Tuesday, April 6, 2010

EHR not used securely

I ran across multiple articles this past week on the topic of EHR security. They were all shocked at the results, but I am not. The reason I am not surprised is that this is the first year in which it really became important for a Healthcare Provider Organization to care about security. Sure, in past years they should have been concerned with it, but we all know that organizations (or individuals) will not take security seriously until their neighbors are being publicly flogged. One hopes that it is the neighbor, but someone must be the bad guy. What changed is Breach Notification, and specifically the HHS posting of breaches. I covered this just last week in the article A Look into the HHS Posts Data Breach Notifications.

This means that Provider Organizations are just now talking about it. It will be only slightly better next year, not because organizations are not changing (some will be), but because it takes quite a bit of effort to change a system that is not secure by design (see #2 in my Three Security Concerns for 2010). The pressure needs to be kept up month after month (I also note three new breach notifications in healthcare just last week).

This article acts surprised that Healthcare Organizations are reactive rather than proactive. This is because they have not had to be proactive, and, lacking a motivation, they will not be:
The 2010 HIMSS Analytics Report: Security of Patient Data indicates that healthcare organizations are actively taking steps to ensure that patient data is secure. However, these efforts appear to be more reactive than proactive, as hospitals dedicate more resources toward breach response vs. breach prevention through risk management activities. More
This article boldly declares that EMR Data Theft is on the rise. Well, of course it is: as data is moved into EMRs, there are more EMRs to steal data from. This data could simply be telling us of the ever-increasing use of EMRs.
EMR Data Theft Booming
Fraud resulting from exposure of electronic medical records has risen from 3% in 2008 to 7% in 2009, a 112% increase, researcher says. More
And this one finds 'mixed results'. The story it weaves is that Provider Organizations say they are compliant, yet breaches are up. Not very useful.
Survey Finds Mixed Results on Security of Electronic Health Data
Health care professionals rated their organizations high for compliance with health IT regulations, but reports of data breaches in the past year were up from two years ago, according to a new biannual report released Monday, Health Data Management reports. More
It is true what they say: lies, damned lies, and statistics. Yes, we must get better, but we will get better by using Risk Assessment to apply reasonable controls against real risks. See my advice for Meaningful Use - Security Plan.