Published in the Fall 2011 UNC Medical Bulletin (The Medical Foundation of North Carolina)
Electronic health records and information security in the age of the hacker
By Whitney L.J. Howell
To this day, no one knows when or how the crime actually happened. The thief didn’t take any property and didn’t steal any money outright. But he did visit 83 different hospitals under the name of his victim and never paid the bills.
Now, collection agencies for the hospitals are calling, and they don’t care that the imposter racked up the charges or that the man they’re calling (not a UNC patient) is really a victim of medical identity theft.
“This client is now combatting 83 collections cases in various states for thousands of dollars because someone stole his name, Social Security number, and address,” says Pam Dixon, founder and executive director of the World Privacy Forum, a nonprofit, public interest group focused on privacy research, analysis, and consumer education. “Now, he has fraudulent medical files in these places and because the information is identical in all cases, he hasn’t been able to get on top of the problem.”
According to Dixon, medical identity theft is the fastest-growing type of identity theft nationwide, with reported incidents rising between 3 percent and 7 percent annually for the past decade. Many health care experts point to both the existence of electronic health records (EHRs) and the ability to move them around digitally, also known as health information exchange (HIE), as contributors to the crime’s rise.
North Carolina is not currently among the biggest adopters of EHRs, but state officials are set to enact several HIEs within the next few years. Those systems will make it easier and faster for physicians to share patient data long distance. However, they will also boost the opportunity for medical identity theft and HIPAA-protected patient information to be accidentally exposed or intentionally breached.
With the federal mandate to switch all patient records to electronic files by 2015 looming in the distance, it’s up to each provider or facility to put protective measures in place that appropriately balance patient privacy with a physician’s need to access medical information.
The current health of EHRs
The national nonprofit group Privacy Rights Clearinghouse reported 592 breaches of private patient information nationwide in 2010 – more than double that of 2009. Some exposures were the result of stolen laptops, and some resulted from outside persons illegally accessing medical files. The biggest threat, though, has been the disgruntled employee who breaches patient confidentiality from inside the system.
In an attempt to prevent the privacy breaches, the federal government passed the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH). The law calls on health care providers and facilities to demonstrate they’re using EHRs in a meaningful way by Oct. 1, 2012. It also allocates, along with the American Recovery and Reinvestment Act, more than $27 billion to encourage early adoption. In fact, under Medicare and Medicaid, providers who show they’ve met the requirements are eligible for $40,000 to $65,000 in incentives through 2017.
“In an effort to protect patients and patient rights, the government is trying to nudge institutions and vendors to tighten security and access to patient records,” says Michael Greenley, PhD, director of the RAND Center for Corporate Ethics and Governance. “There’s significant concern about this topic, and encouraging health care to make these changes is the right thing to do.”
Within 10 years, the Congressional Budget Office predicts that 90 percent of providers and 70 percent of hospitals will meet the standards for EHR meaningful use.
But the law doesn’t just affect providers. Patients now have enhanced rights around their medical information. At any point, a patient may request an audit trail of when and by whom their medical histories were accessed. And, if an institution is infiltrated, it must alert patients that their records have been compromised. But, because those types of requests would add a significant clerical burden to doctors’ offices, both the American Health Information Management Association and the Medical Group Management Association are now asking the U.S. Department of Health and Human Services to repeal that part of the law.
The impact of EHR privacy on an MD
For a physician, healing and positive outcomes aren’t the only clinical priorities. Properly documenting a patient’s health history is paramount, and EHRs make it easier to write notes, record prescriptions, and include information about past conditions and procedures.
But while instant electronic access to patient history can make it easier to create, coordinate, or improve a plan of care, some doctors are leery of relying on a digital database for such sensitive data.
These fears are understandable, but EHRs didn’t introduce privacy risks to health care, says Michael Barr, MD, vice president of practice advocacy and improvement at the American College of Physicians (ACP).
“I certainly appreciate the concerns about record breaches and the concern over exposure of information. People are very nervous about external parties accessing their information with malicious intent,” Barr says. “But this risk isn’t new to health care. Paper records can be lost, dropped, and thumbed through. A fax can be picked up by the wrong person.”
