While the public and lawmakers are still reeling from Virginia’s medical record breach, which potentially compromised 8 million patient records and included a whopping $10 million ransom demand by the hackers [i], it’s time to take a hard look at whether Internet security and data management are mature enough to be combined with sensitive medical data.
Not all breaches come with headline-grabbing ransom demands, or even make the news, given the varying data breach disclosure laws [ii], but they all affect patients and consumers like you and me. This month, in addition to the Virginia case, UC Berkeley reported a breach in its health services center databases affecting 160,000 students and alumni [iii]. In April, Palo Alto Medical Foundation reported the theft of a laptop containing personal and medical information of 1,000 patients [iv], and Moses Cone Health System in North Carolina also had a laptop stolen containing over 14,000 patients’ information [v]. According to the Identity Theft Resource Center [vi], more than 50 breaches were reported by health care providers in the first six months of 2008, and nothing indicates this number is in decline.
All parties agree that the hemorrhaging of patients’ medical information has to stop. The question is, how?
In an environment where no data is compromised and patient privacy is assured, the benefits of instant access to complete, accurate medical records are obvious. Treatment errors could be reduced, tests could be streamlined, communication and collaboration between multiple care providers could be optimized, and emergency room physicians could have immediate access to the medications and allergies of incoming patients. This was the vision of the Bush administration in 2004 as it unveiled a project to mandate that every American have an electronic health record by 2014. It remains the vision of the Obama administration, for which electronic health records are “one of the linchpins” of overhauling the nation’s health care system.
We don’t live in that utopian, digitally secure, and privacy protected environment.
Instead, we live in a world where cybercriminals consider medical records a golden goose, enabling millions of dollars in revenue [vii] from false billing. A world where the threat of blackmail over potentially embarrassing medical information, or more innocent forms of exposure, may induce patients to withhold important information from their care providers, and where medical histories, falsified by criminals to procure prescription medications, may in fact harm, even kill, patients as doctors assume the information is accurate. Until data went online, medical record theft was restricted to people breaking into a doctor’s office or to disgruntled employees, and the extent of the data lost was limited to the records in that office. Now millions of online records await hackers at home or abroad; location is irrelevant.
We live in a world where government and institutional organizations are forced to take cost-cutting measures, where the decision makers aren’t the security specialists, and where data security is not the primary focus of the organization. Risks include staff turnover rates that make proper security training and reviews both expensive and difficult; too few employees with a technological background strong enough to understand (or care) how risks occur; pressure to get more done in less time; and little internal monitoring for theft by disgruntled employees. In every scenario, the likelihood of devices being stolen, passwords being compromised, outsiders being able to wander in, and procedural failures exposing vulnerabilities is staggering.
We live in a world where, in spite of proposed protections in the stimulus bill, there is a noteworthy lack of effective standards or tools for guaranteeing medical data security or privacy. Legislation against the sale of personal health information (PHI) has yet to be tested, enforced, or had its loopholes plugged. Dozens of companies are racing to develop applications and ‘free’ [viii] websites to address this new market, where billions will be handed to companies creating these services, and billions more can be earned from providing add-on services to consumers. One addition included in the Senate’s version of the bill [ix] even opens the door to allow companies to market to consumers [x] based on the contents of their electronic health records.
In spite of the manifest risks to patients’ privacy and potentially their health, Congress has not seen fit to provide consumers the choice to opt out. Neither the federal (HIPAA) privacy rule [xi] nor the economic stimulus bill guarantees your ability to refuse to have your information converted to digital form and shared.
“Congress needs to add opt-out and patient-consent provisions to ensure true patient privacy,” says Sue Blevins [xii], president of the Institute for Health Freedom. “The bottom line is that if YOU want to control the flow of your personal health information, your consent to share the information must be a prerequisite and you must have the right to withhold permission.”
Back in Virginia, Patricia A. Paquette, the Department of Health’s technology director, told legislators that the department ranked among the top 5 percent of most secure systems in the state government, and that firewall systems and backups were operational at the time of the attack. “It’s one of those incidents that happened, not because all of those things weren’t there, they were there.” Presumably, this statement was intended to reassure; in reality it highlights for hackers that 95 percent of the state’s agencies are even less secure.
Placing medical records online is not yet ready for prime time. We are still in a very experimental stage that will require adjustments as flaws get ironed out, laws are tested, and failures are examined. I believe the time will come when maintaining personal medical records online is not only safe and ensures patient privacy, but also lives up to its full promise of better medical care and lower costs. That day has not yet come. Until then, it is unacceptable that citizens have no method of choosing to opt in to, or out of, this medical experiment.
Let the ethics and ideals of Hippocrates set the standard: first, do no harm.
More information and resources if your medical identity has been stolen:
- The Medical Identity Theft Information Page
- Mitigating Medical Identity Theft
- Medical Identity Theft Turns Patients Into Victims
[viii] While the user may not pay in cash, these sites are for-profit entities that earn money by the ability to advertise and potentially sell information about the users of their services.