in BCP regulations
b) Management regulations on degraded system operation
c) Functions and operation management regulations in case of emergency
d) List of report destinations and contents
Education and training
a) Preparation of manuals
b) Periodic or non-periodic training on system handling, privacy protection, and enhancement of security awareness
c) Human security management measures for employees
  Confidentiality contract with those other than medical professionals
  Regulations for personal information protection after staff retirement
Audit
a) Contents of audit
b) Duties of the person responsible for audit
c) Audit of access logs
Review of regulations
Procedure for reviewing operation management regulations periodically

2 Operation management items for electronic storage
Securing authenticity
a) Identification and authentication of the creator
b) Information confirmation procedure and recording of identification information of the person responsible for creation
c) Storage of update history
d) Proxy operation approval record
e) Regulations for equipment and software quality control and internal audit of operation status
Securing human readability
a) Management of information location
b) Management of means of readability
c) Response time and throughput for the purpose of human readability
d) System troubleshooting
  Redundancy
  Backup
  Emergency action
Securing storability
a) Management of software, equipment, and media (installation place, lock management, periodic inspection, virus check, etc.)
  Preventive measures against information destruction and confusion due to a virus or inappropriate software
b) Preventive measures against information loss and destruction due to inappropriate storage or handling
  Backup and work history management
c) Preventive measures against reading failure or incomplete reading due to the deterioration of recording media or facilities
d) Preventive measures against recovery failure due to incompatible media, equipment, or software
  Rules for work that entails planning to deal with database inconsistency at system transition and with data incompatibility of equipment and media at system alteration or transition
Securing interoperability
a) Measures for securing data compatibility during system repairs
b) Measures for securing data compatibility during system renewal
3 "Management items as Medical Institution" for external storage through Network For external storage using portable media or paper, management items shall be created by referring to this section. Management system and responsibility a) Operator selection rules for entrustment and regulations stating grounds for the judgment of compliance at selection If the entrusted operator is other than a Medical Institution, refer to the requirements prescribed in 8.1.2, "Standards for Selecting External Information Storage Organization and Handling Information." Regulations to confirm compliance with "Guidelines for Managing Entrusted Health information" prescribed by the Ministry of Economy, Trade and Industry and with "Guidelines for Information Security Measures in ASP and SaaS" prescribed by the Ministry of Internal Affairs and Communications for some forms of business b) Person responsible for management at the Medical Institution c) Entrusted operator audit system d) Demarcation point of responsibility with the entrusted operator and line operator e) Creation and storage of a contract or similar document, clearly stating the scope of responsibility for management, accountability, as well as responsibility for periodic review and necessary improvement with the entrusted operator and line operator f) Creation and storage of a contract or similar document, clearly stating the demarcation of responsibility for dealing with an inconvenience and the responsibility for isolating a fault If the entrusted operator is other than a Medical Institution, refer to the requirements prescribed in 8.1.2, "Standards for Selecting External Information Storage Organization and Handling Information." 
g) Standards for selecting documents to be entrusted for external storage Processing at the end of external storage contract Regulations for processing method to ensure no clinical records remain with the entrusted operator a) Confirmation by the manager and a contract which ensures no clinical records remain with the entrusted operator Securing authenticity a) Adoption of mutual authentication function 136
b) Function to ensure no tampering on a telecommunication line Securing human readability a) Confirmation of the same item as in ((2) ) for storage within the facilities b) Means of securing human readability for health information likely to be required urgently (Recommended) c) Means of securing human readability for health information not likely to be required urgently (Recommended) Securing storability a) Function to confirm storage at the operator entrusted with external storage Confirmation of the same item as in ((2) ) for storage within the facilities b) Adoption of the standard data format and transfer protocol (Recommended) c) Managing data format and transfer protocol version and securing continuity Protection of personal information during the transmission of the information such as clinical records through a telecommunications line a) Appropriate encryption to secure confidentiality b) Authentication to identify the start and end points of communication Protection of personal information within the organization entrusted with the external storage of clinical records a) Protection of personal information at organization entrusted with external storage b) Prohibition of access to clinical records at organization entrusted with external storage If the entrusted operator is other than a Medical Institution, refer to the requirements prescribed in 8.1.2, "Standards for Selecting External Information Storage Organization and Handling Information." c) Notification of access when troubleshooting d) Integrity of access log and prohibition of access Explanation to patient a) Method of explanation before the start of clinical care b) Explanation to patient difficult but clinical care urgent c) Explanation to patient difficult but clinical care not urgent 137
Entrusted operator audit items a) Stored record (contents, period, etc.) b) Audit about management measures at the entrusted business operator and their implementation status (4) Electronic storage using scanner or other Regulations for scanned documents Appointment for an information creation manager to ensure that scanned electronic information is equal to the original Electronic signature and time stamp on scanned electronic information by the responsible worker (doer or manager) in compliance with the Electronic Signatures and Authentication Services Act (e-signature Act) Regulations on scan timing at every clinical care Regulations on procedure for converting past accumulated documents into electronic data <Creation of operation management regulations> Operation management regulations are created at each Medical Institution for optimum system operation. In other words, Medical Institutions devise their own regulations according to circumstances and their own judgment. Since it may be difficult to cover all necessary items, however, Attached Tables 1 to 3 give samples of operation management regulations for help. Attached Table 1 gives an example of general operation management items for electronic storage or no electronic storage. Attached Table 2 gives an example of operation management items for electronic storage. Attached Table 3 gives an example of additional operation management items for external storage. For external storage, operation management regulations should include all items from Attached Tables 1 to 3. "Operation management regulations" does not have to be compiled into an independent document. It is sufficient if the contents stated in these guidelines and summarized in this chapter are stated in documents of management regulations used for actual operation. Considering daily use, review, and revision, however, the regulations should be grouped by work for easy understanding. 
The recommended procedure for creating operation management regulations is as follows:

