Cyber Security Industry Alliance Newsletter • Volume 2, Number 3 • November 2005

National Electronic Health Records: How Close Are We?

In early 2005, President George W. Bush called for the implementation of a national electronic health records (EHR) system in an effort to reduce health care costs and medical errors. To reap the benefits that will come with wide use of EHRs — efficiency and error avoidance — the systems must be secure. Few people will rely upon EHRs unless they are certain that their private medical information is safe from prying eyes or malicious hackers.

The events and devastation of the recent hurricanes, tornadoes, and other natural disasters have underscored the need for a secure, interoperable health information technology system. In the case of Hurricane Katrina, many medical records were lost as a result of the hurricane, particularly those not computerized, and the Federal government began making medical information on evacuees available online to doctors. This marked the first time private records from pharmacies and health care providers were organized into accessible, centralized databases. However, the security of personal, sensitive data, interoperability of systems, and proper implementation is paramount.

The movement toward an EHR system is seen as a way to enhance the speed, portability and effectiveness of the health care system. Implementation will face many challenges — securing personal information, ensuring privacy, technological compatibility, interoperability, and cost chief among them. Developing a secure and reliable system is important because patients will not use a system that violates their privacy and therefore their trust.

While setting up a secure, seamless system is the first order of business, another fundamental challenge facing EHR implementation will be getting physicians’ offices to actually use the system, a challenge that will need to be dealt with on a cultural as well as technological level. National Health Information Technology Coordinator Dr. David Brailer has said, "I think health care is without a doubt the last industry to go through a broad information revolution. It's a big revolutionary change to doctors."

In a step toward the creation of an EHR system, Health and Human Services Secretary Mike Leavitt has established an advisory panel, American Health Information Community (AHIC). This Community consists of government and private-sector members and is tasked with advising Leavitt on health information technology issues and guiding the national effort to adopt health IT.

For reasons which remain unclear, the Community does not include representation from the privacy and security community. The Community has seventeen members, with representatives from the Department of Defense, Veteran Affairs, Commerce and Treasury on the federal side and private sector groups such as Blue Cross Blue Shield and SureScripts — yet no security and/or privacy experts were named to the panel. Nancy Davenport-Ennis has been designated as the consumer representative in the Community, and will advocate for privacy from a consumer's perspective.

The National Committee on Vital and Health Statistics (NCVHS) will advise on the policy considerations surrounding privacy and security. HHS is looking to outside entities for data-sharing standards and the creation of a private certification-and-inspection system for medical-records software as it is developed. Secretary Leavitt envisions a market-sensitive, gradual implementation process, led by the private sector. He has said, "It is clear to me that the power to innovate lies in the private sector, but for the private sector to do its magic, it needs to be channeled into a common framework."

AHIC held its first public meeting in October, where they proposed four areas for the initial work: e-prescribing, consumer empowerment, bio-surveillance, and quality monitoring. Working groups will be created for these areas before the end of this year.

The Administration and the private sector, cooperatively and independently, have taken steps to move EHR implementation, and health IT in general, to the forefront of policy. Likewise, Congress has taken on health IT issues and marked them as top priority. Several bills have been introduced, including S. 1223, which is aimed at improving the quality and efficiency of health care delivery through improvements in healthcare IT; S. 1262, which creates an interoperable health information technology system through the adoption of standards to reduce costs, enhance efficiency and improve overall patient care; S. 1355, which enhances the adoption of health information technology and improves the quality and reduce the costs of healthcare; and H.R. 4157, which encourages the dissemination, security, confidentiality, and usefulness of health information technology. The Senate passed S. 1418 on November 18 which codifies the Office of the National Coordinator of Health Information Technology and combines elements of both S. 1262 and S. 1355.

We are on the edge of moving healthcare into the 21st century. The Administration, Congress, and the private sector are making health IT a priority. Ensuring data security and interoperability are among the many challenges before us, but we are certainly on the way.