CCHIT-"Data Integrity" featu

visolveemr wrote on Monday, November 30, 2009:

Hi Team,

This topic talks about implementing “Data integrity” in openemr as part of CCHIT requirements.

Data Integrity - The purpose of this feature is to make sure that the patient information should not be modified or destroyed because this may lead to some improper medical decisions.

For ex, the encounter or the prescription info should not get altered. HIPAA suggests using “checksums” or “digital signatures” to monitor and control these problems.

We’ve gone through few of our earlier conversations related to this and here goes our current plan.

For this we can have the “Lock” feature for some of the important data (like encounter forms, prescription etc). Once the  encounter details are  finalized, the physician can click the “Lock” button provided near the corresponding encounter.

Once the data is locked, the md5sum of the data would be calculated and the same can be stored in the table.   The further changes should be added only via addendums. The addendums should also be locked and saved in the previous manner.

**Integrity checking:**

1. On a weekly basis, the administrator can run the “Integrity checker” tool (for all or for the required patient) just to make sure whether any data in the database had altered in the improper way or this can be done via the cron job also. The result of this check can be e-mailed to the configured people.

2. “Check integrity” option would be provided for the corresponding encounter and the physician can perform the check as and when required.

We’ll be adding more implementation details soon. Do let us know your views here on our approach.

Thanks

ViCare Team

visolveemr wrote on Tuesday, December 15, 2009:

Hi Team,

More details about Data integrity & the finalized approach (from our perspective)  are given in

Do share your views here…

Thanks

ViCarePlus Team

  : http://www.openmedsoftware.org/wiki/5._Data_Integrity

sunsetsystems wrote on Tuesday, December 15, 2009:

It would be good to know how other (certified) EHR systems implement this requirement.  I would think it’s difficult to do it well.

The approach described seems to address data corruption due to system failure, but what about improper intentional alterations?  Perhaps that can be approached by sending checksums to some offsite destination, so they are not easily altered afterwards.

Also checksums should be done in a way that works even across version upgrades, when database structure changes can occur.

Rod 
(http://www.sunsetsystems.com/)

sunsetsystems wrote on Tuesday, December 15, 2009:

Another thought - what is expected to happen when a checksum failure occurs?  I think this feature is inseparable from the task of effective logging, because if the failure is unexplainable then the inevitable human conclusion is going to be that the system is broken.

Rod 
(http://www.sunsetsystems.com/)

bradymiller wrote on Wednesday, December 16, 2009:

Hi,

I see you mentioned the dilemma of locking vs addendums of encounters/notes on your wiki page. This has been discussed previously here: 

What are your thought on this?

-brady

  : http://sourceforge.net/projects/openemr/forums/forum/202506/topic/3416466

visolveemr wrote on Wednesday, December 16, 2009:

Hi Rod & Brady,

Thanks for your views here.

To Rod

We can claim that there won’t be any unauthorized access due to the presence of https,client side certificates and proper Access control.

But, if the same physician intentionally changes the PHI, that can be identified via logging (Auditing is the next
requirement we are going to concentrate and we can consider this at that time. We are also planning to include the checksum in the log)

As per the current status, the checksum failure can happen due to the following two reasons:
a. Bad disk sector
b. Unintentional changes to the database

Whenever any of the above thing happens, we are planning to display a red alert at the top, and we are asking the Physician to approve
the entry by pressing the submit/verify button…

To Brady

We’ve seen this already and infact that was the first approach we’d taken.

As we’d mentioned in the wiki, the types of EPHI to be considered for data integrity

a.Encounter

b.Prescription

c.Immunization

d.Issues (Problem, Allergy, Medication, Surgery, Dental)

When addendums are used, it would be difficult to provide the consolidated information for any reporting as always the recent
information = old information + addendums. And also the users need to spend lot of time in reading all the information to
come to a conclusion.

Ex: If there is a report asking for the list of current medications used by the patient, it would be too difficult to provide the correct information if we are maintaining addendums. This is possible if we maintain different versions of data for each modification as we can provide the latest version of data. But, i think this would be very difficult to maintain.

Auditing (this includes improved logging too) is our next task. And i’m sure we can maintain the history of each transaction that time and we can easily track what went on when…

Hope this helps.

Thanks

ViCarePlus Team

bradymiller wrote on Wednesday, December 16, 2009:

hey,

Several quick questions:

1) Are you guys actively coding? If so, is it open?

2) Does the scope of your security project include things such as sql-injection?