Step 1: Creation of general configuration and contents
Organize the general configuration from chapters and sections by referring to the items in this chapter and also the "Operation management item" and "Implementation item" columns in the attached tables, without impairing the identity of the Medical Institution. The operation management regulations should not be limited to electronic storage and external storage but should cover the entire health information system.

Step 2: Creation of operation management regulation texts
Create the texts of the operation management regulations by referring to the "Model sentence for operation management regulations" column in the attached tables. The attached tables have Category columns, on the assumption that the expressions used in operation management regulations differ greatly between large or medium-scale hospitals and small hospitals or clinics. A large or medium-scale hospital is recommended to select model sentences of Categories A and B, and a small hospital or clinic is recommended to select model sentences of Categories A and C.

Step 3: General review and evaluation for confirmation
Review the created operation management regulations with relevant persons at the Medical Institution to evaluate their general feasibility and make necessary improvements.

Operation management regulations should not simply be planned (Plan). The planned regulations must be applied to actual operation (Do), audited appropriately (Check), and improved as required (Action). It is important to keep applying and improving the regulations appropriately through this PDCA cycle.
Additional Clause 1 External Storage of Electronic Media Using Portable Media

For the external storage of electronic information in portable media, the entrusting Medical Institution and the entrusted organization are not linked online. This system is therefore not subject to any significant risk of information leakage or rewriting by such threats as spoofing, tapping, and tampering on a telecommunication line, and careful operation can make it comparatively easy to secure authenticity.

Compared with paper and film, portable media are well suited to safe storage. Since the contents of portable media cannot be viewed with the naked eye, confidentiality during transportation is comparatively easy to secure. Media that limit access by password, such as security MO disks, secure an even greater level of confidentiality. Therefore, there will be no serious problems if the standards for the external storage of hard copies in Additional Clause 2 are observed. However, due care is necessary regarding the aging of portable media. In addition, careful handling is necessary because portable media can store an extremely large amount of information, and their loss may cause serious information loss or leakage. For personal information protection, backup clinical records and other documents not legally subject to storage should be managed in the same way as documents legally subject to storage.

