Medical Device Security Challenges

Behind lifesaving medical devices are Cyber Experts hard at work to secure and protect Patient Health Information (PHI). Check out this video on securing medical devices.

Cutting edge medical devices save lives! Not only do they save lives but they carry a vector of complicated communications and a unique set of security challenges. Cyber Security Expert Lee Neubecker, sits down with Sterling Medical Device’s top engineer, Keith Handler who develops cyber protection and security for their client’s medical devices.

Sterling Medical Devices helps companies design and develop mechanical & electronic medical devices and follows them through FDA approval. The conversation is educational and important to those interested in knowing how medical devices are cyber protected and secured. In this video, they outline the concerns that relate to the control, security, and confidentiality of the patient’s health information (PHI) when using these medical devices.

The transcript of Part 1 of our Series in Medical Device Security

Lee Neubecker: Hi, I have Kieth Handler here on my show from Sterling Medical Devices. Keith is a top engineer here that helps ensure cybersecurity and resilience and protection of medical devices of their clients. They help assist through the FDA certification process. Keith, thank you, thank you for being on my show.

Keith Handler: Thanks for having me, Lee.

LN: So can you tell me a little bit about what your firm does and how it helps clients in cybersphere?

KH: Yeah, sure. Sterling Medical Devices is a 13485 certified product development firm. We help various companies design and develop electro-mechanical medical devices. Pretty much from, anything from concept all the way to submission to the FDA.

LN: So, can you tell everyone what, ISO…?

KH: 13485?

LN: 13485 Certification means?

KH: Yes that is, that is the ISO standard that defines the product development and manufacture of medical devices. It defines all the processes that we generally run our business by.

LN: Okay, so what are some of the concerns that you have as it relates to the patient personalized information, sometimes known as PHI? Is that right?

KH: Yeah, patient help information, that’s correct. Well, you know, our first concern, of course, with any medical device is safe. We want to make sure that the devices are treating patients as intended and not presenting any undue harm to the patient or anybody else. The second thing is the Patient Help Information. It’s very important that we maintain confidentiality for all patients, in any of these systems. Diagnostics, their personal information, all need to be protected.

LN: These devices, they have PHI, they also have, they also are involved with the generation of electronic medical records, known as EMR, that feed into the various hospital systems that are used to provide and deliver healthcare to users. As it relates to this, what are some of the top concerns that you try to address as it pertains to safety for your clients?

KH: Well, when it comes to information or command and control that can be done remotely on a device, it’s again important to maintain the integrity of those communications, and to protect everything there. One of the hardest aspects, I would say, is integrating a medical device into a larger hospital system. We may have control over the confidentiality of the information, and of the commands that are sent and received within a device, but as soon as we connect to an external system we lose control of that data. So, it becomes a unique challenge to try and make sure we are protecting, and not only in our system but also in any system ours might integrate with.

LN: Yeah, and there’s such a myriad of ways devices connect, Bluetooth, wifi–

KH: Yes.

LN: I’m not sure if medical devices use infrared or–

KH: Yes.

LN: Near band communication, but there are all these vectors of communication that create new threats and potentials for compromise.

KH: And typically medical hardware is pretty cutting edge, you know, some of the things that they’re trying to treat now still can’t. So all of these things that you’re bringing up, all exist in medical, all need to be protected.

LN: Great, so in our next segment we’ll be talking a little bit more about the FDA, the certification process, and some of the standards that devices might undergo to help ensure adoption by the FDA, and to make them commercially viable to be sold in the United States. And then, in our third segment, we’ll talk more about protecting devices against cyber compromise, the firmware and software that gets embedded into these devices, and other things that should be done to help keep medical devices safe and secure. Thanks for being on the show today.

KH: Thanks again for having me, Lee.

Related Materials on Medical Malpractice

Forensic Imaging

See more about Sterling Medical Devices on their website.

https://sterlingmedicaldevices.com/

See other related websites for more information about Medical Device security.

FDA ISO Standards

https://www.iso.org/standards.html

FDA Medical Device Cybersecurity Guidelines

https://www.fda.gov/medical-devices/digital-health/cybersecurity

Understanding EMR Audit Trails

Understanding EMR Audit Trails is important to any company dealing with (PHI). They must have all the necessary security measures in place and follow them to ensure HIPAA Compliance.

