Uncategorized

Are We Adequately Securing Personal Health Information?

In a discussion about electronic health records (EHRs) a couple weeks ago, one of the Human Resource team members at a prospective client said, “I don’t believe it’s possible to secure electronic health data. It’s always an accident waiting to happen.”

There is some truth to that. More and more, our Personal Health Information (PHI) is in electronic formats that allow it to be exchanged with professionals and organizations throughout the health care continuum. It is highly unlikely that each contact point has the protections to wrap that data up tightly, away from those who would exploit it.

Of course, PHI is among the richest examples of personal data, often with all the key ingredients prized by identify thieves: social security number, birthday, phone numbers, address, and even credit card information. This should give health care organizations considerable pause.

Then consider that, while paper charts contain the same information, electronic files often aggregate hundreds of thousands or even millions of records, information treasures troves for someone really focused on acquiring, mining and making use of the data.

Which is what makes a new health data security survey commissioned by Kroll Fraud Solutions and conducted by HIMSS Analytics, so provocative. As they had in 2008, HIMSS Analytics found that most provider organizations meticulously comply with data security rules and standards. But they’re overly confident about the security that compliance actually conveys. Worse, many remain unaware, until confronted by an event, of the devastating implications of even a minor breach.

And the threat is intensifying as the market and technology evolve. In 2010, 19 percent of organizations reported a breach, half-again higher than the 13 percent in 2008. Apparently, both the complexity of the environment and the interest in the data are growing. Security may be diminishing as a result.

And breaches can be hugely costly. A Poneman Institute study found an average cost of $6.75 million for organizational data breaches. This figure is not limited to incidents with malicious origins or even harmful consequences. In January 2009, the Department of Veterans Affairs agreed to pay $20 million to veterans who could show they were hurt when, in 2006, a VA data analyst lost a laptop containing information on 26.5 million patients, nearly every living veteran. The laptop was eventually recovered without apparent data compromise. The VA is now struggling with a new, serious health data breach.

Nor is the impact likely to be financial alone. The larger cost may simply be in the loss of patient confidence. After all, if an organization can’t competently manage my data, do I want to hand over management of my family’s health?

Perhaps the HIMSS Analytics’ study’s most important and penetrating finding is that “health care organizations continue to think of data security in specific silos (IT, employees, etc.) and not as an organization-wide responsibility, which creates unwanted gaps in policies and procedures.”  Nearly 9 in 10 survey respondents said they have policies in place to monitor access to and sharing of health care information. But more than four-fifths of breaches occur in more mundane ways: e.g., lost/stolen laptops, improper document disposal, stolen tapes. In other words, the holes can’t be addressed by isolated approaches.

Security is a process, not a product. This means that certification of PHI security must be larger than merely plugging the security gaps in information technology, and must extend to the ways that people access and use information and the information technology.

It is clear that the answers here involve making heath data security an enterprise-wide responsibility, creating highly aware environments resistant to breach in even the most seemingly insignificant interactions. That will demand a significant cultural shift, critically necessary but, as this survey shows, difficult for many organizations’ leaders to wrap their heads around.

Brian Klepper, PhD and David C. Kibbe, MD MBA write together on health care innovation, technology and market dynamics.

Livongo’s Post Ad Banner 728*90

14
Leave a Reply

14 Comment threads
0 Thread replies
0 Followers
 
Most reacted comment
Hottest comment thread
13 Comment authors
Merle BushkinGary Thompson, CLOUD, Inc.Tom BarrnonameDoc99 Recent comment authors
newest oldest most voted
Merle Bushkin
Guest

Hi David, I’m delighted to see you have moved from the rather casual approach you espoused a few months ago regarding the security and privacy of medical records. (I’m referring to your anecdote about a North Carolina banker friend and people’s gradual acceptance of electronic banking transactions.) Privacy and security have been, are and will continue to be a major and ever growing concern of consumers. It’s about time they become a major concern of providers, vendors and government agencies. As you point out, breaches and thefts of electronic records of all sorts — including EMRs — are accelerating at… Read more »

Gary Thompson, CLOUD, Inc.
Guest

David and Brian – I’m sitting here at Health 2.0 in Paris and saw a tweet go by on #EHR that pointed me to this excellent post at The Health Care Blog. As I read through this article on personal health information, I can’t help but think back to your column early in the new year on the topic of electronic health records. As I commented then, this challenge with information is not just limited to personal health information but all of our information on the Internet. The challenge is that each database of information includes both WHO I Am™… Read more »

