Security in the Time of EHRs

March 30, 2010 at 4:18 pm 1 comment

You are online right now.  I don’t just mean that you are sitting in front of your computer or using your smartphone to read this post on the internet.  I mean the majority of your “vital” information about your identity – bank account, social security, address, etc. – can be found somewhere in cyberspace right now.  You exist in the internet; and not just you, but also various versions of you complete with your interests, past transactions and other personal information that you’ve added to your social networking sites or the online store where you buy things.  All of these pieces of you are captured online and are out there in the ether of the web if someone wanted to find them.

It’s a bit creepy, isn’t it?  The fact that so much of our lives these days exist online – and therefore so much of who we are is being captured or constructed on the net – leaves many feeling unsettled.  This is especially true if you’re a person who doesn’t know much about software security, who doesn’t follow how data is captured and stored, who isn’t sure how much of the web works but you are fairly certain it will be working against you.

Now add in the idea that soon some (if not most, if not ALL) of your personal medical information will be stored on a similar system – and you understand why people are apprehensive about the idea of an Electronic Health Record (EHR).  There are those who believe that web-based data storage will only lead to security breaches or identity theft issues.  And there’s definitely the potential for such shenanigans to abound with an EHR.  While these concerns are valid and need to addressed as new systems are created, they shouldn’t stop us from proceeding with developing portable EHR systems.

In this piece, “HIPAA Breaches Related to EMR,” the author reviews this list of HIPAA breaches affecting 500 individuals or more.  While there are instances on that list that would suggest the EMR is at fault – not all of them are related to any sort of electronic medical record.  In fact, the location for where some of the breaches occurred is listed as “Paper Records.”  And, as the author of the post points out, there’s a large number of the breaches that stemmed from insurance companies – which would most likely not be related to the EMR.  But with those caveats aside, there are still numerous examples in that list where someone accessed an electronic device (mostly desktops and laptops) and stole records that somehow pertained to 500 or more individuals.  Clearly, this is an issue that needs better addressing by all EMR developers.

Surely, there are numerous obstacles present to EMR (and all Health IT) developers.  Medical facilities tend to have large staffs and need to ensure that any member of the staff can have access to the patient s/he is treating.  So each user account is a potential gateway for a criminal to steal sensitive information from the system.  However, there are ways to prevent such hacking from taking place.  Commonplace measures such as forced time outs, multiple passwords and tiered levels of security clearance to limit what each user can see by what s/he HAS to be able to see.  Currently, many states are creating requirements and standards for reporting of these breaches as well drafting appropriate responses to all such threats.

But even with every security measure in place, there is still some risk involved in EMRs.  Should we therefore abandon the goal of creating a portable EMR where all relevant medical information travels with the patient?  Of course not.  The benefits of having every vital piece of a patient’s medical history available to any attending physician who is treating that patient far outweigh the risk involved.  As many of our consultants have said, knowing the patient’s history is necessary to efficiently administer treatment.  Waiting on faxes or other slow modes of data transfer in order to receive that information may end up greatly endangering the life of that patient.

Furthermore, as a comment on the EMR and EHR site points out, there’s no indication that there is an increase in breaches, due to the digitizing of records or not.  Since there was no requirement prior to 2009’s HITECH act to report such gaps in security, we have no way of knowing if the problems with privacy are increasing with implementation of EMRs.  While it may be physically easier for someone to abscond with 500 files if those files are electronic than if they are paper,   it doesn’t mean it never happened before.  In fact, the digitizing of patient data makes it easier to detect such breaches and to track their origins.

Privacy and security are always going to be concerns for people when using web-based products.  Add into that the natural concerns people have about their private medical information becoming public, and it’s easy to understand this anxiety.  While developing OpNote, we have worked hard to ensure that any patient data we collect is secure, and only those that should access a patient’s data can access a patient’s data.  We’re sensitive to the concerns of potential surgical users and their patients, as we have all been patients at some time or another.  These questions of patient privacy are important and need to be addressed by all developers as they deploy their Health IT solutions – but it shouldn’t deter us from proceeding forward to a portable electronic health record that can enhance the care we receive from our physicians.


Entry filed under: EMR. Tags: , , , , , , , , , , , , .

Introducing the OpNote Consultants: Carl Brown, MD, MSc, FRCSC Relativity in Reporting

1 Comment Add your own

  • 1. John Lynn  |  March 30, 2010 at 4:52 pm

    Very nice post. It’s amazing how many people start getting freaked out about a security incident when it comes to EMR. It’s like they think that a breach has never happened before. I guess that ignorance is bliss?

    At the end of the day, the benefits of technology will far outweigh the potential risks of security and privacy. Although, try telling that to the person whose security or privacy was violated in a bad way. That’s what makes it so hard.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Trackback this post  |  Subscribe to the comments via RSS Feed

Wholly Owned Subsidiary of mTuitive


Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 3 other followers

mTuitive on Twitter!


Disclosure Statement - The authors of this blog are paid employees of mTuitive Inc. and are compensated for their services.

%d bloggers like this: