On Friday, October 12, 2007, Northrop Grumman Chairman and Chief Executive Officer Ronald Sugar delivered the keynote address at the eHealth Initiative Annual Conference (2007) in Washington D.C. Below are his remarks.

The Privacy Challenge: Enabling Electronic Health Records

I am very happy to be with you this morning. As Janet [Marchibroda, CEO of the eHealth Initiative] outlined in her introduction, I lead a national security company with 120,000 employees. But Northrop Grumman’s welfare obligations actually encompass about 600,000 employees and their families. Those are a lot of health records. Like everyone else, our healthcare costs have been rising and we are interested in ways to both lower our costs and increase the quality of care for our employees and their dependents. But we have an interest in this issue for another reason. Beside our work for the Defense Department, we do a great deal of work for other customers – many of them health-related. Janet mentioned some of them in her introduction and I could mention several more. This begs a question: If my company is a technology company, and if the issue at hand is health care, what are you all doing here in Washington D.C.? Why not somewhere in Silicon Valley, the center of the IT world?; or why not in one of the nation’s prestigious centers of medical learning or research – Johns Hopkins or Stanford or UCLA?

The answer is because our nation has reached a place where the enormous potential of Information Technology to improve health care now hinges on something other than IT or medicine. Rather, it hinges on political will. Let me explain what I mean by that statement. Advances in information technology and medicine are screaming along. Take two of the recent Nobel Prizes for 2006 for example.

The Nobel Prize for Physics went to a pair of scientists – Peter Gruenberg and Albert Fert – whose discovery of “giant magneto-resistance” continues to revolutionize data storage. I assert to you that ten years from now, storage capacity and computing power will make even their accomplishment seem anemic.

And the Nobel Prize for Medicine went to Andrew Fire and Craig Mello – a pair of scientists who discovered the fundamental mechanism for controlling the flow of genetic information. Their work promises tremendous advances in clinical medicine, gene therapies, and public health.

Neither of these two disciplines – IT or medicine – is keeping us from the huge strides in patient care that seem so near but are so elusive. This is because all the information technology under the sun – all the medical breakthroughs on the horizon – won’t unlock the synergistic potential of those two elements to improve heath care and reduce its costs. The wall between that destination and our current location is one of public policy, and that is why we are having this conversation in Washington D.C., and that is what I would like to talk to you about this morning.

The policy challenges that surround health IT are many. This morning, I would like to say a few words about one of the toughest – the issue of privacy. And to my mind, this issue has three elements all of which have to be considered and all of which must find their solutions in policy.

The first of these is the privacy framework itself. That term of art – privacy framework – is rather technical-sounding. But in the context of health IT, the privacy framework is not a technical concept at all. It is simply the application of a comprehensive and rigorous method for safeguarding a body of information.

Remember that we are dealing with medical records. They have to last – intact, uncompromised, and accessible by the caregiver and the patient – for as long as that patient is alive, and even after. We all know how quickly technology changes in five years, let alone eighty-five. Therefore, the privacy framework chosen for the task must transcend the moving target of technical capability. Its design and implementation is not a matter of technology. We now have the technology. The breakthroughs needed for a successful privacy framework are breakthroughs in policy. And those policies must be considered and baked in from the very start of the design process.

Some of those policy breakthroughs might include legal and regulatory standardization across state and federal governments. They might also require clear and unambiguous access standards that are designed not only to improve interoperability, but also to prevent inadvertent disclosure of information. The number of systems and people that will potentially touch an electronic health record over its lifetime is staggering. And any attempt to force changing standardized configurations or technologies on a poorly designed framework would be hugely expensive. The point is that any privacy framework that will continue to function years down the road must accommodate changing policy, and it must be independent of changing technology.

Now, any solution for the privacy challenge must also recognize, as one of its most basic design features, the second of the three elements – the supremacy of the consumer as the focal point of their records.

The citizens of most developed nations enjoy rights to privacy through laws that are called “data protection acts.” In most nations, comprehensive, or omnibus, data protection laws govern how personal information can be used by government agencies as well as the private sector. Under such laws, the use of personal information usually requires a patient to “opt in,” meaning that use of an individual’s personal information requires the affirmative consent of the patient. This prevents such things as the use of his records for marketing, research, or perhaps even public health statistical purposes.

But the United States has no such law. Instead, we have what are known as “Sectoral Privacy Laws”. As examples, think of the Telephone Consumer Protection Act, which regulates telemarketing; or the Fair Credit Reporting Act regulating credit reports and employment background checks; or HIPAA, the law that currently governs medical records privacy. The problem with the “sectoral” approach is that it is a patchwork quilt of rules and allows too many opportunities for records to be compromised.

