Security considerations in transmitting medical information

Jan 18, 2007

Whether it involves physicians, patients, healthcare professionals, or insurance companies, communication is an essential component of day-to-day healthcare practices. Historically, much of that communication has been analog, taking the form of the spoken word as a doctor and patient discuss a care plan. Other examples of analog healthcare communication include a hand-written toxicology report, a printed lab result, and a sheet of x-ray film.

In these formats, the information is relatively easy to protect and control. By storing these physical documents in a secure environment and transferring them by courier, a healthcare provider could readily assure patients their medical information was safe.

However, information stored in this manner is not easily processed for research nor can it be quickly communicated to or shared with a remote peer. Unfortunately, healthcare providers are slow to adopt digital solutions for information generation, storage, or transmission. This reluctance to transition to a digital environment has been noted and identified as "among the most serious threats to the health industry, ahead of rising costs," according to InformationWeek (January 31, 2005, Vol. 1024, pp. 18-19).

In an environment that stores information in digital form, that information may typically be found in two states: either in archive or transmission. Stored digital information is generally considered to be at the least risk as hardware, software, and even physical measures are often taken to ensure the information remains secure and inaccessible to unauthorized users.

Data that is being transmitted is exposed to public systems, and is in jeopardy of being accessed and copied by potentially malicious third-party users. The U.S. Department of Health and Human Services (HHS) document, "Health Insurance Reform: Security Standards: Final Rule" (Federal Register, February 20, 2003, Vol. 68:34) states: "The confidentiality of health information is threatened not only by the risk of improper access to stored information, but also by the risk of interception during electronic transmission of the information."

Required but not supported

This risk must be taken into consideration, as the result of such exposure could have devastating effects on users as well as the patient whose personal information is exposed. John Jones, an attorney at Schnader Harrison Segal & Lewis in Philadelphia, indicated in Physician's News Digest (May 2000) that regardless of the status of patient consent, malpractice is sure to arise because of confidentiality breaches during digital communications. He further stated that even though the Electronic Communications Privacy Act (ECPA) of 1986 provides punishment for the illicit capture of any form of digital communication, the sender of an e-mail could potentially still be at risk of civil charges and penalties.

Although legislation for the protection of digital communication in general has existed for a number of years, legislative imperatives for protecting patient information are relatively recent. Even though HIPAA specifies the obligation healthcare providers have for protecting confidential records and their responsibility to log and document medial record activity, the details of how this is to be achieved is left to the responsibility of the implementing facility, according to HHS.

Few healthcare providers possess such expertise in-house or have access to funds required to enlist the consultative assistance of third-party organizations, leaving them with the obligation and constraints of the legislation but little to no useful assistance in meeting those obligations. Because of this, concern over a real solution to confidentiality remains and grows even larger.

The slippery slope of standards

Some consider medical information and communication standards, such as HL7 and DICOM, to be a satisfactory response to the question of security and patient confidentiality. HL7 is widely used in healthcare for the transmission of many types of patient-related information from one system to another. It is used in the transmission of detailed physician visit information, test results, and payment and insurance information. DICOM typically addresses the interoperability of medical imaging devices, such as CT scanners, PACS applications, and other radiology-centric technologies.

The 2002 chair of DICOM Working Group 14, Larry Tarbox, stated that DICOM relies exclusively on the use of secured communications channels. The standard itself does not specify requirements or solutions for ensuring confidentiality; it focuses on interoperability. The result of this is that, although standard adherence may mean that a transmission involving at least two parties may be successful despite the fact two disparate systems are involved, no assurance or even consideration of security and privacy is provided through adherence to the standard.

Because little to no federal funding exists in support of developing standards, those who do adopt a standard such as HL7 do so voluntarily and are unsupported in this process, according to Edward Shortliffe (Health Affairs, September/October 2005, Vol. 24:5, pp. 1222-1223). Subsequently, healthcare providers invest time and money in an attempt to adhere to standards but may find their transmission destination does not. At this point, in addition to having a potential breach in information security through this transmission link, they may not even be able to share applicable medical information with their communication peer.

Home-grown security

Because of the low level of support provided to a facility by legislation and current standards, the quest for a solid solution regarding patient confidentiality and information security leads to the home of digital communication, the information technology (IT) department. It is by basing the digital transmission of patient information on the technology industry-accepted security measures in place and in use that compliance with legislation and protection of patient privacy may be ensured.

In most cases, much of the transmitted medical information is passed between nodes within a hospital network. Because any isolated system is generally considered secure from external intrusion, intranetwork communication is commonly only at risk for internal leaks.

Internal compromise of secure healthcare networks is not a new problem. In 1998, 16 state employees in Maryland sold confidential patient information from the state medical database to an HMO. The betrayal of confidentiality in this manner undermines public trust of healthcare providers and diminishes the perceived value the digital format brings to patients.

