Security and privacy of electronic personal health information entail the same concepts as security for any other electronic data, such as personal financial data.
I believe the top three requirements for security of electronic data are:
- Confidentiality – keeping data hidden. Data is encrypted both at rest (in the database) and in transit (over TLS, the successor to SSL).
- Integrity – ensuring data is trustworthy and has not been modified. This can be accomplished with digital signatures (or, within a single trusted system, message authentication codes), which let a reader detect any alteration after the data was written.
- Access – access and audit controls. Implement access controls to govern who can read or change the data. Usually this follows the least privilege principle: grant a user only the role or privilege that covers the minimal data they need to perform their function. Complementary to access controls are audit logs: record who accessed the data, what they did and at what time. Another application of roles and privileges is separation of duties; in the financial world one might ensure that the person who makes out a check cannot sign it, preventing a dishonest user from making a check out to themselves or to a friend.
In the financial world the concern is that a user who reads or modifies data without the required access rights may misuse that data. For example, a hacker steals credit card numbers from the database of an online merchant and then makes purchases with those cards. Similarly, in the United States, stolen social security numbers are used to create fake identities.
Implications for digital patient information stored in electronic health records or similar.
US regulations (the HIPAA breach notification rule) require that covered entities disclose breaches of electronic health data, as highlighted by Lisa Gallagher.
The security policy for an Electronic Medical Record that contains Personal Health Information involves three entities:
1. Subject – the patient. The subject may act through an agent: for example, the agents of a newborn baby are its parents, and an advance directive (such as a living will or healthcare power of attorney) can designate an agent to make decisions on behalf of an incapacitated person.
2. PHI – Personal Health Information (in HIPAA terms, Protected Health Information) – the actual medical and personal data about the patient.
3. Clinician – the physician or other practitioner treating the patient.
Theft of personal electronic medical data can be used for nefarious financial purposes, such as billing Medicare for services not rendered. However, I believe there are greater risks, as follows:
- Integrity – are we certain that this data belongs to this patient and has not been altered? A wrong allergy or blood type in a record is a safety risk, not just a privacy one.
- Confidentiality – preventing data from being posted to the Internet.
It is paramount that data in electronic medical records is never overwritten or deleted, only appended to: a correction is recorded as a new entry that supersedes the earlier one, so the history of what was known, and when, is preserved.
Auditors should only access a copy of a patient’s record, never the original, so that they cannot alter or append data.
A physician should have the privilege to change who has access to an electronic record. For example, when a patient is referred from a family physician to a specialist, the family physician grants the specialist access to the patient’s medical record. At all times the patient should be able to see who has access to their medical record.
Exceptions to these access rules:
- In an emergency, access may be granted to a treating clinician without the prior authorization of the subject (the patient or their agent); such access must still be logged.
- Court-ordered access to a medical record.
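The rules above (append-only records, copies for auditors, a physician delegating access on referral, the patient seeing who holds access, and logged emergency access) can be expressed in a small model. The following is an added example written for this page, not code from the original post or from any EMR product; the actor names, roles, notes and the HMAC key are constructed for illustration, and HMAC stands in for the digital signature a real system would use.

```python
import copy
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed key held by the EMR system itself, never by clinicians. Assumption:
# a real deployment would use an asymmetric signature with the key in an HSM.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"

# Least privilege: each role gets only the operations its function requires.
CAN_READ = {"subject", "agent", "clinician", "auditor"}
CAN_APPEND = {"clinician"}
CAN_GRANT = {"subject", "agent", "clinician"}


class AccessDenied(PermissionError):
    pass


class PatientRecord:
    """Append-only record: entries are never overwritten or deleted, only added."""

    def __init__(self, patient_id, subject):
        self.patient_id = patient_id
        self._entries = []                   # callers only ever receive copies
        self._grants = {subject: "subject"}  # actor -> role
        self.audit = []                      # who did what, and when
        self._head = hashlib.sha256(patient_id.encode()).hexdigest()

    def _log(self, actor, action, detail=""):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "actor": actor, "action": action, "detail": detail})

    def _require(self, actor, allowed, action):
        if self._grants.get(actor) not in allowed:
            self._log(actor, action, "DENIED")
            raise AccessDenied(f"{actor} may not {action} {self.patient_id}")

    def _tag(self, entry):
        # MAC over the entry body plus the previous tag: a hash chain.
        body = json.dumps({k: entry[k] for k in ("seq", "author", "note", "prev")},
                          sort_keys=True).encode()
        return hmac.new(INTEGRITY_KEY, body, hashlib.sha256).hexdigest()

    def append(self, actor, note):
        self._require(actor, CAN_APPEND, "append")
        entry = {"seq": len(self._entries), "author": actor, "note": note, "prev": self._head}
        entry["tag"] = self._tag(entry)
        self._entries.append(entry)
        self._head = entry["tag"]
        self._log(actor, "append", f"seq={entry['seq']}")

    def grant(self, granter, grantee, role):
        # A clinician (or the patient) may extend access, e.g. on referral,
        # but nobody can hand out the subject role itself.
        self._require(granter, CAN_GRANT, "grant")
        if role == "subject" or role not in CAN_READ:
            self._log(granter, "grant", f"DENIED {grantee}:{role}")
            raise AccessDenied(f"cannot grant role {role}")
        self._grants[grantee] = role
        self._log(granter, "grant", f"{grantee}:{role}")

    def who_has_access(self, actor):
        # The patient (or their agent) can always see who holds access.
        self._require(actor, {"subject", "agent"}, "list_access")
        self._log(actor, "list_access")
        return dict(self._grants)

    def read(self, actor):
        # Everyone, auditors included, gets a copy; the original stays untouched.
        self._require(actor, CAN_READ, "read")
        self._log(actor, "read", f"{len(self._entries)} entries")
        return copy.deepcopy(self._entries)

    def emergency_read(self, actor, justification):
        # Break-glass: bypasses the grant list but is always logged with a reason.
        self._log(actor, "EMERGENCY_READ", justification)
        return copy.deepcopy(self._entries)

    def verify(self):
        # Recompute the chain; any edit, reorder or deletion breaks it.
        prev = hashlib.sha256(self.patient_id.encode()).hexdigest()
        for seq, e in enumerate(self._entries):
            if e["seq"] != seq or e["prev"] != prev or not hmac.compare_digest(e["tag"], self._tag(e)):
                return False
            prev = e["tag"]
        return prev == self._head


def demo():
    """Referral flow with constructed actors; returns the record and two integrity checks."""
    rec = PatientRecord("patient-001", subject="pat")
    rec.grant("pat", "dr_family", "clinician")          # patient's family physician
    rec.append("dr_family", "BP 140/90; refer to cardiology")
    rec.grant("dr_family", "dr_cardio", "clinician")    # referral: GP grants the specialist
    rec.append("dr_cardio", "ECG normal")
    rec.grant("pat", "auditor1", "auditor")
    audit_copy = rec.read("auditor1")
    audit_copy[0]["note"] = "altered copy"              # only the auditor's copy changes
    ok_before = rec.verify()
    rec._entries[0]["note"] = "BP 120/80"               # direct tampering with the store
    ok_after = rec.verify()
    return rec, ok_before, ok_after


if __name__ == "__main__":
    record, before, after = demo()
    print("chain intact:", before, "| after tampering:", after)
    for line in record.audit:
        print(line["ts"], line["actor"], line["action"], line["detail"])
```

Two design points worth noting. The store never exposes its list: `read` and `emergency_read` return deep copies, so an auditor editing what they were given cannot touch the record, while an edit to the underlying store (the last step of `demo`) is caught by `verify` because the chained tags no longer match. Denied attempts are written to the audit log before the exception is raised, so the log also records who tried to exceed their privilege.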
A conflict-of-interest scenario is also possible: a medical practitioner breaks into an EMR and faxes prescriptions to themselves. This is where separation of duties and audit logging apply: the prescriber should not be able to act as the patient of record, and every access should be attributable to a named user.
In closing, HIMSS conducted a survey, sponsored by Symantec, of security policies and procedures in place at medical institutions.