JUST HOW SECURE ARE YOUR ELECTRONIC MEDICAL RECORDS??
Studies show Doctors lag behind rest of the country in Internet security issues.
Steven G. Shalot, R.Ph., D.P.M.
“Editor At Large”
The real danger is the gradual erosion of individual liberties through the automation, integration, and interconnection of many small, separate record-keeping systems, each of which alone may seem innocuous, even benevolent, and wholly justifiable.
-----U.S. Privacy Protection Study Commission, 1977
The EHR Issue from different perspectives . . .
We’ve got our noses to the grindstone, and are working hard to start off the second decade of the twenty first century. Somehow, despite all the naysayers and “talking heads” on cable news networks that predict dire consequences for the healthcare system, especially since the lack of confidence in Obamacare, we’re doing okay here in our little world of podiatry. Our future outlook is good - the number of DPM’s is expected to grow between 7 and 9% over the next 10 years, and our Net income, (which in 2009, was listed at $150,000.00 by Forbes) continues to contribute to the placement of podiatry on Forbes magazine’s “top 25 jobs” list. According to the APMA, “The Bureau of Labor Statistics suggests that until 2014, we can expect job growth of about 16% in podiatric medicine.”
Being the savvy doctors we are, a good number of us have electronic patient records and order prescriptions electronically. However, as great as all of this is, it is not without some foibles. Thieves abound, who are all too eager to get their hands on your records, and exploit the information they can get from them.
Back in 2002, John Hultman, D.P.M., Podiatry Management magazine’s practice management “guru,” said in an issue of PM News, that “it is interesting that patients and doctors feel less secure with digital records than they do with paper.” Eight years later Dr. Hultman’s words still ring true, and there is much good reason to be uncertain about keeping health records digitally. It used to be that medical information theft could be measured in tens of thousands. In 2010, that number has jumped to over 275,000 cases, according to Privacy Rights Clearing House, www.privacyrights.org.
Fraud from these thefts, in other words actual damage being done as opposed to just having records reported as stolen, has gone from 3% in 2008 to over 7% in 2009 – which is a 112% increase, according to Nicole Lewis of Information Week. Is this an unknown, or an unspoken fraud scheme? Hardly, because celebrities such as Britney Spears, Farrah Fawcett, and Maria Shriver, have all had data breeches of health care information.
“As opposed to stealing a driver’s license or a credit card, data gleaned from personal health records provides a wealth of information that helps criminals commit multiple crimes,” this, according to James Van Dyke, President of Javelin Strategy and Research, a Pleasanton, California-based marketing firm. Some of these include making payments from stolen credit card numbers, and ordering and reselling medical equipment with stolen insurance numbers. Compared to stealing a credit card, Van Dyke says that stolen medical information can be used to commit crimes for an average of 320 days, as opposed to around 80 days for credit card or bank information. In addition, it takes more than twice the time to detect fraud from medical information, than from other types of identity theft. His prediction is that as medical providers increase their use of EMR’s, the incidents of fraud will increase; at an astronomical rate.
From the cradle to the grave
With new security measures in place against fraud, credit cards are not the hottest commodity trading in the Identity Theft market place. The number one spot has been taken over by EMR’s and EHR’s. These two are NOT interchangeable. Electronic Health Records, or EHR’s, are more likely to be stored and maintained by patients, as compared to EMR’s, which are more often physician or hospital-generated. Credit cards just aren’t profitable anymore, according to the New York Times. In 2005, a typical stolen VISA card went for about $100.00, and today, the same card on the Black Market will go for maybe $6.00 to as little as $0.40.
With EMR’s you get a lot more than just a number. According to David Bailey, in the March, 2010 edition of Redspin Labs, an identity sold for $14 to $18. With an EMR you get all the information like name, address, date of birth, social security number, prescription history, medical history, and maybe even a driver’s license with a photo. Being targeted here by the thieves is not just identity but the medical information contained within them. A single hospital would retain this information for every patient that ever checked in, and that is all that an identity thief would need. Patients with recent birth or death events are the perfect candidates for identity theft because usually no one is checking on their records. In other words, people are targets right from the cradle to the grave. Hospitals usually keep all their paper patient records in the basement, as they are converted to digital information. Security is very lax here, and this is the point at which most of these records are stolen.
