Over on EMR and HIPAA, John writes:
I was recently sent an Information Week article on “Steady Bleed: State of HealthCare Data Breaches.” The article basically tries to list out all of the data breaches that are happening in healthcare and how healthcare companies aren’t doing what they need to do to protect patient data.
Now, I’ll be the first to acknowledge that more can always be done. I even agree that more can and needs to be done to protect patient information. However, I don’t agree with the article’s assertion that the use of an electronic health record (EHR) is the reason why health care providers are so poorly securing patient information.
Many of you might remember my post on EMR and EHR about HIPAA Breaches related to EMR. In that post, I discuss how it’s unfair for someone to automatically assume that if there was a breach, then it was the electronic medical record software’s fault. In the analysis I did in the above post, I found that most of the HHS list had nothing to do with EMR software. In fact, many of the HIPAA breaches were lost devices which contained lists of insurance information. EHR had nothing to do with that.
I’m not saying that breaches don’t happen with an EMR. They do. However, most of the examples given in the Information Week article could have happened just as easily in the paper world. It didn’t take an electronic health record for people to start looking up famous sports stars’ health information.
On some level, I agree with John, but I really don’t see most people blaming the software when breaches involving electronic records occur. They generally blame human error or negligence for not following good security protocols. Yes, many of the types of breaches we read about could happen with paper records, but have you ever seen anyone leave cartons of paper records on tens of thousands of patients in their car overnight, only to have them stolen? Have you ever heard about someone smashing and grabbing cartons of papers for the value of the cardboard, the way we hear about laptops or electronic devices? Have you ever heard about someone overseas remotely accessing tens of millions of paper records and then threatening extortion?
Electronic records pose additional risks, and I disagree with John’s statement, “Maybe the real difference with an EHR is that now we can know and track who accesses each patient record.” I would agree with him if he said, “Maybe one difference is that with EHR, we have greater potential to know and track who accesses each patient record.” Not every entity does know who accesses electronic records. They could know in most cases, but they often don’t. I would also agree with John if he had said that with electronic records, we have the ability to conveniently create backups of important information, and that ability can serve patients well. Of course, not everyone backs up their data, but the potential is there.
John also writes:
However, the numbers and reports I’ve seen don’t seem to indicate that breaching an EHR software’s security is the real problem. There are far easier ways to take patient data than trying to breach an EHR’s security system. Let’s focus on those other ways that people take patient data and punish it appropriately. That’s far more productive than saying that we’re rushing too quickly into an unsecured EHR world.
I’m not sure what John is reading, but the reports I read suggest that entities are generally their own worst enemy when it comes to security because they do not implement or adhere to good security practices. I’ve never seen anyone really blame the software. We do hold the entity accountable, though, for providing adequate security for the sensitive data they collect.
HHS can and does refer breaches to OCR for investigation. The government has the authority not only to investigate but to issue corrective action plans and fines. We’ve seen HHS issue fines in a few cases, but it needs to start fining some entities for really sloppy security so that everyone gets the message. The joint HHS/FTC actions against CVS and Rite Aid for improper disposal of paper records were good, but the regulators need to act on failures involving electronic records as well. If HHS started fining entities every time a laptop with unsecured PHI was stolen from a car or a flash drive with unsecured PHI was lost, the word would get out.
My motto is simple: if you collect it, protect it. And if you’re not prepared to do that properly, don’t collect it, and for Pete’s sake, don’t put it on a device connected to the Internet or a device that leaves the office.