Hackers Outsmart Pacemakers, Fitbits: Worried Yet?

Now that patients are legally entitled to their medical results from the lab, these laboratories must take further steps to ensure data doesn't get into the wrong hands.

The Department of Health and Human Services last week made its final rule on the Clinical Laboratory Improvement Amendments of 1988, giving patients (or their authorized representatives) the right to access their information. The move is designed to give patients more control over their healthcare choices, empower them to more easily adhere to treatment options, and let them track their health progress, said HHS Secretary Kathleen Sebelius in a statement. 

HHS estimates 22,861 laboratories will have to spend between $2 million and $10 million among them to develop processes and interoperability systems that enable them to conform with the rule, according to published reports. Most large lab chains and hospital labs can handle these requests already, but smaller facilities could have challenges, experts say. Each year, labs could field between 175,000 and 3.5 million requests from patients, their designees, and personal representatives, HHS predicts. However, doctors will still receive lab results first; the new rule gives labs up to 30 days to comply with a patient's request.

Although most industry groups have voiced approval of the rule, at least one group recommended that patients continued to work closely with healthcare providers to review results to avoid undue concern over phrasing or pictures.

[Does healthcare security have a respect problem? Read Healthcare Information Security: Still No Respect.]

Labs are not doctors' offices, cautioned the American Clinical Laboratory Association:

Because laboratories typically do not have direct contact with the patient, as they often obtain specimens from the physician's office, labs will be diligent in ensuring that the individual making the request has the right to that information. Laboratories will continue to be vigilant in protecting the confidentiality of sensitive private health information.

As part of that protection, labs' IT departments must work closely with front-line staff -- those who will be newly responsible for sharing results with the public -- on security, including social engineering. Conning people out of information hackers can use to further their goals accounts for 17% of cyberattacks. Labs must protect data where it's stored, shared, and as it's being transferred as well.

"The push to make patient medical records and results available at the point of need to internal providers, external providers and even patients themselves increases the need to ensure the secure transmission and remote access to medical records are safe, secure and cannot be exploited by cybersecurity threats," said Doug Copley, IT director and information security officer for Beaumont Health System, during a January 2014 meeting of the Michigan Healthcare Cybersecurity Council. 

Even before the rule change, laboratories experienced some breaches, often through unencrypted mobile devices or media. In 2013, someone stole the flash drive of a Dynacare Laboratories employee containing information on about 9,000 patients. This year, LabMD closed its doors, the result, it said, of a government probe into a 2013 security breach. Several years ago, private lab Cord Blood Registry was affected when a thief broke into an employee's car and stole a laptop that contained sensitive patient data.  

That's not to say patients shouldn't get test results, of course. Yet every time you give another user group the authority to access data, risks increase. There are more vulnerabilities, more risk for error. IT departments must assess these perils, plan accordingly, and spend their limited resources to educate staff, protect data, and update security systems.  Earlier tests prove the diagnosis: All healthcare systems are under attack. Lab systems won't be any different. 

Medical data breaches seem to show up on the 6 o'clock news almost every week. If you think it wouldn't happen to you -- or the financial impact will be minor -- think again. Download the Healthcare Data Breaches Cost More Than You Think report today. (Free registration required.)