Are Online Electronic Health Records Secure?

Most of what I’ve read and previously written about electronic health records has been about making them work better or getting more clinicians to use them. Security of patients’ on-line data hasn’t been a major topic of concern. I’ve assumed that this was because these concerns had mostly been addressed back in the late 1990s during the development of the Health Insurance Portability and Accountability Act (HIPAA), or because those creating systems to allow medical information to be internet accessible – like those coalitions building dedicated Health Information Exchanges and companies like Microsoft, Google, and BlueCross BlueShield insurance plans – have resolved the security concerns.

Global Cyber-Security
However, I just read the cover story in the May 31st National Journal (“China’s Cyber-Militia”), which made me question these assumptions. The article doesn’t mention healthcare or electronic medical records, but it makes me very concerned because it discusses how Chinese hackers (or hackers working through computers based in China) have been responsible for serious industrial/utility computer breeches, and how government and private sector officials at the highest level are very concerned about this and the trend towards even more cyber-infiltrations.

If I had heard this third-hand I’d be inclined to dismiss it as extremist or Luddite hysterics. But the National Journal is solidly in the mainstream of responsible journalism, and even when their article cites reports from other publications (such as the New Yorker) they reinforce the point with information from other sources and direct interviews with knowledgeable insiders.

Some of the specific points in the article that made me sit up and take notice were:

The February, 2008 blackout affecting 3 million people in South Florida was probably caused by “a Chinese PLA [People’s Liberation Army] hacker attempting to map Florida Power and Light’s computer infrastructure apparently made a mistake. “The hacker was probably supposed to be mapping the system for his bosses and just got carried away and had a ‘what happens if I pull on this’ moment.” The hacker triggered a cascade effect, shutting down large portions of the Florida power grid, the security expert said. “I suspect, as the system went down, the PLA hacker said something like, ‘Oops, my bad,’ in Chinese.”

The article also discusses how the massive August 2003 blackout in the Northeastern US is believed to have been due to Chinese hackers – despite the public explanation that it was caused by overgrown trees in Ohio hitting high voltage lines.

The article even delves into how Chinese hackers are infiltrating corporate computer systems to steal company technology and business secrets, plans and strategies. For example, it includes a security expert’s story about one company’s experience of entering into face-to-face business discussions in China where “the Chinese based their starting points for negotiations on the Americans’ end points.” As Joel Brenner, the US government’s chief counterintelligence officer is quoted in the article, “If you travel abroad and are the director of research or the chief executive of a large company, you’re a target.”

Security of Online Health Records
Two potential weaknesses of utility and corporate computer systems may be because their systems are from third party vendors or were built with older architecture designed before on-line security was a concern. Because the computer systems for electronic health records and information exchanges are being built by the companies who are using them or have ongoing contracts for maintaining them – and are probably being built with newer software architectures – perhaps they are better protected.

The other reason why online health records may be more secure than utility or corporate systems is that hackers probably don’t have the financial or geopolitical incentives to break into medical record depositories. However, I can imagine situations or incentives for groups (aside from pure nihilism) that could change that – butI don’t want to speculate here and give anybody any ideas.

But if one of the great potential values of electronic medical records is having them joined together into Health Information Exchanges, and hackers are apparently able to infiltrate and wreak havoc in sophisticated computer networks, then I hope those developing EMR and HIE systems are really paying attention to security issues. If patients have concerns that their personal information is hackable, this could lead to a tremendous backlash against the use of a technology that should be very valuable for improving the quality of care and reducing the long-term growth in healthcare costs.

5 thoughts on “Are Online Electronic Health Records Secure?

  1. Personal Health Records allows patient to provide doctors with valuable health information that can help improve the quality of care that patient receives. Personal Health Records can help to reduce or eliminate duplicate tests and allow you to receive faster, safer treatment and care in an emergency and helps to play a more active role in yours and your loved ones’ healthcare.

