My August 3rd post Data breaches and EMRs: bad guys or just dumb mistakes? discussed my skepticism about the DEFCON level we need to have regarding EMR and EHR. I found it eyebrow-raising when Reuters was quick to distance itself from the author at the beginning of her article The road to electronic health records is lined with data thieves, which I have not often seen in EMR and EHR blogs. After I read through it, I began to think that maybe the disclaimer had to do with the content of the post. This story was a bit more interesting than Digitized medical records are easy prey, but all is not lost, the topic of my August 3rd commentary, in that it really highlighted more of the paranoia and fear about what could be rather than what probably will be. I’ve also said in previous posts that it’s not that I believe electronic medical records are going to be completely secure and HIPAA compliant under all circumstances. However, the following excerpts from the Reuters post drove me nuts with all the fear mongering that was clearly promoted.
Setting an epic tone for her piece, Constance Gustke begins discussing “The future of your personal health information…” and“gigantic Internet-driven databases”. The rest of her post includes the following comments. I admit they’re a bit voluminous, but the quotability here was difficult to resist.
“the data being stored is sensitive and so far it isn’t very secure,”
“… access explodes”.
“data breaches can have harmful effects, including medical discrimination.”
“we can’t see who uses our electronic records,” “And they can be back-door mined.”
“only 10 percent of all hospitals lock down their data” “HHS investigations have found… dozens of data breaches… in New York, California, Illinois, Texas, Massachusetts, Georgia and Missouri.”
“patients can put their information at risk at home, too, using unsafe computers that may not be secure”
“wild west in terms of how data flows,”
“Assets are roaming on the open ranges. And the rustlers are out foxing us all.”
“identity thieves and other fraudsters”
“Medical records are a gold mine of personal data, including Social Security numbers,” “financial and medical information.” “It shows everything about you.”
“Even more dangerous, stolen medical data can damage your healthcare. There could be more healthcare discrimination,”
“government regulation is weak.” “doesn’t offer enough protections” “no system can completely track access”.
“Currently, there are 281 cases listed, including hospitals, doctors and insurance companies that reported large data thefts, losses and other breaches. For example, HHS found that Massachusettes Eye & Ear Infirmary and Kaiser Permanente Medical both had medical data thefts.”
But which were cases of electronic theft that actually required hacking? Which ones were specifically due to the fact that the records were stored on an EMR or EHR system and then electronically stolen? This is to me perhaps the most important question, since without true electronic crime, a lot of the gusto cited above tends to be less grounded. She doesn’t stop with EMRs, but rather goes on to warn, “Right now, portals put more information at risk.” Okay, okay… I think I get the message.
Dr. West is an endocrinologist in private practice in Washington, DC. He completed fellowship training in Endocrinology and Metabolism at the Johns Hopkins University School of Medicine. Dr. West opened The Washington Endocrine Clinic, PLLC, as a solo practice in 2009. He can be reached at email@example.com.