medical record privacy and security

MEDICAL RECORD PRIVACY AND SECURITY Internet Web Systems II- Spring 2010 Vinay Veeramachaneni


Post on 05-Jan-2016


Page 1: Medical record privacy and security

MEDICAL RECORD PRIVACY AND SECURITY

Internet Web Systems II- Spring 2010

Vinay Veeramachaneni

Page 2: Medical record privacy and security

Overview

EMR/EHR (United States)

Why EMR/EHR?

What is Privacy and Security?

The Law

Example Scenarios

How to Protect?

Existing Systems

Conclusion

Page 3: Medical record privacy and security

Human Factor

Medical and health records maintained on paper.

Records were sent by fax or mail, or requested by phone.

Errors are most likely to be caused by humans.

Point-of-Care is hard to regulate.

Page 4: Medical record privacy and security

Role of Technology

Availability of faster Internet and bandwidth

Low cost of hardware

Low cost of storage

Storage at multiple locations/mirrors to recover from failure

Software providing enhanced authentication

Page 5: Medical record privacy and security

EMR/EHR Objective

Digitalize and maintain patient medical records.

Electronically maintain and update health records.

Invest about $20 billion to improve health care (Stimulus package).

Eliminate health disparities.

Page 6: Medical record privacy and security

Why EMR/EHR? (1)

Lower health care costs

Reduce medical errors

Improve point-of-care

Improve access to data

Improve quality of health care

Enhance the use of EMR by providers and hospitals.

Page 7: Medical record privacy and security

What is Privacy and Security?

Privacy is the ability of individuals to keep information about themselves private or to reveal it only to selected individuals.

Protect an individual’s trust.

Confide in trusted individuals.

Security is preventing any unauthorized access to personal information.

Store in a reliable location.

Prevent any illegal use of information.

Page 8: Medical record privacy and security

Circle of Trust

Patient

Government

Physician

Hospital

Healthcare Provider

Page 9: Medical record privacy and security

Causes and Effects of Insecure Medical Records

- Loss of privacy

- Loss of employment

- Loss of insurance

- Improper treatment

- Reluctance to seek medical care

- Social discrimination

Related places

Hacking

Outsourcing

Possibility of illegal use

Information breach

Sell to researchers

Sell to Pharmaceutical companies

Re-route prescription drugs

Household members

Employers

Ransom

Societies

Social Web

Poor handling by medical professionals

Page 10: Medical record privacy and security

Poor handling

Losing records

Discussing in public areas including social web.

Bribery

Miscommunication

Poor analysis

Use of data without consent

Page 11: Medical record privacy and security

Medical Social Networking

Used for peer-to-peer communication

Used to connect members with various physical and mental ailments

Impact on the drugs physicians prescribe (Stanford Business School)

E.g.: PatientsLikeMe, SoberCircle, Doc2Doc, Healtheva, SurgyTec, …

Educational purposes.

Discussing related cases and cures.

Page 12: Medical record privacy and security

Example Scenarios

Hackers hold Virginia medical records for ransom (Washington Post, May 4, 2009). Hackers threatened the state government that they would sell the medical records of 8 million patients, along with prescription drug monitoring records, unless the government paid a $10 million ransom.

One outsourced medical transcriptionist threatened to post patient medical records online.

Page 13: Medical record privacy and security

Example Scenarios

Private medical records for sale: Patients’ files outsourced for computer input end up on the black market. (www.dailymail.co.uk, 18 Oct 2009)

Confidential medical records of patients of Britain’s Hospital were illegally sold on the black market, in this case to undercover federal agents.

Page 14: Medical record privacy and security

Example Scenarios (2)

Medics tweeting and posting data on social websites.

An insurance agent found out about his niece's abortion and told her parents.

An employer illegally accessed an employee’s medical record to learn the employee’s HIV status.

Page 15: Medical record privacy and security

The Law

HITECH Act, 2009 – Health Information Technology for Economic and Clinical Health Act.

“Meaningful Use” of EHR and set of standards.

HIPAA, 1996 – Health Insurance Portability and Accountability Act.

American Recovery and Reinvestment Act.

Page 16: Medical record privacy and security

How to Protect?

Fair practice

Patient and professionals’ training

Prevent mishandling of data

Optimize the information

Provide better authentication

Securing the facilities (Hospitals and Healthcare Institutions)

Limit use of social networking; do not discuss patients

Provide standards and responsibilities

Page 17: Medical record privacy and security

How to Protect?

Do not enter personal data

Identify theft

Red flag any misuse

Penalties

Report any illegal activity

Report phishing websites

Business treaties that provide data protection.

Page 18: Medical record privacy and security

Security (11) (North Carolina State University)

Study on Certification Commission for Health Information Technology (CCHIT), the US EHR certification organization.

OpenEMR software

Static analysis summary of 1210 alerts

Vulnerabilities like cross-site scripting, nonexistent access control, path manipulation, error information leak.

Page 19: Medical record privacy and security

Study of Errors (OpenEMR)

Cross-site Scripting

Error Message Information Leak

Page 20: Medical record privacy and security

Existing Systems

Shibboleth (Johns Hopkins)

Verisign

eClinicalWorks EMR (Tufts Medical)

E-MDs

www.omniMD.com

Dr.I-Net

Page 21: Medical record privacy and security

Business Intelligence

Cost Savings

Improved Margins

Improved Patient Satisfaction

Better care

(Research by Microsoft) (Nemours-Pediatric Health System)

Page 22: Medical record privacy and security

Conclusion

Privacy is an ongoing debate, as it is with personal identity and financial data.

Digitalizing medical data became law in the United States and is also implemented globally.

Just like any financial organization, hospitals must also provide enhanced authentication.

Pros

- Cost efficiency

- Faster response

- Easy patient transfer

- Reduce medical errors

- Faster access to data

Cons

- Concerns of privacy

- Problem of hacking

- Lose patients

- Reluctance to seek medical care

- Social discrimination

Page 23: Medical record privacy and security

Sources

1. http://www.omnimd.com

2. http://whereismydata.wordpress.com/2008/09/24/exapmles-of-misuse-of-medical-records--where-is-my-data/

3. http://en.wikipedia.org

4. http://www.doseofdigital.com/healthcare-pharma-social-media-wiki/

5. http://www.gsb.stanford.edu/news/research/mktg_nair_drugs.shtml

6. http://www.krollfraudsolutions.com/pdf/2010_Kroll-HIMSS_Study_FINAL.pdf

7. www.hhs.gov

8. http://www.netreach.net/~wmanning/privacy.htm

9. http://www.data-storage-today.com/story.xhtml?story_id=13100CRGCVD5&full_skip=1

10. http://www.healthcareitnews.com/news/officials-outline-criteria-meaningful-use

11. Towards Improving Security Criteria for Certification of EHR System