Security an Ongoing Task

We've seen much debate in the past on security and patient privacy.  Here's a brief reminder that (as we've argued) security is an ongoing process and not a one time fix.

“There’s nothing in security that you can do once,” says Kate Borten, president of the Marblehead Group, a consulting firm in Marblehead, Mass. “Risk assessment never stops. This is supposed to be ongoing.”

Everyone benefits when organizations focus on putting policies in place that make it more difficult to steal (or lose) sensitive data.

Should States Get in to EHR "Banking"?

Dr. William Yasnoff, founder of eHealthTrust, wants states to get into the business of EHR "banking".  That is to say, creating a repository for EHR data that would receive "deposits" from physicians but be controlled by patients.  Since this is the business eHT engages in, one assumes that he is either advocating for states to take his business away or, more likely, for states to contract his company to do the "banking". 

I need to review the details but my initial reaction is that it sounds like a sort of "hosted RHIO" that makes getting such an organization easier to get off the ground.  Could be a good answer to the myriad questions facing the future of EHR and interoperability.  What do you think?

Links
Article
Dr. Yasnoff Interview
eHT FAQ - What is it and how does it work?

Democrats to Push HIT Legislation

The next congress is expected to take up some of the issues impacting HIT adoption in 2007, according to an article at GovernmentHealthIT.com.

Four themes are likely to emerge among the Democrats’ talking points: funding, privacy, systems interoperability and personal health records. Funding and privacy are potential sticking points.

Democrats will likely target funding to encourage small medical practices in underserved communities to adopt health IT. But Dave Roberts, vice president of government relations at the Healthcare Information and Management Systems Society, said they will have to be creative, because the Democrats have already committed to using a pay-as-you-go budgeting approach.

Akron Children's Hospital Hacked

As was mentioned here,in a comment form Dr. Darrell Pruitt,  Akron Children's Hospital had a major security breach back around Labor Day.  Due to various administrative reasons, the breach wasn't announced until nearly seven weeks later.  It looks like the hackers (apparently two - it's not clear if these were separate incidents) were able to view sensitive patient demographic data, including Social Security Numbers, as well as the bank account information and routing numbers of hospital donors (financial, not organ).  According to Bob Howard, the hospital's director of planning, "We don't know that anybody was actually affected.  All we know is, it's possible. The information was visible for the two hackers who were able to get into the system.... We don't even know if they took anything.''  The hospital's website states that no evidence was found that information was actually downloaded or otherwise compromised but the data were open to the hackers' view.

As to why it took so long, Howard says:

[when] the hospital realized that "it was theoretically possible'' that patients' personal information had been exposed to an outside threat [three weeks after the initial incident] [they] hired an expert to build a database of the names of the patients and donors at risk, which took several more weeks.

"I know that appears to be a long time, but it was as fast as we could get the information,'' Howard said.

We aren't intimately aware of the details this work involved but seven weeks seems like a lack of urgency reigned over this entire exercise.  That gave anyone who did, in fact, steal SSN adequate head start to cause serious damage to anyone whose data were compromised.

As Dr. Pruitt points out in his comments, it is incumbent upon those of us entrusted with this information to ensure its security to the best of our ability - whether we are the healthcare providers or the IT companies they hire.  What is just as important is to exercise appropriate measures in the event that our best efforts were not enough, that is to say, owning up to the mistake and taking the necessary steps to mitigate its effects.  It doesn't appear that Akron Children's did either very well.

Another stolen laptop. . . even rats learn eventually!

Upon first seeing this, we could barely bring ourselves to read another "stolen laptop" story.  Then, after further deliberation, it seemed right just to point out that, once again, it isn't the technology that's the problem here.  It's the UNBELIEVABLE stupidity of the person that leaves sensitive patient data in a mobile computer in their car.

[Alllina Hospitals spokesperson David] Kanihan said that the nurse whose computer was stolen said she had left the laptop in her car when she went in to a Minneapolis lab to drop off a specimen. The nurse believes she locked the vehicle, he added. The theft was reported to Minneapolis police.

It's so simple.  Never, never leave a computer with patient data anywhere where it can be stolen.  Don't leave it on the front seat while you run into the gas station for cigarettes; don't leave it in the trunk while you stop off to get a sandwich.  Just don't.  Handcuff it to your wrist, if you must, but don't ever let it be compromised.  You would think that after reading fifteen of these stories in the past six months, people would learn!

Patient Privacy Debate Rages On

We've posted on this topic a few times so any regular readers will have likely figured out that we're largely comfortable with the security of EHR.  Certainly there are issues that need to be addressed but overall, EHR is a good tool to help move medicine along into the new century.  On more than one occasion during this conversation we've run across the work of Dr. Deborah Peel, chairwoman of the Patient Privacy Rights Foundation (check here, here, and here for other mentions on this blog).  It's good to know that there are people out there that believe passionately in patient privacy rights; it's comforting that watchdog groups are working on our behalf to maintain our personal safety and privacy.  We're just not convinced that the agenda being advanced is productive; we've said it before and we continue to believe it. 

