By Jason Dearen
Posting in Cities
Federal funds and private industry are driving the growth of electronic health records -- but the proliferation of data could lead to a boost in breaches of privacy.
It was a low-tech burglary. No one thought that it would blossom into a high-tech security breach.
All it took was a rock -- a simple, inanimate, probably centuries-old rock. An enterprising thief picked it up, cocked his arm and tossed it through the window of a Sutter Health office building in Sacramento, Calif. It couldn't have been easier.
Once inside, he found what he was looking for: laptops, monitors and desktop computers. Jackpot.
The burglary could have ended there -- until Sutter, a network of doctors and hospitals in northern California, realized that one of the purloined computers contained the electronic medical data for more than four million patients. Some of it dated back to 1995.
Worse, the data were not encrypted. The only thing standing between the information and someone interested in accessing and selling it was a computer password. Today, Sutter still doesn't know what happened to the data. The case remains open.
This kind of thing isn't supposed to happen. But it does -- sometimes by accident. A year earlier, the health records of 20,000 Stanford Hospital patients made their way onto a public website after the data were accidentally used as part of a job skills test. The private medical data were exposed for nearly a year before officials ordered them taken down. A $20 million lawsuit was filed, but no one really knows if the valuable information was copied.
The sensitive personal information contained in medical records is becoming more accessible than ever as the United States embarks on a fast and unprecedented shift to electronic health records. Today, many of these records are stored in databases called health information exchanges, or HIEs, which are linked together online -- making a treasure trove of data accessible to myriad hospital workers, insurance companies and government employees.
Unsurprisingly, social security numbers, health histories and other personal data from breached or stolen electronic health records are routinely used by identity thieves. Criminals can buy social security numbers online for about $5 each, but medical profiles can fetch $50 or more because they give identity thieves a much more nuanced look into a victim’s life, said Dr. Deborah Peel, founder of the advocacy group Patient Privacy Rights, which researches data breaches and works for tighter security on people's personal health records.
Some privacy experts worry that current federal law will allow pharmaceutical companies, law enforcement, insurance providers and others to exploit these data without a patient’s knowledge or consent. The pharmaceutical industry already uses medical data -- for example, pregnant women who use certain medications often will fill out a voluntary questionnaire asking for more information -- to market new products as the child grows.
Worse, when records contain errors, linked electronic systems only magnify the errors, privacy groups argue -- giving insurance companies and employers inaccurate ammunition to deny employment to candidates.
Yet the number of patient records contained in electronic databases is ballooning, fueled by billions of federal stimulus dollars. Recent healthcare legislation championed by U.S. president Barack Obama furthers the cause, imposing fines beginning in 2015 for providers who do not make the shift. The effort is propelled by the belief that a more nimble and connected healthcare system will save billions of dollars and improve the overall standard of care.
"The stimulus bill was like pouring gasoline on a fire," said Lee Tien, a privacy law attorney at the Electronic Frontier Foundation in San Francisco. "It was a slow-moving fire before, but then it got very big and a lot of people began chasing the money. But there was very little [in the bill] that did much on the privacy and security side."
With funds, privacy concerns
The federal government's $19 billion investment in electronic medical record conversion has already created a massive market for HIEs, which share patient records held in physicians’ offices with institutions large and small. Technology companies of every size, from IT industry heavyweights such as Google, IBM, General Electric and Dell to startups, operate in the market.
The demand for this data has indirectly fueled a criminal enterprise that seems to be growing: hospitals reported losses or thefts of electronic medical data 364 times from 2010 to 2011 in incidents that affected 18 million patients, according to Associated Press reports.
The rapid adoption of networked electronic records has centralized massive amounts of valuable data faster than law and policy can evolve to protect people’s privacy. Privacy lawyers and healthcare policy experts worry that the rapid transition could expose millions of medical records to profit-seeking companies and law-enforcement agencies without patients' consent.
“We were always very happy from a privacy and security standpoint because things were moving slowly and we could look at the national and state standards,” Tien said.
