EHR and Health IT Consulting
Technical Doctor's insights and information collated from various sources on EHR selection, EHR implementation, EMR relevance for providers and decision makers

New Privacy Threats in Healthcare?


Privacy advocate Deborah Peel, M.D., is worried that several ongoing healthcare sector initiatives, including the emphasis on nationwide, interoperable health information exchange, provisions of the 21st Century Cures bill, and a push for a national unique patient identifier, could erode patient privacy and individuals' control over their records.

Electronic health records systems, and databases that store massive amounts of data on millions of patients, have "created a situation where our absolutely most sensitive information is at the greatest risk of all personal information," says Peel, founder and chair of the advocacy group Patient Privacy Rights, in an interview with Information Security Media Group.

"And on top of that, as Congress has woken up and found out, your doctors are not getting the information they need [for treatment]. That was the whole purpose of having an electronic health record system, and it's failed miserably. ..."

Peel is concerned that the intensifying focus on improving electronic health records interoperability and nationwide data sharing, in an effort to ease access to treatment information, could lead to more hacker attacks as well as insider breaches.

Plus, she opposes proposed changes to the HIPAA Privacy Rule included in the 21st Century Cures bill, which the House recently passed and sent to the Senate. Those changes would allow healthcare entities to disclose patient data to other healthcare entities or business associates for research purposes without patient authorization.

"The point of the medical record is to help the physician take better care of you," she says. "Who goes to the doctor to join endless numbers of hidden 'research projects'? I don't know anyone who does."

Patients need to have more control over collection and storage of their own health information, she says, and they should be given the opportunity to approve the use of their records in research projects.

Unique Patient IDs

Peel is also concerned about renewed calls by some healthcare industry associations, including the College of Healthcare Information Management Executives, for Congress to re-examine its long ban on the creation of a national unique patient identifier.

When Congress passed HIPAA in 1996, the law called for the creation of a unique health identifier for individuals. But in response to privacy concerns, Congress in 1999 passed a law prohibiting federal funding for the identifier. However, some healthcare IT leaders say some sort of ID is more critical than ever in facilitating secure national health information exchange and ensuring patient record accuracy in the wake of mass adoption of electronic health record systems.

But Peel fears a national patient identifier would open the door for more invasions of privacy. "The rationale for a unique patient ID is exactly the same as the rationale of a Social Security number. It was supposed to be used for one purpose. And what happened to the Social Security number? It's used as a national ID for everywhere, and it allows all kinds of people to collect information about you from everywhere."

Peel, a practicing psychiatrist and psychoanalyst, is founder and chair of the advocacy group Patient Privacy Rights. Peel became active in privacy rights at the federal level in 1993. She advocated first as an individual and later on behalf of state and national medical specialty organizations for patient control of access to medical records. She has made multiple presentations at national panels and Congressional briefings.


Securely Disposing Medical Practice Equipment


It goes without saying that computers are expensive. Medical practices will often gift used office equipment to employees or family members, or donate it to vocational programs. Risk management attorney Ike Devji says that donating old equipment like scanners, fax machines, and computers at the end of the year is very common. "At the end of the year practices will rush to spend money so that it is not taxable. They buy [new] equipment … and computers are replaced."

There's just one small problem. Deleting sensitive patient data will not permanently eliminate it from the hard drive of the device. And if you've donated your practice's scanner to the local thrift store, it still contains sensitive patient data that "a well-trained 12-year-old kid with access to YouTube can get … off the hard drive," says Devji.

Devji points out that a high-end digital scanner can store up to 10,000 pages of patient data. And equipment that is synched to your EHR, even smartphones and tablets, needs to be destroyed or disposed of in a secure manner.

If you have old equipment that you'd like to get rid of, contact your IT consultant. He should be able to point you in the right direction. Or you could follow Devji's approach: He uses his old equipment for target practice in the Arizona desert.


The Fastest Path to a Secure Cloud


Personal Health Information (PHI) records and electronic PHIs (ePHIs) comprise our most confidential data, including demographic information, medical history, test and laboratory results and insurance information. Health care professionals utilize the PHI to identify the patient and determine appropriate care and treatment; insurers input financial data, and patients can access this information by request. Due to this highly sensitive combination of medical and financial data, these records have become a favorite target for hackers, as shown by the recent Premera and Anthem breaches.

As hackers become more sophisticated in their attacks, organizations must become increasingly vigilant in implementing HIPAA-compliant standards to secure their data. Healthcare organizations currently use both on-premises and cloud deployments to house their information. In fact, a recent survey of healthcare provider organizations indicates that 83% of IT executives report that they are currently using cloud services. The areas with the most uptake include lab systems and email services; electronic health record and information exchanges (CHIs, EMRs, Telehealth, etc.); and Shadow IT, in which staff enlist cloud-based services without going through their IT departments.

While the advantages in moving to the cloud include improved access, powerful processing capabilities, higher availability and significant savings with on-demand hosting, healthcare organizations are still wary that the cloud may deliver a less secure option. They are reluctant to transfer mission-critical and sensitive information to a seemingly anonymous IT admin in an unidentified location. Other organizations may be concerned that their IT teams may not have the requisite skills and processes to manage the migration and maintenance of the cloud deployment.

In the Public Cloud environment, responsibility for IT security is shared between the health care organization and the Cloud Service Provider (CSP), with a clearly defined demarcation. The CSP is in charge of securing access to the physical servers and the virtualization layer, while the health care organization is responsible for securing the hosted Operating Systems, the applications and the data itself. CSPs differ in the ‘native’ security features they offer, but those always fall short of best-practice security requirements. Therefore, organizations using public clouds are required to supplement the CSP offering to ensure a HIPAA compliant cloud deployment.

As part of a cloud migration process, ePHIs may be ‘exported’ to the cloud, to share with other healthcare organizations, clinicians and insurers, or for cloud-based storage and processing. In such cases encryption of the data in transit and at rest is critical. Firewall policies to control data transfer and access are also required. Since many healthcare organizations have only migrated a portion of their resources to the cloud, the encryption and firewall policies must encompass the hybrid, private and enterprise cloud environments.

When ePHI or other clinical or sensitive data is stored in the cloud, the issue of remote access must also be addressed. Health care professionals, IT staff and others need to access cloud resources from remote offices and via mobile devices. Although remote access provides flexibility, it is also a significant security risk. Almost half of the healthcare security incidents last year were the result of loss or theft of devices such as laptops, phones or portable drives. Internal threats are especially worrisome, as 15% of the security incidents in healthcare in 2014 were attributed to unapproved or malicious use of organizational resources.

The answer to these threats is strong integration with identity controls as well as access management. To protect their resources, organizations must implement strong two-factor or multi-factor authentication. Identity-based access management policies assure that employees are not able to access unauthorized data, and multi-factor authentication ensures that those who steal or find lost devices will not be able to reach internal resources.

Another important step in securing healthcare information involves implementing monitoring and logging capabilities. This is emphasized in a cloud environment where the infrastructure is owned by a third party and is shared among several organizations (i.e. multi-tenant). Although logs are important, unless they are regularly monitored in an accurate manner, important or suspicious events will not be noted. Therefore, visibility and automated alerts are critical in early detection of security incidents.
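One way to turn the logging, identity and multi-factor requirements above into automated alerts, shown as an added example that is not code from the article. The JSON log format, field names, role policy and thresholds are all assumptions made for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access events (not from any real system).
SAMPLE_LOG = """\
{"ts":"2015-01-05T08:01:12","user":"nurse_a","role":"clinician","device":"tablet-17","mfa":true,"action":"read","resource":"ehr/patient/1001","ok":true}
{"ts":"2015-01-05T08:05:40","user":"clerk_b","role":"billing","device":"desk-02","mfa":true,"action":"read","resource":"ehr/patient/1001","ok":false}
{"ts":"2015-01-05T09:00:01","user":"dr_c","device":"laptop-09","action":"login","ok":false}
{"ts":"2015-01-05T09:00:40","user":"dr_c","device":"laptop-09","action":"login","ok":false}
{"ts":"2015-01-05T09:02:10","user":"dr_c","device":"laptop-09","action":"login","ok":false}
{"ts":"2015-01-05T09:03:30","user":"dr_c","role":"clinician","device":"laptop-09","mfa":false,"action":"read","resource":"ehr/patient/2002","ok":true}
"""

# Hypothetical identity-based policy: resource prefixes each role may touch.
ROLE_POLICY = {"clinician": ("ehr/",), "billing": ("claims/",), "it_admin": ("infra/",)}
FAILED_LOGIN_LIMIT = 3          # assumed threshold
WINDOW = timedelta(minutes=5)   # assumed sliding window

def detect(log_text):
    """Return (rule, subject, timestamp) alerts for one batch of log lines."""
    alerts = []
    failures = defaultdict(list)  # device -> recent failed-login times
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        ts = datetime.fromisoformat(e["ts"])
        if e["action"] == "login":
            if not e["ok"]:
                # Repeated failures on one device suggest a lost or stolen device.
                recent = [t for t in failures[e["device"]] if ts - t <= WINDOW] + [ts]
                failures[e["device"]] = recent
                if len(recent) == FAILED_LOGIN_LIMIT:
                    alerts.append(("FAILED_LOGIN_BURST", e["device"], e["ts"]))
            continue
        # Successful data access that never passed a second factor.
        if e["ok"] and not e["mfa"]:
            alerts.append(("ACCESS_WITHOUT_MFA", e["user"], e["ts"]))
        # Attempts (allowed or denied) outside the role's permitted resources.
        if not e["resource"].startswith(ROLE_POLICY.get(e["role"], ())):
            alerts.append(("OUT_OF_ROLE_ACCESS", e["user"], e["ts"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Denied out-of-role attempts are alerted on as well as successful ones, since the article attributes a share of incidents to unapproved use by insiders.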

The cloud is becoming the default choice for healthcare CIOs. The fastest path to a secure, compliant healthcare deployment in the cloud requires careful planning and implementation. Key to a viable security solution are encryption, access management and firewall policies, combined with event monitoring capabilities and alerts. Solutions that provide this set of security elements for the public and hybrid cloud are now becoming available in the marketplace, evidence that cloud technologies for healthcare are coming of age.
