Wednesday, April 29, 2009

implementing security and identity and access management (IAM) for EHRs

In order to successfully implement EHRs, all entities involved (such as hospitals, clinics, pharmacies, health insurance companies, and so on) need to coordinate their efforts. The current credit history reporting model can serve as a starting point for implementing security and IAM for EHRs. In the credit history model, independent companies collect data from various sources (credit card companies, loan agencies, banks, etc.) to maintain the credit history of an individual. An individual is identified by his/her Social Security number and date of birth and can request a credit history report online, by mail or by email. Whenever the individual tries to purchase something on credit (such as a car or a house), he/she grants the lending company access to request a credit history report from the independent company that maintains it in its database.

A similar shift will have to happen for EHRs. The EHRs will have to be maintained online by independent companies, and these EHRs should be considered the source of truth holding the latest information. All local hospitals and clinics should send updates to the EHRs at the independent companies to keep the records current. This requires that hospitals and other providers hold the right access privileges to update the records. An individual will have to select one company with which to keep his/her EHR.

The following is a process flow for EHR information and access:
The patient will have access to EHRs and will be able to view and modify his/her own health record. The patient can update the EHR after visiting a pharmacy to add any over-the-counter medication purchased, and can also add other hospital visits, lab results, etc. The patient's identity profile should have full access to the EHR, including the ability to overwrite information entered by any other source (such overwrites should be logged rather than silently replacing the prior entry). The patient should also be able to add, enable and disable other users to view and/or modify his/her health record.


Other users can be granted privileges as determined by the patient. The assumption is that only those physicians, hospitals and individuals who are granted access by the patient can update or modify the patient's EHR. If a hospital wants to view or enter information into a patient's EHR, the patient will have to add the hospital as a user in the profile so that the hospital has access to the patient's EHR. Similarly, other users to whom the patient grants access can be added to view and/or modify the EHR. However, to view patient information in an emergency, a clinic or hospital will only need to have implemented an EHR system certified by the Certification Commission for Health Information Technology (CCHIT). Products receive CCHIT certification after demonstrating 100 percent compliance with hundreds of criteria in the areas of functionality, interoperability and security.

The criteria are developed by work groups of volunteers from all segments of the healthcare industry, including physicians, payers, vendors, healthcare consumers, public health agencies, quality improvement organizations, clinical researchers, standards development and informatics experts and government agencies, and are approved by CCHIT's Commissioners. Thus, providers using a CCHIT-certified system will not need pre-approval from patients to view their EHR in case of an emergency. Because such emergency ("break-glass") access bypasses the patient's explicit grants, it should be limited to viewing, logged, and reviewed after the fact.

In order to achieve the model detailed above, the first step is to outline a security policy for EHRs across interoperable systems that defines permitted actions (actions users can perform based on their roles), event-triggered actions (actions different users of the system can perform when an emergency occurs), refrain actions (actions users must refrain from) and delegation actions (actions that can be delegated to other users in the system). A combined control method using the principles of Role-Based Access Control (RBAC) and Discretionary Access Control (DAC) will have to be implemented. Based on RBAC principles, users of EHRs will have defined roles, and each entity in the EHR model will define the user roles within its system. Users will also have attributes assigned to them that restrict their actions and their access to systems and applications. Based on DAC principles, patients will also need to self-register and to hold the rights to grant access to other individuals (such as physicians, family members and so on). Thus, a comprehensive access control method can be applied to EHRs as detailed above.
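As an added example (not code from the original post), the following Python sketch encodes that policy as a small decision engine for one patient record: per-role ceilings are the RBAC part, per-record grants set by the patient are the DAC part, the emergency rule is the event-triggered action, the refrain list is a hard deny, and `grant` implements delegation (a delegate can pass on only what it holds). The roles, the `cchit_certified` attribute, the user names and the scenarios in `demo` are assumptions chosen for illustration; everything is constructed inline so it runs offline.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from enum import Enum, auto


class Action(Enum):
    VIEW = auto()
    ADD = auto()
    MODIFY = auto()
    OVERWRITE = auto()   # replace an entry written by another source
    GRANT = auto()       # add, enable or disable other users on the record


# RBAC: the most a role can ever be granted on a record (roles are assumed, for illustration).
ROLE_CEILING = {
    "patient":   set(Action),
    "physician": {Action.VIEW, Action.ADD, Action.MODIFY},
    "hospital":  {Action.VIEW, Action.ADD, Action.MODIFY},
    "pharmacy":  {Action.VIEW, Action.ADD},
    "family":    {Action.VIEW, Action.GRANT},   # GRANT only works once the patient delegates it
}
# Refrain actions: hard denies that beat any grant or emergency, even a tampered grant table.
REFRAIN = {role: {Action.OVERWRITE} for role in ROLE_CEILING if role != "patient"}

# User attribute (assumed): cchit_certified means the provider runs a CCHIT-certified EHR system.
User = namedtuple("User", "uid role cchit_certified", defaults=[False])


@dataclass
class Record:
    patient_id: str
    grants: dict = field(default_factory=dict)   # DAC: uid -> set of Action given by the patient
    disabled: set = field(default_factory=set)   # uids the patient has switched off
    audit: list = field(default_factory=list)    # (uid, action, allowed, reason, emergency)


def decide(user, record, action, emergency=False):
    """Return (allowed, reason). Order matters: refrain > role ceiling > owner > DAC > emergency."""
    def log(allowed, reason):
        record.audit.append((user.uid, action.name, allowed, reason, emergency))
        return allowed, reason
    if action in REFRAIN.get(user.role, set()):
        return log(False, "refrain action for role")
    if action not in ROLE_CEILING.get(user.role, set()):
        return log(False, "outside role ceiling")
    if user.uid == record.patient_id:
        return log(True, "patient owns record")
    if user.uid in record.disabled:
        return log(False, "user disabled by patient")
    if action in record.grants.get(user.uid, set()):
        return log(True, "patient grant")
    # Event-triggered action: a certified provider may read without pre-approval in an emergency.
    if emergency and action is Action.VIEW and user.role in ("physician", "hospital") and user.cchit_certified:
        return log(True, "break-glass emergency view")
    return log(False, "no grant")


def grant(actor, record, target, actions):
    """Give `target` the subset of `actions` policy allows and return it.
    A delegate (non-patient holding GRANT) may pass on only what it holds, never GRANT itself."""
    if not decide(actor, record, Action.GRANT)[0]:
        return set()
    effective = set(actions) & ROLE_CEILING.get(target.role, set())
    if actor.uid != record.patient_id:
        effective &= record.grants[actor.uid] - {Action.GRANT}
    if effective:
        record.grants[target.uid] = record.grants.get(target.uid, set()) | effective
    return effective


def set_enabled(actor, record, target_uid, enabled):
    """Only the patient can enable or disable a user on the record."""
    if actor.uid != record.patient_id:
        return False
    (record.disabled.discard if enabled else record.disabled.add)(target_uid)
    return True


def demo():
    """Walk the flow from the post with constructed users; returns the decisions and the record."""
    alice = User("alice", "patient")
    dr_bob = User("dr_bob", "physician", cchit_certified=True)
    mercy = User("mercy_hosp", "hospital", cchit_certified=True)
    corner_rx = User("corner_rx", "pharmacy")
    carol = User("carol", "family")
    rec = Record(patient_id="alice")
    r = {}
    r["patient_overwrite"] = decide(alice, rec, Action.OVERWRITE)[0]                   # True
    r["dr_view_no_grant"] = decide(dr_bob, rec, Action.VIEW)[0]                        # False
    grant(alice, rec, dr_bob, {Action.VIEW, Action.MODIFY})
    r["dr_view_granted"] = decide(dr_bob, rec, Action.VIEW)[0]                         # True
    r["hosp_emergency_view"] = decide(mercy, rec, Action.VIEW, emergency=True)[0]      # True
    r["hosp_emergency_modify"] = decide(mercy, rec, Action.MODIFY, emergency=True)[0]  # False
    r["rx_emergency_view"] = decide(corner_rx, rec, Action.VIEW, emergency=True)[0]    # False: not certified
    r["rx_granted_modify"] = grant(alice, rec, corner_rx, {Action.MODIFY})             # set(): over ceiling
    grant(alice, rec, carol, {Action.VIEW, Action.GRANT})                              # delegate to family
    r["carol_delegates"] = grant(carol, rec, corner_rx, {Action.VIEW, Action.ADD})     # {VIEW}
    set_enabled(alice, rec, "dr_bob", False)
    r["dr_view_disabled"] = decide(dr_bob, rec, Action.VIEW)[0]                        # False
    rec.grants["dr_bob"] = {Action.OVERWRITE}              # simulate a tampered grant table
    r["dr_overwrite_tampered"] = decide(dr_bob, rec, Action.OVERWRITE)                 # (False, 'refrain action for role')
    return r, rec


if __name__ == "__main__":
    print(demo()[0])
```

Note the evaluation order in `decide`: the refrain list and the role ceiling are checked before any grant or emergency rule, so an over-broad or corrupted grant table cannot exceed what the policy allows, and the emergency path unlocks viewing only. Every decision, including break-glass reads, is appended to the record's audit trail, which is what makes after-the-fact review of emergency access possible.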
