By Kurt J. Long, all rights reserved FairWarning, Inc. (published with permission)
The American Recovery and Reinvestment Act of 2009(1), known as the U.S. Stimulus Bill, contains a long-needed expansion of HIPAA privacy regulation. The proposed privacy regulation modernizes HIPAA by catching it up with state disclosure laws as well as the California and Massachusetts medical record anti-snooping laws. At the time of this writing, both the House and Senate versions of the Bill contain similar privacy language, and the Committee version of the Stimulus Bill is expected to be “tweaked”, but not significantly altered, in the area of health care privacy before it is presented to President Obama for signature. The impact of the HIPAA privacy expansion in the Stimulus package on the health care industry will be remarkable, and for the better.
Unique Privacy and Security Challenges
The health care industry has unique privacy and security challenges that should not be overlooked(2). Delivering patient care is a highly collaborative process involving administrators, nurses, clinicians, physicians, insurers, external specialists and family members, among others. As a comparison, think of processing a credit card or ATM transaction, which flows electronically from the point of initiation to a physical or electronic envelope: there are few if any personnel involved in the processing of a standard financial transaction. Also consider that patient care cannot be interrupted by security controls such as strong authentication or granular access control, which are prevalent in other industries that handle sensitive information. Failure to gain immediate access due to a strong-authentication or granular-authorization misconfiguration may cost a patient their life.
According to the Computer Security Institute (CSI), insider security incidents have overtaken viruses as the most reported security incident across all industries. And since health care has such a wide range of personnel intrinsically involved in patient care, it is an industry which lends itself to even greater insider fraudulent activities.
Privacy and the Adoption of Electronic Health Records
With the above said, the health care industry must overcome its privacy and security challenges if it is ever to gain the improved efficiency and effectiveness of Electronic Health Records (EHRs). All vested parties, beginning with the individual consumer, must believe their information is safe and protected if we are ever to see full-scale adoption of EHRs. In a 2006 survey of consumers, a robust 80% of those surveyed reported they were very concerned about identity theft or fraud when it came to having their health information maintained online.
As U.S. health care expenditures creep ever closer to 20% of U.S. Gross Domestic Product (GDP), the cost savings associated with EHRs become a foundation for our nation’s global competitiveness. Without the trust of the American consumer and vested parties, it is hard to imagine wide-scale adoption. So it comes with some surprise and irony that only in a crisis are we on the precipice of passing long-needed health care privacy legislation that helps position our country for a competitive and healthy future.
The question becomes: what practical steps can health care organizations take in order to comply with the new state and Federal laws, maintain the work-flow of patient care, and implement systems that are cost-effective and rapid to deploy?
Trust but Verify® - The Importance of Auditing and Monitoring
One of the absolutes in addressing privacy within health care is to preserve the work-flow of patient care, so that physicians and nurses are not encumbered with additional authentication or impractical fine-grained access controls. Thus, the health care environment lends itself to a “Trust but Verify®” model: trust health care personnel to perform their respective responsibilities, but verify that their actions are not fraudulent.
A recent Booz Allen Report (3), dated January 15, 2009 and prepared for the Department of Health and Human Services, details the growing phenomenon of medical identity theft and the risks of an unchecked electronic health care environment. The report makes specific recommendations for the curtailment of medical identity theft, including an emphasis on user auditing and monitoring; see the in-line excerpt from the report below.
Auditing/Monitoring (excerpt from Booz Allen Report)
Because an increasing number of health care transactions are conducted electronically, auditing and monitoring can be an effective method for detecting medical identity theft. When numbers of transactions are large, stakeholders may prefer to conduct some form of automated auditing and monitoring. The potential, under-explored uses of technologies like these were discussed among Town Hall participants. In the information security context, the terms “auditing” and “monitoring” are often used interchangeably to refer to any automated process for reviewing information system activity and user activity within information systems. Auditing provides several advantages to participants in health care transactions who may be concerned with detecting medical identity theft. Auditing can provide a means of detecting medical identity theft soon after its occurrence. Automated auditing may be especially effective in detecting anomalous high-volume activities, as when a single individual accesses an unusually large number of records in a single day. In this latter case, the activity may indicate what is sometimes called “wholesale” medical identity theft, where an insider downloads and sells many records. If auditing detects these events, data stewards may be able to take future corrective action by (for example) setting restrictions on the number of records that can be accessed and downloaded by individuals in particular roles within a preset period.
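The excerpt above describes two concrete controls: automated review of access logs to flag a single individual who touches an unusually large number of records in one day, and a follow-up restriction on the number of records a given role may access within a preset period. The script below is an added illustration of both, written for this page; it is not code from the article, from the Booz Allen report, or from any FairWarning product. The audit-log line format, the user and role names, the per-role daily limits, and the median/MAD peer-group rule are all constructed assumptions, and the log data is made up.

```python
"""Automated audit-log review for anomalous high-volume record access.

Added example with constructed data: each log line is assumed to carry
"timestamp user role record_id action". Two detectors are shown:
  1. a preset per-role daily limit on distinct records (the excerpt's corrective control);
  2. a peer-group outlier rule: count > role median + k * MAD over all user-days.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed normal activity (not real data).
_BASE_LINES = [
    "2009-02-10T08:01:12 nurse_a nurse PAT-1001 view",
    "2009-02-10T08:05:40 nurse_a nurse PAT-1002 view",
    "2009-02-10T08:30:02 nurse_a nurse PAT-1001 update",
    "2009-02-10T09:10:00 nurse_b nurse PAT-1003 view",
    "2009-02-10T09:12:31 nurse_b nurse PAT-1004 view",
    "2009-02-10T09:15:09 nurse_b nurse PAT-1005 view",
    "2009-02-10T10:00:00 dr_c physician PAT-1001 view",
    "2009-02-10T10:20:00 dr_c physician PAT-1006 view",
    "2009-02-10T11:00:00 clerk_e billing PAT-1001 view",
    "2009-02-10T11:02:00 clerk_e billing PAT-1002 view",
    "2009-02-10T11:10:00 clerk_f billing PAT-1003 view",
    "2009-02-10T11:12:00 clerk_f billing PAT-1004 view",
    "2009-02-10T11:14:00 clerk_f billing PAT-1005 view",
    "2009-02-11T09:00:00 clerk_d billing PAT-1010 view",
    "2009-02-11T09:05:00 clerk_d billing PAT-1011 view",
    "2009-02-11T09:30:00 clerk_e billing PAT-1007 view",
    "2009-02-11T10:00:00 clerk_f billing PAT-1008 view",
    "2009-02-11T10:04:00 clerk_f billing PAT-1009 view",
]

# Assumed per-role limit on distinct records per day (the "preset period").
ROLE_DAILY_LIMITS = {"billing": 25, "nurse": 40, "physician": 40}


def constructed_audit_log():
    """Return the constructed sample log plus one 'wholesale'-style access pattern."""
    lines = list(_BASE_LINES)
    # Constructed anomaly: one billing clerk views 60 distinct records in one afternoon.
    lines += [f"2009-02-10T13:{i:02d}:00 clerk_d billing PAT-2{i:03d} view" for i in range(60)]
    return lines


def parse_event(line):
    """Split one assumed-format audit line into a dict; the date is the review period."""
    ts, user, role, record_id, action = line.split()
    when = datetime.fromisoformat(ts)
    return {"date": when.date().isoformat(), "user": user, "role": role,
            "record": record_id, "action": action}


def daily_distinct_records(lines):
    """Map (user, date) -> set of distinct record ids touched; also map user -> role."""
    touched = defaultdict(set)
    roles = {}
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        touched[(ev["user"], ev["date"])].add(ev["record"])
        roles[ev["user"]] = ev["role"]  # assumes one role per user
    return touched, roles


def flag_over_role_limit(lines, role_limits=ROLE_DAILY_LIMITS):
    """Preset-period rule: more distinct records in a day than the user's role allows."""
    touched, roles = daily_distinct_records(lines)
    flags = []
    for (user, date), records in touched.items():
        limit = role_limits.get(roles[user])
        if limit is not None and len(records) > limit:
            flags.append((user, date, roles[user], len(records), limit))
    return sorted(flags)


def flag_statistical_outliers(lines, k=3.0):
    """Peer-group rule: flag a user-day whose distinct-record count exceeds the role's
    median + k * MAD. MAD is floored at 1.0 so a near-constant baseline still yields
    a usable threshold instead of flagging every small fluctuation."""
    touched, roles = daily_distinct_records(lines)
    per_role = defaultdict(list)
    for (user, date), records in touched.items():
        per_role[roles[user]].append((user, date, len(records)))
    flags = []
    for role, rows in per_role.items():
        counts = [c for _, _, c in rows]
        med = median(counts)
        mad = max(median(abs(c - med) for c in counts), 1.0)
        threshold = med + k * mad
        flags.extend((u, d, role, c, threshold) for u, d, c in rows if c > threshold)
    return sorted(flags)


if __name__ == "__main__":
    log = constructed_audit_log()
    for f in flag_over_role_limit(log):
        print("over role limit:", f)
    for f in flag_statistical_outliers(log):
        print("statistical outlier:", f)
```

Both rules flag only the constructed billing clerk's 60-record day; the peer-group rule is the more useful of the two in practice because it needs no hand-tuned limit per role, while the fixed limit is the simpler control to explain and enforce once an incident has established what "unusual" means for a role.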
Summary
It should come as no surprise that if the U.S. Federal government jump-starts Electronic Health Record adoption by investing public monies, then appropriate privacy and security safeguards will be asked of the health care industry. The eyes of the world are on the American Recovery and Reinvestment Act of 2009: for the sake of patient privacy, for the future of Electronic Health Records, and to some degree for the ability of the western world to compete globally, the world watches with great anticipation.
1 - Senate Version of the American Recovery and Reinvestment Act of 2009, February 9, 2009 (privacy provisions begin on page 320)
2 - FairWarning® Privacy Surveillance White Paper
3 - Booz Allen Hamilton Report on Medical Identity Theft, January 15, 2009, prepared for the US Department of Health and Human Services (auditing and monitoring begins on page 14)