At first glance, these issues do not appear to be very difficult to solve. The reality is that hospitals and other care environments are complex institutions with complex workflows. A great many staff need immediate access to medical records. These include emergency technicians, admitting staff, doctors, nurses, and back-office personnel in billing and accounting. A quick fix might be to install role based access control (RBAC) mechanisms that allow for fine-grained permissions.
But in a security and remediation effort we conducted for a large health care provider, we discovered that retrofitting RBAC mechanisms into an existing EMR system was actually quite a complex undertaking. Assigning roles is particularly tricky across various hospital departments and personnel. An inadvertent stripping of viewing rights, for example, could result in a surgeon unable to view critical images in the operating theater. That could easily lead to a catastrophe and so ease of access considerations remain paramount. In our view, this has resulted in most EMR systems implementations to have less than desirable security postures.
Take, for example, an unauthorized disclosure of medical records to the press for an individual with the HIV virus. The effect could be devastating. Unintended outcomes might include family or community ostracism, job loss and denial of medical benefits. While there are legal statutes to prevent harmful effects of such disclosures, practically these may be of little solace to the individual whose record was released. One can imagine an insurer denying claims by insisting that the condition was pre-existing. These situations can and do occur in real life, and hospitals and care providers must take heed.
The probability of a large security breach (of the network or EMR application) also leaves many hospital administrators and compliance officers shuddering over the specter of privacy violations. Health Information Portability and Accounting Act (HIPAA) violations can have severe consequences, and new state regulations such as in California impose considerable penalties for the errant disclosure of medical records.
From our work at a large health care provider, we found that security breaches could be relatively easy to accomplish. Many EMRs are now connected to web applications (or are web applications themselves) making for relatively easy targets. We also found diagnostic systems that have direct connections to the hospital networks. Since these systems also have remote diagnostic capabilities for troubleshooting or downloading new software, installing a worm on the network that incapacitates, for example, all networked X-Ray machines is not out of the realm of possibility.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.