Giving a patient medications in the ER, having them pop positive on a test, and then withholding further medications because…
Time Capsule: Joe Sixpack’s Concerns About Privacy and Security Need to be Taken Seriously
I wrote weekly editorials for a boutique industry newsletter for several years, anxious for both audience and income. I learned a lot about coming up with ideas for the weekly grind, trying to be simultaneously opinionated and entertaining in a few hundred words, and not sleeping much because I was working all the time. They’re fun to read as a look back at what was important then (and often still important now).
I wrote this piece in February 2006.
Joe Sixpack’s Concerns About Privacy and Security Need to be Taken Seriously
By Mr. HIStalk
Is it just me, or are we having a sudden epidemic of privacy and security breaches in health care organizations?
Quite a few examples have been reported in newspapers and on TV lately, including the embarrassing “backup left in the back seat” exposure at Providence Health System. Patients are angry, lawyers are salivating, and those organizations involved in such breaches are fixing the gate as the horse gallops away.
Consumer Reports joined the fray this week, expressing concern that our electronic systems may not protect personal health information. Not just from thieves, but from drug marketers and fundraisers as well (odd, I know, but that’s what they said).
Hospitals used to feel safe, rationalizing that much more attractive targets such as banks would receive hacker priority. Indeed, hacker-type security breaches that expose patient data are fortunately rare (medical information has little cash value and few willing customers, so we can’t take all the credit).
We in health care IT may believe that the biggest barrier to our obviously beneficial migration to electronic medical records is money. Outside our world, however, Joe Sixpack doesn’t give that a thought (he’s seen all those construction cranes darkening our hospital skies, so he knows we’re doing OK). He’s worried that his neighbors will learn his medical history, that his employer may fire him for poor health, or that his insurance will find a reason to deny him care because he is predisposed to need it.
Joe Sixpack understands stolen paper charts, but he doesn’t worry much about that. He knows thieves seldom bother, for the same reason they’d rather not steal pennies from a wishing well: it’s too much work and risk for too little gain. Electronic records are obviously more attractive. A single computer, backup disk, or unprotected server can hold thousands or even millions of medical records that are easy to carry and hide, attracting a thief who’s more interested in showing how smart he or she is instead of robbing a convenience store.
(And of course, there’s a good chance that the prospective thief is your own employee, as I’m sure you already know.)
Joe Sixpack might view your EMR project as unusually risky, despite liking the concept. He doesn’t know what precautions you should take, but he’ll hold you accountable if you are breached. Odd, isn’t it, that a physical break-in seldom reflects poorly on the company being victimized, but an electronic one immediately triggers outrage and disbelief?
Other industries already have electronic records, so their risk is lawsuits. Healthcare is just moving to electronic data storage, so our risk is greater. The implied threats could stall our efforts to get there.
I think we need to take quite seriously those concerns about privacy and security as we solve connectivity problems to support RHIOs and integration. That means money diverted away from much-needed functionality to hopefully never-needed security. The people sitting around the table need to come from all industries, not just healthcare. We’re fairly new at this security thing, after all.
Most of all, we need to pay new attention. When Consumer Reports is worried about health care security and privacy, that means a lot of Americans are worried. We need to reassure them that we know what we’re doing.
What’s being reported today is just the tip of the iceberg. Regulators have no idea how to do their jobs and the health plans and hospitals know it.
Frankly, I don’t see any point in putting in more regulations when the ones we have aren’t being enforced.