Now the thieves are starting to sell the actual medical and health information. Retail pharmacies were among the first to digitize patient records for the purpose of insurance billing. The insurance companies usually provided the software for these transactions. Knowledgeable thieves have hacked into systems and have held tremendous amounts of patient records hostage for large sums of money. In October of 2008, an attacker notified Express Scripts, a major national processor of prescriptions and insurance information that “millions of client records would be released to the public” if a large ransom weren’t paid. In a similar incident in April of 2009, an attacker hijacked the Virginia Prescription Monitoring web site, and posted a message demanding a $10 million dollar ransom. Just who is buying this health information? People desperate for medical care who look to acquire stolen medical records to assume an identity in order to get badly needed treatment. This trend is only on the increase. The World Privacy Forum, notes an increase in medical identity theft, from 86,168 in 2001 to 255,565 in 2005. The types of crimes that can come with this type of larceny are simply beyond the imagination – everything from tonsillectomies and bunion surgeries to heart transplants.
A Ghoulish Crime
It may seem like something out of a James Bond novel, and in many respects it is; all the ingredients for terrific fiction are there, except that this one is real. We have a staid brownstone serving as a quaint English medical clinic in a respectable London neighborhood, British doctors and patients, and international smugglers and thieves! It all began back in 2008, when the Harley Street medical clinic in London started to convert all of their medical records in the basement into digital form. They subcontracted out the job to a British firm who in turn sub-subcontracted out the job to another “English firm” which turned out to be two young Indian “entrepreneurs” from Mumbai, India. An investigative British journalist contacted the two men in an Internet chat room pretending to be a marketing executive looking to buy medical charts in order to sell devices, drugs, etc., to different patients. Such leads, according to industry insiders could really be “gold mines.” Some of the charts were being offered for as little as 4 British Pounds each.
A patient whose records were among those stolen from the clinic called the act “one step up from grave robbing.” The point to be learned by this episode is that a lack of security at the points of transfer of these records from one party to another resulted in a leak of information.
Asked to comment on examples of medical information thievery like the type that occurred at the Harley Street Clinic in London, Pam Dixon, a spokesperson for World Privacy Forum had this to say:
“People desperate for medical care are looking more and more at the Black Market for an insurance identity to file fraudulent claims, thus they get the care they seek, but which is otherwise denied through more standard channels.”
In April of 2010, stolen U.S. health records were found on a computer server in Malaysia operated by an international organized crime syndicate. The server compromised the medical and health information of thousands of U.S, citizens. But as we’ve seen earlier, it isn’t just health information at risk. According to Ms. Dixon: “Medical records are really like a ‘Platinum Card’ for organized crime, which can rake in millions of dollars from false billings.” Also, “information generated from these false claims entered into a patient’s EMR, can pose life-threatening risks to patients,” she added.
EHR’s Quantum Leap Despite Risks
A recent survey by a firm near Chicago called Healthcare Information & Management Systems Society (HIMSS), concluded that most hospitals in the U.S. spend less than 3% of their Internet Technology (IT) budget on security. Lisa Gallagher, the senior director for Privacy and Security at HIMSS calls this figure “inadequate,” an understatement at the least. Even though we can see that the risks associated with EMR’s and a paperless “utopia” of medical practice are great, it is doubtful if the momentum can be stopped, in fact, far from it. It seems that the inertia favors an inexorable climb to complete digitalization, on both a clinical level, and on the financial. Indeed, the case for digitalization is quite compelling, and for all of the right reasons. For our geographic illustration of this point, we will go to New England.
