Proceeding of The 1st International Scientific Meeting On Health Information (1st ISMoHIM)

SECURITY FEATURES IN ELECTRONIC MEDICAL RECORD

Abdillah Azis1, Naufal Farah Azizah2
1
Sekolah Vokasi, Universitas Gadjah Mada, Sleman, 552811
E-mail: abdillahazis69@gmail.com
2
Sekolah Vokasi, Universitas Gadjah Mada, Sleman, 552812
E-mail: nazizah87@gmail.com

Abstract should not violate the secrecy in it. The release

Abstract Medical Record is the file containing
the records and documentation of the patient’s
identity, examination, treatment, action, and other
services that have been given to patients. Forms of
medical records not only in the form of the document
data / paper but can be any electronic data. Medical
records not only the manually but also have started
switching to electronic. There is no of special rules
on electronic medical records to make patient data
security systems is not guaranteed. The research
method is a literature review. The results showed
that the security features of electronic medical
records that should be included; feature authority
or right to access, search feature or audit record,
authentication feature, documentary feature, feature
technical services, feature recovery data.
Key Words: Electronic Medical Record, security
features, feature authority, audit features,
authentication feature, documentary feature.
1. Introduction
According Permenkes 269 in 2008, the Medical
Record is the file containing the records and
documentation of the patient’s identity, examination,
treatment, action, and other services that have
been given to patients. In the execution of works,
Kepmenkes No 377 Tahun 2007 aspects of medical
records is ALFRED. ALFRED an abbreviation
of Administration, Legal, Financial, Research,
Education and Documentation.
It was generally recognized that information
obtained from medical records confidential. The
information in the medical record is confidential
because it explains the special relationship between
a patient with a doctor that must be protected in
accordance with the code of medical ethics and laws
and regulations in force. But in some cases, medical
information should be released to the patient’s needs
such as insurance or legal cases. In this case, the
medical information needs to be released, but it
of information in this case holds the legal aspect,
namely as the legal aspects of the evidence of patient
care. It is explained that medical records can be used
at any time in case of misuse of the information on a
person’s medical history because it is basically the
nature of the medical record file is confidential.
Forms of medical records not only in the form of
the document data / paper but can be any electronic
data. Medical records not only the user but also have
started switching to electronic. Institute of Medicine
(1999) describes a computer-based health record
(Computer-based patient records / CPR) is a patient
record is done electronically and take shelter in a
specially designed system. Usefulness support users
in accessing the data are complete and accurate, ie
by giving a warning, alert and clinical decision-making
support system that references the data source of
medical knowledge and other means (Hatta, 2008).
The absence of legislation specifically governing
the EHR makes the implementation of EHR is not
functioning optimally, including in the field of data
security. As for not issuing a special accreditation
from the electronic health record systems Hospital
Accreditation Committee (KARS) makes the absence
of the minimum standards of electronic health record
systems. Their accreditation electronic health record
to support the development of electronic health
record systems are becoming more advanced and
more certainly ensure the security of the data from
the patient.
2. METHOD
This study is a descriptive.
3. Result
Electronic Health Record Related Legal Aspects
RKE is the basis for the Undang-Undang
Republik Indonesia No 11 Tahun 2008 on information
and electronic transactions “electronic document is
any electronic information created, forwarded, sent,
received or stored in the form of analog, digital,
optical, or electromagnetic,, the like, which can

ISBN: 978-602-73865-5-1 65
Proceeding of The 1st International Scientific Meeting On Health Information (1st ISMoHIM)
viewed, displayed and/or heard via computer or
electronic systems, including but not limited to text,
sound, pictures, maps, plans, photographs, or the
like, letters, signs, numbers, access Code, symbols
or perforation that have a meaning or meaning or can
be understood by people who are able to understand
it. “Advantages of electronic health record-based
enabling broad access to comprehensive and timely
health information for health workers and other
authorities. Computerization greatly enhance the
protection of confidentiality of information.
