Thursday, October 4, 2012

Consumer Portal Security: It Seems To Be More In The Spotlight. Relevant For Australia.

The following appeared last week.
Monday, September 24, 2012

Guarding the Portal: Data Security Needs Rise With Patient Access

Health care providers, already grappling with information security, could see their responsibilities expand as demand grows for patient data access.
Federal policies require physicians and hospitals to make health care data available to patients. And with the increasing use of electronic health records, that handoff increasingly will take place online. A certain degree of electronic access already is required under Stage 1 of the federal government's meaningful use EHR incentive program; that impetus will expand under Stage 2.
Industry executives expect that much of the patient data dissemination will take place through Web-based portals. For many health care providers, this will represent new ground. Hospital and medical practice websites traditionally have been informational, rather than access-oriented. Providers, accordingly, will need to step up their information security and privacy measures.
Jared Rhoads -- senior research specialist at the CSC Global Institute for Emerging Healthcare Practices -- said some health care facilities have been providing patient data access and attending to the associated security issues for some time. But those providers represent the exception, not the rule.
"Certainly, the vast majority of people have not plunged into [patient data access], so it is new for them," he said. "Now, with all the new meaningful use measures, that is absolutely going to blow this wide open and make this something that everyone is going to be concerned about."
A Call for Access
In August, CMS published the final rule governing Stage 2 of the meaningful use program, which goes into effect in 2014. Stage 1 criteria call for physicians and hospitals to provide patients an "electronic copy of their health information." Stage 2 changes that language. Physicians must provide patients with the means to "view online, download and transmit their health information." Hospitals must offer the same service to patients regarding hospital admissions.
The government's escalating demand for patients' access to health data can be seen in other policy statements as well.
HHS' Office for Civil Rights in May issued a memo underscoring patients' right to information and encouraging consumers to obtain a copy of their health record -- whether paper or electronic. That message reiterates language in the HITECH Act of 2009, which gives patients the right to request health data in an electronic format if the provider is equipped with an EHR.
The access directives appear to be pushing health care providers toward portals as the mechanism for allowing patients to view and download their health data.
Mac McMillan -- CEO of CynergisTek, a health care IT security firm -- said a number of health systems already have established patient portals, pivoting off their EHR systems.
Securing the Portal
McMillan suggested three core elements for portal security.
  • User Authentication -- "If you are going to provide good access control, there has to be a way on the portal for patients to authorize uniquely to the portal, such that they are only looking at their own information and not somebody else's," McMillan explained.
  • Secure Transport -- A portal that allows users to download information must provide a secure, encrypted connection between patient and portal. This is often accomplished through a virtual private network (VPN) or a gateway that's part of the provider's network.
  • Auditing and Integrity Control -- Providers need to be able to audit what a user has done with the information obtained through a portal -- what they have looked at and what they have changed. If a patient is able to enter or alter his or her health data, integrity control provides a way to verify the information. The EHR linked to the portal retains a patient's previous data so they can be compared with the new data. If a patient with a penicillin allergy inadvertently changes the health record to indicate no such allergy, the system can flag the problem.
"Integrity is one of the biggest issues when you start allowing greater access to the information," McMillan said. "You need to have a way to absolutely verify changes so they don't create health issues."
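As an added illustration of the integrity check McMillan describes (example code, not from the article or any EHR product), a portal submission is compared with the record the EHR retains, and the removal of a documented allergy is held for clinician verification instead of being applied. The record layout and the "hold until verified" policy are assumptions.

```python
# Added example, not code from the article or any EHR product; the record
# layout and the "hold for verification" policy are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    patient_id: str
    allergies: frozenset


def diff_record(prior: Record, submitted: Record) -> dict:
    """Compare the EHR's retained copy with the portal submission and list flags."""
    if prior.patient_id != submitted.patient_id:
        raise ValueError("patient identifier mismatch")  # never merge across patients
    removed = sorted(prior.allergies - submitted.allergies)
    added = sorted(submitted.allergies - prior.allergies)
    # Dropping a documented allergy can cause harm if wrong, so a clinician must confirm it.
    flags = [f"allergy '{a}' removed; verify with clinician before accepting" for a in removed]
    return {"allergies_added": added, "allergies_removed": removed, "flags": flags}


def apply_update(prior: Record, submitted: Record) -> tuple:
    """Return (record_in_effect, flags): the submission when clean, else the prior record."""
    result = diff_record(prior, submitted)
    if result["flags"]:
        return prior, result["flags"]  # keep the retained data until verified
    return submitted, []


if __name__ == "__main__":
    # Constructed sample: penicillin allergy on file, portal submission omits it.
    on_file = Record("p-0001", frozenset({"penicillin"}))
    portal = Record("p-0001", frozenset())
    record, flags = apply_update(on_file, portal)
    print(sorted(record.allergies), flags)
```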
Rhoads, meanwhile, cited network scanning and monitoring as a key portal security measure. The idea is to scan for suspicious activity, such as a series of unsuccessful logins at an odd hour from an IP address outside of the country.
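A minimal version of the scan Rhoads describes, as an added example rather than code from the article: failed-login lines are grouped by source address, and a source is flagged only when it produces a burst of failures inside a short window, all at odd hours, from outside the home country. The log format, the threshold and the IP-to-country table are assumptions standing in for the portal's own authentication log and a GeoIP database.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

LOG_RE = re.compile(r"^(\S+) LOGIN_(FAIL|OK) user=\S+ ip=(\S+)$")  # assumed log format

# Constructed stand-in for a GeoIP database (documentation address ranges);
# this whole block is an added example, not code from the article.
COUNTRY_BY_PREFIX = {
    ipaddress.ip_network("203.0.113.0/24"): "AU",  # assumed home-country range
    ipaddress.ip_network("198.51.100.0/24"): "XX",  # assumed foreign range
}

# Constructed sample log: 3 am burst from abroad (fires); 3 am domestic burst and daytime foreign burst (do not).
SAMPLE_LOG = [
    "2012-09-24T03:12:05 LOGIN_FAIL user=jsmith ip=198.51.100.7",
    "2012-09-24T03:12:09 LOGIN_FAIL user=jsmith ip=198.51.100.7",
    "2012-09-24T03:12:14 LOGIN_FAIL user=mjones ip=198.51.100.7",
    "2012-09-24T03:40:00 LOGIN_FAIL user=bwong ip=203.0.113.5",
    "2012-09-24T03:40:30 LOGIN_FAIL user=bwong ip=203.0.113.5",
    "2012-09-24T03:41:00 LOGIN_FAIL user=bwong ip=203.0.113.5",
    "2012-09-24T14:05:00 LOGIN_FAIL user=clee ip=198.51.100.9",
    "2012-09-24T14:05:30 LOGIN_FAIL user=clee ip=198.51.100.9",
    "2012-09-24T14:06:00 LOGIN_FAIL user=clee ip=198.51.100.9",
]

def country_of(ip: str) -> str:
    return next((cc for net, cc in COUNTRY_BY_PREFIX.items() if ipaddress.ip_address(ip) in net), "??")

def is_odd_hour(ts: datetime, start: int = 6, end: int = 22) -> bool:
    return not start <= ts.hour < end  # outside the hours patients normally log in

def suspicious_sources(lines, home_cc="AU", threshold=3, window=timedelta(minutes=10)):
    """Return {ip: total failures} for IPs with a threshold-sized burst in one window, all at odd hours, from outside home_cc."""
    fails = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and m.group(2) == "FAIL":
            fails[m.group(3)].append(datetime.fromisoformat(m.group(1)))
    hits = {}
    for ip, stamps in fails.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            burst = stamps[i:i + threshold]
            if (burst[-1] - burst[0] <= window and all(map(is_odd_hour, burst))
                    and country_of(ip) != home_cc):
                hits[ip] = len(stamps)  # record the source and how many failures it produced
                break
    return hits
```

Running `suspicious_sources(SAMPLE_LOG)` flags only the foreign 3 am source; the domestic burst and the daytime burst are left alone.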
Lots more here:
Additionally we have had some work being commissioned by ONC (via NIST) around the same area.

Federal grants to support online privacy projects

Posted: September 21, 2012 - 1:00 pm ET
The National Institute of Standards and Technology has awarded more than $9 million in grants for five pilot projects that seek to develop technologies to improve identification of individuals online for commercial uses, including healthcare.
The grant awards stem from a White House program, the National Strategy for Trusted Identities in Cyberspace.
"The selected pilot proposals advance the NSTIC vision that individuals and organizations adopt secure, efficient, easy-to-use and interoperable identity credentials to access online services in a way that promotes confidence, privacy, choice and innovation," the NIST, a Commerce Department agency, said in a news release.
The NIST assists the Office of the National Coordinator for Health Information Technology in developing testing procedures for electronic health-record systems under the federally supported EHR incentive program.
More here:
With a lot of the present ‘heavy lifting’ for the NEHRS being portal related, it is clearly worthwhile to keep an eye on what is happening in the US.
The move to access provision for consumers to real systems, rather than a copy, seems to me to be a sensible way forward. Pity Australia does not have that idea included in current plans as the US, Denmark and the UK (among others) do!