-brady

mbrody wrote on Wednesday, December 16, 2009:

Hello All,

I had the opportunity to speak with Solomon at CCHIT regarding the issues of Data Intregity.  There are some important ‘take away’ points from my discussions with him and what needs to be done to pass certification.

1 - There is no way to prevent an authorized user from making ‘changes’ to the system that should not be made if his/her privileges allow those changes.  Therefore the ONLY mechanism to insure that inappropriate changes are not made is an audit log.  Creating a log of events for every write to the database.  The log could then be examined to determine who made what changes and by reviewing the log the database COULD be repaired.  I say COULD because that functinality is NOT required.  The possibility is.

2- Data Integrity.   This involves insuring that the data has not been tampered with in transit.  The data should be encrypted utilizing a FIPA 140-2 approved method and hashed so that the reciever of the data can utilize the checksum to insure that the data received is intact.

As far as data integrity for the ‘main database’  as long as a change log exists, that changelog could ‘IN THEORY’ be utilized to ‘rebuild’ the entire database and the rebuilt database could be compared to the ‘current database’ to see if it has been tampered with.

I will post a more detailed comment later today on all of the FND requirements.

Michael

sunsetsystems wrote on Wednesday, December 16, 2009:

Michael are you saying that data integrity, aside from logging, only matters for data that are transmitted from one location to another?  Within a closed system, checking for disk sector errors is normally done at a low level and is not something I’m accustomed to seeing in application software.

I’ll be more interested in the logging side of this.  An overhaul in that area is long overdue and highly relevant to certification.

Rod 
(http://www.sunsetsystems.com/)

mbrody wrote on Wednesday, December 16, 2009:

From the perspective of certification that is correct.  Using checksum to verify that the data transmitted is intact is important.  Moving forward from the perspective of Breach Notification which goes well beyond certification utilization of FIPS 140-2 certified encryption is RECOMMENDED.

Michael

bradymiller wrote on Wednesday, December 16, 2009:

hi,

Another question. If we focused in on Meaningful Use regarding security, what needs to be done?

-brady

drbowen wrote on Thursday, December 17, 2009:

Dear Visolveemr:

This was discussed at length at the OpenEMR get-together in Houston for the FOSS Healthcare Conference.  It was a great conference.  At this meeting this data-integrity was discussed with Tony McCormick, Justin Doiel and Fred Trotter.  Fred Trotter actually volunteered to work out some code which was a more generally applicable code that works in various environments.  He posted this to his MirrorMed site.  I will try to find the code and the referenced emails (from July 2009).

Dr. Herb Horst of GnuMed worked out a way to verify the md5sum checksums by using the date-time stamp of a certifying authority such as VeriSign.  At the FOSS Healthcare conference, in Houston, we discussed using CACert to provide this external verification.  Dr. Horst created a crytographic method to prove the progress note had not been altered.  If I remember correctly, I think he did this by doing a checksum that included the progress note and the date-time stamp of the certifying authority at the time the note was authorized by the practitioner.  This md5sum check sum was then entered into the log along with the progress note.  The only way to reproduc this checksum is to use the original checksum with the date-time stamp included in the string.

This does bring up the issue of our logging which needs a lot of improvement.  The progress notes should really keep a revision history.  Patients, in the United States, have the right under HIPPA to request modification of incorrect facts in their medical histories.  As a practitioner, I worry that this may be done for secondary gain by the patient.  From my perspective it would be better to show the entire revision history in the event there is a dispute. (Which, unfortunately, happens much to frequently in the United States.)  Only the current most recent revision shows routinely.  When necessary, the database administrator can produce the entire revision history for legal review.

Sincerely,

Sam Bowen, MD

mbrody wrote on Thursday, December 17, 2009:

Sam,

Any encryption method that does not meet FIPS 140-2 standards will not exempt providers from provisions of the Breach Notification Law.  I strongly suggest looking at those methods of encryption.  They are beyond what certification requires but since a method must be implementd why not use the method that provides the most to OpenEMR users?

Michael

drbowen wrote on Thursday, December 17, 2009:

Dear Michael,

What I am discussinng really applies more to FIPS PUB 180-1, Secure Hash Standard.  You do realize that most open source crytographic methods substantially exceed these minimal government requirements?

