Healthcare IT security has been a sensitive subject for the past 12 months in Utah’s health care community with two major healthcare security breaches.
The future of Electronic Health Records (EHR) security will be impacted by the findings of several studies conducted in the past year. From what I can tell, these studies bring with them both good and bad news.
Americans have long been concerned about privacy and have never supported a National Identity Card of any kind. But when it comes to electronic health records, we might have to give that a second thought. Right now Health and Human Services is taking comments on Conditions for Trusted Exchange (CTE) of electronic health care records within a Nationwide Health Information Network. They are trying to determine how to verify that your health care records are indeed your health care records when information is transferred between parties.
The complexity of verifying personal identity without biometric authentication on a national level is mind-boggling. How many thousands of John Smiths and James Johnsons are there in this country? According to Howmanyofme.com there are 45,354 people named John Smith in the United States and 35,933 people in the U.S. named James Johnson. What is the probability that hundreds of those individuals also share the same birthdate?
The HHS is recommending a goal of achieving a 99.9% match rate, but no matter how sophisticated the demographic matching algorithm might be, no CTE could be expected to achieve a specificity of 99.9% when dealing with the population of the whole country. Adding some sort of biometrics, whether it be iris scans, hand scans or fingerprints, will add the level of identification that is mandatory in life-and-death situations.
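To put numbers on the question above, here is an added worked example (not from any HHS material) that estimates how often a name plus birthdate key is ambiguous for the two names quoted. It assumes birthdates are spread uniformly over 100 years, which is a simplification; the function names are made up for this illustration.

```python
import random
from collections import Counter

# Assumption for illustration (not from the page): birthdates are spread
# uniformly over 100 years. Real birthdates cluster, which makes
# collisions more likely, not less.
POSSIBLE_BIRTHDATES = 36525
JOHN_SMITHS = 45354      # figures quoted in the text above
JAMES_JOHNSONS = 35933


def ambiguous_fraction(same_name_count, birthdates=POSSIBLE_BIRTHDATES):
    """Probability that a person shares name AND birthdate with someone else."""
    return 1.0 - (1.0 - 1.0 / birthdates) ** (same_name_count - 1)


def simulate_ambiguous_fraction(same_name_count, birthdates=POSSIBLE_BIRTHDATES, seed=1):
    """Draw one birthdate per person and count records whose key is not unique."""
    rng = random.Random(seed)
    per_date = Counter(rng.randrange(birthdates) for _ in range(same_name_count))
    ambiguous = sum(n for n in per_date.values() if n > 1)
    return ambiguous / same_name_count


def largest_name_group_meeting(target_uniqueness, birthdates=POSSIBLE_BIRTHDATES):
    """Largest group of same-name people for which name+DOB stays that unique."""
    n = 1
    while ambiguous_fraction(n + 1, birthdates) <= 1.0 - target_uniqueness:
        n += 1
    return n


if __name__ == "__main__":
    for label, count in (("John Smith", JOHN_SMITHS), ("James Johnson", JAMES_JOHNSONS)):
        print(f"{label}: analytic {ambiguous_fraction(count):.1%}, "
              f"simulated {simulate_ambiguous_fraction(count):.1%} "
              "share both name and birthdate with someone else")
    print("Same-name group size that still allows 99.9% uniqueness:",
          largest_name_group_meeting(0.999))
```

Under these assumptions a name and birthdate pair stops being 99.9% unique once a few dozen people share the name, so a matcher needs further attributes or a stronger identifier for common names.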
If every person had a medical card, which carried electronic identification data, they could have access to their medical records wherever they went. They could give access to new medical practitioners while avoiding the need to fill out the packet of forms at each appointment.
Today thousands of individuals who work in private industry and government have such a card that allows them […]
On May 31, 2011, the Department of Health and Human Services’ (HHS) Office for Civil Rights proposed a new rule recommending that patients have the right to ask for a report on who has accessed their medical records. The recommendation has been out for public comment since that time.
A number of healthcare organizations including the Medical Group Management Association (MGMA), the College of Healthcare Information Management Executives and the American Health Information Management Association are asking the Department of Health and Human Services’ Office for Civil Rights to reconsider the access report requirement.
The reasons given are:
Few patients request such information and it would cost too much to add that feature to every system. 55% of 1,400 physicians surveyed stated that they had not received such a request in the past year.
MGMA contends the access report proposal could do more harm than good. There is concern that the proposed rule could serve as a “disincentive” for adoption of Electronic Health Records.
There was also concern about compromising the privacy of the health care professionals, particularly Mental Health care providers who sometimes use pseudonyms “to avoid patients stalking or contacting them outside the workplace.”
The recommended solution is for the patient to provide a list of specific names to determine whether those individuals have or have not accessed the patient’s information.
The HHS is accepting comments on the proposed rule till August 1st. Apparently, they will have a number of positions to reconsider before they find the right balance of cost effectiveness and protecting the privacy rights of both patients and clinicians.
It appears that the health care industry lacks understanding of basic information technology security. Dr David Lee Scher, MD, just wrote an article for the Healthcare IT and Technology blog outlining five things healthcare providers should know about electronic health care record security. From his article, it is obvious that health care workers could use some IT security training.
Here are some of the problems he described.
30% of physicians did not use antivirus on their office computers.
34% of physicians’ offices did not have network firewalls.
The Inspector General of the HHS Office for Civil Rights inspected 7 hospitals for HIPAA compliance and found that although all of them had implemented some policies and rules to protect EHRs, none had implemented sufficient controls to adequately protect patient privacy. Common violations were improper disposal of printed records and leaving computer screens on and unattended.
Most EHR systems date- and time-stamp all entries. These entries are permanent records and cannot be deleted, only corrected, so healthcare providers should be careful about what they put in the record. The entry log may be audited by the practice or IT manager, as well as by attorneys during discovery.
Most breaches of privacy data do not come from “hackers” but from data that was improperly stored or lost by individuals not following hospital security protocols.
Data security is the responsibility of everyone in the hospital or the doctor’s office. All staff should be fully aware of their role and responsibilities in keeping private patient information safe and secure. Like anyone else who works with information technology, healthcare providers should have annual security training and be aware of the consequences of not following the protocols.
You can read Dr. Scher’s blog at healthcaretechnologymagazine.com.
The Health IT Policy Committee on June 8 accepted a recommendation that all organizations participating in the Nationwide Health Information Network initiative (NwHIN) should use digital certificates that meet the same authentication standards already required for federal agencies. Ultimate approval for the recommendation falls on the Department of Health and Human Services.
One of the main motivations for the digital certificate requirement is that most healthcare organizations, at some point, will have to exchange information with a federal agency, and that requires use of Federal Bridge standards.
The authentication recommendation, which came from the Privacy and Security Tiger Team, states, “all certificates used in NwHIN exchanges must meet Federal Bridge standards and must be issued by a certificate authority (or one of its authorized resellers) that is a member of the Federal Public Key Infrastructure Framework.”
Paul Egerman, tiger-team co-chair, told the committee that an electronic health records (EHR) vendor, for example, could serve as a certificate reseller. Plus, about six certificate authorities now offer the Federal Bridge certificates at prices of $100 or less per organization.
In addition to the authentication recommendations, the committee recommended that for stage two of the HITECH Act electronic health record incentive program participants should verify how they’re keeping stored data secure, such as through encryption.
HHS is slated to issue a proposed rule setting requirements for stage two of the EHR incentive program by year’s end, with a final rule due by mid-2012.
In light of that timeline, the HIT Policy Committee on June 8 recommended that HHS fine-tune the deadline for certain participants in the program to achieve stage two benchmarks. Under the revised plan, those that attest to qualifying for stage one in 2011 would have until 2014, instead of 2013, […]
Just weeks before the powerful F5 tornado ripped through Joplin, Missouri, severely damaging the St. John’s Regional Medical Center, St. John’s had converted to a new electronic health records system. Having all their records online and backed up in another city allowed the hospital to have a 60-bed mobile hospital up and running in less than a week.
“If the tornado had hit a month earlier, before installing the electronic health record system in Joplin, St. John’s would not have been able to bring up our mobile hospital within a week’s time. We still would not be operational at this point,” said Mike McCreary of Mercy Technology Services.
“Today, patients have continuity of care across all of our physician locations and the new St. John’s Mercy Hospital, and connection to the entire Mercy health system, because of our EHR and our ability to quickly re-establish communication services.” McCreary noted that St. John’s patients also have access to historical medical records. More current health information was stored within the new EHR, and older paper records had been scanned prior to the tornado and are securely stored on servers located in other communities.
Read the complete story at Healthcaretechnologymagazine.com.
After hearing objections from hospitals and physicians about a proposed “opt-in” approach to obtaining patient consent for health information exchange (HIE), the Maine legislature has dropped a proposal to switch from an “opt-out” approach.
The original proposal would have required giving patients an opt-in form that they would need to sign to authorize having their electronic health records shared over HealthInfoNet, the statewide HIE.
Concerns were expressed by the state hospital and medical associations and HealthInfoNet that the “opt-in” approach would result in few people taking advantage of the benefits of the HIE. Other HIEs using the opt-in approach have found that a relatively small percentage of patients take the initiative to sign the form. Amy Landry, HealthInfoNet’s communications director, stated that “Unless a majority of state residents’ records are accessible via the HIE, physicians and hospitals are unlikely to use it because of its limited value.”
HealthInfoNet has always instructed participating providers to give patients a Notice of Privacy Practices, as required under HIPAA, that also describes that their data may be shared via the HIE and offers the opportunity to opt out.
Last year, the Health and Human Services Privacy and Security Tiger Team, which advises federal regulators, endorsed a “meaningful consent” approach that HIEs should take. It accommodates either the opt-in or opt-out approach, emphasizing educating patients about their privacy rights as well as HIE procedures.
The revised proposal, which awaits the governor’s signature, requires informing patients about the benefits and risks of the HIE and giving them the opportunity to “opt out.” Unless they take action to opt out, their information will automatically be accessible via the HIE, which stores certain records in a central data repository.
To view the revised Maine legislation, visit […]
With the National Health Information Network Direct (NHIN Direct) working to create a standard for the transfer of Electronic Health Records (EHRs), the need for segmented and secure patient records is becoming apparent to all who are working on this technology. A segmented EHR would allow for providers with different roles to access only the portions of the EHR relevant to their task. Protecting personal health information through the use of data segmentation is partially rooted in state and federal privacy laws addressing abuse of information.
Such laws include: HIPAA – Privacy Rule, HIPAA – Security Rule, and the federal Confidentiality of Alcohol and Drug Abuse Patient Records regulations (Part 2). These laws protect against the exchange of health information without patient consent.
Lesser-known but equally stringent state laws protect a broad range of information, for example health data related to minors or incidents of sexual violence¹. Other justifications for the use of data segmentation in protecting health data include established principles of patient autonomy and the need to encourage greater patient trust and participation in the health care system.
Data segmentation provides the potential means of protecting specific elements of health information. Both within an EHR and in broader electronic exchange environments, segmentation can prove useful in implementing current legal requirements and honoring patient choice.
Most patients want to control access to their medical records, and restrict which parts of their medical record are accessed. Not all health providers need access to the patient’s full record (for example, billing clerks and X-Ray technicians), but they do require access to portions of the record.
This capability for patients to have complete control over their EHR is slightly ahead of the current US law. However, […]
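A small sketch of the segmentation idea described in this post, added here as an illustration and not taken from NHIN Direct or any EHR product. The role names, segment names and the rule that a patient restriction overrides every role are assumptions; each decision is also logged so that an access report could be produced from it.

```python
from dataclasses import dataclass, field

# Constructed role-to-segment policy; role and segment names are hypothetical.
ROLE_SEGMENTS = {
    "physician": {"demographics", "medications", "imaging", "substance_abuse", "billing"},
    "xray_technician": {"demographics", "imaging"},
    "billing_clerk": {"demographics", "billing"},
}
# Segments released only with explicit patient consent (for example Part 2 data).
CONSENT_REQUIRED = {"substance_abuse"}


@dataclass
class PatientRecord:
    patient_id: str
    segments: dict                                 # segment name -> data
    consented: set = field(default_factory=set)    # (role, segment) pairs the patient allowed
    restricted: set = field(default_factory=set)   # segments the patient has withheld
    access_log: list = field(default_factory=list)


def read_record(record, user, role):
    """Return only the segments this role may see, and log every decision."""
    view = {}
    for name, data in record.segments.items():
        allowed = name in ROLE_SEGMENTS.get(role, set())   # unknown role: deny all
        if name in CONSENT_REQUIRED and (role, name) not in record.consented:
            allowed = False
        if name in record.restricted:                      # assumed: patient choice wins
            allowed = False
        record.access_log.append((user, role, name, "granted" if allowed else "denied"))
        if allowed:
            view[name] = data
    return view


def demo():
    record = PatientRecord(
        patient_id="P-0001",  # constructed sample data
        segments={"demographics": "...", "medications": "...", "imaging": "chest film",
                  "substance_abuse": "...", "billing": "invoice 17"},
    )
    record.restricted.add("medications")
    tech = read_record(record, "tech01", "xray_technician")
    doc = read_record(record, "dr_a", "physician")
    record.consented.add(("physician", "substance_abuse"))
    doc_after = read_record(record, "dr_a", "physician")
    return sorted(tech), sorted(doc), sorted(doc_after), record.access_log
```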
Surveys have shown that the majority of Americans are “very concerned” about identity theft or fraud (80 percent), the use of their medical information for marketing purposes (77 percent), and that their data might become available to employers or insurance companies (56 and 55 percent, respectively). At the same time, 89 percent of respondents say that they want their physicians to be able to communicate with one another, while the majority support the development of Health Information Technology as a whole and believe that it will improve care and reduce costs¹.
According to a current listing on DataLossDB.org, four of the ten major data security breaches on the list involved medical records getting into the wrong hands. The VA experienced one of the top ten data security breaches of all time (over 26 million records). Patient records contain information that can be used to steal a person’s identity or help criminals pinpoint vulnerable targets. Medical information can be used to discriminate unfairly because it is often beyond what the payors and others are allowed to know. Employers and insurance companies can discriminate based on past health issues if given access to these records.
Initiatives for a standardized Electronic Health Record (EHR) are gaining acceptance. As these standards are developed, the government and industry should look to the Payment Card Industry Data Security Standard (PCI DSS) for eCommerce security. Under PCI DSS, compliant systems require sensitive information to be separated from non-sensitive data within the system and to be encrypted both in transit and at rest. This prevents hackers from reading the information even if they manage to break into the system or steal a computer. While PCI DSS compliance has helped prevent security breaches in […]