Monday, May 24, 2010

Watching the Watchmen

Securing information is a big deal right now, but it's nothing new to health care. Protected Health Information (PHI) is the buzzword we always hear, but it turns out that there are so many ways that information can leak that it's just one of those things where you try your best.

It seems like the latest rash of concerns are stemming from the administrative side rather than the care provider side. At first, everyone was worried to death that health care professionals or random passers-by were diving into their electronic records and gathering deeply personal information like their STI test results or what surgery they were getting last week. When I was coming up in school, that was all we talked about, and the fallout was rashes of students and medical staff that were fired or penalized for information indiscretions.

All this time, no attention was paid to the larger risk, which was IT staff themselves. While less personal, breaches by IT staff are much larger in scale, and certainly contain more potential for harm in the form of mass identity theft, or breaches that are almost impossible to track. It's the latter issue that I'd like to talk about.

Most systems have a method of logging when any particular user views a patient chart. So if I dive into your medical record looking to see if you're pregnant, the system logs not only who I am and when I accessed the chart, but in many cases what sections of it I looked at. For care providers, it's very obvious whose charts they should be viewing because they are working with patients in a certain location or possessing a certain diagnosis/problem. If they start looking at charts for a patient in another hospital unit or specialty, hijinks may ensue.

With IT staff though, we have to go into patient charts all the time, most of which have no apparent relationship to us or to each other. At UPHS, the members of the team all do tech support for several hours a day on top of our projects, and will also occasionally look at an individual chart to try and analyze workflow. This happens many times a day, and only about half the time is there any sort of recorded reason for the access. If asked why we looked at a particular patient's chart a week or more in the past, I know I would probably give something between a vacant stare and a quizzical look as a response. Consequently, as long as there is no apparent relationship between the IT staffer and the chart accessed, the benefit of the doubt is usually given.

It's further complicated by the existence of temporary copies of the production database (the version of the EMR where everything used clinically lives). In order to prevent catastrophic failure in the event of a disaster, at Penn we create a backup of the entire system every 24 hours. It serves multiple purposes--in addition to acting as a backup, we often test changes we're planning to make to the production EMR in that environment. If something goes wrong or doesn't work, we can roll it back with no disruption to patient care... or just leave it there. We can do that because the entire copy is wiped out and replaced by the current production version every night. The dark side is that we can also potentially view patient data in that environment, and any traces that we were there are cleared out within 24 hours, and most of the time even sooner. So if a malicious actor were to simply wait a day for some information to come into this copy environment, they could gather anything they wanted and then just wait for any traces that they were there to disappear. All that would be logged is that they accessed the environment, and as long as that occurred during normal business hours, there's nothing to prove because you can't tie it to a medical record.
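The two gaps described above (IT chart views with no recorded reason, and copy-environment sessions that leave only a login record) can be surfaced by a simple audit review; this is an added example, not part of the original post or any EMR vendor's code. The log columns, role names and ticket IDs are assumptions, the rows are constructed, and it presumes chart-level audit rows from the copy environment are exported before the nightly refresh.

```python
import csv
import io

# Constructed sample audit export (not real data); column names are assumptions.
SAMPLE = """ts,user,role,env,event,patient_id,reason
2010-05-20T09:12,asmith,nurse,prod,chart_view,P100,
2010-05-20T10:03,jdoe,it,prod,chart_view,P100,TICKET-41
2010-05-20T10:40,jdoe,it,prod,chart_view,P233,
2010-05-20T11:15,jdoe,it,copy,login,,
2010-05-20T13:30,mlee,it,copy,login,,
2010-05-20T13:31,mlee,it,copy,chart_view,P510,TICKET-44
2010-05-20T14:02,mlee,it,prod,chart_view,P777,
"""


def review(audit_csv):
    """Return (unjustified, unattributable) findings for IT-role activity.

    unjustified:    IT chart views that carry no recorded reason.
    unattributable: (user, day) pairs with a copy-environment login but no
                    surviving chart-level rows, i.e. nothing ties the session
                    to a medical record.
    """
    unjustified = []
    copy_logins = set()   # (user, day) seen logging in to the copy environment
    copy_views = set()    # (user, day) with exported chart-level rows
    for row in csv.DictReader(io.StringIO(audit_csv)):
        if row["role"] != "it":
            continue  # clinician access is reviewed against unit/diagnosis instead
        key = (row["user"], row["ts"][:10])
        if row["event"] == "chart_view":
            if not row["reason"].strip():
                unjustified.append(
                    (row["ts"], row["user"], row["env"], row["patient_id"]))
            if row["env"] == "copy":
                copy_views.add(key)
        elif row["event"] == "login" and row["env"] == "copy":
            copy_logins.add(key)
    return unjustified, sorted(copy_logins - copy_views)


if __name__ == "__main__":
    missing_reason, no_trail = review(SAMPLE)
    for finding in missing_reason:
        print("no recorded reason:", finding)
    for user, day in no_trail:
        print("copy-environment login with no chart trail:", user, day)
```

Running the review soon after each access matters here, since a reason requested a week later is unlikely to be recalled.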

There are other examples, plenty enough for many more posts--but it needs to be said that information security is not quite what it should be. And I say that working at an institution where I believe security is taken seriously. Balancing the need to safeguard PHI isn't going away though, and the work is never done.
