Imagine a visit to the emergency room without the hassle of red tape: Doctors retrieve your medical records in electronic format with relative ease. They quickly gain access to your medical history, ascertain what medications are safe to prescribe, and notify your physician of the visit.
In a perfect world, this is a glimpse of the future in 2014, when all medical data is expected to be stored electronically as part of President Obama’s stimulus package, also known as the American Recovery and Reinvestment Act of 2009.
The stimulus package aims to cut health care costs and make records more accessible and portable. More than $19 billion was set aside to upgrade health information technology to make this happen. The hope was that the funding would motivate physicians, practices and hospitals to make the switch to using electronic health records (EHR).
Unfortunately we don’t live in a perfect world. The Obama administration considered the security ramifications of such a massive undertaking for the medical industry by updating a federal law that sets data privacy and security rules for key players in the American health care system. But its preparations seem modest compared with real problems that are beginning to emerge.
Securing digital health records is a big concern—and for good reason. Paper records can be stored in a locked room with surveillance systems in place. They’re retrieved, opened and shared upon request only. It is much more difficult to lock down digital data, a format specifically chosen because it facilitates easy exchange among health care providers nationwide.
Consider these findings from two audit reports by the Office of the Inspector General for the Department of Health and Human Services:
- “Audits of seven hospitals nationwide identified 151 vulnerabilities in the systems and controls intended to protect electronic Protected Health Information (ePHI), of which 124 were categorized as high impact. These vulnerabilities placed the confidentiality, integrity, and availability of ePHI at risk,” according to a report titled Nationwide Rollup Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight
- The different IT systems used to exchange EHRs has resulted in a lack of general IT security control requirements, according to a parallel audit report titled Audit of Information Technology Security Included in Health Information Technology Standards. This report focused on the need for “general IT security standards and IT industry security best practices,” as well as emphasizing to the medical industry “the importance of general IT security.”
The growing number of politically motivated hack attacks underscores the privacy risks to digitizing medical health records. In the wrong hands, personal health data could be used to inflate insurance rates, deny work to job seekers, or for public humiliation.
Medicine is in the grips of great technological change. Subdermal chips containing your entire medical history could be as common to our children as medical bracelets are today.
It’s troublesome that these sweeping changes are coming before security measures are put into place. You can bet that opportunistic thieves will discover the holes in the system. And when they do, they’ll exploit it.
Eduard Goodman, Chief Privacy Officer, CyberScout. An internationally trained attorney and privacy expert, Eduard has more than a decade of experience in privacy law, fraud and identity management. He is a member of the state bar of Arizona and served as the 2008-2009 section chair of the bar's Internet, E-Commerce & Technology Law Practice Section.
© CyberScout, LLC. All Rights Reserved.