Understanding EMR Audit Trails is essential to a patient’s medical history In medical malpractice litigation. The Health Insurance Portability and Accountability Act (HIPAA) requires that the Electronic Medical Records (EMR) maintain an audit trail including all of the metadata. This EMR audit trail is a piece of highly relevant evidence as to who accessed what in the record, what entries were made and/or changed, by whom and when. Computer Forensic experts are key to effective electronic discovery during medical malpractice litigation.

How do hospitals record, protect, and store data? HIPAA sets the guidelines for the most highly sought after information by the world’s best technology hackers. Medical records are worth 4 times more than credit card information. Managing Personal Healthcare Information (PHI) places Healthcare facilities at risk of cyber attack 24/7, 365 days a year.

Check out this video with Enigma Forensics, President & CEO, Lee Neubecker, and John Blair, a noted Healthcare Industry Cyber Security Expert where they discuss the importance of protecting Personally Identifiable Information (PII).

Lee Neubecker and John Blair

Understanding EMR Audit Trails video transcript follows:

This is the third of the last video in the three-part series on Health Care Industry Cyber Threats:
Watch Part 1, Watch Part 2

Lee Neubecker: Hi, I have John Blair, a cyber security expert in the field of healthcare, and John is also involved with understanding patient medical, electronic medical record (EMR) audit trails, so I asked him to come on the show and talk a little bit about that with me. John, thanks for coming back on the show.

John Blair: Thanks, Lee. Glad to be back.

LN: So John, can you tell everyone a little bit about what HIPAA requires of healthcare organizations as it relates to tracking data of caregiving and the patients?

JB: Sure. Most of this is obviously directed at hospitals, but HIPAA also has things called business associates, and any interaction from any entity with, or any user with, PHI is going to be subject to these audit logging. Hospitals use systems called EMRs, so generally those, the audit trails are built into the EMRs by default, but obviously entities can turn those off if they so choose or configure them differently. HIPAA requires that you pretty much log any interaction, whether it’s read-only, view-only, edit, whatever that interaction might be. Identify the user, identify the time, what was done to the record, and that has to be maintained for several years. So it doesn’t matter what a user does with the record. Even if they just view it, that counts as a valid interaction and has to be logged and maintained.

LN: In fact, all of these hospital software systems out there have to be HIPAA compliant, or else the hospitals wouldn’t be able to use the software packages. Isn’t that true?

JB: Right, right. There’s a lot of federal regulations regarding that, that the standards that these systems have to meet in order to get refunds or rebates from the government.

LN: So Medicare funding, reimbursement, obviously is important.

JB: All of that stuff. And audit logs of user activity and interactions, or any interaction with PHI, is a critical component of that.

LN: You know, what I’ve seen is sometimes despite the software packages being EMR, audit trail compliant, that there’s the ability for the software that’s deployed to be altered so that the audit trails aren’t retained as long as required by law.

JB: Yeah, sometimes the storage of the audit logs, it can be overwhelming. So oftentimes they are archived offsite or inappropriate access is given to the audit log itself. And then it possibly can be changed, which ruins the integrity of the log, obviously, and that would be a very bad thing should something come up down the road and you needed that log.

LN: Yeah, and certainly, someone who has the master database administrator password to that back-end system, they could do whatever they wanted.

JB: Yup. But there’s supposed to be logs of that activity, as well, and reviews of those logs, but you’re absolutely right. If you’re an administrator, you can do a lot of damage.

LN: Yeah, I’ve assisted clients before involved in litigation, medical malpractice litigation, with just seeking the truth of what’s there in the records. Most of the time, they think many hospitals are compliant and do have those audit trail records.

JB: Absolutely.

LN: But, they don’t necessarily want to make that data readily available.

JB: No, they don’t. And it depends, it’s a case-by-case scenario, under the advice of counsel and things like that, but it’s very, very sensitive information, and obviously, it’s a public relations nightmare to have a breach of patient data, so they take those things very, very seriously.

LN: Absolutely. So can you tell everyone what PHI stands for?

