The various security issues inherently unique to the healthcare sector is an area that I have been following pretty closely over the course of the past couple of years for a few reasons.
First—and thankfully—there appears to be increasing concern in the healthcare industry that the recent spate of security breaches could bleed over into the healthcare sector and could have an adverse effect on the already-troubled industry. As reported in The New York Times on Monday, there is a renewed emphasis on the protection of patient medical data in the face of an onslaught of consumer privacy data breaches.
As stated in The New York Times article, “… in the last two years, personal medical records of at least 7.8 million people have been improperly exposed, according to government data.”
These numbers seem to grow with time and it is especially troubling that these “improper exposures” have not received the same notoriety that similar data breaches have received in other industries.
I think that number may be somewhat misleading or may only deal with “improper disclosures” since a still-unidentified party hacked into the online systems of the Virginia Prescription Drug Monitoring Program in a 2009 incident allegedly stole approximately 8.3 million patient records and demanded a US$10-million ransom.
Especially troubling is the apparent push to move to electronic health records (EHRs) for patient medical data without proper security mechanisms in place, which can arguably make theft and/or misappropriation of medical data even easier. I won’t go into all of the issues surrounding EHRs but there are arguments on both sides of the issue for cost savings, ease of use (including mobility), and privacy.
It is time to deal with these issues and to ensure that adequate security frameworks are put in place, whether through regulatory- or compliance-based means (more on that later), and start to penalize organizations and individuals who violate these regimes through willful negligence, ignorance, or malice.
Second, the current regulatory and compliance regime—the Health Insurance Portability and Accountability Act (HIPAA) of 1996—is woefully inadequate to deal with the current technical landscape in the healthcare industry. It has been almost 16 years since the HIPAA was created and as The New York Times article points out, the HIPAA needs to be updated to reflect the current complexity and technical reality in the field.
Added confusion in this area arrived earlier this year with the Health Information Technology for Economic and Clinical Health (HITECH) Act, which deals with privacy and security issues involving EHRs.
The news is not all bad. It was reported today that the U.S. Health and Human Services Department is looking to strengthen privacy disclosure rules under the HIPAA to allow patients to learn who actually access their EHRs. This is certainly a move in the right direction.
In fact, I think the renewed attention in this area is very good news indeed since there seem to be certain gaps in the regulatory, compliance, and auditing framework in the healthcare industry.
There are many areas in the healthcare security landscape that deserve much more detailed discussions but which I will not go into in this blog post. Having said that, however, please watch this space for a series of blog posts over the next few weeks where I will examine several of these issues in more detail.