CanadianEMR: EMR Comparisons, Ratings, Directory Services and Expert Discussions

The high cost of security and privacy breaches was made amply evident in a recent article from the California Healthcare Foundation regarding the loss of hard drive from a Veterens Affairs medical facility. A storage device (probably costing less than $200) has resulted in a potential $20 million response.

"The Department of Veterans Affairs has reserved more than $20 million to respond to a recent data breach that could affect nearly one million VA physicians and patients, according to Bob Howard, the department's CIO, Government Executive reports. The breach occurred in January when a hard drive was lost from a VA medical facility in Birmingham, Ala., and was not recovered. The hard drive included sensitive information on any U.S. physician who billed Medicaid or Medicare through 2004 and on more than 500,000 VA patients. "We have no evidence that [information is at risk]...but we don't take the chance," Howard said. A group of about 650,000 physicians and 254,000 veterans in May were notified by mail of the breach and provided with credit monitoring services through a General Services Administration blanket purchase.

The credit monitoring funds will be pulled from the VA's fiscal year 2007 cybersecurity budget, Government Executive reports. Howard said the VA's health information system, called VistA, has weaknesses because it was built when the VA did not worry as much about security. He added that department officials are looking to expedite the modernization process of VistA, which is scheduled to last until at least 2015. The modernization update aims to protect the electronic health records and make them available on the system worldwide via the Internet. The VA's joint project with the Department of Defense on an EHR system has improved the prospects of obtaining more resources from Congress for a VistA upgrade, Howard added. Investigators still are attempting to locate the hard drive and the FBI has offered a $25,000 reward for information leading to its location (Pulliam, Government Executive, 6/14)."

Protecting patient privacy should be a critical objective for all eHealth projects. In this case, it may have been pure negligence that resulted in the loss of the hard drive, but without effective education programs and an educated administrative and provider group, how will data be effectively protected in the future? How do we avoid these types of incidents from happening or reduce the risk of their ocurrence to the barest minimum?

To add your thoughts, click on the 'Comments' link

An NHS trust has adjusted policy in order to allow physicians to more efficiently utilize electronic health record systems by 'sharing smartcards'. This is the reality of a natural tension that exists between the need to deliver care efficiently and the need to protect data and make individuals accountable for their access to systems.

"An NHS trust board has approved the sharing of smartcards, in breach of security policy under the £12.4bn NHS National Programme for IT (NPfIT), because slow log-in times would restrict the time of doctors treating emergency patients.

Paul Cundy, spokesman for the British Medical Association's GP IT subcommittee, said the actions of the trust "drive a coach and horses through the so-called privacy in the new systems". He said, "This is precisely what we have long predicted and shows that security systems, although highly specified on paper, need to be tested against live environments before they can be said to be secure." But Duncan Robinson, director of IT at the trust, said it had decided specifically in Accident and Emergency to slightly depart from what he called security "guidelines" to allow the sharing of smartcards on certain PCs. He said the trust was concerned that logging on could take up to 90 seconds. Without smartcard sharing, if doctors using a secure PC are called away when accessing a file, they may have to log off and on again when they return to it."

Link: NHS security dilemma as smartcards shared - 30/Jan/2007 - ComputerWeekly.com.

Is it possible to have the best of both worlds or do we need to accept a reduced level of security - e.g. shared IDs in a controlled environment, in order to make sure that the systems can operated in a clinical setting?

To add your thoughts or comments, click on the 'Comments' link below.

This article, just published in Technology for Doctors deals with Security of medical records from a vendor perspective. What can be done to more effectively protect data that is stored in EMR. Some common factors emerge, weak passwords, theft of hardware containing sensitive data, good backup policies are the basis for data protection. This is a good review of issues that we currently face.

"Few subjects are more important than computer and network security. Security is an issue for doctors, whether or not they are using EMR solutions. Physicians who continue to use their paper-based record keeping methods are interested because they often cite security concerns as their major reason for not computerizing.

We turned to several respected providers of EMR systems in Canada to get their latest thoughts on how doctors can best protect their data and systems and also to get a better feel for industry trends in security. We spoke with representatives of Wolf Medical Systems, Nightingale, Healthscreen, and Clinicare as well as a noted security expert at Hewlett Packard.

It seems that 2006 has already featured more major security breaches in healthcare than a typical year. No incident has attracted more attention than the temporary loss of a laptop and an external hard drive with 26.5 million patient records belonging to the Veterans Administration in the United States. That in no way diminishes the importance of the cases in Canada that have involved mere tens of thousands of records. The theft or loss of even a few records containing private and sensitive data is an important matter. Link: Technology for Doctors."