JB: It’s Protected Health Information, as defined by HHS, there are 18 very specific fields that comprise PHI. PHI is a subset of PII, which is Personally Identifiable Information, but with respect to healthcare, it’s primarily PHI that we’re worried about and those 18 identifiable fields.

LN: Why would hackers want to target health care records?

JB: It’s far more valuable now than several years ago, it was credit card information, basically for year after year. Now, the credit card companies and technology with respect to how quickly a card can be replaced and deactivated. And so, just more money in it to steal medical information. And there’s more flexibility, as well. You can go get drugs, you can do a variety of things, whereas, with the credit card, it’s just money.

LN: If people wanted to launch a targeted scam on individuals, certainly having records that would enable them to filter patients that have Alzheimer’s, might give them an unfair advantage at duping people out of their savings.

JB: Absolutely. Because generally if you get someone’s entire record, you’re getting everything about them: their Soc number, their address, phone numbers, relatives, I mean, all this information is now at your disposal. And loans can be taken out in their names, it’s just a disaster waiting to happen.

LN: So Electronic Medical Records, known as EMR, represent an important target that hackers seek, because of the value of that information, and the uniqueness.

JB: Yup. The price of those records, per record, now varies, but I believe it’s in the $150, $200 range per record if it’s a breach now, and laptops can hold hundreds of thousands of records. So it can be very, very expensive.

LN: But it seems that this is a problem, too, that it isn’t just localized to any one area, it’s universal.

JB: Yeah, it’s across the board. Anyone dealing with PHI has this problem.

LN: How does the cost of a patient medical record compare to a credit card record, compare to the black market?

JB: Yeah, for the last several years, medical records have gained in value every year, while financial records, credit card information have devalued. And it’s to the point now where medical information’s worth four times as much as financial information. And that’s only increasing.

LN: So does that mean that people that work in the healthcare sector in IT and security are going to get paid four times as much as the people of the financial sector?

JB: I wish.

LN: Well, thanks again for being on the show, this was a lot of good stuff. I appreciate this.

JB: Thanks, Lee, appreciate it.

Other related stories about EMR Audit Trails

Other resources to learn more about EMR Audit Trails.

https://www.cdc.gov/phlp/publications/topic/hipaa.html

Patient Medical Records: Metadata as Evidence in Litigation

ELECTRONIC MEDICAL RECORDS:

Metadata As Evidence in Litigation

By James G. Meyer* Jonathan P. Tomes** and Lee Neubecker***
As published: Vol. 101 #8, August 2013. Copyright by the Illinois State Bar Association www.isba.org

Doctor and hospital records are changing. The paper medical records that we have been familiar with, along with the rest of the “written” world, are becoming electronic —that is, written, maintained, and retrieved as digital data.

Because of many emerging “after entry” benefits, federal and state governments, insurance companies, and medical institutions are heavily promoting the adoption of Electronic Medical Records (“EMR”).[1] For example, the HITECH Act (American Recovery and Reinvestment Act of 2009[2]) includes both incentives and penalties in its calculations to encourage adoption of electronic records, versus continued use of paper records. The Act allows benefits of up to $44K per physician under Medicare or up to $65K over six years under Medicaid for adoption of electronic records. Additionally, Congress decreased Medicare/Medicaid reimbursements to doctors who fail to use electronic medical records by 2015 for covered patients.

This change in medical record keeping and changes in the laws and regulations associated with electronic medical record keeping are creating significant changes in what and how information may become evidence in litigation.

Attorneys who deal with medical records in any type of litigation should be aware of the changes in the following areas:

I. Electronic Medical Records and HIPAA

II. PHI as Electronically Stored Information

III. What is Discoverable: Metadata and Computer Forensics

IV. A Word about Encryption

V. Discoverability and Admissibility of Electronic Medical Records and Metadata

I. ELECTRONIC MEDICAL RECORDS AND HIPAA

Before the advent of electronic medical records, The Illinois Administrative Code itemized the minimum requirements for the content, management, and administration of medical records.[3]

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)[4] sets out a comprehensive set of rules, safeguards, and definitions that are, effectively, applicable to most health care providers that use computers and electronic storage devices to store or transmit patient medical records. Excepted from the statute are institutions that do not transmit billing transmissions to and from Medicare/Medicaid or other health plans, an uncommon circumstance. With the HITECH Act’s incentives to use electronic health records, more and more providers will do so.

