Escalating the Fear of Electronic Medical Records

May 20, 2011 in Health Policy by RangelMD

Fear of the unknown or unfamiliar is nothing new and has been applied to electronic data and the internet since they were developed. The fallacy is that electronic data is no more insecure or secure than paper data simply by virtue (a priori) of it being new. This kind of prejudice often results in oddly irrational choices like the person who will never use their credit card number to purchase products on the internet but doesn’t think twice about handing their credit card to a waiter who disappears into the kitchen for several minutes.

Chart rack: Not very secure

Both forms of data have weakness and strengths. One of the benefits of electronic data is that it can accessed from multiple sites  unlike a single paper chart. But this feature makes it easier for hackers to access electronic data. Then again, unlike paper charts, electronic data can be encrypted and password protected.  I have yet to see a password protected or encrypted copier or fax machine in use at a health care facility.

And paper charts are ridiculously easy to access (or lose).  The majority of hospitals still rely on paper charts openly stored at the nurses station for easy access and most hospitals have extremely loose security requirements such that anyone with a white coat or scrubs and a fake ID can have more than enough time to peruse a chart or even make copies before anyone notices.

The HHS inspector general is rightly concerned about the security of electronic medical records after two recent government reports found many security lapses and potential problems with electronic medical records. But many of the security problems appear to be bonehead screw-ups by facilities in not utilizing the security features available for electronic data.

“The second audit examined computer security at seven large hospitals in different states and found 151 security vulnerabilities, from ineffective wireless encryption to a taped-over door lock on a room used for data storage.”

There are cases in the early days of the use of wireless networks where hospitals didn’t know how or bother to use the encryption options when setting up their networks. Such negligence is odd since hospitals can be fined up to $50,000 per incidence of a breach in patient privacy. Maybe the Federal government should start enforcing it’s own laws rather then just creating reports and audits. And the processing and storage of electronic data is changing such that data is now being stored off site (yes, the cloud)  in facilities that should be able to provide much better security for storage servers than an easily taped-over door lock.

And while Luddites and detractors of electronic data still complain that the system can never be 100% secure, one has to question whether the entire issue of the security and vulnerability of  electronic patient records is another case of sensationalism looking for a problem. As of now, there does not appear to be a large criminal black market in stolen medical records nor any potentially large advantage to going through all the trouble to hack into medical facility networks to steal patient data. Though a lack of logic didn’t prevent the Associated Press from making ridiculously sensationalist claims that an illicit market for stolen health information is “booming”. What is their proof? Don’t laugh. It’s stolen celebrity hospital records.

The market for illicit health care information is booming. In recent years, the case of a former UCLA Medical Center worker who sold details from the files of actress Farah Fawcett, singer Britney Spears and others to the National Enquirer gained notoriety.

I’m not sure I understand the point of this paragraph. Does the writer imply that the issue of secure patent records is not a concern to the 99.99% of Americans who are not celebrities? And do we know for sure that the breached medical records of Farah Fawcett were exclusively in electronic form while her paper chart was perfectly safe at the nurse’s station?

Ironically, none of the celebrity medical information was accessed by outside third parties by hacking into hospital networks which is the entire point of the AP article. Maybe the slant of the AP writers should have been that hospital employees need to be better vetted and instructed about patient privacy?

But as if sensing the ridiculous claims and examples put forth in their previous paragraph, the AP writer(s) appears to back off from the celebrity security claim and instead claims that electronic medical records are valuable because they contain social security numbers.

Most cases don’t involve celebrities or get much attention. Yet fraudsters covet health care records, since they contain identifiers such as names, birth dates and Social Security numbers that can be used to construct a false identity or send Medicare bogus bills.

But almost all personal records contain information such as a name and date of  birth. This is what makes them personal records. Your name and corresponding date of birth are on everything from department of transportation records to voting records to marketing reports to client lists to sales records to school records etc. etc. and many of these are in electronic form.

And as for Social Security numbers, well, that’s an entirely different issue. The SS# was never intended to be used as a de facto national ID number but it is.  Hospitals assign medical record and account numbers to patients that are unique to their facilities and Medicare and private insurances assign their own number identifiers. In my opinion, there should not be any reason for private facilities to record or use a patient’s SS# or they should accept liability if the SS# is ever stolen from their system and used in a case of identify theft.

The bottom line is that identify theft is a national problem that is far bigger than the risk of security holes in electronic medical record systems and there is no evidence that medical records are a significant source for information used in identify theft. The fact is that electronic medical records are much easier to view, transfer, and store and unlike paper records, they can be password protected and encrypted. The benefits of electronic data outweigh their risks.

And apparently, this garbage is what now passes for mainstream journalism in the US. No wonder the Drudge Report linked to it.

Please share.