Last December, someone smashed the window of a car belonging to an employee of Providence Health System in Oregon and stole
computer backup tapes and disks containing records of 365,000 home health patients.
In an age when organized crime traffics in pilfered Social Security numbers, incidents like this put a chill on the growing
movement to computerize patient data. The same technology that can save lives and money can also create opportunities for
privacy violations on a massive scale. After all, it's hard to imagine identity thieves finding 365,000 paper charts in somebody's
car.
Jumbo breaches in computer security also plague the rest of society, but when the wrong eyes are looking at your medical history
as well as your Social Security number, there's even more cause for angst. And healthcare IT has had plenty of scary mishaps
besides the one in Oregon over the last 12 months:
- Wilcox Memorial Hospital in Lihue, HI, lost a thumb-sized data drive with information on 130,000 former and current patients.
- Backup tapes containing information on 57,000 enrollees of Blue Cross Blue Shield of Arizona were stolen in a burglary of
a managed care company that worked for the insurer.
- A hacker broke into a server and nabbed 42,000 patient records at the health center of Colorado University in Boulder.
- Kaiser Foundation Health Plan was fined $200,000 by the state of California for posting information on approximately 150
patients—without their permission—on a public website.
No one knows the extent to which all this footloose data translated into typical identity theft, but such security failures
are still troubling, especially since they also support the growing criminal specialty of medical identity theft—using someone else's insurance information to receive care.
"The medical community is leaping into this technology without doing its homework," says Pam Dixon, executive director of
the nonprofit World Privacy Forum in Cardiff by the Sea, CA. "We can't guarantee 100 percent privacy, but we better do this
thing right."
And maintaining the privacy of electronic patient data isn't just a challenge for doctors and hospitals. An article in Consumer Reports noted that HIPAA allows providers to share data with healthcare-related businesses, which could misuse this confidential
information, or let it slip into the wrong hands.
Although surveys show most Americans believe that EHRs will improve medical care, they also worry about showing up in the
next stolen laptop. According to a Harris Interactive survey, while 48 percent said the expected benefits of EHRs outweigh
the privacy risks, 47 percent said the opposite.
These are sobering numbers for the healthcare industry as well as for the Bush administration, which envisions a national
health information network, or NHIN, that connects doctors, hospitals, and patients. For all the fear of identity theft, though,
a society that loves ATM machines and online shopping isn't likely to return to paper records.
So the challenge will be to reduce privacy risks to an acceptable level. Penalties like the one levied against Kaiser will
pressure healthcare organizations to clean up their data act. So will lawsuits filed by identity theft victims and recent
state legislation that mandates more safeguards for consumer information. Two proposed federal bills are also under consideration.
Healthcare IT safeguards are a work in progress
An hysterical attitude toward the vulnerabilities of electronic patient data doesn't help matters, though. After all, dramatic
privacy lapses also occur in the paper world. In April 2005, for example, thousands of Cleveland Clinic hospital bills blew
through downtown Cleveland after they fell out of a delivery truck.
It's even argued that paper records are inherently more vulnerable than digital ones. An EHR can be designed, for instance, so that a receptionist accessing a chart can view only
demographic data, not clinical data. In contrast, anyone handling a paper record—an orderly pushing a wheelchair, let's say—can
look at everything. Also, good EHRs typically come with an audit function that tracks who's perused a record. Still, even
staunch supporters of digital medicine acknowledge the need to satisfy the privacy fears of Americans.
"We're not prepared today for the kind of protection and security that we'll need when we have a completely automated network,"
says internist David Brailer, the National Coordinator for Health Information Technology at HHS.
Brailer characterizes recent privacy disasters in healthcare as simple failures to comply with HIPAA's security regulations.
"I used to be a critic of HIPAA when I was in the private sector, but one thing the law did well was lay out requirements
for physically protecting information," he says.
But how high do you build the walls? Brailer notes that it's possible, for example, to encrypt data that resides on a computer
hard drive. This tactic—routinely used to protect data transmitted over the Internet—might baffle a thief intent on harvesting
IDs from a stolen laptop. However, encryption could make it hard to retrieve information in a medical emergency. "It's a question
of protecting privacy vs protecting life," notes Brailer.
A sister issue, he says, is user authentication—proving to a computer that you're somebody who's entitled to view patient
data. Again, it's possible to move beyond a simple user ID and password and force doctors to possess special cards or so-called
RFID tags that communicate with a computer. But more-strenuous forms of authentication may prove impractical in a hectic clinical
setting.
Brailer and the Feds are working on several fronts to settle such issues and build reasonably tight defenses around patient
data. HHS is helping fund a group called the Health Information Security and Privacy Collaboration that consists of IT experts
and the National Governors Association. They'll work with state governments to harmonize security and privacy policies that
go beyond HIPAA. Another HHS-funded group, the nonprofit Certification Commission for Healthcare Information Technology, has
come out with proposed standards for EHRs that would require, among other things, audit mechanisms to detect snoopers.
The architecture of the proposed national health information network itself figures into the quest for privacy. Brailer is
seeking a decentralized, Internet-based model that will rely on existing repositories of patient data—a clinic or hospital
EHR, for instance—rather than one gigantic database. Such an approach is safer because it doesn't give hackers a tempting
mother lode to attack. Right now, four IT umbrella groups funded by HHS are developing prototypes with this strategy in mind.
Meanwhile, there's also a debate about the patient's role. A coalition of consumer and privacy advocates, clinicians, IT experts,
insurers, ethicists, and federal policymakers assembled by the nonprofit Markle Foundation recently issued a veritable Patient
Data Bill of Rights. These include a patient's right to access his own data, authorize who can see it, review who's already seen it, and even opt out of the NHIN entirely. Brailer's sympathetic to these principles, but he says the hard part will
be applying them in real life. "Can we expect patients to continually click Yes or No to requests to use their information?"
Fortunately, healthcare software vendors have already gotten a head start in giving patients greater control over their records.
EHRs used by some medical groups allow patients to access the same health information their doctors access (see "Personal health records: What's the status now?" in the Feb. 17, 2006 issue). The security advantage? Patients can tell whether an identity thief received a prescription
in their name.
Take these steps to prevent data theft
So, what can a small medical practice do to ensure privacy right now? Plenty, say the experts, and it's easier than you might
think. Here are nine steps you can take to minimize the chance that your patient data will end up as booty for an identity
thief:
1. Put a lock on the door to the room where you keep your network server. Ponderosa Medical Health & Wellness Center in Bend,
OR, goes several steps further. Its two servers sit in a locked closet inside a locked room. The servers themselves are locked
to a rack, and their casings are locked, too. "We need to be very careful," says internist C. Frost Lee.
2. Position desktop monitors so "shoulder surfing" patients and visitors can't easily read them. Set screen savers to come
on if a computer has been idle for a few minutes, with reactivation requiring a password.
3. Stave off hackers by installing a firewall, or a router that incorporates one.
4. Password-protect laptops, tablets, and PDAs since they can be easily snatched.
5. Replace patient-sensitive e-mail with secure messaging that's encrypted and password-protected. Wireless transmissions inside
the office also warrant encryption.
6. Destroy the hard drive of any computer you're throwing away. If you're selling or giving it to somebody, don't delete patient
files the routine way—they can be easily recovered. Instead, treat the hard drive with special "data wiping" software.
7. Regularly audit who sees what in your EHR. This tracking capability can deter snooping, but only if you use it. Consider
auditing a random sample of 50 charts per month. And put teeth in your policy, says FP David Kibbe, director of the Center
for Health Information Technology at the American Academy of Family Physicians. "Give a warning to someone who had no business
looking at a record, and make it clear that further infractions could get them dismissed."
8. Forbid sharing passwords, or writing them on paper. They should be memorized.
9. Be choosy about third parties that handle your practice's data, like billing companies and transcription services. HIPAA
requires you to have such companies sign business associate agreements that oblige them to safeguard patient privacy. Before
signing up, for example, ask a transcription service if it farms out work overseas, where HIPAA might be hard to enforce.
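Step 7 above relies on the EHR's audit trail, but the trail only deters snooping if someone actually reviews it. The script below is an added illustration of that monthly review and is not code from the article or from any EHR vendor: it parses a constructed access log (the line format, user names, chart numbers and care-team roster are all invented for this example), draws a reproducible random sample of charts, and reports every access to a sampled chart by a user who has no documented treatment or billing relationship with it. A real EHR exports its audit trail in its own format, so only the parser would need adapting.

```python
import random
import re
from collections import defaultdict

# Constructed sample of EHR access-log lines (not from any real system).
# Assumed format: timestamp user=<id> role=<role> chart=<chart id> action=<what>
SAMPLE_LOG = """\
2006-03-01T09:12:04 user=rlee role=physician chart=10023 action=view
2006-03-01T09:15:31 user=mchan role=nurse chart=10023 action=update
2006-03-01T11:02:09 user=tgarcia role=reception chart=10023 action=view_demographics
2006-03-02T14:40:55 user=kpatel role=nurse chart=10077 action=view
2006-03-02T14:41:12 user=kpatel role=nurse chart=10023 action=view
2006-03-03T08:05:00 user=rlee role=physician chart=10077 action=view
2006-03-03T18:22:47 user=bjones role=billing chart=10077 action=view
2006-03-04T10:10:10 user=mchan role=nurse chart=10101 action=view
"""

# Constructed care-team roster: which users have a treatment or billing
# relationship with which chart. Any access outside this is a candidate snoop
# that a supervisor should look at before deciding whether a warning is due.
CARE_TEAMS = {
    "10023": {"rlee", "mchan", "tgarcia"},
    "10077": {"rlee", "kpatel", "bjones"},
    "10101": {"kpatel"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"chart=(?P<chart>\S+) action=(?P<action>\S+)$"
)


def parse_log(text):
    """Parse access-log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def sample_charts(events, n, seed=0):
    """Pick a reproducible random sample of up to n distinct chart IDs to audit.

    A fixed seed makes the monthly sample repeatable for the written audit record;
    change the seed each month so the same charts are not reviewed every time.
    """
    charts = sorted({e["chart"] for e in events})
    rng = random.Random(seed)
    return sorted(rng.sample(charts, min(n, len(charts))))


def find_off_team_access(events, care_teams, charts):
    """Return accesses to the sampled charts by users not on that chart's care team."""
    flagged = []
    for e in events:
        if e["chart"] not in charts:
            continue
        if e["user"] not in care_teams.get(e["chart"], set()):
            flagged.append(e)
    return flagged


def summarize_by_user(flagged):
    """Count flagged accesses per user so repeat offenders stand out."""
    counts = defaultdict(int)
    for e in flagged:
        counts[e["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    audited = sample_charts(events, 50)  # the article suggests 50 charts per month
    for e in find_off_team_access(events, CARE_TEAMS, audited):
        print(f"{e['ts']} {e['user']} ({e['role']}) accessed chart {e['chart']}: {e['action']}")
    print("flagged accesses per user:", summarize_by_user(find_off_team_access(events, CARE_TEAMS, audited)))
```

On the constructed log this flags two events: a nurse viewing a chart she is not assigned to, and a nurse opening a chart whose only listed caregiver is someone else. Both are the kind of entry step 7 says should trigger a conversation, and the roster check is deliberately simple so that the reviewer, not the script, decides whether an access was legitimate.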
The best thing to remember, though, says David Kibbe, is that computer security is an ongoing process. It involves reviewing
policies and procedures each year, analyzing security breakdowns, and making the necessary adjustments. And more than anything,
it means creating a culture of vigilance. That takes leadership.
"If a doctor sets up policies and procedures and puts them into practice, the staff will follow," says Kibbe. "But if he tolerates
people sharing passwords, say, that security breach will have a cascading effect through the office."
With identity thieves on the prowl, nobody can afford to let down his guard.
To minimize data theft, watch your backup
As recent security breaches illustrate, backing up data on a tape, disk, or removable hard drive and taking it home is a risky
routine. Someone could steal the backup medium from your car. Or you could simply lose it.
So how do you avoid toting around backup media? One way is switching to a web-based EHR from an application service provider,
or ASP. In this arrangement, your data resides on a remote server instead of your office computer and the ASP is responsible
for backups. True, the ASP could do something stupid with your data, but New York City attorney and HIPAA expert Margaret
Davino says these companies typically run a tighter ship than doctors do since security is part of their business.
Even if you don't opt for an ASP, you can follow the same principle by backing up your computer's data via the Internet to
a remote server operated by a company like LiveVault (www.livevault.com) or First Backup (www.firstbackup.com). Again, the idea is to find someone who will handle your data better than you will.
A third option is backing up the traditional way, then stashing your tape, disk, or removable hard drive inside a fireproof
safe.