Electronic Health Record System from the Perspective of Data Privacy

SB Bhattacharyya,  Health Informatics Expert, Founder & CEO Bhattacharyyas Clinical Records Research & Informatics LLP

Electronic health record systems handle health-related ultra-sensitive data of a person throughout his life, along with all personal information that accurately identifies him. This makes it imperative to protect the data from cyber-threats and consequent untold damages. This article discusses the various issues involved and the different mitigation methods.

During the course of any clinical encounter a person discloses ultra-sensitive healthrelated information to his provider to enable the latter to address his health-related problems better, faster, and hopefully, cheaper. Information that he would otherwise rather keep well under wraps. Ethics demands all providers treat all information that their patients disclose to them with the greatest of care and keep them secreted away from everyone, even the spouse, unless explicitly released from this obligation by the patient. The confidentiality of the private information needs to be maintained at the highest possible levels of security by medical professionals at all times—unless there are extenuating circumstances to disclose them, like for the public good, compliance to the law, etc.

When the information is recorded electronically, the onus of maintaining the secrecy continues to wrest on the provider and he needs to ensure that it is indeed maintained at all times, else he would be liable for all consequences thereof. The fear of compromises due to lack of adequate control of the cybersecurity from threats has made the public to naturally be very wary of having their information maintained there. The digital health industry is aware of all this and already have in place a number of appropriate processes and enabling tools that are able to effectively address them to robustly. The following sections discusses some of the commonly-used ones in brief and simply.

EHR

An Electronic Health Record (EHR) is a life-long record of all the different health-related encounters that a particular person has throughout life. All of these encounter documents need to be lined up and merged together into a single continuous document to help provide that person’s journey through life with respect to health. This life-long record contains every single health-related detail of a person, many of which are sensitive enough to merit special considerations be given to the data privacy and confidentiality issues so that the person whose data is being handled and his provider are able to feel reasonably confident about permitting their location in an electronic format in the cyberspace.

Privacy

Privacy is the claim of individuals, groups or institutions to determine for themselves when, how and to what extent any information about them is communicated to others. It also refers to the ability of individuals to manage the collection, retention and distribution of private information and has been variously defined as the control of access to private information while avoiding certain kinds of embarrassment and ensuring what all can be shared, or not, with others. In short, privacy is ensuring that others do not get to know all that one does not wish to tell.

Confidentiality

Confidentiality is the protection of personal information and entails keeping certain information strictly limited to a selected few and usually is a set of rules or promise that ensures it.

Confidentiality in healthcare requires healthcare providers to keep a person’s personal health information private unless consent to release the information has been provided by the patient.

Patients routinely share personal information with health care providers. If the confidentiality of this information were not protected, trust in the physician-patient relationship would consequently be diminished. Persons would then be less likely to share sensitive information, which could negatively impact their care.

Creating a trusting environment by respecting a person's privacy encourages the patient to seek care and to be as honest as possible during the course of a health care visit. It may also increase the person’s willingness to seek care. For conditions that might be stigmatising, such as reproductive, sexual, public health, and psychiatric health concerns, confidentiality assures that private information will not be disclosed to anyone including partners, family, friends, employers or any other third party without their explicit consent.

Due to ethical and legal reasons, breaching confidentiality is justified, but only in certain special circumstances.

1. Concern for the safety, both of self and of other specific persons: access to medical information and records by third parties is legally restricted. Yet, at the same time, clinicians have a duty to protect identifiable individuals from any serious, credible threat of harm if they have information that could prevent it. The determining factor is whether there is good reason to believe specific individuals (or groups) are placed in serious danger depending on the medical information at hand.

2. Legal requirements to report certain conditions or circumstances: applicable laws usually require the reporting of certain communicable/ infectious diseases to the public health authorities. In these cases, the duty to protect public health outweighs the duty to maintain a patient's confidence. From a legal perspective, the state has an interest in protecting public health that outweighs individual liberties in certain cases.

3. Ethical considerations make it indefensible not to use information that may save the life and limb of another, where the data of one may help not only alleviate the pain and suffering of another but perhaps even save the life that would otherwise be lost. For example, if a person has a lifethreatening condition and information about someone else also having suffered a similar condition who was successfully treated of the condition exists, then it would be morally indefensible not to use that knowledge and save a life.

Security

In a healthcare context, security is the method and technique to protect privacy and is a defence mechanism from any type of attack. Studies have showed that the slow adoption of EHR is mostly due to privacy concerns. People need to be in control of the collection, dissemination, and storage of their health information. If they feel out of control, their feeling of vulnerability and general mistrust of healthcare information systems and the information that they have disclosed with the expectation of it being held in trust increases manifold. Digital health systems are used in medical applications for delivery, efficiency and effectiveness of healthcare and the users have the right to know about the various security measures that are in place in order to feel secure about their privacy.

Functional Challenges

The various functional challenges to the successful establishment and use of an EHR are as follows.

