Digital Health Increases Security Risks
1 comment
Electronic Health Records (EHR) hold the promise of substantial benefits to patients. When shared among providers, they will assure that wherever you seek medical services that your doctor will have access to complete and accurate information on your medical history.
The passage of the 
Health Information Technology for Economic and Clinical Health (HITECH) Act earmarks over $19 billion in funds as incentives for healthcare providers to adopt EHR technologies. As these funds flow, the amount of medical data will grow exponentially into the petabytes over the next four years.
As recent article titled “As health data goes digital, security risks grow” published in Computerworld and Business Week highlights a significant issue with this trend, the fact that the security of your medical records is far from assured. It concludes that:
“Over the next four years, the amount of personal medical information online will increase exponentially, opening up new avenues for hackers to expose personal data that, unlike financial information, can result in a permanent violation of privacy.”
With the focus of healthcare providers being on securing HITECH stimulus funds for the implementation of EHR systems, there is the risk that the security systems and architecture for these systems, especially in areas of interchange with other entities, may increase risks of exposure of protected health information (PHI) of patients.
Dr. Taher Elgamal, the individual that led the development of secure sockets layer (SSL network encryption) as the chief scientist at Netscape, and is now the chief security officer at Axway, highlights that the current solution path for this issue, encryption of the PHI data, isn’t a silver bullet for assuring patient privacy.
“The fact that you did encryption doesn’t mean you’ve protected medical information, because access control is the real issue,” Elgamal said. “New cybercriminals do not do what the old cybercriminals did. They realize you’ll be encrypting the data and instead access the application and steal access rights.”
The implications of this on healthcare providers is significant. The financial and patient benefit motivation associates with implementing EHR systems must be balanced by the security and privacy requirements that now have public and financial implications as well for non-compliance. It isn’t clear to me that most covered entities are appropriately balancing both sides of this equation.
I agree that encryption, while valuable, is not a panacea. Compliance is a process, an ongoing process that requires commitment to policies and procedures that become the business rules by which you run your company. Anything short of that provides only false security.
Comment by Jack Anderson — March 26, 2010 @ 2:30 pm