Electronic records pose new security challenges

Fingerprint technology one solution

Securing patient information presents a special challenge when a hospital makes the move from paper to electronic medical records, but one Florida facility is determined to meet that challenge head-on. While Sarasota Memorial Hospital is in the process of piloting a computerized patient record system, it also is testing the use of fingerprint imaging technology for securing those records.

Even when a hospital has very good systems in place for ensuring patient record confidentiality, people will still be nervous about electronic records, and that issue must be addressed, says Jim Turnbull, chief information officer. "As we go to an almost 100% electronic patient record, we feel that for our own security and the security of our patients, we’ve got to add another layer to the system," Turnbull explains.

With finger imaging technology, a health care provider’s fingerprint replaces passwords, PINs, or cards to verify his or her identity and authorize access to electronic records. Since a fingerprint is a biological characteristic linked absolutely to one individual, security is enhanced because it can’t be lost, stolen, forgotten, or altered.

Sarasota Memorial is among the first organizations in the health care industry to test fingerprint security systems. When the hospital sought the new technology, hospital managers had to look outside the health care field for benchmark sites. Several state governments use the technology to reduce fraud in their general assistance programs by positively identifying recipients of state aid.

In addition, a few other health care organizations are conducting pilots of similar systems. The pilots include a major university research project to positively identify children and tie them to their immunization and allergy records; a health care system pilot to positively identify patients and tie them to their medical records; and a test of the system for use within a physician’s clinical practice.

Despite the lack of a long-term track record in health care, the finger imaging system pilot was justified by the security issues associated with Sarasota Memorial’s pending switch to electronic medical records, administrators say. The hospital chose a system from The National Registry, in St. Petersburg, FL. It consists of a Personal Authentication Scanner and Finger-Image Identification software, which work on any Windows-compatible personal computer. Cost for the system is $500 to $1,000 per work station, depending on the number and level of medical personnel a hospital enrolls.

The first phase of the pilot was the installation of the system on a personal computer in the doctors’ lounge. The goal is to introduce physicians to the technology and to enroll their fingerprint images by scanning them into the system.

The second phase will begin in March, when the hospital rolls out the system onto a nursing unit work station. According to Turnbull, the system will allow multidisciplinary access to patient records — whether it be a nurse, a pharmacist, or a respiratory technician — but only on a need-to-know basis. For instance, nurses will only have access to patient records on their floor.

Audit trail deters inappropriate access

Physicians are assigned privileges to access the records of all their patients. In addition, they can access the charts of other physicians’ patients, but will leave an electronic audit trail in the process. Turnbull sees this trail as another critical piece in securing automated patient records.

"A physician may ask another doctor to check on one of his patients, but the doctor won’t be able to open the patient’s record unless he registers the reason for the access," says Turnbull. "Every such occurrence prints out on a report, which is evaluated to make sure the access was appropriate. One of the issues we have with our current system is that it’s much more difficult to identify unauthorized access."
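The access rules and audit trail described above, sketched as an added example (not Sarasota Memorial's or the vendor's code). Role names, field names, and the sample users and records are assumptions constructed for illustration; roles whose rules the article does not spell out are denied by default.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    role: str                          # "physician" or "nurse" (assumed role names)
    floor: str = ""                    # a nurse's assigned floor
    patients: frozenset = frozenset()  # ids of a physician's own patients

@dataclass
class Record:
    patient_id: str
    floor: str

@dataclass
class AccessControl:
    audit: list = field(default_factory=list)

    def request(self, user, record, reason=""):
        """Decide one access request; every decision lands in the audit trail."""
        reason = reason.strip()        # a blank reason counts as no reason
        if user.role == "nurse":
            ok, kind = record.floor == user.floor, "floor"
        elif user.role == "physician" and record.patient_id in user.patients:
            ok, kind = True, "own-patient"
        elif user.role == "physician":
            ok, kind = bool(reason), "other-physician"  # reason must be registered
        else:
            ok, kind = False, "unknown-role"            # assumed default: deny
        self.audit.append({"user": user.name, "patient": record.patient_id,
                           "kind": kind, "granted": ok, "reason": reason})
        return ok

    def review_report(self):
        """Cross-physician access attempts, for a reviewer to evaluate."""
        return [e for e in self.audit if e["kind"] == "other-physician"]

def demo():
    # Constructed sample data: one physician, one nurse, two patient records.
    ac = AccessControl()
    dr_a = User("dr_a", "physician", patients=frozenset({"p1"}))
    nurse = User("nurse_3w", "nurse", floor="3W")
    p1, p2 = Record("p1", "3W"), Record("p2", "5E")
    results = [ac.request(dr_a, p1), ac.request(dr_a, p2),
               ac.request(dr_a, p2, "covering for attending"),
               ac.request(nurse, p1), ac.request(nurse, p2)]
    return results, ac.review_report()
```

The review report lists both the refused attempt without a reason and the granted one with its stated reason, which is what lets a reviewer judge whether each access was appropriate.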

Initially, physicians will be able to order tests, view results, and extract other data from the patient record with the click of a mouse. Turnbull notes that the hospital is now taking steps to integrate its systems, so that by the end of the year, doctors also will have access to information like radiology images and ultrasounds.

The program also will test the utilization of a Secure Screen Saver. This provides a way to secure publicly visible electronic medical records. When a health care employee steps away from the work station, the Secure Screen Saver will activate, preventing onlookers from viewing confidential information on the computer screen.

Sarasota Memorial is planning for its security pilot to last through October, to coincide with full implementation of its electronic records project. One measure of success, says Turnbull, will be user acceptance — at the physician level and among other caregivers. And after implementation? Turnbull says the greatest measure of success will be the absence of any evidence of inappropriate or unauthorized access.