Boston, MA was a leader in the American Revolution, and it appears as though they are reluctant to give up that role in the “Paperless Revolution” in healthcare. Partners Healthcare is a very large corporation that operates several Boston area hospitals, and they have already turned their sights to the future. Keeping this in mind, let’s look at some background first: Physicians are under a great deal of pressure to digitize records and “get on board,” yet there is a tremendous dichotomy between doctors and hospitals in this regard. Both the New England Journal of Medicine and Partners did their own surveys, and they came out with similar results comparing doctors and hospitals in terms of who was making faster progress in digitizing their health records. They found that less than 17% - 20% of the nations 700,000 doctors are using Electronic Healthcare Systems (EHR’s), yet most of the nation’s largest hospitals have already deployed electronic health record systems.
Financial incentives despite downturn:
(Did someone say ‘Stimulus Package?’)
Compared with these largest and well-known large hospital centers across the country, the second survey dealt with smaller, non-federal hospitals, and stated that 1.5% of these have a comprehensive electronic filing system in place. Whatever survey(s) one looks at, it seems pretty clear that there is much growing to be done. But still, the lingering question is why are doctors in practice reluctant to change over to complete Electronic Systems? One obvious answer is comfort. The old adage that there is safety in doing things the way that they’ve always been done seems to have a foothold. Doctors are just reluctant to change; no matter what common sense or surveys suggest. In medical school we learned to chart a certain way, fill out forms ad infinitum, and write out our prescriptions. Charting, paper charting, that is, is very hard to say goodbye to; but it MUST be gone. The continued use of paper records places physicians at a high risk for medical mistakes, ill-informed treatment decisions and unnecessary tests because hospitals and doctors don’t have easy access to information about recent tests, health histories and other important data.
Yet the fact remains that we are still in the midst of a vast economic downturn. So while many hospitals are trying to catch up, and have taken initial steps with automation, they still have not adopted comprehensive systems. A study by Symantec Corp., the large Internet security company, on the challenges that hospitals face as they make the move to electronic records says that:
“High costs, the difficulty of changing the clinical culture from a paper-based workflow, and the economic situation (resulting in reduced budgets, layoffs, a drop in patients, and difficulties in getting credit) have all impeded caregivers’ ability to invest in new systems.”
However, observers on Capitol Hill believe that the reluctance to embrace EHR’s could dissolve soon as a result of the stimulus package and healthcare reform. Programs such as the inclusion of podiatrists in the EHR Medicare incentive make it very difficult not to participate. In fact, there are penalties for not participating. Last year’s stimulus legislation produces looming financial implications – The $787 billion package, officially known as the American Recovery and Reinvestment Act (ARRA), sets aside more than $20 BILLION in direct incentives to individual doctor practices, hospitals, and other healthcare organizations that show they are making “meaningful use” of EHR’s; which is translated to mean that medical data can readily be exchanged between interested healthcare providers. In fact, some analysts place this number at $36 billion. The major efforts to reform healthcare have focused on improving the quality of patient care, and reducing costs through information technology.
At risk are incentive payments of as much as $64,000.00 for a physician practice and millions of dollars for hospitals, depending on their size. In 2015, penalties for non-compliance will start, when physicians and hospitals that treat Medicare patients will see a reduction in fee reimbursements if they aren’t complying with ‘meaningful use’ requirements.
Now we come back to Partners Healthcare in Boston. Because of the tremendous amounts of money involved as well as governmental penalties, they are not leaving it up to the individual doctors in their system to convert to EHR’s. They take a rather atypical approach of mandating that its physicians use EHR’s. There are some interesting incentives. For instance, Huntington Memorial Hospital is helping its doctors go digital by giving them a free e-prescribing system for their offices. Beth Israel Deaconess Medical Center and Inova Health System are offering their physicians subsidized EHR systems.
Security must equal or surpass technology
These different healthcare organizations may go about using different approaches, but the goal is still the same: to assist the independent practices with which they work to make the complicated and expensive transition to EHR’s. Still, the nagging issue of having technological security keep pace with the items they are supposed to protect is there. The safety and security of EHR’s is an evolving science. A good part of the protection of these records, i.e., prevention of both the illicit possession of, and illicit alteration of them, has to do with security at the places these software programs are installed, and later used.