Confidentiality of Medical Data
One of the obligations of health information
practitioners are maintaining the confidentiality of
medical data. Secrecy is as supporters the legal
aspects of medical records containing medical data.
Confidentiality of information is any information
derived from clinical relationship between patient and
health care institutions. This information includes all
patient medical data and social data of the patient.
Every medical information that is owned hospitals
should not be spread by an employee of the hospital,
except when it allows hospital administrators.
Hospitals should not be at will using medical records
in a way that could harm the interests of the patient,
unless the hospital itself will use the medical records
when necessary to protect themselves or represent it.
Confidentiality of medical data can be viewed
as a matter of privacy. Simply put, secrecy means to
keep a secret. This implies that there are two parties
involved and blocking data leaks to third parties .
Confidentiality only become an issue if a third p is
involved, only if necessary to release the information.
Security Features EMR at the Balai Bessar
Kesehatan Paru Masyarakat Surakarta
Features Authentication is about verifying
whether someone is who they claim to be. Usually
involves a username and password, but can include
other methods of demonstrating identity, such as
smart cards, fingerprint. BBKPM authentication used
in the outpatient information system in the form of
a username and password to access the SIMKES.
Username and password at the start of use specified
by the admin, then users may change their own.
When users enter an incorrect password, the system
will give an error message “your user ID or password
is incorrect.” To the users. This system not yet have
the ALO (automatic Log Out).
Features authorization is a feature that limits the
rights of users to access information in accordance
with the user authority. Thus users can only access a
menu that has been set by the admin of the system.
Authorization relating to the rights that include
validation based access permissions. Each user has
a set of rights and restrictions akases by admin so
66 ISBN: 978-602-73865-5-1
can only access certain menu in accordance with
their authority. Eg outpatient admissions officers can
only access the menus related to enrollment. The
authorization boundary between the superintendent
and his staff, for example medical records staff and
the head of the medical record. head of the medical
records are able to access what is accessed by
the staff of the medical record. but some parts of
the menu can only be accessed by the head of the
medical record.
Trace Search Feature. This feature serves
to monitor the services received by patients. This
feature is necessary as the legal aspects in medical
records or financial aspects of the medical record.
This feature berungsi to monitor every operation /
access to information systems. The current system
is able to monitor and record user activities into a
trace file search.
Features Data Recovery function to recover
data if the system is experiencing interference such
as power failure, natural disaster or a virus. features
of post-disaster recovery is a process that allows to
recover data lost or damaged after the occurrence
of a disaster disturbance such as fire, flood, riot, or
system failure. Security system in BBKPM Surakrta
to rescue affected by the disaster patient data when
using antivirus. In the event of damage to a computer
will not affect other computers.
Feature integration of health management
information system that is implemented is prepared
to set up filling multiple data items so that the user
is required to fill it. It aims to maintain the quality of
the data item and patient care. Item patient’s identity
is distinguished by red marked posts (personal data
of patients) and black (social data of patients). Red
mark an item of data that is required. Storage process
can not run if the item is not filled completely. So
the completeness of the data is the main thing in
the beginning of the process of patient data input,
for more complete patient data, the data is capable
mmenunjukkan kulitasnya. Data quality is a reflection
of the quality of service.
Security features secure storage and
transmission media systems developed today have
the ability to control the export and import functions
aktifiatas data. Media pnenyimpanan used is the hard
drive, and external hard drive. Transmission medium
used is a LAN (Local Area Network). Switch or hub
installed in each unit to make sure to avoid delays
in data transmission. (Rohmadi, 2013)
Security Features of EMR Prototype of Papyrus
Hospital
The EMR Prototype gives facility for the
administrator to have the permission to delete user,
but the user’s history in system is still saved in
 Proceeding of The 1st International Scientific Meeting On Health Information (1st ISMoHIM)
audit. EMR Prototype does not have policy “Break
the glass” yet. The EMR Prototype doesn’t have the
ability to connects with internet network, so the audit
cannot use internet network too. In this audit cannot
see deletion history, but still can use to search user’s
track and time when the user accesses the system,
although the user already doesn’t have the authority
to enter the system. However, the EMR Prototype
does conversion date entry and time with numbers
or letters into dd-mm-yy (date) and hh-mm-yy (hour).