Tom Barr
Guest
Tom Barr

Is there anything in our lives that is adequately secure? Airplanes, cars, banking information, the stock market, our tax information? I don’t know ; our whole connected world enterprise seems pretty porous to me.

noname
Guest
noname

Add that to the intentional leaks and intentional inaccuracies from our government and medical “professionals” are already at a high, especially for people with disabilities. But why do we care – the most hated group ever in the history of the world? It could only mean the difference between life and death, employed or not employed for the 30% of the population that have been labeled “disabled”. Let’s just shove it under the rug, like we do with all of the rest of questions about this “health” care legislation. We make money when we screw up somebody elses life –… Read more »

Joseph Stevens, MD
Guest
Joseph Stevens, MD

The best place for your private information is locked in your doctor’s office. If any one wants to know, they can call me, and tell me why they need the information, and what they want, exactly, after you give me permission. Then, I will decide what is appropriate to give out, recognizing that I am your advocate, and will protect you.

Doc99
Guest
Doc99

Short answer – NO. Opening Healthcare to the IRS … what could go wrong?

Good Health To You
Guest

Freedom from pain, illness and disease! Master Herbalist recommended, safe and effective. Achieve a healthier America through self help. Taking control of your health care is as easy as 1,2,3.

MD as HELL
Guest
MD as HELL

Of course not.

Margalit Gur-Arie
Guest

Great article as usual, Brian and David. While security breaches need to be addressed, I recently looked at this subject from a slightly different perspective – Privacy. We are embarked on an effort to make data “fluid” and it seems that all those small practices out there are going to be required to store, or at least upload, their data to various aggregators, whether these are EHR vendors, HIE vendors, RHIOs, platform owners or ultimately government. The question begged to be asked is what happens to all that data? What can those aggregators do with it? What will they do… Read more »

Bryan Kibbe
Guest

Excellent post. I especially appreciated your insight that security is a process not a product. I take your point to be in part that we need more than just a technological solution to the security gaps in electronic health records. Instead, we need people to change fundamental behaviors that take into account life in an increasingly digital world. It strikes me that your insight is especially good because not only does a technological patch not address the problem of electronic health record security, but it in fact may exacerbate it by allowing bad behaviors to persist under the illusion of… Read more »

Dave Kirby
Guest

Thanks to Brian and David for highlighting this issue. The post and the fine Kroll study focus on an important area – security measures related to confidentiality in large healthcare enterprises (e.g. hospitals, AMCs, VA). But, one should not leave this topic without also visiting the issue from the perspective of the organizations where a great percentage of all PHI resides- small medical practices. Most practices are small practices; so, this is a large segment of the healthcare institution population. The opportunities, challenges, risks, benefits, politics, and public relations related to security of PHI in small medical practices are distinct… Read more »

Hand Gel Geek
Guest

At least in America you’re having the debate and there’s a reasonable chance the various parties will adhere to the course of actions decided upon…
unfortunately, here in the UK it was discussed; recommendations made and then various bodies ignored all the recommendations – http://www.telegraph.co.uk/health/healthnews/7552827/Security-fears-as-NHS-sends-patient-records-to-India.html
“The possible risks of transferring patient data abroad were exposed last year when undercover reporters from ITV’s Tonight programme were able to buy health records which were processed in India from a private hospital in London.”
I hope people in America can learn from our mistakes.

Confidential Clinic Worker
Guest
Confidential Clinic Worker

Perhaps this isn’t an issue that men think about very often but with over 1 million abortions a year – many women are less concerned about the “theft” of their data then by the forced disclosure to all of their health care providers that they may have had this procedure.. If for example you are one of the 8 million Kaiser members and you have even a therapeutic abortion – ie the baby died in utero – everyone from your eye doctor to your foot doctor will see it listed under procedures.. In the same way that not all pharmacists… Read more »

Joseph Stevens, MD
Guest
Joseph Stevens, MD

“Perhaps the HIMSS Analytics’ study’s most important and penetrating finding is that “health care organizations continue to think of data security in specific silos (IT, employees, etc.) and not as an organization-wide responsibility, which creates unwanted gaps in policies and procedures.” This is what is known as the pot calling the kettle black. HIMSS is trying to protect itself from the charges of conflict and promoting unsafe HIT devices. The breaches in privacy are widespread. Hospitals go to the extreme of using HIPAA to fire aggressive patient safety oriented disruptive (to the unsafe conditions) doctors who complain about the environmental… Read more »