The shortcomings of this approach are stark. According to the Privacy Rights Clearinghouse, on December 13, 2006 the U.S. exceeded the 100 million mark for lost or exposed personal records – and they have only been compiling the data since January of 2005.

Just imagine the impact of these privacy breaches on the patient. Perhaps her records are used without her knowledge for medical research. Or, what about the exposure of mental health, genetic predisposition, or other sensitive information in the media, at an employee’s work place, or in a public lawsuit?

It is all well and good that this privacy debate is starting to prompt businesses and governments to reengineer their processes and to modernize systems that might have served them well for years. But in too many instances, what is being overlooked in these efforts is a core principle that we must never forget: It is the consumer who is the ultimate focal point of their health records.

The third and final health IT privacy challenge requires fixes to business processes and operations policies. Here is where the rubber meets the road. Of the three elements I talk about this morning, this is the one that could best move the health IT vision from theory to implementation.

It is also the most frustrating of the three if for no other reason than that we know what works but we cannot seem to implement it. Other, more IT-centric industries already have secure, data management practices in place that are functioning well. The banking and financial industries come most readily to mind. Some of their best practices are worth considering. One such practice employs “separation of duties” policies. Those policies require that data handlers from different realms of responsibility are restricted to their own areas of need. In the defense and intelligence communities, such restrictions are collectively referred to as “compartmentalization”. This principle allows access to classified information on a strict “need-to-know” basis. We in the national security business have been operating with this principle for many years.

Some provisions of HIPAA echo this principle. For example, under HIPAA, access to a patient’s records does not require his consent if the person seeking the access is doing so for purposes of direct patient care. In other words, one physician can share records with another in a consult without informing the patient or seeking his consent as long as the underlying purpose is restricted to the care of the patient. This is very much like the “Need to Know” policy in Department of Defense. Such a policy highlights the question of authorization – who is authorized to see the records? Current authorization policy – and the privacy framework that supports and enforces it – is generally lacking in both the IT and paper-based worlds. HIPAA provides a start, but only a start.

The adoption of proven intrusion detection tools, monitoring and forensics capabilities, are also needed to deal with security breaches. But breaches are not the foremost concern. The foremost concern is inappropriate or inadvertent disclosure – accessing records for purposes other than patient care. There is a need for stricter access control. But it must work in a manner appropriate to the healthcare environment – an environment in which roles change dynamically. There is a need for appropriate logging and reporting of access that records more than just a time stamp and the name of the person seeking access. It must also include the purpose, role, or authorization of that person.

How easy it would be if this was merely an issue of technology. But it is an issue of policy as well. Responsive and accurate reporting of incidents – not just to law enforcement – but also to the individual data owner – will require big changes to laws, regulations, and enforcement policies now in place. Complicating this third element even further is the requirement of affordability – and by implication – the requirement that these business processes and operations be internet based. Like on-line banking records, health IT records have to be readily accessible to consumers for review, update, correction and decision making.

Someone once said that a vision without execution is just hallucination. All of these changes are possible if we, as a nation, have the will to put in place the laws and policies that enable the available technology.

Organizations like e-Health Initiative can make a different. Companies like the one I lead can also help. At Northrop Grumman we consider it our task to bring an industry perspective to groups like this one. Among you here today are representatives of many interests and constituencies. I cannot prescribe for you what to advocate. I can only encourage that your views be heard in an intense public debate of these issues.

The good news is that the Information Technology solutions are already here with more on the way. And medical advances continue to proceed at a breakneck pace. Like the two legs of a ladder, they are strong and sound and reinforce each other. But the finest ladder is useless without something to lean it against. In this metaphor, that something is a sturdy wall of common-sense policies that are proven and adaptable. Policies that will enable a privacy framework that can be counted on today, tomorrow, and decades from now; Policies that collectively recognize the consumer to be the undisputed focal point of her own health records; And policies that enable the use of well-defined business processes in the complex world of health IT.

Our political system is characterized by a large element of inertia. That inertia is there by the design of our Founding Fathers and over the decades the wisdom of that design element has revalidated itself many times. It is good that the foundation stones of our government are not easily shaken or they might be moved too frequently and too rashly. But when the need is undeniably urgent, and the potential benefits are virtually universal, our system will respond if the call for action is compelling and unified. This is the balance that has made our American system the most enduring in the history of free peoples. And it points to our task – yours, mine, and ours – to work together to establish those policies that are missing, and to correct those policies that are wanting. If we get it right, we, our children and subsequent generations of Americans will surely reap the benefits. Have a great conference, and thank you.