Use of Affordable Open Source Systems by Rural and Small-Practice Health Professionals - 2012

Principal Investigator
Funding Mechanism
PAR: HS08-269: Exploratory and Developmental Grant to Improve Health Care Quality Through Health Information Technology (IT) (R21)
Grant Number
R21 HS 018218
Project Period
September 2009 – September 2012
AHRQ Funding Amount
$299,078

Summary: National efforts focus on improving medical quality and reducing costs by implementing standardized electronic health records (EHRs), which can support the secure exchange of health information between different systems. However, rural health care providers and providers with small practices may not have the financial resources or expertise to purchase and maintain expensive hardware and software applications to participate in this effort.

Dr. Williams and her research team investigated whether the EHR application needs of rural and small-practice ambulatory health care providers could be met with open-source EHR applications that were trustworthy (i.e., functional, affordable, reliable, available, secure, privacy-preserving, standards- and regulations-based, and able to interoperate and be integrated with other health care systems).

The research team developed a protocol and conducted telephone interviews to assess the needs of rural and small practice doctors and their information technology (IT) support staff. In addition, they conducted detailed assessments of five promising open-source EHR applications and one proprietary system to evaluate their trustworthiness. The assessment process involved defining a set of software engineering practices for developing trustworthy EHR applications, developing an automated testing process to evaluate existing open-source EHR applications and remove faults and vulnerabilities, and evaluating these practices and techniques on these EHR applications. The research team also created a reusable testbed, where they installed open-source EHR applications in a virtual computing environment such that the applications could be used by other researchers and tried by practitioners.

The proliferation of open-source applications has major implications for rural and small practice providers who may not be able to purchase or maintain commercial products. At the same time, developments in software engineering and evaluation have led to a more thorough assessment of the trustworthiness of a number of applications and a deeper understanding of providers’ software needs, and can support provider decisionmaking and inform improved trustworthiness of EHR applications.

Specific Aims:

  • Advance the understanding of engineering practices for developing new or enhancing existing trustworthy open-source or proprietary EHR applications based upon evaluation experiences. (Achieved)
  • Advance understanding of a process for evaluating the trustworthiness, functionality, interoperability (i.e., use of standards such that information can be shared with other providers), performance, compliance, and affordability of existing open-source EHR applications. (Achieved)
  • Gather and analyze the needs of rural and small practice ambulatory health care providers in the realm of electronic health records. (Achieved)
  • Develop and evaluate a prototype system on which promising open-source EHR applications can be assessed (i.e., deployed, run, and administered remotely) and for which hardware usage is securely shared and optimized to improve affordability. (Achieved)
  • Provide an assessment of the capabilities, strengths, and limitations of existing open-source EHR applications toward meeting the needs of rural and small practice doctors. (Achieved)

2012 Activities: Dr. Williams and her team completed a thorough security analysis of five open-source EHR applications (OpenEMR, OpenMRS, Tolven, WorldVista, and PatientOS) and one proprietary system. Identified vulnerabilities were reported to the EHR development organizations. The research team found that the overall security and privacy-preserving attributes of these applications were inadequate, and recommended that meaningful use security certification criteria be evolved to detect more security problems.

The research team developed processes for creating secure EHR applications. This included a comparison of the vulnerabilities detected by four different validation and verification techniques (exploratory manual penetration testing, systematic manual penetration testing, automated penetration testing, and automated static analysis) through three case studies. They found empirical evidence that no single technique discovered every type of vulnerability, and determined that at least systematic manual penetration testing and automated static analysis should be performed when testing a system. They also completed work on a partial test process for basic compliance with requirements of the Health Insurance Portability and Accountability Act (HIPAA) security rule. This partial test can eventually be expanded, and provides an outline for a more comprehensive set of test cases for HIPAA. Development of the prototype system did not progress because the research team was never satisfied with the quality and security of the open-source EHR systems. However, they established a virtualized platform that allows practitioners, support staff, and other researchers to try a variety of applications.

Dr. Williams prepared the findings from the physician needs assessment for publication as a North Carolina State University technical report titled “On the Affordable Use, Administration, and Maintenance of Open-Source Health Care IT Applications by Rural/Small-Practice Health Professionals.” The assessment was conducted in collaboration with Dr. Jackie Holladay from the University of North Carolina Chapel Hill. Data collection for the physician needs assessment had been completed in 2010 and included physicians and IT support staff from four practices.

As last reported in the AHRQ Research Reporting System, project progress was on track and budget spending was on target. The project ended in September 2012.

Impact and Findings: Dr. Williams found that while the assessed applications were largely functional, security was a substantial area of concern. Existing EHR applications are likely to contain significant and serious security vulnerabilities that security certification criteria do not detect. Therefore, even certified applications can be insecure. Publications resulting from this study are some of the first reports on vulnerabilities in some widely used open-source EHR systems, and should be cause for considerable concern in the EHR community.

Target Population: General

Strategic Goal: Develop and disseminate health IT evidence and evidence-based tools to improve health care decisionmaking through the use of integrated data and knowledge management.

Business Goal: Knowledge Creation