Riding the Wave of Digital Health Information

Download Report

Transcript Riding the Wave of Digital Health Information 

How not to get lost in the Big Ocean of
Portable Electronic Health Records:
Riding the Wave of Digital Health
Information
Spring Conference
April 4, 2008
Gary Beatty
President
EC Integrity, Inc
Vice-Chair ASC X12




Need to reduce the cost of health care
Increase quality of health care
Consumer driven health care
Online health records




Payer support for community health records
Transparency in health care
Pay for performance programs
Governmental
EMR
HR
EHR
PHR
CCR
PHI
Hybrids
Health Records (AHIMA)
The legal business record for a healthcare organization.
 Individually identifiable information
 Any medium
 Collected, processed, stored, displayed


Health Records contain
Diagnosis
 Medications
 Procedures
 Problems
 Clinical Notes
 Diagnostic Results
 Images
 Graphs
 Other items deemed necessary


Health Records



Support continuity of care
Planning patient care
Provides planning information
 Resource allocation
 Trend analysis
 Forecasting
 Workload management
 Justification for billing information

Electronic Medical Record (EMR) (HIMSS)

An application environment composed of:








Clinical Data Repository (CDR)
Clinical Decision Support (CDS)
Controlled medical terminology
Order entry
Computerized provider order entry
Pharmacy
Clinical document applications
Enterprise support
 Inpatient and Outpatient
 Use to document, monitor and manage delivery of health
care

Electronic Medical Record (EMR) (HIMSS)


The EMR is the legal record
Owned by the Care Delivery Organization (CDO)

Electronic Health Record (EHR) (HIMSS)
Longitutal electronic medical record across encounters in
any care delivery setting.
 Resource for clinicians






Secure
Real-time
Point-of-care
Patient centric information source
Aids collection of data for other uses






Billing
Quality management
Outcomes reporting
Resource planning
Public health disease surveillance
Reporting

Electronic Health Record (EHR) (HIMSS)

Includes:
 Patient demographics
 Progress notes
 Problems
 Medications
 Vital signs
 Past medical history
 Immunizations
 Laboratory data
 Radiology reports

Electronic Health Record (EHR) (HIMSS)



Automates / streamlines clinicians workflow
Complete record of clinical encounter
Supports other care-related activities
 Evidence-based decision support
 Quality management
 Outcome reporting

Personal Health Record (PHR)
Created by the individual
 Summarizes health and medical history
 Gathered from many sources
 Format of PHR

 Paper
 Personal computer
 Internet based
 Portable storage

Continuity of Care Record (CCR)

Patient Health Summary Standard
 ASTM / MMS / HIMSS / AAFP / AAP co-
development



Core health care components
Sent from one provider to another
Includes
 Patient demographics
 Insurance information
 Diagnosis and problem
 Medications
 Allergies
 Care plan

Hybrid Health Record

Both
 Paper health records
 Electronic health records

Protected Health Information (PHI)

Any health care information linked to a person
 Health Status
 Provision of Health Care
 Payment of Health Care

Includes
•Names
•Geographic subdivision smaller than a state
•Dates related to an individual
•Phone Numbers
•Fax Numbers
•Email Addresses
•SSN
•Medical Record Numbers
•Beneficiary Numbers
•Account Numbers
•Certificate/license numbers;
• Vehicle identifiers and serial numbers
• license plate numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers
• Finger
• voice prints
• Full face photographic images and any
comparable images
• Any other unique identifying number,
characteristic, or code

Privacy


Authentication


Did it arrive exactly as sent?
Non-repudiation of receipt



How do I know who sent it?
Data Integrity


Can anyone else read it?
Can the receiver deny receipt?
How do I know it got there?
How do I track these activities?

Internet / Intranet


Wired
Wireless
 Wifi (802.11a, b, g, i, n)
 Bluetooth (Personal Area Network - PAN)



VoiP
Dial-up
Mobile Devices

Smart Phones
 Mobile Standards (GSM, GPRS, etc.)



