Healthcare IT systems are ripe for security breaches. Medical records are unusually data-rich, which makes them prized on the markets where stolen information is traded. As a point of comparison, while a stolen credit card number sells for a few dollars, a stolen medical record can frequently fetch upwards of $50.
There is a strong incentive to attack health records systems, and such attacks happen frequently. In 2013, 43.8% of reported security breaches occurred in healthcare, according to the Identity Theft Resource Center. Considering that compromised health data can lead not only to identity theft but also to misdiagnosis when records are altered or inaccurate, the stakes are high.
But healthcare IT systems are especially at risk, for several reasons. For starters, many of them are old: most were installed between 1998 and 2005. Over the years these systems have been updated and redesigned to keep them functional, but as edits are layered on, a system grows more architecturally complex and loses coherence, filling with spaghetti code. Patching a wobbly system that has accumulated 16 years of revisions is difficult: changing one part of the code affects the rest of the system in ways that are frequently unpredictable, sometimes devastating, and always frustrating.
It seems that a new security threat emerges every day. To name a few issues that have made recent headlines: Heartbleed, the OpenSSL bug disclosed in April, affected healthcare organizations along with everyone else. Just a few weeks ago, Shellshock, a vulnerability in the Bash shell used on most Unix-based systems, was disclosed. Bash would execute commands smuggled in after a function definition stored in an environment variable, so any service that passes attacker-controlled input into the environment (CGI web applications, for example) could be made to run arbitrary commands on the affected server. The Health Information Trust Alliance warned that the Bash/Shellshock vulnerability should be a major concern for healthcare providers.
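The following script is an added example and is not part of the original article. It shows the mechanism behind Shellshock (CVE-2014-6271 is the identifier for the original bug; the probe string below is the widely published local test) and simulates the CGI path that made it reachable from the network: the web server copies request headers into environment variables such as HTTP_USER_AGENT before running a bash handler. The header payload and the marker file path are constructed for the demonstration; nothing here contacts any host.

```shell
#!/bin/sh
# Added example (not from the article): a local check for the Shellshock
# behaviour in bash (CVE-2014-6271) and a simulation of the CGI path that
# exposed it. Everything runs locally; no network access is involved.

# Probe: a bash function definition with a command appended after the
# closing brace. A vulnerable bash runs that trailing command while it
# imports the variable, before it ever starts on the -c script.
SHELLSHOCK_PROBE='() { :; }; echo vulnerable'

# Prints VULNERABLE, patched, or no-bash. Exit status is 0 only when bash
# is present and ignores the trailing command.
shellshock_check() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 2; }
    out=$(env x="$SHELLSHOCK_PROBE" bash -c 'echo probe-ran' 2>/dev/null) || :
    case "$out" in
        *vulnerable*) echo "VULNERABLE"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# Simulated CGI dispatch. Web servers exported request headers into the
# environment (HTTP_USER_AGENT etc.) before exec'ing the handler script, so
# an attacker controlled the variable's value. The constructed header below
# carries the same shape of payload seen in the wild: on a vulnerable bash
# the handler would create the marker file, on a patched bash the header
# stays inert data. Returns 0 if the payload did NOT execute.
cgi_header_is_inert() {
    command -v bash >/dev/null 2>&1 || return 0
    marker="/tmp/shellshock-demo.$$"          # constructed marker path
    rm -f "$marker"
    ua="() { :; }; touch $marker"             # constructed attacker header
    env "HTTP_USER_AGENT=$ua" \
        bash -c 'echo "Content-Type: text/plain"; echo; echo "hello"' \
        >/dev/null 2>&1 || :
    if [ -e "$marker" ]; then
        rm -f "$marker"
        return 1
    fi
    return 0
}

verdict=$(shellshock_check) || :
echo "bash environment-import check: $verdict"
if cgi_header_is_inert; then
    echo "simulated CGI header: inert"
else
    echo "simulated CGI header: EXECUTED (update bash before exposing CGI, DHCP or SSH services)"
fi
```

Run it as root or as the account that owns the web server; the verdict reflects the bash binary on PATH, so on hosts with several bash builds (vendor appliances, embedded management cards) point PATH at each one in turn. A "patched" verdict covers only the environment-import bug; the follow-up parser fixes that shipped in the days after the first patch still have to be confirmed from the package version.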
Staying up to date on security is an enormously stressful undertaking for any organization, but healthcare IT systems carry additional burdens. There are government-mandated meaningful use criteria to meet, for example. Healthcare organizations are also expected to have adopted the ICD-10 diagnostic codes by this month, even though only 17% of organizations report that doing so is a priority.
It's a major problem. Where should healthcare organizations focus? Which comes first: updates that secure patient data or updates to systems that will improve patient outcomes? It's an unwinnable predicament, a Sophie's choice.
Truthfully, the solution to the security problem is the same as the solution to meeting meaningful use criteria (and it'll even fix your ICD-10 problem): get a new, up-to-date medical records system.
The price tag is steep: Kaiser Permanente's system, for example, cost approximately $4 billion. But before you dismiss or postpone the idea, consider the savings in other areas:
- Saving programmer time: A new system should be more architecturally coherent and free of the code bloat that older systems have acquired. This not only makes it easier to patch security vulnerabilities, it simplifies fixing any kind of issue. That saves substantial programmer time otherwise spent debugging, leaving them free to develop new features, customize the system to the organization, or keep it current with meaningful use criteria.
- Meeting criteria: Newer systems are equipped to meet meaningful use criteria and require less revision to do so. Sure, there's a customization process when working with the vendor to install a new system, but a new system is much closer to the end goal than a system from 1998.
- Improving patient outcomes: Last month, I wrote about the value of electronic medical records systems, and the ways in which EHRs can improve treatment and patient outcomes. Sharing patients' health records with them (as specified in the second-stage meaningful use criteria) reduces the potential for misdiagnosis and increases patient engagement.
Of course, the barriers to updating electronic health records remain: it will be expensive, time-consuming, and difficult to update the surrounding infrastructure. However, improvements in this area will lead to invaluable gains for both payers and providers, and updating sooner rather than later is an important part of addressing the security concerns.