Tuesday, June 05, 2012

More Electronic Medical Record Breaches: You Could Not Do This With Paper

I have written repeatedly on the dangers posed by poorly managed health IT regarding information breaches. See "2011 Closes on a Note of Electronic Medical Record Privacy Breach Shame" and other posts at this query link: http://hcrenewal.blogspot.com/search/label/medical%20record%20confidentiality

Now this, from Kaiser Health News and The Washington Post:

As Patients' Records Go Digital, Theft And Hacking Problems Grow 
Jun 03, 2012

As more doctors and hospitals go digital with medical records, the size and frequency of data breaches are alarming privacy advocates and public health officials.

Keeping records secure is a challenge that doctors, public health officials and federal regulators are just beginning to grasp. And, as two recent incidents at Howard University Hospital show, inadequate data security can affect huge numbers of people.  

With paper, you'd need a stream of trucks to accomplish this magnitude of theft:

On May 14, federal prosecutors charged one of the hospital's medical technicians with violating the Health Insurance Portability and Accountability Act, or HIPAA. Prosecutors say that over a 17-month period Laurie Napper used her position at the hospital to gain access to patients' names, addresses and Medicare numbers in order to sell their information. A plea hearing has been set for June 12; Napper's attorney declined comment.

Just a few weeks earlier, the hospital notified more than 34,000 patients that their medical data had been compromised. A contractor working with the hospital had downloaded the patients' files onto a personal laptop, which was stolen from the contractor's car. The data on the laptop was password-protected but unencrypted, which means anyone who guessed the password could have accessed the patient files without a randomly generated key. According to a hospital press release, those files included names, addresses, and Social Security numbers -- and, in a few cases, "diagnosis-related information."

I add that they could also probably have booted the laptop from alternate media, and/or removed the hard drive and inserted it into another computer, to access the contents.
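As an added illustration (not part of the original post or the KHN article), the Python below simulates the distinction just described: a login password only gates the operating system's own decision to let you in, while encryption at rest leaves the raw bytes useless to anyone who pulls the drive. The patient lines, the "hunter2" password and the toy disk layout are constructed; the HMAC-SHA256 counter-mode construction with a MAC tag is a standard-library stand-in for a real AEAD such as AES-GCM or for platform full-disk encryption, used here only so the example runs without third-party packages.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data standing in for the patient files on the laptop.
PATIENT_RECORDS = (
    b"name=Jane Doe;ssn=000-00-0001;dx=diagnosis-related information\n"
    b"name=John Roe;ssn=000-00-0002;dx=\n"
)
GATE_LEN = 16 + 32  # salt + PBKDF2-SHA256 digest stored by the "OS"


def make_login_gate(password: str) -> bytes:
    """What an OS login password really is on disk: a salted hash, not a key."""
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def login_ok(gate: bytes, attempt: str) -> bool:
    """The only thing the password protects: the OS's decision to log you in."""
    salt, digest = gate[:16], gate[16:]
    cand = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, 100_000)
    return hmac.compare_digest(cand, digest)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for a real cipher (AES-CTR)."""
    blocks, counter = bytearray(), 0
    while len(blocks) < length:
        blocks += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one 32-byte random disk key.
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a random nonce; output is nonce || ciphertext || tag."""
    enc, mac = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then strip the keystream; raises on wrong key or tampering."""
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad tag: wrong key or modified ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


def can_decrypt(key: bytes, blob: bytes) -> bool:
    """True only if this key reproduces the records (used to show a wrong key fails)."""
    try:
        return decrypt(key, blob) == PATIENT_RECORDS
    except ValueError:
        return False


def build_image(password: str, disk_key: Optional[bytes] = None) -> bytes:
    """Toy disk image: login gate followed by the records, in the clear or encrypted."""
    body = PATIENT_RECORDS if disk_key is None else encrypt(disk_key, PATIENT_RECORDS)
    return make_login_gate(password) + body


def offline_read(image: bytes) -> list:
    """What pulling the drive (or booting from other media) yields: the raw bytes,
    with the login gate never consulted. Returns every line that carries an SSN."""
    return [line for line in image.split(b"\n") if b"ssn=" in line]


if __name__ == "__main__":
    pw = "hunter2"  # constructed password
    clear_img = build_image(pw)
    print("wrong password accepted by login?", login_ok(clear_img[:GATE_LEN], "letmein"))
    print("records readable offline despite the password:", len(offline_read(clear_img)))
    key = os.urandom(32)  # the "randomly generated key" the article refers to
    enc_img = build_image(pw, key)
    print("records readable offline when encrypted:", len(offline_read(enc_img)))
    print("owner with the key recovers them:", can_decrypt(key, enc_img[GATE_LEN:]))
```

The password check never runs in `offline_read`, which is the whole point: a thief who images the drive is reading bytes, not logging in. Only the second image, where the records were encrypted under a key that never touches the disk, survives that read.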

Ronald J. Harris, Howard University's top spokesman, said in an e-mail that the two incidents are unrelated, but declined to answer further questions. In its press release about the stolen laptop, the hospital said it will set new requirements for all laptops used by contractors and those issued to hospital personnel to help protect data.

Still it could have been worse. Much worse.

Just days after Howard University contacted its patients about the stolen laptop, the Utah Department of Health announced that hackers based in Eastern Europe had broken into one of its servers and stolen personal medical information for almost 800,000 people -- more than one of every four residents of the state.

How many trucks (and Stargate SG-1 style invisibility cloaks) would it take to inconspicuously steal 800,000 paper charts, I ask?

And last November, TRICARE, which handles health insurance for the military, announced that a trove of its backup computer tapes had been stolen from one of its contractors in Virginia. The tapes contained names, Social Security numbers, home addresses and, in some cases, clinical notes and lab test results for nearly 5 million patients, making it the largest medical data breach since the Department of Health and Human Services began tracking incidents two and a half years ago.

Five million charts in a country of 300 million people...

As recently as five years ago, it's possible no one outside Howard University would have known about the incidents there. But, new reporting rules adopted as part of the 2009 stimulus act ensure the public knows far more about medical data breaches than in the past. When a breach occurs that affects 500 or more patients, health care providers now must notify not only HHS, but also the media.

Meaning there were breaches the public does not know about.

Deven McGraw, director of the health privacy project at the Center for Democracy & Technology, a Washington-based Internet advocacy group, said the number of incidents is growing with the increased use of digital health records. The health care industry, she added, has been slow to respond.

A problem is not enough "motivation."

"Many financial companies have used encryption for years and they probably wonder what the heck is going on with the health care industry," McGraw said. "It's much cheaper to deploy safeguards than to suffer a breach."

I offer a one word answer:  complacency.

Now for the "spin control":

This growing problem puts HHS in a tough spot. It is pushing hospitals and doctors to adopt electronic health records, but it's also responsible for punishing health care providers who fail to properly secure their patients' records.

"Mistakes happen, incidents happen, corners get cut from time to time," said Susan McAndrew, deputy director for health information policy at HHS's Office of Civil Rights. "That's where we come in."

"From time to time" is a rather modest description of the millions of breaches mentioned in just this posting.

But as I've written before, don't worry, your records are safe.

Just don't tell the doctor about that "incident" at that seedy club the other night, and find some other excuse to get the antibiotics you need, and that information will be safe, too.

-- SS


Steve Lucas said...

I could not help but think of a recent piece I read where a young doctor finishing his training was extolling the virtues of EMRs. He could sit at his desk and check patients, and their records. He did not have to bother going up to the floor and finding the charts, nor did he have to deal with someone's handwriting.

He compared EMRs to dial-up. We are in the early stages and the technology will mature.

What I could not shake was the feeling that he related to the computer and not his patients. They were simply data on a screen. I also had the sense that his access to this data, and others also having access, was acceptable to him. He has grown up in a Facebook age.

Lacking was a certain maturity. He is a doctor and his primary concern should be his patients, not sitting at a desk interacting with a computer. He also seemed to lack an understanding of the security issues with everyone having access all the time to patients' data.

There is an irrational exuberance embraced by young and old alike for computers.

Steve Lucas

InformaticsMD said...

The term to describe this is the "iPatient." I will have more on that in a post soon.

-- SS

SnorePros.com said...

I'm not sure what's scarier, having your credit card information stolen, or having your medical records stolen for the entire world to see. With the first, you can at least contact your credit card company and have them cancelled. What do you do about your records being out in the open?