Additional Clause 1.1 Observance of the 3 Standards for Electronic Storage

A. Institutional Requirements
"The standards for securing the authenticity, human readability, and storability of clinical records and other shall be satisfied." (External Storage Amendment Notice: No.2-1 (1))

B. Concept
It may be sufficient if only the requirements for securing authenticity, human readability, and storability at the electronic storage of clinical records within a Medical Institution are satisfied. However, due care should be taken during transportation and during handling at the organization entrusted with external storage to prevent an accident.

More specifically, the following actions are expected:
(1) Securing authenticity during transportation and a disturbance at the organization entrusted with external storage
(2) Securing human readability during transportation and a disturbance at the organization entrusted with external storage
(3) Securing storability during transportation and a disturbance at the organization entrusted with external storage

C. Minimum Guidelines

1 Securing authenticity during transportation and a disturbance at the organization entrusted with external storage
The entrusting Medical Institution, the transporter, and the entrusted organization shall record the transfer and receipt of portable media. Secure transfer, receipt, and storage of portable media are important to prevent an accident, loss, or theft. In addition, portable media must be distinguished from other stored documents to prevent confusion. Media changes or updates shall be recorded clearly.

2 Securing human readability during transportation and a disturbance at the organization entrusted with external storage
- Clinical care shall not be disturbed.
  When patient information is stored externally in portable media, some transportation time is necessary for information access. In the case of a sudden change in a patient's condition, or for first aid, situations must be assumed in which clinical records and other information may be required urgently. In general, "specific clinical information becomes necessary for immediate clinical care" while clinical care is continuing. Therefore, information relating to continuous clinical care which is likely to be requested urgently, and which would require time for transportation, must be stored internally. If it is unavoidable to store such information externally, a copy of it or substantially equivalent information shall be stored within the entrusting Medical Institution.
- Audit shall not be disturbed.
  The schedule for an audit is generally known in advance and is not urgent. Therefore, there should be no problem unless information is stored in a remote place and significant time is necessary for transportation.

3 Securing storability during transportation and a disturbance at the organization entrusted with external storage
- Adoption of a standard data format
  To secure interoperability during system renewal, it is preferable to use a standard data format for reliable data transition.
- Measures against media deterioration
  After consideration of the media storage conditions, anti-aging measures may be necessary, such as the periodic reading of magnetic tapes.
- Measures against media and equipment obsolescence
  If media or equipment become obsolete, it may become impossible to read the recorded information. To cope with the obsolescence of media and equipment, it is preferable to transfer information to new media or equipment.

Additional Clause 1.2 Protection of Personal Information

A. Institutional Requirements
"The protection of personal information shall be ensured with due care regarding the protection of patient privacy." (External Storage Amendment Notice: No.2-1 (3))

B. Concept
The Personal Information Protection Act was established, and in the health care field the "Guidelines for the Appropriate Handling of Personal Information by Medical and Nursing Care Providers" were devised. Since health information handled in health care is extremely sensitive with respect to privacy, it is necessary to take adequate security management measures by referring to the above guidelines.

When clinical records are stored within a Medical Institution, personal information is protected under the administration of the manager (hospital director, etc.) of the Medical Institution. When information is stored externally using portable media, the scope of authority and responsibility of the manager of the entrusting Medical Institution extends not only to their own facilities but to other facilities as well. Therefore, personal information protection should be considered further. Items pertaining to the protection of patients' personal information should be considered for as long as the personal information exists, even after the legal storage period of clinical records or the end of the contract with the organization entrusted with external storage. A similar operation system is also expected for the handling of personal information in backup information.

