
Are Electronic Health Records Safe?

Health information is unlike every other category of personal information, financial information included. A fraudulent charge on a bank account can be disputed and reversed, but there is no comparable policy or procedure for correcting a medical record that has been polluted by someone else's care. If health information, such as insurance benefits, is stolen and used to obtain medical services, the diagnoses, prescriptions and procedures recorded under the victim's identity may be effectively irreversible, because there is no unified system through which the false entries can be traced and expunged. This medical identity theft, and the diagnostic history that comes with it, can follow a victim for the rest of their life, creating problems when they seek care and when they apply for medical coverage or other forms of insurance (for example, life insurance).

Protecting an individual's medical information and privacy is the most fundamental element of implementing an EHR system. A critical part of that protection is knowing, with a high level of assurance, who is attempting to access the EHR. Today the majority of U.S. healthcare networks grant access to anyone who presents a correct username and password. Because both are things the user knows, this is single-factor authentication, and the password is the only real secret: anyone who phishes, guesses or cracks it gets in. As Brookhaven National Laboratory puts it, "Predictable, easily-crackable, and/or unchanging passwords are the single weakest point in the standard site-security model." That is simply not sufficient to protect personal health information.

Two-factor authentication requires two identification elements drawn from different categories: something you know (e.g., a passphrase or PIN), something you have (e.g., a smart card or token) and something you are (a biometric). Two elements from the same category, such as a password plus a PIN, do not qualify, because both can be stolen in the same way. Authentication of this strength establishes, with far higher confidence than a password alone, that the person at the keyboard is who they claim to be; whether that identity is permitted to view a particular record is then an authorization decision the system can make on a trustworthy basis. The U.S. Department of Defense has deployed this model through the Common Access Card (CAC). This smart-card identity credential carries a photograph and printed security features, and a microprocessor embedded in the card holds the holder's private keys and certificates, designed so that the keys cannot be extracted from the chip. Used together with a personal identification number (PIN), the card lets the bearer prove with a very high level of assurance that they are the person it identifies: the card must be physically present, and the PIN must be entered to unlock it.
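The card-plus-PIN login described above, as an added example that is not part of the original article and not code from any Gemalto or Department of Defense product. It models a one-factor password login beside a two-factor card login on the same EHR front door, then plays out the cases that matter: a leaked password, a stolen card without the PIN, and a replayed response. A real CAC holds asymmetric keys and X.509 certificates and answers a challenge with a signature; this model substitutes an HMAC over a per-card secret so it runs with the Python standard library only, and the user name, password and PIN are constructed demo values.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class SmartCard:
    """Stand-in for the chip on a CAC-style credential (something you have).

    The card secret never leaves the object; the only operation offered is
    "sign this challenge", and it is refused unless the correct PIN (something
    you know) is supplied. After MAX_PIN_TRIES consecutive wrong PINs the card
    locks itself, which is what stops a thief from guessing the PIN at leisure.
    """
    MAX_PIN_TRIES = 3

    def __init__(self, holder: str, card_secret: bytes, pin: str) -> None:
        self.holder = holder
        self._secret = card_secret        # never exported by any method
        self._pin = pin
        self._tries_left = self.MAX_PIN_TRIES
        self.blocked = False

    def sign_challenge(self, challenge: bytes, pin: str) -> Optional[bytes]:
        """Return HMAC(card_secret, challenge) if the PIN is right, else None."""
        if self.blocked:
            return None
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries_left -= 1
            if self._tries_left == 0:
                self.blocked = True
            return None
        self._tries_left = self.MAX_PIN_TRIES
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class EHRServer:
    """Minimal EHR front door offering a password login and a card login."""

    def __init__(self) -> None:
        self._pw: Dict[str, tuple] = {}             # user -> (salt, password hash)
        self._card_secrets: Dict[str, bytes] = {}   # user -> enrolled card secret
        self._pending: Dict[str, bytes] = {}        # user -> outstanding challenge

    def enroll(self, user: str, password: str, card_secret: bytes) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._pw[user] = (salt, digest)
        self._card_secrets[user] = card_secret

    # One factor: the password is the only secret, so a leaked password is enough.
    def login_password(self, user: str, password: str) -> bool:
        if user not in self._pw:
            return False
        salt, digest = self._pw[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)

    # Two factors: the server sends a fresh nonce; only the card (unlocked by
    # its PIN) can produce the matching response, and each nonce is used once.
    def issue_challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(32)
        self._pending[user] = nonce
        return nonce

    def login_card(self, user: str, response: Optional[bytes]) -> bool:
        challenge = self._pending.pop(user, None)   # single use: replays find no challenge
        if challenge is None or response is None or user not in self._card_secrets:
            return False
        expected = hmac.new(self._card_secrets[user], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def run_scenarios() -> Dict[str, bool]:
    """Play out the attacks the article worries about and report what succeeds."""
    server = EHRServer()
    card_secret = secrets.token_bytes(32)
    card = SmartCard("dr_alice", card_secret, pin="482913")   # constructed demo PIN
    server.enroll("dr_alice", "Summer2024!", card_secret)     # constructed demo password
    out: Dict[str, bool] = {}

    # 1. Password-only login: a phished or cracked password is the whole game.
    out["password_only_leaked_password"] = server.login_password("dr_alice", "Summer2024!")

    # 2. Legitimate card login: card present, correct PIN, fresh challenge.
    chal = server.issue_challenge("dr_alice")
    resp = card.sign_challenge(chal, "482913")
    out["card_login_legitimate"] = server.login_card("dr_alice", resp)

    # 3. A captured response replayed against the next challenge fails:
    #    the response is bound to the nonce it was computed over.
    server.issue_challenge("dr_alice")
    out["card_login_replayed_response"] = server.login_card("dr_alice", resp)

    # 4. Attacker knows the password but holds no card: nothing they know
    #    lets them derive the response.
    chal = server.issue_challenge("dr_alice")
    forged = hmac.new(b"Summer2024!", chal, hashlib.sha256).digest()
    out["card_login_password_but_no_card"] = server.login_card("dr_alice", forged)

    # 5. Stolen card, unknown PIN: three wrong guesses and the card locks itself.
    chal = server.issue_challenge("dr_alice")
    guesses = [server.login_card("dr_alice", card.sign_challenge(chal, g))
               for g in ("000000", "123456", "111111")]
    out["stolen_card_wrong_pin"] = any(guesses)
    out["card_locked_after_bad_pins"] = card.blocked
    return out


if __name__ == "__main__":
    for name, succeeded in run_scenarios().items():
        print(f"{name}: {'LOGIN OK' if succeeded else 'REFUSED'}")
```

The two properties worth noticing are that the server stores nothing an attacker could use to impersonate the card without possessing it plus its PIN, and that the challenge is consumed on first use, so a response observed on the wire is worthless a moment later. Both are the reason a password database breach, the usual way single-factor systems fall, does not translate into EHR access here.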

This proven form of strong authentication should be adopted across the U.S. healthcare system. EHRs cannot be protected without strong controls at every access point, and strong authentication is the first of those controls. With two-factor authentication such as smart-card identity credentials, healthcare organizations can know with confidence exactly who is attempting to access EHRs, and can therefore secure the records they have been entrusted to maintain. Modernizing U.S. healthcare around EHRs is imperative, but only if controls of this kind are in place to protect all personal health information.

About the Author

Michael Magrath, business development director for the security division of Gemalto North America, is responsible for the strategic marketing, business development and government affairs activities in the government and healthcare sectors. Mr. Magrath develops and drives consensus on legislation and policy within technology, information security, privacy, and additional security-related public policy issues. In addition to supporting Gemalto's business and policy initiatives, Mr. Magrath is committed to consumer education and advocacy through Gemalto's online resource www.JustAskGemalto.com, which provides answers to consumer questions about how to better enjoy the conveniences of the digital world. He serves as vice chairman of the Smart Card Alliance's Healthcare Council and represents Gemalto on TechAmerica's Health IT Committee, the Health Record Banking Alliance, The Secure ID Coalition and TechAmerica's Information Security Committee. Mr. Magrath is also a member of the Healthcare Information and Management Systems Society (HIMSS) and is a Certified Smart Card Industry Professional (CSCIP).
