INSECURE RECORDS: THE ACHILLES HEEL OF HEALTH CARE INOFRMATION TECHONOLGYIntroduction
The American Recovery and Reinvestment Act (ARRA) of 2009, perhaps better known as President’s Obama’s stimulus bill, goes a long way to offer a blueprint for improving our nation’s health care system. A significant portion of the package is aimed at jump-starting a revolution in Health Information Technology by providing funding for the use of Electronic Health Records. While the $ 20 Billion allocated may or may not be enough, it demonstrates the administration’s attitude and determination of using technology to help solve our health care crisis.
We applaud this direction. In our view, and of many others, Electronic Health Records (EHRs) offer a cornerstone for improving patient care while reducing costs. What concerns us, however, is the possibility of a “Three Mile Island” for Electronic Health Records.
“Our failure ….has cast a shadow on the whole nuclear power industry. Soaring inflation, new and often contradictory federal and state regulations, and public intervention are all major factors in halting growth of nuclear power” (Source: Jay E. Boudreau, Deputy Associate Director for Nuclear Programs at Los Alamos National Laboratory, in a 1980 article entitled Three Mile Island: Aftermath and Impact.
We believe that we face a situation in Electronic Health Records similar to what happened to the fortunes of the nuclear power. The promise of abundant, cheap electricity was all but halted after Three Mile Island. Medical records must be maintained using stringent and appropriate technical controls, policies, and procedures. Instead of radioactive leaks, Health Information technology’s downfall could be the theft or unwitting release of sizable numbers of electronic records.
“Healthcare companies were responsible for 11% of all data breach incidents in the U.S. between 2000 and 2007…… In the healthcare industry, records were either in an electronic format at the time the breach occurred or they did not specify. Of the more than 1.7 million Health Records compromised between 2000 and 2007, only 7,250 records were in printed format. “ (Source: A Comprehensive Study of Healthcare Data Security Breaches in n the United States From 2000 – 2007, Kevin Prince, Perimeter eSecurity
With the imminent, widespread use of Electronic Health Records, we must prepare better.
In this article we provide an overview of:
· New provisions in the ARRA that strengthen privacy and security requirements
· An overview of possible sanctions and penalties for breaches
· Key things EHR vendors and users must doSecurity and Privacy Provisions in the American Recovery and Reinvestment Act (ARRA)
The ARRA significantly strengthens the security and privacy of medical information. In particular, the new law allows for significant fines and even criminal penalties for some breaches. Among some of the key provisions of the ARRA include:
· Establishes a federal security breach notification requirement for breach of protected health information
· Requires each individual be notified if their “unsecured” Personal Health Information (PHI is accessed, acquired or disclosed as a result of the breach. A breach notice provided to the individual must include: the date of the breach, the date of discovery and the steps the individual should take to protect themselves from potential harm,
· Requires notification to the Federal Government and prominent media outlets if more than 500 individuals impacted
· Applies to Personal Health Record Vendors such as Google and Microsoft
· Ensures that new entities that were not contemplated when HIPAA was written, are subject to the same privacy and security rules as other covered under HIPAA. These include PHR vendors, Regional Health Information Organizations (RHIOS), and Health Information Exchanges (HIEs)
· Provides an individual the right to have access to certain information about them in electronic format, for which the provider may charge a fee
· Gives individuals the right to receive an electronic copy of their PHI, if it is maintained in an electronic health recordPenalties under ARRA
The penalties for violations under ARRA can be severe for both organizations and individuals responsible for the safety of health information. Since this is a broad definition, it likely includes various executives, and practitioners who handle or supervise the systems that house this information. The specifics include:
· Allows criminal penalties to apply to individuals
· Provides a new system of civil monetary penalties
· Modifies distribution of certain civil monetary penalties collected
· Requires the Secretary of Health and Human Services (HHS) to provide for periodic audits of covered entities and business associates
· Allows State Attorneys General to bring civil actions in federal court on behalf of the residents of their stateWhat must EHR vendors do?
In our view EHR vendors may have to re-architect their products to provide for better security. Developing key software such as EHR systems are a life and death issue. For example, testing for security weaknesses should not be an afterthought, but instead be required at every stage of software development. Further, EHR systems must be vetted by security experts steeped in understanding attack patterns and malicious behavior. For buyers of EHR systems, we believe that assurances from vendors alone cannot be taken at face value. They must require adequate proof that the system was designed with security as the priority.
Consider the case of Microsoft, the world’s leading software company. After multiple attacks in the late 1990s on its flagship Windows operating system, Microsoft made security its top priority. It froze all new operating system releases until every identifiable security hole was fixed and stringent security processes were adopted. Today, Microsoft’s security approaches are second to none. The stringent application of security processes within Microsoft cost it money, but arguably it has saved its business.What should EHR users do?
Users of Electronic Health Record Systems will vary considerably. They will include small physician groups, small community hospitals, hospital networks, integrated delivery providers such as Kaiser Permanente, and Regional Health Information Organizations (RHIO) sponsored by many states. They may also include payers, insurance companies, and others in the fiscal and supply chain of health care.
The overarching concern for any of these entities should be the sanctity and security of the electronic records. This is a must. We suggest a two stage approach that can apply to all organizations – large and small.
The first objective is to document and evaluate the current adequacy of your information security posture including among other items:
· Information security policies and standards
· Information asset profiling and classification
· Core security technology components and security architecture
Following this, the entity must conduct immediate improvements in security. These may include:
· Improving governance mechanisms for faster security policies and standards adoption
· Development of appropriate information security policies and standards
· Infrastructure augmentation e.g. additional firewalls and monitoring systems
· Development of an appropriate data classification and asset profiling approach
For smaller or larger entities, this need not be an overwhelming expense or a lengthy exercise. All that is required, is a will and support from leadership.Conclusion
Without adequate security, there is no trust. Insecure EHRs will result in rampant violations or breaches, the inevitable fines and sanctions and ruined reputations. Even more tragically, the promise of EHR to dramatically reduce health care costs and improve patient care will be in tatters. As citizens we simply cannot let this happen. We must design-in security with the right balance of processes, behavior changes, and technology email@example.com