In addition to using illegally acquired information for making costly coverage decisions, some companies will go to great lengths to acquire information that may benefit them in many aspects of business. According to an article in Healthcare Financial Management (October 1998, Vol. 52:10, pp. 66-68), 35% percent of Fortune 500 companies stated they have used personal medical information in the hiring-decision process. By considering these examples and understanding the value this information has, and therefore the lengths to which a company will go to acquire it, yet another reason to protect this information is evident.

Internal controls in the form of information security policies are instrumental in protecting sensitive information. In implementing policies, companies are taking reasonable steps to protect themselves from the risks associated with the use of various computer systems.

In addition to policies, facilities may utilize the logging functionality built into many software applications. Software developers may be required to support such functionality to allow their customers to achieve compliance with legislation such as HIPAA. In addition, patient information security and privacy mandates extend to healthcare facilities outside the U.S. Directive 95/46/EC of the European Parliament demands data security and accountability in the European Union that is quite similar to U.S. legislation.

HIPAA compliance for logging is complex because the rules do not explicitly state the items that must be tracked. They merely state that audit logs must track who accesses protected data stores. Many facilities opt to also include details such as individual user login and logout activity, the required display of patient-specific information, and the modification of patient data.

Considering the software, logging, and policies required to make data as safe as possible within a healthcare facility's network, additional components are required to secure medical information transmitted outside that network. Appropriate hardware and software must be in place and properly configured to maintain the division between external Internet traffic and internal network traffic in a healthcare facility. These items include firewalls, secure socket layer (SSL) servers, and virtual private networks (VPNs).

A firewall is a device installed between the internal network of a facility and the public Internet. It serves the purpose of controlling access to the internal system, and is designed to forward and filter individual messages. An SSL server provides end-to-end security for applications. In a healthcare setting, these applications are often Web servers that publish patient-related data to users outside the facility. As this sensitive information travels out of the hospital network realm, it is protected and kept confidential through the use of this transport layer technology.

VPN technology can serve somewhat the same purpose as SSL in that it serves to encrypt information, protecting it from being viewed by a third party. A VPN solution typically is implemented as a component within the facility that is connected to by users launching a VPN software client. The solution is highly scalable and creates a private network that ensures communication between the client and the host facility remains secure and encrypted.

Considering the lengths to which a healthcare provider must go to achieve and maintain data security for confidential patient information, mistakes may be made in countless ways. Hospital staff members may tape that hard-to-remember passwords under their keyboard or write it on the back of their identification badge. E-mail sent outside the facility is, as a rule, unencrypted and patient information may be included in those messages. In addition, the physical security of hospital-based servers is often overlooked.

Further, legacy systems may have too much trust placed in them -- even though they were implemented years before and have never had their level of data protection reviewed. These legacy systems may present wide-open doors for intruders to access sensitive systems connected to them. A worst-case scenario would be if those legacy systems themselves possessed confidential patient information and it became available outside the facility. Reviewing existing hardware, systems, and configuration is vital and should be performed on a regular basis by IT administrators.

Last off the blocks

For too long, information security has been one of the last items to receive funding from hospital chief financial officers or attention from chief information officers. The lesson that is being learned now is that chronic underfunding of security projects leads to higher costs later. One of the reasons for this is that revenue-generating projects tend to be funded first, leaving the "ancillary" departments of the hospital with the remnants of the budget. However, as security breaches become evident and, more importantly, the repercussions from them, both financial and community reputation costs begin to add up dramatically, according to Healthcare Financial Management (February 2006, Vol. 60:2, pp. 56-60).

Although excellent arguments can be made for funding revenue-generating departments, the departments that are repositories for medical information such as IT, medical records, and radiology have a significantly more prolific role than ever before. The contribution these departments offer a healthcare facility is significant and is relied on by the institution and its external customers, such as referring physicians, clinics, and imaging centers.

All departments in a healthcare enterprise require the capability to communicate information in a secure and confidential manner throughout the confines of its network. Additionally, they must now be able to move information across the Internet to serve remote users or communicate information with third-party enterprises, such as other healthcare providers or insurers. The time is clearly overdue for the medical information industry to focus on security during the transmission of confidential information.

By Rocklyn Lien
AuntMinnie.com contributing writer
January 19, 2007

Rocky Lien is a trainer for a medical imaging developer and is responsible for preparing administrators for their role in the implementation and management of PACS. He is a registered technologist with 11 years of experience in the radiology field.

