AMIA13 Featured Presentation: The SHARP Program: Security and Privacy (SHARPS)

Welcome AMIA 2013! This is a page developed to introduce participants at the AMIA 2013 SHARP panel to SHARPS by describing the goals of the project at a high level and offering a selection of materials that illustrate work that has been done at a deeper level.

Security and Privacy (S&P) are critical to the success of Health Information Technology (HIT). The other SHARP projects, which touch on key themes that arise throughout HIT, cannot function with assurance or gain public acceptance without adequate S&P protections and mechanisms. SHARPS has addressed many of these barriers both for the other SHARP project scopes and for HIT in general. The project address four major clusters of problems. These are access controls and audit, encryption and trusted base, automated policy, and telemedicine. For each of these clusters we give links to selected work done by SHARPS. The following work provides a general overview of HIT S&P issues that discusses SHARPS and other work.

Access Controls and Audit

Workflows at Health Care Organizations (HCOs) are complex and safety critical; this makes it difficult to achieve least privilege in assigning access to HCO personnel. HCOs react to this by allowing broad access and relying on accountability and education to control insider threats. These strategies can be augmented by auditing computer records; this is currently done largely in reaction to specific complaints. These procedures are increasingly inadequate because they do not scale to developments like broader sharing of records in Health Information Exchanges (HIEs) or to emerging threats like large-scale fraud. SHARPS research provides better automation so that large volumes of records can be examined by computer algorithms that are thorough and flexible enough to learn and infer threats quickly and feed experience from operational behavior back into preventative measures. 

Selected SHARPS work in this cluster

Encryption and Trusted Base

HCOs are struggling with rapid changes in the systems they need to secure. Early HCO computing systems used mainframe computers that could be accessed from terminals located in a hospital facility. This trusted base was relatively easy to secure until the Internet offered remote access, but standard enterprise protections such as firewalls were accepted as being sufficiently effective. Now the situation is increasingly complicated by technology changes such as: Bring Your Own Device (BYOD) arrangements in which HCO employees put sensitive data on their own cell phones and tablets, the use of cloud services in which Electronic Health Records (EHRs) are held by third parties, participation in HIE systems that move data between a changing collection of HCOs, and the deployment of patient portals, which provide a new attack surface for access to the EHR. Encryption is a powerful tool for addressing challenges with trusted base. SHARPS research is making strategies encrypting medical data efficient and convenient enough to enable their universal deployment, particularly to protect data at rest (that is, in storage).

Selected SHARPS work in this cluster

Automated Policy

 A key challenge faced by many HCOs is the need to share EHRs securely though HIEs such as those being set up by many states and regions, and the need to share them though rapidly evolving partnerships with various business associates. Current techniques are too informal and manual to provide the desired efficiency and convenience. For instance, if it is necessary to get an attorney to review each interstate data exchange, then a high level of exchange of EHR data will lead to a high level of expense (and delayed access). Enabling computers to settle policy decisions automatically can lead to reduced costs, improved care (though timely information exchange), and better support for secondary use of data. SHARPS research is developing  reliable ways to express policies and providing strategies to integrate and enforce formally expressed policies into common HCO and HIE information architectures.

Selected SHARPS work in this cluster


Mobile devices, including intelligent medical implants, cell phones that sense and process health data, and a variety of new types of sensors and actuators that can be worn on the body, are creating a changing landscape for managing health information. Data are collected everywhere, not just in an HCO facility, and are collected by just about everyone, not just HIPAA-compliant HCOs. Participants include HCOs and patients themselves together with large and small companies that specialize in health guidance, sensor hardware, information technology, communications, and other areas. This diversity, the pervasiveness of the information collection, and the rapid rate of technology and regulatory change in this area raise security and privacy concerns that range from modest risks to the privacy of activity data (like data collected by a pedometer) to safety-critcal risks (like the integrity of software in an insulin pump). These changes have also blurred the distinction between areas like medical devices and the EHR, with corresponding overlaps between government regulatory agencies. SHARPS research is determining threats and requirements and addressing these features of mobile and implanted medical systems.

Selected SHARPS work in this cluster