So when Dr. Peel posted an open letter on modernhealthcare.com railing against AHIMA and AMIA, we read it but didn't feel the need to post on it.  Today's response by Carol Newcomb of Knightsbridge Solutions was good to see, however, so we thought it would be productive to post on the debate and give links to the various arguments.  Take a look at the information and weigh it.  Please give us your thougths.  We have our opinion - let's hear yours.  Do you believe that electronic records are safer than paper?  Less safe?  Are you willing to trade a bit of privacy for the efficiency and efficacy of a paperless practice? 

A bit of ammunition to get the ball rolling: paper records have every major flaw inherent in electronic records PLUS you can't know that they've been compromised so you can't take counter-measures to remedy a compromise.  The value of electronic records far outweighs the privacy concerns and the efforts of groups like the Patient Privacy Rights Foundation, while undoubtedly well-intentioned, only serve to frighten folks away from adopting what we believe to be today's single most impactful healthcare tool.  Agree?  Disagree?

A nice quote from Ms Newbridge's letter:  It's time to take our heads out of the sand and use healthcare information wisely.  Can I get an amen?

UPDATE: To view Dr. Pruitt's article, click here.

HIPAA's Demise?

Just an unsubstantiated bit that I saw at HIStalk but coupled with a few articles I've seen about the fact that there have been very few HIPAA legal actions taken it makes one wonder:

"I was speaking with a DC attorney who gave me interesting information about HIPAA. He said that the Bush administration is not allocating any resources to enforcing HIPAA. There have been no lawsuits for any violations. As a result, he said many large hospitals are starting to ignore the security provisions. Nobody cares about HIPAA any more."

CIA Link to Software Vendor Involved in NHIN Prototype Raises Questions

This is a lengthy piece at modernhealthcare.com but one worth reading.  The complex issues raised are indicative of the future debates looming as EHR, RHIO, NHIN, etc. . . continue to gain traction and come up against issues of patient privacy.  I'll summarize here but I recommend taking the time to acquaint yourself with this in more detail - it will be a recurring theme.

• Initiate Systems makes a software application used in healthcare to link patients to their reccords by running a probabilistic matching algorithm.
• The software is currently used by RxHub to check patient eligibility for drug benefits and by SureScripts, whose "data-transfer network is fast becoming a de facto standard for e-Rx linking between clinicians and pharmacies."
• Initiate also worked recently with the Veterans Health Administration to augment their patient identification system.
• Initiate Systems' software is used by MA-SHARE, a Boston-based RHIO that is participating in an HHS prototype of the NHIN.
• Initiate received "Series E" funding in February from In-Q-Tel, a venture capital firm founded in 1999 by - and still financed by - the CIA.
• All relationships, while not exactly publicized, were fully disclosed by both In-Q-Tel and Initiate Systems

So the software created and sold by Initiate Systems is used to sift through patient data and find connections between patients.  The average American's greatest concern about the creation of a national information exchange network for their health data is privacy.  The CIA is involved.  That seems like a scenario that could create some ripples. . . and it has.

Dr. Deborah Peel, chair of the Patient Privacy Rights Foundation "called the CIA connection 'outrageous,' noting that it simply doesn't pass the sniff test. 'Who doesn't believe if the CIA puts up that money, they won't have access?' Peel said. 'I'm still not satisfied.'"  Meanwhile, the folks in charge of almost all the principle players - with serious stake in how this relationship is perceived - don't seem concerned:

• Mark Overhage, with Indiana Health Information Exchange: "I don't worry much about the support Initiate has received. . . Initiate doesn't have access in any way."
• John Halamka, CEO of MA-SHARE: "I don't have specific concerns that the CIA would use this to compromise the privacy of health records. . . The Initiate algorithm is simply a generic way to take a whole set of information and filter through it."
• Rob Cronin, Director of Corporate Communications for SureScripts: "We use various technologies to deliver our services, but the makers of those technologies never have access to our systems and data, period."
• Daniel Garrett, VP and Managing Director of Computer Sciences Corporation (lead contractor in the MA-SHARE-NHIN prototype): "[It] is something I would definitely ask my team to take a look at, but what I think would come back is that it's software that's being imbedded and they (Initiate Systems) don't have access (to medical data)."

I'm ambivalent on this.  On the one hand, this is exactly the sort of thing that gives rise to statements (by Dr. Peel) that "[i]f privacy is not fully protected, we won't be building anything except the most valuable mother lode of information for data mining on Earth."  When people feel that their information is at risk, they aren't going to get behind a NHIN.  That won't make it any easier to implement.  So I say, perception-wise, this is - or at least could be - problematic.

