MAINTAINING SECURITY AND
PRIVACY OF PATIENT INFORMATION
September 2, 2006
Frank E. Ferrante,
MSEE, MSEPP
President FEFGroup, LLC
Past Chair, Medical Technology Policy Committee
IEEE-USA, Washington, DC
Presented at
28th IEEE EMBS Annual International Conference
Aug 30-Sept. 3, 2006, New York City, New York, USA
Outline
•
•
•
•
•
•
Why Electronic Medical Records?
Software Sample/hardware samples
Barriers/Standards for EHR
HIPAA Security and Privacy Regulations
Medical data transmission requirements
Wireline and Wireless Telecommunications
Services Security
• Security of Patient Medical Records
• References
Why Electronic Medical Records (EMRs)
• Time spent filing and pulling patient charts, searching for
charts
• Time re-creating records if destroyed by natural disaster or
accident
• Cost of supplies to maintain charts
• Cost of facility space for records (can better use of space
be made?)
• Storage and Backup Cost
• Transcription services cost
• Cost of doing nothing today
• Better Security/Privacy Maintainable
Software/Hardware Supporting Digital
Medical Records
• Electronic Medical Record (EMR)Software
– Soapware - check it out $300 Starting Price see: http://soapware.com/
– e-MDs Electronic Medical Record Support Software http://www.emds.com
– a4Healthsystems EMR and Access systems
http://www.a4healthsystems.com
•
Companion Technologies http://www.companiontechnologies.com
• Security and Privacy - all EMRs must be protected
– Sample approach: indigenous authentication of digital information (US
Patent 6,757,828 B1 of June 29, 2004) by Signa2 http://www.gjtdc.com
– Backup routinely onto remote servers or storage offerings
What are the Barriers to EHR and e-Health
Implementation?*
•
•
•
•
•
•
•
•
Lack of a Unique Personal Identifier
Lack of HIPAA Compliant Middleware
Lack of Incentives
No Paradigm or “First Mover” for Some System
Components
Evolving Standards
Disincentives
Lack of an NHIN Architecture
[Fear of Cost/Benefit]
* [Corr 06]
Barriers and Solutions
Identifiers and Middleware
Lack of a Unique Personal Identifier:
• Solutions:
•Voluntary Personal Healthcare
Identifier (IEEE-USA Voluntary
Healthcare Identifier Position Statement, 17
June 2004)
•Center for Certification of Health
Information Technology Multiple
ID Approach (Provider ID +
Provider Unique Personal ID)
•DOD Common Access Card
Model
Lack of HIPAA Compliant Middleware:
•Solutions:
•RHIO Contracts
•Marketplace Solutions
•Shortcomings:
•Public Health and Research
Interfaces may not be included
HIPAA compliant
Identification,
Authentication,
and Access
* [Corr 2006]
EHR Standards Evolution*
• International Statistical Classification of Diseases
and Related Health Problems (ICD) from ICD-9 to
ICD-10
• ASCI X12 Version 4010 to ASCI X12 Version
5010 (HIPAA Business Transactions)
• National Council for Prescription Drug Programs
Telecommunication Standards from version 5.1 to
version D.0
• Conversion of all standards to XML
* [Corr 06]
HIPAA Security and Privacy
Regulations
• Health Insurance Portability Assurance Act
(HIPAA)
– Security - Required stronger and more focused
provision of security around medical information
(supports maintaining of information privacy)
– Privacy - Enforces increase in privacy protections for
medical information (Not just speaking privacyrequired under penalty if failure occurs)
Electronic Medical Record
(EMR) Data Requirements
• Page of text for entering and storing nonimage information
– Less than 64 Kbytes(large file)
• Image Data
– (Refer to estimate table)
Medical Images Data Transmission
Requirements*
Image Type
Ultrasound
Other (Angiography,
Endoscopy, Nuclear Med.,
Cardio logy, Rad iology)
Computed Tomography
Magn etic Resonance Imaging
Digi tized (Scanned) X-Ray
Digi tal Radio logy
“
“
(high quali ty)
Mammograp hy
Image
Image resolution
Size
less
Control &
Spatial Size( bits/pixel) error bits
512x512
x8
256 Kbytes
512x512
512x512
1024x1024
1024x1280
2048x2048
2048x2048
4096x4096
x8
x12
x12
x12
x8
x12
x12
256 Kbytes
384 Kbytes
1.5 Mbytes
1.9 Mbytes
4 Mbytes
6 Mbytes
25 Mbytes
*Source: Ferrante, F.E.,“Evolving Telemedicine/eHealth Technology,” Telemedicine and e-Health, Vol 11,
Number 3, June 2005, Mary Ann Liebert, Inc Publisher, ISSN-1530-5627.
Wireless Telecommunications
Services
– Broadband Services
• 802.11n
• WiMax
– Security
•
•
•
•
PKI
VPN
Secure ID
WEP/WPA/WPA2 (802.11i)
How New Technologies Stack Up
Actual performance will vary depending on factors such as how the technology is
deployed, the user’s distance from base stations, and interference.
Data Rate
(megabits per second)
1,000
WPAN
WLAN
WMAN
WWAN
Ultrawideband
100
Wi-Fi (802.11n)
Wi-Fi (802.11a/g)
4G cellular
WiMax mobile
(802.16e)
10
3.5G cellular
Wi-Fi (802.11b)
Bluetooth 2.0
WiMax (802.16)
3G cellular
1
Bluetooth 1.2
2.5G cellular
-1
2G cellular
Established
Emerging
Source: Technology Review, October 2005
Security of Patient Records
• Wireline Communications/Computer Access
–
–
–
–
Database Encryption
Public Private Key access control
Routine Password Control and Management
Isolation of Database Server from outside access
• except via Virtual Private Network (VPN) and Secure ID hand-held
devices or Secure Private Key system
• Wireless Communications
– Wire Equivalent Privacy (WEP)
• Poorly designed, vulnerable
– Wireless Protocol Architecture (WPA)& WPA2
• Improved Security Encoding
• Enterprise Security Offering(Both WPA and WPA2 now available for
Wireless operations as alternate to WEP)
References
• [Corr 2006] Corrigan, Mike (Current Chair MTPC), “ConsumerCentered Electronic Health Records and e-Health - Roadblocks and
Opportunities,” presented to GEIA Roundtable, June 29, 2006 -
Available at:
http://www.ieeeusa.org/volunteers/committees/mtpc/index.html
• [IEEE-USA]IEEE Medical Technology Policy Committee Web Site ttp://www.ieeeusa.org/volunteers/committees/mtpc/index.html
Backup Slides
Top Level EHR Components
Personal Health Record
(PHR)
or
Personal EHR
Payer Records
or Payer EHRs
Other Healthcare
System Records
Glue
Healthcare Provider
or
Clinical EHRs
Health Insurance Payer
Records
Hospital
Records
Personal EHR
Certified
• Demographics
and Identity
• Links to other EHR
components
Carrier EHR
Personal
Health Record
Physician
Office Records
Dental
Office Records
Pharmacy
Office Records
Laboratory
Records
Radiological
Records
EMT Records
Provider EHRs
Personal
Health Record
Uncertified
• Demographics
• Allergies
• Medications
•Inoculations
Full PHR
Personal EHR
Limited PHR
Lifetime Full PHR
Links
Environmental
Records
Anonymized Links with
Trusted Reverse Channel
Personal
Health Record
Prenatal and
Pediatric Records
Military and VA
Records
Employer and Self
Insurance
Carrier Records
Medicare Records
Death Certificate
and Autopsy
Records
Public Health
Records
Research
Records
Genomic
Records