However, the possibility that someone could sneak a remote peek at a patient’s private data does make additional protection measures necessary, he says. Most importantly, physicians or clinics should have a health information technology (HIT) expert on staff to update and maintain the EHR hardware and software so they can effectively shield patient information. This person must be part of the office team to ensure the EHR is implemented in a useful and consistent way.
Although transferring patient records to an EHR can be both time consuming and worrisome, Barr recommends that physicians – especially those in more rural locations – take the plunge as soon as possible to ensure they comply with federal regulations.
“From a policy perspective, adopting an electronic health record earlier rather than later will give physicians and their offices time to learn the system,” he says, noting that practices must choose an EHR that has been certified by the Office of the National Coordinator, the chief federal entity charged with promoting HIT adoption. “Early implementation also provides time to create a workflow that helps doctors and protects patients.”
The pros and cons of EHRs
When EHRs first came on stage, many medical professionals viewed them as the silver bullet answer to all office conundrums. The belief was the new record system would streamline patient records and allow physicians to cut staff in order to save money. This initial impression hasn’t exactly proven true.
The systems do provide a faster, more efficient way to collate and organize personal health care details, but the technology isn’t always intuitive, says Harry Rhodes, director of practice leadership at the American Health Information Management Association (AHIMA). He agreed with the ACP’s Barr: the biggest challenge is maintaining in-house expertise to successfully use EHRs.
“We often see people purchasing and using an EHR for the first time with the intent of cutting staff and lowering administration costs,” Rhodes says. “The systems can eliminate the need for a file clerk, but the practices that reduce staff are often the ones victimized by security breaches because they have no one on staff to update the system and execute security patches.”
A correctly managed EHR does allow a practice to quickly and simply designate who can access a patient file and how. If an employee leaves a clinic or switches jobs away from one involved with direct patient care, a few clicks of a button eliminate his or her ability to see inside health records. Rhodes recommended the human resources department send IT administrators a bi-weekly employment update to keep access to the EHR system current.
Frequent EHR password changes can safeguard files in the meantime. Periodically creating a new alpha-numeric password for authorized employees can prevent recently dismissed or departed employees from illegally breaching records.
With the advent and prolific use of smartphone and wireless technology, however, the best thing a doctor, practice, or hospital can do to protect health records is to train staff so they know what they can and cannot do.
“It’s commonplace these days for employees to take work home on thumb drives or download files onto their laptops, but thieves can easily take advantage of weaker security on those devices,” Rhodes said. “Doctors and hospitals must take the time to train staff on which platforms are appropriate for EHRs. Knowing what not to do is a big tool in keeping records safe.”
How Carolina protects patient information
It’s a little-known fact that UNC Hospitals was among the first health systems to implement a comprehensive EHR. It built its 20-year-old system from the ground up and recently partnered with Siemens to manufacture the system on a large scale. UNC’s EHR platform will appear on the market under the Siemens brand in three years.
The heart of UNC’s EHR is housed offsite in a room to which only six people have access. The security around the router room is extensive, including 24-hours-a-day monitoring and an alarm. In an added step, the University has a complete duplicate of all patient records in a secondary location inside the hospital on campus. According to Robert Berger, MD, UNC’s chief medical information officer, the secondary location will take over immediately if the primary location becomes nonfunctional.
Each of these physical safeguards exists to support UNC’s mission of protecting patient privacy. They are only part of what the University does to protect patient data, however.
“We’re as safe as a bank,” says Berger, who is a practicing physician involved with creating UNC’s EHR. “Our biggest danger is a disgruntled employee who knows the system, has access, and logs into the database inappropriately.”
To protect against that internal danger, as well as external ones, UNC established a set of electronic safeguards. As with most secure systems, providers can only access the EHR through a secure portal. Inside the hospital firewall, the system is accessible from most computer terminals with the proper user name and alpha-numeric password. If a physician needs to access a record off-site, he or she can enter the system through a secure website.
“This site is highly encrypted,” Berger says. “We’ve never had anyone break the encryption, and if they did, we have measures in place to intercept their attempt. Any information would come over the screen to them as nonsense.”
Entering the wrong password three times will also shut a user out of the system. After the third incorrect entry, the account in question is immediately deactivated as a safety precaution. Log-in sessions are also automatically shut down if users are inactive in the system for 30 minutes.
