23

I've seen referenced in literature the need to have a "break glass" mode in Healthcare IT applications. In this mode, the access controls in an application can be bypassed for an emergency when it is critical for a user to gain access to imaging data. Typically, the facility will have some sort of policy in place to justify using the mode after the fact.

I'm wondering if many facilities are demanding this feature in heathcare applications? I don't recall seeing this in many real applications.

Gilles 'SO- stop being evil'
  • 50,912
  • 13
  • 120
  • 179
Steve Wranovsky
  • 488
  • 1
  • 4
  • 9

10 Answers10

17

My healthcare organization uses Break The Glass with our EMR. I work on the IT side of things so I'm not sure how it applies to the clinicians, but for us it is setup so that if we access any patient record we are required to Break The Glass. In doing so we are forced to enter a comment as to why we need access to the record.

It's a good feature - with the introduction of the HITECH act, and of course with HIPAA, it is important to document why you went into a patient's chart.

As a patient, you have the right to request the names of all of the employees who accessed your medical record and you also have the right to know why they needed to see your chart. By forcing the Break the Glass feature, we as employees are forced to create this documentation. If we didn't have this documentation and a lawsuit was brought against my organization, the individuals who accessed the chart could be held liable if they cannot produce sufficient reason for entering the chart.

So in short, no it is not required, but it is an excellent way to mitigate risk - not only for your organization but for the individuals who can be held liable by HITECH and HIPAA.

  • 2
    Similar system in place here. Though not called "break the glass", you have to self-actualize your access request if you attempt to access patient records outside your own ward (or patients deemed to be "yours", for various reasons). For attendings who roam between departments (for instance 'specialty' on call), this means clicking "to provide healthcare service" when they open the record. Similarly there are overrides for "for research", etc. Allowing for slightly (but only slightly) more meaningful post-access audits. –  Oct 27 '11 at 07:04
9

There is no broad requirement for that specific feature as far as I'm aware. However, as a medical application you will normally consider the hazards of the system and mitigations.

If one of your hazards is "can't get at the images when I need immediate access for emergency diagnosis" then it's quite likely that one of your mitigations would be a "break glass mode". I have certainly seen systems offering backdoor (non-GUI) access into the image archive for precisely this reason. As @Marshall Anschutz said, this all depends on how life-critical the image operations are.

I cannot comment as to the demand for this feature, but I think that falls secondary to the need for the feature from a safety perspective.

8

As a physician, even though I can think of situations where having immediate, unrestricted access to clinical information can be critical, I can't think of an "emergency break glass" feature as an absolute requirement for an electronic healthcare information system. The security risks of having unrestricted access are too high, and besides, think of the following: a similar feature is definitely not available with traditional, paper-based systems, and yet they are still used to good effect (if, for whatever reason, you can't access a physical record because it has been misplaced, or is otherwise "locked away" from you, that's it, and you'll have to make do just with what you have at hand).

In my opinion, having this kind of feature just adds an unacceptable security risk. The proper way of ensuring patient safety with timely and appropriate access to clinical information is by correctly instructing our systems' users in knowing and using our security and authentication measures.

  • 4
    I agree with your first paragraph, but the general effect of rigid/inflexible access control systems is that they are circumvented. If the system does not provide for "on call"-specialists to self-actualize when they attend patients outside their own department, the solution is often to give them untethered access to everything, which is worse (IMO). –  Oct 27 '11 at 07:08
  • Traditional, paper-based systems usually have a "break the glass" mode. For example, if a record has been physically locked away, a fire axe may be able to give you access to it. – Simon Woodside Dec 22 '16 at 01:16
  • 1
    You know, over the last years I have given more thought to this question -- while I still don't see the "break the glass" functionality as an absolute requirement, I think it can be a good thing to have, as long as there are well-implemented traceability features around it. – Jaime de los Hoyos M. Dec 27 '16 at 12:22
7

Personally, I always think of a "break glass" setup when considering the use of data in an emergency setting. Take an emergency room for example: in my mind, all ER doctors should be able to pull all records from the ER terminals. You handle issues by means of exception logging. If a patient's record is accessed without a check-in, then you can investigate after the fact. You don't lock-out access because they may have arrived in cardiac arrest and the triage desk never sees them.

Similarly, you keep a stack of valid and unassigned cards behind the nurses desk. If one of them is used and not assigned to a person within a few hours, you can investigate after the fact... but I wouldn't risk a scenario where a doctor loses his card and can't access data until requesting a new card from IT.

