Thursday, September 08, 2011

Data Security: A Rising Problem for Electronic Health Records

It was kind of funny reading this recent article from the New York Times that focuses on a relatively small health data breach from Stanford Hospital's emergency room:
A medical privacy breach involving Stanford Hospital in Palo Alto, Calif., led to the public posting of data for 20,000 emergency room patients, including names and diagnosis codes, on a commercial Web site for nearly a year, the hospital has confirmed.

Since discovering the breach last month, the hospital has been investigating how a detailed spreadsheet made its way from one of its vendors, a billing contractor identified as Multi-Specialty Collection Services, to a Web site called Student of Fortune, which allows students to solicit paid assistance with their schoolwork.

Gary Migdol, a spokesman for Stanford Hospital and Clinics, said the spreadsheet first appeared on the site on Sept. 9, 2010, as an attachment to a question about how to convert the data into a bar graph.

Although medical security breaches are not uncommon, the Stanford breach was notable for the length of time that the data remained publicly available without detection.
"Medical security breaches are not uncommon" is an understatement. According to the Department of Health and Human Services, 5,408,977 people have had their medical data lost or stolen, so an article that cries foul of 0.37% of this 2010 total seems fairly trivial. Worse, the reported trend is rising.

The real question that should be asked is this: What is the Department of Health and Human Services going to do about all of these data breaches? They seem to be intent on assuring us they're doing a good job enforcing these breaches, but we have to wonder.

So far, it seems they really can't do much to stem the tide: there are just too many people with computers claiming a "need to know" that have access to patients' private health data.


Addendum: Make that 7.9 million records breached since 2009. (h/t: PDara, MD via Twitter)

Related: KevinMD blog: Your medical information is not private, and it's sold routinely.


Tim Hulsey, MD said...

For goodness' sake, the Pentagon can't even keep itself secure from hackers around the world! There is no way that digitally stored medical records can be accessible to a physician you might need to see on vacation and not be extremely vulnerable to hacking! In the incident Wes is citing, the data was unprotected for ONE YEAR before anyone realized it!
Hackers don't even need to be on the internet to hack into networks. For a few hundred dollars, small flying drones with computer capability can set up botnets to hack into your "secure" network ( If your digital data were to remain unconnected to the web (say, on a memory card- one in the doctor's office, one in the patient's possession for all the times they see doctors around the world), it would be as secure as the patient wanted it to be. After all, it seems that it is the patient's information. The ONLY reasons for EMRs is for government to have control and access to data! As we have discussed before, it does NOTHING to improve patient care! In fact, it is a detriment to the physician's efficient use of time.

Tim Hulsey, MD said...

Your link, "5,408,977 people," leads to an article where the 4th commenter links to another article that talks about a new health care position of which I have never heard: Medical Scribe. "Having scribes do most of the data entry allows the highest-paid people in the room to focus on patients and see more of them and ensure that information used in billing is complete, the companies say. It also allows doctors to make more eye contact with patients, and that makes patients happier."
Notice tha "billing" is mentioned before patient "happiness." I'm sure the extra expense of another tier of medical employees will be made up by improved efficiency of the "system." Unfortunately, that savings never seems to materialize!
Let me make you a bet: in 10 years the Medical Scribe will be asking for prescription privileges!