Wednesday, November 14, 2012

Does Anyone Know Just How Secure Our Electronic Patient Records Are? Anyone Have Some Numbers?

The following article appeared in the UK Guardian a few days ago.

How to secure patient trust in electronic record systems

A breach of personal data could do considerable damage, so trusts must build patient privacy into NHS IT systems
Electronic record systems are among the most important healthcare advances of our times.
They bring better, more sustainable healthcare and offer the NHS the opportunity to make large savings – allowing more public money to be invested in improving patient outcomes.
However, a recent survey of more than 1,000 UK citizens revealed that 86.5% of respondents believed a serious breach of personal data would do considerable damage to a hospital's reputation, while 87.2% thought the NHS should monitor who looks at their patient records.
Despite this, many NHS hospitals do not have systems in place to proactively detect privacy violation – and remain vulnerable to breaches, litigation and regulator fines.
Until it becomes mandatory for trusts to build patient privacy into NHS IT systems, the risk of major data breaches will remain, and patients will not fully realise the benefits of electronic healthcare systems.

Disclosure and notification

Recent data from the UK Information Commissioner's Office (ICO) reveals that data security breaches within the NHS have increased by 935% in the past five years. Yet there remains no legal requirement in the UK for providers to disclose to the patient when a privacy breach has taken place.
This must be addressed. UK citizens have a basic right to know when their records have been inappropriately accessed and their privacy compromised.
When a breach has occurred, providers must be mandated to disclose this to patients, and notify the ICO. This would bring a level of accountability to care providers that cannot be achieved by other measures such as random audits and fines.
Healthcare privacy laws in the rest of the world are being significantly strengthened – and the NHS cannot afford to be left behind. In the US, Arra Hitech privacy legislation (2009) introduced – and enforced – strict guidelines around breach disclosure and notification.
Similarly, in Europe, pending legislation in the General Data Protection Regulation will mandate the disclosure and notification of privacy breaches to individual patients and governmental organisations respectively. The NHS should rigorously enforce this legislation.
Lots more here:
Does anyone know of comparable statistics for Australia?
Second question - if we don’t know, just why might that be?
Sadly I am an answer-free zone - but I really feel we should know!


Earl Hose said...

It's a good question, David, but I wonder if the answer needs to be balanced off against another. How secure are our own (personal) records and transactions?
I mean, if users don't know what steps they need to take, themselves, it's a bit much to expect them to appreciate what it takes to keep records safe at a corporate level.
Forbes has 'Ten Incredibly Simple Things You Can Do To Protect Your Privacy'. I've had a look at Tor, and thought "Nah, too complicated", but what happens if consumers use it to interface with their EHR? And what about Cookies and Scripts?

Paul Fitzgerald said...

Earl, I agree we should all take responsibility for our "privacy" - for example, many of those squawking about privacy etc are still quite happy to hand over their credit card to a complete stranger in a restaurant, who then disappears with it for 15 minutes!
The problem as I see it, is that with the new legislation before the parliament, any breach can attract a fine of up to $220K for an individual or >$1M for a company. A simple mistake in addressing an email referring a patient to a specialist, or the path results accidentally going to the wrong place can attract a fine in the brave new world - and the Senate committee is now trying to toughen up these new rules as well.
I think it would be useful, as David suggests, to understand the extent of the problem - my view is that healthcare has a looming problem with Privacy, but doesn't realise it yet.

Privacy Paul said...

Australia has introduced new legislation in regard to Privacy and a variety of amendments are currently before parliament and various committees for comment and eventually enactment including breach notifications. Some specific information about eHealth can be found

Additionally it would be wise for anyone handling personal information including credit card information to have a policy in place on how to handle a breach etc.

Terry Hannan said...

