The Department of Health and Human Services (HHS) has released their interim final rule on the handling of notifications when personal health records are exposed that will take effect September 23rd of this year.
The rule requires healthcare providers, health plans and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify patients, as well as HHS and the media, of any unauthorized access to their health information. This interim final rule provides definitions for "breach" and "unsecured protected health information", and establishes specific notification requirements.
Notification is Good, Prevention is Better – but Missing
In an environment where no data is compromised and where patient privacy is assured, the benefits of instant access to complete, accurate, medical records are obvious. We don’t live in that world.
My concern is not with the breach notification requirements; what scares me is that the security measures currently in place are riddled with holes and will be unable to prevent the breaches.
We live in a world where:
- Cybercriminals recognize that medical records are a modern-day golden goose, enabling millions of dollars in revenue from false billing, ID theft, and more
- The threat of blackmail over potentially embarrassing medical information or more innocent forms of exposure may induce patients to withhold important information from their care providers rather than risk it being compromised in a data breach
- Medical histories, falsified by criminals to procure prescription medications, may in fact harm, even kill, patients as doctors assume the information is accurate
We live in a world where:
- Medical assistants and archivists aren’t trained security experts, and staff turnover rates make proper security training and reviews both expensive and difficult. Too few employees will have a technological background strong enough to understand (or care) how security risks arise
- Passwords will be weak or written where they are easily accessed, and therefore be compromised
- Machines will be left on, periodically unattended, and easy to steal
- Anti-virus and anti-spyware programs won’t be up-to-date.
- Social engineering will open doors for criminals to the wealth of information stored in medical records, including your SSN, co-pay credit card info, and other personally identifiable information, which can cause harm in other ways
- Government, institutional organizations, and companies are forced to take cost cutting measures where the decision makers are not the security specialists, and where data security is not the primary focus of the organization
- Internal monitoring to prevent or detect theft by disgruntled employees will be poor
In every scenario, the vulnerabilities you and I potentially face are staggering.
Where are the HHS and FTC rules for securing data? Where is the work force that will check for data security compliance? Who is teaching data security to the 600,000+ doctors, 3 million+ nurses, and additional millions of assistants, technicians, clinicians, support staff, and third-party vendors touching these records? Where are the background checks on individuals allowed to access this information? And what percentage of data breaches does HHS expect will be detected – or remain undetected?
Placing medical records online is not yet ready for prime time. We are still in a very experimental stage that will require adjustments as flaws get ironed out, laws are tested, the medical world gets trained, and failures examined.
Until the kinks and criminals are cleaned out of the system, it is unacceptable that citizens have no way to choose to opt in to, or out of, this untested medical experiment.