By Stephen Cobb, senior researcher, ESET North America.
The benefits of making health records available electronically would seem to be obvious. For a start, faster access to more accurate patient information – which is one of the promises of EHRs (electronic health records) and HIEs (health information exchanges) – could save lives. The author of a recent report on the many thousands of lethal “patient adverse events” that occur in America every year, Dr. John T. James, pointed to “more accurate and streamlined medical recordkeeping” as a top priority in the effort to reduce these deadly medical errors. Yet headlines about healthcare facilities exposing confidential patient data to potential abuse have been all over the media this year. So, will security issues and privacy concerns stymie EHR adoption or slow down HIE rollouts?
Today, more than half of all Americans probably have at least some part of their medical record stored on computer. In January, the CDC reported that roughly four out of five office-based physicians are now using some type of EHR system, up from one in five in 2001. A few months later, in a Harris poll sponsored by ESET, only 17 percent of adult Americans said that, to their knowledge, their health records were not in electronic format.
During that same survey of 1,734 American adults, we asked “are you concerned about the security and privacy of your electronic patient health records” and 40 percent said they were. Slightly more of them, 43 percent said they were not. However, if we take out the 17 percent whose records were not in electronic format, the “concerned or not?” question breaks down as 48 percent Yes, versus 50 percent No, a statistical tie.
Within these numbers, there are some interesting demographic variations. For example, those aged 45-54 are more likely to be concerned than those 18-44 years. Concern was greater among those with college education and among those with children in the household (54 percent vs. 46 percent). Concern was expressed more often among those at the upper and lower ends of the household income scale, those in the $75K to 90K range being concerned less often (45 percent).
This particular survey population was a subset of 2,034 people to whom we put this question: “How familiar, if at all, are you with the recent NSA news about secret government surveillance of private citizens’ phone calls, emails, online activity, etc.?” The people we quizzed about medical records were “at least somewhat aware” of the Snowden/NSA revelations, about 85 percent of the original sample. So it is fair to say that half of American adults who are in touch with news and technology trends enough to be aware of the Snowden revelations and who know that their health records are stored electronically, are concerned about the privacy and security of those records.
What we don’t know is how much attention those people had been paying to the news about medical data breaches. We would like to do another survey in which we pose a couple of other questions before asking about concern over the privacy and security of electronic medical records, for example:
- Were you aware that a healthcare company in charge of more than 200 hospitals recently reported Chinese hackers had stolen identity records belonging to more than 4.5 million patients?
- Did you know that, according to the OCR database of breaches affecting 500 or more individuals, an average of 24,800 protected medical records were exposed every day in 2013?
- Were you aware that in April the FBI issued a memo warning that the healthcare industry “is poorly protected and ill-equipped to handle new cyber threats exposing patient records, billing and payment organizations, and intellectual property”?
- Did you know that medical records can be sold for $50 each on the black market?
With a preamble like that, I think a lot more people would answer that they are concerned, but would it be enough to impact adoption of EHR and HIE technology? Let me offer some clues from that same survey about the NSA revelations. A quarter of the people who were aware of those revelations said they had done less banking online as a result. A similar percentage said they had done less shopping online and about the same number said they were less now inclined to email. In other words, it is at least possible that people will cut back on their use of technology if they have concerns. Could a sustained drumbeat of medical breaches and OCR settlements of HIPAA violations lead to patients opting out, eroding public support for EHR and HIE? It is not a scenario that I would rule out.
I might be more optimistic if I had not recently attended an event called ChannelCon, put on by CompTIA, the computer trade industry association. ChannelCon is a great place to meet the people who sell and deliver IT products and services. I asked a number them about selling IT security in the medical sector, specifically doctors’ offices. The response I heard most often? “Doctors don’t care.” When I asked “But what about HIPAA?” The answer was: “They just don’t care.” Obviously this is not true of all doctors, but I do think we have a serious problem if doctors don’t feel compelled to protect EHRs, if only on the basis of professional ethics, regardless of the law.
Is there some sort of collective denial in this sector? I think this question has probably come up at the OCR, which continues to find that some large and well-funded hospital systems have not yet met the HIPAA privacy and security requirements. And before anyone says these are too onerous or were imposed too quickly, consider this:
“We are looking at a federally mandated standard for security practices within companies involved in healthcare or handling health-related information. Note that these are considered practices necessary to conduct business electronically in the healthcare industry today. In other words, normal business costs, things you should be doing today …”
That is a direct quote from my first conference presentation on the importance of getting ready for HIPAA’s privacy and security requirements, delivered in March of 2001. The point being, health information on computer systems should have been protected in 2001, before the rules and regulations were finalized, before the compliance deadlines, before the first fines were levied, before the multimillion dollar fines, of which we are likely to see more before the year is out.
Failing to reap the many potential benefits of EHRs and HIEs because of failure to address concerns about the privacy and security of data would be a tragic blow to the healthcare industry in America, an industry in which so many people work so hard to improve the lives of others. But unless attitudes change and numbers improve, and unless our government decides to get serious about reducing cybercrime, the EHR outlook looks stormy at best.