The government is committing billions of dollars for technology systems that help healthcare providers share information. But making patient data more accessible has an unpleasant side effect: the data could fall into the wrong hands.
Under the Obama administration's stimulus bill and other proposals, portions of a $29 billion fund are available to reimburse hospitals and doctors' offices that invest in electronic records systems and other software that might improve care and lower health-care costs. The government has stressed the need for increased security as part of this digitization initiative, but hasn't yet proposed mechanisms for how the data will be protected.
Now, many privacy advocates are concerned the administration's effort could end up making health information less secure. "If there isn't a concerted effort to acknowledge that the security risks are very real and very serious then we could end up doing it wrong," says Avi Rubin, technical director of the Information Security Institute at Johns Hopkins University.
In recent years, the number of reported data breaches at healthcare organizations has soared, despite laws requiring the groups to protect patient information. In May, a hacker stole more than 500,000 patient records from a state-run database that tracks drug prescriptions in Virginia -- and then demanded a ransom to return the information. The data were backed up and the state didn't pay the ransom. That same month, the University of California disclosed that a hacker broke into a database where patient records were stored for the university health service and stole about 160,000 records.
In all, health organizations publicly disclosed 97 data breaches in 2008, up from 64 in 2007, which was more than the breaches publicly reported by financial institutions, according to the nonprofit Identity Theft Resource Center. That total should jump again in 2009. California, where a new law requires health organizations to report when an unauthorized party has accessed patient data, received 823 such notifications between January and May.
The incidents include lost laptops with patient data on them, misconfigured Web sites that make confidential information public, insider theft by rogue employees, and hackers who penetrate a computer network to steal data. Sometimes, the breaches never hurt the victims; in other cases, the data are used to steal someone's identity.
"Health care is a treasure trove of personally identifiable information," says Don Jackson, a researcher at security consulting company Secure Works Inc. Most health-care organizations collect patient's names, Social Security numbers and dates of birth. Often they store payment information such as insurance and credit-card data.
Criminals can use this information to open credit-card accounts in the victim's name. Among the more nefarious crimes these breaches can lead to is medical identity theft, when someone receives health-care services using the victim's name and insurance. The Federal Trade Commission says medical fraud is involved in about 5% of all identity theft.
Randy Osteen, system director for Irving, Texas, hospital chain Christus Health, says hackers try to steal data from his company "all the time." Christus has a detailed security plan in place, he notes, including tools that ensure only authorized people can access patient records.
But many small offices and clinics that are the focal point of the government's digitization effort don't have such safeguards.
These small practices rarely have a technology professional, let alone a security specialist. These organizations "may not be as aware of the risks and the requirements for safeguarding information," says Daniel Nutkis, chief executive of Health Information Trust Alliance, an industry organization that promotes security.
As more information is shared, it is subjected to the weak-link effect. Mr. Osteen's efforts to safeguard information won't be useful if smaller providers he shares it with haven't made the same kind of security investments.
As part of the stimulus bill, the government will release guidelines over the next year for what constitutes a secure system. But even if it ultimately requires health-care organizations to use systems that can encrypt data and have other security functions, critics warn that making sure people use all of these features is more important.
"If you take a digital system and implement it in a sloppy way, it doesn't matter how good the system is," says Pam Dixon, executive director of the World Privacy Forum, a nonprofit organization with a focus on medical identity theft. "You're going to introduce risk."