We’re making huge leaps forward, let’s make sure these systems are at least built capable of trustworthiness before we subsidize further acceleration of their implementation. Since we cannot yet assure a trustworthy record today, we gain a huge additional increment in national value by making sure that foundational requirement is met before we push forward to hard, too fast. Before we “wed” ourselves too irreversibly to the EHR vision, let’s contemplate that old saw, “Marry in Haste, Repent at Leisure”.

RDGelzer, MD, MPH, CHCC
Advocates for Documentation Integrity and Compliance
Volunteer-CCHIT Privacy and Compliance WG
Volunteer-HL7 EHR-S Functional Model WG on the Records Management-Evidentiary Support Profile

I would like to add an observation as a practitioner of security in e-health systems. In embracing Personal Health Records, and planning their security and privacy, we need to take special care with Health Identifiers.

The current state of user authentication and Health ID management puts patients accessing their own PHRs at enormous risk. Conventional username-and-password log on leaves users utterly vulnerable to ID theft, phishing and pharming (where users are drawn to what appears to be a legitimate EHR website but which is in fact a criminal enterprise trying to elicit the user’s personal details).

Health IDs (and PHR user account details) need to be treated with the utmost care; they must be safeguarded against unauthorised usage, especially theft and replay. The replay of stolen identity data now is rife in the payments system; at least $5billion of Card Not Present payment fraud happens every year, fueled by a thriving black market in stolen account details. Witness the recent highly organised attacks on Heartland Payment Systems and the TJX department stores, which netted organised criminals tens of millions of ID records.

The lesson for healthcare systems is to pay attention not only to access control mechanisms but also the pedigree of identifiers. How do we know that a given Health ID really pertains to a singular individual? And that it has been provided willfully to a carer or an information system? And how can we be sure without invading the patient’s privacy by having them play “Twenty Questions” every time they want access?

Simple password access to internet banking services is already widely superseded in the finance sector. The health sector needs to go one step better than banking, for the perils are so much greater. In e-health we must adopt uniform two factor and non replayable authentication of users accessing their own EHRs. The US federal government’s authentication guidelines expressly address these issues; NIST SP800-63 “Electronic Authentication Guideline” is very useful. It sets the bar higher than we’re accustomed to in personal internet security, but I think there is no room for error when it comes to PHRs.

If we think that PHRs are crucial to the future of healthcare, then we’re going to have to treat them as part of the national infrastructure, and invest in personal safety measures accordingly.

Stephen Wilson
Lockstep Technologies.