Requirements for CDSS as a Service

Introduction

Today we are observing the trend of development of Clinical Decision Support Systems (CDSS) as separate digital services that can be embedded in any medical information systems, platforms for patients and clinics, etc.

The creation of such CDSS as services is caused by several main reasons at once:

1. If the analytical processing of medical data, including the formation of recommendations for the doctor on the tactics of patient management, examination and treatment, is implemented not in the Health (Medical) Information System (MIS), but separately, then such MIS does not need to be registered as a medical device. It is related to the fact that the risks of potential harm arise not during the use of this MIS, but because of the operation of the CDSS service.
2. The creation of expert systems is extremely costly and therefore risky in terms of investment. In addition, the need for a wide variety of functional capabilities is quite wide: from the analysis of laboratory and instrumental diagnostics results to the selection of drug therapy and remote monitoring of patients. In this regard, it is hardly reasonable for every MIS developer to invest in the creation of the entire list of own such systems. It is much more promising to create them as separate universal solutions that can be used by any developer of any information system.

In this regard, we believe that the development of the CDSS as vendor-independent solutions will dominate the market in the next few years.

The use of such services is associated with two features:

1. MIS developers will need to integrate their products with a CDSS
2. Developers of CDSS need to take into account a number of specific regulations so that their products can be used legally.

In this article, we have analyzed these legal requirements and described them. 

We have divided them into several groups:

1. Requirements for the process of preparing data in the MIS before sending it to the CDSS.
2. Requirements for the communication channel between the doctor's workstation/HIS (MIS) server and the CDSS server.
3. Requirements for the data centre in which the CDSS is deployed.
4. Requirements for the CDSS 

When developing the requirements, we proceeded from the following principles of interaction between MIS and CDSS:

• Under the CDSS we mean only an external, MIS-independent service, which cannot be considered a part (functional module) of the MIS.
• CDSS is not part of the federal services of the Unified State Health Information System.
• MIS is always a client of the CDDS service, i.e. MIS generates a request in the CDDS and receives a ready-made answer: an expert solution.
• CDSS deals only with the processing of data transferred from the MIS and not storage of this data. Accordingly, a CDSS cannot be considered a backup copy of the electronic health record and other information from the MIS.
• CDSS does not process or store personal data. It does not contain any information on the patient's last name and first name and does not accept or store patient identifiers (personal insurance policy number, etc.)
• After transferring data from MIS to the CDSS for processing, the results (derived information) automatically become an intangible asset of the CDSS service. For instance, if necessary, you can delete all information transferred from the MIS, including the data itself, from the CDSS, but you cannot require the artificial intelligence to “forget” that it processed this data or adjust its behavior without taking into account this data.

Overview of requirements for the operation of CDSS as a service 

CDSS is usually a private (not public) service. As it is not a subsystem (built-in component) of the Unified State Health Information System, state healthcare or medical information systems, CDSS thus falls under the definition of "Other information systems" provided for by the Federal Act 242. Accordingly, the main legal act governing the interaction of MIS and CDSS is the Decree of the Government of the Russian Federation of April 12, 2018 No. 447 "On approval of the Rules for the interaction of other information systems intended for collecting, storing, processing and providing information concerning the activities of medical organizations and provided services, information systems in the field of health care and medical organizations” (http://rulaws.ru/goverment/Postanovlenie-Pravitelstva-RF-ot-12.04.2018-N-447/).

Because any CDSS is intended for information interaction with MIS, it must obey the rules approved by this decree, since implements the functions defined in clause 4 of the rules:

е) provision of services for medical workers' access to information on the implementation of medical activities, including to regulatory acts and reference information in the field of health protection;

к) provision of services that allow citizens to receive aggregated information about their health status, as well as recommendations for maintaining a healthy lifestyle;

o) provision of services related to the provision of medical care.

