Providing remote access to private healthcare data


We have access to nearly everything on-line – news of any variety, email, blogs (ahem), sports scores (congrats Colts!), music, family photos and our finances.  But why is our healthcare data still largely missing in action?  It's not because IT is incapable of making it accessible.  It's more about the skittishness of the healthcare industry to expose sensitive patient data.  The potential risks and consequences of granting the masses access to Electronic Protected Health Information (EPHI) are perceived to be far greater than the benefits that would actually be realized.

The Health Insurance Portability and Accountability Act (HIPAA) altered the landscape for how healthcare entities manage private electronic medical data.  Title II of HIPAA is normally the section which affects those of us in IT, and its aim is to create "standards for the use and dissemination of health care information."  While HIPAA is definitely a positive move in the protection of EPHI, it is also a major reason why that data is largely unavailable to patients over the Internet.  Even though covered entities are expected to self-govern, the threat of severe civil and even criminal penalties for non-compliance causes a reluctance to provide remote data access.

For all of the advancements made in technology, healthcare has grossly lagged behind in many ways.  You probably would not bank at a financial institution that does not offer the means to check your account balances on-line and make on-line bill payments.  The good news is you don’t have to.  Those have become basic perks which must be offered to customers in order to stay competitive. 

When is the last time you were able to log onto a website to access portions of your health record?  I know, most of you probably haven’t wanted to (yet), but I’m guessing the majority reading this have not even had the option to either.  I am personally more concerned about my financial data being exposed than I am about my medical history, but there are different laws governing the two industries.  (Strangely enough, many insurance carriers have been forward thinking enough to offer on-line claims access to their customers.) 

So what will it take to make personal medical data accessible by patients over the Internet?  Technically, not much.  Many physicians and other medical professionals can already access hospital lab results and medical charts from their offices and homes.  Access is usually granted through a web browser over an SSL VPN connection.  For additional security there is typically a firewall on the hospital network, additional access controls and an application-layer proxy, so the data is never exposed directly to the Internet.  It wouldn't take much additional technical effort to extend a similar level of access to a patient wishing to view their own medical records.

To assist healthcare entities, the Department of Health and Human Services (HHS) has grouped the risk management strategies for remote access into three areas: accessing, storing and transmitting EPHI.

  • Accessing EPHI – implement two-factor user authentication; establish session time-out parameters; use firewalls and updated anti-virus software.
  • Storing EPHI – deploy policy to encrypt backup and archival media; implement audit procedures; establish EPHI deletion policies; prevent download of EPHI onto remote systems; minimize use of browser-cached data.
  • Transmitting EPHI – implement strong encryption solutions.

HIPAA places the responsibility for data security on the covered entity.  HIPAA guidance focuses on healthcare employees and involved medical professionals who have a definite need to access protected information.  I simply don't read anything that suggests specific guidelines for a person needing or desiring access to their own medical records.  That usually requires a personal trip to the medical records department to sign a release form.

Government guidelines warn healthcare providers to be extremely cautious about allowing remote access to EPHI, and to only allow it when it is deemed absolutely necessary.  When providers do decide to offer remote access they must be prepared to prove that they have made every reasonable effort to maintain the confidentiality, integrity and security of the protected data.  Reasonable efforts should include data encryption, detailed audit logs and granular user access control.  Usage policies should also be in place which guard against potential abuse by requiring session timeouts and routine changes to unique user passwords.  Allowing remote access to users on insecure PCs takes a certain level of control away from the healthcare providers and places them at risk for legal action.  It is a risk most are not willing to take.
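The controls in the HHS list above (two-factor authentication, session time-outs, audit procedures, minimal browser caching) and the "reasonable efforts" named in the closing paragraph (audit logs, granular user access control, session timeouts) fit in a small sketch of a patient-portal access layer. The following is an added example written for this edit, not code from the original post or from any HHS guidance: the Portal class, the 15-minute idle limit, the user name, patient IDs and record text are all constructed for the demo, and the TOTP key is the test key from the RFC 6238 appendix.

```python
"""Toy patient-portal access layer for the controls named above: two-factor login
(TOTP, RFC 6238), idle session time-out, per-patient access control, an audit
trail and no-store headers so the browser does not cache EPHI.  Added example,
not code from the original post; names, the 15-minute limit and data are assumed."""
import base64
import hashlib
import hmac
import secrets
import struct

IDLE_TIMEOUT = 15 * 60   # seconds of inactivity before a session dies (assumed policy value)
TOTP_STEP = 30           # RFC 6238 time step
NO_CACHE_HEADERS = {     # sent with every EPHI response so it is not written to the browser cache
    "Cache-Control": "no-store, no-cache, must-revalidate, private",
    "Pragma": "no-cache",
}

def totp(secret_b32: str, for_time: float, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the default of common authenticator apps."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", int(for_time) // TOTP_STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret_b32: str, code: str, now: float, skew_steps: int = 1) -> bool:
    """Accept the current step plus/minus skew_steps of clock drift; constant-time compare."""
    return any(hmac.compare_digest(totp(secret_b32, now + s * TOTP_STEP), code)
               for s in range(-skew_steps, skew_steps + 1))

class Portal:
    def __init__(self, users, records, clock):
        self.users = users        # username -> {"password", "totp_secret", "patient_id"}
        self.records = records    # patient_id -> record text
        self.clock = clock        # callable returning epoch seconds (time.time in production)
        self.sessions = {}        # token -> {"user", "last_seen"}
        self.audit = []           # append-only trail: who did what, when, with what outcome

    def _log(self, event, user, outcome, **detail):
        self.audit.append({"ts": self.clock(), "event": event, "user": user,
                           "outcome": outcome, **detail})

    def login(self, username, password, otp):
        """Two-factor login: password, then TOTP.  Returns a session token or None."""
        user = self.users.get(username)
        # Demo keeps plaintext passwords; a real portal stores a salted hash (argon2/bcrypt).
        if user is None or not hmac.compare_digest(user["password"], password):
            self._log("login", username, "fail", reason="bad password")
            return None
        if not verify_totp(user["totp_secret"], otp, self.clock()):
            self._log("login", username, "fail", reason="bad otp")
            return None
        token = secrets.token_hex(16)                          # unguessable session id
        self.sessions[token] = {"user": username, "last_seen": self.clock()}
        self._log("login", username, "ok")
        return token

    def _session(self, token):
        """Return the live session for token, expiring it if idle too long."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        now = self.clock()
        if now - sess["last_seen"] > IDLE_TIMEOUT:
            del self.sessions[token]
            self._log("session", sess["user"], "expired")
            return None
        sess["last_seen"] = now                                # sliding idle window
        return sess

    def get_record(self, token, patient_id):
        """Return (status, headers, body); a patient may read only their own record."""
        sess = self._session(token)
        if sess is None:
            return 401, NO_CACHE_HEADERS, ""
        if self.users[sess["user"]]["patient_id"] != patient_id:
            self._log("read", sess["user"], "denied", patient_id=patient_id)
            return 403, NO_CACHE_HEADERS, ""
        self._log("read", sess["user"], "ok", patient_id=patient_id)
        return 200, NO_CACHE_HEADERS, self.records[patient_id]

def demo():
    """Exercise the controls with constructed users, records and a fake clock."""
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"                # base32 of the RFC 6238 test key
    now = [1111111109.0]                                       # an RFC 6238 test-vector time
    alice = {"password": "correct horse", "totp_secret": secret, "patient_id": "P-1001"}
    records = {"P-1001": "HbA1c 5.4% (constructed)", "P-2002": "CBC normal (constructed)"}
    portal = Portal({"alice": alice}, records, clock=lambda: now[0])
    out = {}
    out["bad_password"] = portal.login("alice", "wrong", totp(secret, now[0])) is None
    out["bad_otp"] = portal.login("alice", "correct horse", "12345") is None  # one digit short
    token = portal.login("alice", "correct horse", totp(secret, now[0]))
    out["own_record"] = portal.get_record(token, "P-1001")[0]              # 200
    out["other_record"] = portal.get_record(token, "P-2002")[0]            # 403: not her record
    now[0] += IDLE_TIMEOUT + 1                                             # patient walks away
    out["after_idle"] = portal.get_record(token, "P-1001")[0]              # 401: session expired
    out["audit"] = [(e["event"], e["outcome"]) for e in portal.audit]
    return out

if __name__ == "__main__":
    print(demo())
```

Running it, demo() walks through a failed password, a mistyped one-time code, a successful login, a read of the patient's own record, a denied read of someone else's, and a 401 once the session has idled past the limit, with every step landing in the audit trail. Transport encryption is left to TLS on the proxy in front of this code, and the no-store headers only discourage the browser from keeping a copy; preventing downloads to the remote PC remains a policy matter that code alone cannot enforce.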

14 comments
jtgailey4

I'm sure glad someone else is reading all this. I am an IT Auditor, I have performed multiple HIPAA 164 audits for healthcare, insurance companies, and medical product manufacturing. Not one entity I've audited since 1998 in respect to HIPAA had a clean bill of health. eHealth Records ... not on your life or mine. The latest HHS audit report I read was really scary. I've been in meetings and conferences where attorneys have told management and conference attendees ... to not worry about complying with HIPAA ... until they have a serious or costly issue ... again, the consumer - you and me - takes an unnecessary hit ....

stress junkie

It seems to me that the article shows a cavalier attitude toward security. Statements like "You wouldn't do business with a bank that lacks on line access to your accounts." (paraphrased) show a complete failure to value security over convenience. I have not enabled Internet access to my bank account(s) and I never will do so. I don't trust the skill level of the people who run the computers at my bank, or at the local hospital, or my doctor's office, or my security agent's office. Any security, but here we're talking about data security, is an attempt to minimize risks. Every convenience reduces security. Every access path is an attack vector. Security is a moving target. You cannot create a fully secure environment. All that you can do is to reduce risk. When you look at security in this way then the only responsible approach to security includes a policy to minimize the number of routes that are available to access the data. I would prefer to do business with a bank that did not allow any access to accounts over the Internet. I would prefer to do business with any vendor that realized that making sensitive data accessible to the Internet is ill advised even when you have highly skilled computer sysadmins who always do their job to the best of their ability. In the real world most computer sysadmins would rather spend the day playing World of Warcraft than reading security logs, or reports summarizing log file contents. Most computer sysadmins do not fully understand the variety of security tools that are available or how to implement, configure, and use them. You cannot adopt a complacent attitude toward security and expect to keep bad guys out of the system. We hear about sensitive data being exposed at retail establishments on a regular basis. We hear about how U.S. Department of Defense computers are compromised several times a year. 
I cannot understand how anyone can know full well that corporate and even military computer systems are not being run securely and then advocate making more sensitive data available to Internet access. What does it take to get through to you Bill? Are you unable to connect the dots? Do you think that hospitals and small medical offices are somehow protected from malicious attacks? Do you not understand that the same people who failed to secure the TJ Maxx computers are the ones that will fail to secure your local hospital computers? How can you not understand that? Total security is an illusion. Defeating any security system is simply a matter of skill, opportunity, and effort. If you can reduce the number of people who have the opportunity to attack a computer system then you increase the effective security. Likewise, when you increase the number of people who have the opportunity to attack a computer system then you decrease the effective security. I don't want to have my medical records accessible from the Internet. Anyone that understands security would adopt the same preference.

DanLM

I don't know, I can understand the health care industry's reluctance to make this information available online due to security concerns. But, then I think about the fact that you have no idea how your information is getting into the system. What I mean is, a lot of people make extra money keying this at home and then delivering the data via mail/??? to where it is uploaded. Ok, I know of no checks and balances here at the first level. Does anyone? I think this first level of data entry is the biggest threat of data loss and until this hole is closed the health industry would just be opening themselves up further to possible data loss. If I am wrong about this data entry by home users, please show me wrong and I will definitely feel a heck of a lot better. But, I have worked with people that did this. Dan

rjollos

And most doctors offices have locks on the door and maybe a low cost security system. So even in paper form someone could go into the office and steal your medical records. Or they could be stolen while being couriered between clinics. Perhaps the night security guard would rather be playing World of Warcraft as well. So you could extend your argument to say that medical information should not be written and stored on paper. Your argument includes many good points, but is one-sided. You apparently do not value convenience (i.e. cost savings) at all, whereas most people are willing to assume some risk in order to save time and money. Online banking saves me several hours each month, and I don't have to worry about my bank and credit card information being stolen from the mail (because I don't have paper copies sent). Mail theft is a huge issue as well, so there is a trade-off there. Granted, I am sure that I do not know as much about security as you, but I do understand that security does not apply to the internet only, and the internet allows great convenience. So I weight the two in making my decision. Given that online medical records could save billions per year in the health care industry, I would not discard the concept entirely because the internet has security issues.

Dontknowwhatimdoing

We even provide our clients with laboratory results on the web. Data entry is performed on site or by a secure connection to our server. BTW, the gov. is working on a standard, can't remember what it is called, that will allow data to be transferred electronically between labs, doctors, hospitals, etc. Allan

R153nm

In fact, I'm about five feet from our server right now. Of the seven or eight people I can think of that do data entry, none do it from home (although we did about 6 years ago, before most went in-house). I can't speak for the entire medical community but it seems pretty SOP since HIPAA.

Why Me Worry?

and the reason behind this is due to the complete lack of knowledge and understanding by the medical community of how VPNs, IPSec, SSL, and public/private key encryption work. The medical industry is still in the dark ages in terms of technology and IT to them is some obscure and abstract science that they simply cannot embrace. My wife works in the Healthcare Management field and she tells me that IT is seriously lacking in large hospitals and other medical practices, but it's their lack of funding and ignorance of modern technology which is behind a lot of the restrictions governed by HIPAA rules.

stress junkie

If I read your post correctly then we only differ in where to draw the line when we are trying to determine how much convenience we want at the expense of security. Your argument that paper records are not totally secure does not make sense. It is not possible for someone in Moscow to break into a hospital records room in San Francisco. The Internet multiplies the opportunities for break ins far beyond those of a locked room. It is this increase in opportunity for malicious people to access the data that is at the heart of this issue. When you have paper records in a locked room then there is a relatively small number of people who can reach the room. When information is stored on a networked computer then the number of people who can reach the data is multiplied by millions. Given the sad state of computer support I think that making medical records accessible via the Internet is not worth the convenience gained. People are always the weakest link in any security system. The system administrators who don't care enough about their responsibilities to do their job correctly and thoroughly are probably at the heart of the numerous stories that we hear about commercial databases being hacked. Whenever I work with a team of system administrators I am always very discouraged at the lack of interest shown by many of my colleagues in doing their job better. Business management is also at fault. I've worked at many businesses because I've been a consultant for most of my career. The number of managers that don't do their job properly is almost 100 percent. You can point out problems in security to management and in most cases they will dismiss the problems as being unimportant and not worth the time and money required to address them. It is very discouraging. Even if everybody were doing their job to the best of their abilities the area of security is very dynamic. It is impossible for any one person to truly be expert in this area. 
There are new vulnerabilities being discovered, new exploits being developed, and new security techniques being developed all of the time. Any particular system administrator is very likely to be lagging in knowledge about the most recent developments, techniques, and concerns that apply to any particular computer environment. Then, lastly, even when everything that can be done is done you cannot conclude that your security is finished. For example, you may use SSL/TLS connections to access email from the Internet on your server. That's nice but it is not immune to exploit. You may have a nice firewall between your LAN and the Internet. That's important but there are ways to get through a firewall for malicious purposes. You might have virus detection software on all of your machines but there are many viruses and trojans that are not detected by any particular antivirus software package. You can even layer your security so that when one defense is broken then there are still more layers that hackers have to break before they can do whatever they have in mind to do. There is still the possibility that someone will break all of the layers of security that you have implemented. All of these issues combine to create a situation where we cannot accept the risk of exposing confidential data to Internet access. The risk of having that data fall into the wrong hands is too great. Currently we see too many successful information robberies performed over the Internet to believe that security can be attained by the average corporation. Even if the reason that these data robberies were successful was that the system administrators didn't do their job properly we still have to accept the fact that this is the way of the world. Most system administrators and their managers will refuse to do their job properly. That means that we have to seek security in a way that does not require the system administrators to do their job properly. 
We have to ensure that the data are not accessible from the Internet under any circumstances. We might assess the risk of having the data fall into the wrong hands as being closer to acceptable if people would all do their job correctly. Unfortunately people are assholes. Most people will spend their day playing computer games if they have the opportunity to do so. That is the principal reason that we cannot deliberately establish access to medical records over the Internet. People are lazy irresponsible assholes. That's it. That's reality. The fact that these corporations are not facing any punitive consequences of any significance when they fail to protect confidential personal data is also part of the problem. When you hear about a corporate customer database being hacked there are never any consequences mentioned. These corporations don't care about spending money on enhancing their computer security. They will save money if they ignore the risks because even if their computers are hacked they will not have to face any consequences. Nobody will lose their job. The corporation will not be fined. Nothing will happen. No penalties will be imposed on anybody. So our society is part of the problem. We do not punish people when they neglect their responsibilities. This lack of consequences encourages corporate managers to save money by ignoring computer security and it encourages system administrators to neglect their responsibilities. All of these circumstances create a situation where the risk of data that is accessible by the Internet falling into the wrong hands is too great to accept.

DanLM

That does make me feel better. Dan

IMFerret

I have worked as an IT prof. in Healthcare for a number of years. In my current role, I am quite involved with HIPAA compliance. With that said, I can safely assure you that remote access is not prohibited by HIPAA. As a matter of fact, the HIPAA rule is so vague and open to "reasonable and appropriate" at every turn, that there is a great deal of freedom in "complying". Unfortunately, this along with lack of external enforcement has led to a very lax security posture. With regard to comments pertaining to Healthcare's lack of IT interest, allow me to offer some 'insider' perspective: Healthcare is not lacking for IT interest and use. The problems are actually the result of the very unique business structures in Healthcare. These may make it appear to be lacking to the unaware person. There are a number of fundamental issues for IT in healthcare. First is that there are IT decision makers in every department (we're not just talking Finance, HR only here. We're talking about Cardiology, Oncology, ICU, Physical Rehab, Sleep Center, Nursing, Individual Physician's practices AND HR, Finance, etc.) Each department has very unique needs with very unique IT vendors filling those needs. Each of their systems has one or more ways that make integration into the overall infrastructure difficult. A second issue is that Healthcare IT staff is typically not paid at the same level as those in other businesses. This leads to a large percentage of long-term staff that lack strong skills. This in turn leads to systems that are cobbled together and left largely as they are for fear of 'breaking' them. Third, for many years Healthcare IT vendors would not allow for patches and upgrades because each one was interpreted as a major change and would breach certain FDA certifications of their systems. This led to, for example, Windows NT 4.0 servers being run without patches installed and well past the end-of-support from Microsoft. 
This in turn prevents or hinders certain infrastructure upgrades and performance improvements. A fourth issue involves monetary investment. Most of the specialized Healthcare IT systems are extremely expensive and budgets for them are made without consideration for overall infrastructure requirements. Therefore they are often purchased and implemented with the IT groups struggling to integrate them into a taxed and/or incapable infrastructure. Required upgrades must be requested as additional costs and upper management views these as often unnecessary or too costly. All of these items lead to security investment being the last thing considered, if at all. In short, I am in agreement with those that say we SHOULD NOT make medical records available to individual patients. Others have commented on the human condition leading to insecurity, and I agree with those comments. Add to that the lack of real consideration given it by the management of Healthcare facilities and you have a recipe for disaster.

stress junkie

That's discouraging. I'm sure that there is no lack of funding when it comes to determining the salaries of the top management at the hospital.

fsiedenburg

Don't forget that the vast majority of medical claims (which contain PHI) become electronic through outsourced scanning and transcription via other countries. Very often claims forms and supporting documentation as well as digitally recorded voice information from doctors are sent to India and other countries via mail and internet for transcription and scanning to electronic form and then sent back to the US. Therein lies a huge risk of compromising EPHI.

Why Me Worry?

because they see IT as a useless cost center. When these idiots in charge of hospitals realize that IT is an integral part of their business instead of a "useless business expense", then we will start seeing things improve. First, the old school mindset has to be changed before IT has any say in the medical field.