More specifically, the following actions are expected:
(1) Protection of personal information when portable media storing clinical records are transported
(2) Protection of personal information within the organization entrusted with the external storage of clinical records

C. Minimum Guidelines

1 Protection of personal information when portable media storing clinical records are transported
When transporting clinical records stored in portable media, due care should be taken regarding loss of the portable media or confusion with other transport items.
- Preventing the loss of portable media storing clinical records
  The risk of loss shall be reduced by locking the transportation vehicle and sealing the transportation casing.
- Preventing the confusion of portable media storing clinical records with other transport items
  If confusion with other transport items is foreseeable, the risk of confusion shall be reduced by packing or transporting the portable media separately from other transport items or systems.
- Concluding a confidentiality contract with the transporter
  A Medical Institution entrusting external storage has a management obligation to ensure that the entrusted organization and the transporter observe the Personal Information Protection Act. The sharing of responsibility between the parties shall be clarified, and the obligation of confidentiality shall be stated clearly in a contract.

2 Protection of personal information within the organization entrusted with the external storage of clinical records
It may become necessary for an organization entrusted with external storage to access the entrusted clinical records: to search for personal information among the entrusted records and return the result at the request of the entrusting Medical Institution, to record the transfer and receipt of portable media storing clinical records, or in the case of a fault at the entrusted organization. In such cases, the following should be noted:
- Prohibition of access to health information at the organization entrusted with external storage
  An organization entrusted with the external storage of clinical records should strictly protect clinical records and other personal information. A mechanism is necessary to prevent even the manager of the entrusted organization from accessing the entrusted personal information without a just reason.
- Notification of access in the case of a fault
  If access to clinical records is unavoidable due to a fault at the facility storing the records or for other reasons, the records shall be protected in the same way as personal information such as clinical records stored at Medical Institutions, and the Medical Institution entrusting external storage must be asked for permission.
- Contract regarding the obligation of confidentiality with the organization entrusted with external storage
  An organization entrusted with the external storage of clinical records is legally obligated to maintain confidentiality. Therefore, the sharing of responsibility between the entrusting Medical Institution, the entrusted organization, and the transporter should be clarified, and the obligation of confidentiality should be stated in a contract.
- Responsibility of a Medical Institution entrusting external storage
  For the protection of clinical records and other personal information, the Medical Institution obligated to store the clinical records bears the final responsibility. Therefore, the entrusting Medical Institution should require by contract that the entrusted organization take personal information protection measures, and should supervise the execution of those measures.

D. Recommended Guidelines
In addition to the minimum guidelines of C, the following measures shall be taken:
- Explanation of external storage to patients
  An institution entrusting the external storage of clinical records should explain the storage system to patients via an internal bulletin board or other means, including an explanation of the security and risks, and request their understanding in advance with respect to sending patient information to external facilities and its storage there.
  - Explanation before the start of clinical care
    An explanation should be made before personal information, including the clinical condition and history, is collected from a patient. Clinical care should begin with the understanding of the patient after external storage has been explained by means of an internal bulletin board, etc.
  - Explanation to patient difficult and clinical care urgent
    Prior explanation is not always necessary if urgent clinical care is needed but it is difficult to provide the patient with an explanation because of a mental disorder or dementia. The explanation may be given later, if the patient becomes lucid, to obtain their understanding of the matter.
  - Explanation to patient difficult but clinical care not urgent
    If it is difficult to provide the patient with an explanation because the patient is an infant or the like, and urgent clinical care is not necessary, an explanation shall in principle be made to a person in parental authority or a guardian. If an explanation cannot be given because of suspected abuse by the person in parental authority, or because the patient has no guardian, the reason for giving no explanation is expected to be recorded in the clinical record.

