CFR 42: Preserving EHR Privacy with Data Masking Techniques
By Kaye Eisele
Masking data is one technique that helps ensure the confidentiality of electronic health records (EHR) for discrete data items found in substance and alcohol abuse records. The Privacy Rule, outlined in CFR 42, is a law designed to protect patients’ sensitive medical information regarding substance and alcohol abuse treatment. As further regulations are developed, a key concept in their development is involving patients: by signing (or declining to sign) release of information forms, patients decide whether their sensitive medical data may be shared among healthcare providers and insurance companies, and for necessary audits. Protected health information and personally identifiable information need to be available to the caregivers treating these patients, but they must also be secure and protected. The concept that a patient being treated for substance and/or alcohol abuse has the right to decide where their sensitive medical information is sent, who will have access to it, and under what circumstances, is gaining support.
Healthcare providers and others who are not diligent in protecting sensitive patient data can, according to CFR 42, be fined $500 for breaching otherwise secure patient information. If they repeat these offenses, they can be fined $5,000 for every breach thereafter. Caregivers have as much interest as their patients in keeping substance and alcohol abuse EHRs confidential, and not just because of the possibility of fines. Confidentiality is the crux of the patient-caregiver relationship; few patients will fully divulge necessary alcohol and/or substance abuse histories and related information if they do not believe their EHRs will be kept confidential. Even with the best of intentions among providers, savvy computer hackers or other unauthorized users can obtain this highly sensitive medical information. Current legislation does not provide for overall security of EHRs when it comes to alcohol and substance abuse records. It is important that all aspects of the CFR 42 law are applied to the integrity and security of all EHRs.
Certainly healthcare providers treating persons with substance and/or alcohol abuse diagnoses recognize the importance of EHRs and their role in the continuing, quality treatment of patients, but many are concerned that these types of EHRs need stronger confidentiality features that are currently being overlooked. It is imperative that healthcare organizations adopt information infrastructures in which records are readily available and also secure. That balance is a tightrope walk, and it has proved more complex than the initial EHR-related legislation recognized. Physicians and other healthcare providers are advocating for secure EHRs that will continue to set the stage for successful treatment of their patients without concern regarding the confidentiality of patient records.
“While contemplating doomsday scenarios alone is not helpful,” says Feisal Nanji, executive director at Techumen, a consulting firm that focuses on security and privacy issues for health institutions, “we believe that hospitals and large health institutions must tackle the notion of security and privacy in a very diligent and holistic way—almost akin to what the financial industry did to secure their transaction systems in the mid-2000s.”
While EHRs will permit interoperability of medical information, as the number of authorized users increases, so will the possibility of inadvertent disclosure of confidential records. Compromising an entire data infrastructure can be as “easy” as a healthcare provider writing down a password and accidentally leaving it where unauthorized users can see it. To combat these situations, database management techniques are often useful when applied to medical privacy issues.
For instance, data de-identification is a technique that can protect patient confidentiality by advancing the security of EHRs. Other techniques include data masking, encryption of data, data obfuscation and data repositioning. Further data transformation techniques include data perturbation and hashing of individual data elements, and data exclusion is yet another technique that ensures the confidentiality of sensitive EHR records. However, while users value security in EHRs, if a solution is too intrusive or difficult, user satisfaction may decline; worse, users may abandon it altogether.
Even before considering which techniques are best, or asking a vendor what applications they provide for securing EHRs, it is important to consider secure user identification platforms that are efficient and effective for all users. RSA® Identity Verification for Healthcare is a user-friendly application that does not require users to be certified or enrolled in a program. Users do not have to download software or provide their Social Security numbers, information which, once collected, makes it easier for hackers to obtain confidential EHR information. Instead, this platform identifies the nature of the risk when recognizing each user. Based on the level of risk, certain questions are posed that the user must answer. The question and answer format is very diverse and is automatically adjusted to higher levels of difficulty if the user is not immediately recognized, or if the user appears suspicious. Likewise, if the user is a first-timer, as long as they are an appropriate user, the system can easily identify them and will not prevent or delay their access to necessary information. The process runs in real time and can quickly identify appropriate users so their work can be done in a timely fashion, while frustrating or shutting out users who do not have the proper authority to access highly confidential EHRs. Password resets are automated with this type of application, and suspicious activities are easily tracked.
Advocates of secure EHRs include Sharona Hoffman and Andy Podgurski, professors at Case Western Reserve University School of Law. In one study, they wrote, “We argue that the advantages of EHR systems will outweigh their risks only if these systems are developed and maintained with rigorous adherence to best software engineering and medical informatics practices.” Given the host of software engineering practices available in arenas even outside of healthcare, there is no reason to overlook the tried and true applications for maintaining the confidentiality of records.
Data masking is a technique that alters certain data items so that the EHR remains functional, but highly confidential data is not available to all users. For instance, in the Netherlands, not only can patients “opt out” of the information they want included in their EHRs for all users to see, but they can also ask their provider to conceal or mask highly sensitive medical information, such as substance and alcohol abuse information.
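As an added example that is not part of the original article, the following Python shows consent-aware masking of discrete EHR items: sensitive fields are hidden unless the requester holds a clinical role that the patient’s signed consent names, and an empty consent set models a patient who opted out entirely. The field names, roles and the sample record are constructed for the demo.

```python
# Added example (not from the article): consent-aware masking of discrete
# EHR data items. Field names, roles and the sample record are constructed.
from copy import deepcopy

MASK = "***RESTRICTED***"

# Discrete items that a patient's release-of-information consent governs
# (constructed list for this demo).
SENSITIVE_FIELDS = {"substance_use_dx", "alcohol_use_dx", "treatment_program"}

# Roles that may ever see those items; even they need the patient's consent.
CLINICAL_ROLES = {"treating_physician", "treating_nurse"}

SAMPLE_RECORD = {  # constructed sample, not real patient data
    "mrn": "MRN-0001",
    "name": "J. Doe",
    "allergies": ["penicillin"],
    "substance_use_dx": "opioid use disorder",
    "alcohol_use_dx": "alcohol use disorder",
    "treatment_program": "Outpatient program A",
}


def masked_view(record, requester_role, consented_roles):
    """Return a copy of `record` for `requester_role`.

    Sensitive items are masked unless the requester holds a clinical role
    AND the patient's signed consent names that role.  An empty consent set
    models a patient who opted out entirely.  The stored record itself is
    never modified: the generating source keeps the full information.
    """
    view = deepcopy(record)
    allowed = requester_role in CLINICAL_ROLES and requester_role in consented_roles
    for field in SENSITIVE_FIELDS:
        if field in view and not allowed:
            view[field] = MASK
    return view


def is_fully_masked(view):
    """True when no sensitive item is visible in `view`."""
    return all(view.get(f, MASK) == MASK for f in SENSITIVE_FIELDS)
```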
Encryption is another way to protect highly confidential information. This method uses a key or password to transform the data into a different, encrypted output, and only the matching key or password can reverse that transformation, which makes it extremely difficult for hackers or other unauthorized users to obtain sensitive medical information included in EHRs. When the system requests the masked data, it simply will not be provided to unauthorized users. The generating source, however, is privy to all of the medical information.
Done properly, encryption is a fairly safe method for securing EHRs, and decoding the encrypted information without the key is considered quite difficult and time consuming. Note: when implementing encryption, it is important to recognize that hackers usually get in before the data is encrypted or after it is decrypted. Therefore, it is extremely important to have a secure system from the very beginning to the very end of the process.
Another technique for keeping EHRs confidential is hashing of data. Unlike encryption, hashing is one-way: there is no key that recovers the original. Hashing should therefore be used only for data that the user will not need in the future, as it cannot be retrieved; the data is transformed into a fixed string of characters that bears no resemblance to the original content. This can be applied to passwords or sets of numbers, such as zip codes.
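As an added example that is not part of the original article, the following Python applies one-way hashing to the two kinds of data the paragraph names: a discrete field such as a zip code (keyed, so that a field with few possible values stays pseudonymous while equal values still group together) and a password (slow, salted PBKDF2). The key, the salt handling and the sample values are constructed for the demo.

```python
# Added example (not from the article): one-way hashing of discrete EHR
# fields. Key, salt handling and sample values are constructed for the demo.
import hashlib
import hmac
import os


def plain_hash(value):
    """Unkeyed SHA-256: deterministic and not reversible by any key.  Suitable
    only for high-entropy input; a 5-digit zip code has just 100,000 possible
    values, so an unkeyed digest of it can be matched by recomputing them all."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_hash(value, key):
    """HMAC-SHA256: same one-way property, but without the secret key nobody
    can rebuild the digest table, so low-entropy fields such as zip codes stay
    pseudonymous.  Keep the key separate from the de-identified data set."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def pseudonymize(records, field, key):
    """Replace `field` in every record with its keyed digest; equal values map
    to equal digests, so records can still be grouped or joined on the field."""
    out = []
    for rec in records:
        rec = dict(rec)
        rec[field] = keyed_hash(rec[field], key)
        out.append(rec)
    return out


def hash_password(password, salt=None, iterations=600_000):
    """Passwords need a slow, salted hash (PBKDF2 here) rather than a bare
    digest, so guessing remains expensive even for weak passwords."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=600_000):
    """Constant-time comparison avoids leaking how many bytes matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)
```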
Another level of data masking is known as data obfuscation. This technique de-identifies personally identifiable information. With this method, it is not necessary to physically mask the data. It is a flexible technique that limits sharing of highly sensitive medical information, which makes it hard for hackers, as well as unauthorized staff, to access the information. Apart from patients “opting out” or choosing complete exclusion of data, data transformation techniques preserve the data elements necessary to carry out quality patient treatment while modifying data in a way that destroys the original values or correlations, although some information is lost in the process. This is usually applied to statistical data and data sets where individual data elements are transformed.
To preserve privacy in EHRs while still making use of sensitive data, data perturbation is another viable technique. The data is perturbed once, and the actual data is never released; only aggregate data (or trends) are released. Random noise can be added to the data.
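As an added example that is not part of the original article, the following Python perturbs individual values once with random noise and releases only aggregates of the perturbed copy; the minimum group size, the noise scale, the fixed seed and the sample values are constructed assumptions for the demo.

```python
# Added example (not from the article): data perturbation for a release of
# aggregate statistics only. Sample values, noise scale, minimum group size
# and the fixed seed are constructed for this demo.
import random
from statistics import mean

# Constructed sample: days in treatment for eight patients (not real data).
DAYS_IN_TREATMENT = [30, 45, 60, 90, 120, 75, 50, 40]


def perturb(values, scale, seed=None):
    """Add zero-mean Gaussian noise once to each value.  Only the perturbed
    copy ever leaves the system; the originals stay with the generating
    source.  A seed makes the demo repeatable; with seed=None the noise comes
    from the OS entropy source so each release is unpredictable."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    return [v + rng.gauss(0, scale) for v in values]


def release_aggregates(values, scale, seed=None, min_group=5):
    """Release only aggregates (count and mean) of the perturbed values, and
    refuse groups too small for an aggregate to hide any individual."""
    if len(values) < min_group:
        return None
    noisy = perturb(values, scale, seed)
    return {"n": len(noisy), "mean_days": round(mean(noisy), 1)}
```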
Some companies, however, are producing software applications that bypass the need for data masking techniques altogether. For instance, IBM reports a system of theirs called MAGEN, which views information as pictures and intercepts the information before it is displayed on the screen. It can identify confidential or non-approved/non-consented EHR content, which the system hides from the unauthorized user. MAGEN does not alter the information in any way, and the data is not officially masked or eliminated. Patients can choose at what level (per screen structure or per application) exactly which information within their EHR they do not want shared. This could also be helpful for customer service representatives who need to access patient records but who are not authorized to view the entire EHR.
So, while the Health Insurance Portability and Accountability Act of 1996 (HIPAA) does attempt to protect patient privacy, some feel it allows too many entities that are not required to protect the confidential doctor-patient sanctity. In Whalen v. Roe, 429 U.S. 589 (1977), the Supreme Court upheld the constitutional privacy protection of personal health information. And the Fourth Amendment to the United States Constitution dictates “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated.” Many healthcare providers, especially those who treat patients diagnosed with substance and alcohol abuse, are concerned that laws regulating patient confidentiality in EHRs are being overlooked. EHR regulations need to be tightened to adhere more closely to CFR 42, for the dual purpose of keeping the provider-patient relationship sacred while maintaining patient confidentiality. As time goes on, with more information and discussion as well as an increasing number of advocacy groups and strong individual concerns, patients and providers alike should see improving legislation, but the dialogue must continue, and regulations have room for improvement.