Health Telematics (AIM) Final Report


	Updated: Feb 1, 97
SEISMED

Secure Environment for Information Systems in Medicine

Project Code:

Project value: 2894 KECU

EC contribution: 1513 KECU

No of partners: 21

No of countries: 9

Duration: 42 months

Contact:
Dr Barry Barber
Mrs Alison Treacher
PO Box 231
Burton upon Trent DE13 8ZX, U.K.
Tel/Fax: +44-1283-57.56.92
E-mail: 100606.2753@compuserve.com

Project Objective

The objective of the project was to provide practically useful advice and guidance on security matters to all those in the health care community who are involved in the management, development, operation or maintenance of information systems, by developing a consistent and harmonised (thus transferable) framework for medical data protection throughout Europe. This framework consisted of technical guidelines and a code of ethics for health informatics.

Project Purpose

The project consisted of five main themes:

A survey to determine current practices in the areas of interest
Preparation of guidelines for:
- a high level security policy
- risk analysis for health care information systems
- security in systems design, development, procurement and implementation
- security in existing systems
- network security
- cryptography
A framework for legislation and a code of ethics
Consideration of each of the guidelines by one or more of the Reference Centres associated with the project
A project organisation structure for consultation across all consortium organisations and a formal process of quality assurance.

Results and Exploitation

The project has resulted in a comprehensive set of practical data security guidelines for European health care establishments which are supported by extensive analytical reports into the attitude and culture of health information security, the risks involved in the protection of health data and the legal aspects surrounding its protection. The results of the SEISMED project have been widely disseminated on national, European and International levels. As part of the project, SEISMED hosted a security workshop in 1994 and its results have now been published in the series of Studies in Health Telematics. In addition, the complete set of guidelines and technical reports produced by the project have recently been published to a similar standard. Many of the results have been used for reference by some of the 4th Framework Health Telematics Projects and investigations have taken place into producing some prototype software to accompany the guidelines and aid their implementation. !

Some moves have been made to establish a SEISMED Association as a legal body to maintain the work produced by the original consortium.

Industrial, Social and Health Impact

Health impact: The SEISMED guidelines provide a major step for European health care establishments (HCEs) by which they can address identified security issues in their own environment. The guidelines enable them to assess the implications of using information systems as part of the process of the delivery of care and to carry out appropriate risk analysis and install appropriate security measures. This work is compatible with EU directive 95/46/EC and current draft Council of Europe Recommendations on the protection of medical data. Modern information systems are so intimately linked in the delivery of care that the issues of integrity and availability are shown to be even more important than the traditionally accepted issues of confidentiality.

Industrial impact: The SEISMED guidelines provide a good basis for health information system suppliers to build appropriate security measures into the design, development and implementation of their systems.

Social impact: The SEISMED guidelines enable the public to be assured that HCEs are addressing security issues in the health care environment in a constructive and consistent fashion.

Difficulties, obstacles in dissemination and market invasion

The effectiveness of installed security measures depend on the activities of system suppliers, HCE managers, system managers, HCE security staff, system maintenance and system users. In order to ensure that all these different groups of people implement the appropriate security measures in their own setting, it is necessary to develop an information security culture within the HCE so that basic security measures are part of the fabric of the organisation. This cultural change inevitably takes a long time to achieve and proceeds at different speeds within different countries and institutions. However, the full security jigsaw requires appropriate participation from everyone if the information in electronic patient records is to be accurate, available and confidential. Although a lot of the technical work can be carried out in English, in order for the security culture to permeate the whole organisation it needs to be translated.

We believe that the SEISMED Guidelines are the only harmonised European security guidelines for health care.

List of Deliverables

Generic Report on the Conduct of Risk Analysis Reviews
Legal Issues in Medical Data Protection (Individual Country Reports)
High Level Security Policy for Health Care Establishments
Report on the Demonstration of the Prototype for Encryption
Report on Existing Codes of Ethics
Guidelines for Information Systems Security in Systems Development, Design, Procurement and Implementation
Guidelines for Risk Analysis of Information Systems in Health Care
Guidelines for Information Systems Security in Existing Systems
Guidelines for Security in Information System Networks
Health Informatics Deontology Code
Guidelines for Encryption in Health Care Information Systems
Guidelines for Database Security in Health Care
Recommendations for European Health Data Protection Legislation
Reference Centre Reports on Implementation and Validation of SEISMED Guidelines
Towards Security in Medical Telematics: Legal and Technical Aspects published by IOS Press, ISBN: 90 5199 246 7
Data Security for Health Care: Volume I: Management Guidelines (ISBN: 905199 2653)
Volume II: Technical Guidelines (ISBN: 90 5199 264 5); Volume III: User Guidelines (ISBN: 90 5199 266 1)

