Last Friday, I met with a client and a company well versed in internet security. We were discussing aspects of cloud computing, and the increasing interest in its use for handling PHI (Patient Health Information).
As you might know from my prior blogs, I am a proponent of the use of web-based applications as a means of fostering and accelerating their use to enable the application of electronic health records (EHR) in the physician office. Physicians don’t like to spend a lot of money on computer technology, or become dependent on technical entities that are expensive and may not understand their clinical needs. In addition, healthcare providers such as hospital information systems operations are loath to take them on, as it means dealing with additional security practices to assure they don’t breach the hospital’s systems.
The notion of using web-based applications is therefore appealing, as it would reduce the capital cost for the physician office, and relieve the office practice from administering the systems, and maintaining the database. The security and data redundancy responsibility would be shifted to the web-based application provider.
The aspect of this shift in personal responsibility for the security of PHI to a third-party is what piqued my interest! While image transmission of PHI over the internet can be managed by HTTPS security, the bigger question is how the data is handled once it is housed in the web application’s data center. If the data is not encrypted, and the data center is hacked, is the PHI accessible? Usually, data is stored both as an entry in a database, as well as the actual data file. The data itself may be stored in encrypted fashion. But what about the database? If not also encrypted, the names of patients may be vulnerable to unauthorized access!
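To make the "encrypted file, unencrypted database" problem concrete, here is an added example (not code from the original post or from any vendor it discusses). It stores a constructed patient record two ways in an in-memory SQLite database: once with the image encrypted but the patient name in clear, and once with the name encrypted as well, using a keyed blind index so the record can still be found by name. A raw dump of the database, which is what someone who copies the data center's database file would see, shows the name in the first layout and not in the second. The stream cipher used here (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag) exists only so the example runs on the Python standard library; a deployment would use AES-GCM from a vetted library. The master key, table names and sample data are all constructed for the example.

```python
"""Added example: encrypt the stored image AND the database index entry."""
import hashlib
import hmac
import os
import sqlite3

# Constructed demo key; a real deployment would load this from a key manager.
MASTER_KEY = hashlib.sha256(b"constructed demo master key").digest()


def _subkey(master: bytes, label: bytes) -> bytes:
    # Derive independent keys for encryption, authentication and the blind index.
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: HMAC(key, nonce || counter) blocks concatenated.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(master: bytes, plaintext: bytes) -> bytes:
    # Output layout: 16-byte nonce || ciphertext || 32-byte HMAC tag (encrypt-then-MAC).
    enc_key, mac_key = _subkey(master, b"enc"), _subkey(master, b"mac")
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(master: bytes, blob: bytes) -> bytes:
    # Verify the tag in constant time before touching the ciphertext.
    enc_key, mac_key = _subkey(master, b"enc"), _subkey(master, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def blind_index(master: bytes, name: str) -> bytes:
    # Keyed hash of the normalised name: allows equality lookup, reveals nothing without the key.
    return hmac.new(_subkey(master, b"index"), name.strip().lower().encode(), hashlib.sha256).digest()


def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE weak (id INTEGER PRIMARY KEY, patient_name TEXT, image BLOB)")
    conn.execute("CREATE TABLE hardened (id INTEGER PRIMARY KEY, name_idx BLOB, name_ct BLOB, image BLOB)")
    return conn


def store_weak(conn: sqlite3.Connection, master: bytes, name: str, image: bytes) -> None:
    # The layout the post warns about: the file is encrypted, the index row is not.
    conn.execute("INSERT INTO weak (patient_name, image) VALUES (?, ?)", (name, encrypt(master, image)))


def store_hardened(conn: sqlite3.Connection, master: bytes, name: str, image: bytes) -> None:
    # Name encrypted, plus a blind index so the record is still findable by name.
    conn.execute(
        "INSERT INTO hardened (name_idx, name_ct, image) VALUES (?, ?, ?)",
        (blind_index(master, name), encrypt(master, name.encode()), encrypt(master, image)),
    )


def find_hardened(conn: sqlite3.Connection, master: bytes, name: str):
    # Lookup by blind index, then decrypt the stored name and image.
    row = conn.execute(
        "SELECT name_ct, image FROM hardened WHERE name_idx = ?", (blind_index(master, name),)
    ).fetchone()
    if row is None:
        return None
    return decrypt(master, row[0]).decode(), decrypt(master, row[1])


def raw_dump_contains(conn: sqlite3.Connection, table: str, needle: str) -> bool:
    # What a copy of the database file reveals: scan the SQL dump of one table for a plaintext string.
    return any(table in line and needle in line for line in conn.iterdump())


if __name__ == "__main__":
    conn = new_db()
    image = b"\x89PNG constructed image bytes"  # constructed sample
    store_weak(conn, MASTER_KEY, "Jane Doe", image)
    store_hardened(conn, MASTER_KEY, "Jane Doe", image)
    print("weak table leaks name:    ", raw_dump_contains(conn, "weak", "Jane Doe"))
    print("hardened table leaks name:", raw_dump_contains(conn, "hardened", "Jane Doe"))
    print("lookup still works:       ", find_hardened(conn, MASTER_KEY, "jane doe") is not None)
```

The blind index is the part that answers the accessibility worry: a provider that holds the index key can still find a record by patient name for exchange, while a copy of the database alone yields only keyed hashes and ciphertext. Note that the same master key decrypts both tables here; in practice the image store and the index would use separate keys so that compromise of one does not expose the other.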
And, what if both the data and database are encrypted? What are the implications for the achievement of a Health Information Exchange (HIE)? There certainly are schemes for handling this on the technical level, but what about the practical level? One approach would be to establish a “trust” level between users, such as by means of a secure password. Unfortunately, physicians don’t take kindly to a password! Your college football team’s nickname may seem like an appropriate password, but it is not a very secure one. And how is a physician supposed to comply with a more secure password structure and frequent changes? To be truly accessible, the schema will need to be universal, implying the need for some form of universal security protocol.
If data is managed by a third party as part of an HIE, who has responsibility for managing the security? If it is the third-party, then most likely the security protocols of the third-party will apply to image accessibility. If the third-party follows industry standards, it will most assuredly employ security protocols that exceed the expectation of participating physicians, and will probably mean different password protocols from the entities that the physician wishes to share data with.
My point in raising these issues is not to scare potential users out of their use, but to assure that potential vendors of such services take both technical and practical factors into consideration. That way, users can be assured that the solution will have the security required by regulators, while at the same time offering enough convenience to assure their use. Another issue: who is in charge of determining the level of security deployed? If healthcare becomes nationalized, will it be up to the bureaucrats to set the level of security? A simply elegant solution would be to “chip” all healthcare professionals. But realistically, would anyone go for this? How will the need for security be balanced against the practicality of real world healthcare demands?
As part of healthcare reform, I think everyone needs to step back and look at the implications of security as part of the design for electronic records. There’s a lot to be said for a piece of paper in a folder locked in a file cabinet. But those days are gone, and we must find manageable solutions. We need to start with the bigger picture, and then narrow down the implications.
I welcome your comments and perspective!