The EMR Prototype doesn’t provide the facility to
make doctor’s note about special information which
is specific about their patients. Password and user
name entry have been used for authentication for the
EMR Prototype system. It is done for user’s comfort,
so it will be not easy to get misuse by another parties
whose want to force to log in using internet network.
However, the probability this will happen to EMR
prototype is small because EMR prototype doesn’t
have internet network, so it will not easy to open the
data by force by someone outside the system. The
EMR Prototype can guarantees security technical
service system internet network utilization, so the
EMR cannot accessed by laptop and smart phone yet
Tabel 1 CCHIT Security Standard
No Components Explanation
1. Security 1. Acces Control
2. Audit
3. Authentification
4. Documentation
5. Technical services
2. Realibility 1. Backup/Recovery
2. Documentation
3. Technical services
(Source: CCHIT, 2007)
4. DISCUSSION
Based on CCHIT (2007) component access
rights consist of: (1) Limitation of user access rights,
(2) Determination of the access rights of users, (3)
control user access, (4) Elimination of users in the
system, (5) the specific information thus only patients
confidential, (6) the existence of specific policy called
“Break the glass” to open specific information, and
(7) Conditions on No. 5 and 6 recorded in audit
records. In detail components such access rights
are: Admin on Lung Health of the Great Hall of the
People (BKKPM) Surakarta has set access restriction
for each user. Thus users are only able to access the
menu that has been specified by the admin. Admin
at the Center for Lung Health Community (BKKPM)
Surakarta have determined the establishment of
user access rights based on the position (between
ISBN: 978-602-73865-5-1 67
regular staff and the head of the medical record).
Based on CCHIT (2007) administrator reserves the
right to control access include (1) the determination
of access rights for each user, (2) the classification of
each user, (3) restrict users based on transaction time
per day, working part-location, the emergency mode.
SIMKES at the Center for Public Health Lung new
Surakarta can assign access rights for each user and
each user penegelompokan appropriate authority.
Admin at the Center for Public Health Lung
Surakarta reserves the right to delete and change
the data when an error occurs.Specific information
about patients confidential SIMKES at the Center for
Public Health Lung Surakarta not provide this feature.
Based on CCHIT (2007) audit records to
EMR must comply components: (1) The system is
equipped with the audit records, (2) the contents of
the audit records, (3) The ability of the administrator
to read the information in the audit records, (4) ability
of the system to synchronize time , (5) the ability
to export the system in UTC format, (6) the ability
of the system prohibits unauthorized access to the
audit records, (7) the ability to enable and disable
administrator audit records, (8) the system supports
logging to audit engine.
The system used in the Center for Public Health
Lung Surakarta able to monitor and record user
activities into a trace file search. Health management
information system in BBKPM Surakarta history to
record menu automatically. Admin is able to see
all the user’s activities. Things that are recorded
in a history file: User identity code (KIP); Date,
time, duration, and access restrictions.; The menu
is accessed; The following types of activity data
accessed the data; Activities related to the access
authorization.
However, this system has not been able to export
in UTC format and has not been able to support audit
logging to the engine.
Authenticatiaon
Authentication is the mechanism used to
validate the identity of users attempting to access
the EMR. There are 13 components used to perform
the analysis of authentication. User authentication
before accessing the protected resource is meant
here such as Personal Health Information (PHI) or
other mobile pernagkat network. This SIMKES not
have the ability to connect with your mobile device or
internet network. This system has not been able to
check the strength of passwords. This is evidenced
by enabling one character sebgai password to access
the EMR. This system has not been able to do off
the username and password when the system does
not function / operated within a certain time. The
system is able to restrict access speckle consecutive
Proceeding of The 1st International Scientific Meeting On Health Information (1st ISMoHIM)
incorrect. SIMKES in BBKPM not provide password
reset facility. But users can menggati username and
password provided by the admin..