PDA
Tablet PC’s
Physical Media

Magnetic, optical, flash (thumb drives), others

RC4 (ARC4 /ARCFOUR) – Stream Cypher (easily broken)

Secure Sockets Layer (SSL)
 WEP Wire Equivalent Privacy
WPA WiFi Protected Access




WPA2 (based upon 802.11i)
Data Encryption Standards (DES)
Advanced Encryption Standards (AES)

Government strength encryption




Firewall machines
IP address selection
ID + Passwords
Security techniques





Encryption
Digital Signatures
Data Integrity Verification
Non-repudiation
Trading Partner Agreements (TPA)
CYPHERTEXT
PLAINTEXT
DOCUMENT
ENCRYPT
DECRYPT
PROVIDER
PLAINTEXT
DOCUMENT
PAYER
PRIVATE KEY




n * (n-1) / 2 keys to manage
100 users would require 4950 keys
Key size 128 bits
Generally considered fast
Gary
Alice
Julie
Karen
Frank
Erin
Dale
Mary
CYPHERTEXT
PLAINTEXT
DOCUMENT
ENCRYPT
DECRYPT
PROVIDER
PLAINTEXT
DOCUMENT
PAYER
PAYER’S
PUBLIC KEY
PAYER’S
PRIVATE KEY




n key pairs needed for n partners
key size (128, 768, 1024, 2048 bits)
Generally considered slower
What happens if you lose your key?
Gary
Alice
Julie
Public Key Directory
Gary
Alice
Frank
Erin
Frank
Mary
Dale
Karen
Julie
Erin
E
F
G
H
Karen
Dale
Mary


A digitized signature is a scanned image
A digital signature is a numeric value that is
created by performing a cryptographic
transformation of the hash of the data using the
“signer’s” private key.
Ö m25_
+¦_+_ò`_^5w+A___enruƒ•\ƒ½PÑ7
»q*++•¤Gß_¿_°;·Ae¦_7¦?ââá+H¶¥-÷•90Y
å+£ú'¦Æ<§_8óX`p¡ì•É_V+1^ª+
¦%Gary A. Beatty <[email protected]>


Part of the digital signature process
A secure one way hashing algorithm used to
create a hash of the data
PROVIDER A
EHR
Provider B
PUBLIC KEY
Encoded
Provider B
Cypher
PROVIDER A
PRIVATE KEY
Cypher
Encoded
PROVIDER A
PUBLIC KEY
EHR
Provider B
PRIVATE KEY

AS1 – Applicability Statement 1
Email exchange of electronic transactions
 S/MIME – Secure Multi-Purpose Internet Mail Extensions
 Uses SMTP (Simple Mail Transfer Protocol)
 Satisfies Security Requirements






Encryption
Authentication
Integrity
Non-repudiation
What’s needed
 Email capability
 Electronic Transaction
 Digital Certificate

AS2 – Applicability Statement 2



HTTP exchange of electronic transactions
S/MIME – Secure Multi-Purpose Internet Mail Extensions
Uses HTTPS
 Hypertext Transfer Protocol over Secure Socket Layer


Allows for REAL TIME delivery
Satisfies Security Requirements





Encryption
Authentication
Integrity
Non-repudiation
What’s needed
 Web Server (static IP address)
 Electronic Transaction
 Digital Certificate

AS3 – Applicability Statement 3





FTP exchange of electronic transactions
S/MIME – Secure Multi-Purpose Internet Mail Extensions
Uses FTP – File Transfer Protocol
Allows for REAL TIME delivery
Satisfies Security Requirements





Encryption
Authentication
Integrity
Non-repudiation
What’s needed
 FTP Server
 Electronic Transaction
 Digital Certificate

Electronic Credit Card


Issues by Credential Authority








Establishes “Credentials” for electronic transactions
Name
Serial Number
Expiration Dates
Certificate Holder’s Public Key
Digital Certificate of Certification Authority
Verified by Registration Authority
X.509 Standards
Registry of Digital Certificates

Access with HIPAA Identifiers


We can secure transmission of data!
Weakest link – usually when data is
AT REST!
Paper
 On the screen
 Waste baskets


Physical Security
Building access
 Data Center access


Electronic Security
Screen Savers
 Auto Logoff

Spring Conference
April 4, 2008
Gary Beatty
President
EC Integrity, Inc
Vice-Chair ASC X12