American College of Health Data Management

American College of Health Data Management

The necessity to adopt the Five Rights of Secure Health Data

As attacks ramp up, a new protocol is needed for privacy of patients’ information, and KERI represents a revolutionary step forward.

This article is the first in a series of six articles related to the Five Rights of Secure Health Data. Read Part 2

When it comes to patient safety, we all recognize parts of clinical care — like medicine administration — must be checked every time, without fail. It’s time we treat the safety of healthcare’s data the same way.

Think back for a moment to 2005; you probably remember standing in line for the release of “Revenge of the Sith” while listening to Green Day on your iPod Nano. Despite what your grandma said, you rocked that spiked hair with bleached tips. Oh yeah, and the Department of Defense just put out a report stating 50 percent of patient safety events were the result of medication errors.

In the two decades following that report, health systems significantly de-risked the administration of medications. Barcode-enabled point of care (BPOC) approaches gave hospitals a simple, technology-enabled way to check the Five Rights of Medication Administration every time, without fail.

When a patient is checked in, just slap a barcoded bracelet on their wrist, and let the clinicians scan away! It’s quick, easy and life-saving.

If you’re not familiar with it, the Five Rights of Medication Administration are a set of checks that ensure patient safety. By verifying the five rights before giving a medication, doctors, nurses and pharmacists can — and very often do — successfully avoid catastrophic medication errors. These are:

  • Right patient: Is this this right patient?
  • Right medication: Is this the right med?
  • Right dose: Is this the right amount of that med?
  • Right route: Is this the right way to administer? (Oral, intravenous or in another way)
  • Right time: Is this being administered too early? Too late? On time?
  • Because of technology like barcodes, clinicians have an automated way to check all five every time. If a patient's barcode doesn’t match the medication's barcode, no drug is administered until the issue is resolved. One study showed BPOC completely eliminating missed medication doses.

    Now, let’s come back to the present day. You just saw Dune 2, you’re already optimizing your Spotify for 2024’s Wrapped, you’ve ditched those sweet bleached tips, and healthcare is still reeling from the latest major data breach.

    HHS appears to be seriously considering reinstituting the HIPAA audits as industry luminaries are pushing for “too big to fail” style interventions after the Change Healthcare incident. Which, by the way, is now being called a $100 billion cyberattack. Such attacks increase in both frequency and devastation as bad actors leverage new technologies like AI to supercharge their efforts.

    The result is a staggering 133 million medical records breached in 2023, with the prognosis for this year also looking bleak. The costs go beyond the financial, hacker groups have begun extorting patients themselves following breaches by promising to release compromising medical information or selling data on the dark web. One group allegedly posted 2,800 images of breast cancer patients following an attack.

    It is clear that healthcare has reached a breaking point, and something’s got to give.

    Enter the Five Rights of Secure Data Exchange. We need a simple checklist we can verify every time, before data is exchanged or access is granted.

  • Right data: Is this the right, unaltered data?
  • Right source: Is this the right entity (person/client/server) to send this data?
  • Right role: Is this entity the right one to interact with this data?
  • Right purpose: Is this an approved use of the data?
  • Right route: Is this the right method for transacting this data?
  • If any one of these five rights are wrong, the data transaction should be barred. However, healthcare currently does the data-equivalent of barely checking a nurse once when they clock in. If they’re wearing the right badge, they’re never checked again as they administer meds throughout their shift.

    It’s actually worse, because in this hypothetical, you at least get an in-person validation that the nurse isn’t being impersonated. No such physical check happens in data exchange. This data security catastrophe happens on the scale of thousands of users, clients, servers and devices in even a modest health system’s infrastructure.

    And don’t forget, medication administration’s main problem was mistakes, not malice. But with health data, there are actual nation-states who view U.S. health systems as critical infrastructure targets. The result? Ransomware, HIPAA violations, patient harms, increased costs and damaged reputations. Healthcare desperately needs a BPOC for health data, a mechanism to check the Five Rights of Secure Health Data Exchange on every data flow for every transaction.

    The BPOC of Health Data Exchange

    Until recently, a BPOC for data that enables healthcare entities to reliably and efficiently verify these five security rights every time simply didn’t exist. But for the past five years, pioneers in the digital trust and identity space have been working on a new, open source protocol with the capacity to fill this need – the Key Event Receipt Infrastructure (KERI).

    For the true techno-nerds, you can learn more about KERI here. For everyone else, a simple way to understand KERI for health data is to compare it with the barcodes of medication administration. It provides a simple yet robust way to sign and verify those signatures on both data in motion (active data exchange) and data at rest (stored data). Note that signing here means a “tamper-proof cryptographic seal” rather than a “digitized wet signature” and without that cryptographic signature attesting to all five rights, the transaction is barred.

    This process enables healthcare entities to check their “five rights” swiftly and securely, every time. By adopting the Five Rights of Secure Health Data Exchange and employing open-source digital ID technologies (like KERI), healthcare can move to a higher standard of data trust and security.

    This is the first article in a series laying the foundation for understanding the crucial role of modern digital ID in secure data exchange for healthcare. Next, we’ll take a deeper dive into each Right of Secure Health Data. Stay tuned for more insights into securing the lifeblood of modern healthcare – it’s data.

    Jared Jeffery is an HDM contributor and Philip Feairheller is chief technology officer of healthKERI.

    This article is the first in a series of six articles related to the Five Rights of Secure Health Data. Read Part 2

    More for you

    Loading data for hdm_tax_topic #reducing-cost...