Health Information Exchanges
Most people today have a primary care doctor and then periodically visit specialists, labs, and a handful of other health care providers. Under the paradigm described above, each health care provider that a patient visits would then hold a unique copy of that patient’s electronic medical record. So there are now multiple copies of a patient’s medical record at multiple health care providers that are in no way synchronized or networked. This makes diagnosing and treating patients extremely difficult and places a burden on both patients and doctors, since it is now their responsibility to transfer medical records from one location to another. One solution currently being implemented to address the problem of interoperability among health information systems is the health information exchange (HIE). Health information exchanges are a way for multiple health care providers to share information and patients’ medical records. Currently, in New York State there is a state-funded initiative to create regional health information exchanges. The University of Rochester Medical Center and the Greater Rochester Regional Health Information Organization (GRRHIO) have agreed to provide access to data and feedback about security-related issues in implementing exchanges and associated health systems. Their feedback will be used in conjunction with the data collected from my experiment. Currently GRRHIO requires that patients sign a “consent to view” form before their data is shared within the exchange. In emergency situations an unauthorized doctor can “break the glass” and view the information on a one-time basis. Since there are no standardized authorized access models that work efficiently in health exchanges, this type of consent grants most medical professionals within the network full access to view patient data. This type of consent/authorization model is also used at the University of Rochester Medical Center.
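The “consent to view” and “break the glass” model just described, as an added illustration (not GRRHIO’s or URMC’s code): a clinician in the exchange may view a record once consent is on file; without consent an emergency override is allowed on a one-time basis, and every request, override or denial is written to an audit log that reviewers can later use to trace misuse. All identifiers are constructed for the example.

```python
from datetime import datetime, timezone

# Constructed example of a consent-to-view broker with a break-the-glass
# override. Patient and clinician IDs are made up for illustration.

class ConsentBroker:
    def __init__(self):
        self.consented = set()   # patient IDs with a signed consent-to-view form
        self.audit_log = []      # one entry per access request, granted or not

    def record_consent(self, patient_id):
        self.consented.add(patient_id)

    def request_view(self, clinician_id, patient_id, break_glass=False, reason=None):
        """Return (granted, basis); basis is 'consent', 'break_glass' or 'denied'."""
        if patient_id in self.consented:
            return self._decide(clinician_id, patient_id, True, "consent", None)
        if break_glass:
            if not reason:
                raise ValueError("break-the-glass override requires a stated reason")
            # The override is not remembered: the next request without consent
            # must break the glass again, which keeps it a one-time view.
            return self._decide(clinician_id, patient_id, True, "break_glass", reason)
        return self._decide(clinician_id, patient_id, False, "denied", None)

    def _decide(self, clinician_id, patient_id, granted, basis, reason):
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "clinician": clinician_id,
            "patient": patient_id,
            "granted": granted,
            "basis": basis,
            "reason": reason,
        })
        return granted, basis

    def overrides_by(self, clinician_id):
        """Audit helper: list a clinician's emergency overrides for review."""
        return [e for e in self.audit_log
                if e["clinician"] == clinician_id and e["basis"] == "break_glass"]
```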
Granting this much access to patient data requires heavy auditing practices to be in place in order to identify and trace misuse. In later sections of this paper this issue (the lack of authorization models) and potential solutions will be discussed. The exchanges can be implemented in one of two ways: centralized or federated (decentralized). Currently in the United States the federated model has become the standard of choice, and this model will be explored in this paper. The following is a brief explanation of both implementation methods.
In a centralized health information exchange environment, all health data would be stored in a central repository or database. Health care providers and organizations would then access that centralized service in order to view patients’ medical records. There are a variety of security and privacy issues related to storing vast amounts of health data in one place, which is why the decentralized environment has become the standard of choice in the United States. One problem with storing large amounts of personal data in a single location is accountability. Making one organization and one person accountable for the security and privacy of large amounts of medical data is unrealistic and irresponsible from a litigation standpoint. Having a centralized environment would also create many problems with ownership of data, since multiple sets of medical records exist and would need to be reconciled and then relocated to the central service.
In a decentralized environment each health care provider would continue to maintain its own health information system, and the health information exchange would act as a “broker” or pointer service to the location of requested data. This implementation model fits the current state of the electronic health care systems being developed and also holds each entity that houses health data accountable for the data it holds. Now that there is a solution to the interoperability requirement of health information systems, a new set of security and privacy requirements arises.
Security and Privacy Issues associated with Health Information Exchanges
Now that there is a way to connect multiple health information systems together, the security standards from ISO/TS 18308 must be applied to the exchanges, along with the new security issues that arise from connecting multiple health networks together. The following list is a summary of the security requirements placed upon health information exchanges:
• Authorized Access
o Now that many health systems can be connected together, administrators of the networks need to worry not only about who has access to private data within a localized organization, but also about who has access outside of the organization.
• Confidentiality
o Now that health systems are connected together, confidentiality requires that proof can be given that unauthorized people do not view the health information shared within the network.
• Consent
o Due to the many state and federal regulations, patients must give consent before any sharing of information can happen.
• Relevancy
o Relevancy deals with both the doctor and the patient only viewing information that is relevant to the case being worked on. When health networks are connected, the question that arises is which doctors need which information.
• Ownership of Data
o Since the patient is the actual owner of their medical record, the data provider that houses their information needs to determine who manages the data. When multiple organizations have access to the data, management of the data can become complicated.
• Compatibility
o When exchanging health data across multiple locations, the hardware that is used needs to be compatible with other systems and versions of software.
• Audit Logs
o Audit logs are created in order to keep a history of transactions in case of abuse. In an interconnected health network the complication that arises is which entity stores the audit logs and what needs to be audited.
• Archiving
o Archiving is moving data out of the active system and into offsite locations. When many health systems are connected together, issues with storage management and retention time arise.
This list adds another level of abstraction and complexity to the problem of creating an interoperable health network. With the above list and the introduction of health information exchanges, the scope of the paper can once again be more clearly defined. As stated before, this paper will investigate problems associated with authorization, interoperability, and patient access to electronic health records. Even more specifically, this paper will investigate problems associated with authorization and patient access to electronic health records that are brokered within an interoperable health information exchange, and how hybrid patient portals can be used to create a more secure and efficient connected health system. The next topics to be discussed are the actual issues associated with authorization and what roles hybrid patient portals can play in alleviating them.
Authorized Access and Health Information Exchanges
Authorized access in terms of a health network consists of three parts: reliable patient identification, proper authentication of healthcare providers, and correct authorization of healthcare providers. Reliable patient identification and correct authorization of healthcare providers are still being heavily researched. Proper authentication, although important, has already been researched, and protocols exist that can be used to ensure it.
Since a patient has multiple sets of medical records being shared within an exchange, there has to be a way to universally identify that patient and his/her medical records across the different health systems. Reliable patient identification can be accomplished in two ways: by mapping or by creating a national health ID (NHID). Mapping is currently the method that many health information exchanges utilize, since a national health ID does not yet exist. When the patient enters the exchange, an enterprise master patient index (EMPI) entry must be created. The EMPI then maps the various user IDs from the various health information systems connected to the exchange to one patient ID. Unfortunately this method is not scalable and has been proven to produce errors when applied to a large networked environment. This is problematic, since accuracy is critical when dealing with health data and scalability is one of the ultimate goals of an interconnected health network. This is why I believe the creation of a national health ID is critical; unfortunately the reality of creating one is dim.
National Health ID
The national health ID model is ideal for a large interoperable network and I believe will help alleviate some of the authorization issues that arise with the creation of these networks. Under the NHID model the government or a national institution would assign every patient, doctor and health care entity an identification number. This ID would then be used throughout the various exchanges and health systems, eliminating the need for mapping and dramatically increasing accuracy. In terms of authorization, if the person attempting to access health data is already identified in the system, the method and procedure for authorizing that user becomes much easier. Unfortunately, in reality, implementing a NHID is highly improbable. When the original Health Information Portability and Accountability Act (HIPAA) was drafted there was proposed legislation for a NHID. However, when the bill was passed into law in 1998 the provisions for a NHID were stripped. This made, and still makes, implementing many of the security functions of HIPAA difficult. This is the primary reason why patient ID mapping is the prominent system used in electronic medical systems. Although the federal government has prohibited the development of a NHID, some private organizations have picked up the research. In 2009 a private corporation called Global Patient Identifiers, Inc. created an alternate NHID system called the Voluntary Universal Healthcare Identifier (VUHID). The VUHID creates a secure identification system that meets the needs of health professionals while satisfying some of the concerns that arise with a large identification system. VUHID is based on two standards developed by the American Society of Testing and Materials and the American National Standards Institute. The identification number would contain two parts, an open identifier and a private one. This would help ensure patient privacy and reduce clerical errors. Another major advantage of the VUHID is that patient information would not be stored in a central database; the VUHID simply provides an identifier, and then the traditional mapping services would be linked to the newly created ID number. The critical flaw with this system is that it is voluntary, and getting multiple health information systems and exchanges to use this particular system could be as polarizing as passing legislation for a NHID. Despite the political setbacks, this type of system would make creating an efficient authorization access model very feasible. I believe that the feedback from my experiment will show that using a NHID would be beneficial. Unfortunately development and implementation of a NHID system is beyond the scope of this paper, but it is an area that could use future research.
Correct Authorization of Healthcare Providers
This is the second area of authorized access that this paper will cover. Currently there are traditional access methods implemented within health systems and exchanges, but they are failing to meet the demands and unique needs of health data. Essentially, no access method exists that can be successfully used in a health setting and accommodate the majority of the needs demanded by an interconnected health network. The following are examples of the unique demands that health systems place on authorization models.
Multilevel vs. Multilateral Security
Unlike most government information systems, where information is prevented from flowing downwards (i.e. top secret to secret to confidential), health systems many times need information to flow downwards. For example, information that doctors enter into the system needs to be read by the nurses below them and then again viewed by lab technicians. If the information were not permitted to flow downwards, the diagnosis process could not be completed. In an electronic health system, information will also need to be allowed to pass laterally from one healthcare provider to another. This creates a need for multilateral security instead of multilevel security. Yet at the same time some information contained within electronic health systems must also be prevented from flowing downwards. Data that has no context or relevance to the current case a doctor is working on should not be viewable by all people on different access levels. Therefore, many times in an electronic health system it is simultaneously required to prevent information from flowing down and across. This unique demand has made it difficult to apply traditional access methods to electronic health systems and has prompted new ones to be created.
Hybrid Layered Approach
One method of building an access control model that can meet the demands of electronic health systems is a hybrid layered approach. In this approach many of the traditional access control models are used together to create a model that can be applied to both lateral and layered systems. At the first level, mandatory access control (MAC) would be used, which uses classification (top secret, secret) to mandate who has access to which data. Layer two would utilize discretionary access control (DAC), which mandates access by the group a user belongs to. Then at the final layer, role-based access control would be used, which mandates control based on the role the user plays in the organization. The three access control models are used together in an effort to bridge the gap between the multilateral and multilayered security paradigms. Unfortunately this model is not dynamic, and the health care industry contains many granular groups and roles. The hybrid approach is a step in the right direction, but still would not be able to provide adequate access control to a large interconnected health system.
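The hybrid layered approach above, as an added illustration rather than code from any health system: a request must clear MAC (classification level), then DAC (the group the record was shared with), then role-based access control (role permission), and the first layer to deny ends the check. The labels, groups, roles and permissions are constructed for the example.

```python
from dataclasses import dataclass

# Constructed example of a three-layer MAC -> DAC -> RBAC authorization check.

LEVELS = {"confidential": 1, "secret": 2, "top secret": 3}   # MAC ordering

# RBAC layer: role -> permissions (constructed for the example)
ROLE_PERMISSIONS = {
    "physician": {"read:notes", "write:notes", "read:labs"},
    "nurse": {"read:notes", "read:labs"},
    "lab_tech": {"read:labs"},
}

@dataclass(frozen=True)
class Record:
    classification: str        # MAC label on the data
    shared_with: frozenset     # DAC: groups the record has been shared with
    needs: str                 # RBAC: permission required to use this record

@dataclass(frozen=True)
class User:
    clearance: str             # MAC clearance
    groups: frozenset          # DAC group memberships
    role: str                  # RBAC role

def mac_allows(user, record):
    return LEVELS[user.clearance] >= LEVELS[record.classification]

def dac_allows(user, record):
    return bool(user.groups & record.shared_with)

def rbac_allows(user, record):
    return record.needs in ROLE_PERMISSIONS.get(user.role, set())

def authorize(user, record):
    """Return (granted, denying_layer); layers are checked in order and the
    first one to deny ends the evaluation."""
    for layer, check in (("MAC", mac_allows), ("DAC", dac_allows), ("RBAC", rbac_allows)):
        if not check(user, record):
            return False, layer
    return True, None
```

Note that every table is static: adding a new group or role means editing the tables, which is the lack of dynamism the text points out.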
Activity Oriented Access Control
Another theoretical access control model that has been proposed is an activity oriented access control model. Although it resembles role-based access control, it differs in how access is granted. The model can be abstracted into three levels: the privilege level, the activity level, and the user level. Unlike role-based access control, in which the user must be assigned a role, activity oriented access control grants access based on what activities a user performs. If the user performs activities associated with an object, then that user is granted access to that object. This allows a more dynamic access control model to be created. This kind of control model gives the user more flexibility and lessens the amount of work that traditional access control models would require of administrators. This control model is still theoretical and has not been fully implemented in any major electronic health system. Because of this, the practicability of this model has not been tested, although it is a step in the right direction. More research still needs to be done on the types of access control models that can be used; this paper does not directly address that issue.
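The activity oriented model above, as an added sketch of the idea (not an implementation from any health system): privileges attach to objects, activities bundle privileges, and a user’s access is derived from the activities the user is currently performing, so it changes as activities start and end. Activity and object names are constructed for the example.

```python
# Constructed example of activity oriented access control with three levels:
# privilege level (ACTIVITY_PRIVILEGES), activity level (privileges()) and
# user level (the activities each user is performing).

# Privilege level: activity -> set of (object, action) privileges it carries
ACTIVITY_PRIVILEGES = {
    "order_labs": {("lab_orders", "write"), ("lab_results", "read")},
    "review_results": {("lab_results", "read")},
    "document_visit": {("progress_notes", "write"), ("progress_notes", "read")},
}

class ActivityAccessControl:
    def __init__(self):
        self.active = {}   # user level: user -> activities currently performed

    def start_activity(self, user, activity):
        """Record that a user has begun an activity; unknown activities are rejected."""
        if activity not in ACTIVITY_PRIVILEGES:
            raise ValueError(f"unknown activity: {activity}")
        self.active.setdefault(user, set()).add(activity)

    def end_activity(self, user, activity):
        """Ending an activity withdraws the privileges it conferred."""
        self.active.get(user, set()).discard(activity)

    def privileges(self, user):
        """Activity level: union of the privileges of the user's live activities."""
        privs = set()
        for activity in self.active.get(user, ()):
            privs |= ACTIVITY_PRIVILEGES[activity]
        return privs

    def may(self, user, obj, action):
        """Access decision: no role table, only what the user is doing right now."""
        return (obj, action) in self.privileges(user)
```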