MAINTAINING SECURITY AND PRIVACY OF PATIENT INFORMATION September 2, 2006 Frank E. Ferrante, MSEE, MSEPP President FEFGroup, LLC Past Chair, Medical Technology Policy Committee IEEE-USA, Washington, DC Presented at 28th IEEE EMBS Annual International Conference Aug 30-Sept. 3, 2006, New York City, New York, USA Outline • • • • • • Why Electronic Medical Records? Software Sample/hardware samples Barriers/Standards for EHR HIPAA Security and Privacy Regulations Medical data transmission requirements Wireline and Wireless Telecommunications Services Security • Security of Patient Medical Records • References Why Electronic Medical Records (EMRs) • Time spent filing and pulling patient charts, searching for charts • Time re-creating records if destroyed by natural disaster or accident • Cost of supplies to maintain charts • Cost of facility space for records (can better use of space be made?) • Storage and Backup Cost • Transcription services cost • Cost of doing nothing today • Better Security/Privacy Maintainable Software/Hardware Supporting Digital Medical Records • Electronic Medical Record (EMR)Software – Soapware - check it out $300 Starting Price see: http://soapware.com/ – e-MDs Electronic Medical Record Support Software http://www.emds.com – a4Healthsystems EMR and Access systems http://www.a4healthsystems.com • Companion Technologies http://www.companiontechnologies.com • Security and Privacy - all EMRs must be protected – Sample approach: indigenous authentication of digital information (US Patent 6,757,828 B1 of June 29, 2004) by Signa2 http://www.gjtdc.com – Backup routinely onto remote servers or storage offerings What are the Barriers to EHR and e-Health Implementation?* • • • • • • • • Lack of a Unique Personal Identifier Lack of HIPAA Compliant Middleware Lack of Incentives No Paradigm or “First Mover” for Some System Components Evolving Standards Disincentives Lack of an NHIN Architecture [Fear of Cost/Benefit] * [Corr 06] Barriers and Solutions Identifiers and Middleware Lack of a Unique Personal Identifier: • Solutions: •Voluntary Personal Healthcare Identifier (IEEE-USA Voluntary Healthcare Identifier Position Statement, 17 June 2004) •Center for Certification of Health Information Technology Multiple ID Approach (Provider ID + Provider Unique Personal ID) •DOD Common Access Card Model Lack of HIPAA Compliant Middleware: •Solutions: •RHIO Contracts •Marketplace Solutions •Shortcomings: •Public Health and Research Interfaces may not be included HIPAA compliant Identification, Authentication, and Access * [Corr 2006] EHR Standards Evolution* • International Statistical Classification of Diseases and Related Health Problems (ICD) from ICD-9 to ICD-10 • ASCI X12 Version 4010 to ASCI X12 Version 5010 (HIPAA Business Transactions) • National Council for Prescription Drug Programs Telecommunication Standards from version 5.1 to version D.0 • Conversion of all standards to XML * [Corr 06] HIPAA Security and Privacy Regulations • Health Insurance Portability Assurance Act (HIPAA) – Security - Required stronger and more focused provision of security around medical information (supports maintaining of information privacy) – Privacy - Enforces increase in privacy protections for medical information (Not just speaking privacyrequired under penalty if failure occurs) Electronic Medical Record (EMR) Data Requirements • Page of text for entering and storing nonimage information – Less than 64 Kbytes(large file) • Image Data – (Refer to estimate table) Medical Images Data Transmission Requirements* Image Type Ultrasound Other (Angiography, Endoscopy, Nuclear Med., Cardio logy, Rad iology) Computed Tomography Magn etic Resonance Imaging Digi tized (Scanned) X-Ray Digi tal Radio logy “ “ (high quali ty) Mammograp hy Image Image resolution Size less Control & Spatial Size( bits/pixel) error bits 512x512 x8 256 Kbytes 512x512 512x512 1024x1024 1024x1280 2048x2048 2048x2048 4096x4096 x8 x12 x12 x12 x8 x12 x12 256 Kbytes 384 Kbytes 1.5 Mbytes 1.9 Mbytes 4 Mbytes 6 Mbytes 25 Mbytes *Source: Ferrante, F.E.,“Evolving Telemedicine/eHealth Technology,” Telemedicine and e-Health, Vol 11, Number 3, June 2005, Mary Ann Liebert, Inc Publisher, ISSN-1530-5627. Wireless Telecommunications Services – Broadband Services • 802.11n • WiMax – Security • • • • PKI VPN Secure ID WEP/WPA/WPA2 (802.11i) How New Technologies Stack Up Actual performance will vary depending on factors such as how the technology is deployed, the user’s distance from base stations, and interference. Data Rate (megabits per second) 1,000 WPAN WLAN WMAN WWAN Ultrawideband 100 Wi-Fi (802.11n) Wi-Fi (802.11a/g) 4G cellular WiMax mobile (802.16e) 10 3.5G cellular Wi-Fi (802.11b) Bluetooth 2.0 WiMax (802.16) 3G cellular 1 Bluetooth 1.2 2.5G cellular -1 2G cellular Established Emerging Source: Technology Review, October 2005 Security of Patient Records • Wireline Communications/Computer Access – – – – Database Encryption Public Private Key access control Routine Password Control and Management Isolation of Database Server from outside access • except via Virtual Private Network (VPN) and Secure ID hand-held devices or Secure Private Key system • Wireless Communications – Wire Equivalent Privacy (WEP) • Poorly designed, vulnerable – Wireless Protocol Architecture (WPA)& WPA2 • Improved Security Encoding • Enterprise Security Offering(Both WPA and WPA2 now available for Wireless operations as alternate to WEP) References • [Corr 2006] Corrigan, Mike (Current Chair MTPC), “ConsumerCentered Electronic Health Records and e-Health - Roadblocks and Opportunities,” presented to GEIA Roundtable, June 29, 2006 - Available at: http://www.ieeeusa.org/volunteers/committees/mtpc/index.html • [IEEE-USA]IEEE Medical Technology Policy Committee Web Site ttp://www.ieeeusa.org/volunteers/committees/mtpc/index.html Backup Slides Top Level EHR Components Personal Health Record (PHR) or Personal EHR Payer Records or Payer EHRs Other Healthcare System Records Glue Healthcare Provider or Clinical EHRs Health Insurance Payer Records Hospital Records Personal EHR Certified • Demographics and Identity • Links to other EHR components Carrier EHR Personal Health Record Physician Office Records Dental Office Records Pharmacy Office Records Laboratory Records Radiological Records EMT Records Provider EHRs Personal Health Record Uncertified • Demographics • Allergies • Medications •Inoculations Full PHR Personal EHR Limited PHR Lifetime Full PHR Links Environmental Records Anonymized Links with Trusted Reverse Channel Personal Health Record Prenatal and Pediatric Records Military and VA Records Employer and Self Insurance Carrier Records Medicare Records Death Certificate and Autopsy Records Public Health Records Research Records Genomic Records