December 14, 2009
Protecting Digitized Health Care Data: Look Beyond Just Technology
By Michael D. Shaw
There’s no question about it. Digitized information is more convenient than the old system of endless paper files, file cabinets, and acres devoted to archival storage. Digitizing saves time, saves energy, and makes the information far more accessible. The feds have set aside $19 billion to create an electronic health record for every American by 2014.
The ready availability of digital medical records means doctors will have the ability to quickly retrieve everything they need to know about a patient—preexisting conditions, drug allergies, past surgeries or tests, scope of insurance, and emergency contacts. With information so readily available, the improved efficiency should lead to fewer mistakes, better quality of care, and billions of dollars in savings.
A 2008 study conducted by the Department of Health and Human Services (HHS) and the Robert Wood Johnson Foundation found that 82% of doctors using electronic records said they improved the quality of clinical decisions, 86% said they helped in avoiding medication errors, and 85% said they improved the delivery of preventive care.
But, there’s the other side. Millions of records can fit on a tiny portable drive, and can be stolen. Files can be inadvertently put on insecure computer networks, and apparently secure networks can be hacked. Tales of sensational data breaches are not hard to find.
In the most recent fiasco, someone’s lack of understanding of how pdf files work allowed the entire Transportation Safety Administration “Screening Management Standard Operating Procedures” manual to be accessible to anyone with Internet access. And, just a few months ago, the Justice Department announced the indictment of a Florida man, who conspired to hack into computer networks supporting major American retail and financial organizations, and stole data relating to more than 130 million credit and debit cards.
As to data breaches on the health care side…
It was reported just last month that a hard drive with seven years’ worth of personal financial and medical information on about 1.5 million customers of Health Net of the Northeast Inc. went missing. To make matters worse, the breach had occurred six months earlier. Along with medical records, the hard drive contained names, addresses, and Social Security numbers of Health Net customers from Arizona, Connecticut, New Jersey, and New York.
In October, the Blue Cross Blue Shield Association experienced a data breach incident affecting over 800,000 doctors in the US. Thieves stole an employee’s computer that contained an unencrypted file with the personal information of nearly every doctor who accepts this popular health insurance plan.
In May, 2009, the personal medical records of tens of thousands of people were lost by the UK’s National Health Service, in a series of what were called “grave data security leaks.” From January to April of 2009, 140 security breaches were reported within this agency.
HHS regulations, effective September 23, 2009, pertaining to entities covered under the Health Insurance Portability and Accountability Act (HIPAA), require the reporting of any data breach incidents that have affected over 500 individuals, shortly after the breach is discovered.
However, as of this writing, nothing appears on the link “View a list of these breaches.” Sadly, this is yet another example of the truism that rules are not self-enforcing, and that rules alone do not change human behavior.
I recently spoke to Ralph Pierre, founder and president of SalvageData Recovery Inc., a leading provider of data recovery services, about health care data security issues. Pierre notes that information has always had value, and people are only beginning to speculate on what could be done with stolen patient medical data. It boggles the mind to imagine what hucksters could do with lists of terminal patients, for example.
Pierre reminds us that while there are inherent cost savings in moving from paper to electronic health records, there are also many security considerations—by no means free of charge—that will have to be implemented.
Here are a few:
- A unique patient ID system, eliminating the problem of connecting an actual name with a patient record
- A rigorous chain of control system and accountability, including security clearance for employees who access patient records
- Life cycle of patient data will have to be defined, along with deletion protocols, ideally set to Department of Defense data wiping standards.
- Backups must be scrupulously maintained.
While these points are not exactly novel to those immersed in IT security, for such practices to be implemented successfully, many health care organizations will require a change in culture. Indeed, technology per se is not the problem.
But, hospitals are already undergoing changes in culture. Originally, their mission was simply to provide excellent patient care. Now, they have to do this on a budget, based on what insurance will pay, all the while running sufficient tests to fend off the malpractice attorneys. Unavoidably, there are conflicts between administrators and medical personnel.
Human resources consultant Susan M. Heathfield says that the two most important elements for creating organizational cultural change are executive support and training.
Executive support means walking the walk, demonstrating by their own actions that they really believe in the new paradigm. We all recall what ensued when potential high level presidential appointments were revealed to have tax problems, and employees are quick to recognize hypocrisy in their supervisors.
Training must be comprehensive, and it must be emphasized precisely what is expected of each employee who will access sensitive records. Ralph Pierre’s point of accountability is also a key part of the cultural change. It must be stressed that security breaches can be as devastating as infection control or other clinical procedural lapses.
Sadly, true accountability has never been the forte of the health care industry, notwithstanding the endless reports that are filed. Breaches must be investigated, adjustments made, blame assessed, and disciplinary action taken. This is not the status quo of health care, but clearly the status quo is not working.
All the technology in the world won’t matter until every affected employee gets on board. More than ever, hospital IT managers must engage the human element.