Medical data means big business
Today, there is no federal law in the U.S. requiring that a patient be notified when their records are added to an exchange. There is no way of knowing if and when thousands of people might gain access to your personal information, either: once a person’s data is entered into an exchange, there is little control over who can access it among the thousands of employees who work in a hospital, from clerks to surgeons to third-party vendors hired to manage these new, complex systems.
But the number of exchanges continues to grow. There are at least 255 in operation or in the last stages of development, said Jason Goldwater of eHealth Initiative, a Washington, D.C.-based health-care technology research group that tracks HIEs.
Since HIEs are intended to share data, it's no surprise that the number of entities with access to them -- whether hospitals or insurance companies -- doubled between 1997 and 2010, according to a study by the data privacy lab at Carnegie Mellon University.
So, too, has the number of people willing to pay for this information grown. Pharmaceutical companies seek better information about their customers’ behavior while tabloid newspapers seek scoops on celebrities such as Britney Spears and George Clooney, both of whom had records leaked by hospital employees who had no business having access to them.
“Our health records will have an enormous value in the future as genetic profiles are added," Tien said. "So whatever rules we have for privacy and security, they better be up to snuff to guard against the powerful incentives to get hold of that information.”
Patient data is protected in some ways in the U.S. by a federal law known as HIPAA, the Health Insurance Portability and Accountability Act. If data are encrypted, as happens in many exchanges, hospitals are not required by federal law to contact patients when their records are added to the exchange -- even if doing so allows many more people to access that information.
Still, there is one group exempt from HIPAA regulations: law enforcement. Police investigators and prosecutors already use health records in many different kinds of cases, including health-care fraud allegations, crimes committed in hospitals and even some rape and assault cases. Health information exchanges could increase access, making the long arm of the law much longer by giving investigators access to a much larger pool of data.
Under HIPAA, police investigators can access medical records when they deem them necessary for a case. Further, the Patriot Act passed in 2011 to combat terrorism allows federal investigators to get access to medical records with a warrant.
As patient data becomes more centralized, current laws will give police and federal agents much easier and deeper access to personal data, creating a host of unprecedented civil liberties issues.
“The electronic health records system soon may provide the cops with access in their station to a terminal with everyone’s health records,” said Bob Gellman, a Washington, D.C.-based privacy and information policy consultant. “If they have a list of wanted people and they marry their system to the healthcare electronic records, they can find out when a suspect’s next doctor appointment is. Under [current law], that's probably allowable.”
Gellman said the police exemption is problematic, since that data could easily be sent from law enforcement to another party, like a business or government research institution. A chain is only as strong as its weakest link.
“[The law] says hospitals can disclose records to [law enforcement] at will," Gellman said. "Cops can get records with no procedure at all. I think that's inadequate."
Behind the data, a stigma
But concern over medical privacy goes beyond privacy law, civil rights or even ethics. For many people, there is grave concern over the potential for exchanged digital records to turn personal problems public.
When Peel opened her initial psychiatric practice in Brownsville, Texas in the 1970s, many of her first patients in the U.S.-Mexico border town had a similar concern: could they pay to keep their medical records private?
Word travels fast in Brownsville, a city of 175,000 people, and Peel’s patients were worried that if their paper records somehow became public, they would be stigmatized for their medical diagnoses. Schizophrenia, depression and other mental illnesses continue to be poorly understood by the public; at the worst, those who suffer from them are stigmatized in their communities.
“If the information leaked to an employer, it would have affected their jobs or reputations. All the time I've been practicing, it’s been a very important and delicate issue,” Peel said. “There are prejudices associated with psychiatric diagnoses. People have powerful reactions to the names of these things.”
Once genetic profiles are routinely added to the mix, access to electronic health data may predetermine who can get jobs or serve in public office, Peel warned. While genetic information may help physicians fend off severe diseases earlier than ever, it may also be used to stigmatize people who will be stripped of opportunity based on some familial history of disease.
“If the world looked like that," Peel said, "Lou Gehrig would never get a contract to be a ball player if the team knew he had a disease that would degenerate his muscles, or Ronald Reagan would never get elected president if they knew dementia ran in his family.”
