Electronic Health Records – Calling for Security and Authentication
Electronic health information technology is transforming the delivery of healthcare. Nineteen billion dollars of the economic stimulus package has been set aside for the modernization of health records, and the federal government has set a goal of 2014 for the creation of an electronic health record (EHR) for all Americans. The move from paper records to EHRs, including electronic medical records (EMRs), personal health records (PHRs) and e-prescriptions, can solve a host of problems for medical organizations, allowing them to run more quickly, more accurately, and more efficiently. With complete and immediate access to patient records through EMRs, healthcare providers are able to provide better, faster and more personalized care, raising the level of both medical care and personal attention. As the number of patient charts is reduced, medical organizations are also dramatically reducing the costs associated with creating, storing and maintaining paper charts.
Beyond EMRs, the increasing use of electronic prescribing contributes to patient safety. A 2006 study by the Institute of Medicine reported that 1.5 million people in the United States are harmed each year – and 7,000 killed – by medication errors. E-prescriptions improve patient safety through more complete and accurate prescriptions, direct transmission of the prescription to a dispenser where fill status can be monitored, and elimination of the need for the dispenser to decipher and transcribe often-illegible handwritten fax or paper prescriptions.
While the increased use of EHRs is integrally related to improving patient care and safety, their adoption introduces new security concerns, including the opportunity for data loss or destruction (both accidental and malicious data tampering), inappropriate corrections to medical records and e-prescription forgery. To address areas of potential risk and remain compliant, medical organizations must adopt policies and procedures that are compatible with EHR systems and comply with regulations like the U.S. Health Insurance Portability and Accountability Act (HIPAA), which contains provisions for the protection of data stored electronically.
Without proper security and authentication controls, the realization of electronic health records faces an uphill battle. As a Feb 16, 2009 Washington Post article reported, these challenges are real:
“Roadblocks include concerns over lack of universal protocols for collecting data as well as rules that establish how, with whom and under what circumstances the data can be shared. Many health-care providers — physician practices, testing facilities, hospitals and clinics — fear liability if private information gets into the wrong hands.”
And the risk of tampering is real in healthcare as well. In the summer of 2008, when Esmin Green, a 49-year-old woman, died in a Brooklyn psychiatric hospital’s waiting room, the video of her collapsing and lying on the floor for more than an hour until hospital staff responded made front-page headlines.
Among the many allegations leveled at the hospital and its staff after her death was one concerning the authenticity of the electronic records relating to Green’s care. The New York Civil Liberties Union states that hospital staff falsified Green’s records in an attempt to cover up the amount of time she was without assistance.
“Contrary to what was recorded from four different angles by the hospital’s video cameras, the patient’s medical records say that at 6 a.m., she got up and went to the bathroom, and at 6:20 a.m. she was ‘sitting quietly in waiting room’ — more than 10 minutes since she last moved and 48 minutes after she fell to the floor.”
Considering the severity of the allegations and outrage over Green’s death and mistreatment, it is not difficult to comprehend the employee’s motivation for falsifying the times on Green’s records. In his blog BizTechTalk, document management analyst Dan Keldsen asked an important question that all healthcare organizations should ask themselves as they make the shift to electronic records:
“Do YOUR systems support verifiable, tamper-proof audit trails? Are you synchronizing the date/timestamps of related systems, such as in this case, video surveillance?”
Keldsen goes on to ask his readers scary but important questions such as “can people back-date contracts in your organizations? Invoices? E-mail messages? If you need to roll-back your entire systems to a certain point in time to see exactly what offers were made to who and when, could you do it?”
Green’s case, of course, is a dramatic example of the importance of digital time-stamping, but it highlights the ease with which electronic health records can be tampered with. The instances where motivated insiders have found a way to manipulate electronic records are too numerous to mention here, but the results often make the headlines and lead to litigation and regulatory investigations.
The message is clear. Organizations must take proactive steps to guarantee the integrity of electronic health records. Healthcare professionals need the ability to irrefutably prove – without question – that patient records have not been tampered with (maliciously or accidentally) since their creation.
We’ve developed AbsoluteProof in such a way that it can be integrated seamlessly at any point in the healthcare organization’s business process (including data capture, generation, management and archive), and is compatible with any data source, regardless of format. This gives healthcare IT professionals the ability to reliably and independently prove the integrity of their electronic records and prove that an electronic record existed at a specific point in time and has not been altered since.
If you’re a healthcare provider, what are you doing to ensure the authenticity of your electronic records? If you’re an EMR solutions provider, what are you doing to provide healthcare providers with this critical capability?