As more health-care records go online, cybersecurity fears grow
As more information goes online, security breaches of credit card and Social Security numbers continue to grab headlines. But how safe is your doctor’s most recent prognosis?
In September 2011, an employee of McLean-based Science Applications International Corp. (SAIC) was transporting computer tapes between federal facilities in Texas on behalf of TRICARE, the military health program. The unencrypted tapes were stolen from the parked car, and with them the names, Social Security numbers, home addresses and, in some cases, clinical notes and lab test results of about 4.9 million military clinic and hospital patients. This data breach is still the biggest on record since 2009, when a federal law was passed requiring health-care providers to report to the Department of Health and Human Services all breaches affecting 500 patients or more.
The breach resulted in eight class-action lawsuits, which have yet to be resolved. Besides TRICARE, which is based in Falls Church, and SAIC, the other defendants in the cases include the U.S. Department of Defense and then-Secretary of Defense Leon Panetta.
Since the TRICARE data breach, the health-care industry has continued to digitize rapidly and is incentivized to do so. In 2009, Congress authorized nearly $30 billion to speed the adoption of electronic health record (EHR) systems, an effort designed to improve patient care and drive down costs. About 44 percent of hospitals nationwide report having and using a basic EHR system, and the majority of providers in Virginia have made the shift.
Such higher levels of access provide numerous benefits to physicians and patients but also open the door to increased security threats.
In Virginia, hospitals are responsible for providing their own security. The Virginia Department of Health offers tips to providers “as a courtesy,” says Debbie Condrey, the chief information officer for the Health Department’s Office of Information Management and Health IT.
Condrey says one aspect of EHR implementation that can lead to security risks is related to patient treatment. Physicians have to use up crucial minutes of patient time as they adjust to the new system.
“They [physicians] say they only have nine to 11 minutes scheduled in their day per patient. They don’t want to spend six of those minutes trying to figure out the EHR and log into it,” she says. “The initial implementation of an EHR really does cut into the productivity of an office. I really believe that’s been a deterrent to hospitals setting up these things.”
Letha Fisher, vice president of consulting at VHQC (formerly Virginia Health Quality Center), a health-care consulting organization, says it’s imperative to implement strict rules, policies and procedures to protect data security, and it must be clear that no hospital staff can take “short cuts” when using an EHR system and must “resist any temptation to work outside of the rules and the law.” Privacy infringements violate HIPAA: the Health Insurance Portability and Accountability Act passed by Congress in 1996. Emphasizing the importance of following such regulations is part of VHQC’s mission to help physicians and other providers bridge the gap between health IT — including EHR adoption — and the day-to-day demands of patient care.
“You have to do everything you can to protect sensitive information in the electronic health system,” she says. “There are repercussions of losing patient trust. There’s a lot at risk.”
Fisher says that when VHQC works with hospitals, cybersecurity is discussed in detail. They explain the importance of not sharing passwords and other best practices that hospital staff must comply with to reduce IT security risks.
Even with methods like this in place, experts and officials still have safety concerns. After a yearlong examination of cybersecurity, The Washington Post found health care is one of the most vulnerable industries in the country. The industry notoriously lags behind in addressing known problems, according to the report. Condrey says one reason for this situation, at least in state government, is that health IT security “just hasn’t been as funded as well as other areas.”
“Security is something that really requires dedicated resources — people with good skills. Specifically with health-related security, you really need people who have backgrounds and skills in health-care security,” Condrey said.
This task can be especially challenging for small, independent hospitals, says the IT security team at Carilion Clinic in Roanoke. Judie Snipes, Carilion Clinic’s privacy officer, and Tom Newton, Carilion Clinic’s information security officer, say IT security in health care is a very specialized field and experienced professionals are in high demand. At Carilion, smaller clinics have access to resources offered at the corporate level, which helps them move forward technologically, yet affordably.
Fisher says her organization sometimes will recommend adding an expert consultant as a risk mitigation strategy, and the hospitals they work with don’t have a problem with it.
“They [hospitals] clearly understand the risk and the consequences, and that is not a short cut any hospital would reasonably make,” she says. Every hospital Fisher is familiar with has information officers, she added. “They’re well-staffed to meet those needs.”
However, Fisher says, IT security should be on the brain for all hospital staff. “When you make the IT person the only one who understands the risk, you set yourself up for issues,” she says. “Our take is everyone on the health-care team should understand their risks.”
Internally, Condrey says, the health department demonstrates this higher standard of safety with an expanded security program. The department follows an information security policy based off the commonwealth policy established for other state government entities. “Ours is a bit tighter,” she says.
That’s because confidential information passes through the department, often in the form of patient records. All this data must be encrypted, she says. Unencrypted data was a key component in TRICARE’s security disaster.
Condrey emphasized that security programs need to stay up to date on the latest threats. “As you know, there are always more hackers coming out every day,” she says. She said the department makes sure its systems stay up to date and monitors any type of hacking attempts or virus attempts.
VHQC is expanding cybersecurity services and support, says Fisher. The organization wants hospitals to understand and isolate their risks and keep information security a core value of the organization.
“There probably are inadvertent breaches in spite of everything done well,” she says. “It is vitally important for providers in the health-care world we exist in, with the data and with this new technology, that they be very conscientious and establish a real culture of security.”