Feds: Electronic health records privacy will require metadata scheme

For the first time, the government is propounding a conceptual framework for securing electronic health records.

Both as employers and operators of healthcare networks, Federal agencies are part of the nation's multiyear rollout of electronic health records (EHRs) under the HITECH Act. To be sure, securing and ensuring the privacy of EHRs over a vast health IT network that crosses numerous organizational boundaries is still a work in progress. But, for the first time, the government is propounding a conceptual framework for securing EHRs.

A recent report on health IT and electronic health records privacy by the President's Council of Advisors on Science and Technology concluded that the best way to manage and store electronic health data is to break them down into the smallest individual pieces that make sense to exchange and aggregate, accompanying each unit with a mandatory metadata tag that describes the attributes, provenance and required security and privacy protections of the data. The metadata are inseparable from the data and are inviolable, protected by a digital signature.

According to the council, a key advantage of the tagged data element approach is that it allows a more sophisticated privacy model—one in which privacy rules, policies and applicable data preferences are innately bound to each separate tagged data element and are enforced both by technology and the law. The report also addressed another crucial aspect of security—determining and authenticating the identity of those who access the system.

The council recommended two-factor authentication (a combination of physical credentials, such as smartcards or biometrics, and a password) in the design of a health IT security system. It also advised agencies to incorporate an audit mechanism to record and track the actions taken by principals in the system along with the information used to authorize those actions.

Overall, "a well-designed combination of encryption, authentication [and] authorization…can yield a health IT infrastructure that is secure and where all principals are auditable," the report said.
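The tagged data element model and audit mechanism described above can be sketched in a few lines. This is an added illustration, not code from the report or from any agency system: all names, roles and the sample record are hypothetical, and an HMAC with a shared key stands in for the digital signature the report calls for.

```python
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-key"  # assumption: key held by the data originator

def _canonical(data, metadata):
    # Serialize data and metadata together so one tag covers both.
    return json.dumps({"data": data, "metadata": metadata},
                      sort_keys=True, separators=(",", ":")).encode()

def seal(data, metadata, key=SIGNING_KEY):
    """Build a tagged data element; the tag binds the metadata to the data."""
    tag = hmac.new(key, _canonical(data, metadata), hashlib.sha256).hexdigest()
    return {"data": data, "metadata": metadata, "tag": tag}

def verify(element, key=SIGNING_KEY):
    expected = hmac.new(key, _canonical(element["data"], element["metadata"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, element.get("tag", ""))

def release(element, role, audit_log, key=SIGNING_KEY):
    """Apply the element's own policy and record the decision for audit."""
    if not verify(element, key):
        decision = "deny:integrity"
    elif role in element["metadata"]["allowed_roles"]:
        decision = "allow"
    else:
        decision = "deny:policy"
    audit_log.append({"role": role, "element": element["metadata"]["type"],
                      "decision": decision})
    return element["data"] if decision == "allow" else None

# Constructed sample element (not real patient data).
ELEMENT = seal(
    {"test": "HbA1c", "value": 6.1, "unit": "%"},
    {"type": "lab_result", "provenance": "Example Clinic Lab",
     "allowed_roles": ["treating_physician"]},
)

def demo():
    log = []
    ok = release(ELEMENT, "treating_physician", log)
    blocked = release(ELEMENT, "insurer", log)
    forged = json.loads(json.dumps(ELEMENT))         # copy, then widen the
    forged["metadata"]["allowed_roles"].append("insurer")  # policy unsigned
    tampered = release(forged, "insurer", log)
    return ok, blocked, tampered, [e["decision"] for e in log]
```

Because the tag covers the metadata as well as the data, editing the privacy policy on an element invalidates it just as editing the lab value would, and each decision lands in the audit log either way.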

The pieces of a national health IT system are "starting to come together," according to Amy King, vice president for health IT programs at Northrop Grumman Corp., a key contractor for the Health and Human Services Department's Office of the National Coordinator for Health Information Technology (ONC), which is leading the effort to roll out a national health IT system. But, she says, the process of developing an overall security strategy has been haphazard.

"You have a lot of things converging but really I think it's still fuzzy how all this can work securely," said King.

Northrop Grumman has developed a prototype for the National Health Information Network under a contract with the ONC. Among other government health IT programs, the company also is supporting the development of electronic health records systems at the Defense Department.

Federal agencies must collaborate

Implementing a comprehensive approach to protecting EHRs as they are exchanged among multiple agencies and healthcare providers--ranging from large federal agencies and state and local government offices to insurance companies and rural doctors' clinics--won't be easy.

"The sheer complexity of the health information arena is probably one of the biggest challenges," said Kevin Stine, an information security specialist in the National Institute of Standards and Technology's IT laboratory, which has developed a set of test tools for EHRs. "You've got various state laws, federal laws and all kinds of roles in this. You've got all different types of providers and organizations."

At the 25 federal agencies whose missions touch the healthcare system, managers should work together to develop ideas and strategies to ensure the security of EHRs, King said.

"What's important first of all is that [managers] talk to each other and look for opportunities to collaborate," she said. King also suggested that managers:

  • Partner and brainstorm with industry around private-sector best practices in securing critical information. "Vendors and systems integrators have experience in terms of what works so you don't have to reinvent the wheel," she said. "You can start from a well-documented position and then build from there."
  • Leverage security strategies and lessons learned from DOD and other federal agencies, such as the Veterans Administration, that have been ahead of the game in health IT. "There are programs that have been in place, there are lessons learned, there are case studies, and there is analysis on return on investment," she said.

About the author:
Richard W. Walker is a freelance writer based in the Washington, D.C., area who has been covering issues and trends in government technology for more than 10 years.

This was last published in February 2011