Additional Clause 1.3 Clarification of Responsibility

A. Institutional Requirements
"External storage shall be conducted under the responsibility of a hospital or clinic obligated to store clinical and other records. It shall be clarified where responsibility for an accident lies." (External Storage Amendment Notice: No.2-1 (4))

B. Concept
Even when portable media storing clinical records electronically are stored at an external organization, the responsibility is as described in 4.1, "Manager's Responsibility of Information Protection at Medical Institutions" and 4.2, "Demarcation of Responsibility in Entrustment and Provision to Third Party."
In accordance with these ideas, there is no problem with sharing part of the actual management, and part of the explanation, with the entrusted organization or the transporter. In the case of an accident, the responsibility toward patients is the post-event responsibility described in 4.1, and the entrusting Medical Institution should fulfill its accountability. As long as the responsibility for devising remedial measures and the demarcation of responsibility are clarified as in 4.2, however, the entrusted organization and the transporter shall take responsibility toward the entrusting Medical Institution as prescribed in the contract, and also for any violation of law.

More specifically, the following actions are expected:
(1) Clarification of usual operational responsibility
(2) Clarification of post-event responsibility

C. Minimum Guidelines

1 Clarification of usual operational responsibility
- Accountability
  The entrusting Medical Institution is mainly responsible for making adequate explanations to patients and society regarding the operation and management of the storage system and its users. On this presupposition, there should be no problem with having the transporter or the entrusted organization provide the actual explanation, while taking note of personal information protection.
- Responsibility for management
  The entrusting Medical Institution is mainly responsible for the selection, implementation, operation, and management of the devices used for recording and storing information in media, including their users. On this presupposition, there should be no problem with having the transporter or the entrusted organization provide the actual explanation, while taking note of personal information protection.
- Responsibility for periodic review and necessary improvement
  Information should not merely be transported in portable media and left stored outside. The operation management status must be audited periodically to identify problems and make necessary improvements. Therefore, the manager of a Medical Institution should take every opportunity to reevaluate and review the current operation management as a whole.

2 Clarification of post-event responsibility
The entrusting Medical Institution, the entrusted organization, and the transporter shall clarify the management of and responsibility for the external storage of clinical records by referring to 4.2, "Demarcation of Responsibility in Entrustment and Provision to Third Party," and conclude a contract regarding the following items:
- Determination of the timing at which clinical records created at the entrusting Medical Institution are stored at the external organization, and the initiation of the series of operations related to external storage
- Method of transferring and receiving portable media between the entrusting Medical Institution and the transporter, and of managing such transfers
- Action in the case of a portable media transportation problem due to an accident, etc.
- Action in the case of an information leak during transportation
- Method of transferring and receiving portable media between the entrusted organization and the transporter, and of managing such transfers
- Regulations on work recording and audit for the personal information search service provided by the entrusted organization, with the obligation of confidentiality during and after employment, and responsibility for inquiries from patients regarding an information leak
- Action when the entrusted organization cannot return portable media at the request of the entrusting Medical Institution
- Action when the organization entrusted with external storage receives an inquiry, grievance, or disclosure request directly from a patient

Additional Clause 1.4 At the End of External Storage Contract

Since clinical records contain sensitive personal information, both the entrusting Medical Institution and the entrusted organization must give consideration to this matter at the end of external storage. Some kind of time limit should be indicated in relation to the initiation of external storage, and the termination of external storage should also be based on it. The term may be a specific date or a condition, such as a fixed number of years after a series of clinical care ends.

The Medical Institution entrusting the external storage of clinical records shall fulfill the obligation of periodically checking the clinical records stored with the entrusted operator and auditing the clinical records to be discarded, so that they are processed promptly and fairly. The organization entrusted with external storage must also, at the request of the Medical Institution, clarify to the Medical Institution the fair handling and processing of the stored clinical records.

