Security

(P.S.: Since the copy of the proposed HDPSA is not yet available, we present here the contents of the Electronic Health Record Standards for India (EHRSI), which was released by the Department of Health and Family Welfare (DHFW) in 2013 and placed for public comments. Our own views may be found in any of the articles.)

A revised version of the EHR Standards was published in February 2016 and is being incorporated into this document… Naavi


The term “security” shall mean that all recorded personally identifiable data will at all times be protected from any unauthorized access, particularly during transport (e.g. from healthcare provider to provider, healthcare provider to patient).

The term “trust” shall mean that persons or organisations (doctors, hospitals, patients) are who they claim to be.

Use of Digital Signatures

Digital signatures are to be used to provide non-repudiation (establishing the authenticity of the author of the document) and trust by the recipient.
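As an added illustration (not code from the standard or from any EHR product), the following Go program shows what the two properties above mean in practice: the author signs the record with a private key, and the recipient verifies it with the author's public key, which both establishes who authored it and proves the bytes were not altered after signing. Ed25519 from Go's standard library is used; the record structure, the identifier DR-12345 and the sample note are constructed assumptions, and binding the public key to the author's identity (normally through a certificate) is outside the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// SignedRecord bundles a clinical document with its author's signature.
// The structure is an assumption for illustration; the standard does not
// prescribe one.
type SignedRecord struct {
	AuthorID  string // author's identifier (constructed value in the demo)
	Document  []byte // the exact bytes that were signed
	Signature []byte // Ed25519 signature over Document
}

// SignRecord produces a signature the author cannot later repudiate: only
// the holder of the private key could have produced it.
func SignRecord(authorID string, priv ed25519.PrivateKey, doc []byte) SignedRecord {
	return SignedRecord{AuthorID: authorID, Document: doc, Signature: ed25519.Sign(priv, doc)}
}

// VerifyRecord is what the recipient runs. It returns true only if the
// document is byte-for-byte what the author signed, which gives the
// recipient both authorship (trust) and integrity in transit.
func VerifyRecord(pub ed25519.PublicKey, r SignedRecord) bool {
	return ed25519.Verify(pub, r.Document, r.Signature)
}

func main() {
	// In practice the key pair belongs to the author's credential; here it is generated for the demo.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	doc := []byte(`{"patient":"P-0001","note":"BP 120/80, no complaints"}`) // constructed sample record
	rec := SignRecord("DR-12345", priv, doc)
	fmt.Println("signature:", hex.EncodeToString(rec.Signature)[:16]+"...")
	fmt.Println("verifies as sent:", VerifyRecord(pub, rec))
	rec.Document = []byte(`{"patient":"P-0001","note":"BP 160/100, no complaints"}`) // altered after signing
	fmt.Println("verifies after alteration:", VerifyRecord(pub, rec))
}
```

A signature check that fails must be treated as a rejected document, not as a warning: the recipient cannot tell whether the author, the transport, or the key was at fault, only that the record is not what was signed.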

Electronic Health Records Preservation

Preservation of health records assumes significant importance in view of the fact that an electronic health record of a person is an aggregation of all electronic medical records of the person from the very first entry till date. Hence, all records must compulsorily be preserved and never destroyed during the lifetime of the person.

The digital records must be preserved for as long as the prevalent law of the land requires. It is however preferred and strongly encouraged that the records are never destroyed or removed permanently. The health of the blood relatives and natural descendants of the person can be strongly influenced by the health of the person, and on-demand access to these records may prove hugely useful in maintaining the health of those relatives.

Furthermore, analysis of the health data of all persons is expected to greatly benefit the understanding of health and disease processes and the amelioration thereof.

With the rapid decline in the cost of data archiving, coupled with the ability to store ever more data that remains readily accessible, continued maintenance of such data is not expected to have any big impact on overall system maintenance and use.

Security of Electronic Health Information:

The Privacy Standards and the Security Standards are necessarily linked. Any health record system requires safeguards to ensure the data is available when needed and that information is not used, disclosed, accessed, altered, or deleted inappropriately while being stored or transmitted. The Security Standards work together with the Privacy Standards to establish appropriate controls and protections.

Health sector entities that are required to comply with the Privacy Standards also must comply with the Security Standards.

Organizations must consider several factors when adopting security measures. How a healthcare provider satisfies the security requirements and which technology it decides to use are business decisions left to the individual organization. In deciding what security measures to adopt, an organization must consider its size, complexity, and capabilities; its technical infrastructure, hardware, and software security capabilities; the cost of particular security measures; and the probability and degree of the potential risks to the e‑PHI it stores and transmits.

Standards

Purpose of the Security Standards

The Security Standards require healthcare providers to implement reasonable and appropriate administrative, physical, and technical safeguards to

- Ensure the confidentiality, integrity, and availability of all the e-PHI they create, transmit, receive, or maintain
- Protect against reasonably anticipated threats or hazards to the security or integrity of their e-PHI
- Protect against uses or disclosures of the e-PHI that are not required or permitted under the Privacy Standards
- Ensure their workforce will comply with their security policies and procedures

Technical Standards

To protect the e‑PHI handled by a healthcare provider, the provider must implement technical safeguards as part of its security plan. Technical safeguards refer to using technology to protect e‑PHI by controlling access to it. Therefore, providers must address the standards described below. It is worth noting that they will need to use an EHR solution that is able to successfully and robustly demonstrate the possession and working of these functionalities.

Access control: The solution must assign a unique name and/or number for identifying and tracking user identity and establish controls that permit only authorized users to access electronic health information.

In cases of emergency where access controls need to be suspended in order to save a life, authorized users (those who are authorized for emergency situations) will be permitted unfettered access to electronic health information for the duration of the emergency, with the access remaining in force only while the emergency situation remains valid.

Access Privileges: Ideally only clinical care providers should have access rights to a person’s clinical records. However, different institutional care providers have widely varying access privileges specified that are institution-specific. No country-wide standards can be specified for this at least at this point in time.

Automatic log-off: An electronic session must be forcibly terminated after a predetermined time of inactivity. To log back in, the user will have to initiate a new log-in session. However, for the sake of ergonomics, it is recommended that the unsaved state of the system at the time of automatic log-off be saved and presented back to the user for further action. This should be a user-specific feature.
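The three controls above (unique user identity with authorized access only, time-limited emergency access for pre-designated users, and automatic log-off that preserves unsaved work) fit together in one access decision. The Go program below is an added example, not code from the standard or from any EHR product; the three roles, the 10-minute inactivity limit and every identifier and timestamp in it are assumptions chosen to illustrate the policy, since the standard leaves the actual privileges to each institution.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Role stands in for the institution-specific privileges the standard leaves
// to each provider; the three roles here are assumptions for illustration.
type Role int

const (
	RoleClerk     Role = iota // administrative staff: no clinical record access
	RoleClinician             // clinical care provider: routine access
	RoleEmergency             // pre-authorised for emergency access
)

// Session carries the unique user identifier the standard requires and the
// inactivity clock that drives automatic log-off.
type Session struct {
	UserID     string
	Role       Role
	LastActive time.Time
	Unsaved    string // work in progress, preserved across a forced log-off
}

// Emergency is a declared emergency; access granted under it lapses at ValidTo.
type Emergency struct {
	ID      string
	ValidTo time.Time
}

// Decision is the audit-ready outcome of an access check.
type Decision struct {
	When      time.Time
	UserID    string
	PatientID string
	Basis     string // why access was allowed or refused
}

const idleLimit = 10 * time.Minute // assumed institutional inactivity limit

var (
	ErrSessionExpired = errors.New("session terminated after inactivity; start a new log-in")
	ErrNotAuthorised  = errors.New("user is not authorised to access this record")
)

// CheckAccess decides whether the session's user may view patientID's
// clinical record at time now. An emergency, if one is in force, widens
// access only for users already designated for emergencies, and only until
// the emergency's validity ends. Every outcome is returned for the audit log.
func CheckAccess(s *Session, patientID string, now time.Time, em *Emergency) (Decision, error) {
	d := Decision{When: now, UserID: s.UserID, PatientID: patientID}
	if now.Sub(s.LastActive) > idleLimit {
		d.Basis = "refused: automatic log-off after inactivity"
		return d, ErrSessionExpired
	}
	s.LastActive = now // activity resets the inactivity clock
	switch {
	case s.Role == RoleClinician:
		d.Basis = "allowed: clinical care provider"
		return d, nil
	case s.Role == RoleEmergency && em != nil && now.Before(em.ValidTo):
		d.Basis = "allowed: emergency " + em.ID + " in force until " + em.ValidTo.Format(time.RFC3339)
		return d, nil
	}
	d.Basis = "refused: no access privilege"
	return d, ErrNotAuthorised
}

// ForceLogoff ends a session whose inactivity limit has passed. It hands back
// the unsaved state so the next log-in can present it to the same user.
func ForceLogoff(s *Session, now time.Time) (unsaved string, loggedOff bool) {
	if now.Sub(s.LastActive) <= idleLimit {
		return "", false
	}
	unsaved, s.Unsaved = s.Unsaved, ""
	return unsaved, true
}

func main() {
	t0 := time.Date(2016, 2, 1, 9, 0, 0, 0, time.UTC) // constructed timestamps
	nurse := &Session{UserID: "U-0042", Role: RoleEmergency, LastActive: t0, Unsaved: "draft note"}
	_, err := CheckAccess(nurse, "P-0001", t0.Add(time.Minute), nil)
	fmt.Println("no emergency declared:", err)
	em := &Emergency{ID: "EM-7", ValidTo: t0.Add(2 * time.Hour)}
	d, err := CheckAccess(nurse, "P-0001", t0.Add(2*time.Minute), em)
	fmt.Println("during emergency:", d.Basis, err)
	_, err = CheckAccess(nurse, "P-0001", t0.Add(3*time.Hour), em)
	fmt.Println("after three idle hours:", err)
	unsaved, _ := ForceLogoff(nurse, t0.Add(3*time.Hour))
	fmt.Println("preserved for next log-in:", unsaved)
}
```

Two design points carry over to any real implementation: the emergency check is evaluated against the emergency's own validity window on every access, so privileges lapse on their own rather than waiting for someone to revoke them, and the decision record is produced for refusals as well as grants, because the audit log section below requires viewing attempts to be recorded too.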

Audit log:

- All actions related to electronic health information, in accordance with the standard specified in this document, including viewing, should be recorded.
- Based on user-defined events must be provided.
- All or a specified set of recorded information must be electronically displayed and printed upon request or at a set period of time.

Integrity:

- During data transit, the fact that the electronic health information has not been altered in transit, in accordance with the standard specified in this document, must be verifiable.

- Detection of events: all alterations and deletions of electronic health information and audit logs, in accordance with the standard specified in this document, must be detected.
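The audit log requirements above (record every action including viewing, with the user and patient involved; display or print the entries on request) and the integrity requirement that alterations and deletions of the audit log itself be detected can be met together by chaining the entries: each entry carries a keyed hash of its own fields and of the previous entry's hash, so editing one entry or removing one from the middle breaks the chain. The Go program below is an added example of that technique, not code from the standard or from any EHR product; the HMAC key, identifiers and timestamps are constructed, and the assumption that the key is held by an audit service rather than by ordinary EHR users is what stops a user from re-signing their own edits.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// Entry is one audit record with the fields the standard lists: date and
// time, patient identification, user identification and the action taken.
// The two hash fields are the addition that makes tampering detectable.
type Entry struct {
	Time      time.Time
	UserID    string
	PatientID string
	Action    string // create, view, modify, delete or print
	PrevHash  string // hash of the preceding entry; links the chain
	Hash      string // HMAC-SHA256 over this entry's fields and PrevHash
}

// AuditLog is append-only by intent: every entry commits to the one before it.
type AuditLog struct {
	key     []byte // HMAC key held by the audit service, not by EHR users (assumption)
	Entries []Entry
}

const genesis = "genesis" // PrevHash of the first entry

func NewAuditLog(key []byte) *AuditLog { return &AuditLog{key: key} }

// mac computes the keyed hash of an entry's content and its link.
func (l *AuditLog) mac(e Entry) string {
	m := hmac.New(sha256.New, l.key)
	for _, f := range []string{e.Time.UTC().Format(time.RFC3339Nano), e.UserID, e.PatientID, e.Action, e.PrevHash} {
		m.Write([]byte(f))
		m.Write([]byte{0}) // field separator, so "ab"+"c" and "a"+"bc" hash differently
	}
	return hex.EncodeToString(m.Sum(nil))
}

// Record appends one action. Viewing is recorded like any other action.
func (l *AuditLog) Record(now time.Time, userID, patientID, action string) Entry {
	prev := genesis
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash
	}
	e := Entry{Time: now, UserID: userID, PatientID: patientID, Action: action, PrevHash: prev}
	e.Hash = l.mac(e)
	l.Entries = append(l.Entries, e)
	return e
}

// Verify walks the chain and returns the index of the first entry whose
// content or link no longer matches, or -1 when the log is intact. An entry
// altered in place fails its own hash; an entry removed from the middle
// breaks the link of the one that followed it.
func (l *AuditLog) Verify() (int, error) {
	prev := genesis
	for i, e := range l.Entries {
		if e.PrevHash != prev {
			return i, fmt.Errorf("entry %d: chain broken, an earlier entry was removed or reordered", i)
		}
		if !hmac.Equal([]byte(e.Hash), []byte(l.mac(e))) {
			return i, fmt.Errorf("entry %d: content altered", i)
		}
		prev = e.Hash
	}
	return -1, nil
}

// Report renders the entries for one patient (all patients when patientID
// is empty) in a form that can be displayed or printed on request.
func (l *AuditLog) Report(patientID string) string {
	var b strings.Builder
	for _, e := range l.Entries {
		if patientID != "" && e.PatientID != patientID {
			continue
		}
		fmt.Fprintf(&b, "%s user=%s patient=%s action=%s\n", e.Time.UTC().Format(time.RFC3339), e.UserID, e.PatientID, e.Action)
	}
	return b.String()
}

func main() {
	al := NewAuditLog([]byte("constructed-demo-key"))
	t0 := time.Date(2016, 2, 1, 10, 0, 0, 0, time.UTC) // constructed timestamps
	al.Record(t0, "DR-12345", "P-0001", "create")
	al.Record(t0.Add(time.Minute), "U-0042", "P-0001", "view")
	al.Record(t0.Add(2*time.Minute), "DR-12345", "P-0002", "print")
	fmt.Print(al.Report("P-0001"))
	i, err := al.Verify()
	fmt.Println("intact:", i, err)
	al.Entries[1].UserID = "DR-12345" // someone rewrites who viewed the record
	i, err = al.Verify()
	fmt.Println("after edit:", i, err)
}
```

One limit is worth knowing: a chain detects edits and removals anywhere except at the tail, since nothing yet commits to the last entry. Deployments close that gap by periodically anchoring the latest hash somewhere the log's custodian cannot rewrite, for example a signed daily checkpoint kept by a separate system.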

Authentication:

- Locally within the system, it must be verifiable that a person or entity seeking access to electronic health information is the one claimed and is authorized to access such information.
- Across the network, however extensive it might be, it must be verifiable, in accordance with the standard specified in this document, that a person or entity seeking access to electronic health information across the network is the one claimed and is authorized to access such information.

Encryption:

Generally, all electronic health information must be encrypted and decrypted as necessary according to user-defined preferences, using the best available encryption key strength.

- During data exchange, all electronic health information must be suitably encrypted and decrypted over an encrypted and integrity-protected link.
- All actions related to electronic health information must be recorded with the date, time, patient identification, and user identification whenever any electronic health information is created, modified, deleted, or printed; an indication of which action(s) took place must also be recorded.
- Appropriate verification that electronic health information has not been altered in transit shall be possible at any point in time. A secure hashing algorithm must be used to verify that electronic health information has not been altered in transit, and it is recommended that the secure hash algorithm (SHA) used be SHA-1 or higher.
- A cross-enterprise secure transaction that contains sufficient identity information, such that the receiver can make access control decisions and produce detailed and accurate security audit trails, must be used within the system.
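The exchange requirements above (an encrypted and integrity-protected link, a secure-hash check that the record was not altered in transit, and enough sender identity for the receiver's access decisions and audit trail) can be shown in one sender/receiver pair. The Go program below is an added example, not code from the standard or from any EHR product. It uses AES-256-GCM from Go's standard library, which encrypts and authenticates in one step, binds the sender and patient identifiers into the authentication so they cannot be swapped in transit, and carries a SHA-256 digest of the plaintext for the receiver to re-check; SHA-256 is chosen because SHA-1 is no longer considered collision resistant. The envelope layout, the identifiers and the key are assumptions; a real key comes from the provider's key management, never from the code.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Envelope is what crosses the exchange link: the encrypted record with its
// nonce, a SHA-256 digest of the plaintext that the receiver re-checks, and
// the sender and patient identifiers the receiver needs for its access
// decisions and audit trail. The layout is an assumption for illustration.
type Envelope struct {
	SenderID   string
	PatientID  string
	Nonce      []byte
	Ciphertext []byte // AES-GCM output, authentication tag included
	Digest     string // hex SHA-256 of the plaintext record
}

// aad is the header data that GCM authenticates but does not encrypt.
func aad(senderID, patientID string) []byte { return []byte(senderID + "|" + patientID) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key; 32 bytes gives AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the sender side. The identifiers travel in clear but are bound to
// the ciphertext as additional authenticated data, so neither they nor the
// record can be altered in transit without the receiver noticing.
func Seal(key []byte, senderID, patientID string, record []byte) (Envelope, error) {
	g, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, g.NonceSize()) // must never repeat under the same key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	sum := sha256.Sum256(record)
	return Envelope{
		SenderID:   senderID,
		PatientID:  patientID,
		Nonce:      nonce,
		Ciphertext: g.Seal(nil, nonce, record, aad(senderID, patientID)),
		Digest:     hex.EncodeToString(sum[:]),
	}, nil
}

// Open is the receiver side. GCM refuses any altered ciphertext, nonce or
// identifiers; the digest then confirms the recovered record is the one the
// sender hashed, which is the transit-integrity check the standard asks for.
func Open(key []byte, env Envelope) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plain, err := g.Open(nil, env.Nonce, env.Ciphertext, aad(env.SenderID, env.PatientID))
	if err != nil {
		return nil, errors.New("integrity check failed: record or header altered in transit, or wrong key")
	}
	sum := sha256.Sum256(plain)
	if hex.EncodeToString(sum[:]) != env.Digest {
		return nil, errors.New("digest mismatch: record does not match what the sender hashed")
	}
	return plain, nil
}

func main() {
	key := make([]byte, 32) // demo only: generated here, never hard-coded in a real system
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	record := []byte(`{"patient":"P-0001","diagnosis":"constructed sample"}`) // constructed record
	env, err := Seal(key, "HOSP-A", "P-0001", record)
	if err != nil {
		panic(err)
	}
	got, err := Open(key, env)
	fmt.Printf("received: %s (err=%v)\n", got, err)
	env.Ciphertext[0] ^= 0x01 // one bit flipped on the wire
	_, err = Open(key, env)
	fmt.Println("after tampering:", err)
}
```

Because the identifiers are authenticated rather than encrypted, the receiver can make its access control decision and write its audit entry from the envelope header before decrypting anything, yet any change to those identifiers in transit still causes Open to fail.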

Administrative Safeguards Standards

The Administrative Safeguards require healthcare providers to develop and implement a security management process that includes policies and procedures addressing the full range of their security vulnerabilities. Being administrative in nature, these need to be internally designed and developed as SOPs that must be published for all users to see and adhere to. Monitoring of adherence may be delegated to the Privacy Officer detailed in the Data Ownership chapter above. To comply with the Administrative Safeguards, a healthcare provider must implement the following standards.

- The security management process standard, to prevent security violations;
- Assigned security responsibility, to identify a security officer;
- Workforce security, to determine e‑PHI user access privileges;
- Information access management, to authorize access to e‑PHI;
- Security awareness training, to train staff members in security awareness;
- Security incident procedures, to handle security incidents;
- Contingency plan, to protect e‑PHI during an unexpected event; and
- Evaluation, to evaluate an organization’s security safeguards.

Physical Safeguards Standards

Physical safeguards are security measures to protect a healthcare provider’s electronic information systems, related equipment, and the buildings housing the systems from natural and environmental hazards and from unauthorized intrusion. Covered entities must fulfill the following four standards. However, since most of the implementation specifications in this category are addressable, healthcare providers will have considerable flexibility in how to comply with the requirements, as long as these are internally designed and developed as SOPs and published for all users to see and adhere to. Monitoring of adherence may be delegated to the Privacy Officer detailed in the Data Ownership chapter.

The required physical standards are:

- The facility access control standard, to limit actual physical access to electronic information systems and the facilities where they’re located;
- The workstation use standard, to control the physical attributes of a specific workstation or group of workstations, to maximize security;
- The workstation security standard, to implement physical safeguards to deter the unauthorized access of a workstation; and
- The device and media controls standard, to control the movement of any electronic media containing e‑PHI from or within the facility.