Jun 20, 2012
Well, I think that medical information is sensitive and should not be kept just on manual records; there must be backup databases as well. http://www.mystructuredsettlementcash.com
Oh, it was a really alarming situation that happened in the disclosure of medical records and information of patients; it is indeed used by identity thieves. http://www.ppiclaimuk.org.uk/mis-sold-ppi
I agree with all these top rated comments. Medical mechanics don't need all the information that we ask for, they are always care less. Now we have variety of technologies and we can solve all the problem in short time period. Usl&h http://www.marineworkcomp.com/
I have to agree with the top rated comment with the above captioned subject. The health care providers go by the name on the Insurance Card anyways, so if they rely on that information; the insurance card, then, the social security name and card number is redundant. California has passed a law that protects the social security number from giving out. And yet they (the healthcare provider) want to squeeze every bit of information from you because they know in most cases resistance is futile for the patients. Let them know your rights when you resist. Do not become a part of one of the "most victimized" patient. Caveat: Don't give in, don't give out.
Quick to adopt and implement new software without weighing in the privacy risks? How to allow everyone to access your medical records to ruin you. Neat. The article talks of breach to the retained records and says no one knows if the data was copied. In other words the breached data could be known to have copied and the news may have been suppressed by vested interests.
Just wait for the next big power-grid outage, whether caused by accident, terrorist activity or just plain ol' natural causes like sunspots or whatever. Same for some major outage of the internet. If I was unconscious or disabled and my primary care physician wasn't available, I'd sure wish that someone still had my dog-eared, dusty medical file sitting on a shelf at the doctor's office or the hospital I've been to on occasion. I never thought of it that way before, but I'm glad I carry a card in my wallet that lists my medications and medical issues.
Every privacy law, both state and federal, establishes stiff penalties for private citizens and companies that fail to protect their customers' personal data. The fines are huge and people can go to jail for negligence that contributed to allowing the data theft to occur. But all of these laws contain a common loophole. All levels of government are exempt from privacy laws. So when your private medical data is stolen from the county hospital, neither HIPAA nor any of the other privacy laws on the books will allow for the negligent parties to be punished regardless of how blatantly negligent their actions were.
This article seems to me to be a bit of a beatup. Surely it's no harder to secure medical records than financial records. I know that we have had some financial record mishaps, but it's pretty rare. I don't know anyone who has ever been affected. Let's just have the same standards for health as for finance, and keep on trying to make both more secure.
It's a shame the greed of the culture we live in finds a way to make money off something like this. The idea of the EMR was patient safety, elimination of tests and procedures they already had, elimination of double billing, faster services and so on. Folks have lost respect for their fellow man.
I have always feared something would happen where I was totally replaced, virtually, since watching the movie, "The Net". People may shrug it off as just a movie, but movies come from human minds, and if one can think of it, someone else is sure to follow through with it. No one is safe from cyber thieves and to think they can just buy a program to protect themselves, they are delusional. As much as we'd like to think we are in control because we know how to use the internet, we are opening ourselves to so much trouble from would-be assassins, the government, anyone who wants to mess with someone's mind or control a person. It isn't paranoia, it's reality.
Privacy violation is inherent in the ways medical information is made digital. It's not some far off, low-probability "risk".
The government needs to specify a format for EHR and require that it be used by all medical providers/insurers nationwide. (The VA probably already has a good handle on this.) As for the medical data itself, it should be the property of the patient, stored on a thumbdrive carried by same. If treatment requires that data be shared with another physician, only the required data should be shared, and only after the patient is advised and signs a one-time authorization. All data should be encrypted. Data required for epidemiological analysis should be stripped of potential personally identifiable information until all that remains is "male, 65, 67", 238 pounds, non-smoker" or whatever else is required. Yes, it will cost money, but the need for privacy of medical records justifies the expense.