Thus, CDSS clearly refers to "Other information systems". Accordingly, Government Decree No. 447 imposes the following requirements on CDSS:

• The system should provide the results of its work (answers, recommendations, etc.) in Russian (clause 6b), including providing access to the information contained in the system in Russian (clause 6m). In other words, both the interface of the system and the results of its operation should be presented in Russian.
• The system should ensure the protection of information received by CDSS from MIS in accordance with the requirements for the protection of information contained in state information systems established by the Federal Service for Technical and Export Control in accordance with Part 5 of Article 16 of the Federal Law "On Information, Information Technologies and Information Protection "(clause 6г).
• Ensure control over access to documents by logging and storing information about granting access to documents and other operations with documents and metadata in the control information (clause 6д).
• If CDSS stores medical records, then it must ensure compliance with the storage periods for medical records in the form of electronic documents established by the regulatory acts of the Russian Federation; compliance is ensured by backing up medical records in the form of electronic documents and metadata, restoring medical records in the form of electronic documents and metadata from backup copies, as well as by timely deletion of documents with an expired storage period (clause 6е).
• Provide automated maintenance of electronic logs for recording the exact time and facts of placement, modification and deletion of information, the content of the changes introduced, as well as information about the participants (suppliers, users) of other information systems that carried out the specified actions (clause 6ж). 
• Provide the opportunity to test information interaction for MIS (clause 6и). This requirement means that the CDSS developer is obliged to organize the operation of the test environment functionally identical to the industrial service. At the same time, for the test environment, all the requirements for the industrial environment should be met since the level of testing, the criteria for passing the tests, the origin and composition of the data transmitted for testing are not explicitly defined

If CDSS processes personal data or information about medical confidentiality, then there are additional requirements. In this case, the CDSS should:

• Prevent unauthorized access to information and (or) its transfer to persons who do not have the right to access information (clause 7a);
• Ensure timely detection of facts of unauthorized access to information (clause 7б);
• Provide prevention of the possibility of adverse consequences of violation of the order of access to information (clause 7в);
• Ensure prevention of impact on hardware and software for information processing, as a result of which their functioning is disrupted (clause 7г);
• Immediate recovery of information modified or destroyed due to unauthorized access to it is ensured (clause 7д);
• Ensure the use of information security tools certified in accordance with information security requirements (clause 7з);
• Ensure constant control over ensuring the level of information security (clause 7е);
• Ensure the protection of information during its transmission over information and telecommunication networks (clause 7ж)
• Ensure the obligatory accounting and registration of actions and identification of participants related to the processing of personal data (clause 7ж);
• Comply with the requirements for ensuring the integrity, stability of the functioning and security of public information systems approved by the Ministry of Communications and Mass Media of the Russian Federation, and the requirements for the protection of information contained in public information systems approved by the Federal Security Service of the Russian Federation jointly with the Federal Service for Technical and export control (p. 7м).
• Ensure compliance with the following organizational measures (clause 7л): formation of requirements for the protection of information contained in the system; development and implementation of a system (subsystem) for information protection.

Clause 6и of the Resolution specifies the requirements for information interaction between CDSS and MIS, among which there are the following:

• CDSS should provide interaction with MIS by exchanging information messages in synchronous and asynchronous modes through the formation, sending, receiving, processing of requests and responses, the formats of which are determined by operators of healthcare information systems healthcare sector using the XML Schema Definition based on directories and classifiers contained in the federal register of regulatory and reference information of the Unified State Health Information System (clause 6и);
• CDSS should provide interaction with a MIS in accordance with the formats that are determined by the operators of the Unified State Health Information System, state healthcare information systems or MIS of a medical organization (clause 6);
• CDSS should provide interface configuration for information interaction purposes (clause 6и).

It can be said that these requirements together consolidate the priority in determining the order of information interaction (exchange protocol and data transfer format) on the MIS side. If a certain MIS has determined its own data transfer format in the CDSS, then it may be necessary to support this format on the part of the CDSS, instead of implementing support for the CDSS format in the MIS.

It is necessary to take into account that, in addition to Resolution No. 447, there are other legal requirements imposed on CDSS, the most important of which are the requirements of import substitution.

