Wednesday, April 21, 2010

SHARP Focus: Center for Health Information Privacy and Security

SHARP Security

The Strategic Healthcare IT Advanced Research Projects on Security (SHARPS) project is a multi-institutional and multidisciplinary research project, supported by a grant from the Office of the National Coordinator, aimed at reducing security and privacy barriers to the meaningful use of health information technology. The grant is one of the four awarded through the Strategic Health IT Advanced Research Projects (SHARP) program to address key challenges in adoption and meaningful use of health IT. I wrote previously about the University of Texas Health Science Center at Houston research, which will focus on Patient-Centered Cognitive Support, and the Harvard research program on new health care application and network-platform architectures. Now we will look at the SHARPS research project on security of health IT.

The SHARPS project will advance the sophistication, development, and deployment of security and privacy for health IT through research that is strategically managed for fundamental impact with some incremental short-term benefits. The Center for Health Information Privacy and Security has been established under the direction of Carl A. Gunter (see interview below). The Center houses the multi-institutional and multidisciplinary SHARPS research project. For continuing updates on the Center's work, visit the SHARPS project web site. SHARPS is organized around three major environments:
  • Electronic Health Records (EHRs)
  • Health Information Exchanges (HIEs), with Personal Health Records (PHRs) included as a major subtopic
  • Telemedicine (TEL)
The EHR project focuses on issues related to the security and privacy of health records within a single enterprise, such as a hospital or doctor's office. The EHR project includes three components:
  1. Self-Protecting EHRs addresses defense-in-depth protection of records within an enterprise or in outsourcing by using attribute-based encryption to enforce SHARPS-developed protection requirements
  2. Policy Terrain and Implications of HIT addresses the inadequacy of existing frameworks for formulating and understanding privacy policies by developing contextual integrity underpinnings for application-enabling privacy practices
  3. Privacy-Aware Health Information Systems meets needs for highly assured conformance to privacy policies by developing new strategies for building such systems based on trust management systems
The HIE project is concerned with security and privacy of health records that are exchanged between enterprises or individuals or held by individuals (PHRs). The HIE project has three components:
  1. Responsive, Secure Health Information Exchange addresses the inadequacy of current service models for exchanges by demonstrating how model-based design can be applied to HIT
  2. Experience-Based Access Management addresses the need for an engineering model for the evolution of access controls limiting insider threats with a lifecycle model based on strategies from attribute-based rule sets and machine learning
  3. Personal Health Records addresses the inadequacy of privacy standards for third-party PHRs through policy exploration with PHR stakeholders, leading to development and transition of supporting technology
The TEL project addresses security and privacy in the control of implants, remote monitoring, multimedia communications, and medical device risk assessment. The TEL project has four components:
  1. Implantable Medical Devices addresses control operations on implanted medical devices without proper authorization by developing techniques for achieving measurable security for such devices relative to specified infrastructure
  2. Remote Monitoring for Mobile and Assisted Living addresses usable security for remote monitoring and home healthcare with an mHealth security framework and service model
  3. Tele-immersion addresses the need for efficient provisioning for security and privacy in tele-immersion by linking classification to encryption
  4. Patient Safety Assessment addresses inadequate quantification of safety risks for medical devices in the face of security threats with a plan based on using Food and Drug Administration (FDA) adverse event reports to develop risk assessments
Each project will be staffed by a multi-institutional, interdisciplinary team consisting of researchers at universities in collaboration with industrial partners, consultants, and advisors. These teams provide coordination among researchers with the highest level of expertise in security and privacy for HIT. The universities involved are Carnegie Mellon University, Dartmouth College, Harvard University, Johns Hopkins University, New York University, Northwestern University, Stanford University, the University of California at Berkeley, the University of Illinois at Urbana-Champaign, the University of Massachusetts at Amherst, the University of Washington, and Vanderbilt University. Principals from these universities are grouped into teams that associate PhD security and privacy computer science researchers with MD researchers and high-level information officers in healthcare organizations. These teams are supported by industrial partners and consultants. The overall project is advised by a distinguished project advisory committee that draws on leaders in academic research, industrial research, healthcare delivery organizations, developers of HIT, government healthcare, policy leaders, and stakeholder groups. The project organization assures project synergy and the capacity to act as an effective collaborator with a Federal Steering Committee at Health and Human Services.

The first anticipated outcome of the project is to improve the maturity of security and privacy technologies and policies to remove a key range of security and privacy barriers that prevent current HIT systems from moving to higher HIT Meaningful Use Stages. The second anticipated outcome of the project will be the creation of an integrated multidisciplinary research community in security and privacy for HIT that will carry progress forward beyond the scope and duration of the SHARPS project.

I spoke with Carl today and he gave a great overview of the project and shared some of his insights as to how this research project will move forward. The audio of the conversation is below:

