In healthcare IT security, there are lots of villains to contend with, but the heroes also deserve attention. The New York eHealth Collaborative (NYeC) is among several that come to mind.
NYeC’s stated goal is simple enough: improve the healthcare of all New Yorkers by building the Statewide Health Information Network for New York, an endeavor it calls SHIN-NY. In reviewing the numerous data breaches that have plagued US hospitals and practices, one misstep surfaces over and over among the offending providers: they never conducted a detailed risk assessment before their records were breached. NYeC is at the forefront of efforts to break this irresponsible mindset.
When ONC released a HIT security risk assessment questionnaire in 2011, for instance, NYeC was quick to outline the nuts and bolts to help providers get up to speed. Similarly, it has published a variety of tools and resources to help members meet the Meaningful Use requirements on security.
"A large number of very reputable shops are out there that will do a risk assessment if you don’t have the in-house talent," said David Whitlinger, executive director at NYeC, during a recent phone interview. "I would highly encourage organizations to hire a third party. Those types of organizations have been trained for years in other industries." These specialists will check whether your laptops use full-disk encryption, determine the risks incurred if patient data is allowed onto individual devices, review the advantages and disadvantages of storing patient data with a cloud service, and evaluate staff training and readiness on matters such as proper password protection.
Equally important, says Whitlinger, is having a C-suite that fully supports IT security as a top priority. "In the most successful organizations, the CEO completely embeds protection of patient data within the culture."
Despite such precautions, some security experts maintain that data breaches are not a matter of if but when. Whitlinger contends that’s old thinking. "While breaches were more commonplace three to five years ago, they are becoming less and less common," he said, attributing the change to the adoption of security best practices. "To a large degree, most people’s health information isn’t interesting to someone for financial gain," he added. "There’s not a strong motivation to steal that data for that purpose."
Electronic protected health information can bring a profit of $50 per record, far more than hackers can gain from selling individual pieces of information such as Social Security numbers ($3), birth dates ($3), or credit card numbers ($1.50), according to a 2011 panel held at the Digital Health Conference. In 2012, the Ponemon Institute reported that 91% of small medical practices in North America had suffered a data breach in the previous 12 months. The same report said only about a third of the management teams in these organizations considered security and privacy a top priority.
While these statistics are disturbing, they don’t detract from one of Whitlinger’s main points, which is that "the benefits of health information exchange far outweigh the risk." Of course, the public has always had a hard time weighing relative risks and benefits, and it remains probability illiterate. That being the case, it’s unlikely any provider organization will have the courage to tell patients that their records are only relatively safe, but that is the reality. HIEs, EMRs, and other healthcare databases are never going to be 100% theft-proof, any more than your home security system or your credit card information is. The sooner we understand that as a nation, the sooner we’ll see robust health data exchange.