Friday, October 05, 2012

Consumer Portal Security It Seems To Be More In The Spotlight. Relevant For Australia.

The following appeared last week.
Monday, September 24, 2012

Guarding the Portal: Data Security Needs Rise With Patient Access

Health care providers, already grappling with information security, could see their responsibilities expand as demand grows for patient data access.
Federal policies require physicians and hospitals to make health care data available to patients. And with the increasing use of electronic health records, that handoff increasingly will take place online. A certain degree of electronic access already is required under Stage 1 of the federal government's meaningful use EHR incentive program; that impetus will expand under Stage 2.
Industry executives expect that much of the patient data dissemination will take place through Web-based portals. For many health care providers, this will represent new ground. Hospital and medical practice websites traditionally have been informational, rather than access-oriented. Providers, accordingly, will need to step up their information security and privacy measures.
Jared Rhoads -- senior research specialist at the CSC Global Institute for Emerging Healthcare Practices -- said some health care facilities have been providing patient data access and attending to the associated security issues for some time. But those providers represent the exception, not the rule.
"Certainly, the vast majority of people have not plunged into [patient data access], so it is new for them," he said. "Now, with all the new meaningful use measures, that is absolutely going to blow this wide open and make this something that everyone is going to be concerned about."
A Call for Access
In August, CMS published the final rule governing Stage 2 of the meaningful use program, which goes into effect in 2014. Stage 1 criteria call for physicians and hospitals to provide patients an "electronic copy of their health information." Stage 2 changes that language. Physicians must provide patients with the means to "view online, download and transmit their health information." Hospitals must offer the same service to patients regarding hospital admissions.
The government's escalating demand for patients' access to health data can be seen in other policy statements as well.
HHS' Office for Civil Rights in May issued a memo underscoring patient's right to information and encouraging consumers to obtain a copy of their health record -- whether paper or electronic. That message reiterates language in the HITECH Act of 2009, which gives patients the right to request health data in an electronic format if the provider is equipped with an EHR.
The access directives appear to be pushing health care providers toward portals as the mechanism for allowing patients to view and download their health data.
Mac McMillan -- CEO of CynergisTek, a health care IT security firm -- said a number of health systems already have established patient portals, pivoting off their EHR systems.
Securing the Portal
McMillan suggested three core elements for portal security.
  • User Authentication -- "If you are going to provide good access control, there has to be a way on the portal for patients to authorize uniquely to the portal, such that they are only looking at their own information and not somebody else's," McMillan explained.
  • Secure Transport -- A portal that allows users to download information must provide a secure, encrypted connection between patient and portal. This is often accomplished through a virtual private network (VPN) or a gateway that's part of the provider's network.
  • Auditing and Integrity Control -- Providers need to be able to audit what a user has done with the information obtained through a portal -- what they have looked at and what they have changed. If a patient is able to enter or alter his or her health data, integrity control provides a way to verify the information. The EHR linked to the portal retains a patient's previous data so they can be compared with the new data. If a patient with a penicillin allergy inadvertently changes the health record to indicate no such allergy, the system can flag the problem.
"Integrity is one of the biggest issues when you start allowing greater access to the information," McMillan said. "You need to have a way to absolutely verify changes so they don't create health issues."
Rhoads, meanwhile, cited network scanning and monitoring as a key portal security measure. The idea is to scan for suspicious activity, such as a series of unsuccessful logins at an odd hour from an IP address outside of the country.
Lots more here:
Here are some links provided by the article.


Additionally we have had some work being commissioned by ONC (via NIST) around the same area.

Federal grants to support online privacy projects

Posted: September 21, 2012 - 1:00 pm ET
The National Institute of Standards and Technology has awarded more than $9 million in grants for five pilot projects that seek to develop technologies to improve identification of individuals online for commercial uses, including healthcare.
The grant awards stem from a White House program, the National Strategy for Trusted Identities in Cyberspace.
"The selected pilot proposals advance the NSTIC vision that individuals and organizations adopt secure, efficient, easy-to-use and interoperable identity credentials to access online services in a way that promotes confidence, privacy, choice and innovation," the NIST, a Commerce Department agency, said in a news release.
The NIST assists the Office of the National Coordinator for Health Information Technology in developing testing procedures for electronic health-record systems under the federally supported EHR incentive program.
More here:
With a lot of the present ‘heavy lifting’ for the NEHRS being portal related it is clearly worthwhile to keep an eye on what is happening in the US.
The move to access provision for consumers to real systems, rather than a copy, seems to me to be a sensible way forward. Pity Australia does not have that idea included in current plans as the US, Denmark and the UK (among others) do!