To add your thoughts or comments, please click on the 'Comments' link below.

This thought provoking posting was is published on behalf of Dr. David Woolliscroft:

When we went the wireless route I deliberately asked the hardware company to ensure we were secure. We have WEP with 128 bit encryption, mac addressing, firewall, passwords galore, the router and server are locked away the clinic is alarmed - we went the whole way. As part of the Alberta POSP we had to do a Privacy Impact Assesment (PIA), which we did and passed. - Then the Government came to Visit!!!! The visit was triggered by joining the EHR - Electronic Health Record which is a repository for patient data such as labs (which are collected elsewhere). To be honest we don't use it very much at all but it can be useful for the odd patient and it is a way to check for valid health Insurance numbers.

OK, anybody needs advice, but one hopes the 'experts' are able to keep a proper perspective. I don't mean to be ungrateful, however the DRAFT gudelines are 25 pages long and the checklist has 36 items! The checklist items are divided into either Best Practice (mandatory!) or recommended.

We had already completed most of the requirements but a couple of sections I felt were just a little excessive. So I called in the experts and was informed new installations would only be accepted if they complied with all requirements. I thought I would share some of the more interesting points. (By the way, according to the guidlines, these are MANDATORY!!!!!)

Perform comprehensive security assessments at regular intervals .... to fully understand the wireless network security posture.
{Sure we'll just call up our IT department - If I am not seeing patients, working in the ER etc etc I will do it right away}

Ensure external boundary protection is in place around the perimiter of the building or buildings of the organisation.
{Razor wire and mine fields may play havoc with disabled access}

Deploy physical access controls to the building and other secure areas (e.g. photo ID, badge Id reader)
{I wonder if the KGB are still operating??? I guess my receptionist won't recognize the doctors}

Complete a site survey to measure and establish the AP coverage for the organization.
{Hmmm - we had problems connecting our own computers!}

Empirically test AP range boundaries to determine the precise extent of the wireless coverage.
{Is it MANDATORY to screen the pidgeons on the roof?}

PS. Comments in { } are mine.

I respectfully suggest that either these experts are trying to prevent the use of wireless networks - or because they work for Government funded organizations, money, time and resources are no problem. Sensible precautions are entirely reasonable but this is more like Paranoia!

From my perspective the wireless networks offer many advantages. For one, I carry the tablet with me at all times therefore it doesn't get left in an office for someone to play with. Because it is wireless I don't have to log on and off all the time. If I had to use a wired pc I would require several computers (and accesories) several editions of software, even more maintanence and I would spend half my time entering passwords - or Heavens to Betsy - Not bother! By the way I have not swept the office for electronic bugs either!

Eventually an expert came to visit and I put forward my comments on the PIA - which had been available but had not been read. He accepted that a small office probably doesn't need photo ID and a few other items and eventually we were accepted. Duh!

I believe we should follow a common principle seen in other medical areas called ALARP - As Low As Reasonably Practical. But the emphasis is as much on Reasonably as it is on Low. If we let the 'Government' make the all decisions we are likely to end up with something that is neither useful nor affordable. Hmmm they would never do that would they??

Dr. David Woolliscroft

Over the past two years, I have watched the 802.11(x) wireless protocol develop and mature. Currently I use an 802.11b wireless network in my office, which allows me adequate speed to access my EMR. Because of security concerns, I installed a SonicWALL SOHO TZW Internet Security Appliance: Secure Wireless, Firewall, VPN and did not use one of the consumer level wireless routers such as a Linksys or Netgear. The result is that I use a wireless Virtual Private Network to maintain as high a level of security as possible. The difference in cost is quite significant $1000+ for the SonicWall vs. $199 for a consumer level device.

I am concerned that physicians may be installing wireless access points in clinics that provide inadequate security. Even if the WEP encryption is enabled on these access points, the security is not sufficient to guarantee protection of clinical data that may reside in that physician office.

If using a wireless access point in a clinic, physicians should ensure that a careful review process is undertaken to ensure that sensitive data is protected.

With security issues becoming very important as we begin to share information, you may have had an experience that compromised security or has made you more aware of security. Security issues include having your EMR connected to the Internet or using a wireless network. Security also applies to systems you use within the office to protect your data. Would you like to share your experience regarding your EMR system and security concerns? Click on the 'Comments' link below this posting and type your comments into the text box.