In 2008, a hospital employee at UCLA Medical Center was fired for leaking details of Farrah Fawcett’s cancer treatment.
But the information didn’t come from someone directly involved with the late actress’s caretaking. Instead, the person in question hacked into Fawcett’s electronic medical record in the hospital’s patient database.
As the national initiative to create electronic medical records for every American moves forward, the Fawcett incident exemplifies the worst-case scenario for putting people’s most personal and sensitive health records in a digital format.
Unless electronic medical records are safe, they could end up in the wrong hands, opening the door to medical identity theft, insurance fraud and other breaches of privacy.
Nevertheless, electronic medical records are the wave of the future in the healthcare industry.
In 2009, the Obama administration allotted $20 billion of stimulus funds for healthcare providers to install electronic health record systems and architect a nationwide electronic medical record database. The ultimate goal is that every American will have a health e-record by 2014.
And with such a lofty goal, the questions of data security and privacy are even more paramount.
WATCH VIDEO: Doc Digs Electronic Health Records. How hard is it to digitize our health records? James Williams answers that question with a trip to an Ear, Nose and Throat Specialist.
No Security Guarantees
“There’s no absolute, 100-percent guarantee that a person's information is secure right now,” said Melissa Goldstein, a public policy expert at George Washington University, who specializes in health information technology.
Striking a balance between the privacy and a national electronic healthcare database involves the enormous task of aligning the various state-patient privacy laws with federal-patient privacy laws outlined in the Health Insurance Portability and Accountability Act (HIPAA).
While public policy experts work to safely merge those patient privacy standards, state and federal governments are also drafting new laws and standards regarding access to and sharing of these records. For instance, people can now penalized for hacking into electronic medical records.
“We realize that (privacy breaches) are going to happen, but that doesn’t mean (electronic medical records) aren’t worthwhile,” Goldstein said.
They can make healthcare more efficient. For example, once nationalized e-records are a reality, doctors could theoretically pull up a new patient’s medical history with a few keystrokes, see what tests the patient needs or has already undergone, and review any allergies to medicines. This reduces wait times, eliminates unnecessary tests and procedures and improves overall healthcare and costs.Privacy Threats Must Be Addressed
But to reap those benefits, leaders on the tech side of the e-health initiative have to resolve data security and patient privacy threats inherent to digitizing medical records.
“The nightmare scenario is that it (healthcare data) becomes completely public and posted on the Web or YouTube, or something like that,” said Carl Gunter, a computer science professor at the University of Illinois.
Gunter is at the helm of the Strategic Healthcare Information Technology Advanced Research Projects on Security (SHARPS), a $15-million initiative to research and improve the security and outcomes of electronic medical records.
Two main factors Gunter and others are investigating in order to lock down privacy and security issues deal with authentication and authorization; in other words, limiting access to different tiers of information to only authorized medical professionals and patients.
“In this space the privacy concerns are the trickier, harder problem (as opposed to data security) because we have a need for finding ways of (acquiring) patient consent, but at the same time ensuring that doesn’t get abused by having the data shared too broadly,” Gunter told Discovery News.
Gunter likens this type of access to how ATMs operate.
ATMs operate securely by having two levels of authentication with the combination of bank cards and PIN numbers, Gunter explains.
“So perhaps there are other strategies that could be more novel in this space, like using cell phones (for patient authorization) somehow,” he said.
One idea on the table, Gunter says, is to set up patient verification systems for electronic medical records using patients’ cell phones as their “ATM cards.”
No Plan for Standardizing Authorization
But there's no plan right now for a standardized authorization method, like the cell phone ID, given that the healthcare IT industry has already put into place many electronic medical records systems for different doctors, hospitals and insurance companies.
In the mean time, as the admittedly complicated legal and technical issues are gradually being addressed, Goldstein and Gunter both reiterated that the reward of more consistent, cost-effective healthcare that comprehensive electronic medical records ought to provide outweighs the potential risks at this point.
“We will see payout,” Goldstein said. “It may be somewhere down the line, but absolutely, it will make a difference.”
Gunter at Illinois couldn’t offer a time line of when electronic health records will be the norm, but says he expects the complete transition to electronic medical records will happen “inch by inch” over time to best ensure that privacy and security issues are worked out before people’s personal health information is jeopardized.
“When the public starts to see (the healthcare) benefits then everybody will start to get on board with the idea of sharing electronic medical records, under respect for privacy and consent,” Gunter said.
Photo: iStockPhoto
Tags: Cybercrime, Health, Healthcare System, Issues and Ethics, Modern Medicine,
comments ( )