Security an Ongoing Task

We've seen much debate in the past on security and patient privacy.  Here's a brief reminder that (as we've argued) security is an ongoing process and not a one time fix.

“There’s nothing in security that you can do once,” says Kate Borten, president of the Marblehead Group, a consulting firm in Marblehead, Mass. “Risk assessment never stops. This is supposed to be ongoing.”

Everyone benefits when organizations focus on putting policies in place that make it more difficult to steal (or lose) sensitive data.

Democrats to Push HIT Legislation

The next congress is expected to take up some of the issues impacting HIT adoption in 2007, according to an article at GovernmentHealthIT.com.

Four themes are likely to emerge among the Democrats’ talking points: funding, privacy, systems interoperability and personal health records. Funding and privacy are potential sticking points.

Democrats will likely target funding to encourage small medical practices in underserved communities to adopt health IT. But Dave Roberts, vice president of government relations at the Healthcare Information and Management Systems Society, said they will have to be creative, because the Democrats have already committed to using a pay-as-you-go budgeting approach.

Post-Gazette.com: Spread of Records Stirs Fears of Privacy Erosion

We've had our share of cordial difference of opinion on this subject in the past; stolen laptops and the like are unpleasant but should be easily avoidable and we can't find the motivation to attack technology itself for the flaws of its users.  This article, posted at post-gazette.com, however, highlights the very real scariness of privacy violations through bureaucracy.  Patricia Galvin, whose tribulations are the article's focus, was denied claims for disability benefits based on information found in what should have been confidential psychotherapy session notes.  Shockingly, Stanford  Hospital and the insurance company, UnumProvident, deny any wrongdoing, stating the notes were taken and filed according to all legal guidelines and that UnumProvident obtained the records legally.  Meanwhile, Ms. Galvin is suing everyone involved for the records leak and the disability claim denial.

[Galvin] continues to worry, she says, that "any time anybody asks for my medical records, my psychotherapy notes are going to be turned over." In therapy, she adds, "all kinds of things come up -- they want you to go into detail about your feelings about your mother and your father and your sister and your brother and your dead fiance and how all of that affects you."

A very real concern that highlighs privacy issues that need to be addressed as we move towards pervasive electronic medial records technology.

Akron Children's Hospital Hacked

As was mentioned here,in a comment form Dr. Darrell Pruitt,  Akron Children's Hospital had a major security breach back around Labor Day.  Due to various administrative reasons, the breach wasn't announced until nearly seven weeks later.  It looks like the hackers (apparently two - it's not clear if these were separate incidents) were able to view sensitive patient demographic data, including Social Security Numbers, as well as the bank account information and routing numbers of hospital donors (financial, not organ).  According to Bob Howard, the hospital's director of planning, "We don't know that anybody was actually affected.  All we know is, it's possible. The information was visible for the two hackers who were able to get into the system.... We don't even know if they took anything.''  The hospital's website states that no evidence was found that information was actually downloaded or otherwise compromised but the data were open to the hackers' view.

As to why it took so long, Howard says:

[when] the hospital realized that "it was theoretically possible'' that patients' personal information had been exposed to an outside threat [three weeks after the initial incident] [they] hired an expert to build a database of the names of the patients and donors at risk, which took several more weeks.

"I know that appears to be a long time, but it was as fast as we could get the information,'' Howard said.

We aren't intimately aware of the details this work involved but seven weeks seems like a lack of urgency reigned over this entire exercise.  That gave anyone who did, in fact, steal SSN adequate head start to cause serious damage to anyone whose data were compromised.

As Dr. Pruitt points out in his comments, it is incumbent upon those of us entrusted with this information to ensure its security to the best of our ability - whether we are the healthcare providers or the IT companies they hire.  What is just as important is to exercise appropriate measures in the event that our best efforts were not enough, that is to say, owning up to the mistake and taking the necessary steps to mitigate its effects.  It doesn't appear that Akron Children's did either very well.

Another stolen laptop. . . even rats learn eventually!

Upon first seeing this, we could barely bring ourselves to read another "stolen laptop" story.  Then, after further deliberation, it seemed right just to point out that, once again, it isn't the technology that's the problem here.  It's the UNBELIEVABLE stupidity of the person that leaves sensitive patient data in a mobile computer in their car.

[Alllina Hospitals spokesperson David] Kanihan said that the nurse whose computer was stolen said she had left the laptop in her car when she went in to a Minneapolis lab to drop off a specimen. The nurse believes she locked the vehicle, he added. The theft was reported to Minneapolis police.

It's so simple.  Never, never leave a computer with patient data anywhere where it can be stolen.  Don't leave it on the front seat while you run into the gas station for cigarettes; don't leave it in the trunk while you stop off to get a sandwich.  Just don't.  Handcuff it to your wrist, if you must, but don't ever let it be compromised.  You would think that after reading fifteen of these stories in the past six months, people would learn!

