The various security issues inherently unique to the healthcare sector are an area which I have been following pretty closely over the course of the past couple of years, for a few reasons.
First – and thankfully – there appears to be increasing concern in the healthcare industry that the recent spate of security breaches could bleed over into the healthcare sector, and could have an adverse effect on the already troubled industry. As reported in the New York Times on Monday, there is a renewed emphasis on the protection of patient medical data, in the face of an onslaught of consumer privacy data breaches.
As stated in the Times article, “…in the last two years, personal medical records of at least 7.8 million people have been improperly exposed, according to the government data.”
These numbers seem to grow with time, and it is especially troubling that these “improper exposures” have not received the same notoriety that similar data breaches have received in other industries.
I think that number may be somewhat misleading, or may only deal with “improper disclosures”, since a still unidentified party hacked into the online systems of the Virginia Prescription Drug Monitoring Program in a 2009 incident, allegedly stole approximately 8.3 million patient records, and demanded a $10 million ransom.
Especially troubling is the apparent push to move to electronic health records (EHRs) for patient medical data without proper security mechanisms in place, which could arguably make theft and/or misappropriation of medical data even easier. I won’t go into all of the issues surrounding EHRs, but there are arguments on both sides of the issue for cost-savings, ease-of-use (including mobility), and privacy.
It is time to deal with these issues and ensure that adequate security frameworks are put into place, whether through regulatory or compliance based means (more on that later), and start to penalize organizations and individuals who violate these regimes through willful negligence, ignorance, or malice.
Secondly, the current regulatory & compliance regime – the Health Insurance Portability and Accountability Act (HIPAA) of 1996 – is woefully inadequate to deal with the current technical landscape in the healthcare industry today. It has been almost 16 years since HIPAA was created and as the NYT article points out, HIPAA needs to be updated to reflect the current complexity and technical reality in the field.
Added confusion in this area arrived earlier this year with the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which deals with the privacy & security issues involving EHRs.
The news is not all bad – it was reported today that the U.S. Health & Human Services Department is looking to strengthen privacy disclosure rules under HIPAA to allow for patients to learn who has actually accessed their EHRs. This is certainly a move in the right direction.
In fact, I think the renewed attention in this area is very good news indeed, since there seem to be certain gaps in the regulatory, compliance, and auditing framework in the healthcare industry.
There are many areas in the healthcare security landscape that deserve a much more detailed discussion, but which I will not go into in this one blog post. Having said that, however, please watch this space for a series of blog posts over the next few weeks where I will examine several of these issues in more detail.