Carl Gunter: Tackling EHR Privacy Issues
In an interview, Gunter, a professor of computer science at the University of Illinois at Urbana-Champaign, says healthcare organizations could make better use of EHRs and other information technologies if they could "defeat some of the barriers" to progress, especially concerns about privacy and security. The university's Information Trust Institute is heading up the project, which also involves 11 other organizations.
The 20 researchers participating in the study expect to publish a series of papers on strategies for improving privacy and security of healthcare information, with a focus on EHRs, health information exchanges and telemedicine.
Among the issues that the researchers will investigate, Gunter says, are how to:
- Protect EHRs with encryption and other security technologies;
- Make IT outsourcing arrangements more secure;
- Address the "tricky business" of ensuring information transmitted among many participants in emerging health information exchanges remains private; and
- Ensure telemedicine applications, such as implantable medical devices and in-home monitoring systems, adequately address security risks.
In the meantime, Gunter advises healthcare organizations to continually refine their risk management strategies because security technologies are rapidly evolving.
Updates on the Strategic Healthcare IT Advanced Research Projects on Security, or SHARPS, project will be available at sharps.org.
HOWARD ANDERSON: This is Howard Anderson, managing editor with Information Security Media Group. Today we are talking with Professor Carl Gunter of the Information Trust Institute at the University of Illinois at Urbana-Champaign. The institute recently received a $15 million federal grant to lead a multi-university study. It will focus on the development of security and risk mitigation policies necessary to build public trust in electronic health records, health information exchanges and telemedicine. Thanks so much for joining us today professor.
PROFESSOR CARL GUNTER: Hi.
ANDERSON: I understand that a team of 20 researchers from your university and 11 other organizations will be working on this major project. What is the primary goal of the effort and how long will the project last?
PROFESSOR GUNTER: The project is slated for four years, and it has already begun. The objective is to look at areas where we would do better in healthcare information technology if we could defeat some barriers that prevent us from doing things we would like to do that come because of concerns about security and privacy.
ANDERSON: What do you see as the biggest privacy and security challenges raised by the movement to electronic records and the transmission of clinical information over health information exchanges and the use of telemedicine?
PROFESSOR GUNTER: A good way to break this down is into a collection of environments where information exchange is likely to occur.... We'll look at electronic health records, primarily focusing on things like the records held in hospitals and healthcare enterprises, and address challenges there that come from a variety of different sources, like the need to provide defense in depth of the systems so that if there are compromises they don't compromise the system beyond well-understood levels; so things like encryption techniques.
Then we'll deal with patterns of outsourcing of electronic health records and how to provide protections that make those things less risky.
And then there is the exchange of data between enterprises and between enterprises and their patients. These exchanges between the enterprises are a tricky business because we would like to freely move the records around with the patient. But if you get too large of a collection of enterprises involved in looking at records, then risks enter for violations of security and privacy of people. These health information exchanges could be a valuable way to make healthcare more convenient. But because you are pooling data among a larger group of people, you have to take steps to try to secure the data and to make sure privacy is respected.
And then finally is the raft of new technologies that are coming in that pertain to things like implantable medical devices, where they have wireless radio communications. And it has been shown that you can get security issues with those. And also things like assisted living, where you have personal devices that people have in their homes and they collect data from them and this is transmitted over networks to clinicians, increasing the likelihood that people can stay at home and decreasing costs with home visits. And yet this kind of use of wireless communications and use of this kind of data introduces new challenges for security and privacy.
So these areas where one would really like to move ahead and do more are often ones where, if you could just say that you were confident that you were doing the security and privacy right, you could do more.
ANDERSON: So what will be the end result of your research? Will you publish a report with recommendations for policies for hospitals and clinics and others, and do you expect to develop any new security technologies as well? And, when will the results be available?
PROFESSOR GUNTER: We were asked by the Office of the National Coordinator for Health IT at the Department of Health and Human Services to make sure that we had things that would be available that would be of value within the first two years of the project. So our expectation is that the results will mainly appear in the form of published works or prototypes that companies can use to pick up ideas for things that would improve security and privacy in healthcare, or possibly even collaborations of those systems. And so within two years we will have some things.
But we also have a long-range vision for the projects to make potentially higher-risk or more substantial changes in the way things are done. So those would be reported within four years. We would expect a series of scientific review publications that would come out as the project goes along so people could track the progress by reading those publications.
ANDERSON: So you hope to provide practical advice that chief information security officers, CIOs and others could put to use at their organizations?
PROFESSOR GUNTER: Oh yes, absolutely.
ANDERSON: In the meantime, what advice would you give to hospitals and physicians about maintaining the privacy and security of electronic health records in the months to come, especially as they attempt to qualify for some new federal incentive payments for using EHRs? What should be their top risk management priorities?
PROFESSOR GUNTER: I would urge as a top priority to think of the security and privacy of the organization as a process that you build incrementally over time. In other words, it is not going to be, in many cases, cost-effective to think that you are going to sit down and figure out everything that is supposed to be done, do it and then it's over. Instead, you are going to want to bring in things step by step.
So a certain amount of attention should be devoted to the question of how you are going to incorporate innovation and advances over time. Don't be impatient and think that you maybe have to go with whatever the state of the technology is now, but also think of how, when technology gets better, you are going to roll those technologies into your operation. Security is a process; that's the viewpoint that I would put across.
ANDERSON: Finally, how can those interested in keeping informed about your project as it develops get more information? Is there a web site that will have postings?
PROFESSOR GUNTER: Yes there is. The web site is www.sharps.org.
ANDERSON: Thank you very much Professor Gunter. We have been talking today with Professor Carl Gunter of the Department of Computer Science at the University of Illinois. This is Howard Anderson of Information Security Media Group.