Health care providers, already grappling with information security, could see their responsibilities expand as demand grows for patient data access.
Federal policies require physicians and hospitals to make health care data available to patients. And with the increasing use of electronic health records, that handoff increasingly will take place online. A certain degree of electronic access already is required under Stage 1 of the federal government's meaningful use EHR incentive program; that impetus will expand under Stage 2.
Industry executives expect that much of the patient data dissemination will take place through Web-based portals. For many health care providers, this will represent new ground. Hospital and medical practice websites traditionally have been informational, rather than access-oriented. Providers, accordingly, will need to step up their information security and privacy measures.
Jared Rhoads -- senior research specialist at the CSC Global Institute for Emerging Healthcare Practices -- said some health care facilities have been providing patient data access and attending to the associated security issues for some time. But those providers represent the exception, not the rule.
"Certainly, the vast majority of people have not plunged into [patient data access], so it is new for them," he said. "Now, with all the new meaningful use measures, that is absolutely going to blow this wide open and make this something that everyone is going to be concerned about."
A Call for Access
In August, CMS published the final rule governing Stage 2 of the meaningful use program, which goes into effect in 2014. Stage 1 criteria call for physicians and hospitals to provide patients an "electronic copy of their health information." Stage 2 changes that language. Physicians must provide patients with the means to "view online, download and transmit their health information." Hospitals must offer the same service to patients regarding hospital admissions.
The government's escalating demand for patients' access to health data can be seen in other policy statements as well.
HHS' Office for Civil Rights in May issued a memo underscoring patient's right to information and encouraging consumers to obtain a copy of their health record -- whether paper or electronic. That message reiterates language in the HITECH Act of 2009, which gives patients the right to request health data in an electronic format if the provider is equipped with an EHR.
The access directives appear to be pushing health care providers toward portals as the mechanism for allowing patients to view and download their health data.
Mac McMillan -- CEO of CynergisTek, a health care IT security firm -- said a number of health systems already have established patient portals, pivoting off their EHR systems.
"I think patients are going to embrace the ability to go online and set up their appointments and get their meds and check their test results and communicate with their doctors," he said.
But the portal push comes with a privacy and security burden.
"A patient portal, by its nature, has to accept a connection from the public on the open Internet and that brings you into the realm of Web security," Sadik Al-Abdulla, senior manager with CDW's security practice, said, adding, "It is the exact same threat landscape that major retailers face, that government agencies face."
Securing the Portal
McMillan suggested three core elements for portal security.
- User Authentication -- "If you are going to provide good access control, there has to be a way on the portal for patients to authorize uniquely to the portal, such that they are only looking at their own information and not somebody else's," McMillan explained.
- Secure Transport -- A portal that allows users to download information must provide a secure, encrypted connection between patient and portal. This is often accomplished through a virtual private network (VPN) or a gateway that's part of the provider's network.
- Auditing and Integrity Control -- Providers need to be able to audit what a user has done with the information obtained through a portal -- what they have looked at and what they have changed. If a patient is able to enter or alter his or her health data, integrity control provides a way to verify the information. The EHR linked to the portal retains a patient's previous data so they can be compared with the new data. If a patient with a penicillin allergy inadvertently changes the health record to indicate no such allergy, the system can flag the problem.
"Integrity is one of the biggest issues when you start allowing greater access to the information," McMillan said. "You need to have a way to absolutely verify changes so they don't create health issues."
Rhoads, meanwhile, cited network scanning and monitoring as a key portal security measure. The idea is to scan for suspicious activity, such as a series of unsuccessful logins at an odd hour from an IP address outside of the country.
Privacy, Security and Responsibility
Some health care facilities -- academic medical centers, for example -- might develop their own portals and must assume responsibility for building in privacy and security controls. But many health care providers will turn to vendors for help in deploying portals. EHR vendors often include portal technology as part of their systems.
For a health care provider invested in an EHR system, "it becomes a pretty natural add-on to stick with the same vendor for the portal part," Rhoads said.
Third-party health care portal vendors also are an option. In both cases, product vendors should provide the fundamentals of security -- authentication, auditing and integrity checking -- within their portal products.
"The portal should have all of those features encoded in the system itself," McMillan said.
The secure transport component may be part of the portal or provided separately, via VPN, for example.
Physician practices in northern New York are beginning to deploy portals through their EHR systems.
Corey Zeigler -- health IT program manager at the Fort Drum Regional Health Planning Organization -- said the portal use is part of a project to get practices in a three-county area up to speed on EHRs and connected to a regional health information exchange. He said about 95% of the primary care providers in the area are participating.
Security, Zeigler noted, is baked into the vendor-provided portals, including website encryption.
Health care providers aren't entirely off the security hook when they purchase a vendor's product, however. Al-Abdulla commended EHR vendors for bundling security, but that posture only holds for the initial deployment. Hospitals should conduct periodic security assessments and architecture reviews, since the threat landscape and attack vectors constantly change, he said.
Patients have responsibilities as well. The general consensus among industry executives is that the hospital and its business partners are responsible for adequate user authentication, secure data storage and secure data transmission. However, once the data arrive on the patient's computing device, the security job shifts to the user.
"It's the patients' responsibility to make sure they don't upload it to a blog or broadcast it to the world," Rhoads said.