Optimization of Health Data in the United States

@RodrigoNieto
Published in Homeland Security, Jan 24, 2017

The following document is the product of a CHDS project that asked homeland security experts to evaluate how a better use of data could improve homeland security. Because of the nature of the projects, we are making an exception to the editorial guidelines of the collection in order to leave the citations in the way they were offered, instead of using hyperlinks as we normally request.

I. Introduction — Ronnell A. Higgins

For generations, creating “security” in a facility involved the physical: fireproof file cabinets, reinforced doors, tamper-proof window locks, alarm systems and surveillance cameras. Locks, alarms and file cabinets are by no means obsolete but, in this era of computer-based communication and record keeping, many of the locks and keys we rely on are now electronic. In this age of instant information, concerns about the privacy and integrity of personal data, whether financial, medical, or any other, are now a common part of public policy discourse. HIPAA (Health Insurance Portability and Accountability Act)[1] is a measure initially passed by Congress in 1996 to require medical facilities to adopt security and privacy standards that protect personal health information. HIPAA is at the center of the digitization of the American healthcare system.

There are few industries which have more to gain from the Internet revolution than medicine. Rapid advancements in medical research, increasingly curious patients searching the internet for medical information, and pressures from managed care providers to contain costs and speed treatments are the central components driving e-health: “using technology to improve the quality of healthcare”[2]. As hospitals attempt to evolve, they are also confronting new federal regulations on the privacy of medical information, which present new problems in the electronic world. This paper will discuss five key issues facing the optimization of health care data: (1) The current health data mechanism, (2) Legal Challenges, (3) Cyber-Security challenges to healthcare data optimization, (4) The value of healthcare data, and (5) Securing digital healthcare data.

Through our discussions on the five key issues facing the optimization of healthcare data in the United States, you will learn that healthcare digitization exists in the zone of complexity and that the challenges of Electronic Health Records (EHR)[3] create opportunities for criminals near and far. The value of EHR lies at the heart of IT implementation plans in health care systems around the world. Healthcare records that are stolen and/or held hostage can present unimaginable challenges for healthcare providers. Unlike credit card fraud, where the issuing company can issue the user a new card and absorb the charges, or a social media account, where a user can delete the account and open a new one, the value of healthcare records cannot be overstated. According to Dave Kennedy, expert on healthcare security, “the healthcare industry is becoming a much riper target because of the ability to sell large batches of personal data for profit”[4]. Confidentiality and privacy are related but not synonymous[5]. Privacy is an individual’s right to keep certain matters secret. Clinical confidentiality is the responsibility of health care workers to safeguard patients’ personal information. If a clinician cannot elicit intimate symptoms and concerns in confidence, the ability to provide appropriate treatment is compromised, which creates a critical issue for patients and ultimately our nation’s healthcare systems.

With the advent of the computer era, we have been conscious of the importance of protecting electronic information. We foresaw that computers could transfer private information with remarkable efficiency, and potentially jeopardize confidentiality by transmitting personal data to inappropriate recipients. EHR enables the creation and maintenance of all patient data electronically. As central patient-information repositories, EHRs must be able to send data to other health information technology and receive data from other health IT, including lab, pharmacy, and billing systems and other electronic health records. EHR captures patient data such as patient complaints, lab orders, medications, diagnoses, and procedures at its source, at the time of entry, using a graphical user interface. Authorized healthcare providers can access, analyze, update and electronically annotate patient data even while other providers are using the same patient record, similar to Google Docs. The system likewise permits instant, sophisticated analysis of patient data to identify relationships among the data considered. An EHR system should have the capability to access reference databases for consultation regarding allergies, medication interactions and practice guidelines. The system should also include the capability to incorporate legacy data, such as paper files. A process designed to assist in the migration from paper records to EHR was developed as a guideline for health care providers prepared to implement the transition process.

Deciphering HIPAA

In order to appreciate the depth of optimization and the challenges we face, we must attempt to decipher the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA is commonly known for its protections of patient healthcare information. However, Title II of HIPAA, known as the Administrative Simplification (AS) provision, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. HIPAA standardizes financial and administrative health transactions for the public and private sectors, increases speed and efficiency, reduces the cost of delivering services, and sets minimum standards of protection for the storage, use and transfer of protected healthcare information.

The first section of the Administrative Simplification rules involves the implementation of a national standard for electronic health care transactions which will forever optimize healthcare records. The standards set by the Secretary of Health and Human Services under HIPAA apply to all healthcare clearing houses, all health plans, and health care providers that conduct certain transactions in an electronic form or use a billing service to conduct transactions on their behalf. An electronic transaction means a transaction over the internet, extranet, leased lines, dial-up lines for direct data entry (DDE), or private networks, or a transaction using a magnetic tape, disk or other media. These transactions range from plan enrollment, health claims, eligibility determination, and claim status verification to premium payments. While these transactions may have been available on some health care systems before, Title II requires all transactions to be processed using the same electronic format so that your health information can be shared, when you request it to be, with providers across the country.

Challenges facing optimization

The optimization of healthcare data is a challenge throughout our nation. Real challenges surrounding (1) the current health data mechanism, (2) legal challenges, (3) cyber-security challenges to healthcare data optimization, (4) the value of healthcare data, and (5) securing digital healthcare data will be assessed and reassessed by Congress and industry experts to determine the efficacy of our efforts given the challenge of the day, and days to come. However, we must have confidence that Americans can and should be able to obtain health care without concerns for their privacy and in a contemporary and efficient manner. More than just another government acronym and its accompanying processes, the optimization of health care data has become an essential part of the way our medical records and information are handled.

II. Current Health Data Mechanism — Jeremy DeMar

On August 21, 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA).[6] Created in response to concerns surrounding the unauthorized access to (and distribution of) individually identifiable health information, HIPAA established federal privacy standards for personal health information and mandated compliance by parties responsible for the handling of said information.

Prior to the passage of HIPAA legislation, no federal laws existed regulating the privacy of health information.[7] The security of an individual’s medical information was generally limited to paper files and charts being stored in a locked cabinet on the premises of a medical facility. In addition, few if any limitations existed on who could access confidential medical records.

In 2013, the HIPAA Privacy, Security, and Breach Notification Rules set forth how certain entities, including most health care providers, must protect and secure patient information.[8] Part of these protective measures included transitioning traditional paper medical records and charts to electronic health records or “EHRs”. A 2014 report however confirmed that almost 20% of office based physicians have yet to adopt EHRs in their practices.[9] With these findings in mind, and even with federally mandated penalties[10] in place for non-compliant health care professionals, a considerable number of medical providers across the country continue to collect and store confidential medical information in a conventional paper chart format.

Providers opting to participate in the electronic health record process must familiarize themselves with the federal guidelines established for the privacy and security of electronic health information, provider responsibilities under HIPAA, and the rights of patients under HIPAA. Even more critical is an understanding of the transition process from conventional paper records to electronic health records. While its use has not been mandated by the federal government, a step-by-step process for migrating from paper records to electronic records has been developed as a guideline for health care providers ready to initiate the transition process. The implementation process includes assessing the readiness of the practice to make the change, drafting a plan for the change, selecting a qualified electronic health record professional to initiate the change, training office personnel on the use of the new system, ensuring meaningful use of the new system, and continually evaluating the effectiveness of the program.

Once the EHR implementation process is complete, tasks, which were once paper based, will be performed via electronic methods. These tasks[11] include (but are not limited to) scheduling, new patient/repeat patient registration, insurance verification, referrals, organization and collation of received reports, patient progress notes, prescription related activities, and a variety of other unscheduled tasks.

Collection of personal health information via Mobile Health Technology (sometimes referred to as “mHealth” or “Connected Health”) is rapidly becoming an area of concern for those in the medical profession charged with HIPAA compliance and information security.

Figure 1.

The most common application of mHealth is the use of mobile phones and communication devices to educate consumers about preventive health care services. However, mHealth is also used for disease surveillance, treatment support, epidemic outbreak tracking and chronic disease management.[12] Solutions in the mHealth arena may be application based or hardware based. The risks associated with the use of these devices (as it pertains to data security and information integrity) include losing the device, theft of the device, downloading a virus, sharing the device, and operating on an unsecured Wi-Fi network.[13]

While not directly connected to the individual, online communities (i.e. WebMD, MedlinePlus, etc.) and medical social media present another challenge for information security specialists. Information entered in these forums by patients isn’t always protected, and access to posts generated by patients isn’t restricted. Generally speaking, concerns brought up in an open forum like the ones previously mentioned won’t interface with the patient’s actual medical record.

Another tool in the electronic health record toolbox impacting information collection is the Health Information Exchange or “HIE”. Electronic health information exchange (HIE) allows doctors, nurses, pharmacists, other health care providers and patients to appropriately access and securely share a patient’s vital medical information electronically — improving the speed, quality, safety and cost of patient care.[14] Three different forms of health information exchange exist: Directed Exchange, Query Based Exchange, and Consumer Mediated Exchange. Directed exchange is used by providers to easily and securely send patient information — such as laboratory orders and results, patient referrals, or discharge summaries — directly to another health care professional. This information is sent over the internet in an encrypted, secure, and reliable way amongst healthcare professionals who already know and trust each other, and is commonly compared to sending a secured email. This form of information exchange enables coordinated care, benefitting both providers and patients.[15] Query-based exchange is used by providers to search and discover accessible clinical sources on a patient. This type of exchange is often used when delivering unplanned care.[16] Consumer-mediated exchange provides patients with access to their health information, allowing them to manage their health care online in a similar fashion to how they might manage their finances through online banking.[17]

The HIPAA Privacy Rule and Electronic Health Information Exchange in a Networked Environment white paper stipulates the federal policy on protected health data collection. Clause one of the document reads as follows:

COLLECTION, USE, AND DISCLOSURE LIMITATION PRINCIPLE: Individually identifiable health information should be collected, used, and/or disclosed only to the extent necessary to accomplish a specified purpose(s) and never to discriminate inappropriately.[18]

As it pertains to the HIPAA Privacy Rule:

COLLECTION, USE, AND DISCLOSURE LIMITATION AND THE HIPAA PRIVACY RULE The Collection, Use, and Disclosure Limitation Principle in the Privacy and Security Framework emphasizes that appropriate limits should be set on the type and amount of information collected, used, and disclosed, and that authorized persons and entities should only collect, use, and disclose information necessary to accomplish a specified purpose. The Privacy Rule is consistent with the Collection, Use, and Disclosure Limitation Principle and supports adherence to the principle by covered entities that participate in electronic health information exchange in a networked environment. In particular, the Privacy Rule: 1) Generally requires covered entities to limit uses, disclosures, and requests of protected health information (PHI) to the minimum necessary; and 2) Defines and limits the uses and disclosures covered entities may make without an individual’s authorization.[19]

III. Legal Challenges — Tracy Avelar

Healthcare reform has long been the subject of debate and consideration. In 1996, Senators Nancy Kassebaum and Edward Kennedy introduced legislation to address issues with many Americans’ ability to obtain and keep health insurance when changing or leaving a job. If a pre-existing condition was involved, health insurance could be denied or the premium could be increased. The Kennedy-Kassebaum Bill was enacted as the Health Insurance Portability and Accountability Act (HIPAA).

The portability of insurance made it possible for individuals to have continuous coverage when changing or leaving employment. The Act also made it so that insurance companies could not exclude or charge higher premiums to someone with a pre-existing condition. The goal of the Kennedy-Kassebaum Bill was to address the portability issues. This portion of HIPAA is said to be “relatively straightforward and has been successfully implemented.”[20] HIPAA addressed more than just portability; it addressed security and privacy of health records under Section II of HIPAA. This piece of the legislation, under Subtitle F: Administrative Simplification, has been significantly more detailed and difficult to address and keep up with.

The law as originally enacted called for the Secretary of Health and Human Services (HHS) to adopt security standards within 18 months and privacy standards within 12 months. HHS was to provide recommended privacy standards legislation to Congress. Congress then had three years to enact the legislation. If legislation was not passed through Congress, which in the case of HIPAA it was not, HHS was tasked with providing privacy regulations for “individually identifiable electronic health information.”[21] The standards were “to take into account” security of record systems and safeguards “to ensure the integrity and confidentiality of the information, and to protect against any reasonably anticipated threats or hazards to the security or integrity of the information and unauthorized uses or disclosures of the information.”[22]

In 2000, standards for electronic transactions and privacy were published. In August, the final rule for Health Insurance Reform: Standards for Electronic Transactions became effective.[23] The rule of standard codes and transactions simplified administration of the health care system to include Medicare and Medicaid programs.[24] In December, the Privacy Rule, which provided Federal protection of health information, was published.[25] It became effective in April of 2001.[26] These rules applied to “health plans, health care clearinghouses, health care providers, and health care providers who conduct certain healthcare transactions electronically” and if not followed civil or criminal penalties could be imposed.[27] Public input was sought on two separate occasions to ensure the rules would not negatively impact patients and by August of 2002 the final Privacy Rule was established.[28] The Privacy Rule protects “individual’s medical records and other personal health information” and “requires appropriate safeguards” on identifying health information.[29]

Figure 2.[30]

The HIPAA Security Rule established “national standards to protect individuals’ electronic personal health information.”[31] For electronic medical records storage and accessibility, the rule recommended “electronic signatures” and at the time there were no national standards.[32] The rule as first proposed in 1998 recommended that the signature must:[33]

● Identify the signatory individual

● Assure the integrity of a document’s content

● Provide for nonrepudiation

The final rule adopted in 2003, however, stated that a “final rule for electronic signatures would be published at a later date.”[34] The Security Standards for the Protection of Electronic Protected Health Information was created in the newly added subpart C of CFR title 45, part 164. The standards entailed General Rules, Administrative Safeguards, Physical safeguards, Technical safeguards, Organizational requirements, Policies and procedures and documentation requirements. Included in Appendix A to Subpart C of Part 164 was a Security Standards Matrix. The matrix laid out standards, where the standards were located in Part 164, and whether the implementation was required or “addressable”.

Figure 3.[35]

The rules and standards of HIPAA created a great deal of concern regarding the ability to comply with the newly created rules while still providing service to patients. Many affected by HIPAA did much more than they were required to do and even feared just leaving a voicemail for a patient.[36] However, the first criminal action resulting from HIPAA enforcement did not occur until 2005, when a lab assistant stole a patient’s identity.[37] The approach taken by HHS was to ensure covered entities were following the rules with an educational period as opposed to enforcement. In 2009, Congress passed the Health Information Technology for Economic and Clinical Health Act (HITECH). The changes included increased penalties for HIPAA violations and a requirement to conduct privacy and security audits, data security breach notification requirements, and authorization for HIPAA enforcement by states’ attorneys general.[38] Millions of dollars in penalties have since been assessed against companies for violations such as failure to properly dispose of personal health information or failure to cooperate with an investigation. A state agency in Alaska was even fined for an incident involving a stolen USB drive.[39]

In January of 2013, the final rule modifying the HITECH act provided increased breach notification rules and added a requirement that business associates follow the Security Rule, as well as many other tweaks and modifications. Joy Pritts, ONC’s chief privacy officer, echoes this sentiment. “People sometimes ask of HHS-‘So are you finished changing the rules now?’ There is no ending point. Technology is constantly changing, and there are always new challenges,” she says. “Protecting the privacy and security of health information is a continuous process. HIPAA must be reassessed all the time to make sure it is working optimally.”

IV. A way towards healthcare data management — Manny Morales

Jack and Diane are on their first date. Jack is nervous as he sits across from her in a moment he has imagined since he first laid eyes on her three months ago. It had taken him many days staring at her lovely face during their morning commute to muster up the courage to talk to her. He was beside himself when she finally agreed to a dinner date. Now as he sits across from her in a trendy cafe in trendy South Beach, he barely notices the crowd of tourists walking by as he stares deeply into her eyes.

Jack is immersed deep in conversation, hanging on Diane’s every word. He barely notices as the waiter places the wrong dish in front of him. Almost unconscious and not wanting to break the magical connection, he takes a bite. The way they seem to magically sparkle under the dim lights of the romantic little sidewalk cafe. “This might actually be the one.” He begins to feel his temperature rise, the sweat on his brow builds as his pulse quickens. “Oh my God, she is the one.” He finds it hard to breathe; he can’t believe the way she takes his breath away. But Jack was not smitten by Diane’s beauty and charm; he was going into anaphylactic shock. Jack suffers from a severe allergy to peanuts. In an instant, his airway is blocked and his heart feels like it is going to pound out of his chest. Jack loses consciousness and slumps over. Diane knows something is wrong. Is he choking? What is wrong with him? The waiter tries to help as the hostess calls 911. Emergency Medical Personnel arrive quickly on the scene but struggle to determine the cause of the illness. They frantically ask Diane if he has any allergies. “I don’t know,” she replies. The paramedic asks, “Does he have any pre-existing conditions or take any medications?” “I don’t even know his last name,” she mutters in desperation. As they transport Jack to the nearest medical facility, precious seconds are wasted trying to identify Jack’s existing medical conditions.

In a medical emergency, seconds matter. The ability of emergency medical personnel to identify a patient’s conditions, allergies, and medical history is critical in emergency situations. Interoperability in the U.S. healthcare industry is needed now. The United States needs to develop a system that allows all health care providers to connect “the fragmented places where health data resides, and bring them together into a unified health data layer that is current, secure, and usable.”[40] Such a system would allow healthcare providers to access patient information for faster clinical decision-making, while being user friendly enough to allow patients to access their health data and interact as needed. Currently 80–90% of medical providers have some type of electronic health record (EHR), a digital version of a patient’s health and medical records.[41] The flaw lies in the ability to connect to one another in a seamless data system that allows access to healthcare professionals regardless of medical provider.

The potential of EHRs is immense; as the National Alliance for Health Information Technology notes, data “can be created, managed, and consulted by authorized clinicians and staff across more than one healthcare organization.”[42] A place where you can access all patient records from any authorized secure site. The potential access to patients’ EHRs can have a significant impact on the way we provide emergency care, approach preventive medicine, and identify outbreaks.

A survey of health care professionals identified the top five benefits of the implementation of an EHR management sharing system:

● improve the ability to share patient record information among healthcare practitioners and professionals within a multi-entity healthcare delivery system

● improve quality of care

● improve clinical processes or workflow efficiency

● improve clinical data capture

● reduce medical errors (improve patient safety)[43]

But EHR is only a small part of how big data can help the healthcare industry change patient treatment, the discovery of epidemic outbreaks, and more. Big data can help the medical industry quickly access personal medical records to provide “personalized medicine and disease modeling.”[44] In addition, big data can advance healthcare by allowing the search for sustainable solutions to such issues as tracking public health, determining and implementing appropriate treatment paths for patients, supporting clinical improvements, monitoring the safety of healthcare systems, ensuring managerial control, and promoting health system accountability.”[45]

Currently healthcare professionals use their medical education and training to diagnose patients; the use of big data analytics could ease the transition from evidence-based medicine (EBM). EBM is the standard of current healthcare models and it “involves systematically reviewing clinical data and making treatment decisions based on the best available information.”[46] Big data can change the way doctors diagnose patients by using EHR: “by mining the world of practice-based clinical data — i.e. actual patient records — for information on who has what condition and what treatments are working, we could learn a lot about the way we care for individuals.”[47]

The challenge is how we take all that patient information, which could be as much as 80% unstructured data, and make those x-rays, lab results, and doctor’s notes into usable data that algorithms can process.[48] And once we convert the patient information into usable data, how do we input it into a usable database that can be accessible to all disciplines in the healthcare industry? Advent Health Partners is exploring the use of a Healthcare Data Management Tool that would allow for web entry of patient data that could be sorted into a searchable and usable library. The system would allow for disparate patient data to be entered into a web-based system that gives users the “ability to query large amounts of actionable information with immediate results.”[49] The model would give primary care and emergency responders the ability to access critical patient information immediately to tailor medical care based on the patient’s needs.

Figure 4 — Flow chart illustrating the flow of information from the website to the information library in the Healthcare Data Management Tool.[50]

A system that offers the capability to bridge the gap between institutional silos and improve communication between medical professionals can be invaluable to large healthcare providers. One such government-controlled organization that can benefit from EMR and practice-based clinical data is the U.S. Department of Veterans Affairs (VA). The VA is huge, with an estimated 2017 budget of $182.3 billion to service almost 9 million medically connected veterans annually.[51] The VA manages 144 hospitals and 1,221 outpatient centers nationwide. The management of patient data is critical to its success in providing medical care to our nation’s wounded warriors. However, the VA does not have a great track record for providing patient care. Scandals have plagued the VA for the past few years, with several high-ranking administrators facing dismissal due to the department’s failure to properly care for our nation’s veterans.[52] In 2014, nearly 300 veterans died waiting for medical care in Phoenix, Arizona.[53]

Tragedies from medical oversight, skyrocketing healthcare costs, and the emergence of evidence-based medicine, “a system in which treatment decisions for individual patients are made based on the best scientific evidence available, are causing a tipping point in the healthcare field towards the use of big data.”[54]

Figure 5 — Health Care and Big Data tipping point.[55]

A framework now exists to aggregate patient information, store it, extract big data from it and share it, but the important work begins on how to secure it. Considering that “in 2014, medical records accounted for 43% of all data stolen and the healthcare sector has seen the biggest increase in data theft since 2010,” the way we secure our healthcare data is of paramount importance.[56]

V. Cybersecurity Challenges to Healthcare Data Optimization — Jake Hallgarth

Among the dozens of emails Medical Records Technicians receive daily, this one did not seem out of the ordinary. The email had an invoice attached and explained the information was to remit payment for medical services. However, once the attachment was opened, a small piece of Visual Basic Script reached out to a predetermined website and began to download a file encryptor, known as Locky, onto the unsuspecting computer. Once downloaded and executed, the malware renamed itself and set a registry value to continue the Locky process even if someone detected the malware and restarted the computer. Once fully downloaded, Locky communicated with an IP address, providing basic information about the computer and receiving in exchange a public key to use in data encryption. Locky then scrambled all the files on the computer using an AES-128 cipher that could only be broken with the decryption key. Within minutes of opening the invoice attachment, the surprised employee received a pop-up screen message stating that all the computer files were encrypted and demanding 3.6 million dollars in bitcoin to release the files.

This happened to the Hollywood Presbyterian Medical Center in February 2016. While it isn’t clear how many Electronic Health Records were held ransom, the medical center did end up paying $17,000 in bitcoins to have the files decrypted. According to the Hollywood Presbyterian Medical Center CEO Allen Stefanek, “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key.”[57] The Hollywood Presbyterian Medical Center was lucky; negotiating with ransomware attackers doesn’t always work out. In May 2016 another medical center, the Kansas Heart Hospital in Wichita, had a similar ransomware attack. The hospital paid to get the files back but only received “partial access” as well as a demand for more money.[58]
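The chain narrated at the start of this section (script-driven download, self-rename, registry persistence, contact with an IP address, bulk file rewriting) can be watched for as a sequence on a single host. The following is an added example, not part of the original paper: a small correlator over constructed endpoint events, in which the event schema, host names, file paths and thresholds are all assumptions.

```python
import ipaddress
import ntpath

# The event schema (ts, host, type, proc, path, ...) and every value below are
# assumptions of this example, not the format of any real logging product.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # Windows script interpreters
WINDOW = 600             # seconds; the article says "within minutes"
REWRITE_THRESHOLD = 50   # distinct files rewritten by the dropped binary


class HostState:
    def __init__(self):
        self.start = None       # timestamp of the script-driven download
        self.payloads = set()   # dropped binary path(s), including renames
        self.stages = []        # stages in the order first observed
        self.rewritten = set()  # distinct files the payload has rewritten

    def mark(self, stage):
        if stage not in self.stages:
            self.stages.append(stage)


def is_bare_ip(dest):
    """True when the destination is an IP literal rather than a hostname."""
    try:
        ipaddress.ip_address(dest)
        return True
    except ValueError:
        return False


def correlate(events):
    """Return {host: [stages seen]} by following the dropped binary per host."""
    hosts, found = {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        st = hosts.setdefault(host, HostState())
        if st.start is not None and ev["ts"] - st.start > WINDOW:
            st = hosts[host] = HostState()           # stale chain: start over
        kind, proc = ev["type"], ev["proc"].lower()
        path = ev.get("path", "").lower()
        if (kind == "download" and ntpath.basename(proc) in SCRIPT_HOSTS
                and path.endswith(".exe")):
            if st.start is None:
                st.start = ev["ts"]
            st.payloads.add(path)
            st.mark("script_download")
        elif kind == "rename" and path in st.payloads:
            st.payloads.add(ev["new_path"].lower())  # keep tracking after rename
        elif proc in st.payloads:                    # only the dropped binary
            if kind == "reg_set" and ev.get("autorun"):
                st.mark("autorun_set")
            elif kind == "connect" and is_bare_ip(ev["dest"]):
                st.mark("key_fetch")
            elif kind == "file_write":
                st.rewritten.add(path)
                if len(st.rewritten) >= REWRITE_THRESHOLD:
                    st.mark("mass_rewrite")
        if len(st.stages) > len(found.get(host, [])):
            found[host] = list(st.stages)            # survives a later reset
    return found


def alerts(events, min_stages=3):
    """Hosts with at least min_stages matched, i.e. before encryption finishes."""
    return sorted(h for h, s in correlate(events).items() if len(s) >= min_stages)


def sample_events():
    """Constructed telemetry: one infected workstation, one benign, one stale."""
    drop = r"C:\Users\mrt\AppData\Local\Temp\invoice.exe"
    moved = r"C:\Users\mrt\AppData\Local\Temp\updater.exe"
    old = r"C:\Users\bill\AppData\Local\Temp\setup.exe"
    ev = [
        {"ts": 0, "host": "mr-ws-01", "type": "download",
         "proc": r"C:\Windows\System32\wscript.exe", "path": drop},
        {"ts": 5, "host": "mr-ws-01", "type": "rename", "proc": drop,
         "path": drop, "new_path": moved},
        {"ts": 6, "host": "mr-ws-01", "type": "reg_set", "proc": moved,
         "autorun": True},
        {"ts": 9, "host": "mr-ws-01", "type": "connect", "proc": moved,
         "dest": "192.0.2.10"},                      # documentation-range IP
        # Stale chain: the follow-up happens two hours after the download.
        {"ts": 0, "host": "bill-ws-03", "type": "download",
         "proc": r"C:\Windows\System32\cscript.exe", "path": old},
        {"ts": 7200, "host": "bill-ws-03", "type": "reg_set", "proc": old,
         "autorun": True},
    ]
    ev += [{"ts": 10 + i, "host": "mr-ws-01", "type": "file_write",
            "proc": moved, "path": rf"C:\Records\chart_{i}.pdf"}
           for i in range(60)]
    # Benign: a backup agent rewriting many files was never dropped by a script.
    ev += [{"ts": 20 + i, "host": "lab-ws-07", "type": "file_write",
            "proc": r"C:\Program Files\Backup\agent.exe",
            "path": rf"D:\Labs\result_{i}.csv"} for i in range(80)]
    return ev
```

With the default `min_stages=3` the alert fires once the download, persistence and key-fetch stages line up, which is before the bulk rewrite threshold is reached.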

The Value of Healthcare Data

Healthcare data is a prime target for criminals. Unlike a stolen credit card or Facebook account, you can’t just simply get a new medical history. Likewise, health data needs to be accessible at a moment’s notice. As the staff at Hollywood Presbyterian Medical Center learned, even a week without access to health records is too long. Between April and June of 2016 a stunning 88 percent of ransomware cases globally targeted health care organizations.[59] According to researchers at Forcepoint and Duo Security, the healthcare industry sees 340% more cybersecurity incidents than the average industry. Meanwhile, the industry continues to spend only three percent of its IT budget on cybersecurity (recommended amount is 10%) and healthcare organizations are four times more likely to run outdated software, such as older versions of Internet Explorer, than other industries.[60] Ransomware attacks may be the most visible, but lost, stolen, or altered health data could lead to insurance fraud, drug abuse, financial gain, or even targeted attacks. In fact, this may already be occurring, as researchers found medical data is worth ten times more than other data on the black market.[61]

The importance of securing medical information is not a new concept. As mentioned in Chapter II, the 1996 Health Insurance Portability and Accountability Act (HIPAA) requires health care providers to protect and secure patient information.[62] HIPAA also mandates transition of paper medical records and charts into Electronic Health Records. Not only could this potentially increase the security of this data, it also holds the future promise of aggregated health care data from sources as varied as wearable devices, pharmacies, and medical clinics. The possibilities of seamless data could revolutionize personal healthcare, to include near real-time monitoring and treatment of patients and big data analytics to better understand and protect against pandemics. However, poor cybersecurity continues to be a major hurdle to moving toward these goals.

Securing Digital Healthcare Data

Barriers to securing digitized healthcare data can be divided into two broad categories: business barriers and technical barriers. These challenges are not unique to health care practitioners. Many industries, to include critical infrastructure, are facing identical hurdles as they look to leverage the benefits of data analytics and data aggregation. However, for the healthcare industry, business barriers may be the hardest to overcome. In her Naval Postgraduate School thesis, Catherine Chiang researched two of these business barriers unique to healthcare: data silos and legislative hurdles.[63]

Business Barriers

Data silos exist within the healthcare industry. Each healthcare provider is responsible for the healthcare information they collect. Patients do not have ownership of all the information. HIPAA mandates individuals have the right to access, amend, or copy medical records, but healthcare providers are the owners of the records, and the records and information are considered business data.[64] This becomes even more of an issue for non-medical record healthcare data (such as that generated by Apple or Fitbit), which typically belongs to the individuals or businesses that created the information.[65] Healthcare providers and corporations have little or no incentive to enable integration with other data sources. Not only does this prevent aggregation of healthcare data, it also leads to haphazard and non-standard approaches to cybersecurity.

Chiang points out that the current regulation regarding safeguarding health care data was drafted prior to the digitization of healthcare information.[66] As a result, there is little legislation to require sound cybersecurity practices. HIPAA does require healthcare organizations to implement certain general technical safeguards such as access control, audit mechanisms, integrity safeguards, access authentication, and transmission security.[67] Yet very little legislative guidance exists concerning what is reasonable and what may be considered willful neglect on behalf of the healthcare industry when data breaches do occur. Simply put, current legislation is of little use in influencing the healthcare industry or private corporations to protect healthcare data commensurate with the value of the data to criminal organizations.

Healthcare businesses have very little reason to be diligent with cybersecurity. They also have incentives not to optimize healthcare data into Electronic Medical Records. The public has more confidence in health care providers safeguarding their medical information than any other industry (figure 1).[68] At the same time, health care regulations require strict data breach notifications, which lead to highly visible incidents, such as the ransomware attack mentioned earlier, which can erode trust in medical providers.[69] These two factors work together to discourage the healthcare industry from taking additional risks of digitizing medical information. Likewise, digital optimization of healthcare data may lead to issues regarding the large amount of data (aggregation of personal medical devices), duplicate data (multiple x-ray charts), and data reliability (multiple care providers lead to multiple diagnoses).[70] As Chiang notes in her thesis, “consumers’ lives could be seriously threatened if healthcare professionals and researchers used falsified or altered data to derive treatment plans and medical findings.”[71] Any of the above-mentioned concerns might lead to a misdiagnosis and possible litigation. Additionally, from a business model perspective, digital optimization will eventually lead to integration and a loss of business advantage as more individuals are empowered to move between providers and caregivers. Current conditions ensure it will be an uphill battle to get corporations fully onboard with digitization of healthcare data.

Figure 1, public trust in healthcare protection of sensitive data

Technical Barriers

The healthcare sector faces many of the same technical challenges to safeguarding data as other sectors such as financial, government, and e-commerce businesses. As in all industry sectors, malicious actors may use a variety of attack methods such as email, compromise of a trusted website or partner computer, denial of service attacks, or an insider threat. However, unlike in non-healthcare industries, the stakes of lost or altered medical data are much higher. In addition to financial consequences, literal lives could be at stake if information isn’t safeguarded properly.

The technical solutions to healthcare cybersecurity challenges will look very similar to other industry solutions to this same challenge. Effective cybersecurity will require defense in depth to ensure the confidentiality, integrity, and availability of healthcare data. Accessing the data will require proper training and authorization as well as audit controls to monitor and review access. Data at rest will need strong encryption, and mechanisms will need to be emplaced to corroborate that electronic health data has not been altered or destroyed. Some form of effective biometrics or multi-factor authentication will be needed to ensure person or entity authentication to the information. Data in motion will need security measures to prevent and detect unauthorized tampering. Healthcare IT needs to spend more on the detection and prevention of malware, ensuring its systems and antivirus software are up to date. Healthcare employees will need cyber awareness training on a recurring basis to ensure they don’t inadvertently compromise the computer systems. Likewise, employees should be restricted in what they can access to limit any damage when malware infections do occur.
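As an added illustration (not code from this paper or from any source it cites), the sketch below shows one way to combine two of the requirements above: audit controls over record access and a mechanism to corroborate that data has not been altered or destroyed. It assumes an HMAC-SHA256 hash chain over access events; the key, field names and sample events are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption). In practice the key would live in an
# HSM or key-management service, not on the host that stores the log.
AUDIT_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # "previous tag" value for the first entry


def _tag(key, seq, prev_tag, event):
    """HMAC over the sequence number, the previous tag and the canonical event."""
    body = json.dumps({"seq": seq, "prev": prev_tag, "event": event},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def append_event(log, key, user, action, record_id, timestamp):
    """Append one access event, chained to the entry before it."""
    prev_tag = log[-1]["tag"] if log else GENESIS
    event = {"user": user, "action": action, "record": record_id, "ts": timestamp}
    seq = len(log)
    entry = {"seq": seq, "prev": prev_tag, "event": event,
             "tag": _tag(key, seq, prev_tag, event)}
    log.append(entry)
    return entry


def verify_log(log, key, expected_head=None):
    """Return (index, problem) findings; an empty list means the log is intact.

    expected_head is the last tag, kept somewhere the log host cannot write
    (for example a separate audit server), so truncation is detectable.
    """
    findings = []
    prev_tag = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i:
            findings.append((i, "sequence gap: entry removed or reordered"))
        if entry["prev"] != prev_tag:
            findings.append((i, "chain break: previous entry changed or missing"))
        good = _tag(key, entry["seq"], entry["prev"], entry["event"])
        if not hmac.compare_digest(good, entry["tag"]):
            findings.append((i, "tag mismatch: entry altered"))
        prev_tag = entry["tag"]
    if expected_head is not None and prev_tag != expected_head:
        findings.append((len(log), "head mismatch: log truncated or replaced"))
    return findings


def sample_log():
    """Three constructed access events against constructed record IDs."""
    log = []
    append_event(log, AUDIT_KEY, "nurse_a", "read", "MRN-0001", "2017-01-10T08:00:00Z")
    append_event(log, AUDIT_KEY, "dr_b", "update", "MRN-0001", "2017-01-10T08:05:00Z")
    append_event(log, AUDIT_KEY, "clerk_c", "read", "MRN-0007", "2017-01-10T09:30:00Z")
    return log


if __name__ == "__main__":
    log = sample_log()
    head = log[-1]["tag"]
    print("intact:", verify_log(log, AUDIT_KEY, head))
    log[1]["event"]["record"] = "MRN-0002"  # simulate an edited entry
    print("edited:", verify_log(log, AUDIT_KEY, head))
```

The chain detects edited and removed entries on its own; detecting a log cut short at the end depends on the head tag being stored apart from the log.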

Possible Solutions

In addition to legislative and regulatory solutions to change the incentive model for healthcare providers, data security experts have identified the importance of secure healthcare data. In a white paper published in 2014, Symantec Corporation analyzed various security issues with safeguarding healthcare data and provided a number of recommendations for both users and service providers of the data.[72] Symantec’s recommendations for users resemble those for safeguarding any digital information: effective passwords, device-based security measures, full device encryption, and installing updates whenever possible. For service providers, example mitigation recommendations include building in security from the start, using secure protocols when transmitting data, and following secure coding practices.[73] Another recommendation includes industry support for digital certificates and PKI data encryption to secure collection of health data to help with authentication and interoperability of patient data.[74] A third recommendation discusses technical solutions to anonymize and aggregate health data before it is collected to mitigate privacy concerns for centralized storage.[75]

A more radical solution that breaks away from the traditional business model is allowing patients to own their own database of personal health data, sort of like an electronic dog tag. While currently the vast majority of patients may be poorly motivated to take control of their own health data, some consumer-facing Electronic Health Record aggregation tools such as Prime and Picnic Health have already entered the market.[76] Incentivizing personal health data management may require financial or efficiency improvements, in addition to the lower costs, greater convenience, and the better care that will likely occur. However, unlike much other industry data, an argument can be made that healthcare data belongs to the individual and, as such, the individual has the responsibility to maintain and secure the data. This approach would solve many of the technical and motivational cybersecurity challenges but would introduce other hurdles such as ensuring everyone has the ability to maintain their data and ensuring the data is updated and can be accessed in an emergency.

Ultimately, any successful solution will need to be a combination of technical, legislative, and regulatory changes. Until the healthcare industry is motivated to optimize healthcare data through digitization, a comprehensive, industry-wide solution is doubtful. As discussed in chapter III, the legislative challenges are constantly evolving and HIPAA must be reassessed constantly to ensure it is effective. However, there is hope. As an example, online financing did not exist prior to the passage of current laws regulating electronic financial services.[77] Even greater than online financing, the potential rewards of optimized healthcare are worth the effort to overcome the legislative and technical cybersecurity challenges.

VI. Conclusion — Thomas Landry

In a utopian world everyone’s medical records would be secured electronically, safely, and available at the touch of a button from anywhere in the United States. The potential benefits are intoxicating and include instantaneous access of records and diagnostic tests, potentially lower costs, and reduced medical errors. Unfortunately, the current state of health care records management falls far short of that ideal.

Since 2009 the federal government has spent over $30 billion in taxpayer funds in an attempt to incentivize the shift to digital medical records.[78] From 2009–2013, this government spending has assisted in increasing digitization in doctors’ offices from 17 to 48% and even more impressively from 13 to 70% in hospitals.[79] This rapid push to digitization, although significant, has also opened up vulnerabilities that pose the greatest risk to the future expansion of medical record optimization. According to the Department of Health and Human Services (HHS), over 32 million individuals have had their medical privacy compromised electronically since 2009. HHS has been aggressively meting out fines to companies that are failing to comply with HIPAA, but organizations continue to fall victim to data breaches using both old school techniques and new ones such as ransomware.

The current trend of medical record digitization will continue as the benefits become more apparent to the healthcare industry and public. The speed at which this transformation occurs will largely depend on two main factors: legislative mandates and cybersecurity. Legislative requirements placed upon the healthcare industry will continue to push the progress towards a more completely digitized system; however, privacy and security will remain the primary concerns in this space. The ability to protect sensitive medical records, while still keeping them available, will continue to be the single greatest impediment to a completely digital medical system. The Federal government should continue to support private corporations with best practice guidance, but also serve as the enforcement arm to hold them accountable when they fail to uphold their legal responsibilities. The healthcare industry needs to be properly incentivized to protect the critical medical records of their clients. A big part of this incentive will be civil and potentially even criminal penalties (although rare) against corporations and corporate leadership.

This paper has outlined the current healthcare data digitization status, legal framework, best practices, and the serious risks that cybercriminals pose to patients’ information. Each section has been critical to understanding not only the current state of medical data optimization, but the hurdles that exist in the future expansion of this important improvement to our health care system.

Bibliography

Basel Kayyali, David Knott, and Steve Van Kuiken. “The big-data revolution in US health care: Accelerating value and innovation.” McKinsey & Company. Accessed December 26, 2016. http://www.mckinsey.com/industries/healthcare-systems-and-services/our-insights/the-big-data-revolution-in-us-health-care.

Boyer, Dave. “VA still plagued by problems two years after scandal.” The Washington Times. April 3, 2016. Accessed December 26, 2016. http://www.washingtontimes.com/news/2016/apr/3/va-still-plagued-by-problems-two-years-after-scand/.

Garrett, Peter, and Joshua Seidman. “EMR vs EHR — What is the Difference?” Health IT Buzz. April 1, 2011. Accessed December 26, 2016. https://www.healthit.gov/buzz-blog/electronic-health-and-medical-records/emr-vs-ehr-difference/.

Jee K, Kim GH. Potentiality of Big Data in the Medical Sector: Focus on How to Reshape the Healthcare System. Healthc Inform Res. 2013 Jun;19(2):79–85. https://doi.org/10.4258/hir.2013.19.2.79

Marr, Bernard. “How Big Data Is Transforming Medicine.” Forbes. February 16, 2016. Accessed December 26, 2016. http://www.forbes.com/sites/bernardmarr/2016/02/16/how-big-data-is-transforming-medicine/#4f3222131cd4.

Mason, Moya K. “What Can We Learn from the Rest of the World? A Look at International Electronic Health Record Best Practices.” What Can We Learn from the Rest of the World? A Look at International Electronic Health Record Best Practices — ehr, trends, barriers, standards, lessons learned. 2016. Accessed December 26, 2016. http://www.moyak.com/papers/best-practices-ehr.html.

Rowley, Robert. “Universal Health Data Platforms is the “Holy Grail” of Interoperability?” Universal Health Data Platforms is the “Holy Grail” of Interoperability? February 02, 2015. Accessed December 26, 2016. http://hitconsultant.net/2015/02/02/op-ed-universal-health-data-and-hies/.

Sohr, James Martin. Healthcare Data Management Tool. US Patent US20160085919 A1, filed September 18, 2015.

[1] “Milestones of the Health Insurance Portability and Accountability Act” — HIPAA Journal — 2016 — http://www.hipaajournal.com/wp-content/uploads/2015/05/hippajournal-histor-hipaa.png

[2] http://www.usfhealthonline.com/resources/key-concepts/what-is-e-health/#.WHLUUlMrLIU

[3] https://www.healthit.gov/providers-professionals/faqs/what-electronic-health-record-ehr

[4] http://www.reuters.com/article/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924

[5] https://www.princeton.edu/~ota/disk2/1985/8503/8503.PDF

[6] “Milestones of the Health Insurance Portability and Accountability Act” — HIPAA Journal — 2016 — http://www.hipaajournal.com/wp-content/uploads/2015/05/hippajournal-histor-hipaa.png

[7] “HIPAA turns 10: Analyzing the past, present, and future impact” — Daniel J. Solove — AHIMA — http://library.ahima.org/doc?oid=106325#.WEutJvkrKM8

[8] “Guide to privacy and security of electronic health information” — The Office of the National Coordinator for Health Information Technology — 2015 — https://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf

[9] “Office-based Physician Electronic Health Record Adoption: 2004–2014” — HealthIT — 2014 — https://dashboard.healthit.gov/quickstats/pages/physician-ehr-adoption-trends.php

[10] “Are there penalties for providers who don’t switch to EHRs” — HealthIT.gov — 2013 — https://www.healthit.gov/providers-professionals/faqs/are-there-penalties-providers-who-don%E2%80%99t-switch-electronic-health-record

[11] “Workflow and Electronic Health Records in Small Medical Practices” — Mala Ramaiah, MD — 2012 — AHIMA — http://perspectives.ahima.org/workflow-and-electronic-health-records-in-small-medical-practices/

[12] “mHealth” — TechTarget — 2016 — http://searchhealthit.techtarget.com/definition/mHealth

[13] “Your mobile device and health information privacy and security” — HealthIT.gov — 2014 — https://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security

[14] “Health Information Exchange (HIE)” — HealthIT.gov — 2014 — https://www.healthit.gov/providers-professionals/health-information-exchange/what-hie

[15] “Health Information Exchange (HIE)” — HealthIT.gov — 2014 — https://www.healthit.gov/providers-professionals/health-information-exchange/what-hie

[16] Ibid

[17] Ibid

[18] “The HIPAA Privacy Rule and Electronic Health Information Exchange in a Networked Environment” — HHS.gov — publishing date unknown — http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/special/healthit/collectionusedisclosure.pdf

[19] Ibid.

[20] http://hipaa.bsd.uchicago.edu/background.html

[21] https://aspe.hhs.gov/report/health-insurance-portability-and-accountability-act-1996

[22] http://www.legalarchiver.org/hipaa.htm

[23] https://aspe.hhs.gov/report/health-insurance-reform-standards-electronic-transactions

[24] Ibid

[25] http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/general-overview/index.html

[26] Ibid

[27] Ibid

[28] http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/general-overview/index.html

[29] http://www.hhs.gov/hipaa/for-professionals/privacy/index.html

[30] http://www.wvdhhr.org/hipaa/images/hipaatimeline.jpg

[31] Ibid

[32] http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/srnprm.pdf?language=es

[33] Ibid

[34] http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/securityrulepdf.pdf?language=es

[35] http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/securityrulepdf.pdf?language=es

[36] http://library.ahima.org/doc?oid=106325#.WD33ok0zUiQ

[37] Ibid

[38] Ibid

[39] Ibid

[40] Robert Rowley, “Universal Health Data Platforms is the “Holy Grail” of Interoperability?,” Universal Health Data Platforms is the “Holy Grail” of Interoperability?, February 02, 2015, accessed December 26, 2016, http://hitconsultant.net/2015/02/02/op-ed-universal-health-data-and-hies/.

[41] Peter Garrett and Joshua Seidman, “EMR vs EHR — What is the Difference?,” Health IT Buzz, April 1, 2011, accessed December 26, 2016,

[42] Ibid

[43] Moya K. Mason, “What Can We Learn from the Rest of the World? A Look at International Electronic Health Record Best Practices,” What Can We Learn from the Rest of the World? A Look at International Electronic Health Record Best Practices — ehr, trends, barriers, standards, lessons learned, 2016, accessed December 26, 2016, http://www.moyak.com/papers/best-practices-ehr.html.

[44] https://healthdataalliance.com/wp-content/uploads/2016/07/Health_Data_Alliance_Press_Release_FINAL.pdf

[45] Jee K, Kim GH. Potentiality of Big Data in the Medical Sector: Focus on How to Reshape the Healthcare System. Healthc Inform Res. 2013 Jun;19(2):79–85. https://doi.org/10.4258/hir.2013.19.2.79

[46] Ibid

[47] Bernard Marr, “How Big Data Is Transforming Medicine,” Forbes, February 16, 2016, accessed December 26, 2016, http://www.forbes.com/sites/bernardmarr/2016/02/16/how-big-data-is-transforming-medicine/#4f3222131cd4.

[48] Ibid

[49] James Martin Sohr, Healthcare Data Management Tool, US Patent US20160085919 A1, filed September 18, 2015.

[50] Ibid page 2

[51] http://www.va.gov/vetdata/docs/Quickfacts/Homepage_slideshow_06_04_16.pdf

[52] Dave Boyer, “VA still plagued by problems two years after scandal,” The Washington Times, April 3, 2016, accessed December 26, 2016, http://www.washingtontimes.com/news/2016/apr/3/va-still-plagued-by-problems-two-years-after-scand/.

[53] Ibid.

[54] Basel Kayyali, David Knott, and Steve Van Kuiken, “The big-data revolution in US health care: Accelerating value and innovation,” McKinsey & Company, 3, accessed December 26, 2016, http://www.mckinsey.com/industries/healthcare-systems-and-services/our-insights/the-big-data-revolution-in-us-health-care.

[55] “The big-data revolution in US health care: Accelerating value and innovation,” 2.

[56] Marr, “How Big Data Is Transforming Medicine.”

[57] Joseph Conn, “Hospital Pays Hackers $17,000 to Unlock EHRs Frozen in ‘Ransomware’ Attack,” Modern Healthcare, February 17, 2016.

[58] Justin Pot, “Ransomware Attackers Refuse to Decrypt Hospital’s Files After Being Paid Off,” Digital Trends, May 24, 2016

[59] Laurens Cerulus, “Hackers Hold the Health Care Sector Ransom,” Politico, November 29, 2016.

[60] Ibid

[61] Ibid

[62] “Guide to privacy and security of electronic health information” — The Office of the National Coordinator for Health Information Technology — 2015 -

[63] Catherine Chiang, “Securing Healthcare’s Quantified-self: A Comparative analysis Versus Personal Finance Account Aggregators Based on Porter’s Five Forces Framework for Industry Structure,” (master’s thesis, Naval Postgraduate School, 2016).

[64] Health Information & the Law, “Fast Facts” (healthinfolaw.org, August 2015).

[65] Ibid

[66] Chiang, “Securing Healthcare’s Quantified-self,” p. 63.

[67] U.S. Department of Health and Human Services, Office for Civil Rights, “HIPAA Administrative Simplification,” March 26, 2013, http://www.hhs.gov/sites/default/files/hipaa-simplification-201303.pdf

[68] Darren Thomson et al., “Symantec State of Privacy Report 2015,” https://www.symantec.com/content/en/us/about/presskits/b-state-of-privacy-report-2015.pdf

[69] Laurens Cerulus, “Hackers Hold the Healthcare Sector Ransom,” Politico, November 29, 2016.

[70] Valerie Gay and Peter Leijdekkers, “Bringing Health and Fitness Data Together for Connected Healthcare: Mobile Apps as Enablers of Interoperability,” Journal of Medical Internet Research 17, no. 11 (November 18, 2015), doi:10.2196/jmir.5094

[71] Chiang, “Securing Healthcare’s Quantified-self,” p. 27.

[72] Mario Barcena, Candid Wueest, and Hon Lau, “How Safe Is Your Quantified Self?” Version 1.1 White Paper (Symantec Corporation, August 11, 2014).

[73] Ibid, p. 30.

[74] C. Doukas et al., “Enabling Data Protection through PKI Encryption in IoT M-Health Devices,” in 2012 IEEE 12th International Conference on Bioinformatics Bioengineering (BIBE), 2012, 25–29, doi:10.1109/BIBE.2012.6399701.

[75] Carol C. Diamond, Farzad Mostashari, and Clay Shirky, “Collecting And Sharing Data For Population Health: A New Paradigm,” Health Affairs 28, no. 2 (March 1, 2009): 454–66, doi:10.1377/hlthaff.28.2.454.

[76] On Digital Healthcare, “Health Data,” http://ondigitalhealthcare.com/part-II

[77] Chiang, p. 46.

[78] https://www.bostonglobe.com/news/nation/2014/07/19/obama-pushed-electronic-health-records-with-huge-taxpayer-subsidies-but-has-rebuffed-calls-for-hazards-monitoring-despite-evidence-harm/OV4njlT6JgLN67Fp1pZ01I/story.html.

[79] Ibid.
