On the tracks of medical data: Electronic records pressure
Privacy breaches related to electronic medical records seem to appear in the news regularly. The Walter Reed Army Medical Center started to notify 1,000 patients of a privacy breach in June. A few days earlier, the University of California San Francisco (UCSF) disclosed that it had to notify more than 3,000 patients of a privacy breach in the Department of Pathology.

These news stories bring to mind a Markle Foundation study released at the end of 2007. Though a majority of Americans believed electronic data can improve care, 80 percent were very concerned about the risk of access without their authorization, including access related to marketing, identity theft and fraud. The Association of American Physicians and Surgeons published a similar study earlier in 2007 that found 70 percent of patients asked doctors to suppress information due to privacy concerns, and 50 percent believed control of their records was already lost.

The pressure to move records to an electronic format is stronger than ever, but at the same time both the risk of privacy violations and public awareness of them are on the rise. In tandem with the shift in opinion come more frequent HIPAA prosecutions by the Department of Justice. The FBI, for example, published a clear warning on April 15, 2008, after a nurse pleaded guilty to unlawful access to patient information:

“What every HIPAA-covered entity needs to realize and reinforce to its employees is that the privacy provisions of HIPAA are serious and have significant consequences if they are violated,” (Jane W.) Duke (United States Attorney for the Eastern District of Arkansas) stated. […] “We are committed to providing real meaning to HIPAA. We intend to accomplish this through vigorous enforcement of HIPAA's right-to-privacy protections and swift prosecution of those who violate HIPAA for economic or personal gain or malicious harm.”

The rapid adoption and evolution of computer-based processes across dispersed and complex health care environments made the confidentiality, integrity and availability of patient data issues of public policy. Privacy of information in health care is a long-standing tenet of medical ethics, of course, but the move to portable electronic formats brought forward a new generation of security and interoperability challenges.

Log management for HIPAA
Patients, as well as practitioners, want to view and modify medical records more freely, but with electronic records it is not immediately clear who else might be looking. Preserving established levels of privacy depends on being able to report who should or should not, and who did and did not, have access to electronic patient medical records. In other words, effective logging is one of the controls that meets the need for electronic protected health information (EPHI) protection and access management. The U.S. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-66 includes the following question about the HIPAA integrity standard (§164.312(c)(1)): “Are current audit, logging, and access control techniques sufficient to address the integrity of the information?”

Effective log management for HIPAA can be described in five steps. First, automate the collection of log data from every system that touches EPHI. Second, consolidate that data into one store with a common format and a common time base. Third, automate analysis of the consolidated data and generate reports on EPHI control and access. These automation goals save considerable operational time on their own and add considerable value to a security team. Fourth, with data collected consistently and analyzed regularly, log management should enable event management, such as monitoring for unauthorized software, failed or unusual login attempts, and other suspicious behavior and discrepancies. Fifth, log management should be used to identify and respond to incidents, with the consolidated record serving as the evidence trail.

A covered entity that intends to maintain the integrity of its EPHI must maintain sufficient security controls to know what happens to EPHI, when it happens, and who (or what) acted on it. Capturing the raw information is the easy part: pull together the logs of all the systems that touch EPHI. The hard part is that this log data comes from many large and growing sources with inconsistent content, time stamps (different time zones, epoch seconds, syslog dates without a year) and formats, so it cannot be correlated until it is normalized. Covered entities therefore need top-level commitment to a log management solution if they are to effectively store patient data and review its access, change and movement patterns.

The success of log management depends on several factors:
  • Senior management support
  • Clear statements of objectives and procedures
  • Security training for log administrators and users
Log management requires not only that a reasonable amount of data be collected (and archived for later review) but also the ability to detect, in near real time, symptoms of abuse or violations. If Walter Reed and UCSF had had effective log management systems, their IT departments could have alerted management immediately to the presence of file-sharing software or to file traffic crossing the network to unauthorized external locations. This is an example of how the use of logs would help satisfy HIPAA's “Protection from Malicious Software, §164.308(a)(5)(ii)(B).” Even if logs revealed file-sharing software only on a system not known to keep EPHI, a management system could pinpoint the systems running it and so lead to a more timely investigation. This use of logs would help satisfy “Security Incident Procedures, §164.308(a)(6)(ii).”
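The five steps above, and the detections just described, can be shown end to end in a few dozen lines. The following Python script is an added illustration written for this article, not code from any product or from the covered entities named. It consolidates three constructed log sources with different formats and time bases (an EHR audit trail in local time with an offset, a firewall CSV export in epoch seconds, and a syslog-style endpoint agent feed that omits the year) into one UTC timeline, then runs three reviews: bulk record viewing by one user, outbound transfers to external addresses on file-sharing ports or of unusual size, and known file-sharing executables reported by the agent. Hosts that appear in both of the last two checks are returned as the first candidates for a security incident procedure. All hosts, users, record numbers, the port list and the executable blocklist are invented for the example and would be replaced by an organization's own inventory.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample logs. Hosts, users and MRNs are fictitious.
# Source A: EHR audit trail, key=value, local time with an explicit UTC offset.
EHR_LOG = """\
2008-06-12 02:14:07 -0400 user=jdoe action=VIEW patient=MRN0001
2008-06-12 02:14:19 -0400 user=jdoe action=VIEW patient=MRN0002
2008-06-12 02:14:31 -0400 user=jdoe action=VIEW patient=MRN0003
2008-06-12 02:14:44 -0400 user=jdoe action=VIEW patient=MRN0004
2008-06-12 02:14:58 -0400 user=jdoe action=VIEW patient=MRN0005
2008-06-12 02:15:10 -0400 user=jdoe action=VIEW patient=MRN0006
2008-06-12 09:03:12 -0400 user=rnurse action=UPDATE patient=MRN0007
"""
# Source B: firewall export, CSV: epoch,src,dst,dport,action,bytes (epoch is UTC).
FW_LOG = """\
1213251240,10.20.30.40,198.51.100.7,6881,allow,48211209
1213251300,10.20.30.40,10.20.30.5,443,allow,1820
1213261392,10.20.30.41,203.0.113.9,443,allow,950
"""
# Source C: endpoint agent, syslog-style timestamps (no year), already in UTC.
AGENT_LOG = """\
Jun 12 06:05:44 ws-path-03 agent: new_process name=limewire.exe user=jdoe ip=10.20.30.40
Jun 12 06:06:10 ws-path-04 agent: new_process name=outlook.exe user=rnurse ip=10.20.30.41
"""


@dataclass
class Event:
    ts: datetime      # always UTC after normalization
    source: str       # "ehr", "fw", "agent"
    kind: str         # "access", "net", or the agent's event name
    fields: dict


def parse_ehr(text):
    pat = re.compile(r"^(\S+ \S+ [+-]\d{4}) (.*)$")
    out = []
    for line in text.splitlines():
        m = pat.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S %z").astimezone(timezone.utc)
        out.append(Event(ts, "ehr", "access", dict(t.split("=", 1) for t in m.group(2).split())))
    return out


def parse_firewall(text):
    out = []
    for line in text.splitlines():
        epoch, src, dst, dport, action, nbytes = line.split(",")
        ts = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
        out.append(Event(ts, "fw", "net", {"src": src, "dst": dst, "dport": int(dport),
                                           "action": action, "bytes": int(nbytes)}))
    return out


def parse_agent(text, year):
    # Syslog-style lines carry no year, so the caller supplies it (an assumption of this example).
    pat = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) agent: (\w+) (.*)$")
    out = []
    for line in text.splitlines():
        m = pat.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        fields = dict(t.split("=", 1) for t in m.group(4).split())
        fields["host"] = m.group(2)
        out.append(Event(ts, "agent", m.group(3), fields))
    return out


def consolidate(*batches):
    """One UTC-ordered timeline across all sources (steps 1 and 2)."""
    return sorted((e for b in batches for e in b), key=lambda e: e.ts)


def bulk_access(events, max_patients=5, window=timedelta(minutes=10)):
    """Users who viewed more than max_patients distinct records inside any window."""
    per_user = defaultdict(list)
    for e in events:
        if e.kind == "access" and e.fields.get("action") == "VIEW":
            per_user[e.fields["user"]].append((e.ts, e.fields["patient"]))
    flagged = {}
    for user, views in per_user.items():
        views.sort()
        for i, (t0, _) in enumerate(views):
            distinct = {p for t, p in views[i:] if t - t0 <= window}
            if len(distinct) > max_patients:
                flagged[user] = len(distinct)
                break
    return flagged


def external_transfers(events, internal, p2p_ports=frozenset({6881, 6969}), min_bytes=10_000_000):
    """Flows to addresses outside `internal` on a file-sharing port (6881/6969 are
    BitTorrent defaults; the list is an assumption) or carrying an unusual volume."""
    return [e for e in events if e.kind == "net"
            and ipaddress.ip_address(e.fields["dst"]) not in internal
            and (e.fields["dport"] in p2p_ports or e.fields["bytes"] >= min_bytes)]


def unauthorized_software(events, blocklist=frozenset({"limewire.exe", "utorrent.exe"})):
    """Agent-reported processes matching a constructed file-sharing blocklist."""
    return [e for e in events if e.kind == "new_process" and e.fields["name"].lower() in blocklist]


def review(events, internal=ipaddress.ip_network("10.20.30.0/24")):
    """Steps 3 to 5: analysis, event detection and correlation into investigation targets."""
    sw, net = unauthorized_software(events), external_transfers(events, internal)
    return {
        "bulk_access": bulk_access(events),
        "unauthorized_software": [(e.fields["host"], e.fields["name"]) for e in sw],
        "external_transfers": [(e.fields["src"], e.fields["dst"], e.fields["dport"]) for e in net],
        # Same host runs blocked software and sends data out: open an incident.
        "hosts_to_investigate": sorted({e.fields["src"] for e in net} & {e.fields["ip"] for e in sw}),
    }


if __name__ == "__main__":
    timeline = consolidate(parse_ehr(EHR_LOG), parse_firewall(FW_LOG), parse_agent(AGENT_LOG, 2008))
    for k, v in review(timeline).items():
        print(f"{k}: {v}")
```

On the constructed data the review flags jdoe for viewing six records in under a minute, the LimeWire process on ws-path-03, and the 6881/tcp transfer from 10.20.30.40 to an external address; because the process report and the flow share an address, that host is returned as the one to investigate first. The point of the example is the normalization step: without converting the EHR's -0400 local time, the firewall's epoch seconds and the agent's year-less syslog dates into one UTC timeline, the 06:05 process start and the 06:14 transfer could not be placed in order, let alone correlated.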

The electronic format of data is a double-edged sword. It brings easier access, which makes it popular, but new barriers and controls against attack must be developed for the electronic medium. The shift to computers has dramatically increased the need for better information security and access controls, such as robust log management, just to preserve the status quo for privacy in health care.