We experienced a patient portal breach involving one of our patients in June of last year. We are a single-specialty, internal medicine practice affiliated with our local hospital and using GE Centricity as our shared medical record, along with many other primary care and specialty groups. A patient of another practice received an e-mail meant for one of our patients, which linked to our patient’s personal health information. After pestering our IT Dept. for several months, I finally received an explanation for the breach. I had thought that a patient would register their e-mail and then receive a unique PIN# to access the portal and see their own health information, thus constituting a two step process (similar to a person using an ATM card and then entering a PIN# to access their account). However, it turns out that this is not how the patient portal works. Unfortunately, we were told, the only unique patient identifier is the e-mail address. What I had thought was a safer, two-step process, is only a rather risky one-step process.
This is how I understand what happened: Our patient (Patient A) was seen at a dermatology office, which uses the same, shared medical record. They changed our patient's e-mail in the EMR (by one digit) to the incorrect e-mail address. This e-mail address just happened to be the e-mail address of Patient B, a patient of yet another hospital-affiliated practice that uses Centricity. Patient B received an e-mail that should have been sent to Patient A and didn't know it was a message not intended for her. She went into the portal to see what the message was (thinking it was for her, Patient B) and saw the private health care information of Patient A.
I don't think that e-mail addresses are particularly well-suited to be unique patient identifiers. Even in our own relatively small single specialty medical group we have had several instances of patients with the same name – we even had, at one point, three patients with the same name – two of them were my patients and those two were born in the same year! Expand that to all of the practices using the shared EMR through our hospital (Emerson Hospital) and you will find many more patients with the same name. Often our e-mail addresses contain some part of our names in them. In larger groups, one is more likely to find more individuals with the same name. If you ever had to set up your own e-mail address, you may be familiar with being informed that you had to choose a new one because yours was already taken. I don't even have a particularly common name, but when I first joined our group and needed a hospital e-mail address, there was another person with the same first initial and same last name, so I was not allowed to use the usual format (first initial, last name @................hosp.org) because it was already in use! Is it so surprising that a one-digit change in an e-mail address can link to another patient using the same EMR? Don't you think this could happen again, unless another safety step is added? Our IT Dept. told us that GE Centricity uses programming from Kryptiq and that it is unlikely this will be changed to a more secure process. They have not taken the Patient Portal off-line after this breach and they have not even notified any other practice (aside from the three involved) about this portal breach. Does anyone else find this unacceptable or worrisome?
In order to sign up for the portal, you must have a pin, at least in our practice. Sending one message to the wrong pin account, in my mind, is not grounds for taking a patient portal offline. Of the possible methods of communicating with a patient, it seems like the patient portal would be the most secure, even given your unlikely situation with two patients and nearly identical addresses.
It sounds like it was the single document that reached the wrong recipient. The entire record was not linked to the wrong email address.
How many times have you had an employee fax records to the wrong phone number? What about handing a patient a document with another patient's document behind it? There are no foolproof ways of passing along information, you just need to make sure you have safeguards in place to catch issues. No technology can completely overcome the biggest security hole in your company, your employees.
In our practice, a patient is given a pin #, too, so that's why I thought this was a two stage protection. I thought that the patient's e-mail address was one identifier, but that one had to use a Pin# to actually get in to the portal. Since we have a shared medical record with many other practices, we are in the position of not only worrying about our people making mistakes, but also any one of hundreds and hundreds of other people using it. At first I couldn't understand how a breach could happen, because even if the wrong patient got the e-mail, I would have thought that using their own Pin # should only allow them to see their own patient information. However, we were told that the e-mail address itself was "the only unique patient identifier" in our patient portals. An analogy would be this: I had thought that the e-mail address was one identifier, in much the same way that a bank card would be one identifier. Then I thought that the Pin# was the second security measure, much in the way one has to enter a Pin# to use a bank card. However, from what we were told, the Pin# we give patients isn't a "unique patient identifier". It merely allows one to get into the portal through the e-mail to which the patient received a message. It took months for IT to explain this to my satisfaction, because I thought it was a more secure two-step process like for a bank card and IT took that long to explain it to me (the IT at our hospital, which manages the shared Centricity EMR). A major factor, for us, is that we are not just one small practice using GE Centricity. It was set up to be used across a whole Physician's Health Organization of multiple primary and specialty groups. I only pointed out how we have run into the situation of having more than one patient with the same name (and given how e-mail addresses are devised in most instances, it wouldn't be that unusual to have very similar e-mail addresses for a given name) in just our practice alone. 
Across the whole PHO, there would be many more. If the banking industry can come up with an elegant solution - decades ago - which still works pretty well, why doesn't GE set it up this way? Why is the e-mail address the only "secure patient identifier"?
What is your patient registration process? We issue a PIN. The patient receives the PIN, but then must register the account by matching their name, date of birth, and gender to what we have in their chart to gain access to that account. This essentially gives you 4 unique identifiers.
The PIN number is essentially a one time use password for the medical record. Once the PIN is used once, it is not ever needed again.
If you have admin rights to the portal, you can link a Portal account to a medical record manually without ever having generated a PIN for the user.
Correct, but we make our users complete the registration process versus our staff and that gives us the option of having the user give multiple identifiers. I try to avoid manually linking a portal account to a record and bypass the PIN and reg process. Once their account is registered, they can log into it and change their email address via that and I can verify the pending change to make the switch. There are multiple ways to do it, I'm just sharing our process.
We are probably manually linking about 10+ accounts a day because there is some sort of bug in our system that is not allowing probably 10-20% of the pins to work. We have had a ticket open for a couple of weeks and they have not solved it for us.
Are you using the PIN generator form from MD EMR consulting by chance? We purchased this from them and it has been worth every penny (which wasn't that much!). Also, we had trouble with temp passwords not working when sent so we disabled the temporary password option and things seemed to run much smoother after that. Kryptiq said it had a bug.
All I know is that when I asked our IT about this, they told us that the only unique patient identifier was the e-mail address, that this is how Kryptiq is set up and that Kryptiq and/or GE has no plans to change this. We were told that the PIN# was only used at registration and was not part of a two-step access process. What might help a little, I would think, is if it could be set up so that after a patient is registered, only the patient him/herself could change the e-mail address. However, as it stands now, anyone at any of the hundreds of people at multiple primary and specialty groups linked together in a shared medical record for patients of our PHO can change that e-mail address. Is there a way to set it up so that only the patient can change it? Our IT department doesn't seem to know how to do it. BUT, even if it was set up so that only a patient could change an e-mail address, a patient could still make a mistake him/herself (a simple typo could do it) and the same breach could occur again. Why is it so hard to add that extra step, so that even if a mistake in the e-mail is made, someone else could be blocked from seeing another patient's medical information? Is it so hard to set it up like the bank cards, with a bank card and a PIN# code BOTH required to access account information?
You can setup permissions on what your users are able to change on the portal. You can also set it up so that your patients have to verify any email address change.
In our system, you cannot change the email address from within EMR (unless you are on the messaging system which is really just an extension of the portal) and have it flow to the portal. I don't know if you have a different system in place which allows you to do this or not. When you say the employee changed the email address, do you mean from the messaging tab within EMR? If so that should be completely controllable by your portal administrator as far as what rights your end users have.
I do not mean changes in messaging tab within the EMR. In the EMR, we only have patient's physical (home) address and telephone number(s). We register the patients the same way other practices in our PHO do, which I believe is through the Patient Portal, not in the EMR. We don't even list a patient's e-mail address at all within the EMR.
I have not been able to get all the details from our IT Dept. I think what happened is that our patient was being seen by Dermatology and may not actually already have Patient Portal access, yet - or it is possible that she did, but may have thought that the Dermatology Patient Portal was a separate "place", so had a previously correct e-mail address changed by the dermatology department. So, the Dermatology office entered the patient portal registration area and began the process, typing in the incorrect e-mail address for our mutual patient -- mistakenly using the e-mail address of another patient - not of our practice, but of another practice (a patient whose e-mail address differed by one digit/letter from our patient - the mutual patient with dermatology and us). Because our patient and the other patient (to whom the private health information of our patient was sent) are in the same shared EMR that our office, the dermatology office and the other primary care practice use, the wrong patient was sent our patient's information and was able to see our patient's private health info.
Which brings me back to the original issue - IF the process by which a patient goes to look at their health information had been a 2-step process, with the e-mail (akin to a bank card) and a PIN# (akin to a bank PIN) BOTH required to see the health information, this would never have happened (the portal breach). We were told that GE and/or Kryptiq has no plans to make the Patient Portal a more robustly protected system, which I believe is unconscionable. I fervently believe that technology exists today to fix this situation - after all the banking process has been standard for many, many years. So, why won't GE/Kryptiq fix this?
We noticed this "feature" when we were doing our testing during setup. It has been a while but I did manage to make a note at the time, that appears to be the answer to this issue.
On the portal application server, in your SMPP Configuration Utility:
Go to Secure Messaging -> Messaging -> Automatically create user accounts for first-time message recipients.
Uncheck everything except "Message Stream API" or it used to be called "Patient Portal" in the version I made the note in.
If my notes serve me well, this will restrict secure messages to be sent to EXISTING community members only. People not in your community won't get the email asking them to create and link their account (without a PIN).
You can test this by trying to send a secure message to an email not in your community. Depending on your version, you should either get some sort of error message if the email exists in Centricity, but not in the portal. Or the Send button will be greyed out, if the email does not exist in either Centricity nor the portal.
Hope this helps.
Drew
I appreciate your idea, but we already have this situation (restriction to existing registered patients). The problem is that both our patient (who was the one who was supposed to have gotten the e-mail) and the other person are "in the community". You see - the incorrect e-mail address was entered into the system, but it just happened to be the correct e-mail for another patient in the same system! She was also "in the system", so had no trouble getting in to see the health information (which wasn't hers).
You see, we are not just one small practice that is independently using the GE product, Centricity. It is being applied across many primary care and specialty groups, all in the same PHO linked to the same hospital. If there was a two step process, with two "unique identifiers", such as an e-mail address AND a second secure PIN, then this wouldn't have happened. The wrong person would still have gotten the e-mail message, but wouldn't have been able to "get in" to see the personal health info, because they wouldn't have the second unique patient identifier for that account.
Is there a way to make subsets within the larger group using this shared electronic medical record and then set up a restriction to the subset? That would at least lessen the chance of having another patient with the same name and possibly a similar e-mail address (within the subset versus the larger set of users) - although even in our smaller group we have had several instances of patients with the same name - we even had 3 patients with the same name, two of them my personal patients and those two were born in the same year! Also, even though we were told otherwise, do you know if there is a way to add a second unique patient identifier that a patient would have to use? We were told that there wasn't and that Kryptiq and/or GE were not planning to add a second step, even though that would make the whole process far more secure.
To make sure I understand, you are a multi-specialty group sharing the same Centricity database? But you make them get a different portal PIN for each specialty? Do you not allow each specialty to see the other's charting? We are a multi-specialty group (17 specialties) sharing the same CPS database; patient charts are all set with a home loc of all, thus creating a shared chart. Patients register for the portal via the PIN form from MD EMR consulting. They then get access to any records of theirs from any specialty within our organization. I also don't understand what you mean by needing a second unique patient identifier? The way we have patients register, they receive the PIN, click on a link and have to verify their identity by entering the PIN that came from their chart, their DOB, their first and last name. If all of these do not match, it will not allow them to register or gain access. The PIN also pulls from the registration, and an incorrect email, even if it matched someone else's, would result in someone not being able to register because they wouldn't match the other info. I think I am missing part of your process?
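The two positions in this thread (the original poster's "the e-mail address is the only unique identifier" versus the replies describing a one-time PIN plus name and DOB match at registration) come down to what the portal binds access to. The toy model below is an added example written for this page; it is not code from GE Centricity, Kryptiq or any poster, and the class names, fields, addresses and the two "policies" are assumptions made only to replay the incident described above. Policy A looks up charts by the e-mail string on the chart; policy B binds a login to a chart ID once, through a consumed PIN and demographic match, and never consults the e-mail string again.

```python
"""Toy model of how a patient portal binds an e-mail address to a chart.

Added illustration, not Centricity/Kryptiq code. All names, fields and
addresses are constructed for the example.
"""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Chart:
    mrn: str                  # medical record number: the stable chart key
    name: str
    dob: str                  # YYYY-MM-DD
    email: str                # contact address as typed by staff; may be wrong
    pin: Optional[str] = None # one-time registration PIN, cleared on use


@dataclass
class Portal:
    charts: Dict[str, Chart]                      # mrn -> chart
    bound_to_email: bool                          # True: policy A, False: policy B
    accounts: Dict[str, str] = field(default_factory=dict)  # login e-mail -> mrn

    def issue_pin(self, mrn: str) -> str:
        """Staff generate a one-time PIN for a chart (assumed 8 digits)."""
        pin = f"{secrets.randbelow(10**8):08d}"
        self.charts[mrn].pin = pin
        return pin

    def register(self, email: str, pin: str, name: str, dob: str) -> bool:
        """Policy B registration: PIN, name and DOB must all match one chart.

        The e-mail is only the login name being created; it is never used
        to pick the chart. The PIN is consumed so it cannot be replayed.
        """
        for chart in self.charts.values():
            if (chart.pin is not None
                    and hmac.compare_digest(chart.pin, pin)
                    and chart.name.casefold() == name.casefold()
                    and chart.dob == dob):
                chart.pin = None
                self.accounts[email] = chart.mrn
                return True
        return False

    def visible_charts(self, login_email: str) -> List[str]:
        """MRNs the holder of this mailbox can open after logging in."""
        if self.bound_to_email:
            # Policy A: every chart carrying this e-mail string is "yours".
            return sorted(c.mrn for c in self.charts.values()
                          if c.email.casefold() == login_email.casefold())
        # Policy B: only the chart this login was bound to at registration.
        mrn = self.accounts.get(login_email)
        return [mrn] if mrn else []


def typo_scenario(bound_to_email: bool) -> List[str]:
    """Replay the thread's incident and return what Patient B can open.

    Patient A's address is mistyped by one character into Patient B's
    address; a notification for A therefore lands in B's mailbox.
    """
    a = Chart("MRN-A", "Jane Doe", "1970-01-01", "jdoe1@example.com")
    b = Chart("MRN-B", "Jane Doe", "1970-06-15", "jdoe2@example.com")
    portal = Portal({a.mrn: a, b.mrn: b}, bound_to_email)
    if not bound_to_email:
        # Patient B registered correctly, well before the incident.
        assert portal.register(b.email, portal.issue_pin(b.mrn), b.name, b.dob)
    # Another practice "corrects" Patient A's address by one character.
    a.email = "jdoe2@example.com"
    # Patient B follows the misaddressed link and logs in with her own address.
    return portal.visible_charts("jdoe2@example.com")


if __name__ == "__main__":
    print("email-bound portal, Patient B sees:", typo_scenario(True))
    print("PIN-bound portal,   Patient B sees:", typo_scenario(False))
```

Under policy A the result lists both MRN-A and MRN-B, which is the breach described in the first post: the mistyped address made Patient A's chart "belong" to whoever reads Patient B's mailbox. Under policy B the same typo still delivers the notification to the wrong inbox, so the disclosure of the message's existence (and any attachment) is unchanged, but opening the chart is refused because B's login was bound to MRN-B at registration and the chart's e-mail string plays no further part. The model also shows why the PIN alone is not the second factor the original poster asked for: it is consumed once, and what protects the chart afterwards is the binding it established, not the PIN.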
I am still not 100% I understand the situation.
"A patient of another practice received an e-mail meant for one of our patients, which linked to our patient’s personal health information."
Intended recipient - test1@test.com (in Centricity Registration, Not in Portal)
Actual recipient - test1@test.com (in Centricity Registration, Not in Portal)
Our setup is such that, if the email is not in the portal, you cannot send a secure message to them. They cannot get the message that allows them to link to a Centricity chart without going through the linking process with the PIN, DOB, etc.
In the above example, at least in our setup, since only 1 of those people can have the test1@test.com email registered in the portal, neither person will get a secure message until 1 of them registers and links in the portal.
When I say "in the community" as far as I know, it means actually registered and linked in the Patient Portal Community, not just a patient in Centricity.
This is what we see if we try to send a secure message to a patient that has not registered in the portal:
Now you would still have the possibility of attaching medical information to a secure message and sending an attached document to the wrong patient. Even this requires at least one of the patients to be registered and linked in the portal to receive ANY secure messages. I am still unsure how Patient A could LINK to Patient B's chart with the way we are set up...
Drew