Saqib, thanks for that reference. At that site, you posted the following comment:
"This will increase the cost of the handling patients' personal data, and that cost will be passed on to the patients. I think the Health Care Providers should be allowed to purchase the encryption solutions under General Services Administration (GSA) SmartBUY discounts to keep the costs low." I couldn't post my entire response to that list (too long), but I'd like to post these here. The emphasis in the HITECH act seems to be on confidentiality and safeguarding PII, especially when information is transmitted outside the physical boundary of the health care establishment. This level of legal protection is already being required for all health care providers doing business in the State of California. But the HITECH act also contains a stated requirement for accuracy and an implied need for the availability of the information. Accuracy requires that the initial inputs are correct, of course, but it also requires that appropriate data integrity measures be applied whenever the data is transmitted or stored. And availability requires robust data backup and archive facilities, probably into the "cloud" somewhere, which exacerbates the confidentiality and integrity problem. The DOD/GSA SmartBUY program has focused on the confidentiality aspect of the problem, primarily with software-based Full Disk Encryption packages that do nothing to provide confidentiality while the data is in transit, and also does nothing to protect the data against bit-rot (or contamination by malware) in storage, or the possibility of undetected data transmission errors. Data integrity mechanisms, including a strong hash and an Elliptic Curve Cryptography based digital signature need to be applied at the instant the data is created. Otherwise, nonrepudiation cannot be guaranteed, and the possibility that records could be modified or deleted after the fact, perhaps to cover up a potential malpractice issue, cannot be ignored. Ideally, confidentiality needs to be applied to records when they are first created as well, but the devil is in the details regarding the records management and information flow within a facility, and this may require a lot more effort. In any case, we can expect (and demand) that these issues will be addressed by the software suppliers and system integrators for this emerging industry. Robert Jueneman Message: 1 Date: Sun, 22 Mar 2009 17:46:34 -0700 From: "Ali, Saqib" <[email protected]> Subject: [FDE] New Disclosure Rules for Medical Information To: fde <[email protected]> Message-ID: <[email protected]> Content-Type: text/plain; charset=windows-1252 The latest US Federal Government stimulus package included new rules for health information which requires disclosure of any breach of medical information. "For medical information that is breached, the medical practice will need to contact the individuals and post about a breach affecting 10 or more patients on the practice's web site. If the breach is larger (500 patients or more) the medical practice will have to inform local media and the government. " Read more: http://srmsblog.burtongroup.com/2009/03/new-disclosure-rules-for-medical -information.html _______________________________________________ FDE mailing list [email protected] http://www.xml-dev.com/mailman/listinfo/fde
