September 17, 2012
Improving Quality And Security In Health Care IT
By Michael D. Shaw
In previous columns, I have made it clear that I am less than enthusiastic about the tens of billions of dollars being devoted to the forced implementation of Electronic Health Records (EHRs). While there is nothing wrong with EHRs per se, the vast sums being spent by the Feds on this rollout could be far better utilized in any number of other pursuits.
After all, it has long been known—and has been expressed by physician leaders including Adam Sharp, MD—that EHRs do not improve productivity, and probably do not improve patient outcomes, either. And, it was Sharp, a founder of online physician community SERMO, who told us why the government is so hell-bent on deploying EHRs:
The goal of EHRs is to wrestle control of health care away from the doctor-patient relationship into the hands of third parties who can then implement their policies by simply removing a button or an option in the EHR. If you can’t select a particular treatment option, for all intents and purposes the option doesn’t exist or the red tape to choose it is so painful that there is little incentive to “fight the system.”
Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the subsequent Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), various privacy guidelines were put into effect. The typical health care consumer might now observe quaint practices, such as doctors or their assistants referring to a patient as “Mrs. T.,” or being cryptically generic when referring to medical devices that must be brought into an examining room. Likely, matters of clinical importance will be discussed behind closed doors…but not always.
Far too often, patients and front office staff will engage in heated conversations regarding insurance coverage—within full earshot of others in the waiting room. Needless to say, such discourse can easily expose all sorts of financial and health information.
Even so, the public is poorly served by the perception of HIPAA and HITECH, widely encouraged by the health care industry, that “privacy” is all about safeguarding such matters as the details of your Aunt Sally’s medications, or the fact that Uncle Henry received a hip replacement. Of far more significance is the prevention of medical identity theft, whereby your insurance can be stolen, your records compromised, and your treatment plan sabotaged.
Sadly, the very nature of EHRs lends itself to the wholesale hijacking of data. Cold comfort indeed, that most medical data theft has been perpetrated by those who have legitimate access to the information.
Setting aside the dubious benefits of EHRs for a moment, the conversion process—even if it does not meet the 2014 full implementation goal—continues. Perhaps, to quote The Borg, “Resistance is Futile.” Fair enough. But if our entire health care system will be running on EHRs, we’d better make quite certain that the information technology behind it is secure and reliable to the greatest degree possible.
I recently spoke with two experts on the subjects of security and reliability of health care IT.
Albert Ahdoot is Director of Business Development at Colocation America, founded in 2000, and headquartered in Los Angeles. The company offers colocation, dedicated server hosting, voice over IP, bandwidth and IP, and managed virtual private networks. The company is proud to count among its many data center locations the famed One Wilshire (Los Angeles) and 60 Hudson Street (New York City) facilities.
Given the mission critical nature of health care IT, many organizations—independent of size—are making the move to colocation, whereby your server is placed in the racks of professionals, with enhanced service, connectivity, power outage protection, and data redundancy.
Albert told me why people should consider colocation:
Our company is compliant with SSAE 16, PCI, and HIPAA standards. Don’t forget redundancy. At your office, you are sitting on one power grid. In our data centers, everything is on N+2. The servers are battery backed up in the data center plus there are two available generators in the building, capable of providing power for up to a month. Given the location of our data centers, connectivity uptime has been excellent.
Michael Oldham is CEO of PortSys, based in Marlborough, MA and London, England. The company’s flagship offering is Total Access Control (TAC), a suite of products that secure and manage access to business resources from any device, regardless of where the resource is located (local or cloud). Oldham explains that…
TAC identifies the connecting device, its present location, user credentials including multi-factor authentication, and whether the device status meets the acceptable conditions set for access to that particular resource. Thus, this method of security does not rely on managing the device itself, but rather controls which devices get access to specific resources and under what conditions that access will be granted.
Michael cautions organizations against relying on the simple but not particularly secure old method of a user name and password.
We look at the access attempt, and when it is occurring. So, when a user is making a request for access, TAC looks at the user, their credentials, the device they are using, where they are coming in on, and employs that information to create a three dimensional picture of that person, with that device, at that moment in time. TAC takes all this and applies it in accordance with the established security policy. For example, only people within the data center and not using mobile devices can obtain access.
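As an added illustration of the kind of context-aware, deny-by-default check Oldham describes (this is not PortSys or TAC code; the resource name, policy fields and sample values are assumptions), here is a small policy evaluator that combines user credentials, MFA status, device type and posture, location and time of day before granting access to a resource, including the example rule from the quote: only people within the data center and not using mobile devices can obtain access.

```python
from dataclasses import dataclass

# Constructed example: every field below is illustrative, not a TAC attribute.
@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_passed: bool          # did the user complete multi-factor authentication?
    device_type: str          # e.g. "workstation" or "mobile"
    device_compliant: bool    # posture check (patched, disk encrypted, ...)
    location: str             # where the request is coming in from
    hour: int                 # local hour of the request, 0-23

@dataclass(frozen=True)
class Policy:
    """Conditions for one resource; every condition must hold for access."""
    resource: str
    allowed_locations: frozenset
    blocked_device_types: frozenset = frozenset()
    require_mfa: bool = True
    require_compliant_device: bool = True
    hours: tuple = (0, 23)    # inclusive window of allowed hours

def evaluate(policy: Policy, req: AccessRequest) -> tuple[bool, list[str]]:
    """Return (granted, reasons). Deny by default: any failed condition denies,
    and every failed condition is reported so the denial can be logged."""
    reasons = []
    if policy.require_mfa and not req.mfa_passed:
        reasons.append("mfa_required")
    if req.location not in policy.allowed_locations:
        reasons.append(f"location_not_allowed:{req.location}")
    if req.device_type in policy.blocked_device_types:
        reasons.append(f"device_type_blocked:{req.device_type}")
    if policy.require_compliant_device and not req.device_compliant:
        reasons.append("device_not_compliant")
    start, end = policy.hours
    if not start <= req.hour <= end:
        reasons.append("outside_allowed_hours")
    return (not reasons, reasons)

# Assumed policy matching the rule in the quote: only users physically in the
# data center, on a non-mobile device, may reach the (hypothetical) EHR database.
EHR_DB_POLICY = Policy(
    resource="ehr-database",
    allowed_locations=frozenset({"data_center"}),
    blocked_device_types=frozenset({"mobile"}),
)

if __name__ == "__main__":
    req = AccessRequest("dr.t", True, "mobile", True, "data_center", 9)
    print(evaluate(EHR_DB_POLICY, req))   # (False, ['device_type_blocked:mobile'])
```

The same user with the same credentials is granted from a compliant workstation inside the data center and denied from a phone, which is the point of evaluating the whole picture rather than the password alone.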
In essence, health care IT systems must be created so that resistance to their security and reliability is futile.