What we have understood to be doctor and hospital medical records, HIPAA defines more comprehensively as health information: “any information, whether oral or recorded in any form or medium, that:

i. Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and

ii. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.”[5]

Under HIPAA, Protected Health Information(“PHI’) is “individually identifiable health information” that is:

i. Transmitted by electronic media;

ii. Maintained in electronic media; or

iii. Transmitted or maintained in any other form or medium.”[6]

II. PHI AS ELECTRONICALLY STORED INFORMATION

To understand where and how EMR systems “transmit” and “maintain” PHI, it is helpful to use the terminology of computer experts. From their viewpoint, HIPAA’s PHI is Electronically Stored Information (“ESI”).

ESI is data stored, processed, retrieved or transferred by “Electronic Storage Devices.”[7] Electronic Storage Devices – a subclass of Electronic Media – are commonly known as diskettes, Flash Drives and CD/DVD Disk media. Both Electronic Storage Devices and Electronic Media are capable of containing ESI (thus PHI).

Electronic Storage Devices capable of storing ESI can be classified into two main categories – Non-Volatile Electronic Storage Devices and Volatile Electronic Storage Devices.

Non-Volatile Electronic Storage Devices store data on a more or less permanent basis, but can often be deleted or destroyed. These can be grouped into several categories – Primary Storage Devices, Secondary Storage Devices, Offline Backup/Archival, and “In the Cloud.” Examples of each are:

Primary Storage Devices

(1) Hard Disk Drives

(2) Disk Media

(3) ROM / PROM / EPROM

(4) Solid State Drives (Flash Storage)

(5) SIM Cards

(6) Multi Media Cards (SD, SDHC, SDXC, SDIO, and Others)

(7) Smart Cards, Chip Cards or Integrated Circuit Card

(8) Paper Based Storage (Punch Cards, Bar Codes, Scantron)

Secondary Storage Devices

(1) USB Thumb Drives / Flash Drives

(2) External Hard Disk Drives

(3) Disk Media (Floppy Disk, CD, DVD, Blue Ray)

(4) Radio-Frequency Identification (RFID) Tags

Offline Backup / Archival

(1) Magnetic Tape

(2) Disk Media (Floppy / CD / DVD / Blue Ray)

(3) Bar Code Paper Records

(4) CD / DVD Disk Media

In the Cloud (Utilizes all types of Storage)[8]

Volatile[9] Electronic Storage Devices retain a good deal of ESI for a discrete period of time, e.g. until such time that the Volatile source loses power. The RAM in a computer is an example of Volatile Electronic Storage Devices.

ESI may be transmitted between Electronic Storage Device sources via the internet, extranets, infrared, radio, Wi-Fi, Satellite, Cable, Broadband, cellular, leased lines, barcode, dial-up telephone lines, private networks, connected external devices, and devices that are physically moved from one location to another using magnetic tape, disc, or compact disc media.[10]

A patient’s PHI maintained in any of these Electronic Storage Devices or transmitted by any of these means of electronic transmission are potential sources of discoverable information. Smart phones and PDAs are increasingly used in association with electronic health data. Industry sources estimate that “in 2010, more that 50 percent of physicians were using smartphones or PDAs on a regular basis in clinical decision making.”[11] As an indication of how important mobile devices have become in healthcare, the Healthcare Information and Management Systems Society (“HIMSS”), a leading non-profit industry group, has formed a separate entity, mHIMSS, to focus exclusively on the use of mobile and wireless technologies in healthcare.[12]

III. WHAT IS DISCOVERABLE: METADATA AND COMPUTER FORENSICS

The Department of Health and Human Services (“DHHS”) regulations implementing HIPAA govern PHI with both a Privacy Rule[13] and a Security Rule[14]. As their names imply, the rules require adoption of enumerated standards and safeguards so that covered entities protect a patient’s electronic (and paper) medical records from unauthorized access,[15] tampering, or destruction[16].

