Medical Device Daily Washington Editor

WASHINGTON – The recent disclosure that financial data for American veterans were recorded on a laptop computer – and then stolen – has intensified the scrutiny of electronic records, of all kinds, including electronic health files. As the largest healthcare system in the U.S., the Veteran's Health Administration (VHA), part of the U.S. Department of Veterans Affairs (VA; Washington), was almost certain to find itself in the expanding spotlight of public scrutiny.

Thus it was that the health subcommittee of the House Committee on Veterans Affairs, chaired by Rep. Henry Brown (R-South Carolina), on Wednesday took the opportunity to scrutinize the VHA's security measures.

“The value of VA's health records was demonstrated during Hurricane Katrina” when medical records for veterans were made available to doctors outside the New Orleans area, Brown said. Thus, he described the recent loss of VA data as “simply unacceptable,” and that VA needs “explicit and clear confidentiality policies.”

Ranking minority member Michael Michaud (D-Maine) said that “VA's electronic patient record system remains the technological force behind VA's state-of-the-art care.” But he noted that while the recent disclosure of lost VA data had not impacted VHA directly, “there may be a dark side to huge electronic databases.”

Michaud said that a report by the Office of Inspector General at the VA demonstrated “weak controls over veterans' records,” and noted a threat in 2005 by a VA subcontractor in India to “expose thousands of patient records over the Internet” in an attempt to obtain payment.

Michaud said the data security problem does not end there.

“A nurse who accidentally leaves on a computer screen, while rushing off to help a patient, is also a threat to patient privacy.”

Brigadier General Michael Kussman, MD, VA's deputy undersecretary for health, said, “I want to assure you and our nation's veterans that the recent data breach did not include any of VHA's electronic health records [EHRs].”

Kussman assured the committee that “only those who have a legitimate and demonstrated need are granted access” to EHRs and that “data transmitted among VA systems are monitored seven days a week, 24 hours a day, 365 days a year.”

Data transmissions inside the VA network are not encrypted, he said, but that data sent outside the administration's firewall are transmitted via the virtual private network (VPN), which encrypts the data “in accordance with VA and VHA directive 6210.”

Kussman also noted that intrusion detection software is in place in VA systems to fend off hackers.

VHA, he said, is taking “several steps to alleviate the risk” associated with a contract for medical records transcription, adding that VHA had changed business agreements to forbid export of such records outside the U.S. VHA also is at work on standards for voice recognition software to replace transcription.

As for telework – another potential threat to data privacy – Kussman said such arrangements are “not open to everyone, nor to every kind of work.” Would-be teleworkers must go through an approval process and must agree to protect records from unauthorized disclosure or damage in accordance with the requirements of the Privacy Act and any applicable federal regulations.

Kussman noted also “external mechanisms promoting VHA compliance,” such as HIPAA and regular reviews by the U.S. Department of Justice and the Joint Commission on the Accreditation of Healthcare Organizations (Oakbrook Terrace, Illinois).

VHA also is “continuing to strengthen our security and privacy controls,” including increased use of encryption and improvements to existing applications “that will broaden auditing capabilities.” He added that the agency is working on upgrades to the Veteran's Health Information Systems and Technology Architecture (VistA) which provides secure, near real-time access to electronic health information, that will “address need-to-know, least privilege and separation of duty principles.”

VHA also is rolling out or will soon roll out measures that will encrypt internal data, improve e-mail security, mandate encryptability in all future laptop and portable media purchases, and institute ongoing assessment of security in light of developing security threats.

Kussman promised “everything in our power” to keep veterans' data secure.

Robert Seliger, CEO of healthcare data management firm Sentillion (Andover, Massachusetts), told the committee that his firm's experience suggests that data access in clinical settings should be handled in accordance with the unique nature of the work involved.

“The practice of safe and effective medicine will always take precedence over security,” Seliger said, adding that doctors and nurses, who are “among the smartest, most highly trained people in the world [must] work around and challenge policies that impede the care delivery process.”

He made the case that, in a typical day, a hospital healthcare worker might have to consult a laptop or other portable electronic device 50 times and that if each log-on and log-off consumes a minute, much precious time goes down the drain.

“I would like to assert that the real security and privacy challenge that the healthcare industry faces is not from attacks from without, but from transgressions from within,” Seliger said.

He said a Sentillion study had shown that when computers respond more quickly to log-on and log-off commands, nurses are liable to log computers off at each use rather than only half the time. And physician compliance with log-off policies went from zero to 86%.

“This change in behavior was not due to a new policy or a threat of punitive behavior,” Seliger said.

During the Q&A, Kussman insisted that the mere presence of EHRs has improved security because “hard copy is even more accessible” than its electronic offspring. He added that HIPAA “put in place a higher set of standards” than other industries are subject to, but that recent events have nonetheless “sensitized us immensely” to the need for improved security.

Gail Belles, a technical security advisor at VHA, said the organization had issued “a data access inventory for every individual in our work force,” a major effort that includes employees and contractors, and that the same groups have been briefed recently on security and privacy measures. Some of VHA's computer systems are also subject to audit trails that are “logged continuously” and reviewed every 30 days, Belles said.

As for measures to ensure that researchers cannot accidentally place sensitive data in the wrong hands, Kussman said that the VA Office of Research Oversight looked at this issue and concluded: “the process in place works pretty well,” inasmuch as there are no recorded instances of breaches involving researchers. However, VHA is “working on an encryption protocol that would make the data difficult [for an interloper] to use.”