
Clinical Observations on Personal Health Records


Although many respondents in our ongoing poll have indicated a preference for USB-based personal health records alongside online systems, there are several pitfalls associated with USB-based personal health record applications.
These include loss of or damage to the USB key, and security threats from viral programs that could corrupt the network.

A paper that highlights this issue, "Security Threat Posed by USB-Based Personal Health Records," was published in the February 2007 Annals of Internal Medicine, Volume 146, Number 4, at www.annals.org.

The paper, however, does not indicate the type of software or application that powers these various personal health record programs.

Background:
USB (universal serial bus)-based personal health records enable patients to easily transport their health histories to physicians for review. These small, handheld devices (sometimes called “thumb drives” or “flash drives”) contain a database to store personal health information and a software program to display and edit the contents of the database. They are rapidly gaining popularity (1) and have drawn the attention of the popular press (2) and U.S. Congress (3). Recently, they were distributed to Hurricane Katrina victims in New Orleans as part of the city’s Health Recovery Week (4). These devices sell for less than $100 and are often given free to patients by insurers, employers, hospitals, and health systems.
However, USB-based devices may pose a security threat that could be used to access sensitive data from a physician’s computer.

By simply inserting the device into a USB port, a provider may put all data on that computer, and potentially all data on the network to which the computer is connected, at risk for theft or corruption.

Objective:
To determine whether USB-based personal health records pose a security threat to provider data.

Methods:
We identified 5 major USB-based personal health records: the E-HealthKEY (MedicAlert, Turlock, California), Personal HealthKey (CapMed, Newtown, Pennsylvania), Med-InfoChip (Med-InfoChip LLC, Boynton Beach, Florida), MedKey (MedKey Corp., San Diego, California), and The Bartlett (PEHR Technologies, Salt Lake City, Utah). We obtained 3 of these devices (MedKey Corp. and PEHR Technologies did not supply a sample of their device), analyzed them to determine their structure, and attempted to modify the software program on each device to perform actions of our choosing. No device was manufactured with protections against this.

Findings:
 We modified the programs on the devices so that, when connected to a computer, they gave the appearance of normal operation but surreptitiously searched for and copied data from the computer to a hidden location on the USB device.

Discussion:
The security threat posed by existing patient-controlled USB devices is serious. Depending on how a USB-based personal health record is modified, the programs on the device could tamper with data (for example, to enter unauthorized prescriptions); spread computer viruses; corrupt the hospital or practice network to which the computer is attached; leave harmful software behind that could, for example, capture usernames and passwords and send them to the person on an ongoing basis; and copy financial or health data—all while the physician is viewing the patient’s health record on the device. Each of the devices we reviewed contains a program that must be used to view the patient record, and no reliable mechanism can verify the integrity of these programs. The only certain way for providers to avoid this type of attack is to avoid accepting such devices. Web-based personal health records, which are also available, are a safer alternative. Because they are viewed through a Web browser and require no special software to run, they are not subject to this type of attack.

Adam Wright, BS
Oregon Health and Science University
Portland, OR 97239
Dean F. Sittig, PhD
Oregon Health and Science University and
Northwest Permanente Medical Group
Portland, OR 97227

Potential Financial Conflicts of Interest: None disclosed.

References
1. Attitudes of Americans Regarding Personal Health Records and Nationwide Electronic Health Information Exchange: Key Findings from Two Surveys of Americans. New York: Markle Foundation; October 2005.
2. Landro L. Your medical history on a microchip: having key data ready in an emergency. Wall Street Journal. 27 July 2004:D1.
3. Health Information Technology: Hearing Before the Subcommittee on Technology, Innovation, and Competitiveness of the Senate Committee on Commerce, Science, and Transportation, 109th Cong, 1st Sess (30 June 2005) (statement of Senator Mike Enzi).
4. City sponsors Health Recovery Week: residents to receive free full-service medical care [press release]. New Orleans, LA: City of New Orleans Mayor’s Office of Communications; 2 February 2006.
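
A read-only triage of a presented device, as an added example that is not from the letter or from any vendor: it lists hidden entries, autorun files, and any program whose SHA-256 is not on an allowlist. The allowlist of reference hashes, the function names and the sample files are assumptions constructed for illustration; the letter reports that the devices themselves offered no such integrity check.

```python
import hashlib
import os
import tempfile
from pathlib import Path

EXEC_MAGIC = (b"MZ", b"\x7fELF")   # PE and ELF file headers
EXEC_EXT = {".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".lnk"}
FILE_ATTRIBUTE_HIDDEN = 0x2        # Windows "hidden" attribute bit

def is_hidden(path):
    # Dot-prefixed names, or the hidden attribute where the OS reports it.
    attrs = getattr(os.lstat(path), "st_file_attributes", 0)
    return path.name.startswith(".") or bool(attrs & FILE_ATTRIBUTE_HIDDEN)

def triage_device(root, allowlist):
    """Read-only walk of a mounted device; nothing on it is executed.
    allowlist: SHA-256 hex digests of reference programs (an assumption)."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        rel = path.relative_to(root).as_posix()
        if is_hidden(path):
            findings.append(("hidden", rel))
        if not path.is_file():
            continue
        if path.name.lower() == "autorun.inf":
            findings.append(("autorun", rel))
        data = path.read_bytes()
        is_program = data.startswith(EXEC_MAGIC) or path.suffix.lower() in EXEC_EXT
        if is_program and hashlib.sha256(data).hexdigest() not in allowlist:
            findings.append(("unverified-program", rel))
    return sorted(findings)

def demo():
    """Constructed sample device: a clean layout, then a tampered one."""
    reference = b"MZ constructed reference viewer"
    allowlist = {hashlib.sha256(reference).hexdigest()}
    with tempfile.TemporaryDirectory() as root:
        Path(root, "viewer.exe").write_bytes(reference)
        Path(root, "record.xml").write_text("<phr>constructed</phr>")
        clean = triage_device(root, allowlist)
        # Tamper: alter the viewer and add a hidden folder for copied data.
        Path(root, "viewer.exe").write_bytes(reference + b" patched")
        Path(root, ".store").mkdir()
        Path(root, ".store", "copy.dat").write_bytes(b"constructed")
        tampered = triage_device(root, allowlist)
    return clean, tampered

if __name__ == "__main__":
    print(demo())
```

A matching hash only shows that a program is byte-identical to the reference copy the allowlist was built from, so the check is only as trustworthy as that reference.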



Personal Health Record and Challenges


Early Experiences with Personal Health Records

Challenges in PHR


John Halamka and his group write about their experience with three case studies: MyChart at Palo Alto Medical Foundation, PatientSite at Beth Israel Deaconess Medical Center, and Indivo at Children’s Hospital Boston. They present the challenges they faced in implementing personal health records from 1998-2007 and the challenges that they foresee in 2008 and beyond.

As consumer awareness of personal health records increases, there are bound to be some challenges in the deployment of personal health records.



Abstract of the paper:

Over the past year, several payers, employers, and commercial vendors have announced personal health record projects. Few of these are widely deployed and few are fully integrated into ambulatory or hospital-based electronic record systems. The earliest adopters of personal health records have many lessons learned that can inform these new initiatives. We present three case studies—MyChart at Palo Alto Medical Foundation, PatientSite at Beth Israel Deaconess Medical Center, and Indivo at Children’s Hospital Boston. We describe our implementation challenges from 1999 to 2007 and postulate the evolving challenges we will face over the next five years.

Introduction

The definition of Personal Health Records (PHRs) is still evolving. Implementations to date have ranged from web pages for patients to enter their own data manually, to physician-hosted patient portals giving patients access to their electronic health records (EHRs), to employer/payer portals which give patients access to claims data. The intent of all of these systems is clear—to give patients better access to their own healthcare data and enable them to be stewards of their own information.

Traditionally, clinical records have been sequestered in hospitals and provider’s offices. Although HIPAA mandates that patients can access their medical records, it does not specify the manner in which this access is given, so most patients must visit the medical records departments of caregivers to obtain paper copies of their charts. As more clinicians adopt EHRs and a nationwide health information network (NHIN) is implemented, more and more patients will demand access to records online. Such access raises many questions. What information should be shared? How should patients be authenticated? How should privacy be protected?

At the height of the “dot.com” era, health information websites became very popular and attracted significant venture-capital funding. Although the number of visits to healthcare information websites grew substantially in the early 2000s, public opinion surveys demonstrated that consumers were interested in receiving more than just health information from unknown sites; they were interested in receiving information that was endorsed by their own physicians and getting in touch with their own physician offices.

This led EHR developers (both commercial and institutional) to develop products linking clinician and patient, such as web-based patient interfaces to their information residing in the EHR. In this paper, the authors share their collective experiences from operating PHRs in their respective institutions: a university hospital, a community-based multi-specialty group practice, and a children’s hospital.


Conclusion

The increasing prevalence of personal health records over the next five years will create many policy and technical challenges for healthcare institutions, payers, and employers. However, it may also provide a great opportunity. Providing patient control of healthcare information exchange is appealing, since it solves many of the privacy and consent issues faced by organizations desiring to exchange data today. By placing the patient at the center of healthcare data exchange and empowering the patient to become the steward of their own data, protecting patient confidentiality becomes the personal responsibility of every participating patient. This may accelerate healthcare information exchange as it simplifies consent models among producers and consumers of healthcare data. Our experience to date at three institutions demonstrates that personal health records which share data among patients and providers can successfully be deployed, but require careful attention to policy around privacy, security, data stewardship, and personal control.

Journal of the American Medical Informatics Association
Volume 15, Issue 1, January-February 2008, Pages 1-7