Related Reading

Crafting an RFP for device and systems security, November 9, 2006

GAO: CMS needs to improve IT security, October 4, 2006

Practices that embrace EHR security regulations inspire patient confidence, July 14, 2006

HIPAA compliance remains inconsistent, April 12, 2006

Dealing with HIPAA changes in 2006, April 6, 2006

Copyright © 2007 Rocklyn Lien

Latest in IS
2017 03 30 15 16 56 745 Mammogram Calendar 400
Can self-scheduling and referral close breast cancer screening gaps?
July 31, 2023
2018 11 19 17 20 4754 Back Pain 400
Simple EHR intervention reduces unnecessary lower-back x-rays
July 30, 2023
2020 01 28 20 45 5229 Cloud Computing Laptop 400
Amazon Web Services releases imaging data platform
July 25, 2023
2021 06 16 23 10 5735 Student Doctor Laptop Test 400
Online course teaches students about appropriate imaging use
July 19, 2023
Related Stories
2006 12 23 13 10 09 706
IS
Moving toward flexible healthcare data sharing
2006 07 26 14 38 18 706
IS
Is a hosted application right for your organization?
2006 11 10 13 57 56 706
IS
StructuRad
2006 11 10 14 34 57 706
IS
Philips Speech Recognition Systems
More in IS
Can self-scheduling and referral close breast cancer screening gaps?
By Amerigo Allegretto
Online patient portal self-scheduling and self-referral methods can help mitigate health disparities in breast cancer screening, according to research published July 26 in the Journal of the American College of Radiology.
July 31, 2023
2017 03 30 15 16 56 745 Mammogram Calendar 400
Simple EHR intervention reduces unnecessary lower-back x-rays
By Kate Madden Yee
A relatively simple electronic health record (EHR) intervention reduces the incidence of unnecessary x-rays for patients presenting with low back pain, a study published July 28 in the Journal of the American College of Radiology has found.
July 30, 2023
2018 11 19 17 20 4754 Back Pain 400
Amazon Web Services releases imaging data platform
By AuntMinnie.com staff writers
Amazon Web Services has launched an imaging data platform for storing, accessing, and analyzing medical images at petabyte scale.
July 25, 2023
2020 01 28 20 45 5229 Cloud Computing Laptop 400
Online course teaches students about appropriate imaging use
By Amerigo Allegretto
An online elective course can effectively educate radiology students on the concept of appropriateness in medical imaging, according to an Israeli study published July 18 in Academic Radiology.
July 19, 2023
2021 06 16 23 10 5735 Student Doctor Laptop Test 400
CMS proposes radiology reimbursement cuts, AUC pause for 2024 MPFS
By Erik L. Ridley
In what has seemingly become an annual event, the U.S. Centers for Medicare and Medicaid Services (CMS) has once again included radiology reimbursement cuts in its Medicare Physician Fee Schedule (MPFS) Proposed Rule.
July 13, 2023
2019 07 31 17 01 7432 Medicare Puzzle 400
Summary reports improve CT planning for ovarian cancer surgery
By Kate Madden Yee
A synoptic, or summary radiology report, improves pretreatment CT planning for patients with advanced ovarian cancer compared to a simple structured report, according to a study published on July 12 in the American Journal of Roentgenology.
July 12, 2023
2023 07 12 19 50 6142 2023 07 12 Ajr Ct Ovarian 400
PET/CT shows value in patients with portal vein thrombosis
By Will Morton
PET/CT could be a valuable new imaging technique for distinguishing benign from malignant portal vein thrombosis in liver cirrhosis patients, according to a group in Egypt.
June 26, 2023
2023 06 22 23 04 9721 2023 06 23 Pet Pvt 20230622231003
Ransomware affects emergency radiology workflows
By Amerigo Allegretto
Ransomware attacks have a significant effect on emergency radiology workflows, as well as on acute care delivery and the personal well-being of healthcare providers, according to a study published June 15 in the Annals of Emergency Medicine.
June 19, 2023
2021 08 10 16 10 2928 Cybersecurity Lock V2 400
SIIM: Can Microsoft Teams lessen radiologist interruptions?
By Erik L. Ridley
AUSTIN, TX - Asynchronous forms of communication such as Microsoft Teams are much less disruptive to radiologists than phone calls or in-person visits, according to a talk delivered at the annual Society for Imaging Informatics in Medicine (SIIM) meeting.
June 18, 2023
2020 04 16 18 17 3383 Radiologist Ct Scan Brain Tumor 400
Turing debuts MRI visual feedback module at ISMRM 2023
By AuntMinnie.com staff writers
Neuroimaging software company Turing Medical Technologies (formerly Nous Imaging) used the venue of ISMRM 2023 in Toronto to launch FIRMM-pix, an in-bore visual feedback module designed to actively reduce head motion during brain MRI scans.
June 8, 2023
2023 01 30 21 50 9506 Computer Display Monitor Lab Mri V2 400
ImagineSoftware acquires Within Health
By AuntMinnie.com staff writers
Radiology billing and RIS developer ImagineSoftware has acquired artificial intelligence software developer Within Health. Terms of the deal were not disclosed.
May 23, 2023
2020 08 20 17 37 8876 Business Handshake Man 400
DetectedX touts learning platform success
By AuntMinnie.com staff writers
DetectedX is highlighting that the user base for its Radiology Online Learning Centre has exceeded 4,500 users, which the company says range from large radiology groups to individuals around the world.
May 3, 2023
2020 06 16 22 09 9134 Doctor Virtual Meeting Laptop Computer 400
Page 1 of 603
Next Page