Centralised availability

There is a need to ensure that all records of a person are available at a central place so that they may be accessed and processed together in real-time.

Privacy issues

There is a need to ensure that private things are indeed kept private.

Confidentiality issues

There is a need to ensure that confidentiality of information is maintained as well as the information is available to those who need it for safety, legal or ethical reasons.

Security issues

There is a need to ensure that both of the above are successfully addressed in a meaningful and demonstrable manner to the satisfaction of care receivers (persons and patients) and their care providers (medical professionals).

Technological Solutions

The various functional challenges detailed above are addressed in this section.

Cloud-based solutions

The ‘Cloud’ is actually a group of interconnected computer servers that is accessible through the Internet by a broad group of authorised users across enterprises, geographical locations and operating platforms.

A person visits a number of healthcare professionals to receive services over his lifetime. These services could be for routine attention like immunisation, health check-up, etc., or special like a doctor visit for consultation due to illness or a facility visit for undergoing procedures like surgery or emergency due to some accident – minor or major.

Each of these healthcare encounters leads to the creation of a record. Creating one single life-long record from all of these individual encounter-based records requires all of the latter to be serially collated from the very first to the very latest and then processed together. Consequently, the availability of all the records at a central place is crucial.

Either using a Cloud-based solution or storing a copy of each and every encounter in the Cloud makes this very practical.

Cyberspace, security, and threats

Cyberspace is a notional space created by networking various digital devices including computers. Basically, it is the electronic ecosystem where not all of rules of the natural laws of physics and chemistry apply. The ‘Cloud’ essentially exists in the cyberspace.

Cyber security refers to the techniques of protecting computers, networks, programs and data from unauthorised access or attacks that are essentially malicious.

Cyberthreat is the possibility of malicious attempts to damage or disrupt a computer network or system.

Achieving EHR security

There are a number of methods by which adequate levels of security can be achieved in any EHR system that would be sufficient to allay the various security-related concerns of the stakeholders.

Technical Solutions – using various security techniques as follows:

• Encryption
• Authentication
• Role based access control (RBAC)

Human Solution

• Privacy Awareness
• Privacy Education

Information system designer and developers need to ensure that privacy requirements are included in the design and development phases itself. This is an extremely issue that all EHR vendors must pay particular attention to and failure to do so would in all likelihood result in serious legal consequences, which would mean one definite thing—business failure.

Security anywhere is as weak as it is at its weakest point. This unfortunately happens to be the users themselves. Using passwords that can easily be guessed, making them available from where even a toddler can access, sharing them with all and sundry, etc. are all extremely dangerous practises that many users, unknowingly and knowingly continue to indulge in for a variety of reasons, mostly due to matters of convenience.

Encryption

Encryption is the process of using an algorithm to transform readable data into an unreadable encoded one in order to make it incomprehensible to unauthorised users. The encoded data can only be decrypted to make it readable with a security ‘key’. This end-to-end data protection process, which falls under the science of cryptography, is essential for to ensure a trusted delivery of sensitive information, including those over such open networks like the Internet.

Advanced Encryption Standard (AES) is an example of symmetric-key encryption process that uses a 128-bit, a 192-bit or a 256-bit key is considered pretty reliable as breaking them is virtually impossible at the currently available computing power. The Pretty Good Privacy (PGP) is an example of asymmetric-key encryption and is a public-key encryption process that uses private and public keys in tandem.

Authentication and authorisation

Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. This is accomplished by identifying an individual through the person's unique user identifier and a password (or passphrase, biometric, OTP challenge, etc.). It is distinct from authorisation, which is the process of giving individuals access to system objects based on their identity. Once a person has been authenticated, he is permitted access to the system based on his access rights. This is authorisation. Both are accomplished through the log-in functionality.

Role-based access control

Aka RBAC, this is a process by which system access to users is granted based on the roles they are authorised to perform. By tagging the roles to access, a user is permitted, or not, to execute a certain set of functions based on the roles they perform. This provides the flexibility to deny any unauthorised user, including those unknown, who are trying to gain access with malicious intent, from carrying out task or tasks that they are not permitted to.

Consent management

Any person whose data is being managed using a system needs to provide as explicit a consent as is practical to permit anyone who uses the system to access the data, or not. Taking such a consent in as transparent a manner as possible provides the necessary legal protection to all those who use the system and access the data contained therein while ensuring that the person who has provided the consent has done so with sufficient clarity as to what all he has consented to and not.

Audit trail

The genesis of audit trail belongs to the world of accountancy and is basically a system that traces the detailed transactions relating to any item in a record. In the context of EHR, it is a tracing record of detailed transactions of all activities performed on it. Such a record is able to keep track of everything that has occurred with respect to the EHR and is able to provide details of all activities, thereby making it easier to detect most, if not all, malicious activities. Any compromise to the data integrity or the performance of any nefarious activity can not only be traced but the culprits identified so that necessary action can be undertaken, often in real-time.

