Advantages and Disadvantages of Increased Access to Medical Records

 

Recently, services such as EHRs (Electronic Health Records) and PHRs (Personal Health Records) have become available to store an individual’s medical information online. This information can include medical history, lab tests and results, prescription drugs, and other medical procedures. EHRs are records that are created by a doctor or hospital, and are stored at a doctor’s office, hospital, insurance company, or even an employer. PHRs are personal records that are created and managed by the individual.

There are many benefits to individuals having access to records online. It would be a central place to store records and information from all of one’s medical providers. For instance, if an individual regularly sees a general practitioner, a gynecologist or urologist, and a sports medicine specialist, all of the records from the different doctors including lab results and prescription history could be stored there, making it easier to look up details and transfer records to different doctors. For a parent with a spouse and several children, or a caregiver for elderly parents, the benefits of having instant access online to each of these individuals’ records are obvious. Trying to remember all the medications an elderly person is on, the dosing instructions, and which doctor ordered each can be a daunting task.

The obvious drawback to online health records is the question of whether those records are sufficiently secure. These days there are constant notices of large organizations, including banks and security firms such as RSA, being compromised. An individual’s health records are some of the most private data available, and if the records become compromised, potential embarrassment is the least of one’s concerns. At the least, medical data could be sold to advertisers to send targeted messages tailored to an individual’s medical issues. Among the worst possible scenarios, an individual’s medical history could be held against them by a potential employer.

When reading about EHRs, I learned that the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 directed the Office of the National Coordinator for Health Information Technology (ONC) to implement the use of EHRs by every individual in the United States by 2014.[1] In a letter to the ONC dated May 16, 2011, Daniel R. Levinson, Inspector General for the Department of Health and Human Services, found that there were general IT security controls lacking in HIT (Health Information Technology standards), including encrypting of data stored on mobile devices, requiring two-factor authentication when remotely accessing an HIT system, and patching the operating systems of the computer systems that would process and store the EHRs. Levinson also indicates that “the ONC deferred at this time to the HIPAA Security Rule for addressing IT security for HIT” but that HIPAA reviews identified vulnerabilities about the effectiveness of IT security. It is alarming that the government is moving ahead with plans to require EHRs for all individuals, while not yet mandating adequate security.

The other side of this coin is PHRs. There are currently a few options for individuals who wish to create and manage their own medical history files online, including Google Health and Microsoft Health Vault. These services allow an individual to create an account, and then upload or input their personal medical records. Individuals would be able to assign others whom they would allow to access their accounts, and the vendors claim that the records would be secure. I checked both of these websites with an eye to whether I would feel secure using them. I use a Firefox “add on” service called Calomel SSL Validation, which grades the SSL security of any website visited. The scores are color coded and range from green (strongest security) to red (weakest security). Google Health scored orange, which is the second weakest level. Thirty percent of the score is based on validation of the certificate and ten percent on the domain match, both of which Google Health passed. However, thirty-four percent of the score is based on symmetric cipher strength. AES or Camellia at 256 bits is considered a strong cipher, and at 128 bits a moderate cipher, but Google Health scored poorly by using RC4, which is considered a weak cipher. Next, the symmetric key length is considered; the larger the key, the higher the strength. A 256-bit key would be considered strong, but at 128 bits in length Google Health again chose the weaker option.

I checked the same SSL Validation scores for Microsoft Health Vault, and found they scored a somewhat more satisfactory yellow, a mid-level rating, as they chose to use a moderately strong symmetric cipher (AES-128) but a weak 128-bit symmetric key length. Health Vault also indicates that it is certified by TRUSTe and HONcode.[2] While Microsoft Health Vault seems to be set up a little more securely, it concerned me that there are options to log in using either a Windows Live ID or Facebook account. This is a red flag to me, as I don’t want anyone hacking my email or social networking site to have easy access to my medical records as well. Google Health is also connected to an individual’s Google accounts, bringing up the same fear.

From reading over both websites’ privacy policies and terms of use, both indicate that information can flow or be connected in certain ways between an individual’s PHR account and their other Google or Live accounts. Both, as is typical, have numerous disclaimers against any responsibility to their organizations, while at the same time listing usage rules that the users would be held accountable for. The policies also mention that they may release an individual’s personal information “as required by law” or to “protect and defend the rights or property” of Microsoft or Google. These statements are rather vague and leave the possibility open for interpretation. Most importantly, as a third party that an individual chooses to release their medical data to, these companies are not responsible under HIPAA regulations.

In conclusion, while EHRs and PHRs could be extremely useful to individuals for managing their own or their dependents’ medical data, I find that there is still much work to be done to make these databases secure. Strong regulations for encryption and security, as well as clear rules about the use of and access to personal information, must be created and implemented before these online records should be commonly used. While researching, I found several articles conjecturing that Google Health would be discontinuing this service shortly due to low adoption rates. I believe that until there is sufficient security in place and mandated, many potential users such as myself will choose not to participate.

References

http://docs.ismgcorp.com/files/external/ONCstandards051711.pdf

http://www.google.com/intl/en_us/health/about/privacy.html

https://account.healthvault.com/help.aspx?topicid=PrivacyPolicy&culture=en-US

http://www.hon.ch/HONcode/Patients/Visitor/visitor.html

http://www.markle.org/health/markle-common-framework/connecting-consumers

http://www.cdt.org/issue/personal-health-records


[1] Daniel R. Levinson, Audit of Information Technology Security Included in Health Information Technology Standards. May 16, 2011. http://docs.ismgcorp.com/files/external/ONCstandards051711.pdf

 