Attorneys that have been involved with medical records in litigation since the enactment of HIPAA and the implementation of the DHHS regulations are generally aware that the Privacy Rule enumerates the ways to obtain PHI from health care providers during discovery by the use of written authorization or subpoena.[17]

In addition to delineating how to obtain PHI, HIPAA’s Privacy Rule also requires that covered entities have procedures in place to give individuals an accurate accounting of disclosures of their PHI in cases in which an accounting is required.[18]

HIPAA’s Security Rule requires that a covered entity “ensure the confidentiality, integrity and availability of all electronic PHI the covered entity creates, receives, maintains or transmits”.[19] The standard specifically defines “confidentiality” as “the property that data or information is not made available or disclosed to unauthorized persons or processes” and “integrity” as “the property that data or information have not been altered or destroyed in an unauthorized manner.”[20]

In order to implement the Privacy and Security Rules, HIPAA requires covered entities to use “audit controls,” such as “hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information”[21] and to “implement procedures to regularly review records of information system activity, such as audit logs, access reports and security tracking reports.”[22] The Metadata generated by these audit control systems, about the access and use of a patient’s records and the use and operation of the computer device maintaining or transmitting the records, is typically not part of the formal medical record. But it can often be a gold-mine of important information that would not otherwise be obtainable in discovery.[23]

For example, Metadata in the form of an audit log or audit trail may be helpful with faulty or incomplete memories. An audit trail is a record of who, when, where, how and sometimes why a person used a computer program or accessed a patient’s medical record. Typically, the identity of the user who accesses the patient’s record, the time of access, the terminal or device used for access, the action taken by the user (i.e., viewing the record, changing the record), and the substance of anything added to the record and any changes or corrections made by the user are recorded in the Metadata which can be reproduced in the form of an audit trail or log. In a case known to the authors, a hospital audit trail produced during discovery, showing the “terminal identifier” for an EMR entry (the unique number assigned to each computer terminal in the EMR system) resulted in a nurse changing her testimony when it disclosed she was using a computer terminal in another part of the hospital, and was not with the patient, as she had testified.

Metadata, such as in an audit trail, is captured automatically by the EMR system. As a result, the audit trail should correspond, entry by entry, to the patient’s medical chart or record. If an entry in the audit trail shows data was added, changed or deleted, a corresponding entry should appear in the patient’s chart, and vice versa.

Metadata found in a forensic image of a medical record may be more helpful. A “forensic image” is not simply a copy of the electronic record; it is a bit-for-bit copy of all sectors of the media involved and must be done properly.[24] In a case known to the authors, the analysis of the Metadata on a video disk of a surgical procedure produced during discovery showed that the several of the video clip files in the series of video files that were generated during the procedure were deleted, with the remaining video clips renumbered in an apparent attempt to conceal what transpired during the missing video clips. An analysis of the DICOM video clip embedded Metadata within the contents of each of the DICOM video files revealed the original clip sequence numbers were different for the last few video clips. The file Metadata compared to the DICOM video clip embedded Metadata implied an intentional manipulation of the data in order to alter the events that actually occurred.

IV. A WORD ABOUT DATA ENCRYPTION

Data encryption does not ensure the confidentiality or integrity of PHI. HIPAA’s data encryption standards allow health care providers, health insurance companies and business associates who transmit, store or access protected health information in electronic form to utilize a standardized level of data encryption when encryption is reasonable and appropriate. The Advanced Encryption Standard (AES) is an Federal Information Processing Standards (FIPS) approved cryptographic algorithm used to protect electronic data and is quite prevalent in the healthcare industry to secure data-at-rest, data-in-motion and data-in-transit.[25]

PHI data is vulnerable when actively used and stored in volatile memory. Much of a patient’s information is stored unencrypted in volatile memory when a computer device is actively working with a patient’s record or following the access of a patient’s record until such time that the data is discarded automatically or the computer device shuts off. Anyone with physical or network access to the device or a strong hacker skill set would have a reasonable opportunity to capture the non-encrypted information stored in volatile memory.

Another vulnerable area of risk is when PHI is in transit without the appropriate encryption safeguards. Encrypted ESI using today’s standards is unlikely to be compromised while in a data-at-rest, data-in-motion and data-in-transit state. But, ESI containing PHI is unencrypted at the point of service on a portable or fixed computing device. These devices are sometimes not properly secured with the appropriate physical and network security protections required, providing an opportunity to manipulate the unencrypted data.

