
Do you know where all of your electronic health records reside? Do you know whether they are safe?

In answering the first question, you probably think about your primary care physician, your local hospital, specialty medical providers and ancillary providers such as optometrists or your dental practice. The answer to the second question, of course, is much harder to discern but vitally important because the information contained within a medical record is often sufficient to commit identity fraud.

One area of electronic health record (EHR) collection and sharing you probably overlooked when compiling your list encompasses clinical data registries, often used for research purposes to investigate conditions, medical procedures, demographic groups and more. If a medical provider participates in a registry, you likely signed up to participate when filling out those new patient forms related to data collection, protection and dissemination. Did you read them?

Although critically important for research purposes and the categorization of diseases, clinical data registries fly under the radar in terms of privacy and security issues. They face much less scrutiny than better-known medical data repositories such as EHRs. If anything, clinical data registries offer more opportunity for breaches, whether unintentional or the result of a hacker or other bad actor. That’s why clinical data registries should be certified/accredited by independent organizations to safeguard protected health information as it resides in registries and moves among those collecting the data and those using it for research.

Although rare, data breaches among clinical data registries do occur. Unauthorized disclosure of an estimated 100,000 records of patient data supplied to the American College of Cardiology (ACC) through a national cardiovascular data registry was discovered in December 2015. The incident occurred in 2009 or 2010 when ACC contracted with a third party to revamp the registry, providing 250 tables of fabricated patient data to be used for testing. However, one of the tables contained real patient data, including names, dates of birth, Social Security numbers and other identifying data.

It took five-plus years to uncover the incident. A search of the breach portal maintained by the U.S. Department of Health and Human Services Office for Civil Rights shows no direct listing for the ACC breach. Of the 1,400 entities reporting data to the ACC, only two appear in a portal search for “American College of Cardiology.”

The association had introduced new security controls before the disclosure was found. A spokeswoman said ACC continues “to update security processes and monitoring to ensure best practices are followed for protecting patient data.”
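The ACC incident above is a failure of release hygiene: one table of real records shipped inside what was supposed to be 250 tables of fabricated test data. What follows is an added example, not code from this article, from the ACC or from EHNAC, of the kind of gate a registry can put in front of any test-data hand-off to a vendor. It assumes the registry keeps a keyed-hash (HMAC) index of its production identifiers, here only Social Security numbers, and that its synthetic data is generated in ranges the SSA has never issued so it is distinguishable from real records. The key, table names, column name and every record below are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed placeholder key. In practice the key stays with the data owner
# and is rotated; the vendor receiving test data never needs it.
FINGERPRINT_KEY = b"constructed-example-key"

SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def fingerprint(value: str) -> str:
    """Keyed hash of an identifier (digits only), so the index can be handed to
    a release gate without exposing the production values themselves."""
    digits = re.sub(r"\D", "", value)
    return hmac.new(FINGERPRINT_KEY, digits.encode(), hashlib.sha256).hexdigest()


def build_production_index(production_ssns):
    """Fingerprint set of the identifiers that must never appear in test data."""
    return {fingerprint(ssn) for ssn in production_ssns}


def is_issuable_ssn(value: str) -> bool:
    """True when the value is structurally a number the SSA could have issued.
    Synthetic data should use never-issued ranges (area 000, 666 or 900-999,
    group 00, serial 0000) so it never looks like a real record."""
    m = SSN_RE.match(value.strip())
    if not m:
        return False
    area, group, serial = (int(x) for x in m.groups())
    if area == 0 or area == 666 or area >= 900:
        return False
    return group != 0 and serial != 0


def scan_table(name, rows, ssn_column, production_index):
    """Check one test table. Returns a list of findings; an empty list means the
    table passed both the collision check and the synthetic-range check."""
    findings = []
    issuable = 0
    for idx, row in enumerate(rows):
        value = row.get(ssn_column)
        if not value:
            continue
        # Strong signal: the value collides with a production identifier.
        if fingerprint(value) in production_index:
            findings.append({"table": name, "row": idx, "kind": "production_match"})
        if is_issuable_ssn(value):
            issuable += 1
    if rows and issuable == len(rows):
        # Weaker signal: every identifier is a plausible real SSN. That is what
        # real data looks like and what generated synthetic data should not.
        findings.append({"table": name, "row": None, "kind": "no_synthetic_markers"})
    return findings


def gate_release(tables, ssn_column, production_index):
    """Scan every table headed for a vendor. Returns {table: findings} for the
    tables that must be held back; an empty dict means the release may proceed."""
    held = {}
    for name, rows in tables.items():
        findings = scan_table(name, rows, ssn_column, production_index)
        if findings:
            held[name] = findings
    return held


# Constructed sample data, not taken from any real registry.
PRODUCTION_SSNS = ["123-45-6789", "234-56-7890"]
TEST_TABLES = {
    "patients_synthetic": [
        {"name": "Test Patient A", "ssn": "900-00-0001"},
        {"name": "Test Patient B", "ssn": "900-00-0002"},
    ],
    "patients_mixed": [
        {"name": "Test Patient C", "ssn": "900-00-0003"},
        {"name": "Real Patient", "ssn": "123-45-6789"},
    ],
    "patients_real_looking": [
        {"name": "Test Patient D", "ssn": "345-67-8901"},
        {"name": "Test Patient E", "ssn": "456-78-9012"},
    ],
}

if __name__ == "__main__":
    index = build_production_index(PRODUCTION_SSNS)
    for table, findings in gate_release(TEST_TABLES, "ssn", index).items():
        print(f"HOLD {table}: {findings}")
```

The collision check is the one that would have caught the ACC table: the real records match the production index regardless of how they were formatted or which table they landed in. The range check is a heuristic that catches tables whose identifiers look real even when they are not in the index, for instance records copied from another provider, and it only works if the registry's synthetic-data generator is disciplined about using never-issued ranges.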

Registries face several challenges regarding best practices that could put the security of patient data at risk. Data collection still rarely occurs directly from an EHR because of the technical difficulty and cost of linking different IT infrastructures, though interoperability is slowly improving. Lack of integration means a great deal of manual data entry and manipulation, which is prone to error.

Moving registries to the cloud does have some advantages for the collecting organization, but security concerns remain. Beyond the significant requirements for the physical and electronic security of data, other challenges include how controls are handled, assigning role-based access rights and inadequate consents to collect/disseminate protected health information.

Data security includes complying with HIPAA privacy and security regulations, Institutional Review Board guidance and the Federal Policy for the Protection of Human Subjects, better known as the Common Rule. With the addition of technology interfaces that allow data to move among IT systems, privileging and security become even more important, because the weakest link can be used to exploit the entire system.

The most famous example of this type of attack is the 2013 Target breach, which affected 110 million credit and debit card users who purchased from the ubiquitous retailer during the hack. How did the bad guys get in? Through a third-party vendor who had peripheral access to Target’s IT systems.

That’s why data registries should adhere to a core set of requirements for compliance with privacy and security standards. Such accreditation would review functions of the registry, including structure, clinical integration, compliance monitoring, interoperability, reporting and industry certification/accreditation. It should closely monitor how information is passed among databases to ensure that privacy and security are maintained during the exchange. It should also serve as a baseline standard for participating organizations to assure compliance with federal privacy, security, and regulatory guidelines.

Clinical data registries play a vital role in the health data ecosystem and in the future of healthcare. Information contained in registries is helping researchers make new discoveries and giving patients access to cutting-edge treatments and trials.

Hacking, phishing attempts and ransomware continue to proliferate, and healthcare remains a target industry. That’s why clinical data registries should adhere to strict standards to ensure privacy and security while maintaining the high standards for data exchange that power their important work.


Lee Barrett

Lee Barrett is executive director and CEO of the Electronic Healthcare Network Accreditation Commission (EHNAC), where he continues to work on key health information technology industry initiatives, including support and implementation of key healthcare legislative mandates. Barrett speaks nationally regarding security, privacy, ransomware, and cybersecurity risk management/assessment and mitigation strategies, tactics and best practices. He is a member of the executive steering committee for the ONC Payer + Provider FAST FHIR Task Force and of the HHS Cybersecurity Task Force (405d), and chair of the National Trust Network Data Sharing and Cybersecurity Task Group.