Provisions pertaining to discard must be stated clearly in the contract of entrustment between the entrusting Medical Institution and the entrusted organization before the start of external storage. For the actual discard, regulations clarifying the discard program and other procedures should be devised in advance. These strict rules are imposed on both parties because retaining personal information beyond the agreed period may in itself become a problem with respect to personal information protection. This must be clearly understood. If a service for searching a patient's personal information is provided, the search ledgers and search records must also be discarded in such a way as to prevent an information leak. Despite storage in portable media, the entrusting Medical Institution and the entrusted organization are not exempt from the responsibility relating to discard. This should be clearly understood.
Additional Clause 2 External Storage of Hard Copies Hard copies refer to not only paper documents but also X-ray films and other physical media that are not electronic media. With the progress of inspection technologies, clinical records which must be stored at Medical Institutions are increasing and it is often difficult to secure their storage places. There is a legal obligation for stored clinical records to be used as evidence and also used effectively. Therefore, clinical records should be stored in order. Under certain conditions, it is permitted to store hard-copy clinical records in a place other than the said Medical Institution. Like portable media, the storage place for hard copies is not limited to a Medical Institution. However, clinical records have very confidential personal information and should be available without delay when required. If clinical records are stored externally with the said Medical Institution, the existing place of personal information is extended and it is then necessary to clarify an operation management system pertaining to external storage. As the storage place becomes further away, it naturally takes more time to transport clinical records for use. Therefore, the location of the storage place must be considered not to disturb clinical care. Paper and film documents need to be transported with care because some devices are necessary for viewing the contents of portable media but paper and film documents show personal information easily when exposed. Additional Clause 2.1 Securing Usability A. Institutional Requirements "Considering that clinical and other records are provided for health care, a system shall be secured to allow immediate use as required. (External Storage Amendment Notice: No.2-2 (1)) B. Concept In general, clinical records are used for clinical care, providing explanations to patients, audits, and lawsuits. 
If clinical records were made available immediately and at any time for a variety of cases, however, external storage would be impossible. For clinical care, specific clinical records can be provided urgently for patients under continuous clinical care when an urgent requirement for them is predictable. More specifically, the following actions are expected: (1) Clinical record transport time (2) Storage method and environment 149
C. Minimum Guidelines 1 Clinical record transport time When clinical records are stored externally, measures should be taken not to disturb clinical care by a transportation delay. External storage place Clinical records shall not be stored externally at an organization that necessitates a long transportation time. Storage of copy or summary Information relating to continuous clinical care which is likely to be required urgently must be stored internally. If it is inevitable to store such information externally, a copy of it or summary shall be stored internally. Even in the case of continuous clinical care, the urgency for using clinical records upon hospitalization will be low if an appropriate summary is created when leaving the hospital after treatment. External storage after a certain period of time may not disturb clinical care. 2 Storage method and environment Prevention of confusing clinical records with other stored documents Clinical records must be stored and managed separately from other documents for selection in necessary units. Construction of appropriate storage environment An appropriate storage environment and conditions must be constructed and maintained to prevent the deterioration, damage, loss, of theft of clinical records. Additional Clause 2.2 Protection of Personal Information A. Institutional Requirements "The protection of personal information shall be ensured with due care regarding the protection of patient privacy." (External Storage Amendment Notice: No.2-2 (2)) B. Concept 150
The Personal Information Protection Act has been established and, in the health care field, the "Guidelines for the Appropriate Handling of Personal Information by Medical and Nursing Care Providers" have been devised. Since the health information handled in health care is extremely sensitive with respect to privacy, adequate security management measures must be taken by referring to the above guidelines. When clinical records are stored within a Medical Institution, personal information is protected under the administration of the institution's manager (hospital director, etc.). When paper, film, etc. are stored externally, the scope of the manager's authority and responsibility extends beyond the institution's own facilities to the other facilities as well, so the protection of personal information requires further consideration. Matters pertaining to the protection of patients' personal information must be considered for as long as the personal information exists, even after the legal storage period of the clinical records or the term of the contract with the organization entrusted with external storage has ended. A similar operation system is also expected for the handling of personal information contained in backup information. More specifically, the following actions are expected:
(1) Protection of personal information during clinical record transportation
(2) Protection of personal information within the organization entrusted with the external storage of clinical records

C. Minimum Guidelines

1 Protection of personal information during clinical record transportation
Clinical records should be transported with due care against loss or confusion with other transported items.