SIMKES in BBKPM not provide password reset
command facilities. Information feedback to the user
is important to know the response of the system on
the orders that have been made. The system is only
able to provide feedback when the username and
password provided was incorrect in the login process.
Entered user name that is case-sensitive means is
the system’s ability to distinguish income uppercase
or lowercase letters in a user name.
SIMKES in BBKPM not been able to provide this
facility revenue username combination uppercase or
lowercase letters on SIMKES BBKPM can get into the
system. Users can change the password and user
name the first time by admin. Password with alpha-
numeric characters. Entered password on SIMKES
BBKPM not provide this facility because it is only by
entering one character in the password already be
allowed into the system.. At the time the password is
entered the system stores passwords in encrypted
form (not plain text).
The system’s ability to prevent the use of
passwords back. In SIMKES BBKPM not available
this service. users will feel bothered when having to
remember passwords that have been used so it is not
used anymore. Sutentifikasi system supports parallel
to the NIST 800-63 NIST 800-63 is an authentication
level 3 support for multi-factor authentication on
the network connection to the Internet. SIMKES in
BBKPM not yet connected to the Internet so that the
service is not owned.
Based on CCHIT (2007) criteria for documentation
disaratkan in CCHIT EMR system security is a
documentation system must be equipped with a
control system configuration and system security
for users. Currently SIMKES to work 24 hours. Ever
damage to the system, which caused service outages
further hindered. It will possibly happen sustained
damage that could endanger the data that is already
stored in the system.The system has two servers
were put in one room, but only one server to be used.
Documenting data other than the server and the
storage media is also used storage media such as
hard drives and external hard drive. These systems
do not have documentation of system configuration
and control system security for users.
Based on CCHIT (2007) technical services
security systems on EMR consists of: (1) The
system’s ability to protect information through the
Internet, (2) The system sends the password in
encrypted form, (3) The system does not display
the password entry time password, (4) ability of
the system store data in encrypted format when
68 ISBN: 978-602-73865-5-1
accessed via a web browser, (5) the system is able
to protect the integrity of data sent over the internet,
(7) the system stores the data in a format ekripsipada
portable media, (8) System supports for storage in
perangkatmobile, (9) the presence warning message
upon user login.
Outpatient information system based
computerization at the Center for Lung Health
Community Surakarta using transmission media
LAN (Local Area Network) in order to avoid late
delivery of data in each unit that has been fitted
switch / hub.Sistem to work for 24 hours without
any uninterruptible power supply ( UPS) to cope
with blackouts. From these studies not mentioned
outpatient information system based computerization
at the Center for Public Health Lung Surakarta has
the ability to protect the system through this internet.
Sistem only use anti-virus that can be updated at any
time to avoid disruption of the virus from a computer
virus.
SIMKES in Surakarta BBKPM still have a
weakness for user passwords to limit the number
of at least 1 (one) karakter.Sistem store data on
SIMKES using two media are the main hard drive
and an external hard drive. So the system is not yet
capable of protecting information through the Internet,
send password entry time passwords, revealing
password when access via a web browser, protecting
the integrity of data sent over the Internet, storing
data in a format ekripsipada portable media, support
for mobile storage device, and not the message
warning on the currently logged on user. Based on
this, SIMKES in Surakarta BBKPM not meet CCHIT
standards.
Access Control As Security System Component
(Security: Access-Control)
Based on CCHIT (2007) there are components
in access control : (1) User access control restriction,
(2) user access control determination, (3) user access
control, (4) deletion of user in system, (5) onfidential
special information about patient, (6) the existence
of special policy called “Break the glass” to open
special information, and (7) caondition in number 5
and 6 in audit.
Based on CCHIT (2007) administrator has the
authority to control access which covers (1) authority
determination for each user, (2) grouping each users,
(3) restricts user by time transaction each day, part,
work-location, user’s emergency mode.
