The HealthITBlog

Healthcare Informatics and Technology

Back in the saddle, galloping to secure electronic health data.

Gentle reader,

After a hiatus of a few weeks, adjusting to my new position selling this, I am back in the blogosphere.

With my new focus on security for cloud, virtualization and the general data center, I bring a new perspective and focus to healthcare IT: the security of patient data. This is ever so important if patient records are going electronic, especially if they are stored in the cloud. Aside from my new paid position, I have also had the privilege of volunteering under the stewardship of Arien as leader of the Security and Trust Workgroup of NHIN-Direct. I also have the privilege of working with the likes of Sean Nolan, who wrote a terrific compliment on my comparison of the Google and Microsoft PHRs.

So, securing electronic health data: last week I attended a CSO (Chief Security Officer) conference in San Francisco and learnt some interesting lessons:

  1. Trust is fundamental in healthcare – patients may not disclose an embarrassing disease if they fear the data is not private.
  2. Security is required for regulatory purposes and patient safety.
  3. Computers are not personal. When IBM coined the term PC, or Personal Computer, computer users at work came to believe that the computer they used was theirs. Thus security software designed to restrict the flow of data, prevent users from accessing certain websites, downloading specific files or copying files to disks or thumb drives is viewed by the user as an invasion of their personal space, a restriction on their personal computer. Don’t make users paranoid about doing their job or feel that Big Brother is watching their every mouse click; rather, explain the highly personal nature of healthcare records and the need to secure access.
  4. Refine business processes. Often one reads of data lost when a laptop or external hard drive is stolen, for example: 600 patient records lost on a stolen laptop. A natural reaction is one of horror and surprise. While certainly justified, a more analytical reaction would be “Employees are rarely malicious or dishonest, so what business process necessitated copying patient data to a laptop?” Refine the business process that necessitated this action. Remove the individual’s choice of where to store patient data; instead, make a business decision and apply a policy based on the data.

More on cloud and SaaS security to follow. I was pleased to read that the VA is taking steps to tighten security.

It’s good to be back!

May 25, 2010 | Health Information Technology | 2 Comments

Will you entrust the US government or a private entity with your electronic medical records?

The ARRA stimulus bill provides incentives for medical providers to use electronic medical records for storing patient healthcare information. (To read more about Meaningful Use and certified electronic medical records, beyond the scope of this posting, please refer to CCHIT.) The overarching goal is to allow medical records to be exchanged between health-care providers. A simple example: an employee changes jobs and receives new health insurance, which requires him to use a different healthcare provider. How does he transfer his medical records to that new health-care provider? Or a soldier is treated in a military hospital, then transferred to the VA and finally to a public or private hospital. How does his or her electronic medical record transfer between the three distinct institutions?

In transferring electronic patient data between institutions:

  • How does American law protect the privacy and security of patient health-care data?
  • Why are Americans hesitant to share medical information electronically?

On Monday, January 25th, 2010, a study by the Ponemon Institute revealed that Americans distrust both the federal government and private enterprise to store their health-care data electronically.

Of the 868 Americans surveyed about their views on digitizing and storing health records, only 27% said they would trust a federal agency to store or access the data – the same percentage as those who would trust a technology firm like Google, Microsoft or General Electric.

Let’s examine how US federal law protects electronic medical records.

Health insurers and providers who are covered entities must comply with your right to:

  • Ask to see and get a copy of your health records
  • Have corrections added to your health information
  • Receive a notice that tells you how your health information may be used and shared
  • Decide if you want to give your permission before your health information can be used or shared for certain purposes, such as for marketing
  • Get a report on when and why your health information was shared for certain purposes

Nothing here addresses electronic medical records, the exchange of electronic data or, most importantly, authenticating the individual who requests access to the records. In an electronic medical record system, how can I be certain that Joe Smith is who he claims to be when he logs into the system? Is a user name and password sufficient security?

  • In light of the ARRA stimulus bill, the US Department of Health and Human Services (HHS) revised the privacy rule in December 2008 (11-page PDF here). In summary:
  1. Access: Individuals must be provided timely access to their medical data.
  2. Disputation/Correction: Individuals must be able to dispute and correct information in their health record, whether the error is a simple typo, corruption of digital information in transit between entities or even medical identity theft.
  3. Openness/Transparency: Individuals must have access to their record and know what is in it and how it is disclosed.
  4. Individual choice: Individuals must be able to choose how their data is shared, for example which doctor is allowed to view their record, or delegating access to another person in case the individual/patient is incapacitated and cannot access their record.
  5. Collection/Use: Individuals have the right to know how their medical data is distributed and used; data is only used for their care and not distributed beyond the patient’s consent.
  6. Data quality/Integrity: Data is secure and not compromised.
  7. Accountability/Auditing: An audit trail and legal accountability exist to establish who was authenticated and authorized to access an individual’s data.

The word “trust” appears 13 times in the 11-page document, and the phrase “trust in electronic exchange of information” appears six times. Clearly the HHS is attempting to gain the public’s trust in an electronic exchange of health data.

  • The Federal Trade Commission proposed a breach notification rule (50-page PDF) “requiring vendors of personal health records and related entities to notify individuals when the security of their individually identifiable health information is breached.”