A bigger problem that exists in hospitals, but not so much in private offices has to do with a hospital purchasing laptops, desktops, mobile devices and such. The more “gateways” there are of entry into a system, the greater is the likelihood of theft or compromise. So, when you purchase hardware for your office you must make sure that the proper control exists over who will be doing data entry, and exactly “what” they will be entering. A basic principle is that EHR data entry should be incremental – information can never be removed or altered from the record, only added. Basically, NO unauthorized persons should ever have access to your office system. Keeping some type of paper “sign-in log” next to your pieces of computer hardware and iPads and “smart phones,” etc., if you have them in your office would be a good idea. This would give you a decent measure of control over both WHO is entering data, WHEN it is being entered, and lastly WHAT is being entered. It may seem redundant and silly, but just the fact that a log exists and is sitting there on the counter or in the employee break room can be a deterrent to fraudulent activity.
Industry standards for security of EHR’s are needed
Of course, under the health IT provisions of the federal stimulus package, all entities that handle protected health information must comply with HIPAA (Health Insurance Portability and Accountability Act) security and privacy regulations. In addition, the HIPAA rules extend to things like when patient information can be used for marketing purposes. The new law also increases penalties for non-compliance, rules pertaining to business associates, and it also allows for more vigorous enforcement.
Every office or hospital may have a different system in place, but there are “General Principles” for managing EHR’s, that ought to be universal in order to set an industry standard that makes safety and security a cornerstone of their existence (These will be listed below). To be really good at protecting patient’s and physician’s privacies, the developers, and later the users of EHR’s have to be several steps ahead of the criminals who would pirate this information and profit by it. This is no easy task, and the scope of such activity and planning is beyond the scope of this article. In fact, the literature is teeming with the security concerns of the entire “electronic alphabet:” EHR’s, EMR’s, even EPR’s!!! The users of and the creators of these systems must be aware of one fact: Without sufficient attention to security and privacy, the virtues of EHR’s can quickly become vices.
In your office, by paying attention to these aforementioned four general principles of working with Electronic Health Records, you can play a significant role in the reduction of data theft. They are: Confidentiality, Control, Integrity, and Legal Value. Pretty much, they are self-explanatory, and you can adapt them to your practice setting. The last principle, Legal Value, refers to the governing HIPAA rules with regards to commercial use of patient information. For example, using your data to identify diabetic patients for the purposes of marketing by a drug or shoe manufacturer. Your responsibility is to see that the patient is not exploited in any way.
The second principle deserves some mention here: Control. In your office, depending on the number of assistants you have working for you, you should NOT give blanket permission for everyone to access patient information. YOU will have to set the guidelines for data entry, security and financial information. Remember, the financial and billing data in your EMR should be guarded with the same diligence as the clinical information. It is not prudent, nor is it safe for everyone to know about Mrs. Jones’ payment schedule, which includes her VISA Card number, etc.,
We’ve seen how electronic medical records and charting are here to stay and the promises for the bright future they bring. The less occupation we have with the more mundane aspects of our practices, the more time and energy we can spend tending to what we love – relieving the sufferings of the foot sore public. Still, we must be vigilant and guard the privacy of the patients that come to us for treatment. As “captains of our ships,” as dependence on paper becomes less and less, we set the tone for the smooth sailing of our practices. After all, we cannot afford not to.
I would like to acknowledge the following individuals, and sources for assistance in acquiring the information contained in this article:
Nicole Lewis - Information Week
James Van Dyke – Javelin Strategy and Research, Pleasanton, California
John Hultman – quoted in PM News Archives, 2002
Maryanne Kolbasuk-McGee - Information Week ~ Analytics section
David Bailey – Redspin Labs Blog
Pam Dixon – spokesperson, World Privacy Forum
Lisa Gallagher – Healthcare Information & Management Systems Society (HIMSS)
Dr. Shalot is a former Senior Editor of Podiatry Management Magazine,(Kane Comm), and today is a freelance Health and Medical writer interested in a variety of issues pertaining to Practice Management. A trained pharmacist, he is also a specialist in the application of pharmaceutical science to clinical practice. He can be reached at “Scribbler30@gmail.com”