MEDICAL RECORD PRIVACY AND SECURITY
Internet Web Systems II- Spring 2010
Vinay Veeramachaneni
Overview
EMR/EHR (United States)
Why EMR/EHR?
What is Privacy and Security?
The Law
Example Scenarios
How to Protect?
Existing Systems
Conclusion
Human Factor
Medical and health records were maintained on paper.
Records were sent by fax or mail, or requested by phone.
Errors are most likely to be introduced by humans.
Point-of-care handling is hard to regulate.
Role of Technology
Availability of faster Internet and bandwidth
Low cost of hardware
Low cost of storage
Storage at multiple locations/mirrors to recover from failure
Software providing enhanced authentication
EMR/EHR Objective
Digitize and maintain patient medical records.
Electronically maintain and update health records.
Invest about $20 billion to improve health care (stimulus package).
Eliminate health disparities.
Why EMR/EHR?
Lower health care costs
Reduce medical errors
Improve point-of-care
Improve access to data
Improve quality of health care
Enhance the use of EMR by providers and hospitals
What is Privacy and Security?
Privacy is the ability of individuals to keep information about themselves private, or to reveal it only to selected individuals.
Protect an individual's trust.
Confide only in trusted individuals.
Security is preventing any unauthorized access to personal information.
Store information in a reliable location.
Prevent any illegal use of information.
Circle of Trust
Patient
Government
Physician
Hospital
Healthcare Provider
Loss of privacy
Loss of employment
Loss of insurance
Improper treatment
Reluctance to seek medical care
Social discrimination
Related places
Hacking
Outsourcing
Causes and Effects of Insecure Medical Records
Possibility of illegal use
Information breach
Sell to researchers
Sell to Pharmaceutical companies
Re-route prescription drugs
Household members
Employers
Ransom
Societies
Social Web
Poor handling by medical professionals
Losing records
Discussing in public areas, including the social web
Bribery
Miscommunication
Poor analysis
Use of data without consent
Medical Social Networking
Used for peer-to-peer communication
Used to connect members with various physical and mental ailments
Impact on the drugs physicians prescribe (Stanford Business School)
E.g.: PatientsLikeMe, SoberCircle, Doc2Doc, Healtheva, SurgyTec, ...
Educational purpose
Discussing related cases and cures
Example Scenarios
Hackers hold Virginia medical records for ransom (Washington Post, May 4, 2009). Hackers threatened the state government that they would sell the medical records of 8 million patients and the prescription drug monitoring records unless the government paid a $10 million ransom.
One outsourced medical transcriptionist threatened to post patient medical records online.
Example Scenarios
Private medical records for sale: patients' files outsourced for computer input end up on the black market (www.dailymail.co.uk, 18 Oct 2009).
Confidential medical records of patients of a British hospital were illegally sold on the black market, in this case to undercover federal agents.
Example Scenarios (2)
Medics tweeting and posting data on social websites.
An insurance agent found out the abortion of his niece and told her parents.
An employer illegally accessed the medical record of the employee’s HIV status.
The Law
HITECH Act – Health Information Technology for Economic and Clinical Health Act, 2009.
"Meaningful Use" of EHR and a set of standards.
HIPAA, 1996 – Health Insurance Portability and Accountability Act.
American Recovery and Reinvestment Act.
How to Protect?
Fair practice
Patient and professionals' training
Prevent mishandling of data
Optimize the information
Provide better authentication
Securing the facilities (hospitals and healthcare institutions)
Limit use of social networking; do not discuss patients
Provide standards and responsibilities
How to Protect?
Do not enter personal data
Identity theft
Red flag any misuse
Penalties
Report any illegal activity
Report phishing websites
Business treaties that provide data protection
Security (11) (North Carolina State University)
Study on the Certification Commission for Health Information Technology (CCHIT), the US EHR certification organization.
OpenEMR software: static analysis summary of 1210 alerts.
Vulnerabilities such as cross-site scripting, nonexistent access control, path manipulation and error information leak.
Study of Errors (OpenEMR)
Cross-site Scripting
Error Message Information Leak
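As an added example that is not part of the slides or of OpenEMR, the following hypothetical EMR document-view handler shows the four defect classes the study reports (cross-site scripting, nonexistent access control, path manipulation, error information leak) in a vulnerable form beside a hardened one; the document root, the access list and the file contents are constructed.

```python
import html
from pathlib import Path

# Constructed stand-ins: a document root and an in-memory "disk".
DOC_ROOT = Path("/srv/emr/docs")                      # hypothetical path
FILES = {("p001", "labs.txt"): "HbA1c 6.1% (<7.0 target)"}
ACL = {"dr_smith": {"p001"}, "billing_clerk": set()}  # user -> readable patients


class AccessDenied(Exception):
    """Raised when a request fails the access-control or path check."""


def vulnerable_view(user, patient_id, filename):
    """Before: no access control, path built from raw input, unescaped
    output, and an error message that leaks internal details."""
    path = DOC_ROOT / patient_id / filename                  # path manipulation
    try:
        body = FILES[(patient_id, filename)]
    except KeyError as exc:
        return f"<p>Error: {exc!r} while reading {path}</p>"  # info leak
    return f"<h1>{patient_id}</h1><pre>{body}</pre>"          # XSS


def hardened_view(user, patient_id, filename):
    """After: authorize first, confine the path to the patient's directory,
    escape everything rendered, and keep error detail out of the response
    (it belongs in a server-side log instead)."""
    if patient_id not in ACL.get(user, set()):
        raise AccessDenied("user may not read this patient's documents")
    base = (DOC_ROOT / patient_id).resolve()
    target = (base / filename).resolve()
    if base not in target.parents:                            # blocks ../ escapes
        raise AccessDenied("document path outside the patient's directory")
    try:
        body = FILES[(patient_id, str(target.relative_to(base)))]
    except KeyError:
        return "<p>Document not available.</p>"               # generic message
    return f"<h1>{html.escape(patient_id)}</h1><pre>{html.escape(body)}</pre>"
```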
Existing Systems
Shibboleth (Johns Hopkins)
Verisign
eClinicalWorks EMR (Tufts Medical)
E-MDs
www.omniMD.com
Dr.I-Net
Business Intelligence
Cost savings
Improved margins
Improved patient satisfaction
Better care
(Research by Microsoft; Nemours Pediatric Health System)
Conclusion
Privacy is an ongoing debate, as it is for personal identity and financial data.
Digitizing medical data has become law in the United States and is also being implemented globally.
Just as financial organizations do, hospitals must provide enhanced authentication.
Pros
- Cost efficiency
- Faster response
- Easy patient transfer
- Reduce medical errors
- Faster access to data
Cons
- Concerns of privacy
- Problem of hacking
- Lose patients
- Reluctant to medical care
- Social discrimination
Sources
1. http://www.omnimd.com
2. http://whereismydata.wordpress.com/2008/09/24/exapmles-of-misuse-of-medical-records--where-is-my-data/
3. http://en.wikipedia.org
4. http://www.doseofdigital.com/healthcare-pharma-social-media-wiki/
5. http://www.gsb.stanford.edu/news/research/mktg_nair_drugs.shtml
6. http://www.krollfraudsolutions.com/pdf/2010_Kroll-HIMSS_Study_FINAL.pdf
7. www.hhs.gov
8. http://www.netreach.net/~wmanning/privacy.htm
9. http://www.data-storage-today.com/story.xhtml?story_id=13100CRGCVD5&full_skip=1
10. http://www.healthcareitnews.com/news/officials-outline-criteria-meaningful-use
11. Towards Improving Security Criteria for Certification of EHR Systems