So, given the above laws, why does the Ponemon study find Americans so distrustful of storing their health data electronically? The study revealed that users rated health records as far more sensitive than other information they typically share with web companies. On a scale from one to seven, medical data received an average rating of 6.64, while credit card information received only a 4.27 and online search records just a 1.86.

I posit that:

  • Internet searches can be reasonably anonymous. I can search for information from a public computer such as the library’s, or a firewall can mask my computer’s identity (IP address).
  • If my credit card information is compromised I am protected by the credit card company; so much so that credit card companies have sophisticated software that tracks errant spending patterns and forewarns me. Am I in an obscure overseas country attempting to purchase a $3000 airline ticket?
  • Americans, historically, have distrusted their government. The Bill of Rights, dating back to 1791, protects the individual (for example, against unreasonable searches). So why should the government be trusted with personal health information?

The problem is that health information potentially reveals personal and important details about an individual: their weight, medications, illnesses, addictions, allergies, perhaps even sexual preferences. (Interestingly, under US law patients do not have access to their psychotherapy notes. See the HIPAA rule: “You do not have the right to access a provider’s psychotherapy notes.”)

The real problem, I believe, is what options an individual has if their electronic medical record has been compromised. Witness two recent incidents in California where electronic patient information was stolen: UCSF (600 patients) and Kaiser (15,000 patients).

Is the FTC breach rule sufficient?

I think the rule is sufficient, but the ubiquity and ease of electronic data duplication make it difficult to gain the trust of users. If my medical records are stolen, what comfort is the rule? The answer individuals require from electronic medical record vendors is “we will encrypt your data, at rest and in transit.” At rest means that data in a database is encrypted; in transit means that the data is encrypted as it is transmitted across computer networks. Today, encryption in transit is easily achieved with SSL. Encryption at rest is rare because it is practically difficult to implement. If I encrypt “Joe Smith” as “aS@Pn!”, then how do I search for his record, as I cannot search for “Smith”? How does another application, say a reporting application, access and present the encrypted data? How do I index a database (group all the “Smith”s together) if the data is encrypted? How can a receiving party in another institution (sharing electronic medical records) decrypt the data? As the UCSF and Kaiser incidents note, unencrypted data was stored on detachable disks and subsequently stolen.

Electronic medical record vendors and the US government have a long way to go to gain public trust.

(This posting is an assignment from my UC Davis Informatics class on telemedicine)

January 28, 2010 | Health Information Technology | 2 Comments

Security for Personal Information stored in Electronic Medical Records

Security and privacy of electronic personal health information entails the same concepts as security for other electronic data, such as personal financial data.

I believe the top three requirements for security of electronic data are:

  1. Confidentiality – keeping data hidden. Data is encrypted both at rest (in the database) and in transit (over TLS/SSL).
  2. Integrity – ensuring data is trustworthy and has not been modified. This can be accomplished using digital signatures.
  3. Access – access and audit controls. Implement access controls to govern who can access the data. Often this is implemented as the least-privilege principle: only grant a user the role or privilege to access the minimal data they require to perform their function. Complementary to access controls are audit logs: produce logs of who accessed the data, at what time, and so on. Another example of roles and privileges is separation of duties; in the financial world one might ensure that the person who makes out a check cannot sign it, thus preventing a dishonest user from making a check out to themselves or their friend.

In the financial world the concern is that a user who accesses and modifies data without the proper authorization and privilege may use that data illegally. For example, a hacker who steals credit card numbers from the database of an online merchant and then makes purchases with those cards. Similarly, in the United States, social security numbers can be stolen to create fake personal identities.

Implications for digital patient information stored in electronic health records or similar.

US regulations require that entities disclose breaches of electronic health data, as highlighted by Lisa Gallagher.

The security policy for an Electronic Medical Record that contains Personal Health Information consists of three entities:

1. Subject – the patient. The subject may require an agent; for example, the agents of a newborn baby are its parents, and a living will can stipulate that an agent make decisions on behalf of an incapacitated person.

2. PHI – Personal Health Information – the actual medical and personal data about the patient.

3. Clinician – The physician treating the patient.

Theft of personal electronic medical data can be used for nefarious financial purposes, such as billing Medicare for services not rendered. However, I believe there are greater risks, as follows:

  • Integrity – are we certain that this data belongs to this patient?
  • Confidentiality – prevent data from being posted to the Internet.
  • Access

It is paramount that data in electronic medical records is never overwritten or deleted, only appended.

Auditors should only access a copy of a patient’s record, never the original, so that they cannot alter or append data.

A physician should have the privilege to alter access to an electronic record. For example, when a patient is referred from a family physician to a specialist, the family doctor grants the specialist access to the patient’s medical record. At all times the patient should know who has access to his or her medical record.

Exceptions to these access rules:

  • In an emergency, access may be granted to someone other than the subject (the patient or their agent).
  • Court-ordered access to a medical record.

However, a conflict-of-interest scenario is also possible: a medical practitioner hacks into an EMR and faxes prescriptions for themselves.

In closing, HIMSS conducted a survey, sponsored by Symantec, of the security policies and procedures in place at medical institutions.

November 11, 2009 | Health Information Technology | Leave a Comment