Sealing clinical records and preventing loss
Information leaks through prying shall be prevented by locking the transportation vehicle and sealing the transportation casing. The risk of loss shall be reduced by recording the transfer and receipt of clinical records.

Prevention of confusing clinical records with other transport items
The risk of confusion shall be reduced by packing or transporting clinical records separately from other transported items or systems.

Confidentiality contract with transporter
An agent transporting clinical records is obligated to maintain confidentiality in accordance with the Personal Information Protection Act. Therefore, the sharing of responsibility among the entrusting Medical Institution, the entrusted organization, and the transporter should be clarified, and the obligation of confidentiality shall be stated clearly in a contract.

2 Protection of personal information within the organization entrusted with the external storage of clinical records
An organization entrusted with external storage may need to check the contents of clinical records or view patients' personal information when searching clinical records and returning the requested information at the request of the entrusting Medical Institution, or when recording the transfer and receipt of clinical records.

Where patients' personal information may be viewed within the organization entrusted with external storage
An organization entrusted with the external storage of clinical records that provides a search service shall limit viewing to the minimum necessary for the service and shall not view any other information. Only specific persons in charge may view the information; other staff are prohibited from doing so. To fulfill the obligation of security management prescribed in the Personal Information Protection Act, the organization entrusted with external storage must conclude a contract with the entrusting Medical Institution and the transporter regarding the obligation of confidentiality and the system of responsibility in case of a problem.

Where patients' personal information cannot be viewed within the organization entrusted with external storage
An organization entrusted with the external storage of clinical records shall manage only the transportation and storage cases and shall not check the contents of clinical records or view the personal information of patients. The entrusted organization must conclude a contract regarding these points with the entrusting Medical Institution and the transporter.

Responsibility of the Medical Institution entrusting external storage
For the protection of clinical records and other personal information, the Medical Institution obligated to store the clinical records bears final responsibility. Therefore, the entrusting Medical Institution should stipulate in its contract with the entrusted organization that the entrusted organization takes personal information
protection measures and supervises the execution of such measures.

D. Recommended Guidelines

Explanation of external storage to patients
An institution entrusting the external storage of clinical records should explain the storage system to patients via an internal bulletin board or other means, including an explanation of the security and risks, and request their understanding in advance with respect to sending patient information to external facilities and storing it there.

Explanation before the start of clinical care
The explanation should be given before personal information, including clinical conditions and history, is collected from a patient. Clinical care should begin with the patient's understanding, after external storage has been explained by means of an internal bulletin board or the like.

Explanation to patient difficult and clinical care urgent
Prior explanation is not always necessary when urgent clinical care is needed but it is difficult to give the patient an explanation because of a mental disorder or dementia. The explanation may be given later, if the patient becomes lucid, to obtain their understanding of the matter.

Explanation to patient difficult but clinical care not urgent
When urgent clinical care is not necessary but it is difficult to give the patient an explanation because the patient is an infant or the like, the explanation shall in principle be given to a person with parental authority or a guardian. When it is difficult to give an explanation because of suspected abuse by the person with parental authority, or because the patient has no guardian, the reason why no explanation was given is expected to be recorded in the clinical record.

