Do No Harm: Protecting Patient Data

— Experts explore the dangers of cyberattacks and possible strategies for identity management

MedpageToday

NATIONAL HARBOR -- Information technology experts underscored the importance of keeping patient health information secure and outlined strategies for doing so at a cybersecurity conference here.

Dale Jessop, chief technology officer for Exco In Touch, recounted recent high-profile cyberattacks on large companies including retailers Target and Home Depot, financial giant JP Morgan Chase, and health insurer Anthem.

Most breaches are preventable, he said: "Often they come down to one person doing something they shouldn't have done." This includes clicking links or opening attachments from unknown senders.

Anthem stressed after it was attacked that no credit card numbers had been stolen in the breach. The statement may have provided comfort to some consumers but not Jessop.

Healthcare data typically include a person's name, address, gender and, often, a Social Security number. "That's enough for people to create a new line of credit," he said.

Tim Bulu, director of information security for health information systems at the University of San Francisco, told MedPage Today that even basic demographic information, such as gender and address, is valuable when combined with medical information.

"If I can steal your medical identity and get medical coverage as you, I can go have surgeries and your insurance gets billed, and I walk away scot-free," Bulu said.

Jessop stressed the importance of educating companies about the strategies hackers use. These range from "phishing" scams -- emails that deceive recipients into divulging passwords or other sensitive information -- to simple "tail-gating," in which the hacker physically enters a private space on the heels of a delivery person or other employee.

"It's very easy to move around a hospital if you look like you should be there," he said.

A second presenter at the lecture, Bill Braithwaite, MD, PhD, chair of the identity management task force for the Healthcare Information and Management Systems Society (HIMSS), a multi-stakeholder industry group, described potential new requirements that aim to balance patient rights while also keeping patient health information secure.

Braithwaite, known as a key author of HIPAA, the Health Insurance Portability and Accountability Act of 1996, said that new guidance for identity management in patient portals is currently being developed.

Some potential elements include:

  • Requiring that all systems offering electronic access by patients to their own protected health information (PHI) be able to use identity proofing and authentication at a high level of confidence (standards "equal to National Institute of Standards and Technology (NIST) Level Of Assurance 3")
  • Requiring that all patients must be informed of the risk to their own privacy of viewing, downloading or sending protected health information "including any differences based on any security choices they may have"
  • With "rare and well-defined exceptions" all patients must meet a "high confidence identity proofing standard" before gaining access to protected health information

Braithwaite also spoke about specific challenges to identity management such as patients who choose to be anonymous and those who request proxies.

The proxy issue is difficult because some individuals may wish some but not all of their health data to be managed by another person -- e.g., a senior wanting to delegate management of certain health issues to an adult child.

Another difficulty is determining at what age a patient is capable of managing his or her own healthcare decisions and data, without parental control. For patients anywhere from 13 to 19, deciding this question in legal terms is nearly impossible, Braithwaite said.

"In some states the law is so inconsistent that you cannot make a decision that's legal," he said.

A subgroup of Braithwaite's task force is developing guidance for how to manage these concerns.

Another task force subgroup is focusing on anonymity issues. The group determined that a core principle of securing the privilege of anonymity or pseudonymity is counterintuitive: patients must first be "known to a practice" -- in other words, they must have already proved their identity in some fashion.

The team established the following conclusions based on their discussions:

  • Patients have a right to anonymity
  • Each patient must have a unique identifier so that his or her records cannot be confused with anyone else's
  • Authentication for anonymous patients does not require a different mechanism than for openly identifiable patients
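Two of the design points above, partial proxy delegation (a senior handing management of only some health issues to an adult child) and the rule that a pseudonymous patient still carries a unique identifier and authenticates through the same mechanism as everyone else, can be made concrete in code. The following Python is an added illustration written for this page; it is not code from HIMSS, the task force, or any portal product, and the record categories, class names and the `PortalAuthz` store are constructed assumptions. It shows a deny-by-default check in which self-access always succeeds, proxy access succeeds only for the delegated categories and only until the grant expires, and every decision is written to an audit trail.

```python
"""Scoped proxy delegation over pseudonymous patient identities (illustrative)."""
from dataclasses import dataclass
from datetime import date, timedelta
import uuid

# Constructed set of record categories; the article enumerates none.
CATEGORIES = frozenset({"demographics", "medications", "lab_results",
                        "mental_health", "billing"})


@dataclass(frozen=True)
class Patient:
    patient_id: str      # opaque unique identifier used for every lookup
    display_name: str    # legal name or a pseudonym; never used for matching
    anonymous: bool      # pseudonymous record: same auth path, different label


@dataclass(frozen=True)
class ProxyGrant:
    grantor_id: str        # patient delegating access
    proxy_id: str          # person receiving access (e.g. an adult child)
    categories: frozenset  # subset of CATEGORIES the proxy may read
    expires: date          # grants are time-bounded (inclusive end date)


class PortalAuthz:
    """Hypothetical patient-portal authorization store (not HIMSS guidance)."""

    def __init__(self):
        self._patients = {}   # patient_id -> Patient
        self._grants = []     # list of ProxyGrant
        self.audit = []       # one tuple per access decision

    def register(self, display_name, anonymous=False):
        # A pseudonymous patient still receives a unique identifier so that
        # the record cannot be confused with anyone else's.
        pid = uuid.uuid4().hex
        self._patients[pid] = Patient(pid, display_name, anonymous)
        return pid

    def grant_proxy(self, grantor_id, proxy_id, categories, expires):
        scope = frozenset(categories)
        unknown = scope - CATEGORIES
        if unknown:
            raise ValueError(f"unknown categories: {sorted(unknown)}")
        if grantor_id not in self._patients or proxy_id not in self._patients:
            raise KeyError("both parties must already be known to the practice")
        if grantor_id == proxy_id:
            raise ValueError("a patient cannot be their own proxy")
        grant = ProxyGrant(grantor_id, proxy_id, scope, expires)
        self._grants.append(grant)
        return grant

    def revoke_proxy(self, grantor_id, proxy_id):
        before = len(self._grants)
        self._grants = [g for g in self._grants
                        if not (g.grantor_id == grantor_id and g.proxy_id == proxy_id)]
        return before - len(self._grants)   # number of grants removed

    def can_read(self, actor_id, subject_id, category, today):
        """Deny by default; allow self-access or an unexpired, in-scope grant."""
        if category not in CATEGORIES:
            allowed = False
        elif actor_id == subject_id and actor_id in self._patients:
            allowed = True
        else:
            allowed = any(
                g.grantor_id == subject_id and g.proxy_id == actor_id
                and category in g.categories and today <= g.expires
                for g in self._grants)
        self.audit.append((today.isoformat(), actor_id, subject_id, category, allowed))
        return allowed


def demo():
    """Constructed scenario: a pseudonymous senior delegates part of her record."""
    portal = PortalAuthz()
    senior = portal.register("Patient 4821", anonymous=True)   # pseudonym only
    son = portal.register("Robert Example")
    today = date(2015, 6, 1)
    portal.grant_proxy(senior, son, {"medications", "lab_results"},
                       expires=today + timedelta(days=90))
    return {
        "self_mental_health": portal.can_read(senior, senior, "mental_health", today),
        "proxy_medications": portal.can_read(son, senior, "medications", today),
        "proxy_mental_health": portal.can_read(son, senior, "mental_health", today),
        "proxy_after_expiry": portal.can_read(son, senior, "medications",
                                              today + timedelta(days=91)),
        "reverse_direction": portal.can_read(senior, son, "medications", today),
        "audit_entries": len(portal.audit),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The pseudonymous patient is looked up and authorized by `patient_id` alone; the display name is a label and plays no part in matching, which is what lets the same authentication and authorization path serve anonymous and openly identified patients alike. Delegation is expressed as a category set with an expiry rather than as a blanket "proxy" flag, so the senior's mental-health or billing data stays out of reach of the adult child unless it is granted explicitly, and a revocation or an expired date closes the access without touching the record itself.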

Currently, an anonymous or pseudonymous identity cannot be used across institutions while a fully-proofed identity can, Braithwaite said. Emerging technologies can help remedy this problem in the future by allowing all patients to more easily understand the conditions in which disclosures of personal information occur.

It boils down to creating trust in the system, he said.

"If patients trust the system that we implement that their information is not going to be used against them or released without their permission, being anonymous won't be such a big deal anymore. It won't be such an important right to be taken advantage of."