Implementation of a CDSS as a service can create a false illusion that since there is no direct sale of software, it means that such a system is not subject to restrictions on the availability of such a service in the “Register of Domestic Software”. However, this is not the case. Since CDSS usually are commercial services, the clients of which are public medical organisations, the state purchases some service from the operator of the CDSS service. According to the Decree of the Government of the Russian Federation of November 16, 2015 No. 1236 "On the establishment of a ban on the admission of software originating from foreign countries for the purpose of procurement to meet state and municipal needs": "a ban is imposed on the admission of programs for electronic computers and databases ... originating from foreign countries ..., as well as exclusive rights to such software and the rights to use such software ..., for the purpose of making purchases to meet state and municipal needs. " According to clause 2.1a of this Decree, CDSS refers to such software as a cloud service. By the same resolution, the only sign that the software is Russian is determined by its presence in the register of Russian software, therefore we conclude that the CDSS should be in the register of Russian software.

Being in the registry is a prerequisite for the existence of software on the Russian market of commercial cloud CDSS. In other words, a CDSS, which is not in the register, simply will not be able to sell its services to the state medical organizations due to legislative restrictions.

Another legal act, regulating CDSS, intended for use in the state and municipal healthcare systems, is the Decree of the Government of the Russian Federation of 23 March 2017, No. 325 "On approval of additional requirements for programs for electronic computers and databases, information about which is included in the register of Russian software, and amendments to the Rules for the formation and maintenance of a unified register of Russian programs for electronic computers and databases” (http://government.ru/docs/all/110847/). The decree describes additional requirements for the composition, functional characteristics and operating environment of office software. According to clause 3 of the Resolution, a CDSS can be classified as office software if the services of CDSS are used in the operation of the "software of electronic document management systems", which can definitely include medical information systems, especially software products for maintaining electronic health records.

For example, if a certain employee of a medical organization works directly in the cloud CDSS (does not use any other MIS or IS), they enter data for analysis, save the results of queries in the CDSS as e-documents, have the ability to transfer these documents to another person or another IS (or provide access to them) and another person or IS can use the received documents, then such a system has the features of an electronic document management system and must comply with the additional requirements of the Decree No. 335. In particular, this Decree contains requirements for the operating environment: “... the software must operate under the control of the following operating systems for server hardware: under control of at least 2 operating systems, information about which is included in the unified register of Russian software".

As a result, if some commercial CDSS is to provide services to the state MO, then it should be included in the register of Russian software. In turn, the SPPVR included in the register of Russian software and possessing the characteristics of office software must comply with the requirements of Resolution No. 325.

Requirements for the data preparation process

We believe that the overwhelming majority of CDSS do not need to process personal data. Such systems should be able to perform their functions using de-identified information only, because, for example, federal tax ID, personal insurance policy number or the patient's surname do not belong to the parameters or factors characterizing or affecting the patient's health and, accordingly, their assessment is not required to form an expert decision. AS clause 7л of Resolution 447 requires minimizing the composition of processed personal data, we can say that the CDSS should not use it at all. 

In fact, the requirement not to use personal data in the CDSS can be considered quite strict, due to the features of the CDSS. The legislation of the Russian Federation in the field of personal data protection imposes a number of obligations on the operator of personal data, which cannot be fulfilled in CDSS due to technical features. For example, Federal Law No. 152 of Nure 27, 2006 "On Personal Data", Article 21, obliges the operator to destroy or block the processing of personal data in some cases. As a rule, the CDSS uses all the data received from the MIS in its operation, but at the same time stores them in a processed or implicit form. If a CDSS uses artificial intelligence based on neural networks, which operates in a continuous learning mode, then any information provided to it becomes an integral part of the system. It is simply impossible to selectively stop processing or delete certain data, including personal data, in such a system.

Communication channel requirements

According to the Government Decree No. 447, the interaction between CDSS and MIS, has to be done through a secure communication channel (secure data transmission network, clause 6и).

