Earlier this month, University Medical Center in Tucson, Ariz., fired three employees for improperly accessing electronic health records (EHR) of victims of the January 8 shooting spree that shocked the nation. The incident served as a conspicuous reminder of a top concern about digitized medical records: the potential for security and privacy breaches.
Because the federal government has been the central force behind the effort to design and adopt a national system of interoperable medical records, the burden of making certain that e-medical records platforms and networks are secure falls largely on the agency stakeholders in the development of the system.
The federal program to digitize health information and exchange it electronically across many organizational boundaries encompasses a huge number of agencies: more than 25 are involved directly or indirectly with the delivery of healthcare services, ranging from the Defense Department and the Veterans Administration to the Health and Human Services Department and the Social Security Administration.
While the benefits of electronic health records have been widely touted, and health IT is high on President Obama's priority list -- the goal is that every citizen have an electronic health record by 2014 -- the reality of a national system of interoperable e-health records is still on the distant horizon and progress at individual agencies is uneven. But, as health IT evolves, agency managers have to ensure security is baked into their new requirements, said Dr. Wendell Ocasio, head of healthcare strategy for Agilex Technologies Inc. and former chief architect of DOD's $4 billion electronic health record program.
"Managers need to understand that, in this day and age, they need to look at a security-in-depth posture, which means there have to be multiple layers of security, starting at the human level -- better procedures and training -- all the way to encryption at rest and encryption in transit," he said. "It ends up being a combination of these kinds of techniques, so that if you have multiple layers of security that prevent a breach, even if one of the levels breaks down."
Ocasio also said that growing use of mobile technologies by employees in the federal government and healthcare providers poses new hurdles for securing and exchanging health data. "The level of security in most smartphones and mobile devices is nothing like what we're used to," he said. "You have to understand how to transform the eco-system of those devices to comply with more stringent security requirements [under health IT]."
Scott Lundstrom, vice president of research for health industry insights at IDC, offered this advice for securing health data across agency systems:
- Reduce the scope of the health IT environment that has to be secured; rationalize applications, consolidate data centers and virtualize hardware. "If you can reduce the scope up front, you can save a lot of effort down the road," he said.
- Storage: Consider moving large electronic medical archives to third-party providers that offer exceptionally robust security architectures. For example, the Military Health System's MiCare pilot program has enlisted Google and Microsoft Corp. to provide health-records databases.
About the author: Richard W. Walker is a freelance writer based in the Washington, D.C., area who has been covering issues and trends in government technology for more than 10 years.
This was first published in January 2011