Security Requires Patient Accountability
Guest post by Edgar T. Wilson, writer, consultant and analyst.
In the age of the digital hospital and the connected patient, security will likely improve the less it depends on providers.
Everything from HIPAA to patient engagement treats physicians as the white-hot sun of the healthcare universe, holding everything together and keeping it all in stable orbit. They are accountable for health outcomes, for patient satisfaction, for guiding patients to online portals, and for coordinating with care teams to keep data secure — even as mobility and EHR dominance complicate every node in the connectivity chain. All this digital chaos further diminishes security.
Only as Strong as the Weakest Link
Every business out there has learned — usually the hard way, or by watching someone else learn the hard way — that whatever the security infrastructure, users are the weakest link. More devices means more users, and more connectivity and data-sharing means more weak spots all along the chain. By design, the EHR system adds vulnerability to healthcare data security through a long chain of users.
Patients don’t have a systemic, accountable role in all of this. Our whole approach fosters passivity on the part of the patient and paternalistic assumptions on the parts of caregivers and policymakers. We give tacit acknowledgement of this imbalance whenever malpractice law or tort reform is mentioned — an acknowledgement promptly left behind in the face of other, patient-exculpatory programs and initiatives.
Patients are a part of this. Clearly they are invested in their own security — the costs of health data breaches contribute to the rising costs of care, besides exposing personal financial and medical information that can carry its own universe of costs.
Patients are implicated, but they must also be accountable for security in the new high tech healthcare system.
An Old Problem with New Importance
Getting patients included in the evolution and delivery of healthcare requires engagement. The same goes for digital security. The ethical and financial dilemmas of the security situation are an expensive distraction for administrators and caregivers, but they are also a learning opportunity that could empower patients. A new emphasis on digital security and privacy could be the start of a cascade of engagement with further questions of use and responsibility for outcomes.
Already, patients are key players in making telemedicine effective. Access is on the shoulders of the patients, and utilization depends on their technical literacy. The incentives (time and money savings, improved access to care) are powerful, but come with the obligation to learn the platform through which remote care is delivered. Utilizing any telehealth solution requires patients to think about what information they want to share and whether they trust the new platform, to communicate effectively with their provider, and to gain confidence in the new medium.
This same model can be applied more broadly to EHRs, and the patient role in the digital healthcare system.
They can become more accountable and visible starting with how they opt in to different sharing systems, and the norms they follow to support security. Patient portals can be more than a question of access to data when they become the basis for putting patients in charge of thinking more critically about how they want their data managed, what is actually on their records, and who is able to see this information in what contexts.
Offloading the Provider Burden
Openness and transparency are the default on social media platforms. Mitigating this exposure requires users to learn, engage and act, changing settings and asserting preferences to manage their online presence.
HIPAA doesn’t allow the same looseness as a default, but in principle EHRs and patient portals could follow a similar template as far as getting patients to look at their data, how it is shared, who is looking, and which information is privileged. The more these systems ask of patients, the more accountability can be shifted or at least shared, alleviating providers and health systems.
Sticking with defaults for sharing and visibility, just like signing a user agreement to download online applications, could be made into an active choice for patients. The alternative is diminished access for patients. Fail to learn what you are ignoring, and you sacrifice involvement in your own healthcare journey, leave your data prone, and know less about how you are presented to providers and insurers. Cleaning up your patient records could be akin to making sure your LinkedIn is up to date when applying for a job.
Patients, not providers, should be responsible for maintaining their records, verifying accuracy and managing mobility. Doing so would make them more active elements in the entire continuum of care, as digital connectivity is linking together the entire healthcare system.
Learning to Survive
Physicians have complained about the challenges of adapting to new, EHR-driven workflows, learning new digital systems, and dealing with all the tools and quirks that come with contemporary care. Patients, meanwhile, have not yet been obliged to engage with new tools, or even basic health literacy any more than before. Doctors are coming around to the benefits of getting more engaged with their EHRs, but patients have not yet been compelled to change their own behavior.
Putting patients in charge of their data and its management would change this situation. Fluency in matters of digital security is quickly becoming necessary in every realm of modern life, so taking on stewardship of EHRs is a more natural extension of the model than it might at first seem. Carrying this a step further would see patients looking not just at the security framework, but the actual data protected by privacy preferences, and contending with their own health literacy.
Slowly, getting patients to confront their health data security can start a deeper conversation about their health.
Patients are, by nature, the largest stakeholder group in healthcare. They are also necessarily participants in the system. Taking full advantage of emerging (and existing) technology requires patients to take on a greater level of participation in both their care and their records management. They need to have a level of accountability commensurate with their level of involvement and interest in seeing the system improve.
Just as employees well outside the IT wheelhouse have a role to play in preserving the security of the entire IT infrastructure, so do patients need to play more roles than that of consumer when it comes to accessing care. They need to be participants, decision-makers and owners of their data.