Based on CCHIT (2007) administrator given
the ability to set user’s access authority or group
by system. So, administrator is user who has the
authority to all accesses and to determines user’s
access, but while administrator runs the activity
corresponds to management decision. In EMR,
 Proceeding of The 1st International Scientific Meeting On Health Information (1st ISMoHIM)
grouping user’s authority access has been done
to keep the confidential of health information.
Administrator has the authority to access all of user
groups in the EMR Prototype which is consists of
administrator, management, outpatient, nurses,
doctors, laboratories, pharmacy, medical records,
operator, finance cashier, supervisor and inventory.
System’s users based on transaction each day,
work-location part, and emergency mode in the EMR
prototype cannot control yet. This control is important
to give access to use system. So, user’s access rights
in the EMR prototype has been done by (1) user’s
access rights, and (2) grouping users in group.
Based on CCHIT (2007) system supports
deletion of user’s rights without deleting user
from system. The EMR Prototype gives facility to
administrator to delete user, but the user’s history
in system still saved in audit. CCHIT (2007) system
allows doctors to mark specific information as data
which is invisible and forbids access from all of
another user. This policy which is called “Break the
glass”. This special information important to writes
information about patient’s disease as complement
of information that existed in their health records.
“Break the glass” policy make user can access this
special information.
Based on Abdelhaket al. (2007) “Break the glass”
policy make medical staffs can open patient’s health
information by force when in emergency condition
or when the password cannot be use. Access is
owned by each user based on health care facilities
concerned and only caregivers who can access
information from their patients in their care. The EMR
Prototype doesn’t have “Break the glass” policy yet.
Audit As EMR PrototypeSecurity System Com-
ponent (Security: Audit)
Based on CCHIT (2007) audit for EMR to fulfill
the components: (1) System equipped with audit,
(2) audit content, (3) Administrator’s ability to read
information in audit, (4) System’s ability to do time
synchronization, (5) System’s ability to export in UTC
format, (6) System’s ability forbids user which doesn’t
have the authority to access audit, (7) Administrator’s
ability to activate and nonactivate audit, (8) System
supports logging to audit engine.
The EMR System have to complete with audit.
Audit is documentation to all of the activity which
have done by all of system’s user. ATNA (Audit
Trails and Node Authentication) sets audit which is
contains about users, status, login time, logout time,
pedan and audit level. Audit functions to search
user’s activity in the system which is indirectly use
to detect the security of the system. EMR’s audit can
only accessed by system’s administrator. In EMR
prototype audit can only accessed through database
ISBN: 978-602-73865-5-1 69
management system (DBMS). “That audit content
inmodi_by and modi_date form, which is mean audit
records staff who has done the activity and also
the date and the time when the activity has done.
Whereas to delete audit cannot be done because
audit is congenital in database management system
(Microsoft SQL Server 2005) and cannot appear in
the user’s application except administrator. So that
user cannot accessed audit system.”(Budi, 2010)
The EMR Prototype doesn’t have the ability to
connect with internet network, so the audit doesn’t
use internet network too. However, EMR Prototype
do conversion of date and time entry with numbers
or letters into dd-mm-yy (date) and hh-mm-yy
(hour). Based on literature review which can be
found in EMR prototype doesn’t have audit yet.
So that EMR Prototype’s audit not fulfilling (0%)
CCHIT standard.
Authentication As EMR Prototype Security Com-
ponent System (Security: Authentication)
Authentication is an activity to confirmed data
validation which is given is correct information.
Base on CCHIT (2007) authentication is the security
system’s component which consist of some criteria :
(1) User’s authentication before Protected Resources
access, (2) System requires strong user’s password,
(3) System can detects inactivities from session,
(4) System restricts wrong consecutive access , (5)
System can do reset password, (6) The presence
of reset password command, (7) System provides
feedback information to users, (8) System use
user name entry which case-sensitive, (9) System
provides facility to change consistent password, (10)
System use alfa-numeric character password, (11)
System saves password in encryption form, (12)
System can prevent the use of the password back,
(13) System supports parallel authentication with
NIST800-63.