Patient Privacy Debate Rages On

We've posted on this topic a few times so any regular readers will have likely figured out that we're largely comfortable with the security of EHR.  Certainly there are issues that need to be addressed but overall, EHR is a good tool to help move medicine along into the new century.  On more than one occasion during this conversation we've run across the work of Dr. Deborah Peel, chairwoman of the Patient Privacy Rights Foundation (check here, here, and here for other mentions on this blog).  It's good to know that there are people out there that believe passionately in patient privacy rights; it's comforting that watchdog groups are working on our behalf to maintain our personal safety and privacy.  We're just not convinced that the agenda being advanced is productive; we've said it before and we continue to believe it. 

So when Dr. Peel posted an open letter on modernhealthcare.com railing against AHIMA and AMIA, we read it but didn't feel the need to post on it.  Today's response by Carol Newcomb of Knightsbridge Solutions was good to see, however, so we thought it would be productive to post on the debate and give links to the various arguments.  Take a look at the information and weigh it.  Please give us your thougths.  We have our opinion - let's hear yours.  Do you believe that electronic records are safer than paper?  Less safe?  Are you willing to trade a bit of privacy for the efficiency and efficacy of a paperless practice? 

A bit of ammunition to get the ball rolling: paper records have every major flaw inherent in electronic records PLUS you can't know that they've been compromised so you can't take counter-measures to remedy a compromise.  The value of electronic records far outweighs the privacy concerns and the efforts of groups like the Patient Privacy Rights Foundation, while undoubtedly well-intentioned, only serve to frighten folks away from adopting what we believe to be today's single most impactful healthcare tool.  Agree?  Disagree?

A nice quote from Ms Newbridge's letter:  It's time to take our heads out of the sand and use healthcare information wisely.  Can I get an amen?

UPDATE: To view Dr. Pruitt's article, click here.

More CIA & Health Record Privacy

HIStalk picks up on Chapter II of the Initiate Systems and the CIA debate in a post linking to this story.  This time Canadian privacy advocates are calling for investigations.

But Twila Brase, president of Citizens’ Council on Health Care, a health care policy organization, views MPI software as an invasion of privacy because “it allows disparate pieces of data to be gathered on an individual as part of a countrywide data sharing system.”

Brase finds the CIA investment disturbing and thinks it could lead to the agency obtaining private medical records under the guise of national security.

Health and Human Services Secretary Mike Leavitt has repeatedly stated that the public will only accept widespread use of electronic health records if privacy is paramount, and a CIA investment in widely used MPI software will not help that effort. Putting the words “CIA and medical record privacy in the same sentence does not fit," Brase said.

Still seems like a problem of perception over reality on the security issue to us.  As the experts we quoted here all pointed out, there is no capability for Initiate/In-Q-Tel to access that data once the software is in place.  Anyone out there worried about this?  We'd love to hear from you.

Hackers Are Not the Primary Privacy Threat

Thanks to Medical Connectivity Consulting (that's twice in two days) for highlighting the recent JAMA article on privacy and the NHIN.  I continue to refine my understanding of this issue and so I like to see different perspectives on it.  I particularly like the treatment this article gives, ie, stop pointing the finger at EMR every time someone carelessly compromises patient records - that's not the overarching threat.  Rather, the authors see the access insurance companies and employers have to the entire history of medical care, "including information about mental health treatment, sexually transmitted diseases, HIV status, history of abortions, domestic violence and drug or alcohol abuse. . ." as the greatest threat to patient privacy in the coming age of interconnected EHR.

One argument put forward is that the inherent inefficiency of the paper record provided de facto protection against such comprehensive access.

Currently, the leading protection for privacy and confidentiality of personal health information is the fragmentation of paper-based health records. It is virtually impossible to locate and collect all of an individual's medical records stored by different clinicians and healthcare organizations (e.g., hospitals, health systems) in different geographical areas. The older the records, the more difficult they would be to access. Thus, most individuals generally can be confident that years-old or decades-old, sensitive health information that may have no current clinical usefulness is unlikely to be disclosed when they authorize release of their medical records for employment or insurance purposes.

I don't love the argument; it cuts both ways.  That same inefficiency is the most compelling case for EHR.  Who's to say what information has "no current clinical usefulness?"  One would hope it would be a care provider with access to that information who looks at it and says, "This is not germane to the current condition."  But, it does highlight the complexity of the debate.  It isn't going to be easy to resolve these issues - but the resolution is essential to the successful implementation of a nationwide health information network.

The Business Journal: System Would Share ER Information

Another example of effective IT solutions saving lives and money.  The Wisconsin Health Information Exchange is looking to implement a system that "would act as a conduit between hospitals' emergency admissions and treatments."  The information exchange would "streamline emergency procedures and steer patients from ERs to less expensive primary-care clinics."  By tying together the disparate hospitals, the program looks to leverage their individual investments in IT and give each a "big picture" perspective on emergency care in the region.  The system will improve care, drive efficiency, and minimize abuses thus saving millions of dollars.  As expected, there are legal/privacy concerns that are currently something of a stumbling block; it seems that they are being worked through, however, and the program launch is expected early next year.

Link