MAINTAINING SECURITY AND PRIVACY OF PATIENT INFORMATION September 2, 2006 Frank E. Ferrante, MSEE, MSEPP President FEFGroup, LLC Past Chair, Medical Technology Policy Committee IEEE-USA, Washington, DC Presented at 28th IEEE EMBS Annual International Conference Aug 30-Sept. 3, 2006, New York City, New York, USA

Outline Why Electronic Medical Records? Software Sample/hardware samples Barriers/Standards for EHR HIPAA Security and Privacy Regulations Medical data transmission requirements Wireline and Wireless Telecommunications Services Security Security of Patient Medical Records References

Why Electronic Medical Records (EMRs) Time spent filing and pulling patient charts, searching for charts Time re-creating records if destroyed by natural disaster or accident Cost of supplies to maintain charts Cost of facility space for records (can better use of space be made?) Storage and Backup Cost Transcription services cost Cost of doing nothing today Better Security/Privacy Maintainable

Software/Hardware Supporting Digital Medical Records Electronic Medical Record (EMR)Software –Soapware - check it out $300 Starting Price see: –e-MDs Electronic Medical Record Support Software mds.comhttp:// mds.com –a4Healthsystems EMR and Access systems Companion Technologies Security and Privacy - all EMRs must be protected –Sample approach: indigenous authentication of digital information (US Patent 6,757,828 B1 of June 29, 2004) by Signa2 –Backup routinely onto remote servers or storage offerings

What are the Barriers to EHR and e-Health Implementation?* Lack of a Unique Personal Identifier Lack of HIPAA Compliant Middleware Lack of Incentives No Paradigm or First Mover for Some System Components Evolving Standards Disincentives Lack of an NHIN Architecture [Fear of Cost/Benefit] * [Corr 06]

Barriers and Solutions Identifiers and Middleware HIPAA compliant Identification, Authentication, and Access Lack of a Unique Personal Identifier: Solutions: Voluntary Personal Healthcare Identifier ( IEEE-USA Voluntary Healthcare Identifier Position Statement, 17 June 2004 ) Center for Certification of Health Information Technology Multiple ID Approach (Provider ID + Provider Unique Personal ID) DOD Common Access Card Model Lack of HIPAA Compliant Middleware: Solutions: RHIO Contracts Marketplace Solutions Shortcomings: Public Health and Research Interfaces may not be included * [Corr 2006]

EHR Standards Evolution* International Statistical Classification of Diseases and Related Health Problems (ICD) from ICD-9 to ICD-10 ASCI X12 Version 4010 to ASCI X12 Version 5010 (HIPAA Business Transactions) National Council for Prescription Drug Programs Telecommunication Standards from version 5.1 to version D.0 Conversion of all standards to XML * [Corr 06]

HIPAA Security and Privacy Regulations Health Insurance Portability Assurance Act (HIPAA) –Security - Required stronger and more focused provision of security around medical information (supports maintaining of information privacy) –Privacy - Enforces increase in privacy protections for medical information (Not just speaking privacy- required under penalty if failure occurs)

Electronic Medical Record (EMR) Data Requirements Page of text for entering and storing non- image information –Less than 64 Kbytes(large file) Image Data –(Refer to estimate table)

Medical Images Data Transmission Requirements* *Source: Ferrante, F.E.,Evolving Telemedicine/eHealth Technology, Telemedicine and e-Health, Vol 11, Number 3, June 2005, Mary Ann Liebert, Inc Publisher, ISSN

Wireless Telecommunications Services –Broadband Services n WiMax –Security PKI VPN Secure ID WEP/WPA/WPA2 (802.11i)

How New Technologies Stack Up Data Rate (megabits per second) Source: Technology Review, October 2005 EstablishedEmerging Actual performance will vary depending on factors such as how the technology is deployed, the users distance from base stations, and interference. 1, WPAN WLAN WMAN WWAN Bluetooth 1.2 Bluetooth 2.0 Ultrawideband Wi-Fi (802.11b) Wi-Fi (802.11a/g) Wi-Fi (802.11n) WiMax (802.16) WiMax mobile (802.16e) 2G cellular 2.5G cellular 3G cellular 3.5G cellular 4G cellular

Security of Patient Records Wireline Communications/Computer Access –Database Encryption –Public Private Key access control –Routine Password Control and Management –Isolation of Database Server from outside access except via Virtual Private Network (VPN) and Secure ID hand-held devices or Secure Private Key system Wireless Communications –Wire Equivalent Privacy (WEP) Poorly designed, vulnerable –Wireless Protocol Architecture (WPA)& WPA2 Improved Security Encoding Enterprise Security Offering(Both WPA and WPA2 now available for Wireless operations as alternate to WEP)

References [Corr 2006] Corrigan, Mike (Current Chair MTPC), Consumer- Centered Electronic Health Records and e-Health - Roadblocks and Opportunities, presented to GEIA Roundtable, June 29, Available at: [IEEE-USA]IEEE Medical Technology Policy Committee Web Site - ttp:// ttp://

Backup Slides

Other Healthcare System Records Payer Records or Payer EHRs Healthcare Provider or Clinical EHRs Top Level EHR Components Glue Personal Health Record (PHR) or Personal EHR

EMT Records Radiological Records Laboratory Records Pharmacy Office Records Dental Office Records Physician Office Records Hospital Records Personal Health Record Health Insurance Payer Records Personal EHR Provider EHRs Carrier EHR Personal Health Record Personal EHR Uncertified Demographics Allergies Medications Inoculations Certified Demographics and Identity Links to other EHR components Limited PHRFull PHR

Personal Health Record Lifetime Full PHR Prenatal and Pediatric Records Medicare Records Employer and Self Insurance Carrier Records Military and VA Records Research Records Public Health Records Anonymized Links with Trusted Reverse Channel Environmental Records Genomic Records Links Death Certificate and Autopsy Records