Wednesday, January 25, 2012
by Scott Olivier
Privacy is paramount in the move to electronic health records.
In this era of rapid advances in technology, physicians’ offices, diagnostic clinics, hospitals and surgery centers are racing to meet the demand to create the United States’ first private Electronic Health Records database. However, as personal medical records become increasingly electronic in nature, what is being done to protect patients from becoming victimized by nefarious computer hackers or the senseless mishandling of these highly personal records themselves? The Health Insurance Portability and Accountability Act of 1996 (more commonly known as HIPAA) states that “covered entities must have procedures in place to limit who can view and access your health information as well as implement training programs for employees about how to protect your health information.” To this end, each and every medical professional must be mindful of any informational exchange of personal patient records.
As we grow accustomed to the luxury of having virtually any information at our fingertips via mobile device, we must realize that with this access comes an increase in security risk and an overall cavalier attitude of just how safe computers and mobile devices are, in general. Many people consider common password protection enough when clearly, as evidenced by an increase in system level hacking of many medical networks over the past few years, it is not. Storing medical data in unencrypted plain text is a violation of HIPAA privacy, as is emailing patient records over the World Wide Web.
Several months ago, as a simple security test, I emailed a document to a co-worker just across my office. He received the document about 30 seconds later and initiated a “trace route” test to verify from where it had been sent. The report gave us the IP and MAC addresses of our office network and my computer, but a shocking fact was revealed at the end of the transmission report; within that 30-second period, no fewer than nine data-mining servers owned by third party companies had scanned my email.
“How can this be?” Simple. Email is scanned by information-seeking advertisers who collect data about our habits, routines, personal interests and common contacts. Furthermore, as a security precaution, email servers are set up to detect fraud, brute force attacks and other subversive tactics used by hacking squads who normally want little more than to disrupt the status quo. Are these corrupt groups after our personal medical records? Often times not, but how can medical providers be certain our records are safe from prying eyes? An institution of safe electronic data handling must prevail or risk compromise. Every individual who comes into contact with these records must extend the same critical care to the handling and storage of their health records as they would to the patients themselves.
The HIPAA Privacy Act states, “Your health information cannot be used or shared without your written permission unless this law allows it. For example, without your authorization, your provider generally cannot: share private notes about your health care, use or share your information for marketing or advertising purposes or give your information to your employer.” Clearly, emailing medical documents over the World Wide Web is in direct violation of this initiative, yet it is done every day in virtually every medical facility in the United States.
To rectify this mishandling of patient information, important steps should be taken. Medical providers must be certain that electronic health records are not only transferred as encrypted files but also stored as encrypted files. Most consumer-grade data storage providers reveal in their End User Licensing Agreements that client data can and will be used to “create a better experience” at the sole discretion of the data storage provider. This is unacceptable for HIPAA compliance and must be avoided. Also involved in the process is the careful transportation of these records from computer to computer. Secure pathways or Virtual Private Networks can be initiated with the use of private “intranets” such as LUS Fiber’s 100 Megabit per second peer-to-peer transport layer. This enables data to be pushed from facility to facility, on private, user-definable paths, without ever touching the scanning servers of the World Wide Web.
Just as today’s modern physician would never revert to the cumbersome mercury thermometer, technology will soon devour the paper medical record. Tablet computers are changing the diagnostics and record keeping of modern medicine, and with this comes a new responsibility to be certain patient data is exchanged and archived professionally. As medical technology advances, so must the security and protection of the patient information on which it relies.
Scott Eric Olivier, ABiz’s Entrepreneur of the Year for 2011, owns Lafayette-based Skyscraper Holding Company, a group of technology businesses specializing in custom software design, enterprise-class remote data backup and storage archival and the advancement of high-speed, fiber optic broadband.