Under his recently unveiled fiscal stimulus plan, President Obama seeks to invest up to $20 Billion in federal funds to achieve widespread deployment of Electronic Medical Records (EMRs). A principal reason for his initiative is to improve our nation's health care system by reducing long term costs and increasing effectiveness of our health outlays. So what exactly is an Electronic Medical Record and what does this new direction mean for security and privacy professionals?
At its core, an Electronic Medical Record (EMR) is the effective capture, dissemination, and analysis of medical and health related information for a single patient. All participants in the health care delivery system have a stake in efficient information flows. They include health care providers, insurers, government agencies, claims processors, and patients. Thus the term EMR has a slightly different meaning depending on one's perspective. Indeed, Electronic Medical Records managed by individuals are termed Personal Health Records (PHRs). PHRs capture all relevant personal health details, including diagnoses, X-Rays, and similar items into a single repository. Individuals are then empowered to make health decisions for themselves, to easily choose among providers, to selectively disclose medical conditions, and to receive optimum care during emergencies. Both Google and Microsoft offer services for individuals to create, manage, and store their PHRs. We expect that there will be an explosion in demand as the computer-savvy population ages.
The focus of this article, however, is on the secure use of EMRs by institutions and health providers in a regulatory arena rife with complexity and with strict privacy and safety requirements. Consider a typical hospital with a relatively well functioning EMR system. Using EMRs, doctors can conduct much of their business totally electronically. This is in sharp contrast to traditional care environments where paper shuffling is the norm. Using EMRs, doctors can review patient histories and charts, obtain laboratory results, generate referrals for specialist consultations, prescribe medicines, and diagnose images all without the use of paper. This sounds utopian, and in many ways it is.
But the soft underbelly of EMRs is the difficulty in adequately securing such records. Key security and privacy concerns for EMR systems include:
- Hacking incidents on EMR systems that lead to altering of patient data or destruction of clinical systems
- Misuse of health information records by authorized users of EMR systems
- Long term data management concerns surrounding EMR systems
- Government or corporate intrusion into private health care matters
At first glance, these issues do not appear to be very difficult to solve. The reality is that hospitals and other care environments are complex institutions with complex workflows. A great many staff need immediate access to medical records. These include emergency technicians, admitting staff, doctors, nurses, and back-office personnel in billing and accounting. A quick fix might be to install role based access control (RBAC) mechanisms that allow for fine-grained permissions.
But in a security and remediation effort we conducted for a large health care provider, we discovered that retrofitting RBAC mechanisms into an existing EMR system was actually quite a complex undertaking. Assigning roles is particularly tricky across various hospital departments and personnel. An inadvertent stripping of viewing rights, for example, could result in a surgeon unable to view critical images in the operating theater. That could easily lead to a catastrophe and so ease of access considerations remain paramount. In our view, this has resulted in most EMR systems implementations to have less than desirable security postures.
Take, for example, an unauthorized disclosure of medical records to the press for an individual with the HIV virus. The effect could be devastating. Unintended outcomes might include family or community ostracism, job loss and denial of medical benefits. While there are legal statutes to prevent harmful effects of such disclosures, practically these may be of little solace to the individual whose record was released. One can imagine an insurer denying claims by insisting that the condition was pre-existing. These situations can and do occur in real life, and hospitals and care providers must take heed.
The probability of a large security breach (of the network or EMR application) also leaves many hospital administrators and compliance officers shuddering over the specter of privacy violations. Health Information Portability and Accounting Act (HIPAA) violations can have severe consequences, and new state regulations such as in California impose considerable penalties for the errant disclosure of medical records.
From our work at a large health care provider, we found that security breaches could be relatively easy to accomplish. Many EMRs are now connected to web applications (or are web applications themselves) making for relatively easy targets. We also found diagnostic systems that have direct connections to the hospital networks. Since these systems also have remote diagnostic capabilities for troubleshooting or downloading new software, installing a worm on the network that incapacitates, for example, all networked X-Ray machines is not out of the realm of possibility.
At one facility, observations that subsequently led us to a focused remediation path included:
- The compliance organization at the facility was hampered by inadequate technology, resources and processes for monitoring and acting on potential privacy violations.
- Application security vulnerability identification and management by the EMR vendor was inadequate and sorely needed
- Security monitoring especially at the application and database level needed substantial improvement.
Secure data lifecycle management was not a priority during EMR system deployment. As a result items of specific concern included:
- Haphazard long term data storage and archiving approach
- Inappropriate data purging
- Murky data ownership responsibilities
- Inadequate procedures and systems for information asset discovery
- Inadequate data classification
- Insecure handling of physical media
While contemplating doomsday scenarios alone is not helpful, we believe that hospitals and large health institutions must tackle the notion of security and privacy in a very diligent and holistic way—almost akin to what the financial industry did to secure their transaction systems in the mid 2000's. Without a concerted effort at every layer of the information infrastructure (device, network, and application), strict policies and use guidelines, and accurate monitoring capabilities, EMR deployments could crawl to a halt. The country needs better answers for securing EMRs. With the imminent outlays proposed by our new President to modernize our health care system, security professionals must step to the fore. ##
Feisal Nanji, CISSP, is Executive Director at Techumen, a consulting firm that focuses on security, compliance, and privacy issues for health institutions. He can be reached at: firstname.lastname@example.org.