Additional Clause 2.3 Clarification of Responsibility

A. Institutional Requirements
"External storage shall be conducted under the responsibility of a hospital or clinic obligated to store clinical and other records. It shall be clarified where the responsibility for an accident lies." (External Storage Amendment Notice: No.2-2 (3))
B. Concept
Even when clinical records are stored at an external organization, the responsibility is as described in 4.1, "Manager's Responsibility of Information Protection at Medical Institutions," and 4.2, "Demarcation of Responsibility in Entrustment and Provision to Third Party." In accordance with these ideas, there is no problem in sharing part of the actual management, and part of the explanation, with the entrusted organization or transporter. In the case of an accident, the responsibility toward patients is the post-event responsibility described in 4.1, and the entrusting Medical Institution should fulfill its accountability. Provided, however, that the responsibility for devising appropriate remedial measures and the demarcation of responsibility are clarified as in 4.2, the entrusted organization and the transporter shall bear responsibility toward the entrusting Medical Institution as prescribed in the contract and shall also be responsible for any violation of law. More specifically, the following actions are expected:
1 Clarification of usual operational responsibility
2 Clarification of post-event responsibility

C. Minimum Guidelines

1 Clarification of usual operational responsibility

Accountability
The entrusting Medical Institution is primarily responsible for providing adequate explanation to patients and society regarding the operation and management system and its users. On this presupposition, there is no problem in having the transporter or the entrusted organization provide the actual explanation, with due attention to the protection of personal information.

Responsibility for management
The entrusting Medical Institution is primarily responsible for the operation and management of the external storage of clinical records. On this presupposition, there is no problem in having the transporter or the entrusted organization perform the actual management, with due attention to the protection of personal information.

Responsibility for periodic review and necessary improvement
Clinical records should not simply be transported and left in external storage. The status of operation management must be audited periodically to eliminate problems and make necessary improvements. Therefore, the manager of a Medical Institution should take every opportunity to reevaluate and review the current operation management as a whole.

2 Clarification of post-event responsibility
The entrusting Medical Institution, the entrusted organization, and the transporter shall clarify the management and responsibility system for the external storage of clinical records by referring to 4.2, "Demarcation of Responsibility in Entrustment and Provision to Third Party," and conclude a contract covering the following items:
- Determination of the timing at which clinical records created at the entrusting Medical Institution are placed in storage at the external organization, and of the initiation of the series of operations related to external storage
- Method of transferring and receiving clinical records between the entrusting Medical Institution and the transporter, and of managing the transfer
- Action in the case of a problem with the transportation of clinical records due to an accident, etc.
- Action in the case of an information leak during transportation
- Method of transferring and receiving clinical records between the entrusted organization and the transporter, and of managing the transfer
- Method of recording and auditing work for the personal information search service provided by the entrusted organization
- Regulations concerning the obligation of confidentiality during and after employment, and responsibility for an inquiry from a patient relating to an information leak
- Action when the entrusted organization cannot return portable media at the request of the entrusting Medical Institution
- Action when the organization entrusted with external storage receives an inquiry, grievance, or disclosure request directly from a patient
Additional Clause 2.4 At the End of External Storage Contract

Since clinical records are sensitive personal information, both the entrusting Medical Institution and the entrusted organization must give due consideration to the end of external storage. Some form of time limit should be indicated when external storage begins, and the termination of external storage should be based on it. The term may be a specific date or a condition, such as a fixed number of years after a series of clinical care ends.

The Medical Institution entrusting the external storage of clinical records shall fulfill its obligation to check periodically the clinical records stored at the entrusted organization and to audit the clinical records to be discarded, so that they are processed promptly and properly. The entrusted organization must also, at the request of the Medical Institution, clarify to it the proper handling and processing of the stored clinical records. Provisions on their discard must be stated clearly in the contract of entrustment between the entrusting Medical Institution and the entrusted organization before external storage begins, and for the actual discard, regulations clarifying the discard program and other procedures should be devised in advance. These strict rules are imposed on both parties because retaining personal information beyond the agreed period is in itself a problem for the protection of personal information. This must be clearly understood.

If a search service for patients' personal information is provided, the search ledgers and search records must also be discarded in such a way that no information leak occurs. Storage in hard-copy format does not exempt the entrusting Medical Institution and the entrusted organization from their responsibility when discarding information. This must be clearly understood.