Just because an employee has clearance to access the EHR system doesn’t mean he or she can open all patient records. Based on who the employee is – and who the patient is – Berger says the system can pinpoint an internal breach, identify the perpetrator and cut off his or her EHR access.
The protections around the EHR system are equally effective when combatting outside attacks. Sniffer and scanner software constantly troll through the EHR, looking for evidence of external assaults. So far, these methods have been effective.
“We have hundreds of attempts from outside hackers to break into our system every day,” Berger says. “In the 20 years that we’ve had our electronic health record system in place, none has ever been successful.”
The hospital is taking its safety measures a step further with a pilot test of a new patient portal that will allow patients to receive e-mail messages and test results from doctors. The new portal will be opt-in, and each time a doctor adds information to the file, patients will receive an e-mail, directing them to a secure, UNC-controlled site. After entering an alpha-numeric password, patients will be able to access their records and any messages from the doctor. The patient portal will be widely implemented by the end of this year.
A new e-prescribing system will also change how doctors prescribe medications, including narcotics, as well as keep a patient’s drug information safer. The password-protected system requires providers to both swipe their identification badges through a reader and enter a password that changes every 30 seconds. They can retrieve the password from a fob carried in their pocket. The dual authentication works to curb fraud and any unauthorized access to a patient’s medication files, Berger says.
While protecting patient information in clinical settings is of the utmost concern, UNC also has a system in place to shelter patient information used in research studies. Known as the Carolina Data Warehouse-Health, the system, launched in 2008, works more like a repository for de-identified information than a clinical EHR. The North Carolina Translational and Clinical Sciences Institute (NC TraCS), established in 2006, is its gatekeeper and is the only door through which physician-researchers can access the warehouse and all the patient data it holds.
“The Warehouse is UNC’s cutting edge, safe harbor of where all data used in research can go,” says Brent Lamm, NC TraCS IT manager. “It provides a secure workspace in a virtual environment for researchers.”
Investigators can log into the system with their ONYEN, search through files, and analyze rich data sets to use in retrospective studies. They cannot, however, download, e-mail, or otherwise excise the data from the Warehouse. This way, TraCS can be confident that no patient-related information falls into unapproved hands, Lamm says.
The physical equipment behind the Warehouse, which was constructed through a partnership with IBM, is housed offsite alongside the EHR system for the hospital and is protected behind the same set of security measures. Additionally, the School of Medicine recently upgraded its firewall, making protection for more computers and devices possible.
For investigators who have never worked with NC TraCS, the Institute provides experts who can walk them through the research, ethical, and Institutional Review Board rules they must follow both for their studies to succeed and to keep patient information safe. Seminars and workshops, such as training about HIPAA, are also available to teach faculty the proper way to use collected data.
“We have an operations committee and an oversight committee,” says Donald Spencer, MD, family medicine professor and Warehouse leader. “They ensure research studies are designed and executed properly.”
In addition to keeping research data secure, the Warehouse reduces the amount of time researchers spend analyzing data, lowering the time span that patient data is displayed on the screen. Before its existence, investigators would evaluate characteristics from hundreds of patient files, spending between 15 and 30 minutes on each one. The Warehouse technology can perform the same functions in only two to three hours.
In mid-2009, a data breach was detected on the Carolina Mammography Registry (CMR) database (a self-contained server not connected to the clinical EHR or the Data Warehouse) housed at UNC, potentially exposing data on 180,000 breast cancer research participants. Although there was no evidence of data theft, UNC quickly shut the server down and removed all of the data, and letters were sent to all of the patients informing them of the breach. The event prompted a review of, and several subsequent changes to, the CMR’s information security measures. Now, all research data at CMR are safer than ever.
The security measures in place in both the hospital and in University-side research allow physicians and investigators to conduct their work without the constant worry they will accidentally breach a patient’s confidentiality. However, it’s the public’s perception of these measures that matters most.
“It’s most important that the community knows UNC has established an ultra-secure system that protects electronic health records and other information that patients provide,” said Dennis Schmidt, the director of the School of Medicine’s Office of Information Systems. “People want to know that when they see a doctor or when they volunteer to be a study subject that their privacy will be respected and protected. Security is our No. 1 priority at UNC.”