Anonymous said...

I just logged in to have a look at my PCEHR. Being of the female gender and quite sensitive about my age, I noticed immediately that on the 'your personal details' screen, my age had been calculated as one year older than I actually am! Very strange - on the same page, the top display banner had my correct date of birth and correct age (X), but on the same page lower down, my age was presented as (X+1). The page advised that the data had come from Medicare, and if it was incorrect I needed to check with Medicare. So I logged into my Medicare account and all was in order over there. Perhaps I am being picky, but age is important medically and also to be in accordance with the Medicare and PCEHR legislation. I am hoping that someone who can fix this is reading your column. And I hope that there is some care taken with integrity of PCEHR views when calculating and combining data in the future.
PS - admittedly, my birthday is in late October, and my guess is that the X+1 age algorithm is just looking at the month and rounding it up…but no excuses for having different ages on the same page. Makes me feel old before my time!.

Anonymous said...

Dear Anonymous, I feel for you having had your birthdate recalculated for you!

It does give one uneasy feelings about just what else might be being "recalculated" behind the scenes though doesn't it.

PCEHR/NEHRS was really just supposed to be about being a data repository or series thereof. At no point in time is it ever supposed to misrepresent the data it gets from other repositories like Medicare. Once again, something seems to have seriously gone wrong.

If it ever gets pathology results entered, you wouldn't want those to be given the X+1 touch....

Keith said...

Anonymous 10/05/2012 09:41:00 PM said...
"PS - admittedly, my birthday is in late October, and my guess is that the X+1 age algorithm is just looking at the month and rounding it up…"

That explanation sounds plausible, but it is probably not correct - in computer systems dates are converted into an internal form for easier manipulation and comparison. Sounds like a bug which may affect many users. It would be interesting to see if your age calculation corrects itself once your birthday has passed!

Anonymous said...

"Once again, something seems to have seriously gone wrong."

Now those of us that are cautious might want to look at the issue first and investigate if it really is a bug with the system that is repeatable, the professional approach, right?

But if it is correct, and it sounds pretty straight forward that it is, then:

1. I wonder how long before someone puts up the words "Not to be used for Clinical Decision Making", and
2. This thing has obviously not undergone adequate testing for a hundred million dollar spend (probably argued on the basis that it was an existing system).

Every tester knows that visual issues on the screen are the easiest things to find and get fixed, so what is going on here? Is someone checking? If it is right then we have a system that can't get a date right and consistent on the same screen, ..WHY NOT?

Someone needs to ask why we continue to pay so much for so little.

Lets see how long it takes to fix.

Anonymous said...

It would seem they have spotted something wrong regarding the Medicare data
PCEHR consumer registration is currently unavailable.
Access to existing eHealth records remains available but an error may be encountered when retrieving a Medicare document. Details of Medicare documents remain available in the Medicare Services Overview page.

Notification of planned outage
There are no scheduled outages at this time.

However yesterday stated due to daylight saving the HI service would not be available and would affect the ehealth records

Could someone enlighten me as to why daylight saving cause this in this day and age and effect the pcehr, should I be setting reminders not to need critical care at certain times of the year? And just when is the next solar flare scheduled?

Bernard Robertson-Dunn said...

I wrote:

How a system deals with time is a good indicator of the analysis that went into its architecture.

Australia (unlike Singapore) is a multi-timezone country.


I should have also added that Singapore doesn't have daylight saving.

And I finished with:

I do hope this has all been thought through.

There's still not much evidence that it has been thought through.

Anonymous said...

Well there is nothing wrong with the Medicare data in its own sweet home, it seems to be a problem with the way the pcehr displays it.... Funny I thought that was the core job of the pcehr. Now I know it was to remind us when daylight saving starts.

k said...

It's true that there was scheduled down time for medicare services - and not a bad time to do it. But it seems as though something went wrong - not necessarily time change related - and the problems cascaded unto unexpected down time. (Notifications are being sent out about this)

Anonymous said...

The service availability did state due to daylight savings the Hi service will not be available whatever the issue systems like this and on this scale and importance should run 24/7

Anonymous said...

HI service has been running for 2 years now... Do they always take it down for daylight saving?