Over the last couple of weeks, a number of healthcare associations have taken proactive measures to help ensure the viability and security of healthcare data. For example, the American College of Physicians issued a searing position statement criticizing EHR applications and vendors for focusing less on patient issues than on coding and regulatory concerns.
Not long after that, the Health Information Trust Alliance (HITRUST) formed a working group of healthcare executives and IT professionals to examine the ongoing issue of cybersecurity, with a goal of creating a base of standards for the industry to follow.
As HITRUST's group begins its examination, I'd like to recommend three key areas for it to explore, with a nod to the ACP, whose position statement should also be taken into consideration by the HITRUST group.
Any discussion of health IT needs to follow the ACP's position statement regarding patient-based issues. While security breaches cost the industry upwards of $5.6 billion each year, it's the patients who have the potential to be hurt the most. In addressing the healthcare industry's security needs, the group should also come up with a list of recommendations for patients, to help them protect their own information from health IT breaches. After all, patients probably have even less of an understanding of how EHRs and PHRs work than healthcare and benefits employees do. Patients should have a clear understanding of their rights under the law as well as their own responsibilities with regard to keeping their information private.
Security is as much about encryption as it is about who has access to the records, and for what use. In the Sony hack, the company's human resources department was caught emailing personal health information around as if it were meeting notes for public consumption. The security guidelines should focus on how companies and their benefits coordinators handle health information in their email systems, since that is where many of these breaches occur. While company benefits managers should know better than to be as cavalier with personal health information as Sony's HR department was, that doesn't mean that they do. HITRUST should use its working group to come up with a standards-based statement for employers (especially HR staffers) so they have a clear understanding of their responsibilities and liabilities with regard to their employees' private patient records.
On the surface, interoperability doesn't seem like a security concern, but the framework for enabling different systems to talk to each other and exchange information is critically important. Attackers love to target the junctures where information flows from one system to another, and the more clever ones have developed ways of "faking out" servers to gain access to sensitive data. If those junctures are not thoroughly secured, then we risk exposing private information as we get systems coordinated to share data, sacrificing security for interoperability. While security and interoperability are separate discussions, they need to happen simultaneously.