Under the recently unveiled 2018 budget plan, the government seeks to invest up to MYR 26.58 billion in federal funds to achieve widespread healthcare transformation. A principal reason for this initiative is to improve our nation's health care system by reducing long-term costs and increasing the effectiveness of our health outlays.
So, what exactly is an Electronic Medical Record and what does this mean for REMEDi’s security and privacy features?
At REMEDi’s core, an Electronic Medical Record (EMR) is the effective capture, dissemination, and analysis of medical and health related information for a single patient. All participants in the health care delivery system have a stake in efficient information flows. They include health care providers, insurers, government agencies, claims processors, and patients. Thus REMEDi’s term EMR has a slightly different meaning depending on one's perspective. Indeed, Electronic Medical Records managed by individuals are termed Personal Health Records (PHRs). PHRs capture all relevant personal health details, including diagnoses, X-Rays, and similar items into a single repository. Individuals are then empowered to make health decisions for themselves, to easily choose among providers, to selectively disclose medical conditions, and to receive optimum care during emergencies. Both Google and Microsoft offer services for individuals to create, manage, and store their PHRs. We expect that there will be an explosion in demand as the computer-savvy population ages.
The focus of this article, however, is on the secure use of EMRs by REMEDi in a regulatory arena rife with complexity and with strict privacy and safety requirements. Consider a typical hospital with REMEDi. Using REMEDi, doctors can conduct much of their business totally electronically. This is in sharp contrast to traditional care environments where paper shuffling is the norm. Using REMEDi, doctors can review patient histories and charts, obtain laboratory results, generate referrals for specialist consultations, prescribe medicines, and diagnose doctors’ notes all without the use of paper. This sounds utopian, and in many ways it is.
But the soft underbelly of REMEDi is the difficulty in adequately securing such records. Key security and privacy concerns for REMEDi include:
Hacking incidents on REMEDi that lead to the alteration or destruction of patient data
Misuse of health information records by authorized users of REMEDi
Long term data management concerns surrounding REMEDi
Government or corporate intrusion into private health care matters
At first glance, these issues do not appear to be very difficult to solve. The reality is that hospitals and other care environments are complex institutions with complex workflows. A great many staff need immediate access to medical records. These include emergency technicians, admitting staff, doctors, nurses, and back-office personnel in billing and accounting. A quick fix might be to install role based access control (RBAC) mechanisms that allow for fine-grained permissions.
But in a security and remediation effort we conducted for a large health care provider, we discovered that retrofitting RBAC mechanisms into REMEDi was actually quite a complex undertaking. Assigning roles is particularly tricky across various hospital departments and personnel. An inadvertent stripping of viewing rights, for example, could result in a surgeon being unable to view critical images in the operating theater. That could easily lead to a catastrophe, and so ease-of-access considerations remain paramount. In our view, this has resulted in REMEDi implementations having less than desirable security postures.
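One way to guard against the inadvertent stripping of viewing rights described above is to check every proposed role change against a list of access that clinical workflows cannot lose, and to refuse the change if any of it would go missing. This is an added example, not code from REMEDi; the role names, permission tuples and the critical-access list are hypothetical.

```python
# Added example: role names, permissions and the critical list are hypothetical.

# Constructed current policy: role -> set of (resource, action) permissions.
CURRENT = {
    "surgeon": {("imaging", "view"), ("chart", "view"), ("prescription", "write")},
    "nurse": {("chart", "view"), ("lab_result", "view")},
    "billing": {("invoice", "view"), ("invoice", "write"), ("chart", "view")},
}

# Access that care delivery depends on and that no change may remove
# (assumed to be maintained with clinical leads, outside the RBAC tool).
CRITICAL = {
    "surgeon": {("imaging", "view"), ("chart", "view")},
    "nurse": {("chart", "view")},
}

# Constructed change: tightens billing, but also drops surgeon imaging access.
PROPOSED = {
    "surgeon": {("chart", "view"), ("prescription", "write")},
    "nurse": {("chart", "view"), ("lab_result", "view")},
    "billing": {("invoice", "view"), ("invoice", "write")},
}


def review_change(current, proposed, critical):
    """Return (blocking, removed): critical grants the proposal would leave
    missing, and every grant it removes, as sorted (role, permission) pairs."""
    blocking, removed = [], []
    for role in sorted(set(current) | set(proposed) | set(critical)):
        new = proposed.get(role, set())
        removed += [(role, p) for p in sorted(current.get(role, set()) - new)]
        blocking += [(role, p) for p in sorted(critical.get(role, set()) - new)]
    return blocking, removed


def apply_if_safe(current, proposed, critical):
    """Adopt the proposal only when no critical grant is lost; otherwise keep
    the current policy so clinical access is never interrupted by the change."""
    blocking, _ = review_change(current, proposed, critical)
    return (current if blocking else proposed), blocking


if __name__ == "__main__":
    policy, blocking = apply_if_safe(CURRENT, PROPOSED, CRITICAL)
    for role, (resource, action) in blocking:
        print(f"BLOCKED: {role} would lose {action} on {resource}")
    for role, (resource, action) in review_change(CURRENT, PROPOSED, CRITICAL)[1]:
        print(f"removed: {role} {action} {resource}")
```

The removal of chart viewing from billing is reported but does not block the change, so privilege tightening can proceed while the surgeon regression is caught before deployment.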
Take, for example, an unauthorized disclosure of medical records to the press for an individual with the HIV virus. The effect could be devastating. Unintended outcomes might include family or community ostracism, job loss and denial of medical benefits. While there are legal statutes to prevent harmful effects of such disclosures, practically these may be of little solace to the individual whose record was released. One can imagine an insurer denying claims by insisting that the condition was pre-existing. These situations can and do occur in real life, and hospitals and care providers must take heed.
The probability of a large security breach also leaves many hospital administrators and compliance officers shuddering over the spectre of privacy violations. PDPA and healthcare policy violations can have severe consequences.
From our work at a large health care provider, we found that security breaches could be relatively easy to accomplish. Many EMRs are now connected to web applications (or are web applications themselves) making for relatively easy targets. We also found diagnostic systems that have direct connections to the hospital networks. Since these systems also have remote diagnostic capabilities for troubleshooting or downloading new software, installing a worm on the network that incapacitates, for example, all networked X-Ray machines is not out of the realm of possibility.
At one facility, observations that subsequently led us to a focused remediation path included:
The compliance organization at the facility was hampered by inadequate technology, resources and processes for monitoring and acting on potential privacy violations.
Application security vulnerability identification and management by the EMR vendor was inadequate and sorely needed.
Security monitoring, especially at the application and database level, needed substantial improvement.
Secure data lifecycle management was not a priority during EMR system deployment. As a result, items of specific concern included:
Haphazard long term data storage and archiving approach
Inappropriate data purging
Murky data ownership responsibilities
Inadequate procedures and systems for information asset discovery
Inadequate data classification
Insecure handling of physical media
While contemplating doomsday scenarios alone is not helpful, we believe that hospitals and large health institutions must tackle the notion of security and privacy in a very diligent and holistic way--almost akin to what the financial industry did to secure its transaction systems in the mid-2000s. Without a concerted effort at every layer of the information infrastructure (device, network, and application), strict policies and use guidelines, and accurate monitoring capabilities, EMR deployments could crawl to a halt. The country needs better answers for securing EMRs.