V. Discoverability and Admissibility of Electronic Medical Records and Metadata

Illinois Supreme Court Rules make electronic data discoverable. Under Rule 201, “General Discovery Provisions,” discoverable “documents” include “all retrievable information in computer storage.”[26] Rule 214, “Discovery of Documents, Objects, and Tangible Things,” specifically requires production of “all retrievable information in computer storage in printed form.”[27]

Medical records have long been admissible as an exception to the hearsay rule. Before adoption of the Illinois Rules of Evidence (effective January 1, 2011), Illinois Supreme Court Rule 236(b), as amended in 1992, was generally accepted as permitting the admission into evidence of medical and hospital treatment records, in written or computer form, as business records. That rule is silent, however, as to computer generated “data” or “data compilations.” Any confusion in that regard seems resolved in the new Rules of Evidence.

In the first instance, much of the Metadata recorded in an electronic medical record may not be hearsay at all. Rule 801 defines a hearsay “statement” as the oral or written assertion or conduct of a “person.”[28] Automatically imprinted Metadata, is not the assertion or conduct of a person. See, People v. Holowko, 486 N.E.2d 877, 109 Ill. 187 (1985) (recognizing the difference between computer stored information, which may be hearsay, and computer generated information, which is not hearsay). Recorded Metatdata in an EMR system is similar to images recorded on surveillance cameras, which are not hearsay. People v. Tharpe-Williams, 676 N.E. 2d 717, 286 Ill. App. 3d 605 (1997). Because Metadata involves no human input in its creation, other than the actions taken by the user in creating or manipulating the file or record referenced by the Metadata, it is non-hearsay evidence.[29]

To the extent that Metadata does include human input, the new rules provide a hearsay exception for “a memorandum, report, record, or data compilation, in any form, of acts, events, conditions, opinions, or diagnoses” kept as part of a regularly conducted business activity.[30] In addition, the new rules make “writings” and “recordings,” defined to include “numbers . . . set down by . . . magnetic impulse, mechanical or electronic recording, or other form of data compilation,”[31] admissible as “duplicates”[32] or when offered “in the form of a chart, summary, or calculation.”[33]

Although Illinois decisions on the admission of electronic data are not as common as cases in the federal courts, Illinois cases predating the new rules have approved its admission. See, for example, Bachman v. General Motors, 776 N.E.2d 262, 332 Ill.App.3d 760, 267 Ill. Dec. 125 (2002), (approving admission of data retrieved from an automobile crash sensor in a personal injury case).

CONCLUSION

Medical records are in a state of transition from paper records to electronic data. Being aware of the changes to HIPAA, the HITECH Act, the DHHS Privacy Rule and Security Rule, and the capabilities of computer forensics, are necessary in dealing with electronic medical records as evidence.

*James G. Meyer is an attorney who practices in the law firm of Ialongo & Meyer in Chicago.

**Jonathan P. Tomes is an attorney admitted in Illinois, Missouri, Kansas, and Oklahoma who practices in the law firm of Tomes & Dvorak, Chartered, in Overland Park, Kansas, and consults around the country on HIPAA and the HITECH Act. He has also served as an expert witness on HIPAA, medical records, and the Federal Tort Claims Act in cases in Illinois, Washington, DC, and Colorado.

***Lee Neubecker is a computer forensics expert and the principal of Enigma Forensics, a Chicago based computer forensics & expert witness consulting firm.

Notes

[1] We mean “EMR” to include Electronic Medical Records (digital information created, gathered, managed and consulted by clinicians and staff within one health care organization), Electronic Health Records (“EHR”) (digital information that may be operated by clinicians and staff across more than one healthcare organization – sometimes referred to as “interoperability”) and Personal Health Records (“PHR”) (digital information that can be accessed and created by patients themselves). See, http://www.healthit.gov/providers-professionals/faqs/what-difference-between-personal-health-record-electronic-health-record

[2] U.S. Department of Health and Human Services Centers for Medicare & Medicaid Services, 42 C.F.R. Parts 412, 413, 422, et seq., Medicare and Medicaid Programs; Electronic Health Records Incentive Program; Final Rule; Title XIII of the American Recovery and Reinvestment Act of 2009, the Health Information Technology for Economic and Clinical Health Act, Subtitle A, Part 2, Subtitle C (hereinafter “HITECH Act”).

