Healthcare // Policy & Regulation
News
2/12/2014
09:06 AM
Connect Directly
RSS
E-Mail
50%
50%

Labs Must Protect Newly Portable Patient Data

Now that the Department of Health and Human Services has ruled that consumers can get their medical test results, labs' IT departments must give security and privacy top priority.

Hackers Outsmart Pacemakers, Fitbits: Worried Yet?
Hackers Outsmart Pacemakers, Fitbits: Worried Yet?
(Click image for larger view.)

Now that patients are legally entitled to their medical results from the lab, these laboratories must take further steps to ensure data doesn't get into the wrong hands.

The Department of Health and Human Services last week made its final rule on the Clinical Laboratory Improvement Amendments of 1988, giving patients (or their authorized representatives) the right to access their information. The move is designed to give patients more control over their healthcare choices, empower them to more easily adhere to treatment options, and let them track their health progress, said HHS Secretary Kathleen Sebelius in a statement

HHS estimates 22,861 laboratories will have to spend between $2 million and $10 million among them to develop processes and interoperability systems that enable them to conform with the rule, according to published reports. Most large lab chains and hospital labs can handle these requests already, but smaller facilities could have challenges, experts say. Each year, labs could field between 175,000 and 3.5 million requests from patients, their designees, and personal representatives, HHS predicts. However, doctors will still receive lab results first; the new rule gives labs up to 30 days to comply with a patient's request.

Although most industry groups have voiced approval of the rule, at least one group recommended that patients continued to work closely with healthcare providers to review results to avoid undue concern over phrasing or pictures.

[Does healthcare security have a respect problem? Read Healthcare Information Security: Still No Respect.]

Labs are not doctors' offices, cautioned the American Clinical Laboratory Association:

Because laboratories typically do not have direct contact with the patient, as they often obtain specimens from the physician's office, labs will be diligent in ensuring that the individual making the request has the right to that information. Laboratories will continue to be vigilant in protecting the confidentiality of sensitive private health information.

As part of that protection, labs' IT departments must work closely with front-line staff -- those who will be newly responsible for sharing results with the public -- on security, including social engineering. Conning people out of information hackers can use to further their goals accounts for 17% of cyberattacks. Labs must protect data where it's stored, shared, and as it's being transferred as well.

"The push to make patient medical records and results available at the point of need to internal providers, external providers and even patients themselves increases the need to ensure the secure transmission and remote access to medical records are safe, secure and cannot be exploited by cybersecurity threats," said Doug Copley, IT director and information security officer for Beaumont Health System, during a January 2014 meeting of the Michigan Healthcare Cybersecurity Council. 

Even before the rule change, laboratories experienced some breaches, often through unencrypted mobile devices or media. In 2013, someone stole the flash drive of a Dynacare Laboratories employee containing information on about 9,000 patients. This year, LabMD closed its doors, the result, it said, of a government probe into a 2013 security breach. Several years ago, private lab Cord Blood Registry was affected when a thief broke into an employee's car and stole a laptop that contained sensitive patient data.  

That's not to say patients shouldn't get test results, of course. Yet every time you give another user group the authority to access data, risks increase. There are more vulnerabilities, more risk for error. IT departments must assess these perils, plan accordingly, and spend their limited resources to educate staff, protect data, and update security systems.  Earlier tests prove the diagnosis: All healthcare systems are under attack. Lab systems won't be any different. 

Medical data breaches seem to show up on the 6 o'clock news almost every week. If you think it wouldn't happen to you -- or the financial impact will be minor -- think again. Download the Healthcare Data Breaches Cost More Than You Think report today. (Free registration required.)

Alison Diana has written about technology and business for more than 20 years. She was editor, contributors, at Internet Evolution; editor-in-chief of 21st Century IT; and managing editor, sections, at CRN. She has also written for eWeek, Baseline Magazine, Redmond Channel ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Susan Fourtané
50%
50%
Susan Fourtané,
User Rank: Ninja
2/13/2014 | 4:01:54 AM
A patient's right
Alison, 

Patients should always be entitled to access their lab results and any other of their medical data. 

"You can then envision incorporating the raw results into something that shows you what they mean; what you have to do (if anything) to improve the results"

If healthcare IT would really want to do something neat they should have information on what the patient can do to improve the results, and what they mean. They could add all the normal values to guide the patient who is interested in learning more about his own health --some of them are there, though--. 

They should make the information available through links that could go together with the patient's lab results. This could save them plenty of time. 

-Susan
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Author
2/12/2014 | 2:27:19 PM
Re: Tricky
You can then envision incorporating the raw results into something that shows you what they mean; what you have to do (if anything) to improve the results, and whether you need to see a doctor or specialist next. In other words, further enhancing patient health and speeding up his/her access to the right provider, which should cut costs. It all sounds good. And labs will protect data. IT will get it done. They usually do.
ChrisMurphy
50%
50%
ChrisMurphy,
User Rank: Author
2/12/2014 | 12:34:37 PM
Re: Tricky
It's notable how far this discussion has come fairly quickly. The debate is about how to secure this data; not that long ago, it would've been about whether patients should have this information at all, and whether they can handle getting such data without a doctor present. The next step should be usability, the kind of changes Rob describes -- how to get this data in a way that's most valuable to patients and providers.  
RobPreston
50%
50%
RobPreston,
User Rank: Author
2/12/2014 | 10:09:36 AM
Re: Tricky
The more basic stuff that I, as a patient, can do myself, the better. Yes, security/access controls will be critical. But like the airline industry, which lets me check in at a kiosk rather than force me to wait in line, the healthcare industry needs to get better at allowing user-friendly self-service in cases where a doctor or nurse doesn't need to be involved. They'll cut their costs; I'll become a more engaged patient.
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Author
2/12/2014 | 10:04:33 AM
Re: Tricky
As a patient (ironically, I had to get bloodwork done this morning), it is terrific that you no longer have to rely exclusively on your doctor. Thinking back to this morning's experience, though, the lab I went to is part of a big chain. However, there was one receptionist/admissions person who did everything from welcoming patients to entering in their data on the computer and answering phones (she was very pleasant, btw). She, I'm guessing, will be the one to also hand over patient's paperwork or email it to them if they request it. Already overworked, I'd imagine it would be relatively easy to find a gap in her defenses, especially if a social engineer waited (as they would) for a time when she was most vulnerable, based on her workload.

While i was checking in someone called and asked for their results and she referred them to their doctor. That, of course, will change in a few months. Interesting to see what will happen then. 
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
2/12/2014 | 9:38:18 AM
Tricky
I think it's great that patients can get access to their own lab results, but the authentication and access control is going to be a bear to get right.
Research: Healthcare IT Priorities
Research: Healthcare IT Priorities
Meeting regulatory requirements barely inched out managing digital patient data as the top priority for our 363 healthcare provider IT pros.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest September 24, 2014
Start improving branch office support by tapping public and private cloud resources to boost performance, increase worker productivity, and cut costs.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.