List of Participants

Dr Barry Barber, Alison Treacher NHS Executive's Information Management Centre, (Co-ordinating Partner) 15 Frederick Road Birmingham B15 1JD, U.K. E-mail: b.barber@imc.exec.nhs.uk	Prof. Ab Bakker Dr Henk Van Dorp Gieneke Van Veenen HISCOM (formerly BAZIS Foundation) Schipholweg 97 NL-2300 AX Leiden, The Netherlands
Dr Libor Stejskal Cardiac Centre Institute for Clinical & Experimental Medicine, Videnska 800 CZ-140 00 Prague 4-KRC, Czech Republic E-mail: libor.stejskal@medicon.cz	Isabelle de Lamberterie Nathalie Poujol Centre National de la Recherche Scientifique 27 Rue Paul Bert, Ivry sur Seine F-94204 Paris, France
Prof. Francis Roger France Cliniques Universitaires St Luc 10 Av Hippocrate, Box 4711 B-1200 Brussels, Belgium E-mail: roger@infm.ucl.ac.be	Mr John Davey, Mr Stephen King HEIMDALL Limited (from August 1994) 82a Richmond Rd, Kingston upon Thames Surrey KT2 5EL, U.K. E-mail: 101530.675@compuserve.com
Mr Daniel de Roulet Hopital Cantonal Universitaire de Geneve Centre d'Informatique Hospitaliere 24 rue Micheli du Crest CH-1211 Geneva 14, Switzerland	Dr. Dimitris Maroulis INDECON S.A. (until December 1993) 49 Dodekanissoy St. GR-152 35 Vrilissia, Athens, Greece
Prof. Herman Nys, Dr Stefaan Callens Kathleen Duerinckx Katholieke Universitieit Leuven Centrum voor BioMedishce Ethiek en Recht Kapucijnenvoer 35 B-3000 Leuven, Belgium	Dr. Dimitris Maroulis Kyros (from January 1994) 77 Nav. Kountourioti Street Egaleo GR-12242 Athens, Greece E-mail: dmarou@compulink.gr
Dr. Kees Louwerse Erik Flikkenschild Leiden University Hospital (AZL) CDIV, Building 1, H5P, PO Box 9600 NL-2300 RC Leiden, The Netherlands E-mail: cplouwer@cdiv.azl.nl elaflikke@cdiv.azl.nl	Dr. P Nick Gaunt Plymouth Health Authority Derriford Hospital Derriford Road Plymouth Devon PL6 8DH, U.K. E-mail: 100557.150@compuserve.com
Mr John Fowler, Mr Theo Brueton Mr John Rowson The Royal Hospitals NHS Trust The John Ellicott Centre Cavell Street London E1 2BW, U.K.	Mr Stephen King, Mr John Davey Mr Jim Farrow SCOLL Limited (until July 1994) formerly of 2 Ashley Avenue Epsom Surrey KT18 5AL, U.K.
Dr. John Miller Paulene McKeever Tritech Numerical Consultants Limited 26 Temple Lane IRL-Dublin 2, Ireland E-mail: 73173.1245@compuserve.com	Prof. Sokratis Katsikas Dr. Dimitris Gritzalis University of the Aegean Dept. of Mathematics GR-83200 Karlovassi, Samos, Greece E-mail: ska@aegean.gr dgrit@aegean.gr
Mrs Ioanna Kantzavelou Dr. Robert Clark, Dr Ahmed Patel University College Dublin Department of Computer Science Belfield IRL-Dublin 4, Ireland E-mail: apatel@ccvax.ucd.ie	Prof. Joachim Biskup Gerrit Bleumer Universitat Hildesheim Institut fur Informatik Samelsonsplatz 1 D-31141 Hildesheim, Germany E-mail: bleumer@informatik.uni-hildesheim.de
Mr Peter Sanders, Mr Steven Furnell Mr Matthew Warren Univ. of Plymouth, Network Research Group Drake Circus, Plymouth Devon PL4 8AA, U.K. E-mail: psanders@sc.plym.ac.uk stevef@dan.see.plym.ac.uk	Prof. George Pangalos University of Thessaloniki Informatics Laboratory Computer Division Faculty of Technology GR-54006 Thessaloniki, Greece E-mail: gip@eng.auth.gr
Prof. Rik Kaspersen Vrije Universiteit De Boelelaan 1105 NL-1081 HV Amsterdam, The Netherlands



	Copyright 1997 © EHTO All rights reserved This server is the only official EHTO WWW knowledge repository. Mail suggestions to: webmaster@ehto.org