I have worked with EMR systems that have > 3 million patients across multiple institutions since the 1990s! Do we not think that these implementers have NOT addressed security? These are covered in the full issue of International Journal of Medical Informatics 54 (1999)
Also some 'measured' quotes on security.
“By one estimate, 85 percent of all computer security problems involve employees in the organization.”
R.L. Simpson, 1996. Security threats are usually an inside job. Nursing Management 27 (December): 43
Security of medical information: The threat from within. J Anderson, Maria Brann. MD Computing. March/April 2000. 15-17
Personnel creating security risks to EMRs
1. Physicians
2. Nurses
3. Students
4. Pharmacists
5. Technicians
6. Social workers
7. Financial managers
8. Medical record clerks
9. Quality assurance personnel
10. Billing clerks
"The major vulnerabilities are related to inappropriate use of patient-specific information by health workers who have access to those data as part of their regular work. Such risks are greater when data are stored in paper charts." (The evolution of health-care records in the era of the Internet. EH Shortliffe. Semi-Plenary. MEDINFO Seoul, August 1998)

Bernard Robertson-Dunn said...


A question re the EMR systems you have worked on.

Are the system access controls on an individual or institution basis?

AFAIK Centrelink systems have an access control system closely linked to an individual user. If the user walks away from their computer, the screen is locked. Thus there is a close relationship between the logged on user, what they use the system for and what is seen on the screen.

Contrasting that with the PCEHR, it would seem that the access control for the PCEHR is on an institution basis and there is no reliable relationship between the logged on user, what they can access and who can see the screen.

The issues may have been raised in 1999, but I don't see evidence that the PCEHR has addressed them adequately.

Once again, I'm happy to be informed.

Earl Hose said...

Consumers will make judgments on Privacy from what they see. The local Centrelink seems pretty good, from the little I've had to do with it.
On the other hand, the common desk at a community pharmacy could remind one of that supermarket scene in 'Me, Myself & Irene' - "Price check on Vagiclean, aisle five."
We try to be discreet. There is no need for anyone else in the waiting area to learn another patient's name, let alone overhear any other personal details.
What I meant is that there is a profound gap between the face-to-face interactions by which we guard our privacy, and the potential for loss or misuse of millions of files in the NEHR. It wouldn't take much more than one well-publicised instance of harm for there to be a convulsive wave of outrage. Wedged somewhere in that gap is our own approach to electronic privacy, and that would seem to be a good place for the Govt to be helpful. Or, at least, able to demonstrate awareness of problems, instead of behaving like another huckster.

Paul Fitzgerald said...

@Terry, I agree that the major risk is from within - either deliberate or accidental - users having their log in details etc on a post-it tagged on the screen for example - is that deliberate or accidental? In the eyes of the new legislation, the organisation will be held accountable for this behaviour - in either scenario. Clinicians, especially, have to take responsibility for the security of the information they access and add to the system. Most EMRs in the market in Australia today do not have the necessary multi-level authentication to ensure the new laws will not bite the user or organisation. The fact we have known about it for 12 or 15 years is no excuse. As Privacy Paul indicated, organisations need to have a robust policy in place to protect themselves and the majority of users who do the right thing.

Anonymous said...

Isn't it amazing we hear immense histrionics around security and privacy in healthcare, our government writes legislation after legislation to address this space and yet we've yet to see any "facts" published here on "How Big is this Problem in Australia"?

Looks like the legislators and administrators may need to get a grip before they continue to operate in "Ready, Fire, Aim" mode, unless someone here can point to hard numbers and facts around how big of a problem this is in Australia.

I've heard anecdotally of GPs having their records encrypted and access withheld by hackers for blackmail purposes, but I've yet to see any "numbers" on how prevalent this practice is in holding patient records hostage from GP Practices for poorly secured GP systems.

As David has requested, anyone, and that includes both you NEHTA and DOHA, have any "hard numbers" as representative facts illustrating the magnitude of the problem here?

Anonymous said...

Terry, those numbers were correct in the late nineties, early 2000s but nowadays most threats come from organised crime, other states and hacktivists. Apparently organised crime is interested in personal data e.g. Medicare data (name, address, Medicare no. etc) to support identity theft.