Can Electronic Medical Records Be Secured?

While EMRs promise massive opportunities for patient health benefits and reductions in administrative costs, the privacy and security risks are daunting.

Mitch Wagner, California Bureau Chief, Light Reading

November 12, 2009

9 Min Read

While electronic medical records promise massive opportunities for patient health benefits and reductions in administrative costs, the privacy and security risks are equally huge.

The Obama administration has set an ambitious goal--to get electronic medical records on file for every American by 2014. The administration is offering powerful incentives: $20 billion in stimulus funds as per the American Recovery and Reinvestment Act (ARRA) of 2009, and stiff Medicare penalties for healthcare providers that fail to implement EMRs after 2014.

EMRs offer tantalizing benefits: Improved efficiency via the elimination of tons of paper files in doctors' offices, and better medical care through the use of the same kinds of database and data mining technologies that are now routine in other industries. One example: EMR systems can flag symptoms and potentially harmful drug interactions that busy doctors might otherwise miss.

But the accompanying privacy and security threats are significant. When completed, the nation's EMR infrastructure will be a massive store of every American's most personal, private information, and a potential target of abuse by marketers, identity thieves, and unscrupulous employers and insurance companies.

Regulators are attempting to craft rules that would unlock the benefits of EMRs while protecting Americans from the security risks. Healthcare IT pros will be required to implement systems and business processes that conform to these regulations, or face lost funding, institutional fines -- and, in some cases, personal criminal penalties.

The new regulations come as the healthcare industry faces big privacy problems, going back years. In 2003, a medical transcriptionist in Pakistan threatened to post patient records from the University of California San Francisco's Medical Center on the Internet unless she was paid for her work for a transcription service company hired by the university.

The dispute was resolved, but in the meantime, patients had no idea their records were being sent overseas. In another breach, two computers that held the confidential records of close to 200,000 patients of a medical group in San Jose, California, were posted for sale on Craigslist.org. The FBI recovered the information and the medical group informed current and former patients of the theft, according to a 2006 report in the HIPAA Bulletin. Celebrities aren't immune. Last year, more than a dozen staff at the UCLA Medical Center faced disciplinary charges for prying into the medical records of Britney Spears. The same hospital got in trouble again when employees accessed Farrah Fawcett's medical records after she went there for cancer treatments.

Healthcare providers and other health businesses aren't stepping up to protect privacy, according to a recent study. Some 80% of healthcare organizations have experienced at least one incident of lost or stolen health information in the past year, according to a study released this month from security management company LogLogic and the Ponemon Institute, which conducts privacy and information management research.

Furthermore, some 70% of IT managers surveyed said senior management doesn't view privacy and data security as a priority, and 53% say their organizations don't take appropriate steps to protect patient privacy. Less than half judge their existing security measures as "effective or very effective."

Unauthorized use of medical records has created a new kind of crime: medical identity theft, where a criminal poses as another person to obtain medical treatments using another person's insurance. This is a crime with multiple victims: The actual person with insurance coverage, whose medical records are updated with incorrect information, and the insurance company, which is paying for the criminal's medical procedure. Medical identity theft cuts twice, causing both potential medical risk and financial harm to its victims.

John Halamka, CIO of Harvard Medical School and Beth Israel Deaconess Medical Center in Boston, is one of the people trying to solve the privacy problem.

Halamka is chair of the US Healthcare Information Technology Standards Panel (HITSP) and co-chair of the HIT Standards Committee for the U.S. Department of Health and Human Services. HITSP is developing standards for EMRs that balance patients' right to control their information and keep it confidential against the needs of healthcare providers, insurers, and other businesses to share information to improve patient care and do business.

"You want to protect the patient's preferences for confidentiality," Halamka said. But you also need to get information where it's needed. "If you come to the emergency department in a coma, and you have a record that includes psychiatric treatment, HIV, drug abuse, and other information, would you share part of it or all of it? My preference would be all of it, with the hope that emergency workers would use it discreetly, to save my life." But other people may feel differently, Halamka said, and healthcare policy needs to serve all those needs. Privacy requirements include access logs and encryption of data that resides on mobile devices. Healthcare providers and other health businesses will be required to keep records of everyone who has access to a file, and the patient has a right to know who saw the record, who accessed it, and why, Halamka said.

The Office of Civil Rights enforces standards, and the Federal Trade Commission has the authority to process consumer complaints. ARRA also permits states' attorneys general to prosecute HIPAA violations.

Money is a major incentive for healthcare companies to protect patient privacy. ARRA provides financial incentives for healthcare businesses to meet its privacy guidelines, and punishment for people and businesses that fail. Every doctor in America can claim $44,000 for health IT implementations that meet federal privacy, security, and other standards, between 2011 and 2015. Every hospital can claim $2 million for four years under the same conditions. Organizations that fail the ARRA tests get nothing.

The regulations have a zero-tolerance policy for data breaches. If authorized people access records inappropriately, they are terminated, and can face criminal charges and fines, Halamka said.

"There is also a requirement to notify prominent media. If there are more than 500 records compromised, you have to notify the prominent media of the region. I would have to call the New York Times to say, 'look what we did.' Of course I respect federal law, but I'm more afraid of the Boston Globe and New York Times because if I lose the trust of my patients, I'm not going to be given a second chance."

But the ARRA regulations aren't enough, said Deborah Peel, founder and chair of the political group Patient Privacy Rights.

"Hospitals let thousands and thousands of employees see millions of patients' data," she said. Hospitals have rules-based systems governing who gets to see patient data -- for example, doctors and nurses get to see data, but not clerks and office workers. If someone is accessing records inappropriately, often the only barrier is a pop-up warning--and often not even that.

"That's why people looked at the Octomom's records," Peel said. Fifteen hospital workers were fired and another eight disciplined in March for unauthorized access to the medical records of octuplet mother Nadya Suleman. "And a hospital employee was able to get into Farrah Fawcett's records and leak the story before she even told her own family. Typically, the nurses get fired and the doctors don't." Policing medical records is difficult. Developers are working on algorithms to search for potential data breaches. For example, software searches for healthcare workers accessing medical records of people with the same last name, or living at addresses near their own home, based on the possibility that they might be snooping on family members or neighbors. "Suppose a woman's partner is an abuser, she's left him, she goes to the hospital for treatment. If the abuser is an employee of the hospital, how is her privacy going to be protected?"
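The three mechanisms the article has described so far, an access log that records who opened a chart and why, a rules-based check on which roles may see clinical data, and the snooping heuristics that flag a worker opening the record of someone with the same last name or a nearby address, fit together in one small audit-review routine. The following is an added example, not code from any of the organizations or vendors mentioned; the record layout, the role names, the 0.5 km proximity threshold, and every person, address and log line in it are constructed for illustration.

```python
"""Toy audit-log review for an EMR access log (added example, constructed data).

It implements the checks the article describes: a role rule (clerks may open
billing data but not clinical notes), the snooping heuristics (a worker opening
the record of a patient who shares their last name or lives near them), and the
per-patient "who saw my record, when, and why" accounting.  Every name, address,
role and threshold below is an assumption made for illustration.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Worker:
    worker_id: str
    last_name: str
    role: str        # "physician", "nurse" or "clerk" (constructed role names)
    lat: float       # home address, assumed already geocoded
    lon: float


@dataclass(frozen=True)
class Patient:
    patient_id: str
    last_name: str
    lat: float
    lon: float


@dataclass(frozen=True)
class AccessEvent:
    ts: str          # ISO-8601 timestamp kept as text for simplicity
    worker_id: str
    patient_id: str
    section: str     # "clinical" or "billing" part of the chart
    reason: str      # reason for access entered by the worker at the time


CLINICAL_ROLES = {"physician", "nurse"}

# Constructed directories: none of these people or addresses are real.
WORKERS: Dict[str, Worker] = {
    "W1": Worker("W1", "Lee", "nurse", 42.3601, -71.0589),
    "W2": Worker("W2", "Garcia", "physician", 42.3505, -71.0800),
    "W3": Worker("W3", "Patel", "clerk", 42.3400, -71.1000),
}
PATIENTS: Dict[str, Patient] = {
    "P1": Patient("P1", "Lee", 42.4000, -71.2000),
    "P2": Patient("P2", "Nguyen", 42.3602, -71.0590),
    "P3": Patient("P3", "Kim", 42.3000, -71.2000),
}

# Constructed access log, in the shape an EMR audit subsystem would record.
ACCESS_LOG: List[AccessEvent] = [
    AccessEvent("2009-11-12T08:02:11", "W1", "P1", "clinical", "scheduled visit"),
    AccessEvent("2009-11-12T08:15:40", "W2", "P1", "clinical", "ED consult"),
    AccessEvent("2009-11-12T09:30:05", "W1", "P2", "clinical", "medication review"),
    AccessEvent("2009-11-12T10:11:52", "W3", "P3", "billing", "insurance claim"),
    AccessEvent("2009-11-12T11:47:19", "W3", "P1", "clinical", "insurance claim"),
]


def km_between(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle (haversine) distance between two points, in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    h = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def flag_event(ev: AccessEvent, workers=WORKERS, patients=PATIENTS, max_km=0.5) -> List[str]:
    """Return the reasons (possibly none) an access event deserves human review."""
    w, p = workers[ev.worker_id], patients[ev.patient_id]
    reasons: List[str] = []
    if ev.section == "clinical" and w.role not in CLINICAL_ROLES:
        reasons.append(f"role '{w.role}' may not open clinical data")
    if w.last_name.casefold() == p.last_name.casefold():
        reasons.append("same last name as patient")
    if km_between(w.lat, w.lon, p.lat, p.lon) <= max_km:
        reasons.append(f"patient lives within {max_km} km of worker")
    return reasons


def review_queue(log=ACCESS_LOG, workers=WORKERS, patients=PATIENTS, max_km=0.5):
    """Events a privacy officer should look at, each paired with its reasons."""
    queue: List[Tuple[AccessEvent, List[str]]] = []
    for ev in log:
        reasons = flag_event(ev, workers, patients, max_km)
        if reasons:
            queue.append((ev, reasons))
    return queue


def accounting_for_patient(patient_id: str, log=ACCESS_LOG, workers=WORKERS):
    """The who/when/why list a patient is entitled to for their own record."""
    return [
        {"when": ev.ts,
         "who": f"{workers[ev.worker_id].last_name} ({workers[ev.worker_id].role})",
         "section": ev.section, "why": ev.reason}
        for ev in log if ev.patient_id == patient_id
    ]


if __name__ == "__main__":
    for ev, reasons in review_queue():
        print(ev.ts, ev.worker_id, "->", ev.patient_id, ":", "; ".join(reasons))
    for row in accounting_for_patient("P1"):
        print(row)
```

On the constructed log, three of the five events land in the review queue: the nurse opening a chart that shares her last name, the same nurse opening the chart of a patient who lives next door, and the clerk opening clinical data. The other two are ordinary care. Note that the heuristics only queue events for a human; the free-text reason and the per-patient accounting are what let the reviewer, or the patient, judge whether the access was legitimate.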

Amendments to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule in 2002 removed earlier privacy protections. "In the paper world, you were told by your doctor's office every time he got a request to release information. You were asked to sign off on that. But in the electronic world, your ability to do that has been taken away," she said. "This is very important, because once health information is out there, you can't put it back in the bottle."

Earlier, the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999 (a major contributor to the current financial meltdown) permitted companies to share medical records the way they share financial records, Peel said.

Medical privacy regulations, however, have been getting new teeth, said Lisa Gallagher, senior director of privacy and security for the Healthcare Information and Management Systems Society (HIMSS). Under the Bush administration, the U.S. Justice Department said that HIPAA could not be applied against individual employees of healthcare providers, but ARRA said individuals can be prosecuted.

HIPAA now provides criminal penalties of fines up to $250,000 and up to 10 years in prison for disclosing or obtaining health information with the intent to sell, transfer or use it for commercial advantage, personal gain, or malicious harm, Gallagher said.

The law now requires that patients have access to their medical records in electronic form. Providers are required to give the patient an accounting any time medical information is disclosed.

"All in all, what you're seeing here is that there are significant privacy rules that have been put in place now," Gallagher said.

But Peel said more is needed. Patients need to have complete control over their own medical records. Patients' consent should be required to release medical records--to anyone. "We're still, essentially, voyeurs into our own medical records," she said. "Now, with audit trails, we're going to be able to see who's gotten into our medical records, but voyeurism isn't the same as control."

But it's not that simple, Gallagher said. "Consent puts most of the burden on the patient. The patient has to be involved in every transaction, and the patient needs to be knowledgeable enough to make the consent, and aware that they're not leaving out things through inaction that might hurt them later on," she said. Some people--like Peel--believe that's essential to privacy; others believe the issues are too complex to leave to patients. "In my view, Congress weeded out consent as a solution to the privacy problem," Gallagher said.

For Further Reading:

E-Health Records Put Patient Privacy At Risk

E-Health Records Could Flag Domestic Abuse

Why Your Next IT Job Will Be In Healthcare

Healthcare IT Career Tips


About the Author(s)

Mitch Wagner

California Bureau Chief, Light Reading

Mitch Wagner is California bureau chief for Light Reading.
