Security & Health Care Reform

The historic passage of the Health Care Reform Act (the Patient Protection and Affordable Care Act) by the U.S. House of Representatives brings back into focus the challenges of securing electronic medical records.

Under his recently unveiled fiscal stimulus plan, President Obama seeks to invest up to $20 billion in federal funds to achieve widespread digitization of medical records.

The reasoning is that once medical data is in electronic form, we can reduce long-term costs and increase the effectiveness of our health service providers. However, this new frontier is fraught with potential security problems.

In response, healthcare organizations (e.g., CVS, McKesson, et al.) got together this month to create a new security framework to address these potential problems. Calling themselves the Health Information Trust Alliance (HITRUST), these companies unveiled the Common Security Framework (CSF), the first IT security framework designed specifically for healthcare data loss prevention.

The challenges that confront HITRUST in securing digitized medical records (DMR) include:

  • Hacking incidents on DMR systems that lead to the alteration of patient data or the destruction of clinical systems
  • Misuse of health information records by authorized users of DMR systems
  • Long-term data management concerns surrounding DMR systems
  • Government or corporate intrusion into private health care matters
  • Potential security breaches due to DMRs being connected to web applications (or being web applications themselves), which makes them relatively easy targets
  • Diagnostic systems with direct connections to hospital networks; since these systems also have remote diagnostic capabilities for troubleshooting or downloading new software, a worm on the network that incapacitates, for example, all networked X-ray machines is not out of the realm of possibility

Security is a priority for all health care providers not only because of the stimulus money but also because of the possible civil and criminal penalties. Section XIII, Subtitle D of the American Recovery and Reinvestment Act of 2009 spells out the consequences for liable entities if patient privacy is breached.

Included within a long list of required actions in case of a breach: patients must be notified by mail within 60 days, Health and Human Services must be notified, and, if the breach involves more than 500 patients, the news media must also be notified. Individuals must also be given a way to contact the company to discuss the breach. Under the legislation, patients can also request an audit trail showing all disclosures of their health information made through an electronic record.

So health care reform is finally here, and with it another step towards the digital age. Looking back at our previous blog on Smart Grids, it is clear that every aspect of our daily lives will be affected by technology, and hence the need for strong security.