Who has seen your electronic health record? What about your paper record? Do you know? Does your doctor know? Odds are no one knows. Health care IT security is well below standards for best practice and is rarely if ever audited for security breaches.
Absence of Standards
Security within the health care industry lags behind, and patients should be concerned about their records. Few doctors have performed proper security and risk assessments of their facilities and data storage, as there are insufficient resources available to doctors in smaller practices to perform these assessments. Costly IT audits are not reasonable for the smaller firms, and none of the new funding available for EHR implementation allows for security upgrades and policy changes.
New compliance requirements and associated penalties as part of the 2009 ARRA stimulus funding are not being addressed with any urgency by health care providers, but not without good reason. Many health care providers do not know where to begin, and the industry is not helping on this account. When a leading health software company was asked what kind of security precautions they took to safeguard the customer data, they were unable to even address this question without referring back to internal IT staff. Meaningful use for stimulus funding does not impose sufficient security requirements to guarantee safe storage of data and set an example for providers to follow with other IT systems. CCHIT is not addressing the security of SaaS (software as a service) providers of EHR systems in their certification process either. Practice of good security does not have to include high costs and increased headaches for end users, but it must be an integral part of all software development.
Reported Breaches
Have you heard of the health care system in Indiana that went down for four weeks due to a viral breach of patient records? It is doubtful you have. I have not found any documented reports and only found out from an employee complaining about the outage. Rarely are these breaches reported properly, and although the HITECH Act states breaches of over 500 patient records will be posted on the HHS website, I am unable to find any. Given the lack of security in health care, I doubt there have been zero data breaches of over 500 patients since February.
Health Cyber Crime
It is time for security to become a focus and not an afterthought when health care is concerned. First a breach of data, then a modification to prescription records, next cyber crimes for falsification of drug use. As more data is stored electronically, more protection must be imposed. Self-defending networks are commonplace in the finance industry. Is your health not as important as, if not more important than, your money?
Call to Action!
I urge all readers to write to their representatives and demand more enforcement of best practice security in the protection of health care data and IT systems.
By Anthony Niehaus
anthony@ehrtech.info
http://www.ehrtech.info