This article can also be found in the Premium Editorial Download "Information Security magazine: Step-by-step guide to avoiding basic database security risks."
Download it now to read this article plus other related content.
The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act signed into law by President Obama earlier this year, calls for a $19 billion investment into health care information technology to modernize medical practices with electronic medical records systems (EMRs).
One of the keys in this bill to reducing the cost of health care is that physicians could exchange patient data electronically; a physician or hospital cannot obtain the government incentives without demonstrating this capability. The idea is that EMR systems would reduce the number of tests performed because data could be shared easily between physicians across the Internet. However, there is the possibility that this adoption of technology could have an undesired consequence of putting medical data at risk of security and privacy breaches. Think about it: All of your private medical and billing information will be available to any medical practice (there are more than 161,200 in the U.S.) over the Internet. Is the stimulus bill going to foster adoption of technology in health care or end up becoming the cybercrime stimulus act?
To understand the level of risk, it's necessary to grasp the unique environment of health care IT. The average-size hospital manages more than 250 applications, including medical equipment as well as scheduling, billing, laboratory, and surgical applications, all from different vendors. All of these systems can feed data into the EMR with varying security capabilities and compatibility issues. Health care software vendors have not been known for creating or utilizing secure software solutions.
This level of complexity creates an environment that is very difficult to secure and requires all 161,200 medical practices to become information security experts. The number of security professionals working in health care has increased but still is not sufficient to manage this level of increased risk. Most of the larger institutions employ information security staff but this is not affordable or sustainable for the smaller physician practices. Is your doctor qualified to read an intrusion detection log? Should your doctor have to read an intrusion detection log?
There is another issue that compounds the problem. Only about 10 percent of health care providers have adopted EMR systems because of the cost and size of the implementations. With the financial incentives to implement an EMR beginning in 2011 and penalties for noncompliance starting in 2016, the remaining 90 percent of providers have a very slim window to implement complex software installations. How much time will be devoted to developing effective security around these systems? How many information security professionals will be available to build secure communications between these systems?
Heightened portability of health care data poses another problem. It is a well-known fact that the majority of security risks a corporation faces actually reside within the firewall. The health care industry is not immune to the risks posed by the insider threat. People seem to have a heightened level of curiosity about the health care issues of others; how many times have you seen news about celebrities having their medical records compromised while receiving medical care? This problem is usually contained within the hospital where the celebrity received their care, but how will the fact that these records will be available to any health care provider across the country affect our privacy? What if these records are made available around the world? All of the credible EMR systems possess the ability to audit this type of access but it will take an army of auditors to detect these types of privacy violations. I can assure you that no health care provider is prepared for combing through this amount of audit log data.
The implementation of electronic medical record systems has the potential to provide many benefits for both the patient and physician. But EMRs are huge databases of medical and financial information that make them ripe targets for criminal activity and privacy breaches. There are standards available for implementing and configuring these systems to safeguard their vital contents. However, the fact that so many of these systems will be implemented in such a short timeframe increases the risk that they will not be secure. And if these systems are not secure, then HITECH and the American Recovery and Reinvestment Act may well become known as the cybercrime stimulus act.
Joseph Granneman is CTO/CSO of Rockford Health System in Rockford, Ill. Send comments on this column to firstname.lastname@example.org
This was first published in December 2009