The problem of developing security mechanisms needed for management protocols and policy management of personal health information (PHI) remains largely unsolved, according to Gerald Masson, PhD, director of the John Hopkins University Information Security Institute (JHUISI), who spoke at an assembly hearing of the Health IT Standards Committee on Nov. 19.
The hearing addressed health IT security issues, challenges, threats and solutions, and sought input from domain experts and health practitioners on potential security issues regarding health information.
JHUISI is an academic education and research center focusing on information security and assurance issues from the perspectives of education, research and development. One of its primary goals is to develop new security technologies to enable deployment of secure EMRs, according to Masson.
The Health IT for Economic and Clinical Health (HITECH) Act, he stated, puts an enormous burden on covered entities in the form of mandatory notification to the patient if PHI is disclosed.
While the “promises of EMRs are seductive,” Masson stated, “moving from paper-based systems to electronic is not without risk.” For example, it would be easier to unnoticeably sneak out of a hospital or a data center with a USB stick containing 8,000 EMRs than with boxes containing the equivalent paper records, Masson said.
Additionally, security threats will get worse as attacks grow in sophistication, said Masson.
Masson noted that there is considerable effort from companies like Google, Microsoft and Walmart to provide personally controlled health records (PCHRs). Some intend to offer individuals access to, and control of, their health records, described as “patient-centered" solutions. "Provider-centric” solutions are designed to share EMRs among multiple providers through a centralized data center, Masson said.
EMRs have the potential to improve the U.S. healthcare system, said Masson. “However, EMRs introduce new threats to patient privacy, and so securing EMR systems is paramount.”