Sam Bowen, MD
http://openmedsoftware.org/

drbowen wrote on Friday, December 18, 2009:

Dear Rod,

There have been separte discussions about this with Dennis Wilson of CCHIT.   The peculiar nature of open source causes a lto of trouble with traditional definitions of “ownership” because most of these rules were by proprietary software owners for proprietary software owners.  CCHIT is trying to address these differences.  To my knowledge HHS has not addressed this specifically but perhaps Dr. Brody has additonal information on this.

This is the final working version of the language that is being proposed by Dennis Wilson:

Seems like a good point to summarize conclusions, and say thanks to all
who shared your opinions.  It is important to us these policies are
workable and fair to all segments of EHR suppliers.

Overall, it sounds like most of you believe the policy, as proposed, is
workable.  For you convenience, here again is the statement in question:

“CCHIT will indicate the version of the technology that was tested on
our Website, however, once technology is certified, applicants may, at
their option, notify CCHIT when new versions are released and request to
have their version information updated on the Website.  CCHIT will allow
subsequent versions of a certified technology to be marketed as
certified as long as the applicant has not removed capabilities needed
for compliance with the certification criteria.  For technology offered
under an Open Source licensing model, the organization or community
submitting the technology for certification shall be responsible for
determining and enforcing its own policy regarding labeling of
subsequent versions of the technology as certified.
Applicants who would like multiple listings of 2 or more versions of a
technology on the CCHIT Web site may request this using the Product
Update Form and submitting the required fee…”

In going over all the responses I wanted to respond to a couple of
comments:

Regarding clarification of who are “applicants”:  the organization or
community submitting the application for certification, paying the
certification fees, and signing the certification agreement.  All of
these details are described in the Certification Handbook available at
our website.

The comments about publically providing access to the project and change
history (for purposes of transparency of continued conformance) are
good.  We can easily accommodate that within the descriptive fields of
certification listings.  Turns out we’re overhauling our records
publishing process right now.

Keep in mind the whistle-blower process as well, for helping ensure
continuity of conformance.

Regarding comments about equality between COTS and FOSS applicants, our
goal is for the policies to be fair to all - including those providers
developing their own solutions.  From a careful reading of the above,
hopefully you see the terms about versions and derivations apply equally
to all.  The only reference to Open Source is clarifying applicants are
the ones to indicate which subsequent versions are certified.  The
additional listing procedure is actually something COTS vendors have
used to get “private labeled” versions of products into the
certification listings.

The series of comments about incremental certification prompts me to
mention one of the features of the Preliminary ARRA certification
program is the ability to incrementally add more of the 28 Meaningful
Use categories to an existing certification.  Doing it this way prices
out a bit higher than certifying those same MU categories in one shot,
but incremental certification does accommodate growth in functionality
over time.

Finally, there were some interesting questions posed about end-users
modifying certified products, and whether this would still qualify for
ARRA incentive payments.  Seems (to me) if a provider can demonstrate
meaningful use to HHS then this case would still be in the spirit of the
rules.  That, however, along with many other questions about how
providers will report their meaningful use data are to be sorted by HHS.

Again, thanks to all for the thoughtful feedback.  Very helpful to us.

I’d like to solicit your responses again by starting another thread (in
a couple of days) about pursuing benefactors for funding FOSS EHR
certifications.

cheers,
dw

This is obviously still an area of flux.  Dennis Wilson is sensitive to and a proponent of open source software.  CCHIT is under fire from HHS and may possibly be replaced.  There may eventually be more than one certifying body.

My recommendation would be that the non-profit Open Source Medical Software make this application to CCHIT and be responsible for maintaining this list.  I think $1,000 for a CD is probably not going to be very well accepted.  I do think this is a situation where registration of a practice using OpenEMR is no longer optional but mandatory.  This is the only real way to keep track of these “certified installations”.  This is obviously something that will need to be discussed by the Open Source Medical Software board.

In terms of ownership of the software,  I for one have encouraged software developers to either retain ownership of their intellectual property rights or to donate them to the non-profit.  Either way we have been requiring the use of the General GPL  license version 2. (Version 3 is also acceptable).

I proposed that practitioners that are in the business of actively using and testing this type of software be allowed to get the incentive payments even though they are using unstable versions of the software.  This would include physicians such as Brady Miller, Michael Brody, Mark Leeds, and myself to assist in the active development of this type of software.  I think that this type of physican involvement in our project is one of the things that makes OpenEMR so unique.

My organization has budgeted the $35,000 for the certification fee.  Eventually, as the non-profit Open Source Medical Software gets financially stronger it should take over future certifications.  There is some legal risk in taking over this responsibility. This is one of the purposes of the Open Source Medical Software, to allow this type of activity to happen and to protect the individual developers from legal action.