The EMR Prototype doesn’t have the connection
facility yet with other media include to save and
accessed by other media, so for another function
unfulfilled. Besides, password and user name
entry has been used for EMR Prototype system
authentication. This is done for user’s comfort, so it
will not easy for misusers by another parties to enter
the system by force. However, the probability this will
happen is small because EMR Prototype doesn’t use
internet network, so it will be complicate to open the
data by force by somebody outside the system.
Based on CCHIT (2007) prerequisites criteria in
CCHIT for EMR security system documentation is
system have to completed by system configuration
documentation and security system control for users.
Based on literature view that had been done, The
EMR Prototype doesn’t have documentation as
Proceeding of The 1st International Scientific Meeting On Health Information (1st ISMoHIM)
security control EMR guide. The EMR Prototype
security documentation unfulfilled (0%) from CCHIT
standard. The EMR Prototype doesn’t have security
documentation.
Technical Services As EMR Prototype Security
Component System 9Security: Technical Ser-
vices)
Based on CCHIT (2007) technical security
service system in EMR consists of : (1)System’s
ability to protect information through internet, (2)
System sends password in encryption form, (3)
System doesn’t show password when inserting
password, (4) System’s ability to save data in
encryption format when accessing through web
browser, (5) System can protects data integrity
which send through internet, (7) System saves data
in encryption format in portable media, (8) System
supports to save in mobile device, (9) The presence
of warning message when user logging in. The EMR
Prototype can guarantee security technical service to
desktop computer user and its application. However,
doesn’t have security technical service system utilize
internet network, so that EMR prototype cannot
accessed by laptop and smart phone. The EMR
Prototype’s prototype and design have similarity in
EMR system and utilization of internet network.
Base on literature view which had been done,
The EMR Prototype fulfilled 22% CCHIT standard.
The research mentioned from 9 components which
used to do the prototype observation in EMR
prototype, there are 3 components which exist and
6 components not exist in the EMR Prototype.
5. CONCLUSION
Confidentiality of data is a method of protection
against unauthorized access. Health care providers
should pay attention to security aspects and
70 ISBN: 978-602-73865-5-1
ensure the implementation of the release of health
information effectively and safely in the EMR, so
that the data contained in it can not be misused and
secured.The Government of Indonesia does not
have specific rules for EMR. EMR in Indonesia still
has to be fixed for a standard memenuhui CCHIT.
The government could consider CCHIT standards to
make special rules in the creation and assessment
EMR.
REFERENCE
Budi,S,C. 2010. Pengujian Sistem Keamanan
Prototipe Elektronik Medical Record RS.
Papyrus Berdasarkan STandar CCHIT. Tesis.
Universitas Gadjah Mada. Yogyakarta
CCHIT. (2007) Ambulatory 2007 EHR Certification
[Internet]. Available from: http://www.cchit.org/
certify/2007/ ambulatory-2007-ehr-certification
(accesed 30 April 2016)
Computer-based Patient Record Institute. 1999.
CPRI Tool Kit Managing Information Security in
Health Care. Computer-based Patient Record
Institute: Bethesda.
Hatta Gemala, 2008. Manajemen Informasi
Kesehatan di Sarana Pelayanan Kesehatan.
Universitas Indonesia: Jakarta
Menkes, RI. 2008. Permenkes RI No.269/MENKES/
PER/III/2008 tentang Rekam Medis. Jakarta:
Indonesia
Rohmadi,et al. 2013. Tinjauan Fitur Keamanan
Data Pasien pada Sistem Informasi Rawat
Jalan Berabasis Komputerisasi di Balai Besar
Kesehatan Paru Masyarakat Surakarta Tahun
2013. Karanganyar: APIKES Mitra Husada
Karanganyar