It was recently announced that Electronic Health Records (EHR) are in use in all military hospitals. Granted, the article is mostly a marketing screed for one company, but it still represents a big step. Outside of the Department of Defense (DoD), this probably doesn't seem like a very big deal. Inside the DoD, it's HUGE. It is the culmination of years of work and millions, possibly billions, of dollars spent, and an important step in improving health care for Wounded Warriors.

It also sets the stage for wider adoption of EHR in the private sector. There are reasons to be concerned about this, of course. There are few, if any, pieces of information more intrinsically private and personal than one's medical records. And while making those records available electronically offers great advantages in medical care, it also opens up a great risk of compromise.

As with any important data, there are established standards for protecting EHR. The medical industry in America is very heavily regulated, with HIPAA being the primary source of guidance. Based on HIPAA and related laws and regulations, various healthcare-related certifications exist. The two with which I am most familiar are DIACAP and CCHIT.

DIACAP stands for Department of Defense Information Assurance Certification and Accreditation Process. It's not specific to medical information, but it is specific to DoD systems. It matters here because most publicly available EHR systems will have descended from DoD systems that had to pass DIACAP. DIACAP is a very intensive process, requiring reams of documentation and months of work, and it is very comprehensive. Unfortunately, because its requirements are fixed in advance and updated slowly, it can be outdated, and can even force systems to be insecure. For example, at least as of 2010 when I last worked with it, systems were required to use Internet Explorer 6, with all the limitations of that browser; nothing newer was permitted. (DIACAP has since been superseded by the DoD's adoption of the Risk Management Framework, but the same concern applies to any fixed baseline.)

Outside of the DoD, I've also worked to certify systems under CCHIT standards. CCHIT stands for Certification Commission for Health Information Technology, and its certification has been required for certain government incentives and, in some cases, for the ability to operate a system at all. While still rather intensive, it is far less so than DIACAP. Realistically, looking back on it, it didn't go into nearly enough depth on security, being focused on clinical functionality and data integrity.

This doesn't even touch on the clinical side of things – the actual data gathered directly by medical devices such as MRI and CT scanners and x-ray machines. Most security audits avoid dealing with clinical data directly: it's a hassle to give auditors access to those systems, and the auditors seldom have any idea what they're looking at anyway. Frequently the data is handled in a proprietary fashion that may or may not be well documented, and frankly it's often little short of a miracle that it works at all. As a result, even if a hospital or doctor's office has a secure computer system, the clinical data, the most revealing data of all, may be the least secure.

The most worrisome part, having been on both sides of the table for security reviews, is knowing that too often they're treated as just another tedious piece of paperwork. As a tech writer, my job was frequently "write something so these people go away". I've also seen security auditors who felt that their job was "find a reason to fail these people". These attitudes are, of course, common to all security audits. But they become especially worrisome when it's medical records on the line.