On the other hand, many of the folks I've heard talking about this on the "patient advocacy" side seem a bit shrill.  Someone will always be there to point out that the sky is falling; it's easy to enumerate all the ways that bad things can happen.  And they aren't wrong.  Bad things can happen but it doesn't mean they will and it doesn't mean we should stop progress to avoid them.

In this instance, I think this is a bit of a tempest in a teapot.  But please click through, read the story, and tell us what you think.

Hackers Are Not the Primary Privacy Threat

Thanks to Medical Connectivity Consulting (that's twice in two days) for highlighting the recent JAMA article on privacy and the NHIN.  I continue to refine my understanding of this issue and so I like to see different perspectives on it.  I particularly like the treatment this article gives, ie, stop pointing the finger at EMR every time someone carelessly compromises patient records - that's not the overarching threat.  Rather, the authors see the access insurance companies and employers have to the entire history of medical care, "including information about mental health treatment, sexually transmitted diseases, HIV status, history of abortions, domestic violence and drug or alcohol abuse. . ." as the greatest threat to patient privacy in the coming age of interconnected EHR.

One argument put forward is that the inherent inefficiency of the paper record provided de facto protection against such comprehensive access.

Currently, the leading protection for privacy and confidentiality of personal health information is the fragmentation of paper-based health records. It is virtually impossible to locate and collect all of an individual's medical records stored by different clinicians and healthcare organizations (e.g., hospitals, health systems) in different geographical areas. The older the records, the more difficult they would be to access. Thus, most individuals generally can be confident that years-old or decades-old, sensitive health information that may have no current clinical usefulness is unlikely to be disclosed when they authorize release of their medical records for employment or insurance purposes.

I don't love the argument; it cuts both ways.  That same inefficiency is the most compelling case for EHR.  Who's to say what information has "no current clinical usefulness?"  One would hope it would be a care provider with access to that information who looks at it and says, "This is not germane to the current condition."  But, it does highlight the complexity of the debate.  It isn't going to be easy to resolve these issues - but the resolution is essential to the successful implementation of a nationwide health information network.

Medical ID Theft On The Rise

A report released on May 3 by the World Privacy Forum estimates "there could be as many as a quarter to a half million people who have been victims of [medical identity theft]."  The study details the increasing occurence of this form of fraud and discusses the impact on both patients and the envisioned National Health Information Network (NHIN).

The WPF sounds a warning note in its discussion of electronic records and the NHIN:

Further complicating the challenges of medical identity theft is the push to make patient medical records electronic and place patient information in a National Health Information Network (NHIN). . . .

Currently, the mantra is that digitization of patient records will improve health care, reduce fraud, reduce medical errors, and save lives.  But this does not account for the challenging reality of medical identity theft and the substantial problems it can introduce into such a system.

In particular, the report points out that the factors generally regarded as benefits to EHR/NHIN adoption can also be its downfall: ease of portability and accessibility.  It's a pretty bulky report and I haven't read it all the way through but my initial reaction is contrary to the report's tone: EHR and NHIN implementation will, in fact, make such theft more difficult.

One reason is that EHR, at its best, would bring significantly greater transparency to the process.  I don't often look at my paper medical records.  If I don't physically go to my physician's office, I can't.  But if my records were electronic and available online, I could easily review them for any erroneous activity.  Perhaps that's a "perfect world" scenario but it is certainly within the scope of what most proponents of the EHR/NHIN movement envision.

One example of fraud cited in the report that clearly shows the potential benefit of sharing patient data:

A Pennsylvania man discovered that an imposter used his identity at five different hospitals to receive more than $100,000 worth of medical treatment.  At each hospital, the imposter created medical histories in the victim's name.

This would have been detected quickly if these hospitals were connected by a RHIO or NHIN and thus were aware that this person had been bouncing from hospital to hospital.  Similarly, the case of a woman who, "while working at a dental office, accessed protected patient information and used the information to phone in prescriptions to area pharmacies" shows how electronic records can help.  Her access to properly protected patient EHR would be significantly less easy to come by than her access to paper records and would be password protected (easily traceable to the perpetrator).

One more miscellaneous point in favor of EHR: most currently available applications give practices the ability to embed a patient photo in the record.  That's one more level of security to ensure that an impostor can't walk in off the street and hijack an establish electronic record shared through a Health Information Exchange (HIE) network - national, regional, or otherwise.

All in all, I think the report brings up some great points about medical identity theft (something I didn't even know existed until today) and its impact on electronic records.  It's important to ask the right questions about how we implement new technologies.  It's also important not to sound alarmist (the title of the report is MEDICAL IDENTITY THEFT: The Information Crime that Can Kill You) and while I may be biased in favor of EHR, I think this report gives the benefits of properly implemented HIT solutions short shrift.  As always, I'd love to hear what you think.  Let us know.

To read the entire report, click here.