Don't let your passion for information lead to a credibility disaster
Follow these tips to secure your systems against information catastrophes
The nuclear power industry had Three Mile Island. Tylenol had package tampering and the death of an innocent human being. A similar debacle is just waiting to happen in health care, warns a report recently issued by the National Research Council (NRC) under the auspices of the Institute of Medicine (IOM), both based in Washington, DC.[1]
If you think it can’t happen to you, talk to officials at New York City’s St. Clare’s Hospital. The hospital was sued for $10 million in 1994 by Rep. Nydia M. Velazquez (D-NY), who claimed records of a past suicide attempt were leaked by hospital staff to the press.
Unless everyone involved in information management systems starts to insist on better security and patient confidentiality, it’s just a matter of time before the joys of the Internet will become the miseries of health care providers who let information unwittingly slip out, possibly affecting thousands of people. That’s the undiluted warning found in the NRC’s study, titled For the Record: Protecting Electronic Health Information.
Public interest, health care realignment drive concerns
"The public increasingly views this as a very serious topic; the interest in ensuring that data is confidential is higher in the public’s mind, and in the congressional mind, than it’s ever been," warns John Glaser, PhD, vice president and chief information officer of Partners HealthCare System. Glaser is one of 15 IOM-appointed panel members who made seven site visits as part of the study of medical records. Partners is a Boston-area "super-PHO" of 4,000 physicians and three major hospitals.
Besides public sentiment, another reason for concern is how health care organizations are realigning, and how little attention they are paying to database security.
Because so many entities want and need data to guide everything from health care purchasing decisions to provider profiling, there need to be checks and balances in reporting systems to ensure patient confidentiality, Glaser adds.
In fact, for all the progress you might make in going on-line with your medical records, you could blow the entire effort along with the credibility of your practice if one big information blunder allows high-profile information to become public knowledge.
Gail Holman, practice administrator for six-physician Atlanta Dermatology Associates, has not yet placed her practice’s medical records on-line, but is engaged in researching systems now. Security and privacy are high on her agenda.
"We’re looking at two aspects: information that stays in-house, and information that goes outside," says Holman. "Security needs to be addressed at both levels and in different ways."
Physician practice officials need to do two main things to avert information disasters, experts recommend:
• Understand what types of security threats exist.
• Specifically instruct computer vendors to install the protections necessary for their systems. (The table above summarizes these threats, along with corresponding countermeasures.)
The best way to start is to understand what threats are out there, researchers point out. (For details on step two, ensuring protections your systems need now and what you will likely need in the future, see related story, p. 67.) The NRC’s report, based largely on information drawn from seven site visits to health care organizations, describes these five typical levels of information security threats:
• Threat 1: "Spills." Insiders make "innocent" mistakes and cause accidental disclosures. Accidental disclosure of information is probably the most common threat, researchers said. They list numerous ways this can occur:
    • overheard conversations between care providers in the corridor or elevator;
    • a laboratory technician noticing test results for an acquaintance among lab tests being processed;
    • information left on the screen of a computer in a nursing station so a passerby can see it;
    • misaddressed e-mail or fax messages, or misfiled and misclassified data.
• Threat 2: "Improper use." Insiders abuse their record access privileges. Examples of this occur among individuals who have authorized access to key data (whether through on-site or off-site facilities) and who violate the trust associated with that access.
"Although no overall statistics are available to indicate the scope of the problem, discussions with employees during site visits uncovered many cases in which health care workers have accessed information about the health of fellow employees or family members out of concern for their well-being," the report states.
• Threat 3: "Snooping." Insiders knowingly access information for spite or for profit. This kind of threat arises when an attacker has authorization for some part of the system, but through technical or other means gains unauthorized access to critical data. For example, a billing clerk who has access to financial information could tap into other parts of the system if technical barriers are not in place.
• Threat 4: "Prowling." There is an unauthorized physical intruder. In this kind of case, an unauthorized person would have physical access to computer equipment but no authorization for system use. For example, an individual who puts on a lab coat and a fake badge can walk into a facility, start using a work station, and even ask employees for guidance in using the system.
• Threat 5: "Technical break-in." Vengeful employees and outsiders, such as vindictive patients or intruders, launch attacks to access unauthorized information, sabotage systems, and interfere with operations.
"This is the pure technical threat: an attacker with no authorization and no physical access," the report states. An example would be an intruder who breaks into a system from an external network and extracts patient records.
This threat is truly dangerous only when patient records are accessed regularly through an external network, researchers say. But that interconnection is more common than ever. "Most providers are moving toward the use of networking computer technologies as they move toward electronic medical records," the report points out.
Reference
1. For the Record: Protecting Electronic Health Information. Washington, DC: National Research Council; 1997.