Security of the electronic health care record--professional and ethical implications.

Many challenges face developers of secure computerised clinical systems but the technical problems are overshadowed by procedural, professional and ethical issues. The development and use of computerised systems must be controlled through compliance with standards and procedures for information security, enforced through national legislation and professional codes of conduct, if serious abuse of the data is to be avoided. Health care professionals cannot be expected to acquire working knowledge of how information systems are made secure since this is a technical and highly complex subject. However, it is essential that health care professionals understand why it is important to maintain a secure environment for the records they keep about patients and their care and how this can be organised. This is best achieved through a well structured educational programme involving all trainee and qualified health care staff, a task which should be coordinated by the national professional bodies. A management structure is needed within health care facilities that recognises the responsibility of health care professionals to keep the health care data relating to their patients secure. An arrangement is proposed that gives the most senior clinician in a health care facility the ultimate responsibility for security of health care data held in the organisation. Where appropriate, this would be delegated to a senior clinician with training and experience in information systems and their security. This 'information doctor' would, with the assistance of computer experts and health care managers, implement and monitor the organisation's information security strategy. Contracts should be developed between health care facilities and their patients, defining the limits to the use and disclosure of personal health data. Similar contracts with external agencies should also stipulate the minimum level of security to be applied to health records shared between the organisations.