[3] 77 Ill. Admin. Code § 250.1510(b)(2).

[4] Public Law 104-191, 110 Stat. 1396 (1996).

[5] 45 C.F.R. §160.103.

[6] Id. (Note that PHI may also consist of paper records and oral communications).

[7] storage media

[8] The National Institute of Standards and Technology (“NIST”) of the U.S. Department of Commerce has defined cloud computing as follows:

Cloud computing has been defined by NIST as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or cloud provider interaction.

Peter Mell, Tim Grance, The NIST Definition of Cloud Computing, Version 15, October 7, 2009 at http://csrc.nist.gov/groups/SNS/cloud-computing. More and more large health care providers are hiring outside hosts to maintain their electronic health records “in the cloud,” using large companies like Google, Microsoft, or Amazon or smaller companies that provide hosting only for medical records.

[9] http://en.wikipedia.org/wiki/Volatile_storage

[10] Id.

[11] Putzer, J. MD, Park, Y, Are Physicians Likely to Adopt Emerging Mobile Technologies? Attitudes and Innovation Factors Affecting Smartphone Use in the Southeastern United States, Perspectives in Health Information Management, Spring 2012. p. 2, at http://www.perspectives.ahima.org/attachments/article/241/ArePhysiciansLikelyTo AdoptEmergingMobileTechnologies_final.pdf (last visited January 14, 2013).

[12] http://www.mhimss.org/about-us (last visited February 25, 2013).

[13] 45 CFR §164.500, Subpart E, Privacy of Individually Identifiable Health Information. (The Privacy Rule applies to both paper and electronic medical records.)

[14] 45 CFR §164.302, Subpart C, Security Standards for Protection of Electronic Protected Health Information.

[15] 45 CFR §164.502 Uses and disclosures of protected health information: general rules.

“(a) Standard. A covered entity may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter.”

[16] 45 CFR §164.306 Security standards: general rules.

“(a) General requirements. Covered entities must do the following:

(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information he covered entity creates, receives, maintains, or transmits.”

[17] See generally, 45 CFR §§ 164.506, 164.508, 164.510, 164.512.

[18] 45 C.F.R. § 164.528.

[19] 45 CFR §164.306(a)(1).

[20] 45 CFR §164.304.

[21] 45 C.F.R. § 164.312 (b) Standard: Audit controls.

[22] 45 C.F.R. § 164.308(a)(1)(D).

[23] See Thomas R. McLean, EMR Metadata Use and E-Discovery, 18 Ann. Of Health Law 75 (2009).

[24] hard drive imaging

[25] http://www.hipaacompliancejournal.com/2011/03/knowing-about-advanced-encryption-standard-aes/

[26] Ill. Sup. Ct. Rule 201 (b)(1).

[27] Ill. Sup. Ct. Rule 214. The Committee Comments to Rule 214 further clarify. “The first paragraph has also been amended to require a party to include in that party’s production response all responsive information in computer storage in printed form. This change is intended to prevent parties producing information from computer storage or computer discs or in any other manner that tends to frustrate the party requesting discovery from being able to access the information produced. Rule 201(b) has also been amended to include in the definition of ‘documents’ all retrievable information in computer storage, so that there can be no question but that a producing party must search its computer storage when responding to a request to produce documents pursuant to this rule.”

[28] Illinois Rule of Evidence 801(a).

[29] See generally, The Sedona Conference Commentary on ESI Evidence & Admissibility 10 (2008).

[30] Illinois Rule of Evidence 803(6) “Records of Regularly Conducted Activity.”

[31] Illinois Rule of Evidence 1001.

[32] Illinois Rule of Evidence 1003.

[33] Illinois Rule of Evidence 1006.

Reprinted with permission of the Illinois Bar Journal,

Vol. 101 #8, August 2013. Copyright by the Illinois State Bar Association www.isba.org

Related Electronic Medical Records Posts: