I will respect the privacy of my patients, for their problems are not disclosed to me that the world may know. (Hippocratic Oath)
I recently read an article titled “Protect Patient Data from an Inside Job” by Phil Neray of Health Management Technology, which stated, as many news organizations have, that in 2010 healthcare organizations were a top target of data breaches. All told, 214 healthcare organizations were breached in 2010, with a total of 6.3 million patients impacted by those security breaches.
Open to the public 24/7, and being the keeper of the most private of all data, healthcare organizations are unlike any other in terms of security challenges. No one questions the importance of privacy in the practice of medicine. A doctor cannot expect a patient to openly disclose private information if that patient fears that they may be harmed by that disclosure. Any information withheld out of fear can have a dramatic impact on the care received.
The Importance of Shared Data in Healthcare
Of course, by its very nature, providing the highest level of care requires sharing confidential information with colleagues. You know the story if you have ever been a patient. You may enter the healthcare system through the emergency room, go to the laboratory for testing, then off to radiology for an X-ray. You then meet with a doctor and get a diagnosis. The doctor then provides treatment, for which you may be sent to the operating room for surgery and then released to a rehabilitative services center or referred to your primary care physician for post-treatment care. This data can be provided by electronic submission to support research that can create innovations to further the quality of care. The medical profession consists of multiple silos of specialized functions necessary to treat you as a patient. Each department has its own procedures, specialized record keeping, best practices and scheduling. Improving patient care, and providing more efficient care, is the impetus behind the movement towards electronic health records (EHR) and Health Information Exchange (HIE) in the first place. EHR and HIE systems make it possible to rapidly transmit this data to make optimal care in the digital age a reality.
Protecting Patients in the Modern Age
The issue is that, since HIE systems essentially centralize data into data warehouse structures, fending off data breaches can become an even larger issue in the future. As such, it is important that we effectively balance the importance of sharing patient information with the seemingly opposite, but vitally important, concept of keeping patient data private. In his article, Neray recommends that the healthcare industry use the financial services industry, which dealt with data security issues under Sarbanes-Oxley and has been enjoying a decline in data breaches, as a model. Data breaches have declined in the financial sector because financial companies have moved beyond perimeter security and no longer use a firewall as a standalone solution. A frank discussion with any security administrator in financial services (I’ve enjoyed a few) will inform you that security breaches are most often an inside job. These companies are actively monitoring sensitive information stored in databases. Events are created to alert a security team about every small detail in order to prevent unauthorized access by prying eyes both inside and outside of the organization.
I think that financial services does provide healthcare with a good model to follow. However, it is important that healthcare organizations take control of data security issues now to prevent further reluctance toward EHR and HIE technologies on the part of a worried public. In the end, enhanced means for transmitting data and better security of that data are both necessary ingredients of enhanced healthcare.