Security for EHR: The Government Learns from the Private Sector

As physicians transition to electronic health records (EHR) a recent breach of Utah's Medicaid data server by hackers raises questions for over 780,000 Utah recipients—and people in other states.  While officials attribute the breach to human error–the failure of a tech employee to use proper protocols when installing the server, further investigation revealed an even more disturbing issue. The hacked information wasn't even encrypted.  According to an April 12, 2012 story in the Salt Lake Tribune, this breach of security has raised more than a few eyebrows of concern. The Tribune’s Kirsten Stewart reported:

Whether Utah broke the law is for U.S. Health and Human Services officials to decide. Under the 2009 Health Information Technology for Economic and Clinical Health Act, or HITECH, insurers, hospitals and government entities that do not encrypt health data, then see it stolen, can be slapped with hefty penalties.

But the breach of trust alarms consumers who wonder whether other health data stored by the state is vulnerable.

Health information technology is a booming, multibillion-dollar industry fueled by a renewed appetite to use patient data to improve medical care and cut costs. And government entities are at the forefront. The health department uses 125 of Utah’s 520 servers.

And on those servers is Utah’s year-old All Payer Database (APD), a repository of private insurance claims.

"If we think Medicaid data sets are big, envision being able to hack into a database which contains everything about almost everyone in the state — addresses, Social Security numbers, family members, and all medical care," said Joan Ogden.

Ogden, an actuary in Salt Lake City, is on Medicare, which doesn’t feed the APD. But the state’s largest insurers, including SelectHealth and Regence BlueCross BlueShield, share claims.

"The reply that questioners about data security have been provided is, ‘We’re the state, our data is secure,’ " said Ogden. "Yeah, sure."

Unlike Medicaid claims, however, APD data are fully encrypted both in transit — en route from insurers — and at rest on the server. Medicaid claims are only encrypted in transit.

Physicians in the private sector have the flexibility of smaller entities allowing for adaptation of newer and safer technologies.  This can better protect the most sensitive patient data.  Many physician offices are turning to cloud-based EHR software though medical billing and collection services to ensure safe and accurate maintenance of their patient records.

A March, 2011 article in the American Medical News indicated that patients trusted their doctors over other parties, including insurers, the government, and employers to protect their private information.  However, this trust didn't extend fully to digitized data. Even though physicians are the most trusted, "they have to be aware that right now your patients have a big, big concern about going to the electronic medical record, and I think part of the onus is on the physician to ease those feelings for their patients," said Bob Rossi, vice president of CDW Healthcare.

When it comes to medical practice management, the private sector understands that the best way to improve patient care is through a coordinated effort to streamline and maximize the efficiency of that practice.  As the research in a Rand study  revealed, health information technology can improve compliance with medical treatment guidelines, reduce medication errors, and decrease the use of potentially unnecessary medical care.

Running a successful medical practice is not easy.  As the Utah government found out, protecting sensitive data must come as a priority.  If you have questions about the best ways to secure patient records as your office transitions to EHR / EMR, our staff and technical team would be happy to answer your questions, regardless of what software you use or plan to use. Just contact us.

Leave a Reply