Through the use of audit trail in digital health documenting systems, any person or entity, including a court of law, can be provided with sufficient information with a better-than-acceptable levels of confidence that the health records maintained in the electronic format is safe and secure.

Data integrity

Data integrity is a fundamental component of information security and generally refers to the accuracy and consistency of data stored anywhere, whether in a database or data warehouse or data mart or something else. For data to be complete, all of its characteristics including business rules, relations, dates, definitions and lineage need to be correct. Data integrity is maintained through the ongoing use of error checking and validation routines, like ensuring that numeric columns/cells do not accept alphabetic data.

As a process, it verifies that the data has remained unaltered in transit from creation to reception. As a state or condition, it is a measure of the validity and fidelity of a data object. Database security professionals employ any number of practices to assure data integrity, including data encryption that locks data by cipher, data backup that stores a copy of data in an alternate location, having in place appropriate access controls, including assignment of read-write privileges, input validation, to prevent incorrect data entry, and data validation, in order to certify uncorrupted transmission.

This ensures that the data, as intended to be captured, is not only captured in that state but also stored, retrieved, or exchanged, is exactly the same from the time of entry forever.

Hashing

Hashing is the transformation of a string of characters into a fixed-length value or key that represents the original string and is used in many encryption algorithms apart from its use in indexing data in databases to make data location and retrieval quick.

This technique makes it possible to generate and store a hash key of a particular record and subsequently to re-generate the hash key of the same record and check the re-generated key with the original key. A match means that the original record is being preserved. Else it points to compromise of the record’s integrity. This is a red flag indicating breach of security that may have privacy and confidentiality issues.

Safeguards

Physical

These are safeguards put in place to ensure that all computer hardware including servers, networking equipment including routers, continuity of power supply and temperature maintenance are in a safe place free from any physical harm due to elements of nature, acts by animals or breaking and entering by humans. Various guidelines are drawn up and rigorously followed to ensure that all threats are adequately dealt and mitigated.

Administrative Safeguards

These are basically a set of standard operating procedures related to how security is to be handled, the rules that govern the personnel who deal with or handle sensitive data, how risks are to be managed, methodology for oversight, etc.

Blockchain technology

As of 2018, this is ‘the new kid on the block’ as far as cyber-security is concerned and appears to be on the up and up on the hype cycle of the type popularised by Gartner.

A blockchain is a continuously growing list of records that are linked and secured using cryptography containing a cryptographic hash of the previous block, a timestamp and transaction data. By design, it is inherently resistant to modification of the data. They are secure by design and exemplify a distributed computing system with high fault tolerance. This makes these types of database potentially suitable for the recording of events, medical records, and other records management activities, such as identity management, transaction processing, documenting provenance, food traceability, voting, etc.

Sadly, what prevents it from being the answer to all EHR-related problems is its inherent latency in data retrieval. While this is not a serious enough issue in the non-critical care settings like outpatients or routine inpatients where the patient is well-settled, it is definitely a problem that cannot be mitigated using high-end technological solutions in critical care settings including accidents and emergencies.

Privacy awareness & education

Painful as it is, there is no recourse other than to admit that awareness about privacy and rights related to confidentiality is practically non-existent amongst the publicat-large. Too often a person will not think twice before sharing their intimate details on the social network, but mention of someone entering information into a health information system makes that very person extremely concerned that assumes the hue of outright paranoia. Such a situation is, sadly, all too common for one’s comfort.

This results in the requirement of appropriate raising of awareness and educating the stakeholders using simple and easy-to-follow techniques so that their concerns are adequately allayed and their knowledge regarding the various related do’s and don’ts are suitably augmented. Public messages in the media, private emails and messages, availability of capacity building videos and other educational documents, appropriate postings in the various discussion forum, etc. are some of the various methods that can be adopted in this regard.

Concluding Observations

As is evident from the various functionalities, techniques and tools mentioned and discussed above, robust safeguards are well-known and extensively used by the Information Technology industry to ensure that the privacy and confidentiality of any data can be securely handled with reasonable care.

By using them in EHR systems the data they contain can be well-protected in a reasonably secure manner. Stakeholders can consequently rest easy, confident in the knowledge that the sensitive health-related data contained in EHRs are sufficiently safe in the cyberspace.

--Issue 40--

Author Bio

SB Bhattacharyya

SB Bhattacharyya is a practising family physician and health informatics professional with more than 29 years of experience as a general practitioner and business solution architect for digital applications in healthcare, pharmaceutical and medical devices domains. He is currently Member, National EHR Standardisation Committee, MoH&FW, Government of India; Member, Healthcare Informatics Sectional Committee, MHD 17, Bureau of Indian Standards; Member, IMA Standing Committee for Information Technology, IMA Headquarters; and Head – Health Informatics, TCS.

TOP