Security Review: Electronic Medical Records

By nhunt at 6:10 pm on January 22, 2009 | 7 Comments

Now that computers have reached the mainstream, demand for online services is increasing. Recently, this has come to include access to medical records over the Internet. The existence of products such as Microsoft’s HealthVault and Google’s Google Health demonstrates the demand for this type of service. Even though such services can be used to improve the quality of health care, care must be taken to ensure they don’t create new problems.

A recent Associated Press article discussed some of the risks associated with such a system. In this particular case, the software used by the Veterans Association in their hospitals had a bug, and as a result “patients … were given incorrect doses of drugs, had needed treatments delayed and may have been exposed to other medical errors.” This example shows that even though these types of systems are designed to help eliminate errors in treatment, they can sometimes introduce problems of their own.

The threat of medical mistakes isn’t the only shortcoming of electronic medical records, however. Patient privacy is also a serious concern. Access to these databases must be carefully controlled to protect patient confidentiality.

Assets

  • The first asset is patient privacy. Medical records often contain sensitive information that individuals would rather not disclose to other people. This can include diseases or conditions that usually carry a negative connotation.
  • Another rather important asset is the safety of the patient. The electronic medical records should contain up-to-date and accurate information that can be quickly accessed by authorized personnel. Inaccurate information could lead to improper medical care, as illustrated by the VA incident mentioned above.

Threats

Placing medical records in an electronic database increases the accessibility of the information for both authorized and unauthorized individuals. This can lead to difficulty in detecting illegitimate access to medical information; it is much easier to detect an unauthorized user in a locked room than it is to detect an unauthorized user remotely accessing a database.

  • One class of unauthorized user is someone seeking information about a particular individual for malicious use. This can be used for personal gain (such as through blackmail) or to harm the individual (by modifying the patient’s records).
  • A second class of threat arises because of the consolidation of medical records in a centralized location. This enables someone to “harvest” the database for a specific subset of patients (all patients affected by a certain type of disease, for instance).

Weaknesses

  • With an electronic system, technical problems (such as power outages or equipment malfunction) present a serious weakness. If the system loses power, the records will be inaccessible. This can result in delay of medical treatment.
  • Humans present another weakness in the system. HIPAA requires that medical records be stored in an encrypted format, but this does nothing to prevent legitimate users from copying the information to unencrypted secondary storage devices, or from protecting the information with a poorly chosen password.
  • A third potential weakness in the system comes from implementation errors in the software. The article discussed above demonstrated how a bug in the software could pose a threat to a patient’s health.

Defenses

  • To help combat the threat of power outages or equipment failures, implementers could use redundancy to mitigate the effects of these failures. This includes backup generators or uninterruptible power supplies, and backup servers to prevent data loss.
  • Stronger access control policies could reduce the likelihood of unauthorized access by users. This includes a stricter password policy, and enforcing the principle of least privilege.

Transitioning from paper-based medical records to electronic databases could be very beneficial to patients and doctors alike. Quicker access to critical information could help save lives in medical emergencies. Furthermore, electronic copies of medical information would allow doctors at any hospital to acquire the necessary information to treat the patient. This transition must be done carefully, however. Proper steps must be taken to ensure the confidentiality of this information, as well as its integrity. Not only should access to the information be limited to authorized personnel, but the information itself should also be verifiable and accurate.

Written by: Nick Hunt and Jon Andes

Filed under: Security Reviews

7 Comments

  • 1

    Comment by beenen34

    January 23, 2009 @ 12:38 am

    One interesting question that I would pose is the necessity of patients being able to view their own records. Maybe I’m not at that point in my life yet, but I find I rarely need my medical records, and if I did, I wouldn’t need them in such a timely manner that I would need to access them through my computer. I agree that having records available and quickly accessible by doctors would be extremely useful, particularly in emergency/time-sensitive operations. It would also be nice to allow people to view these records online, but I wonder if allowing this would introduce a number of weak points in the security of the records, as noted in your list of weaknesses. Going along with the principle of least privilege, it may be best for security’s sake to have these records only accessible by doctors, but perhaps I’m just unaware of some convenience of quick access to one’s own medical records.

  • 2

    Comment by jonfung

    January 23, 2009 @ 3:55 am

    I believe that electronic medical records can already be justified with one reason. Cost. The administrative costs in the US for healthcare are much greater than in places like Taiwan, which have already set up electronic medical payment systems. They have a single-payer system though. It could be possible to develop secure electronic medical records, although as noted above, humans would probably be the weak point. Poor passwords or maybe theft of data could become issues.

    On another note, I know that while many may distrust giving companies like Google so much information, they treat the security of medical information very very seriously. On slashdot there was debate over Google Health and HIPAA compliance, but I know that employees must get clearance and must have a very specific reason to get any sort of access to medical information. I’m certain that a secure system can be developed and that legal restraints can be put in place (if they aren’t already) to ensure patient privacy. Couldn’t services like Google Health use encryption to guarantee it as well? Doctors and patients can have their own private keys and the service can serve as a key bank/CA. That way, the service wouldn’t be able to read private information even if it wanted to.

  • 3

    Comment by Heather Underwood

    January 23, 2009 @ 3:00 pm

    Electronic medical records have a lot of potential benefits for accessibility, accuracy, and manageability. However, I am concerned about taking the human element out of medicine. Even now when I go to the doctor I often feel like I am just one of many check marks on a chart of patients, but at least the doctor still has to talk to me. As the article here: http://industry.bnet.com/healthcare/2008/04/29/electronic-medical-records-bad-for-health/ points out, doctors are abusing electronic record systems by cutting and pasting other doctors’ comments right into their own diagnosis, thus committing what the article refers to as “clinical plagiarism”. Doctors are also resorting to “cookie-cutter” medical practice by just cutting and pasting the lab requests for a specific disease without ever consulting the patient directly! As a patient, I would feel very concerned about my personal health safety and frustrated that a doctor that I’m paying for didn’t even take the time to talk to me. I think the human factor definitely needs to be considered when digitizing such personal and private information.

  • 4

    Comment by Ethan Apter

    January 23, 2009 @ 3:48 pm

    I hope (and would like to assume) that, in addition to being encrypted, there is a record digest being stored along with the records. We already know that encryption helps prevent the original message from being read (protects patient privacy) but does nothing to protect the message integrity (doesn’t protect patient safety). I would further like to assume that there is sufficient structure to these records that even if they are modified and do not have a digest for comparison, tampering should be readily apparent by the corruption of data. However, the human element here cannot be ignored: it is too easy for doctors to enter invalid information (false positive) and many doctors may ignore errors if they do not occur in the “relevant” part of the file.

    My dad is an ER physician and his ER switched to a computerized database years ago. He hates it. Though I believe a worthwhile medical computer database could be constructed, it actually takes the medical professionals at this hospital longer to enter records than the old paper system. He also believes that it is more prone to mistakes than paper, and frequently worries that it is only a matter of time before this database results in patient death.
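
As an added example (not from the post or its comments) of the record digest this comment asks for, the following Python stores each record beside a keyed HMAC-SHA256 tag and refuses to load a record whose tag no longer matches the body. Encryption is left out so the integrity layer stays visible; in practice the tag would be computed over the ciphertext, and the key and patient record here are constructed values.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real deployment would draw it from a key manager.
INTEGRITY_KEY = b"demo-record-integrity-key"


def canonical(record: dict) -> bytes:
    """Serialise a record deterministically so the tag covers one fixed encoding."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def protect(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Store the record body beside an HMAC-SHA256 tag.

    A keyed tag rather than a plain hash: a plain digest stored next to the
    body can be recomputed by whoever rewrites the body, so it only catches
    accidental corruption, not deliberate modification.
    """
    body = canonical(record)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


def verify(stored: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the tag over the stored body and compare in constant time."""
    expected = hmac.new(key, stored["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, stored["tag"])


def load(stored: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Refuse to hand over a record whose tag does not check out."""
    if not verify(stored, key):
        raise ValueError("record integrity check failed; do not act on this record")
    return json.loads(stored["body"])


def demo() -> tuple:
    """Constructed patient record; returns (intact_verifies, modified_verifies)."""
    record = {"patient_id": "P-0001", "drug": "warfarin", "dose_mg": 5}
    stored = protect(record)
    # Simulate a silent change to the stored body with the old tag left in place.
    modified = dict(stored, body=stored["body"].replace('"dose_mg":5', '"dose_mg":50'))
    return verify(stored), verify(modified)


if __name__ == "__main__":
    print(demo())  # (True, False)
```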

  • 5

    Comment by devynp

    January 23, 2009 @ 5:52 pm

    I read that an interesting idea of the newly elected president is to digitize medical records in the United States. I can see how medical record systems can be beneficial; for example, paper prescriptions can be eliminated, check-up reminders can automatically be sent to patients’ cellphones, etc. If all the medical personnel are familiar with the system, the medical area would definitely improve.

    But what do we need prior to implementing that idea? Would it really make the health system better? Imagine how much money it will cost. We need human resources to do all the development and installation of the systems. Also, you cannot expect all medical personnel to be comfortable with computers. They need to be trained. However, training programs cost money and time. This might also lead to frustrations among the medical personnel. Let’s say these people have bad experiences with technology; it might trigger their emotions and test their patience, decreasing the quality of their work. If it turns out that digital medical records are susceptible to theft or human errors, all the money used to make this huge change will be wasted.

  • 6

    Comment by sal

    January 23, 2009 @ 6:38 pm

    In response to some of the responses. It _will_ make the health system better. Way more money is spent on healthcare in America than in any other country already, and a big contributor to this spending is a high level of bureaucracy in dealing with medical records. Introducing electronic medical records will significantly reduce what is called “transaction cost”, and thus make healthcare more affordable. Certain problems might arise, like with any technology, but the benefits definitely outweigh the problems, and as mentioned in the article, gradual change and addressing potential problems will make this transition smoother.

  • 7

    Pingback by UW Computer Security Research and Course Blog » More on Electronic Medical Records

    February 6, 2009 @ 9:05 pm

    […] mentioned earlier in the blog in “Security Review: Electronic Medical Records,” Google has started an electronic medical record database. Today, IBM and Google announced that […]
