No one's blaming the software: a response to EMR and HIPAA

Over on EMR and HIPAA, John writes:

I was recently sent an Information Week article on “Steady Bleed: State of HealthCare Data Breaches.” The article basically tries to list out all of the data breaches that are happening in healthcare and how healthcare companies aren’t doing what they need to do to protect patient data.

Now, I’ll be the first to acknowledge that more can always be done. I even agree that more can and needs to be done to protect patient information. However, I don’t agree with the article’s assertion that the use of an electronic health record (EHR) is the reason why health care providers are so poorly securing patient information.

Many of you might remember my post on EMR and EHR about HIPAA Breaches related to EMR. In that post, I discuss how it’s unfair for someone to automatically assume that if there was a breach, then it was the electronic medical record software’s fault. In the analysis I did in the above post, I found that most of the HHS list had nothing to do with EMR software. In fact, many of the HIPAA breaches were lost devices which contained lists of insurance information. EHR had nothing to do with that.

I’m not saying that breaches don’t happen with an EMR. They do. However, most of the examples given in the Information Week article could have happened just as easily in the paper world. It didn’t take an electronic health record for people to start looking up famous sports stars’ health information.

On some level, I agree with John, but I really don’t see most people blaming the software when breaches involving electronic records occur. They generally blame human error or negligence for not following good security protocols. Yes, many of the types of breaches we read about could happen with paper records, but have you ever seen anyone leave cartons of paper records on tens of thousands of patients in their car overnight where they were stolen? Have you ever heard about someone smashing and grabbing cartons of papers for the value of the cardboard like we hear about laptops or electronic devices? Have you ever heard about someone overseas remotely accessing paper records on tens of millions of records and then threatening extortion?

Electronic records pose additional risks and I disagree with John’s statement, “Maybe the real difference with an EHR is that now we can know and track who accesses each patient record.” I would agree with him if he said, “Maybe one difference is that with EHR, we have greater potential to know and track who accesses each patient record.” Not every entity does know who accesses electronic records. They could know in most cases, but they often don’t. I would also agree with John if he had said that with electronic records, we have the ability to conveniently create backups of important information, and that ability can serve patients well. Of course, not everyone backs up their data, but the potential is there.

John also writes:

However, the numbers and reports I’ve seen don’t seem to indicate that breaching an EHR software’s security is the real problem. There are far easier ways to take patient data than trying to breach an EHR’s security system. Let’s focus on those other ways that people take patient data and punish it appropriately. That’s far more productive than saying that we’re rushing too quickly into an unsecured EHR world.

I’m not sure what John is reading, but the reports I read suggest that entities are generally their own worst enemy when it comes to security because they do not implement or adhere to good security practices. I’ve never seen anyone really blame the software. We do hold the entity accountable, though, for providing adequate security for the sensitive data they collect.

HHS can and does refer breaches to OCR for investigation. The government has the authority to not only investigate but to issue corrective plans and fines. We’ve seen HHS issue fines in a few cases, but they need to start fining some entities for really sloppy security so that everyone gets the message. The FTC fining CVS and RiteAid for improper disposal of paper records is good, but they need to issue fines over failures involving electronic records as well. If HHS started fining entities every time a laptop with unsecured PHI was stolen from a car or a flash drive with unsecured PHI was lost, the word would get out.

My motto is simple: if you collect it, protect it. And if you’re not prepared to do that properly, don’t collect it, and for Pete’s sake, don’t put it on a device connected to the Internet or a device that leaves the office.

About the author: Dissent

2 comments to “No one's blaming the software: a response to EMR and HIPAA”

  1. Anonymous - September 24, 2010

    Glad to see that we’re more or less on the same page. It seems like the places we differ are really more a matter of definition of terms than anything else. Of course, blogs are great places to flesh out what we really mean when we say something.

    I agree that many clinics “can” know when there are HIPAA violations, but that doesn’t mean that many “do” know when they happen. More of this needs to happen. Plus, don’t be surprised as they do this to see more HIPAA violations being reported. Not because there are more of them, but just more being reported.

    I love the section where you talk about the volume of patient data that can be lost in the electronic world which just wouldn’t make sense in the paper world (i.e. tens of thousands of records in a car overnight). I talk about that in the post I linked in my article: No doubt technology makes records so much more portable that it’s much easier to steal large amounts of data.

    I think the confusion in the last part of your post comes to the definition of electronic records. In the media and other coverage I see of HIPAA violations, I often hear them refer to electronic records as the patient’s record stored in an EHR. Basically their electronic chart. That “electronic record” is very different than some partial patient data (i.e. an insurance list) that is stored electronically. Sure, the latter is an “electronic record” but often gets confused with the former. My point was that these partial patient data that are stored electronically are where the real problems are as opposed to an EHR being compromised.

    I guess I’m tired of people creating fear, uncertainty and doubt around the privacy and security of an electronic health record vs. a paper chart. There are plenty of reasons someone might choose to not implement an EHR, but security and privacy shouldn’t be one of them.

    • Anonymous - September 24, 2010

      I was nodding my head along with you until the end. 🙂

      I agree that there is confusion in the media, at times, and have seen people using PHR when they should be using EMR or EHR, or using EHR when they just mean some PHI was in electronic format. BUT:

      I do think that security and privacy concerns have not been adequately addressed for EHRs. Indeed, if you think about it, John, if you will agree that hackers can access insurance records (and they do, although hacking does not appear to account for the largest segment of breaches), then it’s equally possible for them to hack into databases with EHRs. Whether they would spend any time there or acquire or misuse the data is another issue, but in terms of security, I’ve seen no evidence that EHRs are any better secured than insurance records of some of the largest companies. And I’m sure you know that there have been a number of hacks involving medical centers’ or hospitals’ patient databases. Then, too, think about doctors you may know who carry patient records on their BlackBerrys. I shudder….

      I personally believe that people are more concerned about the privacy and security of their medical records than they are over their financial records. The security issues are not in the EHR software per se — we can probably agree on that — but they are in the security environment in which the software operates. Having terrific EHR software does nothing if there is no commercial-grade firewall and other elements of good security in place. Would you agree? And if you do agree, then the sheer volume of information comes back into play, which is why people may be understandably leery. So continue to ask people to distinguish between vulnerabilities in EHR software and other security risks in the security environment or compliance with good security protocols, but trying to say that privacy and security are not real concerns as we move more to EHR seemingly inappropriately minimizes some real risks.