Data center requirements

According to Government Decree No. 447, the data center in which a CDSS is located must meet the following requirements:

• It must be located on the territory of the Russian Federation (clause 6a);
• It should ensure the protection of information contained in the CDSS by applying organizational and technical measures to protect the information, as well as by monitoring the operation of the system (clause 6в);
• The uninterrupted maintenance of databases and protection of the information contained in the CDSS from unauthorized access should be ensured. The total duration of pauses in its operation should not exceed 4 hours per month, with the exception of breaks associated with force majeure circumstances (if it is necessary to carry out scheduled maintenance workd, during which it will be impossible for users to access information posted in the system, the notification must be posted at least one day before the start of maintenance works) (clause 6h).

We recommend that the data center adheres to the generally accepted standards governing data center construction. The most popular is the TIA-942 standard (text in Russian: https://www.ups-info.ru/etc/tia_russkii.pdf). It describes the following aspects of building a data center:

• Requirements for the location of the data center and its structure;
• Requirements for cable infrastructure;
• Requirements for engineering systems;
• Requirements for reliability;

This standard determines the level of reliability of the data center based on the set of characteristics. There are 4 levels: 1 is the minimum, 4 is the maximum. It takes into account the time of uninterrupted operation of the data center as well. All commercial data centers usually declare what level of reliability they meet according to the TIA-942 standard, confirming it with voluntary certification. Only data centers with a reliability level of 3 (Tier 3) or 4 (Tier 4) according to the TIA-942 standard are responsible for the tasks of the CDSS service. Only these data centers can guarantee the fulfilment of the requirement for the duration of uninterrupted operation (clause 6з of Resolution 447).

In the Russian Federation, there is still no special state standard for a data center (it is currently under development) and there are no requirements in the regulatory documentation for compliance of data center with any international standard. However, by placing the service in a data center certified according to the reliability level 3 or 4 of the TIA-942 standard, on the one hand, the operator of the CDSS service can partially ensure the compliance with the requirements for the reliability of the Decree, on the other hand, minimizes its risks and costs associated with hardware problems.

The decree obliges to provide "information protection by applying organizational and technical measures to protect the information, as well as by monitoring the operation of the system." It is clear that this includes physical security, and the organization of the work of staff, as well as the timely execution of routine maintenance of systems and much more, in addition to direct protection using the software. Although the requirements do not indicate the need for the data center to comply with any special documents in this area or to undergo any certification, a CDSS operator that hosts the service in the data center, as well as its customers, are interested in some kind of evidence that organizational and technical measures to protect the information in the data center are carried out in a manner to comply with the rules of the Decree.

Voluntary certification according to the following standards can be confirmation that information protection is properly organized in the data center:

• Russian National Standard GOST R ISO / IEC 20000-1-2013 “Information technology. Service management. Requirements for a service management system" (identical to international ISO / IEC 20000-1: 2011).
• Russian National Standard GOST R ISO 9001-2015 “Quality Management Systems. Requirements" (identical to international ISO 9001: 2015).

The fact that a data center has certificates for compliance with these standards does not automatically confirm the security of the information placed in it, but at least guarantees that the data center management processes are organized in order to satisfy the needs of its customers, including information security requirements.

Requirements for MIS

When working with a CDSS, a MIS is the initiator of the interaction and the source of the input data. Therefore, the following data processing operations must be performed  in MIS before transferring them to the CDSS:

• De-identification (depersonalization) of data. Because CDSS does not use personal data, then MIS, as an operator of personal data, should not process them (in this case, transfer to SPPVR) in accordance with Art. 5 of Federal Act of June 27, 2006 No. 152 "On Personal Data", namely:
  • Only personal data that meet the purposes of its processing (part 4) is subject to processing;
  • The content and volume of processed personal data must comply with the stated processing objectives. The processed personal data should not be redundant in relation to the stated purposes of their processing (part 5);
• Bringing data to the established format of information exchange, including control of the correctness and completeness of the transmitted information has to be ensured.