Business Daily from THE HINDU group of publications, Monday, Dec 25, 2006
eWorld
Privacy Columns - Security Musings
Privacy carried too far?
R.K. Raghavan
OUT OF harm's reach but... Shaju John
Two bizarre occurrences of this year in the US should be dismaying to those who uphold the sanctity of maintaining the confidentiality of health information of individuals, a requirement imposed by the Health Insurance Portability and Accountability Act (HIPAA), 1996.
In the first, a young Colorado woman of 17, Cheyenne Corbet, who became pregnant, possibly outside wedlock, hid this information from her parents out of sheer fear. When she was first taken to a doctor by her father, she told her physician that she did not want her pregnancy to be disclosed to anyone, and went on to sign a prescribed form under HIPAA. Not receiving any medical advice thereafter, she delivered a baby while she was in the shower of her parents' home. Finding her bleeding profusely, her mother rushed her to hospital. It was only at this point of time that the mother got to know of the newborn. The police later found the baby dead in the girl's bedroom wrapped in a towel. Obviously, the child had died of asphyxiation. Cheyenne is now facing charges of manslaughter.
In a more recent case reported from Washington State, on November 7, Chris McCune, 42, was stabbed by his girlfriend, Forcen, and was taken to hospital for emergency care. Although he had suffered serious spleen and lower heart injury, McCune told the doctors attending on him that no one should be informed. Thereafter he became unconscious. His parents, with whom he was staying before the stabbing, were in the dark until an acquaintance of the assailant tipped them off about the incident. Thereafter it was a week of nightmare for the parents, both 80, who just did not get to know where their son was being treated and what his condition was. Press reports, no doubt, spoke of the incident as revealed by the Sheriff's Office, but would not refer to the medical centre where McCune was being treated. All in the name of maintaining confidentiality as desired by a patient!
It was only on November 15 that the parents got a call from the hospital about McCune's condition. This was after McCune recovered consciousness for a while earlier in the day when, on being questioned by doctors, he agreed to his parents being informed. Soon after this, he again lapsed into unconsciousness. Can there be anything more harrowing to a set of parents?
Tricky balance
The two incidents will have to be viewed against the backdrop of growing pressures on health authorities the world over, both government and private, to store patient data electronically and make it available online for physicians and surgeons to render effective assistance, both in the leisure of a consulting room and at the operation theatre in an emergency. But a legislation like HIPAA makes it obligatory that electronic medical records (EMR) will have to be kept secure and not shared with anyone who has not been authorised to have a look at them. This is the dilemma that faces medical administrators. The benefits of computerisation in a setting of overcrowded hospitals and greater and greater specialisation of medical treatment that demands accurate data on a patient's past medical history, cannot be overemphasised. Alongside it is the complicated and daunting task of protecting such data from predators and mischief mongers.
Privacy and security
Privacy and security issues are intertwined here. Take the case of a VVIP who is holding a sensitive public office. If he undergoes routine medical tests, which all of us do, or gets admitted to a hospital for treatment, enormous interest is generated all round, giving room to wild speculations that may affect political and economic stability in a country. On such occasions, political rivals of the VVIP have been seen to display more than benevolent interest in getting to know details that are normally known only to the medical staff. The scene is so vitiated that, according to a recent New York Times report, when former President Clinton entered the Presbyterian Hospital in the city two years ago for heart surgery, he assumed a new name. This did not, however, deter hackers and curious hospital staff from attempting to get access to data pertaining to his health! The hospital is known to have encountered several similar attempts when a famous local athlete was receiving treatment. So, if you are a hospital administrator and are tough and uncommunicative, you can rest assured that there will be hundreds trying to break into your health records through methods that are normally associated with cyber criminals.
The situation is compounded by an aggressive media, whose appetite for information is ravenous. Enterprising reporters, to whom the end justifies the means, add spice to the situation, thereby highlighting the need for the highest standards of data security. There is also the fundamental requirement of integrity of data so that it is not eliminated or gets distorted through attempts at hacking, two possibilities that adversely affect the quality of medical treatment. Protection of health data broadly involves the same technology that applies to other categories of information. User ID, passwords, etc, form part of an accepted standard. Encryption has also been employed by some hospitals.
'Masking' technique
In the US, HIPAA deals with all issues related to protection of health data. While it embodies a comprehensive mechanism to ensure that such data is protected, the exhaustive regulations within HIPAA are a damper to those who need data in quick time for speedy and efficient healthcare delivery. Another irritant and source of danger is the requirement for sharing data with hundreds of authorised individuals and groups within a system. According to an LA Times report, in a large hospital, there are as many as 600 resources who have either total or partial access to data. This boils down to the question of how to prevent misuse of data by trusted insiders who have been permitted access. Imagine the uncertainties and dangers in such a system from the points of view of privacy as well as security.
To meet concerns of this kind, the technique of 'masking' has been gaining some acceptance amongst healthcare administrators. Here a whole file may not be seen by every authorised person. He will get to see only what is relevant to his need. This ensures reasonable protection against a dishonest insider who has been permitted only partial access. The National Health Service (NHS) in the UK, which has embarked on a major computerisation project, has, for instance, been bogged down by controversies related to security as well as speed and efficiency with which data can be shared. There is further the debate as to who owns the data, the patient or the NHS administration. The emerging consensus is that the patient is the primary owner.
The scene in India is still primitive. The concept of storing and sharing health information online is fanciful to even the more advanced institutions. The most that is available in hospitals in the electronic format would be a Discharge Summary as a Word document stored on a couple of Desktop PCs. As EMR makes an entry into the developing world, the issues that have been faced in the US will need to be addressed in India too. Our lack of obsession with privacy, except in a few areas, could mean that HIPAA-like regulations may never be used here.
In the ultimate analysis, technology alone cannot ensure security. It is a combination of technology with organisational policies and strict enforcement of discipline through a 'rewards and penalties' system that may do the trick.
(The writer is a former CBI Director who is currently Adviser (Security) to TCS Ltd.)
Copyright © 2006, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line