In all honesty it's just as easy for a criminal to break into an offsite storage of papered charts and steal information as it would to do it digitally. The big difference is the quantity of data stolen. With the advancement of technology it would be wiser to use it as it was intended e.g. reduce paper cost, storage fees, eliminate wrong patient information in another patient's chart etc. The average hospital worker responsible for maintaining patient information (Medical Records) is the bottom of the bottom in comparison to the CEOs, Doctors and Nurses and yet is one of the most important personnel to a hospital to ensure that the correct information is in place with all others like it in regards to each patient's visit history. The legalities of who can access records and why and for what reason needs addressing I'm sure but computing technology is not going away anytime soon and it's better to embrace it head on instead of waiting till the last minute to jump on the bandwagon of EMR conversion.
There must be a "BALANCING ACT" between the benefits of Sharing Patients' electronic Health Records and the Concern of Privacy, Confidentiality, and Security. Ongoing Efforts by Organization such as "Integrating the Healthcare Enterprise" (IHE) to make Global Health Records Networks (GHRN), like the Global Financial Services Networks. GHRN holds tremendous benefits for Nations such as, improved Healthcare Outcomes, Healthcare Costs reduced, that can help Nations such as USA, Maintain a Sustainable National Deficit. We must therefore work very hard to Deploy current and future Technologies that will provide Secured Sharing Patients' Electronic Health Records through Healthcare Information Exchanges. Please See: www.21stcenturycommunications.blogspot.com www.NarionwideEHRinteroperability.blogspot.com Gadema Quoquoi President & CEO COMPULINE INTERNATIONAL, INC.
...because I'm fascinated to hear Progressives have to answer for the nightmares they've long argued for. http://www.smartplanet.com/blog/rethinking-healthcare/technology-and-the-power-to-say-no-is-real-health-reform/920 Now, to be fair, this issue isn't all that simple. And I am not against information being digital. I'd like it if my doctor could electronically transmit my information to me, or people I designate. What offends me is it being sold for other people's profit. My solution is for federal law dictating that such personal information be the sole property of the individual. It would only be up to the individual to determine if it could be transferred or sold to a 3rd party. Anyone stealing information or selling personal would be violating federal copyright law. As for ID theft, it was a big problem even before records went digital. Doctors' offices, hospitals, etc are filled with people, largely transient, with complete access to your personal data.
Medical mechanics don't need all the information they ask for. DO NOT ever give them your social security number, and have it removed from their system if they have it (ask the doctor). They don't need it, not even for Medicare. If they resist, get upset and mention that six letter word they all hate: L A W Y E R !!! Medical providers are always losing data - they always have. Carelessness, theft, etc. Now that we have computers, we can cause more problems in a shorter amount of time than ever before.
Just think of three different classes of data. Medical data covered by HIPAA and HITECH, credit data covered by the F.A.C.T. Act and criminal data covered by CJIS. Despite the need for some people to be able to access this data, these laws should be protecting the public. However, "sharing" issues have made it a mockery. We should be notified if ANY of our data is kept accessible through the Internet (such as on public cloud services). Could you sleep at night knowing almost all of your credit card numbers, security codes, expiration dates and name-on-the-card are kept somewhere when any employee (U.S. or otherwise) can view the data? It's the same with medical data and with criminal data (arrest records even without a conviction?).
That some organizations keep their patients' medical records on public clouds like Google and Dropbox? After reading the terms of service of these companies, HIPAA people should go after the companies that jeopardize the patients' data this way.
That's how we ended up with this mess....federal mandate.... and it won't be that long before "someone" will decide you've used too much salt, had too much soda, etc... Oh wait! They're already trying that in New York City...
You are looking at this from the standpoint of the technology companies that stand to benefit from this. What if you lost your job as CEO because some member of the board didn't like what they saw in your medical record, or your great-grandparent's record? Remember all the panic among stockholders of Apple, Inc. when the stories of Steve Jobs and his medical issues got out? It can happen to anyone. The important question is, "What are you doing to insure that HIPAA details are not given out to people who have no patient-authorized business seeing such information?" Let me ask you this. In your role as president and CEO would you be able to look at a patient's medical record? Do your employees leave copies of real medical records lying on their desks overnight (IT workers)?
In Massachusetts the doctors are required to ask patients a litany of questions that have nothing to do with medicine. It is a state form you have to fill out. Do you own a gun? Have you ever owned a gun? Have you ever fired a gun? Have you ever been in a gang? Do you know anyone in a gang?