Sam Bowen, MD<br>
http://openmedsoftware.org/

drbowen wrote on Friday, December 18, 2009:

Sorry,

I posted this on the wrong thread.  Should be on the CCHIT certification thread.  Sam Bowen, MD

visolveemr wrote on Friday, December 18, 2009:

Hi Team,

Thanks for your views here…

**To Brady**

Yes, we are actively coding. We are working with Sam, Tony  & group for the CCHIT certification.

Our current scope doesn’t include sql-injection. Now, we are focusing on enhancing OpenEMR for the Meaningful Use requirements related to Security. Please visit
to get to
know more about our current plan.

**To Michael**

Auditing is our next task… Will take care of logging at that time.

As part of Meaningful Use Enhancements, we’d already
implemented SSL and Client Side certificates in OpenEMR
().
During the deployment, the providers can go for fips compliant encryption standards.

**To Sam**

Since the client side certificates are enabled (provision
for third party certificates such as Verisign), only the users with valid client side certificate and password would be able to access the data. This enhances the authenticity.

We’ve already discussed about extensive logging for encounters
()
Refer approach 2. But since, the logging & auditing of all the modules need to be taken care, we are planning to consider this as part of our Audit work.
If we all agree to sign the checksum (and store it in the log), then we can include that too… If the proposed solution mentioned in
is
not required, then we can go with our approach 2 (along
with signing the checksum)…

Do share your views here

Thanks

ViCarePlus Team

  : http://www.openmedsoftware.org/wiki/User:Vicare
  : http://www.openmedsoftware.org/wiki/User:Vicare
  : http://www.openmedsoftware.org/wiki/5._Data_Integrity
  : http://www.openmedsoftware.org/wiki/5._Data_Integrity

bradymiller wrote on Friday, December 18, 2009:

hi,

Thanks for your page link. Where is the source that listed these 8 criteria as being needed for security for Meaningful Use (I’m just trying to get myself educated).

Should sql-injection be dealt with also in regards to security (Perhaps this is more a question for Sam if this isn’t within the scope of your project). Have we also considered this security weakness? (a sql command in an input box could collect or delete all patient information by somebody whom should not have access)

-brady

visolveemr wrote on Saturday, December 19, 2009:

Hi Brady,

Meaningful Use Objectives  related to Security are:

1. Compliance with HIPAA privacy and security rules

2. Compliance with fair data sharing practices set forth in the Nationwide Privacy and Security Framework

We’ve already done a extensive analysis on the above two requirements.

The other documents referred by us are:

3.Certification criteria for Security and Privacy from CCHIT - 

4 Product certification standards  -

Hope this helps. Do let us know if you’ve any questions.

Thanks

ViCarePlus team
  : http://www.cchit.org/sites/all/files/Preliminary%20ARRA%202011%20Security%20Criteria%2020091001_0.pdf
  : http://health.state.mn.us/e-health/standards/certrecs102609.pdf

bradymiller wrote on Saturday, December 19, 2009:

Hi,

Thanks for the answers.

Reading up on HIPAA privacy and security rules(), seems like in end, just rec “reasonable and appropriate” safeguards. Unless going for a “secured PHI”, which is optional and would be a challenge to say the least, but looks like advantage is that it is much easier for providers when a “breach” of patient information happens.

Reading up on Nationwide Privacy and Security Framework ()  is again rather ambiguous in it’s “Data Quality and Integration” and “Safeguards” sections again citing things like “reasonable safegaurds in place” and “minimize risks”. For me the intersting part is this “safeguards should be developed after a thorough assessment to determine any risks or vulnerabilities”; would  describing OpenEMR’s information leakage, corss-site scripting, sql-injection, insufficient authorization and content spoofing fall under this; meaning to fulfill Meaningful Use, do we need to now fix these issues?

The CCHIT requirements are on  the other hand insanely detailed and numerous. Am I correct in concluding majority of your security improvements are based on getting CCHIT (not a bad thing, just trying to differentiate Meaningful Use requirements from CCHIT requirements)?

-brady

  : http://mcgrawwentworth.com/Benefit_Advisor/2009/BA_Issue_10.pdf
  : http://healthit.hhs.gov/portal/server.pt/gateway/PTARGS_0_10731_848088_0_0_18/NationwidePS_Framework-5.pdf
  : http://agile.csc.ncsu.edu/healthcare/doku.php