Healthcare // Security & Privacy
Commentary
12/4/2013
10:25 AM
Paul Cerrato

Seeking Secure Health Information Exchange

The New York eHealth Collaborative is among several forward-thinking organizations that are helping make HIEs private and secure.

In healthcare IT security, there are lots of villains to contend with, but the heroes also deserve attention. The New York eHealth Collaborative (NYeC) is among several that come to mind.

NYeC’s stated goal is simple enough: Improve the healthcare of all New Yorkers through the creation of the statewide health information network for New York, an endeavor they call SHIN-NY. In reviewing the numerous data breaches that have plagued US hospitals and practices, one of the missteps that surfaces over and over among offending providers is the unwillingness to do a detailed risk assessment before their records were breached. NYeC is at the forefront, doing their best to break this irresponsible mindset.

When ONC released a HIT security risk assessment questionnaire in 2011, for instance, NYeC was quick to outline the nuts and bolts to help providers get up to speed. Similarly, it has published a variety of tools and resources to help members meet the Meaningful Use requirements on security.

"A large number of very reputable shops are out there that will do a risk assessment if you don’t have the in-house talent," said David Whitlinger, executive director at NYeC, during a recent phone interview. "I would highly encourage organizations to hire a third party. Those types of organizations have been trained for years in other industries." These specialists will check to see if your laptops are encrypted down to the hard drive level, determine the risks incurred if patient data is allowed on individual devices, review the advantages and disadvantages of storing patient data in a cloud service, and evaluate staff training and readiness in terms of proper password protection and the like.

Equally important, says Whitlinger, is having a C-suite that fully supports IT security as a top priority. "In the most successful organizations, the CEO completely embeds protection of patient data within the culture."

Despite such precautions, some security experts maintain that data breaches are not a matter of if but when. Whitlinger contends that’s old thinking. "While breaches were more commonplace three to five years ago, they are becoming less and less common," because of the institution of security best-practices. "To a large degree, most people’s health information isn’t interesting to someone for financial gain," he added. "There’s not a strong motivation to steal that data for that purpose."

Really?

Electronic protected health information can bring a profit of $50 per record, which is much more than what hackers can gain from selling individual pieces of information like SS numbers ($3), birth dates ($3), or credit card numbers ($1.50), according to a 2011 panel held at the Digital Health Conference. In 2012, the Ponemon Institute reported that 91% of small medical practices in North America had suffered a data breach in the previous 12 months. The same report said only about a third of the management teams in these organizations considered security and privacy a top priority.

While these statistics are disturbing, they don’t detract from one of Whitlinger’s main points, which is that "the benefits of health information exchange far outweigh the risk." Of course, the public has always had a hard time dealing with relative risks and benefits, and continues to be probability illiterate. That being the case, it’s unlikely any provider organization will have the courage to tell patients: Your records are relatively safe, but that’s the reality. HIEs, EMRs, and other healthcare databases are never going to be 100% theft-proof -- any more than your home security system or your credit card information is going to be. The sooner we understand that as a nation, the sooner we’ll see robust health data exchange.

Comments
RobPreston,
User Rank: Author
12/4/2013 | 10:56:10 AM
How Safe?
Your healthcare records and information being "relatively" safe is a bit like your being relatively pregnant. Especially when it comes to protecting health information, providers and exchanges need to go all-in on security.
WKash,
User Rank: Author
12/4/2013 | 10:52:16 AM
Value of Health Data
I think your point that value of health data, on the open market, fetches far more than personal financial data, trumps whatever notion we may have about what criminals find of interest. If it pays better, more criminals will go after it. That's why we must make healthcare data not only more secure, but more costly for criminals to exploit. That may push their focus elsewhere, rather than reducing criminal activity, but the stakes in healthcare are so huge, we need every innovation we can get, including the one mentioned here.