  2. Pingback: Michael

  3. Michael –

    Your post is timely…A CNET News Blog reported on September 17th indicated a new study finds electronic health records vulnerable. Posted by Robert Vamosi, The author points out that the results of a fifteen-month study accessing the time to patch software associated with electronic health record (EHR) systems were published today by the eHealth Vulnerability Reporting Program. The program is a collaboration of health care industry organizations, technology companies and security professionals that is attempting to establish best practices within the emerging field of electronic health records in the adoption and reliance of eHealth systems, including electronic medical records (EMR), picture archiving and communication system (PACS), and medical devices. The 39-page report found much room for improvement.

    The amount of time between when a eHealth vendor is notified of a vulnerability and when that vulnerability is patched exceeded the time needed to patch in mainstream application software. For example, one medical application in the study remained unpatched after 2,211 days; another was 384 days and counting. By comparison, Brian Krebs of the The Washington Post found that the time to patch for Microsoft Internet Explorer was only 284 days.

    No one organization has providence over vulnerabilities in eHealth applications, the report found. Organizations such as the Certification Commission for Healthcare Information Technology (CCHIT) and Healthcare Information Technology Standards Panel (HITSP) offer general security practices and standards, but no assessment of risks associated with reported (or unreported “zero day”) threats.

    This report is a major example of the work healthcare has to adequately shore up it’s HIPAA security compliance.

    Grant Peterson, J.D. http://www.dgpeterson.com

  4. Your post, Are Online Electronic Health Records Secure?, is an excellent example of the threats healthcare faces from the outside. Even more disturbing are the lack of strong security enforcement measures internally.

    As a HIPAA compliance consultant, I make a point of asking if the client or their IT outsource vendor have conducted a security evaluation (a standard within the HIPAA security regulations) – answers range from, “Didn’t know it was required” to “I’ll check with our IT outsource group”. I find the Evaluation Standard is often overlooked, but also an indispensable provision for assuring a regular checkup of an organizations security status.

    HIPAA created the Evaluation Standard 164.308(a)(8), which requires a periodic technical and non-technical evaluation of the healthcare organizations security safeguards to demonstrate and document compliance with their security policy and the security rule requirements. Incidentally, this is a required standard, meaning, “a covered entity must implement the implementation specifications”.

    The Evaluation Standard 164.308(a)(8) specifies:

    “HIPAA Standard: Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart”.

    Aside from the Evaluation standard, HIPAA provides other strong security measures, including –
    Security Management process
    Assigned Security Responsibility
    Workforce Security
    Information Access Management
    Security Awareness and Training
    Security Incident Procedures
    Contingency Plan
    Business Associate Contracts and Other Arrangements
    Facility Access Controls
    Workstation Use
    Workstation Security
    Device and Media Controls
    Access Control
    Audit Controls
    Integrity
    Person or Entity Authentication
    Transmission Security

    A key to answering Are Online Electronic Health Records Secure?, requires an appreciation for the “outside threats, as well as a commitment to “internal” HIPAA security standards.

    Read more at: http://grantpeterson.matrixblogsuite.com/

  5. Welllllll. I work for a not to be named Gvt. entity, where all records are electronic. The VA. Where our Computer system, how to put this politely, SUCKS. It runs incredibly slow. AND it has been hacked into… And me, a former Vet, received an official letter, letting me know my VA info had got out… That was impressive. And pissed me off. The system is nation wide, and records are “Suppossedly” accessible in the VISN only, there are national access points. Which makes it very vulnerable.

    Case in point. The Power outage in Florida, was caused by a Government Hacker from China.. And the Ohio River Valley Power Blackout was also caused by a Chinese Hacker… SO, what is to stop a Major International power, ie. The PDRC, from hacking into the VA data base. When they are known to have an extensive Cyber Security Division, that’s sole purpose is to obtain Computer information from.. everyone…

    And the recent report of a Computer that had been hijacked, and the poor soul who worked at it, was arrested and charged with Child Pornography, and it wsn’t until some smart person realized his computer was running a 4 x the bandwidth it was set up for, that a virus was found… Multiple viruses as a matter of fact: Child porn, Auto clicking, Adult web site… I am forced to use E-records, but I will edit what I enter at times to protect the patient.

Leave a Reply

Your email address will not be published. Required fields are marked *