How Should DoD Secure Health Records?
Data Protection Strategies for New EHR Mega-Project
The Department of Defense is about to move forward with its multi-billion dollar plan to overhaul its electronic health records system. But when you're an organization such as DoD, supporting 9.5 million active and retired military personnel and their beneficiaries, there are a variety of important privacy and security challenges that must be prioritized and tackled, privacy and security experts caution.
In late July, the DoD awarded a $4.3 billion, 10-year contract to Leidos Partnership for Defense Health, a group of three main vendors that include EHR provider Cerner and consulting firms Accenture and Leidos Inc. The contract, which has the potential to be worth $9 billion if DoD exercises all its options over 18 years, involves the Leidos Partnership team transitioning the Pentagon's existing proprietary EHR system onto a Cerner off-the-shelf EHR at about 1,000 DoD sites worldwide, including military hospitals in the U.S., as well as health clinics in remote places such as Afghanistan.
However, as the Leidos partnership embarks on the massive overhaul, there are several critical privacy and security issues that need to be addressed to safeguard patient data throughout the plan.
Additionally, many of the challenges faced by the DoD in its EHR project are also similar - but much larger in scope - to the privacy and security concerns that healthcare organizations in the private sector face when undertaking their own EHR system migrations.
Those issues range from protecting patient data as it is moved from one platform to the next, to thoroughly vetting the consultants involved with the EHR work.
"Several security and privacy challenges exist as the DoD transitions from its old EHR to the new system," says Keith Fricke, principal consultant at consulting firm tw-Security.
"Migrating from one EHR to another often involves importing historical data from the old system to the new one. The data set may be rather large," he notes. "Extracting data from the old EHR will likely result in a large interim database or data file. The database may need to be sent to the new vendor for data field mapping or importing."
Yet, it is not practical to send data extracts this large over a data connection. "Instead, it is better to send the data sets on an encrypted external hard drive, tracked via shipping provider," he says.
Data integrity issues are among the biggest challenges involved with such massive EHR undertakings, says Tom Walsh, founder of tw-Security. "Often times, the data mapping between an old system and new systems misses something. The only thing worse than no patient data is the wrong patient data."
To counter those problems, the data extraction process must include mechanisms to validate that the data ultimately imported into the new EHR exactly matches the data stored in the old EHR, Fricke advises.
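A reconciliation check of the kind Fricke describes, as an added example that is not from the article or from any of the vendors named: it hashes each record on both sides after undoing the field mapping, so dropped rows and silently mis-mapped fields are reported by patient ID rather than by printing the PHI itself. The record layout, field names, mapping and sample records are all constructed assumptions.

```python
import hashlib
import json

# Constructed sample: records as extracted from the old EHR ...
OLD_EHR = [
    {"patient_id": "P001", "dob": "1980-02-14", "allergies": "penicillin", "behavioral_health_flag": "Y"},
    {"patient_id": "P002", "dob": "1975-11-30", "allergies": "", "behavioral_health_flag": "N"},
    {"patient_id": "P003", "dob": "1990-07-04", "allergies": "latex", "behavioral_health_flag": "N"},
]
# ... and as they landed in the new EHR under its own column names. The constructed
# mapping defect loses P001's behavioral-health flag and drops P003 entirely.
NEW_EHR = [
    {"mrn": "P001", "birth_date": "1980-02-14", "allergy_list": "penicillin", "bh_flag": "N"},
    {"mrn": "P002", "birth_date": "1975-11-30", "allergy_list": "", "bh_flag": "N"},
]
# Assumed old-field -> new-field mapping used by the import.
FIELD_MAP = {"patient_id": "mrn", "dob": "birth_date",
             "allergies": "allergy_list", "behavioral_health_flag": "bh_flag"}


def canonical_digest(record, fields):
    """SHA-256 over a canonical JSON rendering of the selected fields (whitespace
    trimmed, keys sorted) so both systems hash byte-for-byte identically."""
    canon = json.dumps({f: (record.get(f) or "").strip() for f in fields}, sort_keys=True)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def reconcile(old_rows, new_rows, field_map, key="patient_id"):
    """Compare per-record digests and return which patient IDs are missing,
    unexpected, or present but altered. Only IDs and digests are handled, so the
    report can be shared without exposing record contents."""
    fields = list(field_map)
    # Rename new-system columns back to the old names before hashing.
    renamed = [{old: row.get(new) for old, new in field_map.items()} for row in new_rows]
    old_index = {r[key]: canonical_digest(r, fields) for r in old_rows}
    new_index = {r[key]: canonical_digest(r, fields) for r in renamed}
    missing = sorted(set(old_index) - set(new_index))
    unexpected = sorted(set(new_index) - set(old_index))
    mismatched = sorted(k for k in old_index.keys() & new_index.keys()
                        if old_index[k] != new_index[k])
    return {"missing": missing, "unexpected": unexpected, "mismatched": mismatched,
            "ok": not (missing or unexpected or mismatched)}


if __name__ == "__main__":
    print(json.dumps(reconcile(OLD_EHR, NEW_EHR, FIELD_MAP), indent=2))
```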
Another factor that needs close oversight is ensuring that role-based access controls to patient data are maintained from the old system to the new, especially where highly sensitive information, such as behavioral health data, is involved, Fricke says.
Privacy and security expert Kate Borten, founder of consulting firm The Marblehead Group, says it's equally important to ensure that the consultants working with or accessing the sensitive data are scrutinized. "I expect that many contractors will have access to PHI throughout this major project," she says. "It is very important that they be thoroughly vetted, that they be given the minimum necessary access permissions, and that they be monitored."
Because the DoD project will last several years, it's important to have measures in place to safeguard data during the various project stages.
"Workers should use simulated PHI rather than actual PHI as much as possible," Borten says. "Too often, PHI access is granted for development, testing, and training purposes, when simulated PHI could and should be used instead."
However, often a test environment must have real patient data in order to perform a true functional test, Walsh notes. "Security controls for test environments can often be less stringent. People using the test environment may forget that the data they are working with represents a real patient. Generic user accounts with easy-to-remember passwords may be set up to help facilitate functional testing."
So, to avoid possible breaches or unauthorized access to PHI, the test environment needs to have security controls set to the same level as the production environment, Walsh recommends.
Because there will be thousands of people involved with the project - including individuals working for contractors and subcontractors - another danger is a watering down of security measures and practices that should be in place throughout the project, at all locations, for all personnel involved with the work.
"A front line worker may honestly say, 'I didn't know,' and it is a true statement," Walsh says. "Privacy and security education must be conducted for everyone involved."
As for securing data during project stages, Fricke recommends that data be stored on servers located in a secure data center and accessed via virtual desktops. "Doing so significantly reduces the likelihood that data is being stored on contractors' laptops or hard drives of workstations," he says.
"If storing data locally on laptops and desktops is required, these devices must be using encryption."
In addition, Fricke suggests that two-factor authentication be used for any remote access to the data being worked on for the migration. "We've seen news stories in the past year about foreign countries targeting US government systems for hacking and exfiltration of data," he says. "The vendors involved in this EHR migration must ensure that all systems involved in the process have proper security patching levels, well-maintained malware protection, and 24x7 audit log monitoring."
Also, if any of the individuals working on this project had their information compromised in the Office of Personnel Management breach, extra care must be exercised to avoid becoming a victim of spear-phishing attacks.
Because the DoD EHR systems contain healthcare data for U.S. military personnel, the information potentially could be a hot target of the most devious cyberattackers, Walsh notes.
"The data in these systems are not just any patient. This is the patient data of the men and women who willingly chose to serve our country," he says. "Our military personnel are prime targets for domestic and foreign terrorists. Workforce clearance will have to be strongly enforced for anyone involved, but especially far more rigid for any person with elevated privileges, such as system administrator, super user, etc."
Finally, because the DoD project will last at least a decade, maybe two, it's vital that all project work is thoroughly documented, Fricke says.
"It is important that from a project management perspective, the project managers ensure all project documentation is kept very current," he says. "There is always staffing turnover of project managers and contractors in a project this large and with the long timelines expected. Gaps in documentation will cause potential delays, potential rework and possible lapses in security practices as turnover occurs."