Access control is part of the solution. Good auditing and trigger rules make up the gap so that you don't stop something necessary. For a clinical setup, the 'all access' card deck might be the one you keep in a drawer and always investigate their use after the fact.

Jeff Ferland
  • 38,090
  • 9
  • 93
  • 171
4

There may be a requirement such as this depending on the application; however, it is most likely limited to certain applications. i.e. heart monitoring devices in a hospital. Whereas, an electronic claims submission system would never have the requirement to allow modifying who submitted the claim by the normal end user, as that may violate the premise of such a system's security.

In short, this may be a requirement, but it depends on who the target end user is, and how life-critical the operation it performs would be.

  • I would expect "Break the Glass" mode to allow *reading* existing data, and possibly appending additional data -- which is different from modifying existing data. I wouldn't expect to see a "Break the Glass" mode for an electronic claims submission, which is not time-critical (no one will die if the claim is not submitted for another day or two), but I might expect to see it for read access to medical charts. – D.W. May 02 '12 at 00:35
4

If such requirements exist (not arguing against them mind you) then we should inform creators of centralized systems. Many systems I have seen have very strict security policies in place, some will squarely lock you out if, say you mistype your password more than 3 times. the lockout occurs centrally such that even if we allow the user to bypass all out application`s security policies he will still be blocked from accessing the central database.

In some case it is not vitally important (least not directly) to access a patient`s current demographic information but getting the latest INR results however could be vital.

Personally I never had to implement such bypass. Most applications and systems I was involved with were never intended to be used in emergency situation so the situation never really came up.

However if I were to implement such measures I would keep a special thorough audit tracking log of all operations performed while under this mode.

3

In a former job our EMR was set up with "Break the Glass" for our VIP patients and all employees, you couldn't access their health record without clicking another box stating you understand your actions are being logged.

2

Some automatic blood bank audit and release systems have a 'break glass' feature where the fridge can be accessed without having to follow the normal process, which might be; input request, scan patient record identifier, bidirectional interface with lab system looks up blood type and the blood unit is scanned on removal from the fridge...

It's very useful to have a quick release door mechanism, and field to subsequently capture a justification in this instance.

Peter
  • 21
  • 1
2

This mechanism is now made mandatory by law in France (lookup PGSSI-S, in French).

I don't know about other states, but you should check the relevant legislation.

  • sadly, the link doesn't work anymore. Can you please refresh your answer, maybe even shortly summarize the relevant information? – kaiya Nov 06 '20 at 16:01
-1

No. Its not actually required, and is not really a secure way (IT Security wise) of handling it.

Access control is not only to prevent a authorized user to do prohibited things, but to limit damage if an attacker would in some way aquire a authorized user's credential. Then no "Break the glass" systems will prevent access, the attacker will just click through.

A better way of handling it, is to use terminal restrictions instead. This means that you give different access policies based on WHERE the access comes from.


For example, if the ambulance has a laptop or terminal, you could assign so this terminal can access any medical record, but then you have some limitation put in place that prevents abuse. You could for example have that the dispatch center can set how many medical records that can be accessed during a "dispatch", since they know roughly how many people at the target location requiring medical attention.


Then in for example patient rooms, you can have so certain non-medical personell on-site responsible for a corridor or a set of rooms, can "book in" patients into the room, and "book out" patients from the room (but not access records). And ofcourse dispatch personell should be able to "book in" and "book out" patients from any room, but only patients that have partipicated in a recent "dispatch" so to say. And same way here, physicians which "have" a patient, should also be able to "book in" and "book out" patients into any room in the facility.

Any patient that is "booked in" that room, can then be accessed by ANY medical personell, but only from a terminal located in that particular room where the patient is "booked in". And of course, no more patients than the room can hold should be able to be "booked in", and of course it should not be possible to "book in" patients "booked in" somewhere else, first the patient have to be released from the previous room first.


Using such limitations greatly increases security, because you can then totally block the possibility to access "foregin" medical records, while still allowing emergency response in emergency situations.

sebastian nielsen
  • 8,779
  • 1
  • 19
  • 33
  • This would be a disastrous approach that is completely ignorant of how health care is actually delivered, which, of course, is why it's not actually used by any system in existence. – Xander Aug 23 '19 at 05:23