Medical_Record_Privacy - 91-514-201-s2010

Internet Web Systems II- Spring 2010
Vinay Veeramachaneni
- EMR/EHR (United States)
- Why EMR/EHR?
- What is Privacy and Security?
- The Law
- Example Scenarios
- How to Protect?
- Existing Systems
- Conclusion

- Medical and health records were maintained on paper.
- Records were sent by fax or mail, or requested by phone.
- Errors are most likely to be caused by humans.
- Point-of-care is hard to regulate.

- Availability of faster Internet and bandwidth
- Low cost of hardware
- Low cost of storage
- Storage at multiple locations/mirrors to recover from failure
- Software providing enhanced authentication

- Digitalize and maintain patient medical records.
- Electronically maintain and update health records.
- Invest about $20 billion to improve health care (Stimulus package).
- Eliminate health disparities.

(1)
- Lower health care costs
- Reduce medical errors
- Improve point-of-care
- Improve access to data
- Improve quality of health care
- Enhance the use of EMR by providers and hospitals.

- Privacy is the ability of individuals to keep information about themselves private or to reveal it to a selected individual.
- Protect an individual’s trust.
- Confide in trusted individuals.
- Security is preventing any unauthorized access to personal information.
- Store in a reliable location.
- Prevent any illegal use of information.

[Diagram labels: Government; Healthcare Provider; Patient; Hospital; Physician; hacking; re-route prescription drugs; ransom; outsourcing; information breach; sell to pharmaceutical companies; sell to researchers; possibility of illegal use; social Web; societies; household members; employers; related places; poor handling by medical professionals. Consequences listed: loss of privacy, loss of employment, loss of insurance, improper treatment, reluctant to medical care, social discrimination.]

- Losing records
- Discussing in public areas, including the social Web.
- Bribery
- Miscommunication
- Poor analysis
- Use of data without consent

- Used for peer-to-peer communication
- Used to connect members with various physical and mental ailments
- Impact on the drugs physicians prescribe (Stanford Business School)
- E.g.: PatientsLikeMe, SoberCircle, Doc2Doc, Healtheva, SurgyTec, …
- Educational purpose.
- Discussing related cases and cure.

- Hackers hold Virginia medical records for ransom (Washington Post, May 4 2009). Hackers threatened the state government that they would sell the medical records of 8 million patients and prescription drug monitoring records unless the government paid a $10 million ransom.
- One outsourced medical transcriptionist threatened to post patient medical records online.

- Private medical records for sale: Patients’ files outsourced for computer input end up in black market. (www.dailymail.co.uk, 18th Oct 2009)
- Confidential medical records of patients of Britain’s Hospital were illegally sold on the black market, in this case to undercover federal agents.

- Medics tweeting and posting data on social Websites.
- An insurance agent found out about the abortion of his niece and told her parents.
- An employer illegally accessed an employee’s medical record of HIV status.

- HITECH Act – Health Information Technology for Economic and Clinical Health Act, 2009.
- “Meaningful Use” of EHR and set of standards.
- HIPAA Act, 1996 – Health Insurance Portability and Accountability Act
- American Recovery and Reinvestment Act.









- Fair practice
- Patient and professionals’ training
- Prevent mishandling of data
- Optimize the information
- Provide better authentication
- Securing the facilities (Hospitals and Healthcare Institutions)
- Limit use of social networking, not to discuss about patients
- Provide standards and responsibilities
- Do not enter personal data
- Identify theft
- Red flag any misuse
- Penalties
- Report any illegal activity
- Report Phishing Websites
- Business treaties that provide data protection.

- Study on the Certification Commission for Health Information Technology (CCHIT), the US EHR certification organization.
- OpenEMR software
- Static analysis summary of 1210 alerts
- Vulnerabilities like cross-site scripting, nonexistent access control, path manipulation, error information leak.

Cross-site Scripting

Error Message Information Leak

- Shibboleth (Johns Hopkins)
- Verisign
- eClinicalWorks EMR (Tufts Medical)
- E-MDs
- www.omniMD.com
- Dr.I-Net







[Figure labels: Cost Savings; Improved Margins; Improved Patient Satisfaction; Better care. (Research by Microsoft) (Nemours-Pediatric Health System)]

Pros
- Cost efficiency
- Faster response
- Easy patient transfer
- Reduce medical errors
- Faster access to data

Cons
- Concerns of privacy
- Problem of hacking
- Lose patients
- Reluctance to seek medical care
- Social discrimination

- Privacy is always an ongoing debate, as it is with personal identity and financial data.
- Digitalizing medical data became law in the United States and is also being implemented globally.
- Just like financial organizations, hospitals must also provide enhanced authentication.

1. http://www.omnimd.com
2. http://whereismydata.wordpress.com/2008/09/24/exapmles-ofmisuse-of-medical-records--where-is-my-data/
3. http://en.wikipedia.org
4. http://www.doseofdigital.com/healthcare-pharma-social-mediawiki/
5. http://www.gsb.stanford.edu/news/research/mktg_nair_drugs.shtml
6. http://www.krollfraudsolutions.com/pdf/2010_KrollHIMSS_Study_FINAL.pdf
7. www.hhs.gov
8. http://www.netreach.net/~wmanning/privacy.htm
9. http://www.data-storagetoday.com/story.xhtml?story_id=13100CRGCVD5&full_skip=1
10. http://www.healthcareitnews.com/news/officials-outline-criteriameaningful-use
11. Towards Improving Security criteria for certification of EHR system