Abstract

Purpose: From the Hippocratic Oath to the World Medical Association's Declaration of Geneva, physicians have sworn to protect patients’ privacy. However, as systems move to more integrated architectures, protecting this medical data becomes more of a challenge. The increase in complexity of IT environments, the aggregation of data, and the desire of other entities to access this data, often 24 h/day × 7 day/week × 365 day/year, are putting serious strains on our ability to maintain its security. This problem cuts across all electronic record sources, from patient care records to academic medical research records.

Approach: In order to address this issue, we are rethinking the way we store, transmit, process, access, and federate patient data from clinical and research applications. Our groups at the University of Michigan are developing a system called the “Honest Broker” to help manage this problem. The Honest Broker will offload the burden of housing identifiable data elements of protected health information (PHI) (e.g., name and address) as well as manage data transfer between clinical and research systems. Lab results and other non-identifiable data will be stored in separate systems with either a research study ID or clinical ID number. This two-component architecture increases the burden on attackers, who now need to compromise two systems, one of which is seriously hardened, in order to match health data with a patient's actual identity.

Conclusions: While no security system is truly intrusion-proof, this architecture provides a high-security choke point, reducing the likelihood of a breach. By redesigning the method of integrating clinical care and research, we have enabled projects that would be cost prohibitive to conduct otherwise. The scalability of this mechanism is dependent on the heterogeneous nature of the clinical systems serving patients.
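The two-component split described in the Approach, as an added example that is not code from the paper or from the University of Michigan system. The class, method, study and role names are hypothetical, and the random study ID scheme and the approved-requester check are assumptions made for illustration.

```python
import secrets

# Fields treated as identifiable PHI here; the abstract names name and address.
IDENTIFIERS = ("name", "address")


class HonestBroker:
    """Hypothetical hardened component: the only place identities and study IDs meet."""

    def __init__(self, approved):
        self._approved = set(approved)  # requesters allowed to re-identify (assumption)
        self._identity_by_id = {}       # study ID -> identifiable fields
        self._id_by_key = {}            # (study, identity) -> study ID, keeps IDs stable

    def split(self, study, record):
        """Keep the identifiers; return the row the research system may store."""
        identity = tuple(record[f] for f in IDENTIFIERS)
        key = (study, identity)
        if key not in self._id_by_key:
            # Random, so the ID cannot be derived from the identity itself
            study_id = f"{study}-{secrets.token_hex(8)}"
            self._id_by_key[key] = study_id
            self._identity_by_id[study_id] = dict(zip(IDENTIFIERS, identity))
        row = {k: v for k, v in record.items() if k not in IDENTIFIERS}
        row["study_id"] = self._id_by_key[key]
        return row

    def reidentify(self, study_id, requester):
        """Release an identity only to a requester on the approved list."""
        if requester not in self._approved:
            raise PermissionError(f"{requester} may not re-identify {study_id}")
        return dict(self._identity_by_id[study_id])


def demo():
    # Constructed sample records, not real patient data
    records = [
        {"name": "Pat Example", "address": "1 Sample St", "test": "HbA1c", "value": 6.1},
        {"name": "Pat Example", "address": "1 Sample St", "test": "LDL", "value": 98},
        {"name": "Lee Sample", "address": "2 Test Ave", "test": "HbA1c", "value": 5.4},
    ]
    broker = HonestBroker(approved={"irb_admin"})
    research_db = [broker.split("STUDY1", r) for r in records]
    return broker, research_db


if __name__ == "__main__":
    print(demo()[1])  # research rows carry a study ID, never a name or address
```

A copy of `research_db` alone contains no name or address; linking a lab value to a person requires the broker's mapping as well, which is the second system an attacker would have to compromise.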
