An Illustrative Scenario
The following healthcare scenario is intended to help map research barriers and objectives of SHARPS to a realistic clinical scenario. It illustrates both the scope of SHARPS efforts and their specific value.
Julia Smith is a 12-year-old Type I brittle diabetic with a history of hypoglycemia, ketoacidosis, and emotional disturbances. Her diabetes is worsened by her asthma and the medications she receives for that disorder. She actively participates in her own care and is slowly learning how to manage her diet, exercise, emotional state, insulin levels, and asthma levels to maintain tight control of her blood glucose. Other participants in her care include her school nurse, her parents, her primary care physician, a nutritionist, a diabetes nurse practitioner, a diabetologist in an urban center 60 miles from her home, and a social network of diabetics with whom she communicates through an Internet site. A self-conscious youngster, she is reluctant to share her health conditions with her classmates, and her school nurse does what she can to maintain her confidentiality. She is a sophisticated and highly independent diabetic who is very involved in her own care. She and her family routinely participate in clinical studies and look forward to pilots for closed-loop diabetes monitoring and automatic blood glucose monitoring transmitted to caregivers in an advanced, tele-immersive home environment.
As Julia ages, advanced Healthcare Information Technology (HIT) will become even more critical as more data sources are collected electronically and are made easily accessible as appropriate. Julia’s blood-glucose levels are automatically submitted to a Personal Health Record (PHR). She adds information about her insulin doses, diet, exercise, lifestyle, and emotional state. Her school nurse also keeps records, as does her primary physician, each in a separate Electronic Health Record (EHR). Her pharmacy maintains records of her prescription medication patterns and, as part of an extensive health information exchange effort, provides additional clinical guidance and alerts for adherence issues. Emergency department notes, ambulatory visit summaries, and laboratory data are distributed across separate EHRs, but through exchange can communicate with one another to provide a comprehensive summary to authorized individuals. A core clinical team periodically reviews Julia’s case using telemedicine videoconferencing. Key data are collected to monitor the quality of her care. Julia’s providers change over time as new personnel serve her as diabetes nurse practitioners, nutritionists, school nurses, and so on. Her parents are going through a divorce and one is remarrying; the parents will have joint custody. Her preferences for sharing her health information also change as her ability to manage her diabetes matures and her lifestyle choices become more private. The health information system adjusts effectively to these changes to maintain steady availability of information to parties that need it while limiting access to those who do not.
Julia’s case exemplifies the broad range of participants and data required to manage complex diseases. Large volumes of data are collected and distributed according to her preferences, those of her parents (she is a minor), and the needs of various practitioners. Because of the complexity of her disorder, each provider must spend as much time as possible addressing her clinical concerns and as little time as possible accessing data through their EHR. Often, simple matters like adherence to her asthma medications or obvious deficiencies in her care plan are not self-evident because of the lack of a complete data set or an inability to process the large data feeds potentially available. To maximize her care, data must be available automatically with little intrusion on workflow but with strong emphasis on the protection of her health information.
Maintaining appropriate security and privacy protections is essential for Julia’s care, yet her digital health information resides in an imperfect and sometimes hostile digital landscape full of unanticipated or even active threats.
Julia’s quandary is representative of a range of concerns and research challenges facing successful HIT introduction. She is a regular Internet user and participant in social networks and other tools proven useful in enabling more effective diabetes self-care. Accordingly, some risks arise through more generic, Internet-based threats leading to access outages (e.g., collateral damage when a foreign government modifies Internet routes to block a social network). Others are very specific to healthcare (e.g., unauthorized access, breach, or failure to honor consent commitments). Still others are expected to arise as our healthcare system becomes even more interconnected and pervasive (e.g., inadvertent or deliberate reprogramming of a closed-loop diabetes management device). The challenges addressed by the research objectives of SHARPS are exactly those that patients like Julia face today or will face in the near future. And although we may not share some of Julia’s medical conditions, we live in the same digital world and share the same risks to our own health care.
In the following table, we identify a few privacy barriers confronting Julia and provide some examples of how SHARPS is working to address these barriers.
Table: Key to caring for Julia and the potential of SHARPS to enable security.
| ||Barrier||Enabling SHARPS technology|
|EHR||A Privacy Framework. Julia is a minor with some control over her own affairs. Consent is important and controversial when minors are asked to exercise autonomy but want to ensure privacy and concealment of their condition from peers. As she ages, Julia may not want to share some lifestyle events with her parents.||Contextual Integrity research will explore various privacy and consent issues that must be honored by all providers and intermediaries as Julia receives care. This research will drive the models for ensuring access and support evolution over time.|
| ||Assurance of conformance with policies. Minors – especially those in foster care – present unique challenges when assurance of conformity to privacy policies is essential.||Privacy Aware Health Information Systems based on trust management frameworks.|
| ||Breach and delegation. Julia – like all of us – needs to be assured that her records are protected across the continuum of settings in which her data reside. She also wants to be sure that her providers can delegate care when required.||Attribute-Based Encryption enforcement of SHARPS-developed protection requirements will help ensure protection. Attribute-based proxy re-encryption will help her doctors delegate their decryption rights to other providers without revealing secret keys. Threshold attribute-based encryption will develop methods to allow “break the glass” access should she present to a new institution in diabetic ketoacidosis.|
|HIE||Secure exchange. Julia and her caregivers exchange information across a range of settings and for differing purposes. They use Web portals, PHRs, and, perhaps someday, implantable closed-loop insulin infusion systems or blood glucose monitors capable of automatic transmission.||Model-Based Design methods will provide a generalized framework to ensure secure exchange. Were Julia cared for at Vanderbilt and in the Nashville community, such methods would ensure consistent, preference-based exchange.|
| ||Evolving access controls. Julia’s preferences and providers will change over time. It will be important to assure access only to those who are currently involved in her care.||Experience-Based Access Management, role-based authorization, and workflow logics will help provide these assurances and over time allow better management both for Julia and for other diabetics.|
| ||PHRs. Privacy standards for PHRs will evolve. They must be integrated into a broader “trust fabric” so that they do not become the “weakest link” in assuring Julia of her privacy rights.||Flow mapping and model policy design (developed with the core team and the Palo Alto Medical Foundation) will address the relationships among EHR, PHR, and HIE.|
|TEL||Remote monitoring. Remote monitoring in Julia’s home must meet the same security expectations as other technologies.||The mHealth security framework and service model offers one model relevant to PHRs and, with other efforts described, creates a uniform approach to Julia’s privacy rights.|
| ||Closed-loop devices. These devices are computers, and hence are susceptible to malicious security attacks or other interventions that could in the worst case be lethal. As these devices become integrated into broader tele-immersion systems in the home, these risks increase even more.||The SHARPS research will define an approach to measurable security relative to closed-loop devices and other specified infrastructure elements and systems. Classification linked to encryption will add greater assurances in future tele-immersion environments.|
| ||Safety risks of diabetes management devices. As new technologies are rapidly introduced and adopted by diabetics like Julia, the risk of defects rises. The overall clinical safety risk assessments must be complemented with a rigorous analysis of security threat risks.||Research must exploit FDA adverse event reports and other sources to assess overall risk. From this overall risk and in combination with other research efforts described, the security threat risks can be ascertained.|